OpenVPN

Ну чисто в тупую могу предположить что не настроен роутинг, вроде об этом говорят ошибки, т.е. там написано что то вроде: получен не роученный контрольный пакет.

Т.е. с ключами всё Ок?

Для сервера пропиши
local 10.1.1.1
remote 10.1.1.2
ето должно помочь.
А права на ключики поправь, ибо "group or others accessible" не есть
секурно. 0600 поставь от греха.

ЗЫ. И что то типа етого надо добавить в оба конфига route 192.168.1.0 255.255.255.0

Спасибо, ща будем пробовать ;)

>Для сервера пропиши
>local 10.1.1.1
>remote 10.1.1.2

А куда прописать-то? Если в конфиг, то выдаёт:

# openvpn --config office1
Options error: --local and --remote addresses must be distinct from --ifconfig addresses
Use --help for more information.

Да и вроде как оно само нормально определяет кому какой адрес. Или я что-то неправильно понял?

По поводу прав. Просто я вчера поменял местами сервер 
и клиент и забыл соответственно права на поменявшихся 
ключах выставить. Сейчас выставил chmod рекурсивно и 
клиент (слака) выдаёт следущее:

# openvpn --config office2
Wed Mar 30 11:11:15 2005 OpenVPN 2.0_rc17 i686-pc-linux [SSL] [LZO] built on Mar 20 2005
Wed Mar 30 11:11:15 2005 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 30 11:11:15 2005 TUN/TAP device tun0 opened
Wed Mar 30 11:11:15 2005 /sbin/ifconfig tun0 10.1.1.2 pointopoint 10.1.1.1 mtu 1500
Wed Mar 30 11:11:15 2005 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.1
Wed Mar 30 11:11:15 2005 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Mar 30 11:11:15 2005 Local Options hash (VER=V4): 'bed69dfd'
Wed Mar 30 11:11:15 2005 Expected Remote Options hash (VER=V4): 'dd105312'
Wed Mar 30 11:11:15 2005 UDPv4 link local (bound): [undef]:5000
Wed Mar 30 11:11:15 2005 UDPv4 link remote: 192.168.0.1:5000
Wed Mar 30 11:11:15 2005 TLS: Initial packet from 192.168.0.1:5000, sid=2e4f91f0 03b48718
Wed Mar 30 11:11:15 2005 VERIFY ERROR: depth=0, error=self signed certificate: /C=RU/ST=Rostov_Reg/L=Rostov/O=PSMD/CN=darkstar.example.net/emailAddress=patriot
ica@mail.ru
Wed Mar 30 11:11:15 2005 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Mar 30 11:11:15 2005 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 30 11:11:15 2005 TLS Error: TLS handshake failed
Wed Mar 30 11:11:15 2005 TCP/UDP: Closing socket
Wed Mar 30 11:11:15 2005 /sbin/route del -net 192.168.1.0 netmask 255.255.255.0
Wed Mar 30 11:11:16 2005 Closing TUN/TAP interface
Wed Mar 30 11:11:16 2005 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 30 11:11:16 2005 Restart pause, 2 second(s)
Wed Mar 30 11:11:18 2005 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 30 11:11:18 2005 TUN/TAP device tun0 opened
Wed Mar 30 11:11:18 2005 /sbin/ifconfig tun0 10.1.1.2 pointopoint 10.1.1.1 mtu 1500
Wed Mar 30 11:11:18 2005 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.1
Wed Mar 30 11:11:18 2005 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Mar 30 11:11:18 2005 Local Options hash (VER=V4): 'bed69dfd'
Wed Mar 30 11:11:18 2005 Expected Remote Options hash (VER=V4): 'dd105312'
Wed Mar 30 11:11:18 2005 UDPv4 link local (bound): [undef]:5000
Wed Mar 30 11:11:18 2005 UDPv4 link remote: 192.168.0.1:5000
Wed Mar 30 11:11:18 2005 TLS Error: Unroutable control packet received from 192.168.0.1:5000 (si=3 op=P_CONTROL_V1)
Wed Mar 30 11:11:18 2005 TLS Error: Unroutable control packet received from 192.168.0.1:5000 (si=3 op=P_CONTROL_V1)
Wed Mar 30 11:11:18 2005 TLS Error: Unroutable control packet received from 192.168.0.1:5000 (si=3 op=P_CONTROL_V1)
Wed Mar 30 11:11:18 2005 TLS Error: Unroutable control packet received from 192.168.0.1:5000 (si=3 op=P_CONTROL_V1)
Wed Mar 30 11:11:18 2005 TLS: Initial packet from 192.168.0.1:5000, sid=37fbfb01 3e2e93a2


Может всё же в ключах дело? Может потому что я задавал в обоих ключах одинаковый Common Name?

Sorry, local и remote - должны быть реальными адресами интерфейсов, через которые ты ВПН пробрасываешь. У тебя вот что смущает UDPv4 link local (bound): [undef]:5000 Т.е. на одной стороне он не знает на каком интерфейсе будет линк ВПН-ский

Такая беда теперь. Прописал

local 192.168.0.4                                                                                                                                                        
remote 192.168.0.1 

# openvpn --config office1
Wed Mar 30 12:30:46 2005 OpenVPN 2.0_rc17 i686-pc-linux [SSL] [LZO] built on Mar 20 2005
Wed Mar 30 12:30:46 2005 Diffie-Hellman initialized with 1024 bit key
Wed Mar 30 12:30:46 2005 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 30 12:30:46 2005 TUN/TAP device tun0 opened
Wed Mar 30 12:30:46 2005 /sbin/ifconfig tun0 10.1.1.1 pointopoint 10.1.1.2 mtu 1500
Wed Mar 30 12:30:46 2005 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Mar 30 12:30:46 2005 Local Options hash (VER=V4): 'dd105312'
Wed Mar 30 12:30:46 2005 Expected Remote Options hash (VER=V4): 'bed69dfd'
Wed Mar 30 12:30:46 2005 UDPv4 link local (bound): 192.168.0.4:5000
Wed Mar 30 12:30:46 2005 UDPv4 link remote: 192.168.0.1:5000
Wed Mar 30 12:30:46 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Mar 30 12:30:48 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Mar 30 12:30:51 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
............

Может с iptable что-то? В предыдущем посте я показал, что выводит слака, если пустить её в качестве сервера. Попробовал прописать ремув/локал на Фре и сервер стартовал. Запускаю клиента на слаке и пока не вижу различий в логах.... Всё те же local (bound): [undef]:5000

Спасибо!

Вы меня немножко с толку сбили ;) У меня нет подсети 192.168.1.0. Что интересно, я её менял на свою.... А потом по запарке вставил скопированное значение на клиент (с сервером всё ок).

Сейчас как увидел на клиенте:

/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.1.1

Сразу по голове себя дал ;)))

Теперь другая проблема, другой лог ;))

# openvpn --config office2
Wed Mar 30 12:50:56 2005 OpenVPN 2.0_rc17 i686-pc-linux [SSL] [LZO] built on Mar 20 2005
Wed Mar 30 12:50:56 2005 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 30 12:50:56 2005 TUN/TAP device tun0 opened
Wed Mar 30 12:50:56 2005 /sbin/ifconfig tun0 10.1.1.2 pointopoint 10.1.1.1 mtu 1500
Wed Mar 30 12:50:56 2005 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.1.1
Wed Mar 30 12:50:56 2005 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Mar 30 12:50:56 2005 Local Options hash (VER=V4): 'bed69dfd'
Wed Mar 30 12:50:56 2005 Expected Remote Options hash (VER=V4): 'dd105312'
Wed Mar 30 12:50:56 2005 UDPv4 link local (bound): [undef]:5000
Wed Mar 30 12:50:56 2005 UDPv4 link remote: 192.168.0.1:5000
Wed Mar 30 12:50:57 2005 TLS: Initial packet from 192.168.0.1:5000, sid=48f0a812 9dd19f27
Wed Mar 30 12:51:22 2005 TLS: new session incoming connection from 192.168.0.1:5000
Wed Mar 30 12:51:56 2005 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 30 12:51:56 2005 TLS Error: TLS handshake failed
Wed Mar 30 12:51:56 2005 TCP/UDP: Closing socket
Wed Mar 30 12:51:56 2005 /sbin/route del -net 192.168.0.0 netmask 255.255.255.0
Wed Mar 30 12:51:56 2005 Closing TUN/TAP interface
Wed Mar 30 12:51:56 2005 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 30 12:51:56 2005 Restart pause, 2 second(s)
Wed Mar 30 12:51:58 2005 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 30 12:51:59 2005 TUN/TAP device tun0 opened
Wed Mar 30 12:51:59 2005 /sbin/ifconfig tun0 10.1.1.2 pointopoint 10.1.1.1 mtu 1500
Wed Mar 30 12:51:59 2005 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.1.1
Wed Mar 30 12:51:59 2005 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Mar 30 12:51:59 2005 Local Options hash (VER=V4): 'bed69dfd'
Wed Mar 30 12:51:59 2005 Expected Remote Options hash (VER=V4): 'dd105312'
Wed Mar 30 12:51:59 2005 UDPv4 link local (bound): [undef]:5000
Wed Mar 30 12:51:59 2005 UDPv4 link remote: 192.168.0.1:5000
Wed Mar 30 12:51:59 2005 TLS: Initial packet from 192.168.0.1:5000, sid=e5dadad0 b8597455
Wed Mar 30 12:52:25 2005 TLS: new session incoming connection from 192.168.0.1:5000
Wed Mar 30 12:53:00 2005 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 30 12:53:00 2005 TLS Error: TLS handshake failed
Wed Mar 30 12:53:00 2005 TCP/UDP: Closing socket

Ну, тут ХЗ, ключ видать ему не нравица. Включи в конфиге verb 9 и посмотри поточнее.

>ЗЫ. И что то типа етого надо добавить в оба конфига route 192.168.1.0 255.255.255.0

Добавляется в конец клиенского (слаковского) конфига, но не добавляется во фрюшный :(

Пишет примерно след:

route add -net 192.168.0.0 10.1.1.2 255.255.255.0
route: writing to routing socket: File exists
add net 192.168.0.0: geteway 10.1.1.2: File exists
ERROE: FreeBSD route add command faild: shell command exited with error status

И при старте ещё выдает:

ifconfig tun0 10.1.1.1 10.1.1.2 mtu 1500 netmask 255.255.255.255 up

Маска правильная или тоже должна быть 255.255.255.0??

>>fconfig tun0 10.1.1.1 10.1.1.2 mtu 1500 netmask 255.255.255.255 up >>Маска правильная или тоже должна быть 255.255.255.0?? Маска то правильная.

Итак. Повторяющийся блок.

Wed Mar 30 13:40:59 2005 us=58661 I/O WAIT status=0x0004
Wed Mar 30 13:40:59 2005 us=58698  read from TUN/TAP returned 42
Wed Mar 30 13:40:59 2005 us=58834 TUN READ [42]: 4500002a 00064000 40116f11 0a010102 c0a80001 13881388 0016df5c 38788ed[more...] md5=c7519396 76e5ce23 92f2d60c 6c26fcb9
Wed Mar 30 13:40:59 2005 us=58905 TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=c17b29cd f8b5bfef] [key#1 state=S_UNDEF id=0 sid=00
000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Wed Mar 30 13:40:59 2005 us=58978 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=788edbeb 7150e32a, stored-sid=c17b29cd f8b5bfef, stored-ip=192.168.0.1:5000
Wed Mar 30 13:40:59 2005 us=59027 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Wed Mar 30 13:40:59 2005 us=59065 ACK reliable_can_send active=1 current=0 : [1] 0
Wed Mar 30 13:40:59 2005 us=59123 ACK reliable_send_timeout 2 [1] 0
Wed Mar 30 13:40:59 2005 us=59151 TLS: tls_process: timeout set to 2
Wed Mar 30 13:40:59 2005 us=59192 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=508862d7 f873dbd8, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:40:59 2005 us=63170 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:40:59 2005 us=63260 PO_CTL rwflags=0x0001 ev=3 arg=0x080916dc
Wed Mar 30 13:40:59 2005 us=63292 PO_CTL rwflags=0x0001 ev=5 arg=0x080916e0
Wed Mar 30 13:40:59 2005 us=63331 I/O WAIT TR|Tw|SR|Sw [1/129487]
Wed Mar 30 13:41:00 2005 us=192524  event_wait returned 0
Wed Mar 30 13:41:00 2005 us=192628 I/O WAIT status=0x0020
Wed Mar 30 13:41:00 2005 us=192662 TIMER: coarse timer wakeup 1 seconds
Wed Mar 30 13:41:00 2005 us=192716 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=788edbeb 7150e32a, stored-sid=c17b29cd f8b5bfef, stored-ip=192.168.0.1:5000
Wed Mar 30 13:41:00 2005 us=192768 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Wed Mar 30 13:41:00 2005 us=192812 ACK reliable_can_send active=1 current=0 : [1] 0
Wed Mar 30 13:41:00 2005 us=192937 ACK reliable_send_timeout 1 [1] 0
Wed Mar 30 13:41:00 2005 us=192967 TLS: tls_process: timeout set to 1
Wed Mar 30 13:41:00 2005 us=193010 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=508862d7 f873dbd8, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:41:00 2005 us=193066 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:41:00 2005 us=193119 PO_CTL rwflags=0x0001 ev=3 arg=0x080916dc
Wed Mar 30 13:41:00 2005 us=193149 PO_CTL rwflags=0x0001 ev=5 arg=0x080916e0
Wed Mar 30 13:41:00 2005 us=193187 I/O WAIT TR|Tw|SR|Sw [1/129487]
Wed Mar 30 13:41:00 2005 us=260444 PO_WAIT[0,0] fd=3 rev=0x00000001 rwflags=0x0001 arg=0x080916dc 
Wed Mar 30 13:41:00 2005 us=260557  event_wait returned 1
Wed Mar 30 13:41:00 2005 us=260591 I/O WAIT status=0x0001
Wed Mar 30 13:41:00 2005 us=260643 UDPv4 read returned 14
Wed Mar 30 13:41:00 2005 us=260700 UDPv4 READ [14] from 192.168.0.1:5000: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=c17b29cd f8b5bfef [ ] pid=0 DATA 
Wed Mar 30 13:41:00 2005 us=260751 TLS: control channel, op=P_CONTROL_HARD_RESET_SERVER_V2, IP=192.168.0.1:5000
Wed Mar 30 13:41:00 2005 us=260816 TLS: initial packet test, i=0 state=S_PRE_START, mysid=788edbeb 7150e32a, rec-sid=c17b29cd f8b5bfef, rec-ip=192.168.0.1:5000, stored-s
id=c17b29cd f8b5bfef, stored-ip=192.168.0.1:5000
Wed Mar 30 13:41:00 2005 us=260874 TLS: found match, session[0], sid=c17b29cd f8b5bfef
Wed Mar 30 13:41:00 2005 us=260913 TLS: received control channel packet s#=0 sid=c17b29cd f8b5bfef
Wed Mar 30 13:41:00 2005 us=260954 ACK read ID 0 (buf->len=0)
Wed Mar 30 13:41:00 2005 us=260985 ACK 0 is a replay: [1]
Wed Mar 30 13:41:00 2005 us=261012 ACK acknowledge ID 0 (ack->len=1)
Wed Mar 30 13:41:00 2005 us=261066 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=788edbeb 7150e32a, stored-sid=c17b29cd f8b5bfef, stored-ip=192.168.0.1:5000
Wed Mar 30 13:41:00 2005 us=261118 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Wed Mar 30 13:41:00 2005 us=261159 ACK reliable_can_send active=1 current=0 : [1] 0
Wed Mar 30 13:41:00 2005 us=261291 ACK write ID 0 (ack->len=1, n=1)
Wed Mar 30 13:41:00 2005 us=261324 Dedicated ACK -> TCP/UDP
Wed Mar 30 13:41:00 2005 us=261354 ACK reliable_send_timeout 1 [1] 0
Wed Mar 30 13:41:00 2005 us=261382 TLS: tls_process: timeout set to 1
Wed Mar 30 13:41:00 2005 us=261440 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=508862d7 f873dbd8, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:41:00 2005 us=261497 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:41:00 2005 us=261553 PO_CTL rwflags=0x0003 ev=3 arg=0x080916dc
Wed Mar 30 13:41:00 2005 us=261583 PO_CTL rwflags=0x0000 ev=5 arg=0x080916e0
Wed Mar 30 13:41:00 2005 us=261621 I/O WAIT Tr|Tw|SR|SW [1/129487]
Wed Mar 30 13:41:00 2005 us=261665 PO_WAIT[0,0] fd=3 rev=0x00000004 rwflags=0x0002 arg=0x080916dc 
Wed Mar 30 13:41:00 2005 us=261698  event_wait returned 1
Wed Mar 30 13:41:00 2005 us=261727 I/O WAIT status=0x0002
Wed Mar 30 13:41:00 2005 us=261778 UDPv4 WRITE [22] to 192.168.0.1:5000: P_ACK_V1 kid=0 sid=788edbeb 7150e32a [ 0 sid=c17b29cd f8b5bfef ]
Wed Mar 30 13:41:00 2005 us=261886 UDPv4 write returned 22
Wed Mar 30 13:41:00 2005 us=261933 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=788edbeb 7150e32a, stored-sid=c17b29cd f8b5bfef, stored-ip=192.168.0.1:5000
Wed Mar 30 13:41:00 2005 us=261983 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Wed Mar 30 13:41:00 2005 us=262022 ACK reliable_can_send active=1 current=0 : [1] 0
Wed Mar 30 13:41:00 2005 us=262085 ACK reliable_send_timeout 1 [1] 0
Wed Mar 30 13:41:00 2005 us=262114 TLS: tls_process: timeout set to 1
Wed Mar 30 13:41:00 2005 us=262156 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=508862d7 f873dbd8, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:41:00 2005 us=262211 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Wed Mar 30 13:41:00 2005 us=262258 PO_CTL rwflags=0x0001 ev=3 arg=0x080916dc
Wed Mar 30 13:41:00 2005 us=262288 PO_CTL rwflags=0x0001 ev=5 arg=0x080916e0
Wed Mar 30 13:41:00 2005 us=262323 I/O WAIT TR|Tw|SR|Sw [1/129487]
Wed Mar 30 13:41:00 2005 us=262358 PO_WAIT[1,0] fd=5 rev=0x00000001 rwflags=0x0001 arg=0x080916e0 
Wed Mar 30 13:41:00 2005 us=262390  event_wait returned 1
Wed Mar 30 13:41:00 2005 us=262418 I/O WAIT status=0x0004
Wed Mar 30 13:41:00 2005 us=262469  read from TUN/TAP returned 50
Wed Mar 30 13:41:00 2005 us=262562 TUN READ [50]: 45000032 00074000 40116f08 0a010102 c0a80001 13881388 001e4b5d 28788ed[more...] md5=912ae962 2ca071ac 3d5378a8 64178b8b
Wed Mar 30 13:41:00 2005 us=265288 TLS Warning: no data channel send key available:  [key#0 state=S_PRE_START id=0 sid=c17b29cd f8b5bfef] [key#1 state=S_UNDEF id=0 sid=0
0000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]

А вот вступление:

# openvpn --config office2
us=492588 Current Parameter Settings:
us=492856   config = 'office2'
us=492889   mode = 0
us=492918   persist_config = DISABLED
us=492948   persist_mode = 1
us=492977   show_ciphers = DISABLED
us=493008   show_digests = DISABLED
us=493039   show_engines = DISABLED
us=493070   genkey = DISABLED
us=493099   key_pass_file = '[UNDEF]'
us=493129   show_tls_ciphers = DISABLED
us=493159   proto = 0
us=493187   local = '[UNDEF]'
us=493217   remote_list[0] = {'192.168.0.1', 5000}
us=493253   remote_random = DISABLED
us=493286   local_port = 5000
us=493316   remote_port = 5000
us=493345   remote_float = DISABLED
us=493376   ipchange = '[UNDEF]'
us=493406   bind_local = ENABLED
us=493435   dev = 'tun'
us=493463   dev_type = '[UNDEF]'
us=493493   dev_node = '[UNDEF]'
us=493522   tun_ipv6 = DISABLED
us=493552   ifconfig_local = '10.1.1.2'
us=493583   ifconfig_remote_netmask = '10.1.1.1'
us=493614   ifconfig_noexec = DISABLED
us=493645   ifconfig_nowarn = DISABLED
us=493675   shaper = 0
us=493704   tun_mtu = 1500
us=493733   tun_mtu_defined = ENABLED
us=493763   link_mtu = 1500
us=493802   link_mtu_defined = DISABLED
us=493833   tun_mtu_extra = 0
us=493862   tun_mtu_extra_defined = DISABLED
us=493893   fragment = 0
us=493922   mtu_discover_type = -1
us=493952   mtu_test = 0
us=493980   mlock = DISABLED
us=494009   keepalive_ping = 0
us=494039   keepalive_timeout = 0
us=494069   inactivity_timeout = 0
us=494099   ping_send_timeout = 0
us=494129   ping_rec_timeout = 0
us=494159   ping_rec_timeout_action = 0
us=494189   ping_timer_remote = DISABLED
us=494221   remap_sigusr1 = 0
us=494250   explicit_exit_notification = 0
us=494281   persist_tun = DISABLED
us=494311   persist_local_ip = DISABLED
us=494342   persist_remote_ip = DISABLED
us=494373   persist_key = DISABLED
us=494403   mssfix = 1450
us=494432   passtos = DISABLED
us=494462   resolve_retry_seconds = 1000000000
us=494495   connect_retry_seconds = 5
us=494525   username = '[UNDEF]'
us=494554   groupname = '[UNDEF]'
us=494584   chroot_dir = '[UNDEF]'
us=494614   cd_dir = '[UNDEF]'
us=494643   writepid = '[UNDEF]'
us=494673   up_script = '[UNDEF]'
us=494702   down_script = '[UNDEF]'
us=494733   down_pre = DISABLED
us=494763   up_restart = DISABLED
us=494802   up_delay = DISABLED
us=494832   daemon = DISABLED
us=494860   inetd = 0
us=494888   log = DISABLED
us=498431   suppress_timestamps = DISABLED
us=498497   nice = 0
us=498525   verbosity = 9
us=498555   mute = 0
us=498583   gremlin = 0
us=498611   status_file = '[UNDEF]'
us=498641   status_file_version = 1
us=498672   status_file_update_freq = 60
us=498703   occ = ENABLED
us=498732   rcvbuf = 65536
us=498760   sndbuf = 65536
us=498811   socks_proxy_server = '[UNDEF]'
us=498843   socks_proxy_port = 0
us=498873   socks_proxy_retry = DISABLED
us=498904   fast_io = DISABLED
us=498933   comp_lzo = DISABLED
us=498963   comp_lzo_adaptive = ENABLED
us=498993   route_script = '[UNDEF]'
us=499024   route_default_gateway = '[UNDEF]'
us=499055   route_noexec = DISABLED
us=499086   route_delay = 0
us=499115   route_delay_window = 30
us=499145   route_delay_defined = DISABLED
us=499190   route 192.168.0.0/255.255.255.0/nil/nil
us=499225   management_addr = '[UNDEF]'
us=499255   management_port = 0
us=499285   management_user_pass = '[UNDEF]'
us=499317   management_log_history_cache = 250
us=499350   management_echo_buffer_size = 100
us=499382   management_query_passwords = DISABLED
us=499414   management_hold = DISABLED
us=499446   shared_secret_file = '[UNDEF]'
us=499478   key_direction = 0
us=499507   ciphername_defined = ENABLED
us=499539   ciphername = 'BF-CBC'
us=499569   authname_defined = ENABLED
us=499599   authname = 'SHA1'
us=499629   keysize = 0
us=499657   engine = DISABLED
us=499686   replay = ENABLED
us=499715   mute_replay_warnings = DISABLED
us=499747   replay_window = 64
us=499789   replay_time = 15
us=499819   packet_id_file = '[UNDEF]'
us=499850   use_iv = ENABLED
us=499879   test_crypto = DISABLED
us=499909   tls_server = DISABLED
us=499939   tls_client = ENABLED
us=499969   key_method = 2
us=499998   ca_file = '/etc/ssl/my/my-ca.crt'
us=500030   dh_file = 'dh1024.pem'
us=500061   cert_file = '/etc/ssl/my/certs/office2.crt'
us=500095   priv_key_file = '/etc/ssl/my/private/office2.key'
us=500130   pkcs12_file = '[UNDEF]'
us=500160   cipher_list = '[UNDEF]'
us=500191   tls_verify = '[UNDEF]'
us=500221   tls_remote = '[UNDEF]'
us=500251   crl_file = '[UNDEF]'
us=500282   ns_cert_type = 64
us=500311   tls_timeout = 2
us=500340   renegotiate_bytes = 0
us=500371   renegotiate_packets = 0
us=500402   renegotiate_seconds = 3600
us=500434   handshake_window = 60
us=500465   transition_window = 3600
us=500496   single_session = DISABLED
us=506343   tls_exit = DISABLED
us=506414   tls_auth_file = '[UNDEF]'
us=506490   server_network = 0.0.0.0
us=506526   server_netmask = 0.0.0.0
us=506559   server_bridge_ip = 0.0.0.0
us=506593   server_bridge_netmask = 0.0.0.0
us=506627   server_bridge_pool_start = 0.0.0.0
us=506662   server_bridge_pool_end = 0.0.0.0
us=506693   ifconfig_pool_defined = DISABLED
us=506728   ifconfig_pool_start = 0.0.0.0
us=506762   ifconfig_pool_end = 0.0.0.0
us=506807   ifconfig_pool_netmask = 0.0.0.0
us=506840   ifconfig_pool_persist_filename = '[UNDEF]'
us=506874   ifconfig_pool_persist_refresh_freq = 600
us=506907   ifconfig_pool_linear = DISABLED
us=506939   n_bcast_buf = 256
us=506969   tcp_queue_limit = 64
us=507000   real_hash_size = 256
us=507030   virtual_hash_size = 256
us=507060   client_connect_script = '[UNDEF]'
us=507093   learn_address_script = '[UNDEF]'
us=507125   client_disconnect_script = '[UNDEF]'
us=507157   client_config_dir = '[UNDEF]'
us=507189   ccd_exclusive = DISABLED
us=507219   tmp_dir = '[UNDEF]'
us=507249   push_ifconfig_defined = DISABLED
us=507283   push_ifconfig_local = 0.0.0.0
us=507334   push_ifconfig_remote_netmask = 0.0.0.0
us=507369   enable_c2c = DISABLED
us=507399   duplicate_cn = DISABLED
us=507431   cf_max = 0
us=507459   cf_per = 0
us=507488   max_clients = 1024
us=507518   client_cert_not_required = DISABLED
us=507551   username_as_common_name = DISABLED
us=507583   auth_user_pass_verify_script = '[UNDEF]'
us=507617   auth_user_pass_verify_script_via_file = DISABLED
us=507651   client = DISABLED
us=507679   pull = DISABLED
us=507708   auth_user_pass_file = '[UNDEF]'
us=507745 OpenVPN 2.0_rc17 i686-pc-linux [SSL] [LZO] built on Mar 20 2005

Ндааааа...... Не стартует оно, оказывается и на сервере:( Просто я не дожидался никогда, пока оно начнёт матом крыть.

# openvpn --config office1
OpenVPN 2.0_rc17 i686-pc-linux [SSL] [LZO] built on Mar 20 2005
Diffie-Hellman initialized with 1024 bit key
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
TUN/TAP device tun0 opened
/sbin/ifconfig tun0 10.1.1.1 pointopoint 10.1.1.2 mtu 1500
/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.1.2
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): 'dd105312'
Expected Remote Options hash (VER=V4): 'bed69dfd'
UDPv4 link local (bound): 192.168.0.4:5000
UDPv4 link remote: 192.168.0.1:5000
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
TCP/UDP: Closing socket
/sbin/route del -net 192.168.0.0 netmask 255.255.255.0
Closing TUN/TAP interface
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 2 second(s)
Diffie-Hellman initialized with 1024 bit key
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
TUN/TAP device tun0 opened
/sbin/ifconfig tun0 10.1.1.1 pointopoint 10.1.1.2 mtu 1500
/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.1.2
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): 'dd105312'
Expected Remote Options hash (VER=V4): 'bed69dfd'
UDPv4 link local (bound): 192.168.0.4:5000
UDPv4 link remote: 192.168.0.1:5000
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
TCP/UDP: Closing socket
/sbin/route del -net 192.168.0.0 netmask 255.255.255.0
Closing TUN/TAP interface
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 2 second(s)

Кое-что поправил, новая трабла (сколько можно? ;))

# openvpn --config office1ll
Wed Mar 30 22:12:48 2005 OpenVPN 2.0_rc17 i686-pc-linux [SSL] [LZO] built on Mar 20 2005
Wed Mar 30 22:12:48 2005 Diffie-Hellman initialized with 1024 bit key
Wed Mar 30 22:12:48 2005 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 30 22:12:48 2005 TUN/TAP device tun0 opened
Wed Mar 30 22:12:48 2005 /sbin/ifconfig tun0 10.1.1.1 pointopoint 10.1.1.2 mtu 1500
Wed Mar 30 22:12:48 2005 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.1.2
Wed Mar 30 22:12:48 2005 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Mar 30 22:12:48 2005 Local Options hash (VER=V4): 'dd105312'
Wed Mar 30 22:12:48 2005 Expected Remote Options hash (VER=V4): 'bed69dfd'
Wed Mar 30 22:12:48 2005 UDPv4 link local (bound): 192.168.0.4:5000
Wed Mar 30 22:12:48 2005 UDPv4 link remote: 192.168.0.1:5000
Wed Mar 30 22:12:48 2005 write UDPv4 []: Operation not permitted (code=1)
Wed Mar 30 22:12:50 2005 write UDPv4 []: Operation not permitted (code=1)
Wed Mar 30 22:12:52 2005 write UDPv4 []: Operation not permitted (code=1)

Каких прав и куда ему не хватает?

А с правами кого ты openvpn запускаешь? У меня вот от nobody работает вроде неплохо. В конфиге есть user и group, копай туда. Хотя ето могут быть и не права, а че нить с фаерволом?

Пробовал поставить и ноубоди и рут... Не помогло...

А что и как нужно открыть в фаерволе? А то освоить iptables пока не удалось (даже начинал;)))

В скрипте фаервола пррописал --

$IPTABLES -A FORWARD -p udp --dport 1100:6000 -j ACCEPT

# iptables -nL

target prot opt source destination ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1100:6000

Поставил в конфиге:

proto tcp-server

Кажись всяё заработало:

# openvpn --config office1
OpenVPN 2.0_rc17 i686-pc-linux [SSL] [LZO] built on Mar 20 2005
WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Diffie-Hellman initialized with 1024 bit key
Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
TUN/TAP device tun0 opened
/sbin/ifconfig tun0 10.1.1.1 pointopoint 10.1.1.2 mtu 1500
/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.1.2
Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '8596e55e'
Expected Remote Options hash (VER=V4): '18e46e78'
GID set to nobody
UID set to nobody
Listening for incoming TCP connection on 192.168.0.4:5000

Что-то ничего не работает :( Так и весит:

Listening for incoming TCP connection on 192.168.0.4:5000

И не пингуется 10.1.1.*. Снова на фаервол похоже?

А так:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -d 192.168.0.4 -m udp -p udp --dport 5000 -j ACCEPT

Я решитл использовать tcp и порт по умолчанию

Attempting to establish TCP connection with 192.168.0.1:1194

всё на той же стадии стоит :(

Вводил:

# iptables -A INPUT -i tun+ -j ACCEPT

# iptables -A FORWARD -i tun+ -j ACCEPT

# iptables -A INPUT -d 192.168.0.4 -m tcp -p tcp --dport 1194 -j ACCEPT

Во время попытки подключения локальная сеть не пингуется.

$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

Но не пингуется и создаваемая:

$ ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

Слушай, может проще будет по асе этот вопрос решать? Моя 170160171. А то я так ещё год буду настраивать ;))

Не, я щаз запарен сильно, извини.

Ещё раз повторюсь. Я кое-что поменял. UDP на TCP и порты с 5000 на порт по умолчанию 1194

Attempting to establish TCP connection with 192.168.0.1:1194

Сервер вроде пускается (как проверить, работает ли он на самом деле?), а вот клиет останавливается на строке, которю я привёл выше и потом начинает:

TCP: connect to 192.168.0.1:1194 failed, will try again

ТСР: connect to 192.168.0.1:1194 failed, will try again

А ещё в системном логе я нашёл вот это:

Mar 31 15:43:30 darkstar kernel: device eth0 left promiscuous mode Mar 31 15:43:54 darkstar kernel: device tun0 entered promiscuous mode