LINUX.ORG.RU

Messages by ecspl01t

Server cannot connect to an OpenVPN server

Input data: the first server, hereafter vpn_1; the second server, hereafter vpn_2. All servers run Debian 10 and were set up following this guide: https://www.8host.com/blog/nastrojka-servera-openvpn-v-debian-10/

After bringing up several OpenVPN servers I tested that they work. A client can connect to each VPN server.

Now I am trying to connect the vpn_1 server to the vpn_2 server, after which the terminal hangs; the logs:

Sat Jul 31 18:17:29 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Sat Jul 31 18:17:29 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sat Jul 31 18:17:29 2021 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jul 31 18:17:29 2021 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jul 31 18:17:29 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]server_vpn2:1194
Sat Jul 31 18:17:29 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jul 31 18:17:29 2021 UDP link local: (not bound)
Sat Jul 31 18:17:29 2021 UDP link remote: [AF_INET]server_vpn2:1194
Sat Jul 31 18:17:29 2021 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jul 31 18:17:29 2021 TLS: Initial packet from [AF_INET]server_vpn2:1194, sid=9ddc72fa ddd275ca
Sat Jul 31 18:17:29 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Jul 31 18:17:29 2021 VERIFY KU OK
Sat Jul 31 18:17:29 2021 Validating certificate extended key usage
Sat Jul 31 18:17:29 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 31 18:17:29 2021 VERIFY EKU OK
Sat Jul 31 18:17:29 2021 VERIFY OK: depth=0, CN=server
Sat Jul 31 18:17:30 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Jul 31 18:17:30 2021 [server] Peer Connection Initiated with [AF_INET]server_vpn2:1194
Sat Jul 31 18:17:31 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 31 18:17:31 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Jul 31 18:17:31 2021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: route options modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: peer-id set
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: data channel crypto options modified
Sat Jul 31 18:17:31 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Jul 31 18:17:31 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:17:31 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:17:31 2021 ROUTE_GATEWAY server_vpn1/255.255.255.0 IFACE=eth0 HWADDR=22:54:00:fc:3b:b1
Sat Jul 31 18:17:31 2021 TUN/TAP device tun0 opened
Sat Jul 31 18:17:31 2021 TUN/TAP TX queue length set to 100
Sat Jul 31 18:17:31 2021 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul 31 18:17:31 2021 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sat Jul 31 18:17:31 2021 /sbin/ip route add server_vpn2/32 via server_vpn1
Sat Jul 31 18:17:31 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Jul 31 18:17:31 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Jul 31 18:17:31 2021 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sat Jul 31 18:17:31 2021 GID set to nogroup
Sat Jul 31 18:17:31 2021 UID set to nobody
Sat Jul 31 18:17:31 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jul 31 18:17:31 2021 Initialization Sequence Completed
Sat Jul 31 18:21:34 2021 [server] Inactivity timeout (--ping-restart), restarting
Sat Jul 31 18:21:34 2021 SIGUSR1[soft,ping-restart] received, process restarting
Sat Jul 31 18:21:34 2021 Restart pause, 5 second(s)
Sat Jul 31 18:21:39 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]server_vpn2:1194
Sat Jul 31 18:21:39 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jul 31 18:21:39 2021 UDP link local: (not bound)
Sat Jul 31 18:21:39 2021 UDP link remote: [AF_INET]server_vpn2:1194
Sat Jul 31 18:21:39 2021 TLS: Initial packet from [AF_INET]server_vpn2:1194, sid=c839268b 87b99781
Sat Jul 31 18:21:39 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Jul 31 18:21:39 2021 VERIFY KU OK
Sat Jul 31 18:21:39 2021 Validating certificate extended key usage
Sat Jul 31 18:21:39 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 31 18:21:39 2021 VERIFY EKU OK
Sat Jul 31 18:21:39 2021 VERIFY OK: depth=0, CN=server
Sat Jul 31 18:21:39 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Jul 31 18:21:39 2021 [server] Peer Connection Initiated with [AF_INET]server_vpn2:1194
Sat Jul 31 18:21:40 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 31 18:21:40 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Jul 31 18:21:40 2021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: route options modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: peer-id set
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: data channel crypto options modified
Sat Jul 31 18:21:40 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Jul 31 18:21:40 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:21:40 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:21:40 2021 Preserving previous TUN/TAP instance: tun0
Sat Jul 31 18:21:40 2021 Initialization Sequence Completed
Sat Jul 31 18:26:02 2021 [server] Inactivity timeout (--ping-restart), restarting
Sat Jul 31 18:26:02 2021 SIGUSR1[soft,ping-restart] received, process restarting
Sat Jul 31 18:26:02 2021 Restart pause, 5 second(s)
Sat Jul 31 18:26:07 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]server_vpn2:1194
Sat Jul 31 18:26:07 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jul 31 18:26:07 2021 UDP link local: (not bound)
Sat Jul 31 18:26:07 2021 UDP link remote: [AF_INET]server_vpn2:1194
Sat Jul 31 18:26:07 2021 TLS: Initial packet from [AF_INET]server_vpn2:1194, sid=a3b0f535 1ec34abd
Sat Jul 31 18:26:07 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Jul 31 18:26:07 2021 VERIFY KU OK
Sat Jul 31 18:26:07 2021 Validating certificate extended key usage
Sat Jul 31 18:26:07 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 31 18:26:07 2021 VERIFY EKU OK
Sat Jul 31 18:26:07 2021 VERIFY OK: depth=0, CN=server
Sat Jul 31 18:26:07 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Jul 31 18:26:07 2021 [server] Peer Connection Initiated with [AF_INET]server_vpn2:1194
Sat Jul 31 18:26:08 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 31 18:26:08 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM'
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: route options modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: peer-id set
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: data channel crypto options modified
Sat Jul 31 18:26:08 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Jul 31 18:26:08 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:26:08 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:26:08 2021 Preserving previous TUN/TAP instance: tun0
Sat Jul 31 18:26:08 2021 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sat Jul 31 18:26:08 2021 /sbin/ip route del 10.8.0.1/32
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 /sbin/ip route del server_vpn2/32
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 /sbin/ip route del 0.0.0.0/1
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 /sbin/ip route del 128.0.0.0/1
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 Closing TUN/TAP interface
Sat Jul 31 18:26:08 2021 /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
Sat Jul 31 18:26:08 2021 Linux ip addr del failed: external program exited with error status: 2
Sat Jul 31 18:26:09 2021 ROUTE_GATEWAY server_vpn1/255.255.255.0 IFACE=eth0 HWADDR=22:54:00:fc:3b:b1
Sat Jul 31 18:26:09 2021 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Sat Jul 31 18:26:09 2021 Exiting due to fatal error


server.conf config of vpn_1 and vpn_2:
port 1194 / 443 (vpn_2)

proto udp / tcp (vpn_2)

dev tun

ca ca.crt
cert vpn_1.crt
key vpn_1.key  

dh dh.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "block-outside-dns"

keepalive 10 120

tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256

user nobody
group nogroup

persist-key
persist-tun

verb 0

explicit-exit-notify 1

server_vpn1#: openvpn --client --config ./config.ovpn

config.ovpn

client

dev tun

proto tcp

remote server_vpn1 443

resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

remote-cert-tls server

cipher AES-256-CBC
auth SHA256
key-direction 1


script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

verb 3

<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>

The scheme I want to get: client1->vpn_1->vpn_2->internet

Message markup does not seem to work. Only code works.
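An added triage script (not from the post or from OpenVPN) that reads the client log above and extracts the facts a practitioner looks for first: the unrecognized pushed option, how long each tunnel lived before a ping-restart, and that the final TUN reopen happened after privileges were dropped. The log excerpt is constructed from the lines of the post; the finding texts are this script's own wording.

```python
import re
from datetime import datetime

# Constructed excerpt of the client log posted above (only the lines that matter for triage).
SAMPLE_LOG = """\
Sat Jul 31 18:17:31 2021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Sat Jul 31 18:17:31 2021 GID set to nogroup
Sat Jul 31 18:17:31 2021 UID set to nobody
Sat Jul 31 18:17:31 2021 Initialization Sequence Completed
Sat Jul 31 18:21:34 2021 [server] Inactivity timeout (--ping-restart), restarting
Sat Jul 31 18:21:40 2021 Initialization Sequence Completed
Sat Jul 31 18:26:02 2021 [server] Inactivity timeout (--ping-restart), restarting
Sat Jul 31 18:26:08 2021 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sat Jul 31 18:26:09 2021 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Sat Jul 31 18:26:09 2021 Exiting due to fatal error
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
UNKNOWN_OPT_RE = re.compile(r"Unrecognized option.*\[PUSH-OPTIONS\]:\d+: (\S+)")
WINDOWS_ONLY_PUSH = {"block-outside-dns"}  # option exists only in the Windows client


def parse_lines(text):
    """Yield (timestamp, message) for every line carrying an OpenVPN timestamp."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def triage(text):
    r = {"unknown_push_options": [], "uid_dropped": False, "ping_restarts": 0,
         "session_seconds": [], "tun_reopen_failed": False, "fatal": None}
    up_since = None  # time of the last "Initialization Sequence Completed"
    for ts, msg in parse_lines(text):
        m = UNKNOWN_OPT_RE.search(msg)
        if m:
            if m.group(1) not in r["unknown_push_options"]:
                r["unknown_push_options"].append(m.group(1))
        elif msg.startswith("UID set to "):
            r["uid_dropped"] = True  # CAP_NET_ADMIN is gone from here on
        elif msg == "Initialization Sequence Completed":
            up_since = ts
        elif "Inactivity timeout (--ping-restart)" in msg:
            r["ping_restarts"] += 1
            if up_since is not None:
                r["session_seconds"].append(int((ts - up_since).total_seconds()))
                up_since = None
        elif "Cannot ioctl TUNSETIFF" in msg:
            r["tun_reopen_failed"] = True
        elif msg.startswith("Exiting due to fatal error"):
            r["fatal"] = msg
    r["findings"] = findings(r)
    return r


def findings(r):
    out = [f"server pushes {o}, a Windows-only option; a Linux client ignores it, drop it from the push list"
           for o in r["unknown_push_options"] if o in WINDOWS_ONLY_PUSH]
    if r["ping_restarts"]:
        out.append(f"{r['ping_restarts']} ping-restart(s): nothing received from the peer for the ping-restart interval")
    if r["tun_reopen_failed"] and r["uid_dropped"]:
        out.append("TUN reopen failed after dropping to user nobody: changed pulled options forced a reopen, which needs CAP_NET_ADMIN")
    return out
```

Run `triage(open("client.log").read())["findings"]` against a real log; the session durations show whether the tunnel dies at exactly the ping-restart interval (120 s here) or sooner.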

ecspl01t

MikroTik port forwarding

Good day!
I did not know where else to take this question, so forgive me!
There is a MikroTik with a server and users connected to it.
The server runs nginx; by the internal IP I reach the web server, but by the external IP I do not.
I set up a forward in the NAT section, but it only applies to those who connect from outside. How do I make it so that I too can reach the web server by the external IP/domain?

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 95.*.*.* 1
1 S 0.0.0.0/0 192.168.88.1 1
2 ADC 95.*.*.*/28 95.*.*.* ether1 0
3 ADC 192.168.88.0/24 192.168.88.1 bridge-local

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1

7 ;;; web-server
chain=dstnat action=dst-nat to-addresses=192.168.88.243 to-ports=80 protocol=tcp dst-address=95.*.*.* in-interface=ether1 dst-port=80

8 chain=dstnat action=dst-nat to-addresses=192.168.88.243 to-ports=3000 protocol=tcp dst-address=95.*.*.* in-interface=ether1 dst-port=3000

ecspl01t

Problems with locale

Good day.
A problem with locale appeared, and I cannot fix it.
# locale
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
LANG=ru_UA.UTF-8
LANGUAGE=ru_UA:ru
LC_CTYPE="ru_UA.UTF-8"
LC_NUMERIC="ru_UA.UTF-8"
LC_TIME="ru_UA.UTF-8"
LC_COLLATE="ru_UA.UTF-8"
LC_MONETARY="ru_UA.UTF-8"
LC_MESSAGES="ru_UA.UTF-8"
LC_PAPER="ru_UA.UTF-8"
LC_NAME="ru_UA.UTF-8"
LC_ADDRESS="ru_UA.UTF-8"
LC_TELEPHONE="ru_UA.UTF-8"
LC_MEASUREMENT="ru_UA.UTF-8"
LC_IDENTIFICATION="ru_UA.UTF-8"
LC_ALL=ru_UA.UTF-8

# locale -a
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_COLLATE to default locale: No such file or directory
C
C.UTF-8
POSIX

# export LC_ALL="ru_UA.UTF-8"
-bash: warning: setlocale: LC_ALL: cannot change locale (ru_UA.UTF-8)

# dpkg-reconfigure locales
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "ru_UA:ru",
LC_ALL = "ru_UA.UTF-8",
LC_PAPER = "ru_UA.UTF-8",
LC_ADDRESS = "ru_UA.UTF-8",
LC_MONETARY = "ru_UA.UTF-8",
LC_NUMERIC = "ru_UA.UTF-8",
LC_TELEPHONE = "ru_UA.UTF-8",
LC_IDENTIFICATION = "ru_UA.UTF-8",
LC_MEASUREMENT = "ru_UA.UTF-8",
LC_TIME = "ru_UA.UTF-8",
LC_NAME = "ru_UA.UTF-8",
LANG = "ru_UA.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
/usr/sbin/dpkg-reconfigure: locales is broken or not fully installed

/etc/default/locale:
LANG="ru_UA.UTF-8"
LANGUAGE="ru_UA:ru"
LC_ALL="ru_UA.UTF-8"

This also arrives in my mailbox:
/etc/cron.weekly/man-db:
/usr/bin/mandb: can't set the locale; make sure $LC_* and $LANG are correct

ecspl01t

Software RAID1 on Debian

Good day! I created the RAID during the Debian installation, and everything seemed to go fine there. After the installation I did not check whether it works or not. I did not set a mount point. After the system booted I ran mount /dev/md0 /data and then started copying data there. This morning I decided to check that the RAID1 actually works. I disconnected one of the drives and started the server. All fine, the data is there. I disconnected the other drive: no data. I connected both drives back and ran

# mdadm --monitor /dev/md0

the answer:

mdadm: Monitor using email address "root" from config file
mdadm: Warning: One autorebuild process already running.

and this also came to my mailbox:

A DegradedArray event had been detected on md device /dev/md0.

Faithfully yours, etc.

P.S. The /proc/mdstat file currently contains the following:

Personalities : [raid1]
md0 : active raid1 sdb1[0]
      976629568 blocks super 1.2 [2/1] [U_]

unused devices: <none>

I do not know what it should say for a working RAID, but in the line md0 : active raid1 sdb1 it seems that disk sdc is missing..

----

# fdisk -l

Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x000edb1f

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048  1953523711   976760832   fd  Linux raid autodetect

Disk /dev/sdc: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x0001e50b

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048  1953523711   976760832   fd  Linux raid autodetect

Disk /dev/sda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000ae539

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048   232421375   116209664   83  Linux
/dev/sda2       232421376   234440703     1009664   82  Linux swap / Solaris

Disk /dev/md0: 1000.1 GB, 1000068677632 bytes
2 heads, 4 sectors/track, 244157392 cylinders, total 1953259136 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x00000000

Disk /dev/md0 doesn't contain a valid partition table

---

# df -h

Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  110G  2.1G  102G   2% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                   1.6G  292K  1.6G   1% /run
/dev/disk/by-uuid/172fee51-841c-4a73-a5ed-2ff6cb320015  110G  2.1G  102G   2% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   3.4G     0  3.4G   0% /run/shm
/dev/md0
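An added check (not from the post or from mdadm) that parses the /proc/mdstat text shown above and reports which mirror slot is empty, so the "[2/1] [U_]" notation is read mechanically rather than by eye. The degraded sample is taken from the post; the healthy sample is constructed for comparison.

```python
import re

# Constructed /proc/mdstat samples: DEGRADED mirrors the post above, HEALTHY is a two-disk mirror with both members present.
DEGRADED = """\
Personalities : [raid1]
md0 : active raid1 sdb1[0]
      976629568 blocks super 1.2 [2/1] [U_]

unused devices: <none>
"""
HEALTHY = """\
Personalities : [raid1]
md0 : active raid1 sdc1[1] sdb1[0]
      976629568 blocks super 1.2 [2/2] [UU]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\S+) (raid\d+|linear|multipath) (.*)$")
MEMBER_RE = re.compile(r"(\S+?)\[(\d+)\](\([A-Z]\))?")   # sdb1[0], sdc1[1](F) failed, (S) spare
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")    # [expected/active] [UU_] per slot


def parse_mdstat(text):
    """Return one dict per md array with its members and degraded status."""
    arrays, current = [], None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            current = {"name": m.group(1), "state": m.group(2), "level": m.group(3),
                       "members": [], "failed": [], "spares": []}
            for dev, _slot, flag in MEMBER_RE.findall(m.group(4)):
                current["members"].append(dev)
                if flag == "(F)":
                    current["failed"].append(dev)
                elif flag == "(S)":
                    current["spares"].append(dev)
            arrays.append(current)
            continue
        m = STATUS_RE.search(line)
        if m and current is not None:
            expected, active, flags = int(m.group(1)), int(m.group(2)), m.group(3)
            current.update(expected=expected, active=active,
                           missing_slots=[i for i, c in enumerate(flags) if c == "_"],
                           degraded=active < expected)
    return arrays


def describe(array):
    """One-line human summary of an array parsed by parse_mdstat()."""
    if not array.get("degraded"):
        return f"{array['name']}: {array['level']} healthy, {array['active']}/{array['expected']} devices"
    return (f"{array['name']}: {array['level']} DEGRADED, {array['active']}/{array['expected']} devices, "
            f"empty slot(s) {array['missing_slots']}, present: {', '.join(array['members'])}")
```

On the system from the post, `mdadm --detail /dev/md0` shows the same slot table in long form.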

ecspl01t

Partitioning for two RAID 1 arrays

Good day! I ordered two 120 GB SSDs and two 1 TB HDDs. I want to build two RAID 1 arrays. The question is how to partition correctly. I thought I would put the system (Linux) on the SSD RAID1 and data on the HDD one. But I do not understand how to partition it that way during the distribution (Debian) install. Please tell me how to do it!

P.S. How will the system see all of this in the end? Whenever I installed Linux before, there was always just one HDD.

ecspl01t