OpenVPN: first steps. The client does not see the network behind the server.
Hello.
Sooner or later most system administrators come to the decision to set up a VPN. Now I want to join that majority too. I have no experience building virtual private networks, so to begin with I decided to try it on a virtual machine. I followed this article: http://www.lissyara.su/?id=1549. The connection is established, but the client does not see the network behind the VPN server.

server.conf
proto udp
dev tun
port 2000
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
server 10.10.100.0 255.255.255.0
route-method exe
push "route 10.0.0.0 255.255.255.0"
#push "dhcp-option DNS 10.0.0.5"
client-config-dir ccd
route 10.10.100.0 255.255.255.252
#route 10.0.0.0 255.255.255.0 10.10.100.1
#tls-server
tls-auth keys/ta.key 0
tls-timeout 120
auth MD5
cipher BF-CBC
keepalive 10 120
comp-lzo
max-clients 2
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3

openvpn.ovpn
dev tun
proto udp
remote 192.168.1.1
port 2000
client
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
tls-client
tls-auth ta.key 1
auth MD5
cipher BF-CBC
ns-cert-type server
comp-lzo
persist-key
persist-tun
verb 3
show-net-up

Server log
Thu Apr 2 15:40:46 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Mar 24 2009
Thu Apr 2 15:40:46 2009 Diffie-Hellman initialized with 1024 bit key
Thu Apr 2 15:40:47 2009 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Thu Apr 2 15:40:47 2009 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 2 15:40:47 2009 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 2 15:40:47 2009 TLS-Auth MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Thu Apr 2 15:40:47 2009 gw 10.0.0.11
Thu Apr 2 15:40:47 2009 TUN/TAP device /dev/tun0 opened
Thu Apr 2 15:40:47 2009 /sbin/ifconfig tun0 10.10.100.1 10.10.100.2 mtu 1500 netmask 255.255.255.255 up
Thu Apr 2 15:40:47 2009 /sbin/route add -net 10.10.100.0 10.10.100.2 255.255.255.252
add net 10.10.100.0: gateway 10.10.100.2
Thu Apr 2 15:40:47 2009 /sbin/route add -net 10.10.100.0 10.10.100.2 255.255.255.0
add net 10.10.100.0: gateway 10.10.100.2
Thu Apr 2 15:40:47 2009 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Apr 2 15:40:47 2009 GID set to openvpn
Thu Apr 2 15:40:47 2009 UID set to openvpn
Thu Apr 2 15:40:47 2009 UDPv4 link local (bound): [undef]:2000
Thu Apr 2 15:40:47 2009 UDPv4 link remote: [undef]
Thu Apr 2 15:40:47 2009 MULTI: multi_init called, r=256 v=256
Thu Apr 2 15:40:47 2009 IFCONFIG POOL: base=10.10.100.4 size=62
Thu Apr 2 15:40:47 2009 Initialization Sequence Completed
Thu Apr 2 15:43:17 2009 MULTI: multi_create_instance called
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Re-using SSL/TLS context
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 LZO compression initialized
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Local Options hash (VER=V4): '1056bce3'
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Expected Remote Options hash (VER=V4): '03fa487d'
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 TLS: Initial packet from 192.168.1.2:2000, sid=961616e1 a0f126d4
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 VERIFY OK: depth=1, /C=RU/ST=Omsk/L=Omsk/O=server/OU=server/CN=server/emailAddress=
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 VERIFY OK: depth=0, /C=RU/ST=Omsk/O=server/OU=server/CN=client/emailAddress=
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Apr 2 15:43:17 2009 192.168.1.2:2000 [client] Peer Connection Initiated with 192.168.1.2:2000
Thu Apr 2 15:43:17 2009 client/192.168.1.2:2000 OPTIONS IMPORT: reading client specific options from: ccd/client
Thu Apr 2 15:43:17 2009 client/192.168.1.2:2000 MULTI: Learn: 10.10.100.2 -> client/192.168.1.2:2000
Thu Apr 2 15:43:17 2009 client/192.168.1.2:2000 MULTI: primary virtual IP for client/192.168.1.2:2000: 10.10.100.2
Thu Apr 2 15:43:18 2009 client/192.168.1.2:2000 PUSH: Received control message: 'PUSH_REQUEST'
Thu Apr 2 15:43:18 2009 client/192.168.1.2:2000 SENT CONTROL [client]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.10.100.1,ping 10,ping-restart 120,ifconfig 10.10.100.2 10.10.100.1' (status=1)
Thu Apr 2 15:45:32 2009 client/192.168.1.2:2000 MULTI: bad source address from client [192.168.1.2], packet dropped
Thu Apr 2 15:45:34 2009 client/192.168.1.2:2000 MULTI: bad source address from client [192.168.1.2], packet dropped
Thu Apr 2 15:45:35 2009 client/192.168.1.2:2000 MULTI: bad source address from client [192.168.1.2], packet dropped
Thu Apr 2 15:51:10 2009 client/192.168.1.2:2000 [client] Inactivity timeout (--ping-restart), restarting
Thu Apr 2 15:51:10 2009 client/192.168.1.2:2000 SIGUSR1[soft,ping-restart] received, client-instance restarting

Client log
Thu Apr 02 15:43:16 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Thu Apr 02 15:43:16 2009 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Apr 02 15:43:16 2009 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 02 15:43:16 2009 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 02 15:43:16 2009 LZO compression initialized
Thu Apr 02 15:43:16 2009 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Thu Apr 02 15:43:16 2009 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Apr 02 15:43:16 2009 Local Options hash (VER=V4): '03fa487d'
Thu Apr 02 15:43:16 2009 Expected Remote Options hash (VER=V4): '1056bce3'
Thu Apr 02 15:43:16 2009 UDPv4 link local (bound): [undef]:2000
Thu Apr 02 15:43:16 2009 UDPv4 link remote: 192.168.1.1:2000
Thu Apr 02 15:43:16 2009 TLS: Initial packet from 192.168.1.1:2000, sid=12903bca d8356c6e
Thu Apr 02 15:43:16 2009 VERIFY OK: depth=1, /C=RU/ST=Omsk/L=Omsk/O=server/OU=server/CN=server/emailAddress=
Thu Apr 02 15:43:16 2009 VERIFY OK: nsCertType=SERVER
Thu Apr 02 15:43:16 2009 VERIFY OK: depth=0, /C=RU/ST=Omsk/O=server/OU=server/CN=server/emailAddress=
Thu Apr 02 15:43:17 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 02 15:43:17 2009 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 02 15:43:17 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 02 15:43:17 2009 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Apr 02 15:43:17 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Apr 02 15:43:17 2009 [server] Peer Connection Initiated with 192.168.1.1:2000
Thu Apr 02 15:43:18 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Apr 02 15:43:18 2009 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.10.100.1,ping 10,ping-restart 120,ifconfig 10.10.100.2 10.10.100.1'
Thu Apr 02 15:43:18 2009 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 02 15:43:18 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 02 15:43:18 2009 OPTIONS IMPORT: route options modified
Thu Apr 02 15:43:18 2009 TAP-WIN32 device [Подключение по локальной сети 2] opened: \\.\Global\{634FCA8C-EBAB-4C90-A6A3-3B101C7F534B}.tap
Thu Apr 02 15:43:18 2009 TAP-Win32 Driver Version 8.4
Thu Apr 02 15:43:18 2009 TAP-Win32 MTU=1500
Thu Apr 02 15:43:18 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.100.2/255.255.255.252 on interface {634FCA8C-EBAB-4C90-A6A3-3B101C7F534B} [DHCP-serv: 10.10.100.1, lease-time: 31536000]
Thu Apr 02 15:43:18 2009 Successful ARP Flush on interface [3] {634FCA8C-EBAB-4C90-A6A3-3B101C7F534B}
Thu Apr 02 15:43:18 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Thu Apr 02 15:43:18 2009 Route: Waiting for TUN/TAP interface to come up...
Thu Apr 02 15:43:19 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Thu Apr 02 15:43:19 2009 Route: Waiting for TUN/TAP interface to come up...
Thu Apr 02 15:43:20 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Thu Apr 02 15:43:20 2009 Route: Waiting for TUN/TAP interface to come up...
Thu Apr 02 15:43:21 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Thu Apr 02 15:43:21 2009 Route: Waiting for TUN/TAP interface to come up...
Thu Apr 02 15:43:22 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Thu Apr 02 15:43:22 2009 Route: Waiting for TUN/TAP interface to come up...
Thu Apr 02 15:43:23 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Thu Apr 02 15:43:23 2009 Route: Waiting for TUN/TAP interface to come up...
Thu Apr 02 15:43:24 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Apr 02 15:43:24 2009 route ADD 10.0.0.0 MASK 255.255.255.0 10.10.100.1
Thu Apr 02 15:43:24 2009 Route addition via IPAPI succeeded
Thu Apr 02 15:43:24 2009 OpenVPN ROUTE: omitted no-op route: 10.10.100.1/255.255.255.255 -> 10.10.100.1
SYSTEM ROUTING TABLE
10.0.0.0 255.255.255.0 10.10.100.1 p=0 i=3 t=4 pr=3 a=0 h=0 m=1/-1/-1/-1/-1
10.10.100.0 255.255.255.252 10.10.100.2 p=0 i=3 t=3 pr=2 a=0 h=0 m=30/-1/-1/-1/-1
10.10.100.2 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=0 h=0 m=30/-1/-1/-1/-1
10.255.255.255 255.255.255.255 10.10.100.2 p=0 i=3 t=3 pr=2 a=0 h=0 m=30/-1/-1/-1/-1
127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=27716 h=0 m=1/-1/-1/-1/-1
192.168.1.0 255.255.255.0 192.168.1.2 p=0 i=2 t=3 pr=2 a=24 h=0 m=20/-1/-1/-1/-1
192.168.1.2 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=24 h=0 m=20/-1/-1/-1/-1
192.168.1.255 255.255.255.255 192.168.1.2 p=0 i=2 t=3 pr=2 a=24 h=0 m=20/-1/-1/-1/-1
224.0.0.0 240.0.0.0 10.10.100.2 p=0 i=3 t=3 pr=2 a=0 h=0 m=30/-1/-1/-1/-1
224.0.0.0 240.0.0.0 192.168.1.2 p=0 i=2 t=3 pr=2 a=24 h=0 m=20/-1/-1/-1/-1
255.255.255.255 255.255.255.255 10.10.100.2 p=0 i=3 t=3 pr=2 a=27716 h=0 m=1/-1/-1/-1/-1
255.255.255.255 255.255.255.255 192.168.1.2 p=0 i=2 t=3 pr=2 a=27716 h=0 m=1/-1/-1/-1/-1
SYSTEM ADAPTER LIST
TAP-Win32 Adapter V8 - Минипорт планировщика пакетов
  Index = 3
  GUID = {634FCA8C-EBAB-4C90-A6A3-3B101C7F534B}
  IP = 10.10.100.2/255.255.255.252
  MAC = 00:ff:63:4f:ca:8c
  GATEWAY =
  DHCP SERV = 10.10.100.1
  DHCP LEASE OBTAINED = Thu Apr 02 15:43:24 2009
  DHCP LEASE EXPIRES = Fri Apr 02 15:43:24 2010
Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Минипорт планировщика пакетов
  Index = 2
  GUID = {3007B9D1-E1CF-4192-99DF-CAF8F2B165F6}
  IP = 192.168.1.2/255.255.255.0
  MAC = 00:1d:7d:e8:7b:ed
  GATEWAY =
Thu Apr 02 15:43:24 2009 Initialization Sequence Completed

ifconfig (server)
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0c:29:4b:76:9a
        inet 10.0.0.33 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect
        status: active
le1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0c:29:4b:76:a4
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.10.100.1 --> 10.10.100.2 netmask 0xffffffff
        Opened by PID 863

ipconfig (client)
Настройка протокола IP для Windows

Имя компьютера . . . . . . . . . : new
Основной DNS-суффикс . . . . . . : odp.local
Тип узла. . . . . . . . . . . . . : гибридный
IP-маршрутизация включена . . . . : нет
WINS-прокси включен . . . . . . . : нет

Подключение по локальной сети - Ethernet адаптер:
DNS-суффикс этого подключения . . :
Описание . . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Физический адрес. . . . . . . . . : 00-1D-7D-E8-7B-ED
Dhcp включен. . . . . . . . . . . : нет
IP-адрес . . . . . . . . . . . . : 192.168.1.2
Маска подсети . . . . . . . . . . : 255.255.255.0
Основной шлюз . . . . . . . . . . :

Подключение по локальной сети 2 - Ethernet адаптер:
DNS-суффикс этого подключения . . :
Описание . . . . . . . . . . . . : TAP-Win32 Adapter V8
Физический адрес. . . . . . . . . : 00-FF-63-4F-CA-8C
Dhcp включен. . . . . . . . . . . : да
Автонастройка включена . . . . . : да
IP-адрес . . . . . . . . . . . . : 10.10.100.2
Маска подсети . . . . . . . . . . : 255.255.255.252
Основной шлюз . . . . . . . . . . :
DHCP-сервер . . . . . . . . . . . : 10.10.100.1
Аренда получена . . . . . . . . . : 3 апреля 2009 г. 8:52:31
Аренда истекает . . . . . . . . . : 3 апреля 2010 г. 8:52:31

netstat -r (server)
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.11          UGS         0      163    le0
10.0.0.0           link#1             UC          0        0    le0
dc2.odp.local      00:04:23:b0:a8:8e  UHLW        1     1174    le0   1200
10.0.0.11          00:c0:26:a7:f0:c7  UHLW        2        1    le0    792
FreeBSD            00:0c:29:4b:76:9a  UHLW        1       20    lo0
new.odp.local      00:1d:7d:e8:7b:ed  UHLW        1      210    le0    757
buhs.odp.local     00:11:11:11:33:14  UHLW        1       45    le0   1158
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       50    le0
10.10.100.0/30     10.10.100.2        UGS         0        0   tun0 =>
10.10.100.0        10.10.100.2        UGS         0        0   tun0
10.10.100.2        10.10.100.1        UH          2        0   tun0
localhost          localhost          UH          0       30    lo0
192.168.1.0        link#2             UC          0        0    le1
192.168.1.2        00:1d:7d:e8:7b:ed  UHLW        1       68    le1   1085
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1       63    le1

Internet6:
Destination        Gateway            Flags    Netif Expire
localhost          localhost          UHL      lo0
fe80::%lo0         fe80::1%lo0        U        lo0
fe80::1%lo0        link#4             UHL      lo0
ff01:4::           fe80::1%lo0        UC       lo0
ff02::%lo0         fe80::1%lo0        UC       lo0

route (client)
===========================================================================
Список интерфейсов
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 7d e8 7b ed ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Минипорт планировщика пакетов
0x3 ...00 ff 63 4f ca 8c ...... TAP-Win32 Adapter V8 - Минипорт планировщика пакетов
===========================================================================
===========================================================================
Активные маршруты:
Сетевой адрес      Маска сети         Адрес шлюза     Интерфейс    Метрика
10.0.0.0           255.255.255.0      10.10.100.1     10.10.100.2        1
10.10.100.0        255.255.255.252    10.10.100.2     10.10.100.2       30
10.10.100.2        255.255.255.255    127.0.0.1       127.0.0.1         30
10.255.255.255     255.255.255.255    10.10.100.2     10.10.100.2       30
127.0.0.0          255.0.0.0          127.0.0.1       127.0.0.1          1
192.168.1.0        255.255.255.0      192.168.1.2     192.168.1.2       20
192.168.1.2        255.255.255.255    127.0.0.1       127.0.0.1         20
192.168.1.255      255.255.255.255    192.168.1.2     192.168.1.2       20
224.0.0.0          240.0.0.0          10.10.100.2     10.10.100.2       30
224.0.0.0          240.0.0.0          192.168.1.2     192.168.1.2       20
255.255.255.255    255.255.255.255    10.10.100.2     10.10.100.2        1
255.255.255.255    255.255.255.255    192.168.1.2     192.168.1.2        1
===========================================================================
Постоянные маршруты:
Отсутствует
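An added example (my own code, not the original poster's): a small Python parser for the server log above. It records which virtual IP the server learned for each client (the "MULTI: Learn" lines) and explains every "bad source address" drop by comparing the rejected source against that learned address, the tunnel subnet and the client's real endpoint address. The sample lines are constructed from the log in this post; the 192.168.5.7 entry is invented to show the remaining branch.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the server log in the post; the
# 192.168.5.7 line is invented to exercise the "no iroute" branch.
SAMPLE_LOG = """\
Thu Apr 2 15:43:17 2009 client/192.168.1.2:2000 MULTI: Learn: 10.10.100.2 -> client/192.168.1.2:2000
Thu Apr 2 15:45:32 2009 client/192.168.1.2:2000 MULTI: bad source address from client [192.168.1.2], packet dropped
Thu Apr 2 15:45:34 2009 client/192.168.1.2:2000 MULTI: bad source address from client [192.168.1.2], packet dropped
Thu Apr 2 15:46:01 2009 client/192.168.1.2:2000 MULTI: bad source address from client [192.168.5.7], packet dropped
"""

# Every per-client message is prefixed with "<CN>/<endpoint ip>:<port>".
PEER = r" (\S+?)/(\d+\.\d+\.\d+\.\d+):\d+ "
LEARN_RE = re.compile(PEER + r"MULTI: Learn: (\S+) -> ")
BAD_RE = re.compile(PEER + r"MULTI: bad source address from client \[([^\]]+)\]")


def classify(src, endpoint, learned, tunnel):
    """Explain why the server refused a tunnel packet with source `src`."""
    addr = ip_address(src)
    if addr in learned:
        return "tunnel address the server learned for this client"
    if src == endpoint:
        return "client's own physical (endpoint) address: packet sourced from the LAN interface, not the tunnel"
    if addr in tunnel:
        return "tunnel-subnet address never learned for this client"
    return "address behind the client with no iroute: the server cannot attribute it to this client"


def analyse(log_text, tunnel_net="10.10.100.0/24"):
    """Return one finding per (client, rejected source) with a drop count."""
    tunnel = ip_network(tunnel_net)
    learned = {}   # CN -> set of virtual IPs the server accepted for it
    drops = {}     # (CN, endpoint, source) -> number of dropped packets
    for line in log_text.splitlines():
        m = LEARN_RE.search(line)
        if m:
            cn, _endpoint, vip = m.groups()
            learned.setdefault(cn, set()).add(ip_address(vip))
            continue
        m = BAD_RE.search(line)
        if m:
            drops[m.groups()] = drops.get(m.groups(), 0) + 1
    return [
        {"cn": cn, "source": src, "dropped": n,
         "reason": classify(src, endpoint, learned.get(cn, set()), tunnel)}
        for (cn, endpoint, src), n in drops.items()
    ]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['cn']}: {f['dropped']} packet(s) from {f['source']} dropped: {f['reason']}")
```

On the log in this post the rejected source 192.168.1.2 is the client's own endpoint address, not its tunnel address 10.10.100.2, which is what the server checks packets against.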
Guys, I don't know how you solved this problem, but I have run into the very same thing. OpenVPN lets the client reach the machine on which the OpenVPN server itself is installed. But beyond that, into the internal network, there is no getting through at all.
I think the problem is routing (the OpenVPN server is not a router), but I just can't figure out where to dig... Please help with some advice!
Time: 10:40.
© OSzone.net 2001-