OpenVPN on an RT-AC66U router with DD-WRT

Jirka_Ka

OpenVPN on an RT-AC66U router with DD-WRT
« on: 25. 12. 2016, 17:43:17 »
Hi, I'd like to ask for help with configuring the router named above. I have the certificates, but somehow I can't get the server running. Thanks for any advice.
« Last edit: 27. 12. 2016, 10:28:37 by Petr Krčmář »


alfi

Re: OpenVPN on an Asus AC66U router - DD-WRT
« Reply #1 on: 25. 12. 2016, 21:14:50 »
"Something went wrong" is very hard to answer (at most with "something got tightened", see the by now classic exchange between pilots and mechanics :-) ). On both the server and the client, openvpn writes the details of the error to the log; if it doesn't, just raise verb(osity) and then it does - or at least it points you to which of the roughly hundred possible places the problem is in.

Jirka_Ka

Re: OpenVPN on an RT-AC66U router with DD-WRT
« Reply #2 on: 27. 12. 2016, 20:58:58 »
Well, I'm not really sure what to do next, mainly with the routing:

Here is the log from my phone:

2016-12-27 20:40:33 oficiální verze 0.6.60 running on Sony D5803 (MSM8974), Android 6.0.1 (23.5.A.1.291) API 23, ABI armeabi-v7a, (Sony/D5803/D5803:6.0.1/23.5.A.1.291/2769308465:user/release-keys)
2016-12-27 20:40:33 Vytvářím konfiguraci…
2016-12-27 20:40:33 started Socket Thread
2016-12-27 20:40:33 Stav sítě: CONNECTED LTE to MOBILE internet
2016-12-27 20:40:33 P:Initializing Google Breakpad!
2016-12-27 20:40:33 Current Parameter Settings:
2016-12-27 20:40:33   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2016-12-27 20:40:33   mode = 0
2016-12-27 20:40:33   show_ciphers = DISABLED
2016-12-27 20:40:33   show_digests = DISABLED
2016-12-27 20:40:33   show_engines = DISABLED
2016-12-27 20:40:33   genkey = DISABLED
2016-12-27 20:40:33   key_pass_file = '[UNDEF]'
2016-12-27 20:40:33   show_tls_ciphers = DISABLED
2016-12-27 20:40:33   connect_retry_max = 0
2016-12-27 20:40:33 Connection profiles [0]:
2016-12-27 20:40:33   proto = udp
2016-12-27 20:40:33   local = '[UNDEF]'
2016-12-27 20:40:33   local_port = '1194'
2016-12-27 20:40:33   remote = '213.X.X.X'
2016-12-27 20:40:33   remote_port = '1194'
2016-12-27 20:40:33   remote_float = DISABLED
2016-12-27 20:40:33   bind_defined = DISABLED
2016-12-27 20:40:33   bind_local = ENABLED
2016-12-27 20:40:33   bind_ipv6_only = DISABLED
2016-12-27 20:40:33   connect_retry_seconds = 2
2016-12-27 20:40:33   connect_timeout = 120
2016-12-27 20:40:33   socks_proxy_server = '[UNDEF]'
2016-12-27 20:40:33   socks_proxy_port = '[UNDEF]'
2016-12-27 20:40:33   tun_mtu = 1500
2016-12-27 20:40:33   tun_mtu_defined = ENABLED
2016-12-27 20:40:33   link_mtu = 1500
2016-12-27 20:40:33   link_mtu_defined = DISABLED
2016-12-27 20:40:33   tun_mtu_extra = 0
2016-12-27 20:40:33   tun_mtu_extra_defined = DISABLED
2016-12-27 20:40:33   mtu_discover_type = -1
2016-12-27 20:40:33   fragment = 0
2016-12-27 20:40:33   mssfix = 1450
2016-12-27 20:40:33   explicit_exit_notification = 0
2016-12-27 20:40:33 Connection profiles END
2016-12-27 20:40:33   remote_random = DISABLED
2016-12-27 20:40:33   ipchange = '[UNDEF]'
2016-12-27 20:40:33   dev = 'tun'
2016-12-27 20:40:33   dev_type = '[UNDEF]'
2016-12-27 20:40:33   dev_node = '[UNDEF]'
2016-12-27 20:40:33   lladdr = '[UNDEF]'
2016-12-27 20:40:33   topology = 1
2016-12-27 20:40:33   ifconfig_local = '[UNDEF]'
2016-12-27 20:40:33   ifconfig_remote_netmask = '[UNDEF]'
2016-12-27 20:40:33   ifconfig_noexec = DISABLED
2016-12-27 20:40:33   ifconfig_nowarn = ENABLED
2016-12-27 20:40:33   ifconfig_ipv6_local = '[UNDEF]'
2016-12-27 20:40:33   ifconfig_ipv6_netbits = 0
2016-12-27 20:40:33   ifconfig_ipv6_remote = '[UNDEF]'
2016-12-27 20:40:33   shaper = 0
2016-12-27 20:40:33   mtu_test = 0
2016-12-27 20:40:33   mlock = DISABLED
2016-12-27 20:40:33   keepalive_ping = 0
2016-12-27 20:40:33   keepalive_timeout = 0
2016-12-27 20:40:33   inactivity_timeout = 0
2016-12-27 20:40:33   ping_send_timeout = 0
2016-12-27 20:40:33   ping_rec_timeout = 0
2016-12-27 20:40:33   ping_rec_timeout_action = 0
2016-12-27 20:40:33   ping_timer_remote = DISABLED
2016-12-27 20:40:33   remap_sigusr1 = 0
2016-12-27 20:40:33   persist_tun = DISABLED
2016-12-27 20:40:33   persist_local_ip = DISABLED
2016-12-27 20:40:33   persist_remote_ip = DISABLED
2016-12-27 20:40:33   persist_key = DISABLED
2016-12-27 20:40:33   passtos = DISABLED
2016-12-27 20:40:33   resolve_retry_seconds = 60
2016-12-27 20:40:33   resolve_in_advance = DISABLED
2016-12-27 20:40:33   username = '[UNDEF]'
2016-12-27 20:40:33   groupname = '[UNDEF]'
2016-12-27 20:40:33   chroot_dir = '[UNDEF]'
2016-12-27 20:40:33   cd_dir = '[UNDEF]'
2016-12-27 20:40:33   writepid = '[UNDEF]'
2016-12-27 20:40:33   up_script = '[UNDEF]'
2016-12-27 20:40:33   down_script = '[UNDEF]'
2016-12-27 20:40:33   down_pre = DISABLED
2016-12-27 20:40:33   up_restart = DISABLED
2016-12-27 20:40:33   up_delay = DISABLED
2016-12-27 20:40:33   daemon = DISABLED
2016-12-27 20:40:33   inetd = 0
2016-12-27 20:40:33   log = DISABLED
2016-12-27 20:40:33   suppress_timestamps = DISABLED
2016-12-27 20:40:33   machine_readable_output = ENABLED
2016-12-27 20:40:33   nice = 0
2016-12-27 20:40:33   verbosity = 4
2016-12-27 20:40:33   mute = 0
2016-12-27 20:40:33   gremlin = 0
2016-12-27 20:40:33   status_file = '[UNDEF]'
2016-12-27 20:40:33   status_file_version = 1
2016-12-27 20:40:33   status_file_update_freq = 60
2016-12-27 20:40:33   occ = ENABLED
2016-12-27 20:40:33   rcvbuf = 0
2016-12-27 20:40:33   sndbuf = 0
2016-12-27 20:40:33   sockflags = 0
2016-12-27 20:40:33   fast_io = DISABLED
2016-12-27 20:40:33   comp.alg = 2
2016-12-27 20:40:33   comp.flags = 1
2016-12-27 20:40:33   route_script = '[UNDEF]'
2016-12-27 20:40:33   route_default_gateway = '[UNDEF]'
2016-12-27 20:40:33   route_default_metric = 0
2016-12-27 20:40:33   route_noexec = DISABLED
2016-12-27 20:40:33   route_delay = 0
2016-12-27 20:40:33   route_delay_window = 30
2016-12-27 20:40:33   route_delay_defined = DISABLED
2016-12-27 20:40:33   route_nopull = DISABLED
2016-12-27 20:40:33   route_gateway_via_dhcp = DISABLED
2016-12-27 20:40:33   allow_pull_fqdn = DISABLED
2016-12-27 20:40:33   route 0.0.0.0/0.0.0.0/vpn_gateway/default (not set)
2016-12-27 20:40:33   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2016-12-27 20:40:33   management_port = 'unix'
2016-12-27 20:40:33   management_user_pass = '[UNDEF]'
2016-12-27 20:40:33   management_log_history_cache = 250
2016-12-27 20:40:33   management_echo_buffer_size = 100
2016-12-27 20:40:33   management_write_peer_info_file = '[UNDEF]'
2016-12-27 20:40:33   management_client_user = '[UNDEF]'
2016-12-27 20:40:33   management_client_group = '[UNDEF]'
2016-12-27 20:40:33   management_flags = 4390
2016-12-27 20:40:33   shared_secret_file = '[UNDEF]'
2016-12-27 20:40:33   key_direction = 0
2016-12-27 20:40:33   ciphername = 'BF-CBC'
2016-12-27 20:40:33   authname = 'SHA1'
2016-12-27 20:40:33   prng_hash = 'SHA1'
2016-12-27 20:40:33   prng_nonce_secret_len = 16
2016-12-27 20:40:33   keysize = 0
2016-12-27 20:40:33   engine = DISABLED
2016-12-27 20:40:33   replay = ENABLED
2016-12-27 20:40:33   mute_replay_warnings = DISABLED
2016-12-27 20:40:33   replay_window = 64
2016-12-27 20:40:33   replay_time = 15
2016-12-27 20:40:33   packet_id_file = '[UNDEF]'
2016-12-27 20:40:33   use_iv = ENABLED
2016-12-27 20:40:33   test_crypto = DISABLED
2016-12-27 20:40:33   tls_server = DISABLED
2016-12-27 20:40:33   tls_client = ENABLED
2016-12-27 20:40:33   key_method = 2
2016-12-27 20:40:33   ca_file = '[[INLINE]]'
2016-12-27 20:40:33   ca_path = '[UNDEF]'
2016-12-27 20:40:33   dh_file = '[UNDEF]'
2016-12-27 20:40:33   cert_file = '[[INLINE]]'
2016-12-27 20:40:33   extra_certs_file = '[UNDEF]'
2016-12-27 20:40:33   priv_key_file = '[[INLINE]]'
2016-12-27 20:40:33   pkcs12_file = '[UNDEF]'
2016-12-27 20:40:33   cipher_list = '[UNDEF]'
2016-12-27 20:40:33   tls_verify = '[UNDEF]'
2016-12-27 20:40:33   tls_export_cert = '[UNDEF]'
2016-12-27 20:40:33   verify_x509_type = 0
2016-12-27 20:40:33   verify_x509_name = '[UNDEF]'
2016-12-27 20:40:33   crl_file = '[UNDEF]'
2016-12-27 20:40:33   ns_cert_type = 0
2016-12-27 20:40:33   remote_cert_ku = 160
2016-12-27 20:40:33   remote_cert_ku = 136
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_ku = 0
2016-12-27 20:40:33   remote_cert_eku = 'TLS Web Server Authentication'
2016-12-27 20:40:33   ssl_flags = 0
2016-12-27 20:40:33   tls_timeout = 2
2016-12-27 20:40:33   renegotiate_bytes = 0
2016-12-27 20:40:33   renegotiate_packets = 0
2016-12-27 20:40:33   renegotiate_seconds = 3600
2016-12-27 20:40:33   handshake_window = 60
2016-12-27 20:40:33   transition_window = 3600
2016-12-27 20:40:33   single_session = DISABLED
2016-12-27 20:40:33   push_peer_info = DISABLED
2016-12-27 20:40:33   tls_exit = DISABLED
2016-12-27 20:40:33   tls_auth_file = '[UNDEF]'
2016-12-27 20:40:33   client = ENABLED
2016-12-27 20:40:33   pull = ENABLED
2016-12-27 20:40:33   auth_user_pass_file = '[UNDEF]'
2016-12-27 20:40:33 OpenVPN 2.4-icsopenvpn [git:HEAD-9d8801b6185d7453] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [IPv6] built on Oct  9 2016
2016-12-27 20:40:33 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
2016-12-27 20:40:33 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2016-12-27 20:40:33 MANAGEMENT: CMD 'hold release'
2016-12-27 20:40:33 MANAGEMENT: CMD 'proxy NONE'
2016-12-27 20:40:33 MANAGEMENT: CMD 'bytecount 2'
2016-12-27 20:40:33 MANAGEMENT: CMD 'state on'
2016-12-27 20:40:34 LZO compression initializing
2016-12-27 20:40:34 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2016-12-27 20:40:34 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2016-12-27 20:40:34 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2016-12-27 20:40:34 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2016-12-27 20:40:34 TCP/UDP: Preserving recently used remote address: [AF_INET]213.X.X.X:1194
2016-12-27 20:40:34 Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-12-27 20:40:34 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-12-27 20:40:34 UDP link local (bound): [AF_INET][undef]:1194
2016-12-27 20:40:34 UDP link remote: [AF_INET]213.X.X.X:1194
2016-12-27 20:40:34 MANAGEMENT: >STATE:1482867634,WAIT,,,,,,
2016-12-27 20:40:34 MANAGEMENT: >STATE:1482867634,AUTH,,,,,,
2016-12-27 20:40:34 TLS: Initial packet from [AF_INET]213.211.44.252:1194, sid=c0c3ef34 bb71e895
2016-12-27 20:40:34 VERIFY OK: depth=1, C=CZ, ST=CZECH REPUBLIC, L=XXX, O=XXX, OU=XXX, CN=xxx, name=JK, emailAddress=XXX@XXX.com
2016-12-27 20:40:34 Validating certificate key usage
2016-12-27 20:40:34 ++ Certificate has key usage  00a0, expects 00a0
2016-12-27 20:40:34 VERIFY KU OK
2016-12-27 20:40:34 Validating certificate extended key usage
2016-12-27 20:40:34 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-12-27 20:40:34 VERIFY EKU OK
2016-12-27 20:40:34 VERIFY OK: depth=0, C=CZ, ST=CZECH REPUBLIC, L=XXX, O=XXX, OU=XXX, CN=XXX, name=server, emailAddress=XXXc@XXX
2016-12-27 20:40:35 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
2016-12-27 20:40:35 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2016-12-27 20:40:35 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2016-12-27 20:40:35 [XXX] Peer Connection Initiated with [AF_INET]213.XXX.XXX.XXX:1194
2016-12-27 20:40:36 MANAGEMENT: >STATE:1482867636,GET_CONFIG,,,,,,
2016-12-27 20:40:36 SENT CONTROL [XXXX]: 'PUSH_REQUEST' (status=1)
2016-12-27 20:40:36 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,dhcp-option DNS 82.202.114.2,route 192.168.66.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.66.6 192.168.66.5'
2016-12-27 20:40:36 OPTIONS IMPORT: timers and/or timeouts modified
2016-12-27 20:40:36 OPTIONS IMPORT: --ifconfig/up options modified
2016-12-27 20:40:36 OPTIONS IMPORT: route options modified
2016-12-27 20:40:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-12-27 20:40:36 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:406 ET:0 EL:3 ]
2016-12-27 20:40:36 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-12-27 20:40:36 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
2016-12-27 20:40:36 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-27 20:40:36 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-12-27 20:40:36 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
2016-12-27 20:40:36 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-12-27 20:40:36 GDG: SIOCGIFHWADDR(lo) failed
2016-12-27 20:40:36 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2016-12-27 20:40:36 GDG6: remote_host_ipv6=n/a
2016-12-27 20:40:36 ROUTE6: default_gateway=UNDEF
2016-12-27 20:40:36 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2016-12-27 20:40:36 Otevření rozhraní tun:
2016-12-27 20:40:36 OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/0
2016-12-27 20:40:36 Místní IPv4: 192.168.66.6/30 IPv6: null MTU: 1500
2016-12-27 20:40:36 DNS server: 82.202.114.2, Doména: null
2016-12-27 20:40:36 Trasy: 0.0.0.0/0, 172.16.0.0/16, 192.168.66.1/32, 192.168.66.4/30
2016-12-27 20:40:36 Vyloučené trasy:
2016-12-27 20:40:36 Instalované VPNService trasy: 0.0.0.0/0
2016-12-27 20:40:36 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2016-12-27 20:40:36 Zakázané VPN aplikace:
2016-12-27 20:40:36 MANAGEMENT: >STATE:1482867636,ASSIGN_IP,,192.168.66.6,,,,
2016-12-27 20:40:36 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2016-12-27 20:40:36 MANAGEMENT: >STATE:1482867636,ADD_ROUTES,,,,,,
2016-12-27 20:40:36 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-27 20:40:36 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-27 20:40:36 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-27 20:40:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-12-27 20:40:36 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2016-12-27 20:40:36 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2016-12-27 20:40:36 Initialization Sequence Completed
2016-12-27 20:40:36 MANAGEMENT: >STATE:1482867636,CONNECTED,SUCCESS,192.168.66.6,213.211.44.252,1194,,
2016-12-27 20:40:46 Bad LZO decompression header byte: 42

This is the log from the Android phone; the connection is established, but nothing further happens. The last line keeps repeating. If I change the DNS address it's still the same. My local network is 172.16.0.1 and I have a public, static IP. Here is the configuration in the router under SERVICES - VPN:

push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DNS 82.202.114.2"
server 192.168.66.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

Here is ADMINISTRATION - COMMANDS:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT

saved with Save Firewall
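The log in the post above contains the two option-mismatch warnings ('comp-lzo' present on the client but missing on the server, link-mtu 1542 vs 1541) and then the repeating "Bad LZO decompression header byte" after the tunnel came up, which is the usual symptom of compression being enabled on only one side; it also shows a 64-bit block cipher (BF-CBC) and a 1024-bit RSA certificate. The following checker is an added example, not code from the thread or from OpenVPN: it runs rules over a constructed excerpt of that log and reports the findings and the most likely cause.

```python
import re

# Constructed excerpt modelled on the client log quoted in this thread (not the full log).
SAMPLE_LOG = """\
2016-12-27 20:40:35 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
2016-12-27 20:40:35 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2016-12-27 20:40:35 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2016-12-27 20:40:36 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-12-27 20:40:36 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
2016-12-27 20:40:36 Initialization Sequence Completed
2016-12-27 20:40:46 Bad LZO decompression header byte: 42
"""

# (pattern, finding id, advice); named groups in the pattern are substituted into the advice.
RULES = [
    (re.compile(r"'(?P<opt>[\w-]+)' is present in local config but missing in remote config"),
     "option-mismatch",
     "client sets --{opt} but the server does not; use the same setting on both sides"),
    (re.compile(r"'link-mtu' is used inconsistently, local='link-mtu (?P<l>\d+)', remote='link-mtu (?P<r>\d+)'"),
     "mtu-mismatch",
     "link-mtu differs ({l} vs {r}); usually a side effect of an option mismatch such as comp-lzo"),
    (re.compile(r"Bad LZO decompression header byte"),
     "lzo-header",
     "data packets are not LZO-framed on one side; align comp-lzo on client and server"),
    (re.compile(r"block size is less than 128 bit \((?P<bs>\d+) bit\)"),
     "weak-cipher",
     "{bs}-bit block cipher in use; configure a 128-bit block cipher such as AES-256-CBC on both ends"),
]
RSA_RE = re.compile(r"(?P<bits>\d+) bit RSA")

def analyze(log_text):
    """Return [(finding_id, advice), ...] in log order, one entry per matching rule and line."""
    findings = []
    for line in log_text.splitlines():
        for pattern, fid, advice in RULES:
            m = pattern.search(line)
            if m:
                findings.append((fid, advice.format(**m.groupdict())))
        m = RSA_RE.search(line)
        if m and int(m.group("bits")) < 2048:   # RSA keys below 2048 bits are considered weak
            findings.append(("weak-rsa", f"{m.group('bits')}-bit RSA certificate; reissue with 2048-bit or larger keys"))
    return findings

def likely_cause(findings):
    """Combine findings: an LZO header error together with an option mismatch points at comp-lzo."""
    ids = {fid for fid, _ in findings}
    if "lzo-header" in ids and "option-mismatch" in ids:
        return "comp-lzo mismatch"
    if "lzo-header" in ids:
        return "compression framing error"
    return "no known issue detected"

if __name__ == "__main__":
    for fid, advice in analyze(SAMPLE_LOG):
        print(f"{fid:16} {advice}")
    print("likely cause:", likely_cause(analyze(SAMPLE_LOG)))
```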

Jirka_Ka

Re: OpenVPN on an RT-AC66U router with DD-WRT
« Reply #3 on: 27. 12. 2016, 21:04:06 »
I'd also add that even when the connection is established, I still see nothing under STATUS - OPENVPN.