OpenVPN does not use the configured ports

thor5

Re: OpenVPN does not use the configured ports
« Reply #45 on: 31. 05. 2011, 23:50:28 »
However much I look at it, I can't see a reason why it should be hitting the local gateway (assuming the routing table you posted above hasn't changed). The only thing I don't understand (and I'm certainly not claiming this is the cause) is that on the server your networks somewhat blur together: you have 10.0.0.0/8 routed to eth0 and 10.88.255.0/24 to tap0. I'd almost guess that data from the client flows to the VPN's default gateway, but the packet never comes back because it is sent back where it came from, i.e. from eth0 to eth0, and never reaches the client; the client then tries to redirect the request via the other known route. (If I'm wrong and talking nonsense, correct me :) )


Jarda001

Re: OpenVPN does not use the configured ports
« Reply #46 on: 01. 06. 2011, 08:39:34 »
So I made a few changes according to your tips:
Here it is from the client:
C:\Documents and Settings\Administrator>route print
===========================================================================
Seznam rozhraní
0x1 ........................... MS TCP Loopback interface
0x30003 ...00 06 4f 04 4d 6c ...... SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport
0x30004 ...00 ff 91 d8 fe 2b ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Aktivní směrování:
       Cíl v síti     Síťová maska            Brána        Rozhraní  Metrika
          0.0.0.0          0.0.0.0     10.200.0.254    10.200.0.101       20
          0.0.0.0        128.0.0.0    172.17.88.255   172.17.88.100       1
       10.200.0.0    255.255.255.0     10.200.0.101    10.200.0.101       20
     10.200.0.101  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255     10.200.0.101    10.200.0.101       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        128.0.0.0        128.0.0.0    172.17.88.255   172.17.88.100       1
       172.17.0.0      255.255.0.0    172.17.88.100   172.17.88.100       30
    172.17.88.100  255.255.255.255        127.0.0.1       127.0.0.1       30
   172.17.255.255  255.255.255.255    172.17.88.100   172.17.88.100       30
    213.226.253.5  255.255.255.255     10.200.0.254    10.200.0.101       1
        224.0.0.0        240.0.0.0     10.200.0.101    10.200.0.101       20
        224.0.0.0        240.0.0.0    172.17.88.100   172.17.88.100       30
  255.255.255.255  255.255.255.255     10.200.0.101    10.200.0.101       1
  255.255.255.255  255.255.255.255    172.17.88.100   172.17.88.100       1
Výchozí brána:     172.17.88.255
===========================================================================
Trvalé trasy:
  Žádné

C:\Documents and Settings\Administrator>
And here is the server config:
mode server
tls-server
;ipconfig-pool-persist ip.txt
local 10.0.13.26:1194
script-security 2
dev tap0
port 1194
rport 1194
lport 1194
proto tcp-server
ifconfig 172.17.88.255 255.255.0.0
push "route 172.17.88.255 255.255.0.0"
push "redirect-gateway def1"
;push "redirect-gateway 172.17.88.255"
push "dhcp-option DNS 172.17.88.255"
ifconfig-pool 172.17.88.100 172.17.88.159 255.255.0.0
duplicate-cn
client-to-client
keepalive 10 120
ca /root/openvpn/ca.crt
cert /root/openvpn/server.crt
key /root/openvpn/server.key
dh /root/openvpn/dh1024.pem
comp-lzo
;log-append cvpn.log
status openvpn-status.log
verb 5

Now everything should work, but when I run ping 10.0.0.177 on the client, it doesn't find it. That is a machine in the OpenVPN server's local network. Thanks.

thor5

Re: OpenVPN does not use the configured ports
« Reply #47 on: 01. 06. 2011, 09:52:47 »
Now it really has to work... so here is what else comes to mind:
1) the machine 10.0.0.177 has ping from the VPN network blocked
2) instead of ping it might be worth trying traceroute; it should at least show that the first hop is 172.17.18.255, then maybe we'll be wiser
3) try looking into the openvpn log, sometimes something interesting lands there when something doesn't work
4) (this is already a last resort) try UDP on different ports instead of TCP (and without rport, lport). It has happened to me that everything looked OK but packets weren't flowing. After this change it miraculously started working, even though there was no firewall anywhere along the path (not even an L2 transparent one) (probably some bug).

Jarda001

Re: OpenVPN does not use the configured ports
« Reply #48 on: 01. 06. 2011, 10:30:37 »
ad 1)
the machine 10.0.0.177 has ping allowed from anyone
ad 2)
traceroute shows no address, only that the request timed out
ad 3)
client log:
Jun 01 08:21:10 2011 us=453000 Current Parameter Settings:
Wed Jun 01 08:21:10 2011 us=453000   config = 'client.ovpn'
Wed Jun 01 08:21:10 2011 us=453000   mode = 0
Wed Jun 01 08:21:10 2011 us=453000   show_ciphers = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   show_digests = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   show_engines = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   genkey = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   key_pass_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=453000   show_tls_ciphers = DISABLED
Wed Jun 01 08:21:10 2011 us=453000 Connection profiles [default]:
Wed Jun 01 08:21:10 2011 us=453000   proto = tcp-client
Wed Jun 01 08:21:10 2011 us=453000   local = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=453000   local_port = 1194
Wed Jun 01 08:21:10 2011 us=453000   remote = '213.226.253.5'
Wed Jun 01 08:21:10 2011 us=453000   remote_port = 1194
Wed Jun 01 08:21:10 2011 us=453000   remote_float = ENABLED
Wed Jun 01 08:21:10 2011 us=453000   bind_defined = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   bind_local = ENABLED
Wed Jun 01 08:21:10 2011 us=453000   connect_retry_seconds = 5
Wed Jun 01 08:21:10 2011 us=453000   connect_timeout = 10
Wed Jun 01 08:21:10 2011 us=453000   topology = 1
Wed Jun 01 08:21:10 2011 us=453000   tun_ipv6 = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   ifconfig_local = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=453000   ifconfig_remote_netmask = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=453000   ifconfig_noexec = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   ifconfig_nowarn = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   shaper = 0
Wed Jun 01 08:21:10 2011 us=453000   tun_mtu = 1500
Wed Jun 01 08:21:10 2011 us=453000   tun_mtu_defined = ENABLED
Wed Jun 01 08:21:10 2011 us=453000   link_mtu = 1500
Wed Jun 01 08:21:10 2011 us=453000   link_mtu_defined = DISABLED
Wed Jun 01 08:21:10 2011 us=453000   tun_mtu_extra = 32
Wed Jun 01 08:21:10 2011 us=453000   tun_mtu_extra_defined = ENABLED
Wed Jun 01 08:21:10 2011 us=453000   fragment = 0
Wed Jun 01 08:21:10 2011 us=453000   mtu_discover_type = -1
Wed Jun 01 08:21:10 2011 us=453000   mtu_test = 0
Wed Jun 01 08:21:10 2011 us=546000   sockflags = 0
Wed Jun 01 08:21:10 2011 us=546000   fast_io = DISABLED
Wed Jun 01 08:21:10 2011 us=546000   lzo = 7
Wed Jun 01 08:21:10 2011 us=546000   route_script = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=546000   route_default_gateway = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=546000   route_default_metric = 0
Wed Jun 01 08:21:10 2011 us=546000   route_noexec = DISABLED
Wed Jun 01 08:21:10 2011 us=546000   route_delay = 4
Wed Jun 01 08:21:10 2011 us=546000   route_delay_window = 30
Wed Jun 01 08:21:10 2011 us=546000   route_delay_defined = ENABLED
Wed Jun 01 08:21:10 2011 us=546000   route_nopull = DISABLED
Wed Jun 01 08:21:10 2011 us=546000   route_gateway_via_dhcp = DISABLED
Wed Jun 01 08:21:10 2011 us=609000   max_routes = 100
Wed Jun 01 08:21:10 2011 us=609000   allow_pull_fqdn = DISABLED
Wed Jun 01 08:21:10 2011 us=609000   management_addr = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=609000   management_port = 0
Wed Jun 01 08:21:10 2011 us=609000   management_user_pass = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=609000   management_log_history_cache = 250
Wed Jun 01 08:21:10 2011 us=609000   management_echo_buffer_size = 100
Wed Jun 01 08:21:10 2011 us=609000   management_write_peer_info_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=609000   management_client_user = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=609000   management_client_group = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=609000   management_flags = 0
Wed Jun 01 08:21:10 2011 us=609000   shared_secret_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=609000   key_direction = 0
Wed Jun 01 08:21:10 2011 us=609000   ciphername_defined = ENABLED
Wed Jun 01 08:21:10 2011 us=609000   ciphername = 'BF-CBC'
Wed Jun 01 08:21:10 2011 us=656000   authname_defined = ENABLED
Wed Jun 01 08:21:10 2011 us=656000   authname = 'SHA1'
Wed Jun 01 08:21:10 2011 us=656000   prng_hash = 'SHA1'
Wed Jun 01 08:21:10 2011 us=656000   prng_nonce_secret_len = 16
Wed Jun 01 08:21:10 2011 us=656000   keysize = 0
Wed Jun 01 08:21:10 2011 us=656000   engine = DISABLED
Wed Jun 01 08:21:10 2011 us=656000   replay = ENABLED
Wed Jun 01 08:21:10 2011 us=656000   mute_replay_warnings = ENABLED
Wed Jun 01 08:21:10 2011 us=656000   replay_window = 64
Wed Jun 01 08:21:10 2011 us=656000   replay_time = 15
Wed Jun 01 08:21:10 2011 us=656000   packet_id_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=656000   use_iv = ENABLED
Wed Jun 01 08:21:10 2011 us=656000   test_crypto = DISABLED
Wed Jun 01 08:21:10 2011 us=656000   tls_server = DISABLED
Wed Jun 01 08:21:10 2011 us=656000   tls_client = ENABLED
Wed Jun 01 08:21:10 2011 us=656000   key_method = 2
Wed Jun 01 08:21:10 2011 us=656000   ca_file = 'ca.crt'
Wed Jun 01 08:21:10 2011 us=718000   ca_path = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   dh_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   cert_file = 'test.crt'
Wed Jun 01 08:21:10 2011 us=718000   priv_key_file = 'test.key'
Wed Jun 01 08:21:10 2011 us=718000   pkcs12_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   cryptoapi_cert = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   cipher_list = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   tls_verify = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   tls_remote = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   crl_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=718000   ns_cert_type = 64
Wed Jun 01 08:21:10 2011 us=718000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=718000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=718000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=718000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=718000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_ku = 0
Wed Jun 01 08:21:10 2011 us=765000   remote_cert_eku = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=765000   tls_timeout = 2
Wed Jun 01 08:21:10 2011 us=765000   renegotiate_bytes = 0
Wed Jun 01 08:21:10 2011 us=765000   renegotiate_packets = 0
Wed Jun 01 08:21:10 2011 us=765000   renegotiate_seconds = 3600
Wed Jun 01 08:21:10 2011 us=765000   handshake_window = 60
Wed Jun 01 08:21:10 2011 us=812000   transition_window = 3600
Wed Jun 01 08:21:10 2011 us=812000   single_session = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   push_peer_info = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   tls_exit = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   tls_auth_file = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=812000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_protected_authentication = DISABLED
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=843000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_private_mode = 00000000
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=890000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_cert_private = DISABLED
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_pin_cache_period = -1
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_id = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=937000   pkcs11_id_management = DISABLED
Wed Jun 01 08:21:10 2011 us=984000   server_network = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   server_netmask = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   server_bridge_ip = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   server_bridge_netmask = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   server_bridge_pool_start = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   server_bridge_pool_end = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   ifconfig_pool_defined = DISABLED
Wed Jun 01 08:21:10 2011 us=984000   ifconfig_pool_start = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   ifconfig_pool_end = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   ifconfig_pool_netmask = 0.0.0.0
Wed Jun 01 08:21:10 2011 us=984000   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Jun 01 08:21:10 2011 us=984000   ifconfig_pool_persist_refresh_freq = 600
Wed Jun 01 08:21:10 2011 us=984000   n_bcast_buf = 256
Wed Jun 01 08:21:10 2011 us=984000   tcp_queue_limit = 64
Wed Jun 01 08:21:10 2011 us=984000   real_hash_size = 256
Wed Jun 01 08:21:11 2011 us=31000   virtual_hash_size = 256
Wed Jun 01 08:21:11 2011 us=31000   client_connect_script = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=31000   learn_address_script = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=31000   client_disconnect_script = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=31000   client_config_dir = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=31000   ccd_exclusive = DISABLED
Wed Jun 01 08:21:11 2011 us=31000   tmp_dir = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=31000   push_ifconfig_defined = DISABLED
Wed Jun 01 08:21:11 2011 us=31000   push_ifconfig_local = 0.0.0.0
Wed Jun 01 08:21:11 2011 us=31000   push_ifconfig_remote_netmask = 0.0.0.0
Wed Jun 01 08:21:11 2011 us=31000   enable_c2c = DISABLED
Wed Jun 01 08:21:11 2011 us=31000   duplicate_cn = DISABLED
Wed Jun 01 08:21:11 2011 us=31000   cf_max = 0
Wed Jun 01 08:21:11 2011 us=31000   cf_per = 0
Wed Jun 01 08:21:11 2011 us=31000   max_clients = 1024
Wed Jun 01 08:21:11 2011 us=31000   max_routes_per_client = 256
Wed Jun 01 08:21:11 2011 us=62000   auth_user_pass_verify_script = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=62000   auth_user_pass_verify_script_via_file = DISABLED
Wed Jun 01 08:21:11 2011 us=62000   ssl_flags = 0
Wed Jun 01 08:21:11 2011 us=62000   client = DISABLED
Wed Jun 01 08:21:11 2011 us=62000   pull = ENABLED
Wed Jun 01 08:21:11 2011 us=62000   auth_user_pass_file = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=62000   show_net_up = DISABLED
Wed Jun 01 08:21:11 2011 us=62000   route_method = 2
Wed Jun 01 08:21:11 2011 us=62000   ip_win32_defined = DISABLED
Wed Jun 01 08:21:11 2011 us=62000   ip_win32_type = 3
Wed Jun 01 08:21:11 2011 us=62000   dhcp_masq_offset = 0
Wed Jun 01 08:21:11 2011 us=62000   dhcp_lease_time = 31536000
Wed Jun 01 08:21:11 2011 us=62000   tap_sleep = 0
Wed Jun 01 08:21:11 2011 us=62000   dhcp_options = DISABLED
Wed Jun 01 08:21:11 2011 us=62000   dhcp_renew = DISABLED
Wed Jun 01 08:21:11 2011 us=62000   dhcp_pre_release = DISABLED
Wed Jun 01 08:21:11 2011 us=93000   dhcp_release = DISABLED
Wed Jun 01 08:21:11 2011 us=93000   domain = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=93000   netbios_scope = '[UNDEF]'
Wed Jun 01 08:21:11 2011 us=93000   netbios_node_type = 0
Wed Jun 01 08:21:11 2011 us=93000   disable_nbt = DISABLED
Wed Jun 01 08:21:11 2011 us=93000 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Wed Jun 01 08:21:11 2011 us=109000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 01 08:21:11 2011 us=484000 LZO compression initialized
Wed Jun 01 08:21:11 2011 us=484000 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 01 08:21:11 2011 us=484000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 01 08:21:11 2011 us=500000 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun 01 08:21:11 2011 us=500000 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Jun 01 08:21:11 2011 us=500000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Jun 01 08:21:11 2011 us=500000 Local Options hash (VER=V4): '31fdf004'
Wed Jun 01 08:21:11 2011 us=500000 Expected Remote Options hash (VER=V4): '3e6d1056'
Wed Jun 01 08:21:11 2011 us=500000 Attempting to establish TCP connection with 213.226.253.5:1194
Wed Jun 01 08:21:11 2011 us=531000 TCP connection established with 213.226.253.5:1194
Wed Jun 01 08:21:11 2011 us=531000 TCPv4_CLIENT link local (bound): [undef]:1194
Wed Jun 01 08:21:11 2011 us=531000 TCPv4_CLIENT link remote: 213.226.253.5:1194
Wed Jun 01 08:21:11 2011 us=546000 TLS: Initial packet from 213.226.253.5:1194, sid=46cf00d4 41dc89d6
Wed Jun 01 08:21:11 2011 us=812000 VERIFY OK: depth=1, /C=CZ/ST=VYSOCINA/L=Chotebor/O=xxxas_/OU=IT/CN=pam/emailAddress=it.manager@xxx.cz
Wed Jun 01 08:21:11 2011 us=812000 VERIFY OK: nsCertType=SERVER
Wed Jun 01 08:21:11 2011 us=812000 VERIFY OK: depth=0, /C=CZ/ST=VYSOCINA/O=xxxas_/OU=IT/CN=pam/emailAddress=it.manager@xxx.cz
Wed Jun 01 08:21:12 2011 us=968000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 01 08:21:12 2011 us=968000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 01 08:21:12 2011 us=968000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 01 08:21:12 2011 us=968000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 01 08:21:12 2011 us=984000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 01 08:21:12 2011 us=984000 [pam] Peer Connection Initiated with 213.226.253.5:1194
Wed Jun 01 08:21:15 2011 us=109000 SENT CONTROL [pam]: 'PUSH_REQUEST' (status=1)
Wed Jun 01 08:21:15 2011 us=281000 PUSH: Received control message: 'PUSH_REPLY,route 172.17.88.255 255.255.0.0,route-gateway 172.17.88.255,redirect-gateway def1,dhcp-option DNS 172.17.88.255,ping 10,ping-restart 120,ifconfig 172.17.88.100 255.255.0.0'
Wed Jun 01 08:21:15 2011 us=281000 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 01 08:21:15 2011 us=281000 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 01 08:21:15 2011 us=281000 OPTIONS IMPORT: route options modified
Wed Jun 01 08:21:15 2011 us=281000 OPTIONS IMPORT: route-related options modified
Wed Jun 01 08:21:15 2011 us=281000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 01 08:21:15 2011 us=312000 ROUTE default_gateway=10.200.0.254
Wed Jun 01 08:21:15 2011 us=328000 TAP-WIN32 device [Připojení k místní síti 3] opened: \\.\Global\{91D8FE2B-1684-45F3-B02F-FEE9EB1A89B1}.tap
Wed Jun 01 08:21:15 2011 us=328000 TAP-Win32 Driver Version 9.7
Wed Jun 01 08:21:15 2011 us=328000 TAP-Win32 MTU=1500
Wed Jun 01 08:21:15 2011 us=328000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.17.88.100/255.255.0.0 on interface {91D8FE2B-1684-45F3-B02F-FEE9EB1A89B1} [DHCP-serv: 172.17.0.0, lease-time: 31536000]
Wed Jun 01 08:21:15 2011 us=328000 DHCP option string: 0604ac11 58ff
Wed Jun 01 08:21:15 2011 us=343000 Successful ARP Flush on interface [196612] {91D8FE2B-1684-45F3-B02F-FEE9EB1A89B1}
Wed Jun 01 08:21:19 2011 us=296000 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 01 08:21:19 2011 us=296000 C:\WINDOWS\system32\route.exe ADD 213.226.253.5 MASK 255.255.255.255 10.200.0.254
Wed Jun 01 08:21:19 2011 us=375000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.17.88.255
Wed Jun 01 08:21:19 2011 us=437000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.17.88.255
Wed Jun 01 08:21:19 2011 us=484000 C:\WINDOWS\system32\route.exe ADD 172.17.88.255 MASK 255.255.0.0 172.17.88.255
Přidání trasy se nezdařilo: Zadaný parametr masky je neplatný. (Cíl & maska) != Cíl.
Wed Jun 01 08:21:19 2011 us=546000 Initialization Sequence Completed

ad 4)
UDP didn't work through the firewall at all.

Thanks for the help.

thor5

Re: OpenVPN does not use the configured ports
« Reply #49 on: 01. 06. 2011, 11:04:47 »
At first, while reading the log, I thought the data encryption on the server and on the client might not match, but then I read it to the end and it's strange, and honestly I don't really understand it. This:
Quote
Wed Jun 01 08:21:19 2011 us=296000 C:\WINDOWS\system32\route.exe ADD 213.226.253.5 MASK 255.255.255.255 10.200.0.254
Wed Jun 01 08:21:19 2011 us=375000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.17.88.255
Wed Jun 01 08:21:19 2011 us=437000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.17.88.255
Wed Jun 01 08:21:19 2011 us=484000 C:\WINDOWS\system32\route.exe ADD 172.17.88.255 MASK 255.255.0.0 172.17.88.255
Přidání trasy se nezdařilo: Zadaný parametr masky je neplatný. (Cíl & maska) != Cíl.
Wed Jun 01 08:21:19 2011 us=546000 Initialization Sequence Completed
means that route.exe exited with an error, but we won't find out which of the four returned that error. Given that the first three are normal (everyone who does a gateway redirect has them), the last one is probably the bad one. But I don't know what should be wrong with it. The only thing I can still recommend trying is to change the gateway IP address to 172.17.88.254 (I've seen Windows not getting along with 255; it thinks it's a broadcast even though the network isn't a /24... but I think MS has already fixed that bug).

I'd also try looking at the server log, there might be something interesting there too. (In any case, I have to run to my final exams now, so to be continued in the evening :))
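The check that route.exe applies, (Destination & mask) == Destination, run over the four route ADD commands quoted from the client log and over the push "route ..." directives of the server config, as an added example that is not part of the thread or of OpenVPN itself; all function names are my own, and the same check covers the 172.17.88.254 variant tried later in the thread.

```python
import ipaddress
import re

# route.exe refuses a route whose destination has host bits set under its
# mask; the client log reports this as "(Destination & mask) != Destination".
# These four commands are copied from the client log in this thread.
ROUTE_ADD_LINES = [
    r"C:\WINDOWS\system32\route.exe ADD 213.226.253.5 MASK 255.255.255.255 10.200.0.254",
    r"C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.17.88.255",
    r"C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.17.88.255",
    r"C:\WINDOWS\system32\route.exe ADD 172.17.88.255 MASK 255.255.0.0 172.17.88.255",
]

# The routing-related lines of the server config posted in the thread
# (OpenVPN treats lines starting with ';' or '#' as comments).
SERVER_CONFIG = """\
ifconfig 172.17.88.255 255.255.0.0
push "route 172.17.88.255 255.255.0.0"
push "redirect-gateway def1"
;push "redirect-gateway 172.17.88.255"
push "dhcp-option DNS 172.17.88.255"
ifconfig-pool 172.17.88.100 172.17.88.159 255.255.0.0
"""


def is_network_address(destination: str, mask: str) -> bool:
    """The test route.exe applies: (destination & mask) == destination."""
    dst = int(ipaddress.IPv4Address(destination))
    msk = int(ipaddress.IPv4Address(mask))
    return (dst & msk) == dst


def network_address(destination: str, mask: str) -> str:
    """The aligned network address route.exe would accept for this pair."""
    net = ipaddress.IPv4Network(f"{destination}/{mask}", strict=False)
    return str(net.network_address)


def parse_route_add(line: str):
    """Split 'route.exe ADD <dst> MASK <mask> <gateway>' into its three addresses."""
    m = re.search(r"\bADD\s+(\S+)\s+MASK\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
    if m is None:
        raise ValueError(f"not a route ADD command: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def failing_route_adds(lines):
    """Return (command, aligned 'dst MASK mask') for every command route.exe rejects."""
    failures = []
    for line in lines:
        dst, mask, _gateway = parse_route_add(line)
        if not is_network_address(dst, mask):
            failures.append((line, f"{network_address(dst, mask)} MASK {mask}"))
    return failures


def pushed_routes(config_text: str):
    """Yield (network, mask) from every active push "route ..." directive."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # commented-out directive, never pushed
        m = re.match(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            yield m.group(1), m.group(2)


def bad_pushed_routes(config_text: str):
    """(network, mask, aligned network) for push "route" lines the client cannot install."""
    return [(net, mask, network_address(net, mask))
            for net, mask in pushed_routes(config_text)
            if not is_network_address(net, mask)]


if __name__ == "__main__":
    for line, fix in failing_route_adds(ROUTE_ADD_LINES):
        print(f"rejected: {line}\n  aligned: {fix}")
    for net, mask, fixed in bad_pushed_routes(SERVER_CONFIG):
        print(f'push "route {net} {mask}" -> push "route {fixed} {mask}"')
```

Only the fourth command fails the check, and it is exactly the pushed "route 172.17.88.255 255.255.0.0" line; the same holds for 172.17.88.254, since both are host addresses inside 172.17.0.0/16.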


Jarda001

Re: OpenVPN does not use the configured ports
« Reply #50 on: 02. 06. 2011, 07:52:45 »
So, changed. The result is even worse. It doesn't redirect the gateway at all:
server log
Thu Jun  2 07:42:25 2011 us=622689 Current Parameter Settings:
Thu Jun  2 07:42:25 2011 us=639854   config = 'server.ovpn'
Thu Jun  2 07:42:25 2011 us=639886   mode = 1
Thu Jun  2 07:42:25 2011 us=639900   persist_config = DISABLED
Thu Jun  2 07:42:25 2011 us=639913   persist_mode = 1
Thu Jun  2 07:42:25 2011 us=639926   show_ciphers = DISABLED
Thu Jun  2 07:42:25 2011 us=639938   show_digests = DISABLED
Thu Jun  2 07:42:25 2011 us=639951   show_engines = DISABLED
Thu Jun  2 07:42:25 2011 us=639963   genkey = DISABLED
Thu Jun  2 07:42:25 2011 us=639976   key_pass_file = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=639988   show_tls_ciphers = DISABLED
Thu Jun  2 07:42:25 2011 us=640007 Connection profiles [default]:
Thu Jun  2 07:42:25 2011 us=640023   proto = tcp-server
Thu Jun  2 07:42:25 2011 us=640036   local = '10.0.13.26:1194'
Thu Jun  2 07:42:25 2011 us=640049   local_port = 1194
Thu Jun  2 07:42:25 2011 us=640311   ifconfig_local = '172.17.88.254'
Thu Jun  2 07:42:25 2011 us=640324   ifconfig_remote_netmask = '255.255.0.0'
Thu Jun  2 07:42:25 2011 us=640337   ifconfig_noexec = DISABLED
Thu Jun  2 07:42:25 2011 us=640350   ifconfig_nowarn = DISABLED
Thu Jun  2 07:42:25 2011 us=643035   pkcs11_id_management = DISABLED
Thu Jun  2 07:42:25 2011 us=643057   server_network = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643072   server_netmask = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643086   server_bridge_ip = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643099   server_bridge_netmask = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643113   server_bridge_pool_start = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643126   server_bridge_pool_end = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643139   push_entry = 'route 172.17.88.254 255.255.0.0'
Thu Jun  2 07:42:25 2011 us=643152   push_entry = 'redirect-gateway def1'
Thu Jun  2 07:42:25 2011 us=643164   push_entry = 'redirect-gateway 172.17.88.254'
Thu Jun  2 07:42:25 2011 us=643177   push_entry = 'dhcp-option DNS 172.17.88.254'
Thu Jun  2 07:42:25 2011 us=643189   push_entry = 'ping 10'
Thu Jun  2 07:42:25 2011 us=643202   push_entry = 'ping-restart 120'
Thu Jun  2 07:42:25 2011 us=643214   ifconfig_pool_defined = ENABLED
Thu Jun  2 07:42:25 2011 us=643228   ifconfig_pool_start = 172.17.88.100
Thu Jun  2 07:42:25 2011 us=643241   ifconfig_pool_end = 172.17.88.159
Thu Jun  2 07:42:25 2011 us=643255   ifconfig_pool_netmask = 255.255.0.0
Thu Jun  2 07:42:25 2011 us=643268   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643280   ifconfig_pool_persist_refresh_freq = 600
Thu Jun  2 07:42:25 2011 us=643292   n_bcast_buf = 256
Thu Jun  2 07:42:25 2011 us=643305   tcp_queue_limit = 64
Thu Jun  2 07:42:25 2011 us=643317   real_hash_size = 256
Thu Jun  2 07:42:25 2011 us=643329   virtual_hash_size = 256
Thu Jun  2 07:42:25 2011 us=643342   client_connect_script = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643354   learn_address_script = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643366   client_disconnect_script = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643379   client_config_dir = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643391   ccd_exclusive = DISABLED
Thu Jun  2 07:42:25 2011 us=643403   tmp_dir = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643416   push_ifconfig_defined = DISABLED
Thu Jun  2 07:42:25 2011 us=643429   push_ifconfig_local = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643442   push_ifconfig_remote_netmask = 0.0.0.0
Thu Jun  2 07:42:25 2011 us=643455   enable_c2c = ENABLED
Thu Jun  2 07:42:25 2011 us=643467   duplicate_cn = ENABLED
Thu Jun  2 07:42:25 2011 us=643480   cf_max = 0
Thu Jun  2 07:42:25 2011 us=643492   cf_per = 0
Thu Jun  2 07:42:25 2011 us=643504   max_clients = 1024
Thu Jun  2 07:42:25 2011 us=643522   max_routes_per_client = 256
Thu Jun  2 07:42:25 2011 us=643535   auth_user_pass_verify_script = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643555   auth_user_pass_verify_script_via_file = DISABLED
Thu Jun  2 07:42:25 2011 us=643568   ssl_flags = 0
Thu Jun  2 07:42:25 2011 us=643581   port_share_host = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643593   port_share_port = 0
Thu Jun  2 07:42:25 2011 us=643605   client = DISABLED
Thu Jun  2 07:42:25 2011 us=643618   pull = DISABLED
Thu Jun  2 07:42:25 2011 us=643630   auth_user_pass_file = '[UNDEF]'
Thu Jun  2 07:42:25 2011 us=643646 OpenVPN 2.1.1 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan  5 2010
Thu Jun  2 07:42:25 2011 us=652892 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun  2 07:42:25 2011 us=730901 Diffie-Hellman initialized with 1024 bit key
Thu Jun  2 07:42:29 2011 us=624837 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jun  2 07:42:29 2011 us=656829 WARNING: file '/root/openvpn/server.key' is group or others accessible
Thu Jun  2 07:42:29 2011 us=678663 TLS-Auth MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jun  2 07:42:29 2011 us=683938 TUN/TAP device tap0 opened
Thu Jun  2 07:42:29 2011 us=687549 TUN/TAP TX queue length set to 100
Thu Jun  2 07:42:29 2011 us=694943 /sbin/ip link set dev tap0 up mtu 1500
Thu Jun  2 07:42:29 2011 us=696367 /sbin/ip addr add dev tap0 172.17.88.254/16 broadcast 172.17.255.255
Thu Jun  2 07:42:29 2011 us=697822 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jun  2 07:42:29 2011 us=697878 Listening for incoming TCP connection on 10.0.13.26:1194
Thu Jun  2 07:42:29 2011 us=697907 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Jun  2 07:42:29 2011 us=697927 TCPv4_SERVER link local (bound): 10.0.13.26:1194
Thu Jun  2 07:42:29 2011 us=697940 TCPv4_SERVER link remote: [undef]
Thu Jun  2 07:42:29 2011 us=697963 MULTI: multi_init called, r=256 v=256
Thu Jun  2 07:42:29 2011 us=697997 IFCONFIG POOL: base=172.17.88.100 size=60
Thu Jun  2 07:42:29 2011 us=698030 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Jun  2 07:42:29 2011 us=698065 Initialization Sequence Completed
Thu Jun  2 07:42:33 2011 us=696788 MULTI: multi_create_instance called
Thu Jun  2 07:42:33 2011 us=696860 Re-using SSL/TLS context
Thu Jun  2 07:42:33 2011 us=696897 LZO compression initialized
Thu Jun  2 07:42:33 2011 us=697004 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jun  2 07:42:33 2011 us=697036 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jun  2 07:42:33 2011 us=697082 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Jun  2 07:42:33 2011 us=697096 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Jun  2 07:42:33 2011 us=697120 Local Options hash (VER=V4): '3e6d1056'
Thu Jun  2 07:42:33 2011 us=697139 Expected Remote Options hash (VER=V4): '31fdf004'
Thu Jun  2 07:42:33 2011 us=697175 TCP connection established with xxx.xxx.xxx.27:1194
Thu Jun  2 07:42:33 2011 us=697194 Socket Buffers: R=[131072->131072] S=[131072->131072]
Thu Jun  2 07:42:33 2011 us=697212 TCPv4_SERVER link local: [undef]
Thu Jun  2 07:42:33 2011 us=697226 TCPv4_SERVER link remote: xxx.xxx.xxx.27:1194
RThu Jun  2 07:42:33 2011 us=697426 xxx.xxx.xxx.27:1194 TLS: Initial packet from xxx.xxx.xxx.27:1194, sid=eb028a74 ab4b550e
WRRWWWWRWRWRWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRThu Jun  2 07:42:34 2011 us=212829 xxx.xxx.xxx.27:1194 VERIFY OK: depth=1, /C=CZ/ST=VYSOCINA/L=Chotebor/O=xxxas_/OU=IT/CN=pam/emailAddress=it.manager@xxx.cz
Thu Jun  2 07:42:34 2011 us=213058 xxx.xxx.xxx.27:1194 VERIFY OK: depth=0, /C=CZ/ST=VYSOCINA/O=xxxas_/OU=IT/CN=test/emailAddress=it.manager@xxx.cz
WRWRWRWWWWRWRWWWRWRWRWRWRRRRWRWRWRThu Jun  2 07:42:34 2011 us=534230 xxx.xxx.xxx.27:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun  2 07:42:34 2011 us=534281 xxx.xxx.xxx.27:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun  2 07:42:34 2011 us=534347 xxx.xxx.xxx.27:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun  2 07:42:34 2011 us=534363 xxx.xxx.xxx.27:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRThu Jun  2 07:42:34 2011 us=805300 xxx.xxx.xxx.27:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun  2 07:42:34 2011 us=805345 xxx.xxx.xxx.27:1194 [test] Peer Connection Initiated with xxx.xxx.xxx.27:1194
WWRThu Jun  2 07:42:36 2011 us=745318 test/xxx.xxx.xxx.27:1194 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jun  2 07:42:36 2011 us=745423 test/xxx.xxx.xxx.27:1194 SENT CONTROL [test]: 'PUSH_REPLY,route 172.17.88.254 255.255.0.0,redirect-gateway def1,redirect-gateway 172.17.88.254,dhcp-option DNS 172.17.88.254,ping 10,ping-restart 120,ifconfig 172.17.88.100 255.255.0.0' (status=1)
WWWWRRWWRWRW
client log
Thu Jun 02 07:42:11 2011 us=203000 TCP/UDP: Closing socket
Thu Jun 02 07:42:11 2011 us=203000 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jun 02 07:42:11 2011 us=203000 Restart pause, 5 second(s)
Thu Jun 02 07:42:16 2011 us=203000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 02 07:42:16 2011 us=203000 Re-using SSL/TLS context
Thu Jun 02 07:42:16 2011 us=203000 LZO compression initialized
Thu Jun 02 07:42:16 2011 us=203000 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jun 02 07:42:16 2011 us=203000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jun 02 07:42:16 2011 us=203000 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jun 02 07:42:16 2011 us=203000 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Jun 02 07:42:16 2011 us=203000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Jun 02 07:42:16 2011 us=203000 Local Options hash (VER=V4): '31fdf004'
Thu Jun 02 07:42:16 2011 us=203000 Expected Remote Options hash (VER=V4): '3e6d1056'
Thu Jun 02 07:42:16 2011 us=203000 Attempting to establish TCP connection with xxx.xxx.xxx.5:1194
Thu Jun 02 07:42:19 2011 us=703000 TCP: connect to xxx.xxx.xxx.5:1194 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
Thu Jun 02 07:42:24 2011 us=765000 TCP connection established with xxx.xxx.xxx.5:1194
Thu Jun 02 07:42:24 2011 us=765000 TCPv4_CLIENT link local (bound): [undef]:1194
Thu Jun 02 07:42:24 2011 us=765000 TCPv4_CLIENT link remote: xxx.xxx.xxx.5:1194
Thu Jun 02 07:42:24 2011 us=781000 TLS: Initial packet from xxx.xxx.xxx.5:1194, sid=1b325f34 84054665
Thu Jun 02 07:42:24 2011 us=984000 VERIFY OK: depth=1, /C=CZ/ST=VYSOCINA/L=Chotebor/O=xxx.as_/OU=IT/CN=pam/emailAddress=it.manager@xxx..cz
Thu Jun 02 07:42:24 2011 us=984000 VERIFY OK: nsCertType=SERVER
Thu Jun 02 07:42:24 2011 us=984000 VERIFY OK: depth=0, /C=CZ/ST=VYSOCINA/O=xxx.as_/OU=IT/CN=pam/emailAddress=it.manager@xxx..cz
Thu Jun 02 07:42:25 2011 us=828000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 02 07:42:25 2011 us=828000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 02 07:42:25 2011 us=828000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 02 07:42:25 2011 us=828000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 02 07:42:25 2011 us=843000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 02 07:42:25 2011 us=843000 [pam] Peer Connection Initiated with xxx.xxx.xxx.5:1194
Thu Jun 02 07:42:27 2011 us=828000 SENT CONTROL [pam]: 'PUSH_REQUEST' (status=1)
Thu Jun 02 07:42:28 2011 us=15000 PUSH: Received control message: 'PUSH_REPLY,route 172.17.88.254 255.255.0.0,redirect-gateway def1,redirect-gateway 172.17.88.254,dhcp-option DNS 172.17.88.254,ping 10,ping-restart 120,ifconfig 172.17.88.100 255.255.0.0'
Thu Jun 02 07:42:28 2011 us=15000 Options error: unknown --redirect-gateway flag: 172.17.88.254
Thu Jun 02 07:42:28 2011 us=15000 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 02 07:42:28 2011 us=15000 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 02 07:42:28 2011 us=15000 OPTIONS IMPORT: route options modified
Thu Jun 02 07:42:28 2011 us=15000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jun 02 07:42:28 2011 us=15000 Preserving previous TUN/TAP instance: Připojení k místní síti 3
Thu Jun 02 07:42:28 2011 us=15000 Initialization Sequence Completed

thor5

Re: OpenVPN does not use the configured ports
« Reply #51 on: 02. 06. 2011, 08:45:31 »
Quote
Thu Jun 02 07:42:28 2011 us=15000 PUSH: Received control message: 'PUSH_REPLY,route 172.17.88.254 255.255.0.0,redirect-gateway def1,redirect-gateway 172.17.88.254,dhcp-option DNS 172.17.88.254,ping 10,ping-restart 120,ifconfig 172.17.88.100 255.255.0.0'
Thu Jun 02 07:42:28 2011 us=15000 Options error: unknown --redirect-gateway flag: 172.17.88.254

The thing is, the redirect-gateway directive only knows the parameters local, def1 and a few others, not an IP address. So drop that directive. Keep only redirect-gateway def1, not the second one with the IP. (The client works out the gateway IP address itself from the IP and the routes of the VPN server.)

I hope this is the last catch :)

Jarda001

Re: OpenVPN does not use the configured ports
« Reply #52 on: 02. 06. 2011, 09:24:36 »

Quote
The thing is, the redirect-gateway directive only knows the parameters local, def1 and a few others, not an IP address. So drop that directive. Keep only redirect-gateway def1, not the second one with the IP. (The client works out the gateway IP address itself from the IP and the routes of the VPN server.)

I hope this is the last catch :)

As you advised, I commented it out, and it still doesn't work.
client log:
WRWWRWRRRWWRWRWRRWWRWRWRRWWRWRWRRWWRWRWRRWWRWRWRRWWRWWWWRWRRRWWWRWRWRRWWRWRWRRWWRWRWRRWWRWRWRRRRRRRWWRWRWRRWWRWRWRRWWWWWRRRRRRWWWRRRRWWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRrWrWrWrWrWrWrWrWrWRwRwWRThu Jun 02 09:21:04 2011 us=750000 Current Parameter Settings:
Thu Jun 02 09:21:04 2011 us=750000   config = 'client.ovpn'
Thu Jun 02 09:21:05 2011 us=406000   server_network = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=406000   server_netmask = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=406000   server_bridge_ip = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=453000   server_bridge_netmask = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=453000   server_bridge_pool_start = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=453000   server_bridge_pool_end = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=453000   ifconfig_pool_defined = DISABLED
Thu Jun 02 09:21:05 2011 us=453000   ifconfig_pool_start = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=453000   ifconfig_pool_end = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=453000   ifconfig_pool_netmask = 0.0.0.0
Thu Jun 02 09:21:05 2011 us=453000   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Jun 02 09:21:05 2011 us=453000   ifconfig_pool_persist_refresh_freq = 600
Thu Jun 02 09:21:05 2011 us=562000 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Thu Jun 02 09:21:05 2011 us=562000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 02 09:21:05 2011 us=890000 LZO compression initialized
Thu Jun 02 09:21:05 2011 us=890000 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jun 02 09:21:05 2011 us=906000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jun 02 09:21:05 2011 us=921000 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jun 02 09:21:05 2011 us=921000 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Jun 02 09:21:05 2011 us=921000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Jun 02 09:21:05 2011 us=921000 Local Options hash (VER=V4): '31fdf004'
Thu Jun 02 09:21:05 2011 us=921000 Expected Remote Options hash (VER=V4): '3e6d1056'
Thu Jun 02 09:21:05 2011 us=921000 Attempting to establish TCP connection with xxx..5:1194
Thu Jun 02 09:21:05 2011 us=921000 TCP connection established with xxx..5:1194
Thu Jun 02 09:21:05 2011 us=921000 TCPv4_CLIENT link local (bound): [undef]:1194
Thu Jun 02 09:21:05 2011 us=921000 TCPv4_CLIENT link remote: xxx..5:1194
Thu Jun 02 09:21:05 2011 us=937000 TLS: Initial packet from xxx..5:1194, sid=a468ffc3 fb79c212
Thu Jun 02 09:21:06 2011 us=171000 VERIFY OK: depth=1, /C=CZ/ST=VYSOCINA/L=Chotebor/O=xxx.as_/OU=IT/CN=pam/emailAddress=it.manager@xxx..cz
Thu Jun 02 09:21:06 2011 us=171000 VERIFY OK: nsCertType=SERVER
Thu Jun 02 09:21:06 2011 us=171000 VERIFY OK: depth=0, /C=CZ/ST=VYSOCINA/O=xxx.as_/OU=IT/CN=pam/emailAddress=it.manager@xxx..cz
Thu Jun 02 09:21:07 2011 us=62000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 02 09:21:07 2011 us=62000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 02 09:21:07 2011 us=62000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 02 09:21:07 2011 us=62000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 02 09:21:07 2011 us=78000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 02 09:21:07 2011 us=78000 [pam] Peer Connection Initiated with xxx..5:1194
Thu Jun 02 09:21:09 2011 us=390000 SENT CONTROL [pam]: 'PUSH_REQUEST' (status=1)
Thu Jun 02 09:21:09 2011 us=578000 PUSH: Received control message: 'PUSH_REPLY,route 172.17.88.254 255.255.0.0,redirect-gateway def1,dhcp-option DNS 172.17.88.254,ping 10,ping-restart 120,ifconfig 172.17.88.100 255.255.0.0'
Thu Jun 02 09:21:09 2011 us=578000 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 02 09:21:09 2011 us=578000 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 02 09:21:09 2011 us=578000 OPTIONS IMPORT: route options modified
Thu Jun 02 09:21:09 2011 us=578000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jun 02 09:21:09 2011 us=609000 ROUTE default_gateway=10.200.0.254
Thu Jun 02 09:21:09 2011 us=609000 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Thu Jun 02 09:21:09 2011 us=609000 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.17.88.254
Thu Jun 02 09:21:09 2011 us=609000 TAP-WIN32 device [Připojení k místní síti 3] opened: \\.\Global\{91D8FE2B-1684-45F3-B02F-FEE9EB1A89B1}.tap
Thu Jun 02 09:21:09 2011 us=625000 TAP-Win32 Driver Version 9.7
Thu Jun 02 09:21:09 2011 us=625000 TAP-Win32 MTU=1500
Thu Jun 02 09:21:09 2011 us=640000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.17.88.100/255.255.0.0 on interface {91D8FE2B-1684-45F3-B02F-FEE9EB1A89B1} [DHCP-serv: 172.17.0.0, lease-time: 31536000]
Thu Jun 02 09:21:09 2011 us=640000 DHCP option string: 0604ac11 58fe
Thu Jun 02 09:21:09 2011 us=640000 Successful ARP Flush on interface [3] {91D8FE2B-1684-45F3-B02F-FEE9EB1A89B1}
Thu Jun 02 09:21:13 2011 us=703000 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Thu Jun 02 09:21:13 2011 us=703000 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Thu Jun 02 09:21:13 2011 us=703000 Initialization Sequence Completed


Thanks for the help.

thor5

Re: OpenVPN does not use the configured ports
« Reply #53 on: 02. 06. 2011, 09:51:29 »
Interesting. It's complaining that it doesn't know the way to the default route. So add route-gateway 172.17.88.254 to the configuration, as the log asks for. (I've never had it fail to work out from the supplied routes where to send things, but it's true that I mostly use tun rather than tap, which is a bit different when redirecting all traffic.)
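The two client-side failures discussed in replies #51 and #53 (an IP address given as a --redirect-gateway flag, and routes pushed to a tap client with no gateway source) can be caught before a PUSH_REPLY ever reaches the clients. This is an added example, not code from the thread or from OpenVPN; the accepted flag set is the one listed in the OpenVPN 2.1 manual, and `client_has_route_gateway` is a hypothetical switch modelling a route-gateway line in the client's own config.

```python
"""Check a PUSH_REPLY the way the client in this thread would react to it.

Added example, not code from the thread or from OpenVPN. It replays the two
client-side failures seen in the logs above on constructed input. The flag
set is the one in the OpenVPN 2.1 manual (assumption: newer clients accept
more flags; extend the set for them).
"""
from typing import List

REDIRECT_GATEWAY_FLAGS = {"local", "autolocal", "def1", "bypass-dhcp", "bypass-dns"}


def parse_push_reply(message: str) -> List[List[str]]:
    """'PUSH_REPLY,route a b,ping 10' -> [['route', 'a', 'b'], ['ping', '10']]."""
    head, _, body = message.partition(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY control message")
    return [opt.split() for opt in body.split(",") if opt.strip()]


def check_push_reply(message: str, dev_type: str = "tap",
                     client_has_route_gateway: bool = False) -> List[str]:
    """Return distinct problems; an empty list means the reply looks sane.

    dev_type is the client's --dev-type. client_has_route_gateway (hypothetical
    switch) models a route-gateway line in the client's own config, which is
    what reply #53 suggests adding.
    """
    opts = parse_push_reply(message)
    # A route without its own gateway needs a default: --route-gateway, or the
    # peer address from --ifconfig. In tap mode the second ifconfig argument is
    # a netmask, not a peer, so only route-gateway can supply the gateway.
    has_gateway = (client_has_route_gateway
                   or any(o[0] == "route-gateway" for o in opts)
                   or (dev_type == "tun"
                       and any(o[0] == "ifconfig" and len(o) == 3 for o in opts)))
    problems: List[str] = []
    for name, *args in opts:
        if name == "redirect-gateway":
            problems += [f"redirect-gateway: unknown flag {a!r}" for a in args
                         if a not in REDIRECT_GATEWAY_FLAGS]
            if not has_gateway:
                problems.append("redirect-gateway: VPN gateway parameter missing")
        elif name == "route":
            explicit = len(args) >= 3 and args[2] != "vpn_gateway"
            if not explicit and not has_gateway:
                problems.append(f"route {' '.join(args)}: no gateway parameter available")
    return list(dict.fromkeys(problems))  # keep order, drop repeats
```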

Jarda001

Re: OpenVPN does not use the configured ports
« Reply #54 on: 02. 06. 2011, 10:34:59 »
Quote
Interesting. It's complaining that it doesn't know the way to the default route. So add route-gateway 172.17.88.254 to the configuration, as the log asks for. (I've never had it fail to work out from the supplied routes where to send things, but it's true that I mostly use tun rather than tap, which is a bit different when redirecting all traffic.)
The same. Do you think I should change it to tun?
And if so, how?

thor5

Re: OpenVPN does not use the configured ports
« Reply #55 on: 02. 06. 2011, 10:59:19 »
The same message in the log? Then I'm starting not to understand this... Now it's about the client finally understanding what the gateway is, but you have to tell it that gateway somehow, and that is what route-gateway was supposed to do.

As for tap/tun: in principle it shouldn't matter. The point is only that in tap absolutely everything present in the network segment where the VPN is configured gets sent, i.e. also things the remote PC doesn't need. In tun mode it is pure routing, so the VPN has its own network segment, and what gets sent into it or out of it is solely a matter of how push route is set up and what the default gateway routes. So you can try it, but I expect other errors will turn up, or possibly everything will pass without errors and still not work because the routes are misconfigured (that's exactly where you need an idea of how routing works). Otherwise I can't complain about tun :) I even run Samba over it.

Jarda001

Re: OpenVPN does not use the configured ports
« Reply #56 on: 02. 06. 2011, 11:06:50 »
Quote
The same message in the log? Then I'm starting not to understand this... Now it's about the client finally understanding what the gateway is, but you have to tell it that gateway somehow, and that is what route-gateway was supposed to do.

As for tap/tun: in principle it shouldn't matter. The point is only that in tap absolutely everything present in the network segment where the VPN is configured gets sent, i.e. also things the remote PC doesn't need. In tun mode it is pure routing, so the VPN has its own network segment, and what gets sent into it or out of it is solely a matter of how push route is set up and what the default gateway routes. So you can try it, but I expect other errors will turn up, or possibly everything will pass without errors and still not work because the routes are misconfigured (that's exactly where you need an idea of how routing works). Otherwise I can't complain about tun :) I even run Samba over it.

Exactly.
As I already wrote, the goal is for the client to reach the machine 10.0.0.177 located in the local network of the OpenVPN server. Everything else is secondary... There will be about 10-12 clients. And it also seems odd to me that it doesn't take that route. Do you happen to have a working config that would solve this for me? Thanks.

thor5

Re: OpenVPN does not use the configured ports
« Reply #57 on: 02. 06. 2011, 12:10:38 »
I had to leave for school just now. As soon as I'm back I'll try to throw something together for tun :)

Jarda001

Re: OpenVPN does not use the configured ports
« Reply #58 on: 02. 06. 2011, 14:37:29 »
Quote
I had to leave for school just now. As soon as I'm back I'll try to throw something together for tun :)

OK, thanks. I'm happy to wait.

thor5

Re: OpenVPN does not use the configured ports
« Reply #59 on: 02. 06. 2011, 18:46:55 »
So, unless I slipped up somewhere, this should work:

server
------
Code:
proto tcp  #or tcp-server, depends on the openvpn version
dev tun

ca /root/openvpn/ca.crt
cert /root/openvpn/server.crt
key /root/openvpn/server.key
dh /root/openvpn/dh1024.pem

server 172.17.88.0 255.255.255.0 #the network is split into /30 subnets, where .1 is always the server.
                                 #so: .0 server network, .1 server, .2 tunnel endpoint on the server, .3 broadcast
                                 #.4 client 1 network, .5 tunnel endpoint to client 1, .6 client 1 IP, .7 broadcast
                                 #.8 client 2 network, .9 tunnel endpoint to client 2, .10 client 2 IP, .11 broadcast, ...
push "redirect-gateway def1"     #force the clients to redirect their traffic through the server
push "dhcp-option DNS 10.200.0.254"     #or 10.0.0.255, which the server uses too; I don't know which DNS you use
                                        #if the server is to be the DNS as well, you also need some
                                        #DNS (proxy) server (bind, or the simpler dnsmasq,
                                        # but that one is also a dhcp server, although that can be turned off)

keepalive 10 120
cipher AES-256-CBC   # stronger AES
comp-lzo

ifconfig-pool-persist openvpn-ipp.txt #db of client IPs

duplicate-cn
client-to-client
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log #active sessions
verb 3
----------------------------------------------------
client
------
Code:
client
dev tun
proto tcp
remote XY 1194
resolv-retry 10
nobind
persist-key
ca "ca.crt"
cert "klient1.crt"
key "klient1.key"
cipher AES-256-CBC
comp-lzo
verb 3
Other IP addresses in other networks are reachable from the VPN as long as the server can reach them too...
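The address layout the config comment lists for `server 172.17.88.0 255.255.255.0` (server in the first /30, one /30 per client) can be worked out and checked against what a client actually receives. This is an added example, not thor5's or OpenVPN's code; the expansion of `--server` and the .4-.251 pool range follow the OpenVPN man page for a /24, and the `CN,<block base>` line format for `ifconfig-pool-persist` is an assumption.

```python
"""Work out what `server 172.17.88.0 255.255.255.0` in the config above hands out.

Added example, not thor5's or OpenVPN's code. The layout is the net30 topology
(the 2.1 default for `dev tun`): the server takes the first /30 and each client
one /30, as the config comment lists. The --server expansion and the .4-.251
pool are taken from the OpenVPN man page for a /24 (assumption: other prefix
lengths are handled the same way here).
"""
import ipaddress
from typing import Dict, List


def expand_server_directive(network: str, netmask: str,
                            client_to_client: bool = False) -> List[str]:
    """Directives the --server macro stands for in tun/net30 mode."""
    net = ipaddress.ip_network(f"{network}/{netmask}")
    pushed = (f'push "route {net.network_address} {net.netmask}"' if client_to_client
              else f'push "route {net[1]}"')
    return [
        "mode server",
        "tls-server",
        f"ifconfig {net[1]} {net[2]}",          # server .1, its virtual peer .2
        f"ifconfig-pool {net[4]} {net[-5]}",    # client /30 blocks start at .4
        f"route {net.network_address} {net.netmask}",
        pushed,
    ]


def _block(base: ipaddress.IPv4Address) -> Dict[str, str]:
    # One /30: network, server-side endpoint, client-side endpoint, broadcast.
    # For the server's own block the "client side" .2 is the server's virtual peer.
    return {"network": str(base), "server_side": str(base + 1),
            "client_side": str(base + 2), "broadcast": str(base + 3)}


def net30_blocks(network: str, netmask: str) -> Dict[str, Dict[str, str]]:
    """Map 'server', 'client1', 'client2', ... to their /30 block."""
    net = ipaddress.ip_network(f"{network}/{netmask}")
    blocks = {"server": _block(net[0])}
    addr, n = net[4], 1
    while addr <= net[-5]:            # walk the pool in steps of one /30
        blocks[f"client{n}"] = _block(addr)
        addr, n = addr + 4, n + 1
    return blocks


def pushed_ifconfig(blocks: Dict[str, Dict[str, str]], client: str) -> str:
    """The ifconfig a client receives in PUSH_REPLY: its own IP, then its peer."""
    b = blocks[client]
    return f"ifconfig {b['client_side']} {b['server_side']}"


def ipp_line(common_name: str, blocks: Dict[str, Dict[str, str]], client: str) -> str:
    """Line written to ifconfig-pool-persist (assumption: 'CN,<block base>')."""
    return f"{common_name},{blocks[client]['network']}"
```

With `client-to-client` set as in the config above, the macro pushes the whole 172.17.88.0/24 route instead of just the server address, and a /24 yields 62 client slots.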