OpenVPN nejde ping z win klienta na server

[Honza]

Ahoj

mám takový problém. Pročetl jsem diskuze ale zatím mi nic nepomohlo. Hraju si s openVPN a mam udělaný ve vmware na ubuntu 14 vpn server a pak mam jednoho ubuntu klienta který bez problemu funguje ale problém mam s win klientem. Použil jsem pro test stejný certifikat a kliče jako na linuxu když jsem už vedel že jsou funkční a v nich problém nebude (ubuntu klienta jsem vypnul) stahl jsem si aplikaci na win openVPN GUI a zapl jsem ho s konfigurakem co jsem mel na ubuntu klientovi (vše jako správce a s vypnutým firewallem).
Podle openVPN gui na win proběhne připojení uspesne a přideli mi IP 10.8.0.2 ale ping na virtualni rozhraní serveru 10.8.0.1 nejde ani v jednom směru pouze na 192.168.14.128 což je adresa serveru.

Konfigurace serveru:

Kód: [Vybrat]

port 1194
proto udp
dev tap
mode server
tls-server

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0

duplicate-cn
client-to-client

#push "redirect-gateway"
#push "dhcp-option DNS 192.168.14.1"
#push "route 192.168.14.0 255.255.255.255"


keepalive 30 120
comp-lzo

user nobody
group nogroup

persist-key
persist-tun


verb 3
mute 20
Konfigurace klienta:

Kód: [Vybrat]

client
dev tap
tls-client
pull
mute 10
proto udp
remote 192.168.14.128 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert klient.crt
key klient.key
comp-lzo
verb 3

A vypis z openPVN GUI

Kód: [Vybrat]

Sun Oct 12 10:03:01 2014 NOTE: --user option is not implemented on Windows
Sun Oct 12 10:03:01 2014 NOTE: --group option is not implemented on Windows
Sun Oct 12 10:03:01 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Sun Oct 12 10:03:01 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Sun Oct 12 10:03:01 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Oct 12 10:03:01 2014 Need hold release from management interface, waiting...
Sun Oct 12 10:03:01 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Oct 12 10:03:01 2014 MANAGEMENT: CMD 'state on'
Sun Oct 12 10:03:01 2014 MANAGEMENT: CMD 'log all on'
Sun Oct 12 10:03:02 2014 MANAGEMENT: CMD 'hold off'
Sun Oct 12 10:03:02 2014 MANAGEMENT: CMD 'hold release'
Sun Oct 12 10:03:02 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Oct 12 10:03:02 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Oct 12 10:03:02 2014 UDPv4 link local: [undef]
Sun Oct 12 10:03:02 2014 UDPv4 link remote: [AF_INET]192.168.14.128:1194
Sun Oct 12 10:03:02 2014 MANAGEMENT: >STATE:1413100982,WAIT,,,
Sun Oct 12 10:03:02 2014 MANAGEMENT: >STATE:1413100982,AUTH,,,
Sun Oct 12 10:03:02 2014 TLS: Initial packet from [AF_INET]192.168.14.128:1194, sid=47120c0e 6a56d10f
Sun Oct 12 10:03:02 2014 VERIFY OK: depth=1, C=CZ, ST=CZ, L=Ostrava, O=vsb, OU=MyOrganizationalUnit, CN=vsb CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Sun Oct 12 10:03:02 2014 VERIFY OK: depth=0, C=CZ, ST=CZ, L=Ostrava, O=vsb, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
Sun Oct 12 10:03:02 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 12 10:03:02 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 12 10:03:02 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 12 10:03:02 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 12 10:03:02 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Oct 12 10:03:02 2014 [server] Peer Connection Initiated with [AF_INET]192.168.14.128:1194
Sun Oct 12 10:03:03 2014 MANAGEMENT: >STATE:1413100983,GET_CONFIG,,,
Sun Oct 12 10:03:04 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 12 10:03:04 2014 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 30,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Sun Oct 12 10:03:04 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 12 10:03:04 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 12 10:03:04 2014 OPTIONS IMPORT: route-related options modified
Sun Oct 12 10:03:04 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 12 10:03:04 2014 MANAGEMENT: >STATE:1413100984,ASSIGN_IP,,10.8.0.2,
Sun Oct 12 10:03:04 2014 open_tun, tt->ipv6=0
Sun Oct 12 10:03:04 2014 TAP-WIN32 device [Připojení k místní síti 2] opened: \\.\Global\{775D8B25-28CC-4117-B38F-C61CA6AC3BB1}.tap
Sun Oct 12 10:03:04 2014 TAP-Windows Driver Version 9.21
Sun Oct 12 10:03:04 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {775D8B25-28CC-4117-B38F-C61CA6AC3BB1} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
Sun Oct 12 10:03:04 2014 Successful ARP Flush on interface [14] {775D8B25-28CC-4117-B38F-C61CA6AC3BB1}
Sun Oct 12 10:03:09 2014 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Sun Oct 12 10:03:09 2014 Initialization Sequence Completed
Sun Oct 12 10:03:09 2014 MANAGEMENT: >STATE:1413100989,CONNECTED,SUCCESS,10.8.0.2,192.168.14.128

Take mi příjde divné že ve win nějak nejde pak ten klient vypnout, respektive přideli adresu 10.8.0.2 na rozhraní ale když pak ukončím openVPN GUI tak ta adresa tam stále zustane až dokud nerestartuju system, takže pokud ukončím openVPN GUI a zapnu ho znova tak už se ani nepřipojí a hodí chybu.
Už mě nenapadá kde by mohla být chyba. Tuším že to bude něco s tím že jsou všechny stroje ve vmware.

[Reklama]

[Honza]

Tak jsem zkusil přidat dw gateway a stale nic, zkusil jsem i dva klienty a jestli nahodou nepujde ping mezi nimi ale taky nic. Proste z toho win se pingnu jen na fyzicke rozhrani serveru ale na to virtualni tap to nejde i když mam adresu a po čase vpn napíše že tun/tam rozhrani bylo zavřeno a že čeka na ukončení ale neukončí se a je třeba resartovat win.

[pomozsi]

Problem bude predevsim v nastaveni. Vyzkousejte nejaky example ze stranek openvpn. Podle toho co uvadite, zkuste pouzit redirect-gateway, nebo si upravte routovaci tabulku...

[Honza]

redirect-gateway jsem zkoušel a i route add -net 10.0.1.0 netmask 255.255.255.0 gw ip_adresa_open_vpn_serveru

tak zkusím nějaky example tedy jestli bude na strankach openvpn neco pro win klienta, ale zkoušel jsem nekolik tutorialu a všechny dopadly stejne... linux klient jde ale win ne.

[Dzavy]

Ohledně toho, že si drží IP i po odpojení - koukni do konfigurace TAP-Win32 adaptéru, záložka Advanced, na Media Status. Normálně by tam mělo být Application Controlled.

[Reklama]

[Honza]

To tam mam

Dám sem ještě log z win. Normálně se to připoji, přidělí adresu a tváří se to že to jde ale ping nejde. Po chvíli to napíše Closing TUN/TAP interface a tak to zustane a nahoře v okne to stále píše že se čeká na odpojení pak už to nejde až do restartu win znova ani zapnout.

Kód: [Vybrat]

Sun Oct 12 16:13:34 2014 NOTE: --user option is not implemented on Windows
Sun Oct 12 16:13:34 2014 NOTE: --group option is not implemented on Windows
Sun Oct 12 16:13:34 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Sun Oct 12 16:13:34 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Sun Oct 12 16:13:34 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Oct 12 16:13:34 2014 Need hold release from management interface, waiting...
Sun Oct 12 16:13:34 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Oct 12 16:13:34 2014 MANAGEMENT: CMD 'state on'
Sun Oct 12 16:13:34 2014 MANAGEMENT: CMD 'log all on'
Sun Oct 12 16:13:34 2014 MANAGEMENT: CMD 'hold off'
Sun Oct 12 16:13:34 2014 MANAGEMENT: CMD 'hold release'
Sun Oct 12 16:13:34 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Oct 12 16:13:35 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Oct 12 16:13:35 2014 UDPv4 link local: [undef]
Sun Oct 12 16:13:35 2014 UDPv4 link remote: [AF_INET]192.168.1.109:1194
Sun Oct 12 16:13:35 2014 MANAGEMENT: >STATE:1413123215,WAIT,,,
Sun Oct 12 16:13:35 2014 MANAGEMENT: >STATE:1413123215,AUTH,,,
Sun Oct 12 16:13:35 2014 TLS: Initial packet from [AF_INET]192.168.1.109:1194, sid=181b7407 62ce5ee7
Sun Oct 12 16:13:35 2014 VERIFY OK: depth=1, C=CZ, ST=CZ, L=Ostrava, O=vsb, OU=MyOrganizationalUnit, CN=vsb CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Sun Oct 12 16:13:35 2014 VERIFY OK: depth=0, C=CZ, ST=CZ, L=Ostrava, O=vsb, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
Sun Oct 12 16:13:35 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 12 16:13:35 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 12 16:13:35 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 12 16:13:35 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 12 16:13:35 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Oct 12 16:13:35 2014 [server] Peer Connection Initiated with [AF_INET]192.168.1.109:1194
Sun Oct 12 16:13:36 2014 MANAGEMENT: >STATE:1413123216,GET_CONFIG,,,
Sun Oct 12 16:13:37 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 12 16:13:37 2014 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 30,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Sun Oct 12 16:13:37 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 12 16:13:37 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 12 16:13:37 2014 OPTIONS IMPORT: route-related options modified
Sun Oct 12 16:13:37 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 12 16:13:37 2014 MANAGEMENT: >STATE:1413123217,ASSIGN_IP,,10.8.0.2,
Sun Oct 12 16:13:37 2014 open_tun, tt->ipv6=0
Sun Oct 12 16:13:37 2014 TAP-WIN32 device [Připojení k místní síti 3] opened: \\.\Global\{8E17777D-FFB4-49E1-9371-E79CE906FB3B}.tap
Sun Oct 12 16:13:37 2014 TAP-Windows Driver Version 9.21
Sun Oct 12 16:13:37 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {8E17777D-FFB4-49E1-9371-E79CE906FB3B} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
Sun Oct 12 16:13:37 2014 Successful ARP Flush on interface [21] {8E17777D-FFB4-49E1-9371-E79CE906FB3B}
Sun Oct 12 16:13:42 2014 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Sun Oct 12 16:13:42 2014 Initialization Sequence Completed
Sun Oct 12 16:13:42 2014 MANAGEMENT: >STATE:1413123222,CONNECTED,SUCCESS,10.8.0.2,192.168.1.109
Sun Oct 12 16:19:09 2014 [server] Inactivity timeout (--ping-restart), restarting
Sun Oct 12 16:19:09 2014 SIGUSR1[soft,ping-restart] received, process restarting
Sun Oct 12 16:19:09 2014 MANAGEMENT: >STATE:1413123549,RECONNECTING,ping-restart,,
Sun Oct 12 16:19:09 2014 Restart pause, 2 second(s)
Sun Oct 12 16:19:11 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Oct 12 16:19:11 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Oct 12 16:19:11 2014 UDPv4 link local: [undef]
Sun Oct 12 16:19:11 2014 UDPv4 link remote: [AF_INET]192.168.1.109:1194
Sun Oct 12 16:19:11 2014 MANAGEMENT: >STATE:1413123551,WAIT,,,
Sun Oct 12 16:19:11 2014 MANAGEMENT: >STATE:1413123551,AUTH,,,
Sun Oct 12 16:19:11 2014 TLS: Initial packet from [AF_INET]192.168.1.109:1194, sid=7b208ca2 211014eb
Sun Oct 12 16:19:11 2014 VERIFY OK: depth=1, C=CZ, ST=CZ, L=Ostrava, O=vsb, OU=MyOrganizationalUnit, CN=vsb CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Sun Oct 12 16:19:11 2014 VERIFY OK: depth=0, C=CZ, ST=CZ, L=Ostrava, O=vsb, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
Sun Oct 12 16:19:11 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 12 16:19:11 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 12 16:19:11 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 12 16:19:11 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 12 16:19:11 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Oct 12 16:19:11 2014 [server] Peer Connection Initiated with [AF_INET]192.168.1.109:1194
Sun Oct 12 16:19:12 2014 MANAGEMENT: >STATE:1413123552,GET_CONFIG,,,
Sun Oct 12 16:19:13 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 12 16:19:13 2014 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 30,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0'
Sun Oct 12 16:19:13 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 12 16:19:13 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 12 16:19:13 2014 OPTIONS IMPORT: route-related options modified
Sun Oct 12 16:19:13 2014 Preserving previous TUN/TAP instance: Připojení k místní síti 3
Sun Oct 12 16:19:13 2014 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sun Oct 12 16:19:13 2014 Closing TUN/TAP interface