I can add a rule using UFW firewall to allow a single known IP 192.168.1.32 to access my test webserver (192.168.1.48) (on a local mostly trusted network) on Ubuntu 14.04 using:
sudo ufw allow proto tcp from 192.168.1.23 to 192.168.1.48 port 80
Is there a way I can add a range of addresses (e.g. 192.168.1.30-192.168.1.50 to allow more machines on my current network)? Using 192.168.1.30-192.168.1.50 and 192.168.1.30-192.168.1.50 don’t work and result in ERROR: Bad source address.
asked Jul 9, 2015 at 14:30
Wilf
You need to use a binary number (2,4,8,16, 32) so either you use a bigger or a smaller range. Exactly 20 hosts just is not possible with a bitmask in a single rule:
- 16 hosts (192.168.1.16 to 192.168.1.31):
  sudo ufw allow proto tcp from 192.168.1.16/28 to 192.168.1.48 port 80
  Details
  Address:   192.168.1.16          11000000.10101000.00000001.0001 0000
  Rule Mask: 255.255.255.240 = 28  11111111.11111111.11111111.1111 0000
  Wildcard:  0.0.0.15              00000000.00000000.00000000.0000 1111
  HostMin:   192.168.1.16          11000000.10101000.00000001.0001 0000
  HostMax:   192.168.1.31          11000000.10101000.00000001.0000 1111
- 32 hosts (192.168.1.0 to 192.168.1.31):
  sudo ufw allow proto tcp from 192.168.1.0/27 to 192.168.1.48 port 80
  Details
  Address:   192.168.1.0           11000000.10101000.00000001.000 00000
  Rule Mask: 255.255.255.224 = 27  11111111.11111111.11111111.111 00000
  Wildcard:  0.0.0.31              00000000.00000000.00000000.000 11111
  HostMin:   192.168.1.0           11000000.10101000.00000001.000 00000
  HostMax:   192.168.1.31          11000000.10101000.00000001.000 11111
- 64 hosts (192.168.1.0 to 192.168.1.63):
  sudo ufw allow proto tcp from 192.168.1.0/26 to 192.168.1.48 port 80
  Details
  Address:   192.168.1.0           11000000.10101000.00000001.00 000000
  Rule Mask: 255.255.255.192 = 26  11111111.11111111.11111111.11 000000
  Wildcard:  0.0.0.63              00000000.00000000.00000000.00 111111
  HostMin:   192.168.1.0           11000000.10101000.00000001.00 000000
  HostMax:   192.168.1.63          11000000.10101000.00000001.00 111111
Explanation
I can’t give a better explanation than Wikipedia
answered Jul 9, 2015 at 17:36
A.B.
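A single rule needs one power-of-two block, but the range from the question can still be matched exactly with several rules. The following added example (not part of the original answer) uses Python's standard ipaddress module to split 192.168.1.30-192.168.1.50 into exact CIDR blocks, build one ufw rule per block, and count how many extra addresses the smallest single block would admit; the function names are illustrative.

```python
import ipaddress


def exact_blocks(first, last):
    """CIDR blocks that cover first..last inclusive and nothing else."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def smallest_single_block(first, last):
    """Smallest single CIDR block containing the whole range (may over-allow)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()  # widen the mask by one bit at a time
    return net


def over_allowed(first, last):
    """Addresses outside the range that the single block would also admit."""
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return smallest_single_block(first, last).num_addresses - wanted


def ufw_rules(first, last, dest, port, proto="tcp"):
    """One `ufw allow` command per exact block, in the syntax used above."""
    rules = []
    for net in exact_blocks(first, last):
        # A one-address block is written as a bare IP, as in the question's rule.
        src = str(net.network_address) if net.num_addresses == 1 else str(net)
        rules.append(f"sudo ufw allow proto {proto} from {src} to {dest} port {port}")
    return rules


if __name__ == "__main__":
    first, last = "192.168.1.30", "192.168.1.50"  # range from the question
    for rule in ufw_rules(first, last, "192.168.1.48", 80):
        print(rule)
    block = smallest_single_block(first, last)
    print(f"# one rule with {block} would admit {over_allowed(first, last)} extra addresses")
```

Four rules cover the 21 addresses exactly, while the single covering block is the /26 from the answer's third option.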
Allow Incoming from Specific IP Address or Subnet
To allow incoming connections from a specific IP address or subnet, specify the source. For example, run this command:
sudo ufw allow from 192.168.1.0/24 to any port 22
OR
sudo ufw allow from 192.168.1.0/24 to 192.168.1.48 port 80
answered Apr 6, 2021 at 3:34
Renderlife
I like this
sudo ufw allow from 192.168.1.0/24 to any port 22
I use ufw all the time, I like the numbering scheme as well which helps me keep track of the packet flow:
sudo ufw insert 1 allow in proto tcp from 192.168.1.0/24 to any port 22 comment "SSH Network Connection"
answered Mar 9, 2022 at 19:34
Tdsan
You asked: "Can someone explain why this problem occurs in the first place?"
Based on what is reported in the official OpenVPN FAQ I bet it’s caused by a routing problem within the OpenVPN engine.
To better clarify the scenario, let me refer to the following diagram:
Here you can see:
- an OpenVPN "server" connected to the HEADQUARTER internal network (10.0.1.0/24)
- an OpenVPN "client" running at a Remote Site, and connected to the remote 192.168.1.0/24 network
Also
- we’re assuming that the OpenVPN tunnel is established and:
  - OpenVPN "server" is reachable via its own tun interface, with address 10.10.0.1. Also the P2P address, used by the tun interface is 10.10.0.2 (this is important for later discussion, so let’s emphasize it)
  - OpenVPN "client" has a tun interface with IP 10.10.0.2
Now, let’s assume that:
- the OpenVPN "Client" has redefined its default gateway, so as to redirect within the tunnel all the outgoing IP traffic;
- the OpenVPN "Client" has IP_FORWARDING enabled and, as such, can route packets coming from its internal LAN (192.168.1.0/24) (I’m emphasizing this point, as it’s critical for our discussion).
With such a scenario in place, let’s check in detail what happens when R_PC1 (192.168.1.2) sends a packet, like an echo-request, to L_PC1 (10.0.1.2):
1. after leaving R_PC1 NIC, the packet reaches the OpenVPN client;
2. OpenVPN client (that is configured to act as a common router) routes it according to its routing table. As its default gateway is the tunnel, it sends the packet to the tunnel;
3. Packet reaches the tun interface of the OpenVPN server. OpenVPN will "see" it and, as it (OpenVPN server) knows that 10.0.1.2 is an address belonging to its LAN subnet, it "forwards" the packet, from TUN to LAN;
4. Packet reaches L_PC1.
So everything is fine…
Now let’s check what happens with the echo-reply that L_PC1 sends in reply to R_PC1.
- echo-reply leaves L_PC1 NIC and reaches OpenVPN server LAN interface (10.0.1.1);
Now, if we want the OpenVPN Server to be able to reach the remote site, we need to define the routing with a "static route". Something like:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.10.0.2
Please note the P2P address used as gateway.
Such static routes will operate at OS-level. In other words, it’s needed for the operating system to properly route the packet. It means something like: "Please, all the traffic addressed to 192.168.1.0/24 subnet needs to be forwarded to the OpenVPN engine, with whom the OS is able to talk via the P2P address". Thanks to such static route, now…
- the packet leaves the OS-routing context and reaches OpenVPN. The OpenVPN instance running on the OpenVPN Server. So, at this point, the OS has nothing more to do and all the routing (within the VPN) is left to the OpenVPN server software.
So, now, the problem is: how will the OpenVPN server software be able to decide the route of a packet with SRC_IP 10.0.1.2 and DST_IP 192.168.1.2?
Please note that, based on the configuration of OpenVPN server, it knows nothing about the 192.168.1.0/24 network, nor the 192.168.1.2 host. It’s not a connected client. It’s not a local client.
And so?
OpenVPN, also, knows that it is not the "OS-Router", so it doesn’t really want (and can….) send the packet back to the local gateway. So the only option, here, is to raise an error. Exactly the error you’re experiencing.
To say it with the language of the FAQ: "…it doesn’t know how to route the packet to this machine, so it drops the packet…".
How can we solve the problem?
As you can see from the official documentation, the option iroute serves exactly our purpose:
--iroute network [netmask]
Generate an internal route to a specific client. The netmask
parameter, if omitted, defaults to 255.255.255.255.
This directive can be used to route a fixed subnet from the server
to a particular client, regardless of where the client is
connecting from. Remember that you must also add the route to the
system routing table as well (such as by using the --route
directive). The reason why two routes are needed is that the
--route directive routes the packet from the kernel to OpenVPN.
Once in OpenVPN, the --iroute directive routes to the specific
client.
So you need a:
--iroute 192.168.1.0 255.255.255.0
to be applied (to the server) when your OpenVPN client connects, for example via an ad-hoc configuration file defined on the server (client-config-dir, etc.).
Should you wonder why this problem does not happen at step 2) above, my understanding is that OpenVPN Client knows how to route it, ’cause it knows that the VPN-tunnel is a default-gateway.
The same cannot be done at OpenVPN Server, ’cause there the default gateway is typically not overridden. Also, consider that you could have a single OpenVPN server with plenty of OpenVPN clients: each client knows how to reach the server but… how can the server decide which is the client acting as a gateway for an unknown subnet?
As for your first question (Can the required rules be written in a generic/one-off way?), I’m sorry but I’m not getting your very problem. Can you rephrase providing more details?
OpenVPN Support Forum
Community Support Forum
Error: MULTI: bad source address from client [192.168.0.2], packet dropped
Post by sValentine » Wed Sep 23, 2020 5:05 pm
I have a server that with one user it is working just fine, but when I gave the client to my brother he is connecting to the server without any problems, but when he is trying to access anything on the internet it is not working, and I get this message repeatedly "MULTI: bad source address from client [192.168.0.2], packet dropped". The thing is on my VM machine I have no problem, I even tried on my father’s laptop, and the same, no problem, the internet is working fine, I can connect to my server and download via shared network files with max internet speed.
At first I didn’t have this option "duplicate-cn", but I saw some messages saying to other users to add that, but even with it, it’s still not working on my brother’s PC, but I didn’t expect it to work, from what I understood from that, it is used when 2 users are connecting at the same time with the same credentials, but it doesn’t affect if they are connecting at different times, only one.
The thing is, if I’m connected to his PC via TeamViewer, I can still maintain control, but anything else is not working related to internet. If he has WhatsApp opened via browser, he is receiving the messages, but he can’t send. We tried to get some files from the server (shared via network), and the transfer is starting at max speed, but after a few seconds it is dropping to 0 for a few seconds, then goes up to max, then down and keeps repeating this.
What can the problem be, and what can I do?
dev-node "ServerVPN"
mode server
port 40450
proto tcp4-server
dev tun
tls-server
tls-auth "E:\Program Files\OpenVPN\easy-rsa\keys\ta.key" 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca "E:\Program Files\OpenVPN\easy-rsa\keys\ca.crt"
cert "E:\Program Files\OpenVPN\easy-rsa\keys\ServerVPN.crt"
key "E:\Program Files\OpenVPN\easy-rsa\keys\ServerVPN.key"
dh "E:\Program Files\OpenVPN\easy-rsa\keys\dh2048.pem"
server 10.10.10.0 255.255.255.0
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
client-config-dir "E:\Program Files\OpenVPN\config"
route-delay 5
route-method exe
push "route 192.168.0.0 255.255.255.0"
route 192.168.182.0 255.255.255.0
remote 5.12.201.67
client
port 40450
proto tcp4-client
dev tun
tls-client
tls-auth "C:\Program Files\OpenVPN\config\ta.key" 1
remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
MULTI: bad source address from client[::], packet dropped
Post by kelvin22 » Sun Jan 17, 2016 9:56 am
Been banging my head for 2 days now with this error.
ca /root/vpn/ca.crt
cert /root/vpn/srv.crt
key /root/vpn/srv.key
dh /root/vpn/dh.pem
server 10.77.198.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir cust-client-cfg
#need to access 169.254.0.0 subnet
push "route 169.254.0.0 255.255.0.0"
#redirect traffic
push "redirect-gateway def1"
#set DNS
push "dhcp-options DNS 10.77.198.2"
#don't enable unless you want clients to see each other
#client-to-client
keepalive 10 120
tls-auth /root/vpn/hmac.key 0
comp-lzo
max-clients 10
plugin /usr/lib64/openvpn/openvpn-plugin-auth-pam.so openvpn login USERNAME password PASSWORD
cipher AES-256-CBC
auth SHA512
keysize 256
user nobody
group nobody
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 4
################
client.ovpn (connection via OpenVPN GUI on Windows)
setenv FORWARD_COMPATIBLE 1
client
proto tcp
remote
port 443
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
comp-lzo
verb 3
setenv PUSH_PEER_INFO
cipher AES-256-CBC
auth SHA512
keysize 256
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
key-direction 1
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
***
-----END OpenVPN Static key V1-----
eno1 is external ip
eno2: flags=4163 mtu 1500
inet 169.254.55.223 netmask 255.255.0.0 broadcast 169.254.255.255
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
tun0: flags=4305 mtu 1500
inet 10.77.198.1 netmask 255.255.255.255 destination 10.77.198.2
iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 27 packets, 5234 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 27 packets, 5234 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 14 packets, 942 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 14 packets, 942 bytes)
pkts bytes target prot opt in out source destination
Data Channel Encrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
:54549 Data Channel Encrypt: Using 512 bit message hash ‘SHA512’ for HMAC authentication
:54549 Data Channel Decrypt: Cipher ‘AES-256-CBC’ initialized with 256 bit key
:54549 Data Channel Decrypt: Using 512 bit message hash ‘SHA512’ for HMAC authentication
:54549 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
:54549 [master] Peer Connection Initiated with [AF_INET] :54549
master/ :54549 OPTIONS IMPORT: reading client specific options from: cust-client-cfg/master
master/ :54549 MULTI: Learn: 10.77.198.10 -> master/ :54549
master/ :54549 MULTI: primary virtual IP for master/ :54549: 10.77.198.10
master/ :54549 PUSH: Received control message: ‘PUSH_REQUEST’
master/ :54549 send_push_reply(): safe_cap=940
master/ :54549 SENT CONTROL [master]: ‘PUSH_REPLY,route 169.254.0.0 255.255.0.0,redirect-gateway def1,dhcp-options DNS 10.77.198.2,route 10.77.198.1,topology net30,ping 10,ping-restart 120,ifconfig 10.77.198.10 10.77.198.9’ (status=1)
master/ :54549 MULTI: bad source address from client [::], packet dropped
I seem to be able to connect, auth is passed. IP is assigned on client side, but I can’t seem to be able to route traffic through the VPN.
Can someone post a set of iptables rules that properly route packets between my interfaces?
[Solved] Problem when connecting Samba
Post by cakemaker » Sat Dec 25, 2010 4:14 pm
I have read the HowTo in detail and googled a lot. I guess my problem may be ISP related but I am not sure. Here are the details; I hope you can help.
My goal is to connect to a samba server on a PC behind the openvpn server (subnet 192.168.1.0).
The openvpn server is on CentOS, and I am using openvpn 2.0.9-1.
The openvpn client (netbook, WinXP) connects to the internet thru a mobile (bluetooth + gprs).
I can ping and visit the http server in the same subnet.
What I think I do correctly:
The two conf files below are very much the standard ones. Besides, I have
- run "echo 1 > /proc/sys/net/ipv4/ip_forward" on the openvpn server
- set a static route 10.8.0.0 to the openvpn server on my Tomato-router (gateway of the 192.subnet)
- update smb.conf so that 10.8.0.0/24 is included under "hosts allow"
- update iptables & /etc/hosts.allow of the samba pc
- update iptables of the openvpn server by "iptables -A INPUT -i tun+ -j ACCEPT"
- update iptables of the openvpn server by "iptables -A FORWARD -i tun+ -j ACCEPT"
What I don’t understand:
When I run "net use z: \\192.168.1.2\sharename /USER:myusername" from a command prompt window, I get the following message on the server log
10.55.171.180 is the ip# assigned by my ISP as I can see in the output of "ipconfig /all"
123.136.11.171, as found by a WhoIs site, belongs to my ISP.
Is it a kind of scenario that the standard openvpn settings do not cater for?
I am lacking ideas on where and how to move on.
Thanks in advance for your help.
Re: Problem when connecting Samba
Post by cakemaker » Sun Dec 26, 2010 5:11 pm
What I don’t understand (as mentioned above) is that the server logs "bad source address from client [10.55.171.180]" while 10.55.171.180 is just the IP address of the openvpn client. How come the server reports the client as a bad source?
Anyway, I google further and find this --> http://openvpn.net/index.php/open-sourc . iledq.html
So, this (bad source address) error message means it doesn’t know how to route the packet to (10.55.171.180) this machine for whatever reason (am I correct?)
Okay, as advised by a lot of other hopefully relevant materials from Google, I try the "client-config-dir ccd" approach.
My server.conf now has 3 more lines
(yes, I know it is not practical because this IP address 10.55.171.180 changes every time I dial up on the road. I treat it as a learning/debug process.)
The result is
==========
When I try to connect to the samba server, no more "bad source address" error is reported.
But still, I cannot connect to the samba server.
In addition, Wireshark on the openvpn server PC reports a lot of Checksum errors
for packets with
Source: the openvpn server : 1194
Dest’n: 123.136.11.xxx (still belongs to my ISP) : 24595
while opposite direction packets look fine.
And, the "0xb851" repeats as a constant on every packet while the 0x7b26 changes every time.
Sorry for my poor English/presentation. Hope you can follow my explanation. Thanks a lot for any help or idea.
Re: Problem when connecting Samba
Post by cakemaker » Mon Dec 27, 2010 6:02 am
I move the openvpn server to the same machine of samba.
Keep the basic setting as of my first post.
I still can see the «bad source address» error on server log.
But, I can connect the samba server now.
One thing that may be worth mentioning is that my original openvpn server is on a vbox vm.
Not sure if it also affects the result.
Re: [Solved] Problem when connecting Samba
Post by gladiatr72 » Mon Dec 27, 2010 4:35 pm
Your English is quite passable—you’re undoubtedly much better with English than I am with... well... anything that’s not English, so let’s leave it at that.
Ignore this. This is an issue that crops up with certain ethernet drivers. Hopefully if/when your ethernet card decides to check out, it doesn’t do so in a way that is so subtle as to make it necessary to try to figure out if these messages are legitimate!
When you get a moment, please post the logs from your server and client systems as well as the routing tables on both ends.
If your vpn tunnel is solid, your ISP will become irrelevant when it comes to communication between your client and the server network.
Into.the.Void.
17/05/2008
Openvpn – MULTI: bad source address from client – solution
Problematic Configuration:
OpenVPN server config:
dev tun
port 1194
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
keepalive 10 30
client-to-client
comp-lzo
ifconfig-pool-persist ipp.txt
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway"
OpenVPN client config:
dev tun
client
proto udp
persist-tun
persist-key
resolv-retry infinite
mute-replay-warnings
remote REMOTE.HOST 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
comp-lzo
verb 3
The problem:
Using the above config files I continuously got errors like this on the server syslog:
May 1 00:00:00 hostname ovpn-openvpn[22563]: client1/X.Y.Z.W:1194 MULTI: bad source address from client [10.10.1.11], packet dropped
where X.Y.Z.W is my public IP and 10.10.1.11 is the LAN IP of the machine that makes the connection to the OpenVPN server.
The solution:
OpenVPN server config:
dev tun
port 1194
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
keepalive 10 30
client-to-client
comp-lzo
ifconfig-pool-persist ipp.txt
status /etc/openvpn/openvpn-status.log
verb 3
push "redirect-gateway"
client-config-dir ccd
route 10.10.1.0 255.255.255.0
Then I created the /etc/openvpn/ccd/ dir and put inside a file named client1 with the following contents:
# cat /etc/openvpn/ccd/client1
iroute 10.10.1.0 255.255.255.0
Client configuration stays the same.
All should be fine now and in your server logs you will now see entries like this:
May 1 00:00:00 hostname ovpn-openvpn[27096]: client1/X.Y.Z.W:1194 MULTI: Learn: 10.10.1.11 -> client1/X.Y.Z.W:1194
Hint: If you want your clients to be able to access the internet through the VPN tunnel you must set up NAT.
A typical config on a Debian machine acting as the OpenVPN server:
# cat /etc/network/interfaces
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address A.B.C.D
netmask 255.255.255.0
gateway A.B.C.E
network A.B.C.0
broadcast A.B.C.255
post-up iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.1/24 -j MASQUERADE
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
Filed by kargig at 11:49 under Encryption,Internet,Linux,Networking,Privacy
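The answer quoting the --iroute man page and this blog post describe the same fix: a route in the server config so the kernel hands the subnet to OpenVPN, plus an iroute in the client's ccd file so OpenVPN knows which client owns it. The following added example (not from the blog or from OpenVPN) reads server log lines, finds each "bad source address" message, and reports which of the two entries is missing for that client; the sample log, the address 203.0.113.7 and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Server log message quoted on this page. The text before "/" is the client's
# certificate common name, which is also the name of its ccd file.
BAD_SRC = re.compile(
    r"(?P<cn>[^\s/]+)/.*?MULTI: bad source address from client "
    r"\[(?P<src>[^\]]*)\], packet dropped"
)


def parse_nets(conf_text, directive):
    """IPv4 networks named by `route` or `iroute` lines in an OpenVPN config."""
    nets = []
    for raw in conf_text.splitlines():
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # drop comments
        if len(parts) < 2 or parts[0] != directive:
            continue
        # Per the man page text quoted above, an omitted netmask means a host route.
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        try:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
        except ValueError:
            continue  # argument is not a literal network
    return nets


def diagnose(log_text, server_conf, ccd_files):
    """Report, per client and dropped source address, which entry is missing.

    ccd_files maps a common name to the text of its client-config-dir file.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = BAD_SRC.search(line)
        if m:
            counts[(m["cn"], m["src"])] += 1

    kernel_routes = parse_nets(server_conf, "route")
    findings = []
    for (cn, src), hits in sorted(counts.items()):
        finding = {"client": cn, "source": src, "hits": hits, "missing": [], "note": ""}
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None
        if addr is None or addr.version != 4:
            # e.g. the "[::]" message seen elsewhere on this page
            finding["note"] = "source is not IPv4; route/iroute check skipped"
        else:
            if not any(addr in net for net in kernel_routes):
                finding["missing"].append("route covering source in server config")
            iroutes = parse_nets(ccd_files.get(cn, ""), "iroute")
            if not any(addr in net for net in iroutes):
                finding["missing"].append(f"iroute covering source in ccd/{cn}")
        findings.append(finding)
    return findings


# Constructed sample input, modelled on the log and configs shown in the post.
SAMPLE_LOG = """\
May 1 00:00:00 vpn ovpn-openvpn[22563]: client1/203.0.113.7:1194 MULTI: bad source address from client [10.10.1.11], packet dropped
May 1 00:00:05 vpn ovpn-openvpn[22563]: client1/203.0.113.7:1194 MULTI: bad source address from client [10.10.1.11], packet dropped
May 1 00:00:09 vpn ovpn-openvpn[22563]: master/203.0.113.7:54549 MULTI: bad source address from client [::], packet dropped
"""
SERVER_BEFORE = "server 10.8.0.0 255.255.255.0\nclient-to-client\n"
SERVER_AFTER = SERVER_BEFORE + "client-config-dir ccd\nroute 10.10.1.0 255.255.255.0\n"
CCD_AFTER = {"client1": "iroute 10.10.1.0 255.255.255.0\n"}

if __name__ == "__main__":
    for label, conf, ccd in (("before", SERVER_BEFORE, {}),
                             ("after", SERVER_AFTER, CCD_AFTER)):
        for f in diagnose(SAMPLE_LOG, conf, ccd):
            status = f["note"] or "; ".join(f["missing"]) or "covered"
            print(f"{label}: {f['client']} [{f['source']}] x{f['hits']}: {status}")
```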
33 Responses to “Openvpn – MULTI: bad source address from client – solution”
These OpenVPN things are the devil's work. Go with Cisco, my boy; at least you'll know where to aim your cursing. Either it will work out of the box or you'll know exactly whom to curse out.
OK, OK… as soon as I find some time I'll also write a post about a Cisco VPN I set up recently. That one wasn't bloodless either 😛
I did the same thing, but I’m still getting the message. I’m not bridging, so it should be simple. I can ping any machine from the vpn server network, I can surf and I can even see the Windows network that’s sitting on the back of the vpn server. I created the CCD directory and I wrote a route in the main config file and an iroute in the ccd directory and there is no change at all. I’m getting the “MULTI: bad source address from client” message right after I connect.
I have the same issue, I created the CCD directory and I wrote a route in the main config file and an iroute in the ccd directory and there is no change at all. I’m getting the “MULTI: bad source address from client” message every 5 seconds right after I connect even though everything is working fine.
One difference in fact, the IP addresses on the message, are the same: the IP address of the WAN connection to the VPN server.
I have been hung up on this for a few days. I finally came across your site and your solution fixed my issue. Thanks!
This worked for me after a minor change.
The thing to note is that your “client1” file may not be the same… it’s whatever you’ve called your clients, I’ve set this based on user names (and the same with the ssl keys). As soon as I set the client names correctly it worked like a charm!
Make sure that /etc/openvpn/ccd/* is world-readable. Test it. Otherwise, openvpn cannot learn the routes listed in these files.
Hi, I have the very same issue, and cannot route internet traffic through openvpn from the client.
I have enclosed my server.conf file and the openvpn.log file
I have been on this for days and am totally stuck on this. Any help would be highly appreciated
# Which local IP address should OpenVPN
# listen on? (optional)
local 69.10.145.131
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# “dev tun” will create a routed IP tunnel,
# “dev tap” will create an ethernet tunnel.
# Use “dev tap0” if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use “dev-node” for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun0
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don’t need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the “easy-rsa” directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see “pkcs12” directive in man page).
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# push “route 10.8.0.0 255.255.255.0”
# Maintain a record of client virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS’s bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
# push “route 10.8.0.0 255.255.255.0”
push "route 192.168.1.0/24 255.255.255.0"
# route-up “route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.0”
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory “ccd” for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name “Thelonious”
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir ccd
route 192.168.1.0 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious’ private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using “dev tun” and “server” directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
# route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client’s network config if
# client’s local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client’s local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "dhcp-option DNS 10.8.0.1"
# push "redirect-gateway"
push "redirect-gateway def1"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
#push “dhcp-option DNS 10.8.0.1”
;push “dhcp-option WINS 10.8.0.1”
# Uncomment this directive to allow different
# clients to be able to “see” each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server’s TUN/TAP interface.
#
# client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE “COMMON NAME”,
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an “HMAC firewall”
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be ‘0’
# on the server and ‘1’ on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100
# It’s a good idea to reduce the OpenVPN
# daemon’s privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# “log” will truncate the log file on OpenVPN startup,
# while “log-append” will append to it. Use one
# or the other (but not both).
log openvpn.log
log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
Tue Jan 27 09:53:30 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
Tue Jan 27 09:53:30 2009 Diffie-Hellman initialized with 1024 bit key
Tue Jan 27 09:53:30 2009 WARNING: file ‘/etc/openvpn/easy-rsa/keys/server.key’ is group or others accessible
Tue Jan 27 09:53:30 2009 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jan 27 09:53:30 2009 TUN/TAP device tun0 opened
Tue Jan 27 09:53:30 2009 /sbin/ip link set dev tun0 up mtu 1500
Tue Jan 27 09:53:30 2009 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jan 27 09:53:30 2009 /sbin/ip route add 192.168.1.0/29 via 10.8.0.2
Tue Jan 27 09:53:30 2009 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Jan 27 09:53:30 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 27 09:53:30 2009 GID set to nobody
Tue Jan 27 09:53:30 2009 UID set to nobody
Tue Jan 27 09:53:30 2009 UDPv4 link local (bound): 69.10.145.131:1194
Tue Jan 27 09:53:30 2009 UDPv4 link remote: [undef]
Tue Jan 27 09:53:30 2009 MULTI: multi_init called, r=256 v=256
Tue Jan 27 09:53:30 2009 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Jan 27 09:53:30 2009 IFCONFIG POOL LIST
Tue Jan 27 09:53:30 2009 client-1,10.8.0.4
Tue Jan 27 09:53:30 2009 Initialization Sequence Completed
Tue Jan 27 09:53:38 2009 MULTI: multi_create_instance called
Tue Jan 27 09:53:38 2009 119.137.85.240:2114 Re-using SSL/TLS context
Tue Jan 27 09:53:38 2009 119.137.85.240:2114 LZO compression initialized
Tue Jan 27 09:53:38 2009 119.137.85.240:2114 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jan 27 09:53:38 2009 119.137.85.240:2114 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 27 09:53:38 2009 119.137.85.240:2114 Local Options hash (VER=V4): ‘530fdded’
Tue Jan 27 09:53:38 2009 119.137.85.240:2114 Expected Remote Options hash (VER=V4): ‘41690919’
Tue Jan 27 09:53:38 2009 119.137.85.240:2114 TLS: Initial packet from 119.137.85.240:2114, sid=d23409ff 25428a75
Tue Jan 27 09:53:41 2009 119.137.85.240:2114 VERIFY OK: depth=1, /C=DK/ST=CPH/L=COPENHAGEN/O=CTcash_Limited/OU=IT/CN=server/emailAddress=on@awtoc.net
Tue Jan 27 09:53:41 2009 119.137.85.240:2114 VERIFY OK: depth=0, /C=DK/ST=CPH/O=CTcash_Limited/OU=IT/CN=client-1/emailAddress=on@awtoc.net
Tue Jan 27 09:53:42 2009 119.137.85.240:2114 Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
Tue Jan 27 09:53:42 2009 119.137.85.240:2114 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Tue Jan 27 09:53:42 2009 119.137.85.240:2114 Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
Tue Jan 27 09:53:42 2009 119.137.85.240:2114 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Tue Jan 27 09:53:42 2009 119.137.85.240:2114 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jan 27 09:53:42 2009 119.137.85.240:2114 [client-1] Peer Connection Initiated with 119.137.85.240:2114
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 OPTIONS IMPORT: reading client specific options from: ccd/client-1
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 MULTI: Learn: 10.8.0.6 -> client-1/119.137.85.240:2114
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 MULTI: primary virtual IP for client-1/119.137.85.240:2114: 10.8.0.6
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 MULTI: internal route 10.10.1.0/24 -> client-1/119.137.85.240:2114
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 MULTI: Learn: 10.10.1.0/24 -> client-1/119.137.85.240:2114
Tue Jan 27 09:53:43 2009 client-1/119.137.85.240:2114 PUSH: Received control message: ‘PUSH_REQUEST’
Tue Jan 27 09:53:43 2009 client-1/119.137.85.240:2114 SENT CONTROL [client-1]: ‘PUSH_REPLY,route 192.168.1.0/24 255.255.255.0,dhcp-option DNS 10.8.0.1,redirect-gateway def1,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5’ (status=1)
Tue Jan 27 09:53:45 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:45 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:46 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:48 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:51 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:51 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:51 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
“openvpn.log” 78L, 7410C
Thank you! I had the same problem!
I finally came across your site and your solution fixed my issue. Thanks!
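One way to triage the `bad source address` lines in the server log above, as an added example that is not part of the original page: OpenVPN in server mode drops a tunnelled packet whose source is neither the client's virtual address nor inside a route the server has learned for that client, so the script collects the learned addresses and pushed routes per client and classifies each dropped source. The sample log is constructed from lines in that log (the 172.16.5.9 entry is invented), and the function names and reason labels are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the server log above. The addresses come
# from that log, except 172.16.5.9, which is invented for the second case.
SAMPLE_LOG = """\
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 MULTI: Learn: 10.8.0.6 -> client-1/119.137.85.240:2114
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 MULTI: internal route 10.10.1.0/24 -> client-1/119.137.85.240:2114
Tue Jan 27 09:53:42 2009 client-1/119.137.85.240:2114 MULTI: Learn: 10.10.1.0/24 -> client-1/119.137.85.240:2114
Tue Jan 27 09:53:43 2009 client-1/119.137.85.240:2114 SENT CONTROL [client-1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,ping 10,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Tue Jan 27 09:53:45 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:45 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [192.168.1.103], packet dropped
Tue Jan 27 09:53:46 2009 client-1/119.137.85.240:2114 MULTI: bad source address from client [172.16.5.9], packet dropped
"""

# Addresses and subnets the server associates with a client (virtual IP, iroute).
LEARN = re.compile(r"MULTI: (?:Learn:|internal route) (\S+) -> ([^\s/]+)/")
# Options pushed to a client; the "." tolerates straight or typographic quotes.
PUSH = re.compile(r"SENT CONTROL \[([^\]]+)\]: .PUSH_REPLY,(.*). \(status=")
# Packets rejected by the server's per-client source address check.
DROP = re.compile(r"\s([^\s/]+)/\S+ MULTI: bad source address from client \[([^\]]+)\]")


def pushed_route(option):
    """Turn a pushed 'route NET [MASK]' option into an ip_network, else None."""
    parts = option.split()
    if len(parts) < 2 or parts[0] != "route":
        return None
    net = parts[1]
    mask = parts[2] if len(parts) > 2 else "255.255.255.255"
    try:
        return ipaddress.ip_network(net if "/" in net else f"{net}/{mask}", strict=False)
    except ValueError:
        return None  # a hostname or keyword instead of an address


def analyze(log_text):
    """Return {client CN: {dropped source: {"count": n, "reason": label}}}."""
    accepted = defaultdict(set)   # CN -> networks accepted as packet source
    pushed = defaultdict(set)     # CN -> routes the server pushed to the client
    drops = defaultdict(Counter)  # CN -> dropped source address -> count
    for line in log_text.splitlines():
        if m := LEARN.search(line):
            try:
                accepted[m.group(2)].add(ipaddress.ip_network(m.group(1), strict=False))
            except ValueError:
                continue
        elif m := PUSH.search(line):
            for option in m.group(2).split(","):
                net = pushed_route(option)
                if net is not None:
                    pushed[m.group(1)].add(net)
        elif m := DROP.search(line):
            drops[m.group(1)][m.group(2)] += 1

    report = {}
    for cn, counter in drops.items():
        report[cn] = {}
        for src, count in counter.items():
            try:
                ip = ipaddress.ip_address(src)
            except ValueError:
                continue
            if any(ip in net for net in accepted[cn]):
                # Unexpected for a dropped packet; check that the log is complete.
                reason = "inside-learned-route"
            elif any(ip in net for net in pushed[cn]):
                # The client's own LAN address lies in a subnet the VPN routes.
                reason = "overlaps-pushed-route"
            else:
                # Source is neither the virtual IP nor covered by an iroute.
                reason = "unrouted-source"
            report[cn][src] = {"count": count, "reason": reason}
    return report


if __name__ == "__main__":
    for cn, sources in analyze(SAMPLE_LOG).items():
        for src, info in sources.items():
            print(f"{cn}: {src} dropped {info['count']}x ({info['reason']})")
```

The reason labels are a heuristic for where to look next, not an OpenVPN diagnosis: the server only logs that the source failed its check.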
Hi,
I have a server that is working just fine with one user, but when I gave the client to my brother, he connects to the server without any problems, yet when he tries to access anything on the internet it does not work, and I get this message repeatedly: "MULTI: bad source address from client [192.168.0.2], packet dropped". The thing is, on my VM I have no problem. I even tried on my father's laptop, and it was the same: no problem, the internet works fine, and I can connect to my server and download files via the network share at max internet speed.
At first I didn't have the option "duplicate-cn", but I saw some messages telling other users to add it. Even with it, it's still not working on my brother's PC, but I didn't expect it to work: from what I understood, it is used when 2 users are connecting at the same time with the same credentials, and it doesn't matter if they connect at different times, only one at a time.
The thing is, if I'm connected to his PC via TeamViewer, I can still maintain control, but nothing else related to the internet works. If he has WhatsApp open in the browser, he receives messages, but he can't send. We tried to get some files from the server (shared via the network), and the transfer starts at max speed, but after a few seconds it drops to 0 for a few seconds, then goes up to max, then down, and keeps repeating this.
What can the problem be, and what can I do?
Server
dev-node "ServerVPN"
mode server
port 40450
proto tcp4-server
dev tun
tls-server
tls-auth "E:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key" 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca "E:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "E:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.crt"
key "E:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.key"
dh "E:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.10.10.0 255.255.255.0
duplicate-cn
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
client-config-dir "E:\\Program Files\\OpenVPN\\config"
verb 4
route-delay 5
route-method exe
push "route 192.168.0.0 255.255.255.0"
route 192.168.182.0 255.255.255.0
Client
remote 5.12.201.67
client
port 40450
proto tcp4-client
dev tun
tls-client
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\ClientVPN.crt"
key "C:\\Program Files\\OpenVPN\\config\\ClientVPN.key"
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
verb 4
mute 20
Server log
Wed Sep 23 19:37:37 2020 us=689460 Current Parameter Settings:
Wed Sep 23 19:37:37 2020 us=689460 config = 'ServerVPN.ovpn'
Wed Sep 23 19:37:37 2020 us=689460 mode = 1
Wed Sep 23 19:37:37 2020 us=689460 show_ciphers = DISABLED
Wed Sep 23 19:37:37 2020 us=689460 show_digests = DISABLED
Wed Sep 23 19:37:37 2020 us=689460 show_engines = DISABLED
Wed Sep 23 19:37:37 2020 us=689460 genkey = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 key_pass_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 show_tls_ciphers = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 connect_retry_max = 0
Wed Sep 23 19:37:37 2020 us=690436 Connection profiles [0]:
Wed Sep 23 19:37:37 2020 us=690436 proto = tcp4-server
Wed Sep 23 19:37:37 2020 us=690436 local = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 local_port = '40450'
Wed Sep 23 19:37:37 2020 us=690436 remote = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 remote_port = '40450'
Wed Sep 23 19:37:37 2020 us=690436 remote_float = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 bind_defined = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 bind_local = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 bind_ipv6_only = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 connect_retry_seconds = 5
Wed Sep 23 19:37:37 2020 us=690436 connect_timeout = 120
Wed Sep 23 19:37:37 2020 us=690436 socks_proxy_server = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 socks_proxy_port = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 tun_mtu = 1500
Wed Sep 23 19:37:37 2020 us=690436 tun_mtu_defined = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 link_mtu = 1500
Wed Sep 23 19:37:37 2020 us=690436 link_mtu_defined = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 tun_mtu_extra = 32
Wed Sep 23 19:37:37 2020 us=690436 tun_mtu_extra_defined = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 mtu_discover_type = -1
Wed Sep 23 19:37:37 2020 us=690436 fragment = 0
Wed Sep 23 19:37:37 2020 us=690436 mssfix = 1450
Wed Sep 23 19:37:37 2020 us=690436 explicit_exit_notification = 0
Wed Sep 23 19:37:37 2020 us=690436 Connection profiles END
Wed Sep 23 19:37:37 2020 us=690436 remote_random = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 ipchange = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 dev = 'tun'
Wed Sep 23 19:37:37 2020 us=690436 dev_type = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 dev_node = 'ServerVPN'
Wed Sep 23 19:37:37 2020 us=690436 lladdr = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 topology = 1
Wed Sep 23 19:37:37 2020 us=690436 ifconfig_local = '10.10.10.1'
Wed Sep 23 19:37:37 2020 us=690436 ifconfig_remote_netmask = '10.10.10.2'
Wed Sep 23 19:37:37 2020 us=690436 ifconfig_noexec = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 ifconfig_nowarn = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 ifconfig_ipv6_local = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 ifconfig_ipv6_netbits = 0
Wed Sep 23 19:37:37 2020 us=690436 ifconfig_ipv6_remote = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 shaper = 0
Wed Sep 23 19:37:37 2020 us=690436 mtu_test = 0
Wed Sep 23 19:37:37 2020 us=690436 mlock = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 keepalive_ping = 10
Wed Sep 23 19:37:37 2020 us=690436 keepalive_timeout = 120
Wed Sep 23 19:37:37 2020 us=690436 inactivity_timeout = 0
Wed Sep 23 19:37:37 2020 us=690436 ping_send_timeout = 10
Wed Sep 23 19:37:37 2020 us=690436 ping_rec_timeout = 240
Wed Sep 23 19:37:37 2020 us=690436 ping_rec_timeout_action = 2
Wed Sep 23 19:37:37 2020 us=690436 ping_timer_remote = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 remap_sigusr1 = 0
Wed Sep 23 19:37:37 2020 us=690436 persist_tun = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 persist_local_ip = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 persist_remote_ip = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 persist_key = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 passtos = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 resolve_retry_seconds = 1000000000
Wed Sep 23 19:37:37 2020 us=690436 resolve_in_advance = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 username = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 groupname = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 chroot_dir = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 cd_dir = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 writepid = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 up_script = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 down_script = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 down_pre = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 up_restart = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 up_delay = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 daemon = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 inetd = 0
Wed Sep 23 19:37:37 2020 us=690436 log = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 suppress_timestamps = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 machine_readable_output = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 nice = 0
Wed Sep 23 19:37:37 2020 us=690436 verbosity = 4
Wed Sep 23 19:37:37 2020 us=690436 mute = 0
Wed Sep 23 19:37:37 2020 us=690436 gremlin = 0
Wed Sep 23 19:37:37 2020 us=690436 status_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 status_file_version = 1
Wed Sep 23 19:37:37 2020 us=690436 status_file_update_freq = 60
Wed Sep 23 19:37:37 2020 us=690436 occ = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 rcvbuf = 0
Wed Sep 23 19:37:37 2020 us=690436 sndbuf = 0
Wed Sep 23 19:37:37 2020 us=690436 sockflags = 0
Wed Sep 23 19:37:37 2020 us=690436 fast_io = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 comp.alg = 2
Wed Sep 23 19:37:37 2020 us=690436 comp.flags = 1
Wed Sep 23 19:37:37 2020 us=690436 route_script = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 route_default_gateway = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 route_default_metric = 0
Wed Sep 23 19:37:37 2020 us=690436 route_noexec = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 route_delay = 5
Wed Sep 23 19:37:37 2020 us=690436 route_delay_window = 30
Wed Sep 23 19:37:37 2020 us=690436 route_delay_defined = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 route_nopull = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 route_gateway_via_dhcp = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 allow_pull_fqdn = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 route 10.10.10.0/255.255.255.0/default (not set)/default (not set)
Wed Sep 23 19:37:37 2020 us=690436 route 192.168.182.0/255.255.255.0/default (not set)/default (not set)
Wed Sep 23 19:37:37 2020 us=690436 management_addr = '127.0.0.1'
Wed Sep 23 19:37:37 2020 us=690436 management_port = '25340'
Wed Sep 23 19:37:37 2020 us=690436 management_user_pass = 'stdin'
Wed Sep 23 19:37:37 2020 us=690436 management_log_history_cache = 250
Wed Sep 23 19:37:37 2020 us=690436 management_echo_buffer_size = 100
Wed Sep 23 19:37:37 2020 us=690436 management_write_peer_info_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 management_client_user = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 management_client_group = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 management_flags = 6
Wed Sep 23 19:37:37 2020 us=690436 shared_secret_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 key_direction = 0
Wed Sep 23 19:37:37 2020 us=690436 ciphername = 'AES-128-CBC'
Wed Sep 23 19:37:37 2020 us=690436 ncp_enabled = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Sep 23 19:37:37 2020 us=690436 authname = 'SHA1'
Wed Sep 23 19:37:37 2020 us=690436 prng_hash = 'SHA1'
Wed Sep 23 19:37:37 2020 us=690436 prng_nonce_secret_len = 16
Wed Sep 23 19:37:37 2020 us=690436 keysize = 0
Wed Sep 23 19:37:37 2020 us=690436 engine = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 replay = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 mute_replay_warnings = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 replay_window = 64
Wed Sep 23 19:37:37 2020 us=690436 replay_time = 15
Wed Sep 23 19:37:37 2020 us=690436 packet_id_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 use_iv = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 test_crypto = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 tls_server = ENABLED
Wed Sep 23 19:37:37 2020 us=690436 tls_client = DISABLED
Wed Sep 23 19:37:37 2020 us=690436 key_method = 2
Wed Sep 23 19:37:37 2020 us=690436 ca_file = 'E:\Program Files\OpenVPN\easy-rsa\keys\ca.crt'
Wed Sep 23 19:37:37 2020 us=690436 ca_path = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 dh_file = 'E:\Program Files\OpenVPN\easy-rsa\keys\dh2048.pem'
Wed Sep 23 19:37:37 2020 us=690436 cert_file = 'E:\Program Files\OpenVPN\easy-rsa\keys\ServerVPN.crt'
Wed Sep 23 19:37:37 2020 us=690436 extra_certs_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 priv_key_file = 'E:\Program Files\OpenVPN\easy-rsa\keys\ServerVPN.key'
Wed Sep 23 19:37:37 2020 us=690436 pkcs12_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 cryptoapi_cert = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 cipher_list = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 cipher_list_tls13 = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 tls_cert_profile = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 tls_verify = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 tls_export_cert = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 verify_x509_type = 0
Wed Sep 23 19:37:37 2020 us=690436 verify_x509_name = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 crl_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 ns_cert_type = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_ku[i] = 0
Wed Sep 23 19:37:37 2020 us=690436 remote_cert_eku = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=690436 ssl_flags = 0
Wed Sep 23 19:37:37 2020 us=690436 tls_timeout = 2
Wed Sep 23 19:37:37 2020 us=691413 renegotiate_bytes = -1
Wed Sep 23 19:37:37 2020 us=691413 renegotiate_packets = 0
Wed Sep 23 19:37:37 2020 us=691413 renegotiate_seconds = 3600
Wed Sep 23 19:37:37 2020 us=691413 handshake_window = 60
Wed Sep 23 19:37:37 2020 us=691413 transition_window = 3600
Wed Sep 23 19:37:37 2020 us=691413 single_session = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 push_peer_info = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 tls_exit = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 tls_auth_file = 'E:\Program Files\OpenVPN\easy-rsa\keys\ta.key'
Wed Sep 23 19:37:37 2020 us=691413 tls_crypt_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_protected_authentication = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_private_mode = 00000000
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_cert_private = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_pin_cache_period = -1
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_id = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 pkcs11_id_management = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 server_network = 10.10.10.0
Wed Sep 23 19:37:37 2020 us=691413 server_netmask = 255.255.255.0
Wed Sep 23 19:37:37 2020 us=691413 server_network_ipv6 = ::
Wed Sep 23 19:37:37 2020 us=691413 server_netbits_ipv6 = 0
Wed Sep 23 19:37:37 2020 us=691413 server_bridge_ip = 0.0.0.0
Wed Sep 23 19:37:37 2020 us=691413 server_bridge_netmask = 0.0.0.0
Wed Sep 23 19:37:37 2020 us=691413 server_bridge_pool_start = 0.0.0.0
Wed Sep 23 19:37:37 2020 us=691413 server_bridge_pool_end = 0.0.0.0
Wed Sep 23 19:37:37 2020 us=691413 push_entry = 'route 192.168.0.0 255.255.255.0'
Wed Sep 23 19:37:37 2020 us=691413 push_entry = 'route 10.10.10.0 255.255.255.0'
Wed Sep 23 19:37:37 2020 us=691413 push_entry = 'topology net30'
Wed Sep 23 19:37:37 2020 us=691413 push_entry = 'ping 10'
Wed Sep 23 19:37:37 2020 us=691413 push_entry = 'ping-restart 120'
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_pool_defined = ENABLED
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_pool_start = 10.10.10.4
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_pool_end = 10.10.10.251
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_pool_netmask = 0.0.0.0
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_pool_persist_refresh_freq = 600
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_ipv6_pool_defined = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_ipv6_pool_base = ::
Wed Sep 23 19:37:37 2020 us=691413 ifconfig_ipv6_pool_netbits = 0
Wed Sep 23 19:37:37 2020 us=691413 n_bcast_buf = 256
Wed Sep 23 19:37:37 2020 us=691413 tcp_queue_limit = 64
Wed Sep 23 19:37:37 2020 us=691413 real_hash_size = 256
Wed Sep 23 19:37:37 2020 us=691413 virtual_hash_size = 256
Wed Sep 23 19:37:37 2020 us=691413 client_connect_script = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 learn_address_script = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 client_disconnect_script = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 client_config_dir = 'E:\Program Files\OpenVPN\config'
Wed Sep 23 19:37:37 2020 us=691413 ccd_exclusive = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 tmp_dir = 'C:\Users\Valentin\AppData\Local\Temp'
Wed Sep 23 19:37:37 2020 us=691413 push_ifconfig_defined = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 push_ifconfig_local = 0.0.0.0
Wed Sep 23 19:37:37 2020 us=691413 push_ifconfig_remote_netmask = 0.0.0.0
Wed Sep 23 19:37:37 2020 us=691413 push_ifconfig_ipv6_defined = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 push_ifconfig_ipv6_local = ::/0
Wed Sep 23 19:37:37 2020 us=691413 push_ifconfig_ipv6_remote = ::
Wed Sep 23 19:37:37 2020 us=691413 enable_c2c = ENABLED
Wed Sep 23 19:37:37 2020 us=691413 duplicate_cn = ENABLED
Wed Sep 23 19:37:37 2020 us=691413 cf_max = 0
Wed Sep 23 19:37:37 2020 us=691413 cf_per = 0
Wed Sep 23 19:37:37 2020 us=691413 max_clients = 1024
Wed Sep 23 19:37:37 2020 us=691413 max_routes_per_client = 256
Wed Sep 23 19:37:37 2020 us=691413 auth_user_pass_verify_script = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 auth_user_pass_verify_script_via_file = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 auth_token_generate = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 auth_token_lifetime = 0
Wed Sep 23 19:37:37 2020 us=691413 client = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 pull = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 auth_user_pass_file = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 show_net_up = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 route_method = 2
Wed Sep 23 19:37:37 2020 us=691413 block_outside_dns = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 ip_win32_defined = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 ip_win32_type = 3
Wed Sep 23 19:37:37 2020 us=691413 dhcp_masq_offset = 0
Wed Sep 23 19:37:37 2020 us=691413 dhcp_lease_time = 31536000
Wed Sep 23 19:37:37 2020 us=691413 tap_sleep = 5
Wed Sep 23 19:37:37 2020 us=691413 dhcp_options = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 dhcp_renew = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 dhcp_pre_release = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 domain = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 netbios_scope = '[UNDEF]'
Wed Sep 23 19:37:37 2020 us=691413 netbios_node_type = 0
Wed Sep 23 19:37:37 2020 us=691413 disable_nbt = DISABLED
Wed Sep 23 19:37:37 2020 us=691413 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Wed Sep 23 19:37:37 2020 us=691413 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Sep 23 19:37:37 2020 us=691413 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Management Password:
Wed Sep 23 19:37:37 2020 us=692389 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Sep 23 19:37:37 2020 us=692389 Need hold release from management interface, waiting...
Wed Sep 23 19:37:38 2020 us=189474 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Sep 23 19:37:38 2020 us=290063 MANAGEMENT: CMD 'state on'
Wed Sep 23 19:37:38 2020 us=290063 MANAGEMENT: CMD 'log all on'
Wed Sep 23 19:37:38 2020 us=431669 MANAGEMENT: CMD 'echo all on'
Wed Sep 23 19:37:38 2020 us=432646 MANAGEMENT: CMD 'bytecount 5'
Wed Sep 23 19:37:38 2020 us=434600 MANAGEMENT: CMD 'hold off'
Wed Sep 23 19:37:38 2020 us=435575 MANAGEMENT: CMD 'hold release'
Wed Sep 23 19:37:38 2020 us=436552 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Wed Sep 23 19:37:38 2020 us=440458 Diffie-Hellman initialized with 2048 bit key
Wed Sep 23 19:37:38 2020 us=441436 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep 23 19:37:38 2020 us=441436 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep 23 19:37:38 2020 us=441436 TLS-Auth MTU parms [ L:1656 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Wed Sep 23 19:37:38 2020 us=441436 interactive service msg_channel=0
Wed Sep 23 19:37:38 2020 us=442411 ROUTE_GATEWAY 192.168.100.1/255.255.255.0 I=11 HWADDR=2c:f0:5d:3e:9b:dc
Wed Sep 23 19:37:38 2020 us=442411 open_tun
Wed Sep 23 19:37:38 2020 us=443388 TAP-WIN32 device [ServerVPN] opened: \\.\Global\{6645A50D-42D9-4D2E-AA16-B258F8E3CBF4}.tap
Wed Sep 23 19:37:38 2020 us=443388 TAP-Windows Driver Version 9.24
Wed Sep 23 19:37:38 2020 us=443388 TAP-Windows MTU=1500
Wed Sep 23 19:37:38 2020 us=444365 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.1/255.255.255.252 on interface {6645A50D-42D9-4D2E-AA16-B258F8E3CBF4} [DHCP-serv: 10.10.10.2, lease-time: 31536000]
Wed Sep 23 19:37:38 2020 us=444365 Sleeping for 5 seconds...
Wed Sep 23 19:37:43 2020 us=444511 Successful ARP Flush on interface [12] {6645A50D-42D9-4D2E-AA16-B258F8E3CBF4}
Wed Sep 23 19:37:43 2020 us=445488 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Sep 23 19:37:43 2020 us=445488 MANAGEMENT: >STATE:1600879063,ASSIGN_IP,,10.10.10.1,,,,
Wed Sep 23 19:37:43 2020 us=445488 MANAGEMENT: >STATE:1600879063,ADD_ROUTES,,,,,,
Wed Sep 23 19:37:43 2020 us=445488 C:\WINDOWS\system32\route.exe ADD 192.168.182.0 MASK 255.255.255.0 10.10.10.2
Wed Sep 23 19:37:43 2020 us=445488 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Sep 23 19:37:43 2020 us=467948 C:\WINDOWS\system32\route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.10.10.2
Wed Sep 23 19:37:43 2020 us=467948 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Sep 23 19:37:43 2020 us=488457 Data Channel MTU parms [ L:1656 D:1450 EF:124 EB:412 ET:32 EL:3 ]
Wed Sep 23 19:37:43 2020 us=488457 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Sep 23 19:37:43 2020 us=488457 Listening for incoming TCP connection on [AF_INET][undef]:40450
Wed Sep 23 19:37:43 2020 us=488457 TCPv4_SERVER link local (bound): [AF_INET][undef]:40450
Wed Sep 23 19:37:43 2020 us=488457 TCPv4_SERVER link remote: [AF_UNSPEC]
Wed Sep 23 19:37:43 2020 us=488457 MULTI: multi_init called, r=256 v=256
Wed Sep 23 19:37:43 2020 us=488457 IFCONFIG POOL: base=10.10.10.4 size=62, ipv6=0
Wed Sep 23 19:37:43 2020 us=488457 MULTI: TCP INIT maxclients=60 maxevents=64
Wed Sep 23 19:37:43 2020 us=488457 Initialization Sequence Completed
Wed Sep 23 19:37:43 2020 us=488457 MANAGEMENT: >STATE:1600879063,CONNECTED,SUCCESS,10.10.10.1,,,,
Wed Sep 23 19:38:57 2020 us=108811 MULTI: multi_create_instance called
Wed Sep 23 19:38:57 2020 us=108811 Re-using SSL/TLS context
Wed Sep 23 19:38:57 2020 us=108811 LZO compression initializing
Wed Sep 23 19:38:57 2020 us=108811 Control Channel MTU parms [ L:1656 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Wed Sep 23 19:38:57 2020 us=108811 Data Channel MTU parms [ L:1656 D:1450 EF:124 EB:412 ET:32 EL:3 ]
Wed Sep 23 19:38:57 2020 us=108811 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1592,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Sep 23 19:38:57 2020 us=108811 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1592,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Sep 23 19:38:57 2020 us=108811 TCP connection established with [AF_INET]82.76.234.38:57287
Wed Sep 23 19:38:57 2020 us=108811 TCPv4_SERVER link local: (not bound)
Wed Sep 23 19:38:57 2020 us=108811 TCPv4_SERVER link remote: [AF_INET]82.76.234.38:57287
Wed Sep 23 19:38:58 2020 us=106887 82.76.234.38:57287 TLS: Initial packet from [AF_INET]82.76.234.38:57287, sid=3fd59485 56635d1e
Wed Sep 23 19:38:58 2020 us=175248 82.76.234.38:57287 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Sep 23 19:38:58 2020 us=175248 82.76.234.38:57287 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=ClientVPN, name=changeme, emailAddress=mail@host.domain
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_VER=2.4.9
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_PLAT=win
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_PROTO=2
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_NCP=2
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_LZ4=1
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_LZ4v2=1
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_LZO=1
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_COMP_STUB=1
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_COMP_STUBv2=1
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_TCPNL=1
Wed Sep 23 19:38:58 2020 us=177201 82.76.234.38:57287 peer info: IV_GUI_VER=OpenVPN_GUI_11
Wed Sep 23 19:38:58 2020 us=181108 82.76.234.38:57287 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Wed Sep 23 19:38:58 2020 us=181108 82.76.234.38:57287 [ClientVPN] Peer Connection Initiated with [AF_INET]82.76.234.38:57287
Wed Sep 23 19:38:58 2020 us=182084 ClientVPN/82.76.234.38:57287 OPTIONS IMPORT: reading client specific options from: E:Program FilesOpenVPNconfigClientVPN
Wed Sep 23 19:38:58 2020 us=182084 ClientVPN/82.76.234.38:57287 MULTI: Learn: 10.10.10.5 -> ClientVPN/82.76.234.38:57287
Wed Sep 23 19:38:58 2020 us=182084 ClientVPN/82.76.234.38:57287 MULTI: primary virtual IP for ClientVPN/82.76.234.38:57287: 10.10.10.5
Wed Sep 23 19:38:58 2020 us=182084 ClientVPN/82.76.234.38:57287 MULTI: internal route 192.168.182.0/24 -> ClientVPN/82.76.234.38:57287
Wed Sep 23 19:38:58 2020 us=182084 ClientVPN/82.76.234.38:57287 MULTI: Learn: 192.168.182.0/24 -> ClientVPN/82.76.234.38:57287
Wed Sep 23 19:38:59 2020 us=265123 ClientVPN/82.76.234.38:57287 PUSH: Received control message: 'PUSH_REQUEST'
Wed Sep 23 19:38:59 2020 us=265123 ClientVPN/82.76.234.38:57287 SENT CONTROL [ClientVPN]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.10.10.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.5 10.10.10.6,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Sep 23 19:38:59 2020 us=265123 ClientVPN/82.76.234.38:57287 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Sep 23 19:38:59 2020 us=265123 ClientVPN/82.76.234.38:57287 Data Channel MTU parms [ L:1584 D:1450 EF:52 EB:412 ET:32 EL:3 ]
Wed Sep 23 19:38:59 2020 us=265123 ClientVPN/82.76.234.38:57287 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 23 19:38:59 2020 us=265123 ClientVPN/82.76.234.38:57287 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 23 19:38:59 2020 us=490716 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [::], packet dropped
Wed Sep 23 19:39:05 2020 us=811213 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:05 2020 us=857113 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:06 2020 us=740927 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:06 2020 us=783897 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:06 2020 us=856165 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:07 2020 us=431377 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:07 2020 us=472394 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:07 2020 us=773184 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:07 2020 us=817131 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:07 2020 us=817131 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:08 2020 us=482189 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:08 2020 us=809347 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:08 2020 us=868919 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:09 2020 us=800587 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:10 2020 us=478341 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:10 2020 us=807452 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:10 2020 us=849445 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:10 2020 us=849445 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:11 2020 us=843615 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:12 2020 us=184445 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:12 2020 us=227415 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:12 2020 us=580942 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:12 2020 us=881731 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:13 2020 us=226468 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:13 2020 us=588783 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:13 2020 us=812423 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:13 2020 us=857346 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:13 2020 us=984303 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:14 2020 us=488223 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:14 2020 us=593696 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:14 2020 us=833937 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:14 2020 us=984332 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:15 2020 us=239222 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:15 2020 us=991197 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:16 2020 us=606450 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:16 2020 us=892591 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:16 2020 us=933607 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:17 2020 us=827188 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:17 2020 us=873088 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:17 2020 us=916058 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:17 2020 us=916058 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:18 2020 us=4928 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:18 2020 us=501036 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:18 2020 us=831124 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:18 2020 us=882884 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:18 2020 us=926829 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:18 2020 us=926829 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:19 2020 us=253011 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:19 2020 us=508878 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:19 2020 us=838966 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:19 2020 us=887795 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:20 2020 us=514766 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:20 2020 us=623167 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:20 2020 us=861456 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:20 2020 us=922005 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:20 2020 us=986460 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:21 2020 us=852803 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:21 2020 us=899679 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:22 2020 us=17847 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:22 2020 us=528604 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:22 2020 us=875295 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:22 2020 us=925100 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:23 2020 us=267883 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:23 2020 us=897785 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:24 2020 us=273772 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:24 2020 us=779646 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:24 2020 us=936877 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:24 2020 us=991567 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:25 2020 us=281614 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:25 2020 us=793348 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:25 2020 us=867569 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:25 2020 us=932024 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:26 2020 us=529697 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:26 2020 us=800213 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:26 2020 us=889083 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:27 2020 us=296321 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:28 2020 us=802225 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:28 2020 us=937971 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:29 2020 us=1449 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:29 2020 us=915538 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:29 2020 us=971204 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:29 2020 us=971204 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:30 2020 us=952678 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:30 2020 us=995648 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:31 2020 us=299368 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:32 2020 us=803318 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:32 2020 us=953713 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:33 2020 us=3519 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:36 2020 us=965549 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:37 2020 us=7542 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:42 2020 us=755757 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:43 2020 us=760669 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:44 2020 us=767534 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:46 2020 us=616221 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:46 2020 us=782241 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:47 2020 us=625039 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:47 2020 us=762738 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:47 2020 us=808638 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:48 2020 us=94779 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:48 2020 us=630927 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:48 2020 us=766674 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:48 2020 us=817457 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:49 2020 us=97739 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:49 2020 us=773539 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:49 2020 us=818462 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:50 2020 us=105581 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:50 2020 us=632939 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:50 2020 us=783334 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:51 2020 us=775551 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:51 2020 us=820474 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:51 2020 us=915203 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:52 2020 us=120288 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:52 2020 us=918162 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:53 2020 us=926980 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:54 2020 us=634033 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:55 2020 us=776644 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:55 2020 us=822544 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:55 2020 us=941688 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:56 2020 us=122357 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:57 2020 us=174146 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:58 2020 us=180034 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:59 2020 us=185923 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:39:59 2020 us=952547 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:40:01 2020 us=186958 ClientVPN/82.76.234.38:57287 MULTI: bad source address from client [192.168.0.2], packet dropped
Wed Sep 23 19:40:03 2020 us=481946 TCP/UDP: Closing socket
Wed Sep 23 19:40:03 2020 us=481946 TCP/UDP: Closing socket
Wed Sep 23 19:40:03 2020 us=481946 C:WINDOWSsystem32route.exe DELETE 192.168.182.0 MASK 255.255.255.0 10.10.10.2
Wed Sep 23 19:40:03 2020 us=481946 env_block: add PATH=C:WINDOWSSystem32;C:WINDOWS;C:WINDOWSSystem32Wbem
Wed Sep 23 19:40:03 2020 us=504408 C:WINDOWSsystem32route.exe DELETE 10.10.10.0 MASK 255.255.255.0 10.10.10.2
Wed Sep 23 19:40:03 2020 us=504408 env_block: add PATH=C:WINDOWSSystem32;C:WINDOWS;C:WINDOWSSystem32Wbem
Wed Sep 23 19:40:03 2020 us=524917 Closing TUN/TAP interface
Wed Sep 23 19:40:03 2020 us=554214 TAP: DHCP address released
Wed Sep 23 19:40:03 2020 us=554214 SIGTERM[hard,] received, process exiting
Wed Sep 23 19:40:03 2020 us=554214 MANAGEMENT: >STATE:1600879203,EXITING,SIGTERM,,,,,
Client log
Wed Sep 23 19:38:56 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Wed Sep 23 19:38:56 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Sep 23 19:38:56 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Management Password:
Wed Sep 23 19:38:56 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Sep 23 19:38:56 2020 Need hold release from management interface, waiting...
Wed Sep 23 19:38:57 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Sep 23 19:38:57 2020 MANAGEMENT: CMD 'state on'
Wed Sep 23 19:38:57 2020 MANAGEMENT: CMD 'log all on'
Wed Sep 23 19:38:57 2020 MANAGEMENT: CMD 'echo all on'
Wed Sep 23 19:38:57 2020 MANAGEMENT: CMD 'bytecount 5'
Wed Sep 23 19:38:57 2020 MANAGEMENT: CMD 'hold off'
Wed Sep 23 19:38:57 2020 MANAGEMENT: CMD 'hold release'
Wed Sep 23 19:38:57 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep 23 19:38:57 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep 23 19:38:57 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]5.12.176.126:40450
Wed Sep 23 19:38:57 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Sep 23 19:38:57 2020 Attempting to establish TCP connection with [AF_INET]5.12.176.126:40450 [nonblock]
Wed Sep 23 19:38:57 2020 MANAGEMENT: >STATE:1600879137,TCP_CONNECT,,,,,,
Wed Sep 23 19:38:58 2020 TCP connection established with [AF_INET]5.12.176.126:40450
Wed Sep 23 19:38:58 2020 TCPv4_CLIENT link local: (not bound)
Wed Sep 23 19:38:58 2020 TCPv4_CLIENT link remote: [AF_INET]5.12.176.126:40450
Wed Sep 23 19:38:58 2020 MANAGEMENT: >STATE:1600879138,WAIT,,,,,,
Wed Sep 23 19:38:58 2020 MANAGEMENT: >STATE:1600879138,AUTH,,,,,,
Wed Sep 23 19:38:58 2020 TLS: Initial packet from [AF_INET]5.12.176.126:40450, sid=2c6d7114 0c3860f8
Wed Sep 23 19:38:58 2020 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Sep 23 19:38:58 2020 VERIFY KU OK
Wed Sep 23 19:38:58 2020 Validating certificate extended key usage
Wed Sep 23 19:38:58 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Sep 23 19:38:58 2020 VERIFY EKU OK
Wed Sep 23 19:38:58 2020 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Sep 23 19:38:58 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Wed Sep 23 19:38:58 2020 [changeme] Peer Connection Initiated with [AF_INET]5.12.176.126:40450
Wed Sep 23 19:38:59 2020 MANAGEMENT: >STATE:1600879139,GET_CONFIG,,,,,,
Wed Sep 23 19:38:59 2020 SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Wed Sep 23 19:38:59 2020 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.10.10.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.5 10.10.10.6,peer-id 0,cipher AES-256-GCM'
Wed Sep 23 19:38:59 2020 OPTIONS IMPORT: timers and/or timeouts modified
Wed Sep 23 19:38:59 2020 OPTIONS IMPORT: --ifconfig/up options modified
Wed Sep 23 19:38:59 2020 OPTIONS IMPORT: route options modified
Wed Sep 23 19:38:59 2020 OPTIONS IMPORT: peer-id set
Wed Sep 23 19:38:59 2020 OPTIONS IMPORT: adjusting link_mtu to 1659
Wed Sep 23 19:38:59 2020 OPTIONS IMPORT: data channel crypto options modified
Wed Sep 23 19:38:59 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Sep 23 19:38:59 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 23 19:38:59 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 23 19:38:59 2020 interactive service msg_channel=0
Wed Sep 23 19:38:59 2020 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=15 HWADDR=00:d8:61:7c:79:d3
Wed Sep 23 19:38:59 2020 open_tun
Wed Sep 23 19:38:59 2020 TAP-WIN32 device [Local Area Connection] opened: \.Global{AEB57E0B-48B9-4B90-84FC-90CBE04B7BB1}.tap
Wed Sep 23 19:38:59 2020 TAP-Windows Driver Version 9.24
Wed Sep 23 19:38:59 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.5/255.255.255.252 on interface {AEB57E0B-48B9-4B90-84FC-90CBE04B7BB1} [DHCP-serv: 10.10.10.6, lease-time: 31536000]
Wed Sep 23 19:38:59 2020 Successful ARP Flush on interface [16] {AEB57E0B-48B9-4B90-84FC-90CBE04B7BB1}
Wed Sep 23 19:38:59 2020 MANAGEMENT: >STATE:1600879139,ASSIGN_IP,,10.10.10.5,,,,
Wed Sep 23 19:39:04 2020 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Sep 23 19:39:04 2020 MANAGEMENT: >STATE:1600879144,ADD_ROUTES,,,,,,
Wed Sep 23 19:39:04 2020 C:Windowssystem32route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.10.10.6
Wed Sep 23 19:39:04 2020 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Sep 23 19:39:04 2020 Route addition via IPAPI succeeded [adaptive]
Wed Sep 23 19:39:04 2020 C:Windowssystem32route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.10.10.6
Wed Sep 23 19:39:04 2020 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Sep 23 19:39:04 2020 Route addition via IPAPI succeeded [adaptive]
Wed Sep 23 19:39:04 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Sep 23 19:39:04 2020 Initialization Sequence Completed
Wed Sep 23 19:39:04 2020 MANAGEMENT: >STATE:1600879144,CONNECTED,SUCCESS,10.10.10.5,5.12.176.126,40450,192.168.0.2,62278
Wed Sep 23 19:40:03 2020 Connection reset, restarting [-1]
Wed Sep 23 19:40:03 2020 SIGUSR1[soft,connection-reset] received, process restarting
Wed Sep 23 19:40:03 2020 MANAGEMENT: >STATE:1600879203,RECONNECTING,connection-reset,,,,,
Wed Sep 23 19:40:03 2020 Restart pause, 5 second(s)
Wed Sep 23 19:40:08 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]5.12.176.126:40450
Wed Sep 23 19:40:08 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Sep 23 19:40:08 2020 Attempting to establish TCP connection with [AF_INET]5.12.176.126:40450 [nonblock]
Wed Sep 23 19:40:08 2020 MANAGEMENT: >STATE:1600879208,TCP_CONNECT,,,,,,
I’m new to Ansible. I’m trying to write a playbook to configure UFW. My task reads as such:
- name: Allow SSH in UFW
  ufw:
    rule: allow
    port: 22
    proto: tcp
    from_ip:
      - "{{ item }}"
  with_items:
    - 192.168.0.0/24
    - 10.200.3.0/24
    - 10.200.2.0/24
The result that I get back when running the playbook is:
failed: [192.168.255.20] (item=192.168.0.0/24) => {"changed": false, "item": "192.168.0.0/24", "msg": "ERROR: Bad source address\n"}
failed: [192.168.255.20] (item=10.200.3.0/24) => {"changed": false, "item": "10.200.3.0/24", "msg": "ERROR: Bad source address\n"}
failed: [192.168.255.20] (item=10.200.2.0/24) => {"changed": false, "item": "10.200.2.0/24", "msg": "ERROR: Bad source address\n"}
I can’t find anything in the Ansible UFW documentation, or in UFW itself, that would stop this from working. If I remove the ‘with_items’ loop and enter each IP subnet separately they all work, but that could make for some really long playbooks down the road. Can anyone tell me what I’ve done wrong?
The documentation I was working from is here: https://docs.ansible.com/ansible/latest/modules/ufw_module.html?highlight=ufw
Edit: Including text from running in verbose mode:
failed: [192.168.255.20] (item=10.200.2.0/24) => {
    "changed": false,
    "invocation": {
        "module_args": {
            "app": null,
            "comment": null,
            "default": null,
            "delete": false,
            "direction": null,
            "from_ip": "['10.200.2.0/24']",
            "from_port": null,
            "insert": null,
            "interface": null,
            "log": false,
            "logging": null,
            "port": 22,
            "proto": "tcp",
            "route": false,
            "rule": "allow",
            "state": null,
            "to_ip": "any",
            "to_port": "22"
        }
    },
    "item": "10.200.2.0/24",
    "msg": "ERROR: Bad source address\n"
I run a VPS which I would like to secure using UFW, allowing connections only to port 80.
However, in order to be able to administer it remotely, I need to keep port 22 open and make it reachable from home.
I know that UFW can be configured to allow connections to a port only from specific IP address:
ufw allow proto tcp from 123.123.123.123 to any port 22
But my IP address is dynamic, so this is not yet the solution.
The question is: I have dynamic DNS resolution with DynDNS, so is it possible to create a Rule using the domain instead of the IP?
I already tried this:
ufw allow proto tcp from mydomain.dyndns.org to any port 22
but I got ERROR: Bad source address
slm♦
356k112 gold badges753 silver badges860 bronze badges
asked Sep 20, 2013 at 21:20
I don’t believe this is possible with ufw. ufw is just a frontend to iptables which also lacks this feature, so one approach would be to create a crontab entry which would periodically run and check if the IP address has changed. If it has then it will update it.
You might be tempted to do this:
$ iptables -A INPUT -p tcp --src mydomain.dyndns.org --dport 22 -j ACCEPT
But this will resolve the hostname to an IP and use that for the rule, so if the IP later changes this rule will become invalid.
Alternative idea
You could create a script like so, called iptables_update.bash.
#!/bin/bash
# Allow a dyndns name: keep one ACCEPT rule in step with the name's current IP
HOSTNAME=HOST_NAME_HERE
LOGFILE=LOGFILE_NAME_HERE
# Field 4 of "<name> has address <ip>"
Current_IP=$(host $HOSTNAME | cut -f4 -d' ')
# First run: no log file yet, so there is no old rule to remove
if [ ! -f "$LOGFILE" ] ; then
    iptables -I INPUT -i eth1 -s $Current_IP -j ACCEPT
    echo $Current_IP > $LOGFILE
else
    Old_IP=$(cat $LOGFILE)
    if [ "$Current_IP" = "$Old_IP" ] ; then
        echo IP address has not changed
    else
        # Replace the rule for the old address with one for the new address
        iptables -D INPUT -i eth1 -s $Old_IP -j ACCEPT
        iptables -I INPUT -i eth1 -s $Current_IP -j ACCEPT
        /etc/init.d/iptables save
        echo $Current_IP > $LOGFILE
        echo iptables have been updated
    fi
fi
source: Using IPTables with Dynamic IP hostnames like dyndns.org
With this script saved you could create a crontab entry like so in the file /etc/crontab:
*/5 * * * * root /etc/iptables_update.bash > /dev/null 2>&1
This entry would then run the script every 5 minutes, checking to see if the IP address assigned to the hostname has changed. If so then it will create a new rule allowing it, while deleting the old rule for the old IP address.
answered Sep 20, 2013 at 23:31
slm♦slm
356k112 gold badges753 silver badges860 bronze badges
8
I know this is old, but I ran across it and ended up with this solution in the end, which seems even better because no log file is needed and it is very easy to add additional hosts as needed. Works like a charm!
Source:
http://rdstash.blogspot.ch/2013/09/allow-host-with-dynamic-ip-through.html
#!/bin/bash
# Usage: pass the dynamic hostname as the first argument
DYNHOST=$1
# The hostname doubles as the iptables chain name, so cap it at 28 characters
DYNHOST=${DYNHOST:0:28}
DYNIP=$(host $DYNHOST | grep -iE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" |cut -f4 -d' '|head -n 1)
# Exit if invalid IP address is returned
case $DYNIP in
    0.0.0.0 )
        exit 1 ;;
    255.255.255.255 )
        exit 1 ;;
esac
# Exit if IP address not in proper format (anchored, so the whole string must match)
if ! [[ $DYNIP =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ]]; then
    exit 1
fi
# If chain for remote doesn't exist, create it
if ! /sbin/iptables -L $DYNHOST -n >/dev/null 2>&1 ; then
    /sbin/iptables -N $DYNHOST >/dev/null 2>&1
fi
# Check IP address to see if the chain matches first; skip rest of script if update is not needed
if ! /sbin/iptables -n -L $DYNHOST | grep -iE " $DYNIP " >/dev/null 2>&1 ; then
    # Flush old rules, and add new
    /sbin/iptables -F $DYNHOST >/dev/null 2>&1
    /sbin/iptables -I $DYNHOST -s $DYNIP -j ACCEPT
    # Add chain to INPUT filter if it doesn't exist
    if ! /sbin/iptables -C INPUT -t filter -j $DYNHOST >/dev/null 2>&1 ; then
        /sbin/iptables -t filter -I INPUT -j $DYNHOST
    fi
fi
answered Jul 28, 2015 at 20:26
Dom
2
Based on previous answers, I updated the following as a bash script that works on Debian Jessie
#!/bin/bash
HOSTNAME=dynamichost.domain.com
LOGFILE=$HOME/ufw.log
Current_IP=$(host "$HOSTNAME" | head -n1 | cut -f4 -d ' ')
if [ ! -f "$LOGFILE" ]; then
    /usr/sbin/ufw allow from "$Current_IP" to any port 22 proto tcp
    echo "$Current_IP" > "$LOGFILE"
else
    Old_IP=$(cat "$LOGFILE")
    if [ "$Current_IP" = "$Old_IP" ] ; then
        echo IP address has not changed
    else
        /usr/sbin/ufw delete allow from "$Old_IP" to any port 22 proto tcp
        /usr/sbin/ufw allow from "$Current_IP" to any port 22 proto tcp
        echo "$Current_IP" > "$LOGFILE"
        echo iptables have been updated
    fi
fi
Tim Kennedy
answered Mar 21, 2017 at 14:27
5
Based on all answers before I combined them. No logfile needed. Tested on Ubuntu 18.04
#!/bin/bash
HOSTNAME=YOUR.DNS.NAME.HERE
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi
new_ip=$(host "$HOSTNAME" | head -n1 | cut -f4 -d ' ')
old_ip=$(/usr/sbin/ufw status | grep "$HOSTNAME" | head -n1 | tr -s ' ' | cut -f3 -d ' ')
if [ "$new_ip" = "$old_ip" ] ; then
    echo IP address has not changed
else
    if [ -n "$old_ip" ] ; then
        /usr/sbin/ufw delete allow from "$old_ip" to any
    fi
    /usr/sbin/ufw allow from "$new_ip" to any comment "$HOSTNAME"
    echo iptables have been updated
fi
You can add a port to the rules with the "port" parameter, e.g.:
if [ -n "$old_ip" ] ; then
    /usr/sbin/ufw delete allow from "$old_ip" to any port 22
fi
/usr/sbin/ufw allow from "$new_ip" to any port 22 comment "$HOSTNAME"
answered Aug 6, 2019 at 11:15
Sebastian
1
Here is a version in Python which can add or remove IPv4 and IPv6 rules if the hostname resolves to multiple endpoints (ufw). Note that my scenario was slightly different as I started with an "Allow everything" profile.
Based on the version from Tim Kennedy and Mattias Pettersson
#!/usr/bin/env python
# Only allow a particular HOSTNAME to access the given port...
# from https://unix.stackexchange.com/a/534117/66983
# and https://unix.stackexchange.com/a/91711/66983
# If the ufw table is empty you might need to execute the script twice (as inserting on top will not work properly)
# crontab -e and add '*/5 * * * * root /path/to/update_ufw.py > /dev/null 2>&1'
import os
import subprocess
import sys

HOSTNAME = "<hostname>"  # replace with the hostname to allow
PORT = "<port>"  # replace with the port number

if os.geteuid() != 0:
    print("This script must be run as root")
    sys.exit(1)


def run(cmd):
    """Run a shell pipeline and return its standard output as text."""
    process = subprocess.Popen(['bash', '-c', cmd],
                               stdout=subprocess.PIPE)
    stdout, stderr = process.communicate()
    return stdout.decode('utf-8')


new_ip_output = run("getent ahosts \"{}\" | awk '{{ print $1 }}'".format(HOSTNAME))
new_ips = set(new_ip_output.split())
# Collect every rule tagged with the hostname, not only the first one,
# so that a hostname resolving to several addresses compares correctly
old_ip_output = run("/usr/sbin/ufw status | grep {} | tr -s ' ' | cut -f3 -d ' '".format(HOSTNAME))
old_ips = set(old_ip_output.split())
if old_ips == new_ips:
    print("All IPs still OK.")
else:
    # add new IPs
    for new_ip in new_ips:
        if new_ip not in old_ips:
            out = run("/usr/sbin/ufw insert 1 allow from {} to any port {} comment {}".format(new_ip, PORT, HOSTNAME))
            print(out)
    # remove old IPs
    for old_ip in old_ips:
        if old_ip not in new_ips:
            out = run("/usr/sbin/ufw delete allow from {} to any port {}".format(old_ip, PORT))
            print(out)
    # add deny rule
    out = run("/usr/sbin/ufw deny {}".format(PORT))
    print(out)
answered Sep 6, 2020 at 19:10
2
If you have multiple hosts for same DNS, you can use this script.
#!/bin/bash
# 1. hostname
# 2. port
# How to use:
# ./ufw unix.stackexchange.com 5432
declare HOSTNAME=$1
declare PORT=$2
declare OLD_HOSTS_FILE=$HOME/$HOSTNAME.$PORT.backup
# The backup file does not exist on the first run
declare OLD_HOSTS_CONTENT=$(cat "$OLD_HOSTS_FILE" 2>/dev/null)
declare NEW_HOSTS_CONTENT=$(getent hosts "$HOSTNAME" | awk '{ print $1 }' | sort)
# Check if hosts are equal
declare OLD_HOSTS_CONTENT64=$(echo $OLD_HOSTS_CONTENT | base64)
declare NEW_HOSTS_CONTENT64=$(echo $NEW_HOSTS_CONTENT | base64)
if [ "$OLD_HOSTS_CONTENT64" == "$NEW_HOSTS_CONTENT64" ] ; then
    echo IP address has not changed
    exit
fi
# Remove old hosts (the addresses saved by the previous run)
declare -a OLD_HOSTS=($OLD_HOSTS_CONTENT)
for Old_IP in "${OLD_HOSTS[@]}"
do
    echo Remove old host $Old_IP
    /usr/sbin/ufw delete allow from "$Old_IP" to any port "$PORT" proto tcp
done
# Add new hosts
declare -a HOSTS=($NEW_HOSTS_CONTENT)
for Current_IP in "${HOSTS[@]}"
do
    echo Add host $Current_IP
    /usr/sbin/ufw allow from "$Current_IP" to any port "$PORT" proto tcp
done
echo $NEW_HOSTS_CONTENT > "$OLD_HOSTS_FILE"
crontab:
*/5 * * * * root /etc/ufw_config.bash unix.stackexchange.com 22 > /dev/null 2>&1
*/5 * * * * root /etc/ufw_config.bash example.com 22 > /dev/null 2>&1
answered Nov 8, 2021 at 14:29
David
1
Instead of a script to update the IP rule, you can use port knocking, which will allow a specific source address after a specific sequence of ports have been blocked by the firewall.
In my experience the sequence won’t unlock at the first try (depending on the traffic going on). So I made this script to simplify the task (let’s call it sshk.sh):
#!/bin/bash
SSHPORT=$1
USER=$2
SERVER=$3
if [[ $3 = "" ]]; then
    echo "Usage: $0 [PORT] [USER] [SERVER] [SEQ1 2 3 ...]"
    exit
fi
echo "Connecting..."
OPEN=$(nmap -p"$SSHPORT" "$SERVER" | grep " open ")
while [[ $OPEN == "" ]]; do
    knock "$SERVER" "${@:4}"
    OPEN=$(nmap -p"$SSHPORT" "$SERVER" | grep " open ")
    if [[ $OPEN == "" ]]; then
        echo -n "."
        sleep 1
    fi
done
echo "Done."
ssh -p"$SSHPORT" "$USER@$SERVER"
With this script, if the port is already open, it won’t knock again.
And in your VPS, install knockd and edit /etc/knockd.conf. This is my config (which will use UFW and it will remove the rule automatically after 1 hour, to prevent leaving garbage in your firewall rules):
[options]
UseSyslog
LogFile = /var/log/knockd.log
[allowUFW]
sequence = 7007,1457,3939,924,2022
seq_timeout = 15
start_command = ufw_from + %IP%
cmd_timeout = 3600
stop_command = ufw_from - %IP%
tcpflags = syn
In your home terminal you execute (you can create another script or an alias to simplify):
./sshk.sh 22 myuser my.vps.com 7007 1457 3939 924 2022
Important Notes:
- The longer the sequence of numbers, the longer it will take to succeed.
- Try to keep the sequence from 3 to 5 numbers (under 3, it is not very secure, above 5 may take too long).
- Do not use consecutive numbers (as scanners may probe in sequence)
- You can use a shorter cmd_timeout setting, as once you log in, it will keep you logged in even when the rule is reverted. I use 1 hour, as I may want to keep logging in during that time.
- It is better not to use the default SSH port
- Use public key with password for stronger security
More about it:
https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/
answered Jun 8, 2022 at 22:17
lepe
1
I based this on the last comment of Sebastian, but for multiple ports, and added an IP check that I found on the web, since duckdns sometimes crashes and servers don’t respond with the IP (host == "Found").
This works for me.
#!/bin/bash
function valid_ip()
{
    local ip=$1
    local stat=1
    if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        OIFS=$IFS
        IFS='.'
        ip=($ip)
        IFS=$OIFS
        [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
            && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
        stat=$?
    fi
    return $stat
}
HOSTNAME=YOUR.DNS.NAME.HERE
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi
new_ip=$(host "$HOSTNAME" | head -n1 | cut -f4 -d ' ')
old_ip=$(/usr/sbin/ufw status | grep "$HOSTNAME" | head -n1 | tr -s ' ' | cut -f3 -d ' ')
if ! valid_ip "$new_ip";
then
    exit 1
fi
if [ "$new_ip" = "$old_ip" ] ; then
    exit 0
else
    if [ -n "$old_ip" ] ; then
        /usr/sbin/ufw delete allow from "$old_ip" to any port 22,6556 proto tcp
    fi
    /usr/sbin/ufw allow from "$new_ip" to any port 22,6556 proto tcp comment "$HOSTNAME"
    echo "iptables have been modified by change of ip $new_ip"
    exit 0
fi
answered May 21, 2020 at 1:52
4
In this example, which is a bit more complex, we are using multiple domains listed in a text file domains.txt to build a whitelist of IPs, and we prevent IPs from being deleted from the UFW whitelist until 300 seconds after they were last observed in a DNS result.
The syntax of my ufw command is somewhat different as I have a slightly different use case of allowing the traffic to route across specific interfaces.
I set this script to run at boot time in rc.local and it does a good job of maintaining the UFW with the whitelist, with minimal CPU consumption.
I should note that this solution is not really scalable to more than 100-200 domains because of the CPU load of the ufw command and the latency required for each ufw command, and for more than this number of domains (and probably less too) we should probably write the iptables rules into /etc/ufw/user.rules manually, and then "ufw reload", which would likely be a much more scalable approach.
It generates a lot of DNS traffic, so it is best to use an internal caching DNS server (e.g. Pihole, etc.) and point the host towards it.
#!/bin/bash
declare -A ip_whitelist_lastseen_times
while :
do
    echo "Reading domains..."
    DOMAINS=$(cat domains.txt)
    # -f: the file does not exist on the first pass
    rm -f ip_whitelist.txt
    # Generate whitelist based upon DNS query
    echo "Generating whitelist..."
    for DOMAIN in ${DOMAINS[@]}
    do
        host "$DOMAIN" | grep 'has address' | cut -f4 -d ' ' >> ip_whitelist.txt
    done
    echo "Whitelist generated, now we will sort it and remove non-unique entries. "
    cat ip_whitelist.txt | sort | uniq > ip_whitelist_unique.txt
    echo "Indexing whitelist into array"
    # Read the whitelist into array.
    unset new_ip_list
    IFS=$'\n' read -r -d '' -a new_ip_list < <( cat ip_whitelist_unique.txt && printf '\0' )
    echo "Reading list of currently loaded rules."
    # Get the UFW current list of IPs with WHITELIST description
    # Read the existing entries, into an array.
    unset old_ip_list
    IFS=$'\n' read -r -d '' -a old_ip_list < <( /usr/sbin/ufw status | grep "WHITELIST" | tr -s ' ' | cut -f1 -d ' ' && printf '\0' )
    echo "resetting and Flipping array of whitelist"
    # Flipping array, so it can be searched by index
    # -searching array by index is faster than looping through the
    # same array in bash repeatedly for every new/old entry
    # and then making same comparisons repeatedly
    unset new_ip_list_index
    declare -A new_ip_list_index
    for new_ip in "${new_ip_list[@]}"
    do
        new_ip_list_index[$new_ip]=1
    done
    echo "resetting and flipping array of currently loaded rules"
    unset old_ip_list_index
    declare -A old_ip_list_index
    for new_ip in "${old_ip_list[@]}"
    do
        old_ip_list_index[$new_ip]=1
    done
    #: for each new IP, check if it is in the existing list of IPs
    #: If it is not, then we need to add a rule
    echo "iterating to add rules"
    for new_ip in "${new_ip_list[@]}"
    do
        if [ ! -v "old_ip_list_index[$new_ip]" ] ; then
            /usr/sbin/ufw route allow in on enp5s0f0 out on enp5s0f1 from 192.168.0.0/24 to "$new_ip" port 80 proto tcp comment WHITELIST
            /usr/sbin/ufw route allow in on enp5s0f0 out on enp5s0f1 from 192.168.0.0/24 to "$new_ip" port 443 proto tcp comment WHITELIST
            sleep 0.5
        fi
        # Here we will make an array entry indicating the last time the host was seen in the whitelist
        ip_whitelist_lastseen_times[$new_ip]=$(date '+%s')
    done
    echo "iterating to remove rules"
    #: for each existing IP in the ufw status list, if it is not in the new host list, it is due for removal
    current_time=$(date '+%s')
    for old_ip in "${old_ip_list[@]}"
    do
        if [ ! -v "new_ip_list_index[$old_ip]" ] ; then
            # marking eligible for deletion by calculating delta
            delta=$current_time
            if [ -v "ip_whitelist_lastseen_times[$old_ip]" ] ; then
                let "delta = $current_time - ${ip_whitelist_lastseen_times[$old_ip]}"
            fi
            if [ "$delta" -gt "300" ] ; then
                /usr/sbin/ufw route delete allow in on enp5s0f0 out on enp5s0f1 from 192.168.0.0/24 to "$old_ip" port 443 proto tcp
                /usr/sbin/ufw route delete allow in on enp5s0f0 out on enp5s0f1 from 192.168.0.0/24 to "$old_ip" port 80 proto tcp
                sleep 0.5
                unset "ip_whitelist_lastseen_times[$old_ip]"
            fi
        fi
    done
    sleep 30
done
answered Jan 30, 2022 at 5:36
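Several answers above take the first line of host output and its fourth field as the address, and the last answer keeps an address for 300 seconds after it was last seen in DNS. The following is an added example, not code from any answer: it shows what that pipeline returns on a failed lookup, a stricter parser, and the grace-period decision as a dry run that only prints planned actions. The name dyn.example.net, the documentation-range addresses and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed inputs only, nothing here calls host(1) or ufw.

# Constructed host(1) output: a healthy lookup and a failed one.
SAMPLE_OK='dyn.example.net has address 203.0.113.80
dyn.example.net has address 203.0.113.5
dyn.example.net has IPv6 address 2001:db8::5
dyn.example.net mail is handled by 10 mx.example.net.'
SAMPLE_NXDOMAIN='Host dyn.example.net not found: 3(NXDOMAIN)'

# The pipeline used by several answers: first line, fourth field.
# On a failed lookup it yields the word "found:", which would then be
# handed to ufw as a source address.
naive_parse() {
    head -n1 | cut -f4 -d ' '
}

# valid_ipv4 ADDRESS: succeed only for four dot-separated octets in 0..255
# without leading zeros. The body is a subshell so the IFS change stays local.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) exit 1 ;;
        esac
    done
    exit 0
)

# extract_ipv4: read host(1) output on stdin and print each usable IPv4
# address once, sorted. Only "NAME has address IP" lines are considered;
# 0.0.0.0 and 255.255.255.255 are dropped.
extract_ipv4() {
    awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u |
    while IFS= read -r candidate; do
        case "$candidate" in
            0.0.0.0|255.255.255.255) continue ;;
        esac
        if valid_ipv4 "$candidate"; then
            printf '%s\n' "$candidate"
        fi
    done
}

# plan_changes INSTALLED RESOLVED LAST_SEEN NOW GRACE
# INSTALLED and RESOLVED are space-separated address lists; LAST_SEEN is a
# space-separated list of ip=epoch pairs. Prints one action per line:
# "allow" for a newly resolved address, "keep" for an installed address that
# left DNS less than GRACE seconds ago, "delete" otherwise.
plan_changes() {
    awk -v installed="$1" -v resolved="$2" -v seen="$3" \
        -v now="$4" -v grace="$5" 'BEGIN {
        nr = split(resolved, want_list, " ")
        for (i = 1; i <= nr; i++) want[want_list[i]] = 1
        ni = split(installed, have_list, " ")
        for (i = 1; i <= ni; i++) have[have_list[i]] = 1
        ns = split(seen, pairs, " ")
        for (i = 1; i <= ns; i++) { split(pairs[i], kv, "="); last[kv[1]] = kv[2] }
        for (i = 1; i <= nr; i++)
            if (!(want_list[i] in have)) print "allow " want_list[i]
        for (i = 1; i <= ni; i++) {
            ip = have_list[i]
            if (ip in want) continue
            # An address with no timestamp is treated as expired.
            age = (ip in last) ? now - last[ip] : grace + 1
            action = (age > grace) ? "delete" : "keep"
            print action " " ip
        }
    }'
}

# Demonstration on the constructed samples.
printf 'naive parse of a failed lookup: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NXDOMAIN" | naive_parse)"
printf 'strict parse of a good lookup:\n%s\n' \
    "$(printf '%s\n' "$SAMPLE_OK" | extract_ipv4)"
plan_changes "198.51.100.7 203.0.113.5 192.0.2.9" "203.0.113.5 203.0.113.80" \
    "198.51.100.7=1200 203.0.113.5=1250" 1300 300
```

Each "allow" or "delete" line corresponds to one ufw command in the answers above; an empty result from extract_ipv4 means the lookup failed and the existing rules should be left alone.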
Topic: Please help with OpenVPN (Read 5898 times)
sdilshod
Hello everyone!
I needed to set up OpenVPN on a private server. I had never had to deal with this before. I found information online on how to set up OpenVPN: http://eax.me/openvpn. I followed the instructions, installed openvpn and easy-rsa, and generated the certificates, keys and so on. That is, I simply followed the instructions blindly. In short, I did everything that was described there and at the end started the openvpn service, and it started.
The command sudo openvpn --config client.conf seemed to run successfully, but the openvpn log shows
MULTI: bad source address from client [94.230.225.244], packet dropped
I searched online and found that additional options need to be added to the server config and a ccd file created for the client. But after that the server and client cannot ping each other, and if I remove those additional options from the server config, the server and client can ping each other, but the log shows the packet dropped error.
server config
client config
ccd for the client: iroute 94.230.225.0 255.255.255.0
All of this is needed so that Skype works for me. In our country many users have trouble with Skype, and it is assumed that Skype has been blocked. I was advised to try setting up a VPN server for myself on a private server that I have access to.
Thanks in advance!
« Last edit: 18 November 2016, 09:51:08 by sdilshod »
fisher74
Restore the commented-out lines and show the diagnostics
from the server
ip a; ip r
sysctl ipv4.ip_forward
sudo iptables-save
from the client, ip a; ip r is enough
Wait. Is the client on Windows 7? Turn off the firewall and restart the OVPN server and the client.
« Last edit: 18 November 2016, 09:53:04 by fisher74 »
sdilshod
« Last edit: 18 November 2016, 09:44:23 by sdilshod »
sdilshod
>>Wait. Is the client on Windows 7? Turn off the firewall and restart the OVPN server and the client.
The client is Linux. Ubuntu
fisher74
OK, but the client is not running
I got the command for the server wrong
sysctl net.ipv4.ip_forward
User added a message on 18 November 2016, 09:57:02:
start the client
If the tunX interface appears, show ip a;ip r again
« Last edit: 18 November 2016, 09:57:02 by fisher74 »
sdilshod
sysctl net.ipv4.ip_forward outputs net.ipv4.ip_forward = 1
If I enable those options (ccd) on the server, then an attempt to connect from the client gives the error
Fri Nov 18 11:58:03 2016 TCP: connect to [AF_INET]82.146.34.142:1194 failed, will try again in 5 seconds: Connection timed out
fisher74
remove route from the server config, but keep ccd
sdilshod
I removed route and kept ccd. The client starts
In the openvpn log
Output of the command ip a;ip r
User added a message on 18 November 2016, 10:50:46:
fisher74, please tell me, could this problem be caused by, for example, some restrictions on my provider's side?
User added a message on 18 November 2016, 11:46:06:
The question is still open. Please help.
If it is for payment, we can discuss that too
« Last edit: 18 November 2016, 11:46:06 by sdilshod »
fisher74
show ip a; ip r from the client as well
sdilshod
Output of the command ip a; ip r with the openvpn client running
fisher74
and now ip r from the server once more, with the client connected
sdilshod
fisher74
you haven't forgotten this client's ccd file on the server?
sudo grep ccd /etc/openvpn/server.conf
sudo cat /etc/openvpn/ccd/*
sdilshod
fisher74, thanks for the help.
I had not forgotten the ccd file; later I added one more option and now its contents are
ifconfig-push 10.128.10.9 10.128.10.10
iroute 10.128.0.0 255.255.255.0
There are still drops in the log, but Skype works now. I set up Skype through a proxy while connected to openvpn. Though sometimes Google redirects a request to a page where a captcha has to be entered.
Thanks again!!
fisher74
Though sometimes Google redirects a request to a page where a captcha has to be entered.
That happens to me at home quite often even without a proxy (Rostelecom)
I use OpenVPN, and the connection from PC to PC works fine while Android doesn't. I get the following error: Bad source address
I tried connecting from Android with apps such as OpenVPN Connect and OpenVPN For Android, with the same error.
My Server configuration:
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\Program Files\OpenVPN\config\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/archsrv.crt
key /etc/openvpn/archsrv.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh2048.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
#comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
My client openvpn configuration:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote ***.***.***.*** 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca /storage/emulated/0/openvpnconf/ca.crt
#cert /storage/emulated/0/openvpnconf/client.crt
#key /storage/emulated/0/openvpnconf/client.key
# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
# Set log file verbosity.
verb 5
# Silence repeating messages
;mute 20
pkcs12 /storage/emulated/0/openvpnconf/client.p12
Server verbosity mode 9 log in the beginning:
Sat Feb 27 22:14:18 2016 us=288081 Current Parameter Settings:
Sat Feb 27 22:14:18 2016 us=288179 config = '/etc/openvpn/server.conf'
Sat Feb 27 22:14:18 2016 us=288206 mode = 1
Sat Feb 27 22:14:18 2016 us=288229 persist_config = DISABLED
Sat Feb 27 22:14:18 2016 us=288252 persist_mode = 1
Sat Feb 27 22:14:18 2016 us=288275 show_ciphers = DISABLED
Sat Feb 27 22:14:18 2016 us=288297 show_digests = DISABLED
Sat Feb 27 22:14:18 2016 us=288318 show_engines = DISABLED
Sat Feb 27 22:14:18 2016 us=288341 genkey = DISABLED
Sat Feb 27 22:14:18 2016 us=288364 key_pass_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=288386 show_tls_ciphers = DISABLED
Sat Feb 27 22:14:18 2016 us=288409 Connection profiles [default]:
Sat Feb 27 22:14:18 2016 us=288431 proto = udp
Sat Feb 27 22:14:18 2016 us=288453 local = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=288476 local_port = 1194
Sat Feb 27 22:14:18 2016 us=288498 remote = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=288520 remote_port = 1194
Sat Feb 27 22:14:18 2016 us=288543 remote_float = DISABLED
Sat Feb 27 22:14:18 2016 us=288564 bind_defined = DISABLED
Sat Feb 27 22:14:18 2016 us=288586 bind_local = ENABLED
Sat Feb 27 22:14:18 2016 us=288609 connect_retry_seconds = 5
Sat Feb 27 22:14:18 2016 us=288631 connect_timeout = 10
Sat Feb 27 22:14:18 2016 us=288653 connect_retry_max = 0
Sat Feb 27 22:14:18 2016 us=288676 socks_proxy_server = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=288698 socks_proxy_port = 0
Sat Feb 27 22:14:18 2016 us=288720 socks_proxy_retry = DISABLED
Sat Feb 27 22:14:18 2016 us=288743 tun_mtu = 1500
Sat Feb 27 22:14:18 2016 us=288764 tun_mtu_defined = ENABLED
Sat Feb 27 22:14:18 2016 us=288787 link_mtu = 1500
Sat Feb 27 22:14:18 2016 us=288809 link_mtu_defined = DISABLED
Sat Feb 27 22:14:18 2016 us=288831 tun_mtu_extra = 0
Sat Feb 27 22:14:18 2016 us=288853 tun_mtu_extra_defined = DISABLED
Sat Feb 27 22:14:18 2016 us=288875 mtu_discover_type = -1
Sat Feb 27 22:14:18 2016 us=288897 fragment = 0
Sat Feb 27 22:14:18 2016 us=288920 mssfix = 1450
Sat Feb 27 22:14:18 2016 us=288942 explicit_exit_notification = 0
Sat Feb 27 22:14:18 2016 us=288964 Connection profiles END
Sat Feb 27 22:14:18 2016 us=288987 remote_random = DISABLED
Sat Feb 27 22:14:18 2016 us=289008 ipchange = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289030 dev = 'tun'
Sat Feb 27 22:14:18 2016 us=289053 dev_type = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289075 dev_node = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289097 lladdr = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289119 topology = 1
Sat Feb 27 22:14:18 2016 us=289141 tun_ipv6 = DISABLED
Sat Feb 27 22:14:18 2016 us=289163 ifconfig_local = '10.8.0.1'
Sat Feb 27 22:14:18 2016 us=289186 ifconfig_remote_netmask = '10.8.0.2'
Sat Feb 27 22:14:18 2016 us=289208 ifconfig_noexec = DISABLED
Sat Feb 27 22:14:18 2016 us=289230 ifconfig_nowarn = DISABLED
Sat Feb 27 22:14:18 2016 us=289253 ifconfig_ipv6_local = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289275 ifconfig_ipv6_netbits = 0
Sat Feb 27 22:14:18 2016 us=289297 ifconfig_ipv6_remote = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289320 shaper = 0
Sat Feb 27 22:14:18 2016 us=289342 mtu_test = 0
Sat Feb 27 22:14:18 2016 us=289364 mlock = DISABLED
Sat Feb 27 22:14:18 2016 us=289387 keepalive_ping = 10
Sat Feb 27 22:14:18 2016 us=289409 keepalive_timeout = 120
Sat Feb 27 22:14:18 2016 us=289431 inactivity_timeout = 0
Sat Feb 27 22:14:18 2016 us=289454 ping_send_timeout = 10
Sat Feb 27 22:14:18 2016 us=289476 ping_rec_timeout = 240
Sat Feb 27 22:14:18 2016 us=289498 ping_rec_timeout_action = 2
Sat Feb 27 22:14:18 2016 us=289520 ping_timer_remote = DISABLED
Sat Feb 27 22:14:18 2016 us=289542 remap_sigusr1 = 0
Sat Feb 27 22:14:18 2016 us=289564 persist_tun = ENABLED
Sat Feb 27 22:14:18 2016 us=289586 persist_local_ip = DISABLED
Sat Feb 27 22:14:18 2016 us=289608 persist_remote_ip = DISABLED
Sat Feb 27 22:14:18 2016 us=289630 persist_key = ENABLED
Sat Feb 27 22:14:18 2016 us=289653 passtos = DISABLED
Sat Feb 27 22:14:18 2016 us=289675 resolve_retry_seconds = 1000000000
Sat Feb 27 22:14:18 2016 us=289707 username = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289731 groupname = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289752 chroot_dir = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289778 cd_dir = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289800 writepid = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289822 up_script = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289846 down_script = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289867 down_pre = DISABLED
Sat Feb 27 22:14:18 2016 us=289889 up_restart = DISABLED
Sat Feb 27 22:14:18 2016 us=289912 up_delay = DISABLED
Sat Feb 27 22:14:18 2016 us=289934 daemon = DISABLED
Sat Feb 27 22:14:18 2016 us=289956 inetd = 0
Sat Feb 27 22:14:18 2016 us=289979 log = ENABLED
Sat Feb 27 22:14:18 2016 us=290001 suppress_timestamps = DISABLED
Sat Feb 27 22:14:18 2016 us=290023 nice = 0
Sat Feb 27 22:14:18 2016 us=290047 verbosity = 9
Sat Feb 27 22:14:18 2016 us=290069 mute = 0
Sat Feb 27 22:14:18 2016 us=290091 gremlin = 0
Sat Feb 27 22:14:18 2016 us=290114 status_file = 'openvpn-status.log'
Sat Feb 27 22:14:18 2016 us=290136 status_file_version = 1
Sat Feb 27 22:14:18 2016 us=290159 status_file_update_freq = 60
Sat Feb 27 22:14:18 2016 us=290181 occ = ENABLED
Sat Feb 27 22:14:18 2016 us=290203 rcvbuf = 0
Sat Feb 27 22:14:18 2016 us=290226 sndbuf = 0
Sat Feb 27 22:14:18 2016 us=290248 mark = 0
Sat Feb 27 22:14:18 2016 us=290269 sockflags = 0
Sat Feb 27 22:14:18 2016 us=290292 fast_io = DISABLED
Sat Feb 27 22:14:18 2016 us=290314 lzo = 0
Sat Feb 27 22:14:18 2016 us=290336 route_script = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290359 route_default_gateway = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290382 route_default_metric = 0
Sat Feb 27 22:14:18 2016 us=290404 route_noexec = DISABLED
Sat Feb 27 22:14:18 2016 us=290427 route_delay = 0
Sat Feb 27 22:14:18 2016 us=290450 route_delay_window = 30
Sat Feb 27 22:14:18 2016 us=290473 route_delay_defined = DISABLED
Sat Feb 27 22:14:18 2016 us=290496 route_nopull = DISABLED
Sat Feb 27 22:14:18 2016 us=290518 route_gateway_via_dhcp = DISABLED
Sat Feb 27 22:14:18 2016 us=290541 max_routes = 100
Sat Feb 27 22:14:18 2016 us=290564 allow_pull_fqdn = DISABLED
Sat Feb 27 22:14:18 2016 us=290588 route 10.8.0.0/255.255.255.0/nil/nil
Sat Feb 27 22:14:18 2016 us=290610 management_addr = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290634 management_port = 0
Sat Feb 27 22:14:18 2016 us=290656 management_user_pass = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290679 management_log_history_cache = 250
Sat Feb 27 22:14:18 2016 us=290702 management_echo_buffer_size = 100
Sat Feb 27 22:14:18 2016 us=290724 management_write_peer_info_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290748 management_client_user = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290770 management_client_group = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290794 management_flags = 0
Sat Feb 27 22:14:18 2016 us=290816 shared_secret_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290838 key_direction = 0
Sat Feb 27 22:14:18 2016 us=290862 ciphername_defined = ENABLED
Sat Feb 27 22:14:18 2016 us=290884 ciphername = 'BF-CBC'
Sat Feb 27 22:14:18 2016 us=290907 authname_defined = ENABLED
Sat Feb 27 22:14:18 2016 us=290929 authname = 'SHA1'
Sat Feb 27 22:14:18 2016 us=290951 prng_hash = 'SHA1'
Sat Feb 27 22:14:18 2016 us=290974 prng_nonce_secret_len = 16
Sat Feb 27 22:14:18 2016 us=290997 keysize = 0
Sat Feb 27 22:14:18 2016 us=291019 engine = DISABLED
Sat Feb 27 22:14:18 2016 us=291041 replay = ENABLED
Sat Feb 27 22:14:18 2016 us=291064 mute_replay_warnings = DISABLED
Sat Feb 27 22:14:18 2016 us=291086 replay_window = 64
Sat Feb 27 22:14:18 2016 us=291155 replay_time = 15
Sat Feb 27 22:14:18 2016 us=291186 packet_id_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291208 use_iv = ENABLED
Sat Feb 27 22:14:18 2016 us=291231 test_crypto = DISABLED
Sat Feb 27 22:14:18 2016 us=291253 tls_server = ENABLED
Sat Feb 27 22:14:18 2016 us=291275 tls_client = DISABLED
Sat Feb 27 22:14:18 2016 us=291299 key_method = 2
Sat Feb 27 22:14:18 2016 us=291332 ca_file = '/etc/openvpn/ca.crt'
Sat Feb 27 22:14:18 2016 us=291356 ca_path = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291379 dh_file = '/etc/openvpn/dh2048.pem'
Sat Feb 27 22:14:18 2016 us=291401 cert_file = '/etc/openvpn/archsrv.crt'
Sat Feb 27 22:14:18 2016 us=291425 extra_certs_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291448 priv_key_file = '/etc/openvpn/archsrv.key'
Sat Feb 27 22:14:18 2016 us=291470 pkcs12_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291493 cipher_list = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291515 tls_verify = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291538 tls_export_cert = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291561 verify_x509_type = 0
Sat Feb 27 22:14:18 2016 us=291583 verify_x509_name = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291605 crl_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=291629 ns_cert_type = 0
Sat Feb 27 22:14:18 2016 us=291651 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291673 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291697 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291719 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291741 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291764 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291786 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291808 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291831 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291854 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291876 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291899 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291922 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291944 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291967 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=291989 remote_cert_ku[i] = 0
Sat Feb 27 22:14:18 2016 us=292011 remote_cert_eku = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=292034 ssl_flags = 0
Sat Feb 27 22:14:18 2016 us=292057 tls_timeout = 2
Sat Feb 27 22:14:18 2016 us=292079 renegotiate_bytes = 0
Sat Feb 27 22:14:18 2016 us=292102 renegotiate_packets = 0
Sat Feb 27 22:14:18 2016 us=292125 renegotiate_seconds = 3600
Sat Feb 27 22:14:18 2016 us=292147 handshake_window = 60
Sat Feb 27 22:14:18 2016 us=292170 transition_window = 3600
Sat Feb 27 22:14:18 2016 us=292192 single_session = DISABLED
Sat Feb 27 22:14:18 2016 us=292215 push_peer_info = DISABLED
Sat Feb 27 22:14:18 2016 us=292237 tls_exit = DISABLED
Sat Feb 27 22:14:18 2016 us=292259 tls_auth_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=292285 server_network = 10.8.0.0
Sat Feb 27 22:14:18 2016 us=292309 server_netmask = 255.255.255.0
Sat Feb 27 22:14:18 2016 us=292338 server_network_ipv6 = ::
Sat Feb 27 22:14:18 2016 us=292362 server_netbits_ipv6 = 0
Sat Feb 27 22:14:18 2016 us=292387 server_bridge_ip = 0.0.0.0
Sat Feb 27 22:14:18 2016 us=292412 server_bridge_netmask = 0.0.0.0
Sat Feb 27 22:14:18 2016 us=292437 server_bridge_pool_start = 0.0.0.0
Sat Feb 27 22:14:18 2016 us=292463 server_bridge_pool_end = 0.0.0.0
Sat Feb 27 22:14:18 2016 us=292486 push_entry = 'redirect-gateway def1 bypass-dhcp'
Sat Feb 27 22:14:18 2016 us=292510 push_entry = 'dhcp-option DNS 10.8.0.1'
Sat Feb 27 22:14:18 2016 us=292532 push_entry = 'route 10.8.0.1'
Sat Feb 27 22:14:18 2016 us=292554 push_entry = 'topology net30'
Sat Feb 27 22:14:18 2016 us=292578 push_entry = 'ping 10'
Sat Feb 27 22:14:18 2016 us=292600 push_entry = 'ping-restart 120'
Sat Feb 27 22:14:18 2016 us=292623 ifconfig_pool_defined = ENABLED
Sat Feb 27 22:14:18 2016 us=292648 ifconfig_pool_start = 10.8.0.4
Sat Feb 27 22:14:18 2016 us=292673 ifconfig_pool_end = 10.8.0.251
Sat Feb 27 22:14:18 2016 us=292699 ifconfig_pool_netmask = 0.0.0.0
Sat Feb 27 22:14:18 2016 us=292721 ifconfig_pool_persist_filename = 'ipp.txt'
Sat Feb 27 22:14:18 2016 us=292745 ifconfig_pool_persist_refresh_freq = 600
Sat Feb 27 22:14:18 2016 us=292768 ifconfig_ipv6_pool_defined = DISABLED
Sat Feb 27 22:14:18 2016 us=292793 ifconfig_ipv6_pool_base = ::
Sat Feb 27 22:14:18 2016 us=292825 ifconfig_ipv6_pool_netbits = 0
Sat Feb 27 22:14:18 2016 us=292849 n_bcast_buf = 256
Sat Feb 27 22:14:18 2016 us=292871 tcp_queue_limit = 64
Sat Feb 27 22:14:18 2016 us=292895 real_hash_size = 256
Sat Feb 27 22:14:18 2016 us=292918 virtual_hash_size = 256
Sat Feb 27 22:14:18 2016 us=292940 client_connect_script = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=292963 learn_address_script = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=292986 client_disconnect_script = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=293009 client_config_dir = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=293032 ccd_exclusive = DISABLED
Sat Feb 27 22:14:18 2016 us=293054 tmp_dir = '/tmp'
Sat Feb 27 22:14:18 2016 us=293077 push_ifconfig_defined = DISABLED
Sat Feb 27 22:14:18 2016 us=293102 push_ifconfig_local = 0.0.0.0
Sat Feb 27 22:14:18 2016 us=293127 push_ifconfig_remote_netmask = 0.0.0.0
Sat Feb 27 22:14:18 2016 us=293149 push_ifconfig_ipv6_defined = DISABLED
Sat Feb 27 22:14:18 2016 us=293174 push_ifconfig_ipv6_local = ::/0
Sat Feb 27 22:14:18 2016 us=293198 push_ifconfig_ipv6_remote = ::
Sat Feb 27 22:14:18 2016 us=293220 enable_c2c = DISABLED
Sat Feb 27 22:14:18 2016 us=293244 duplicate_cn = DISABLED
Sat Feb 27 22:14:18 2016 us=293266 cf_max = 0
Sat Feb 27 22:14:18 2016 us=293289 cf_per = 0
Sat Feb 27 22:14:18 2016 us=293312 max_clients = 1024
Sat Feb 27 22:14:18 2016 us=293335 max_routes_per_client = 256
Sat Feb 27 22:14:18 2016 us=293357 auth_user_pass_verify_script = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=293381 auth_user_pass_verify_script_via_file = DISABLED
Sat Feb 27 22:14:18 2016 us=293404 port_share_host = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=293426 port_share_port = 0
Sat Feb 27 22:14:18 2016 us=293450 client = DISABLED
Sat Feb 27 22:14:18 2016 us=293472 pull = DISABLED
Sat Feb 27 22:14:18 2016 us=293495 auth_user_pass_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=293520 OpenVPN 2.3.9 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 3 2016
Sat Feb 27 22:14:18 2016 us=293555 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Sat Feb 27 22:14:18 2016 us=293756 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Feb 27 22:14:18 2016 us=294221 Diffie-Hellman initialized with 2048 bit key
Sat Feb 27 22:14:18 2016 us=294970 PRNG init md=SHA1 size=36
Sat Feb 27 22:14:18 2016 us=295012 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Sat Feb 27 22:14:18 2016 us=295044 TLS-Auth MTU parms [ L:1541 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Feb 27 22:14:18 2016 us=295068 MTU DYNAMIC mtu=1450, flags=2, 1541 -> 1450
Sat Feb 27 22:14:18 2016 us=295103 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Feb 27 22:14:18 2016 us=295250 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp2s8 HWADDR=00:13:d4:d0:db:1e
Sat Feb 27 22:14:18 2016 us=296096 TUN/TAP device tun0 opened
Sat Feb 27 22:14:18 2016 us=296158 TUN/TAP TX queue length set to 100
Sat Feb 27 22:14:18 2016 us=296206 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Feb 27 22:14:18 2016 us=296280 /usr/bin/ip link set dev tun0 up mtu 1500
Sat Feb 27 22:14:18 2016 us=298557 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sat Feb 27 22:14:18 2016 us=300802 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Sat Feb 27 22:14:18 2016 us=304478 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:12 ET:0 EL:3 ]
Sat Feb 27 22:14:18 2016 us=304559 UDPv4 link local (bound): [undef]
Sat Feb 27 22:14:18 2016 us=304597 UDPv4 link remote: [undef]
Sat Feb 27 22:14:18 2016 us=304639 MULTI: multi_init called, r=256 v=256
Sat Feb 27 22:14:18 2016 us=304725 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat Feb 27 22:14:18 2016 us=304779 ifconfig_pool_read(), in='client,10.8.0.4', TODO: IPv6
Sat Feb 27 22:14:18 2016 us=304817 succeeded -> ifconfig_pool_set()
Sat Feb 27 22:14:18 2016 us=304877 IFCONFIG POOL LIST
Sat Feb 27 22:14:18 2016 us=304913 client,10.8.0.4
Sat Feb 27 22:14:18 2016 us=304967 PO_INIT maxevents=4 flags=0x00000002
Sat Feb 27 22:14:18 2016 us=305019 Initialization Sequence Completed
Sat Feb 27 22:14:18 2016 us=305053 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:14:18 2016 us=305087 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:14:18 2016 us=305122 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:14:18 2016 us=305163 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:14:28 2016 us=315233 event_wait returned 0
Sat Feb 27 22:14:28 2016 us=315299 I/O WAIT status=0x0020
Sat Feb 27 22:14:28 2016 us=315326 MULTI: REAP range 0 -> 16
Sat Feb 27 22:14:28 2016 us=315512 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:14:28 2016 us=315537 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:14:28 2016 us=315560 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:14:28 2016 us=315588 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:14:38 2016 us=325639 event_wait returned 0
Sat Feb 27 22:14:38 2016 us=325702 I/O WAIT status=0x0020
Sat Feb 27 22:14:38 2016 us=325728 MULTI: REAP range 16 -> 32
Sat Feb 27 22:14:38 2016 us=325752 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:14:38 2016 us=325777 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:14:38 2016 us=325799 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:14:38 2016 us=325827 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:14:48 2016 us=335878 event_wait returned 0
Sat Feb 27 22:14:48 2016 us=335939 I/O WAIT status=0x0020
Sat Feb 27 22:14:48 2016 us=335966 MULTI: REAP range 32 -> 48
Sat Feb 27 22:14:48 2016 us=335989 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:14:48 2016 us=336013 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:14:48 2016 us=336036 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:14:48 2016 us=336064 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:14:58 2016 us=346114 event_wait returned 0
Sat Feb 27 22:14:58 2016 us=346179 I/O WAIT status=0x0020
Sat Feb 27 22:14:58 2016 us=346207 MULTI: REAP range 48 -> 64
Sat Feb 27 22:14:58 2016 us=346232 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:14:58 2016 us=346257 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:14:58 2016 us=346280 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:14:58 2016 us=346309 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:15:08 2016 us=356361 event_wait returned 0
Sat Feb 27 22:15:08 2016 us=356427 I/O WAIT status=0x0020
Sat Feb 27 22:15:08 2016 us=356455 MULTI: REAP range 64 -> 80
Sat Feb 27 22:15:08 2016 us=356481 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:15:08 2016 us=356506 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:15:08 2016 us=356531 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:15:08 2016 us=356560 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:15:18 2016 us=366611 event_wait returned 0
Sat Feb 27 22:15:18 2016 us=366672 I/O WAIT status=0x0020
Sat Feb 27 22:15:18 2016 us=366699 MULTI: REAP range 80 -> 96
Sat Feb 27 22:15:18 2016 us=366724 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:15:18 2016 us=366749 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:15:18 2016 us=366772 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:15:18 2016 us=366801 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:15:28 2016 us=376852 event_wait returned 0
Sat Feb 27 22:15:28 2016 us=376914 I/O WAIT status=0x0020
Sat Feb 27 22:15:28 2016 us=376940 MULTI: REAP range 96 -> 112
Sat Feb 27 22:15:28 2016 us=377059 SCHEDULE: schedule_find_least NULL
Sat Feb 27 22:15:28 2016 us=377086 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:15:28 2016 us=377110 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:15:28 2016 us=377138 I/O WAIT TR|Tw|SR|Sw [10/0]
Sat Feb 27 22:15:36 2016 us=290521 PO_WAIT[0,0] fd=5 rev=0x00000001 rwflags=0x0001 arg=0x080ff608
Sat Feb 27 22:15:36 2016 us=290588 event_wait returned 1
Sat Feb 27 22:15:36 2016 us=290615 I/O WAIT status=0x0001
Sat Feb 27 22:15:36 2016 us=290639 MULTI: REAP range 112 -> 128
Sat Feb 27 22:15:36 2016 us=290679 UDPv4 read returned 14
Sat Feb 27 22:15:36 2016 us=290722 MULTI: multi_create_instance called
Sat Feb 27 22:15:36 2016 us=290785 ***.***.***.***:11324 Re-using SSL/TLS context
Sat Feb 27 22:15:36 2016 us=290811 ***.***.***.***:11324 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Sat Feb 27 22:15:36 2016 us=290839 ***.***.***.***:11324 TLS: tls_session_init: entry
Sat Feb 27 22:15:36 2016 us=290872 ***.***.***.***:11324 PID packet_id_init tcp_mode=0 seq_backtrack=64 time_backtrack=15
Sat Feb 27 22:15:36 2016 us=290983 ***.***.***.***:11324 PID packet_id_init tcp_mode=0 seq_backtrack=64 time_backtrack=15
Sat Feb 27 22:15:36 2016 us=291009 ***.***.***.***:11324 TLS: tls_session_init: new session object, sid=0d3e4041 45eb75dd
Sat Feb 27 22:15:36 2016 us=291031 ***.***.***.***:11324 TLS: tls_session_init: entry
Sat Feb 27 22:15:36 2016 us=291056 ***.***.***.***:11324 PID packet_id_init tcp_mode=0 seq_backtrack=64 time_backtrack=15
Sat Feb 27 22:15:36 2016 us=291173 ***.***.***.***:11324 PID packet_id_init tcp_mode=0 seq_backtrack=64 time_backtrack=15
Sat Feb 27 22:15:36 2016 us=291203 ***.***.***.***:11324 TLS: tls_session_init: new session object, sid=00120bff cfe4179c
Sat Feb 27 22:15:36 2016 us=291231 ***.***.***.***:11324 Control Channel MTU parms [ L:1541 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Feb 27 22:15:36 2016 us=291253 ***.***.***.***:11324 MTU DYNAMIC mtu=1450, flags=2, 1541 -> 1450
Sat Feb 27 22:15:36 2016 us=291279 ***.***.***.***:11324 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:12 ET:0 EL:3 ]
Sat Feb 27 22:15:36 2016 us=291337 ***.***.***.***:11324 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Feb 27 22:15:36 2016 us=291360 ***.***.***.***:11324 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Feb 27 22:15:36 2016 us=291397 ***.***.***.***:11324 Local Options hash (VER=V4): '239669a8'
Sat Feb 27 22:15:36 2016 us=291430 ***.***.***.***:11324 Expected Remote Options hash (VER=V4): '3514370b'
Sat Feb 27 22:15:36 2016 us=291458 ***.***.***.***:11324 SENT PING
Sat Feb 27 22:15:36 2016 us=291480 ***.***.***.***:11324 TIMER: coarse timer wakeup 1 seconds
Sat Feb 27 22:15:36 2016 us=291519 ***.***.***.***:11324 TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=0d3e4041 45eb75dd, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=291549 ***.***.***.***:11324 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=00120bff cfe4179c, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=291580 ***.***.***.***:11324 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=291608 ***.***.***.***:11324 RANDOM USEC=75565
Sat Feb 27 22:15:36 2016 us=291642 ***.***.***.***:11324 SCHEDULE: schedule_add_modify wakeup=[Sat Feb 27 22:15:37 2016 us=367192] pri=0
Sat Feb 27 22:15:36 2016 us=291671 ***.***.***.***:11324 GET INST BY REAL: 62.140.137.125:11324 [created]
Sat Feb 27 22:15:36 2016 us=291708 ***.***.***.***:11324 UDPv4 READ [14] from [AF_INET]62.140.137.125:11324: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=996ad152 a793e64e [ ] pid=0 DATA
Sat Feb 27 22:15:36 2016 us=291734 ***.***.***.***:11324 TLS: control channel, op=P_CONTROL_HARD_RESET_CLIENT_V2, IP=[AF_INET]62.140.137.125:11324
Sat Feb 27 22:15:36 2016 us=291773 ***.***.***.***:11324 TLS: initial packet test, i=0 state=S_INITIAL, mysid=0d3e4041 45eb75dd, rec-sid=996ad152 a793e64e, rec-ip=[AF_INET]62.140.137.125:11324, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=291816 ***.***.***.***:11324 TLS: initial packet test, i=1 state=S_INITIAL, mysid=00120bff cfe4179c, rec-sid=996ad152 a793e64e, rec-ip=[AF_INET]***.***.***.***:11324, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=291855 ***.***.***.***:11324 TLS: initial packet test, i=2 state=S_UNDEF, mysid=00000000 00000000, rec-sid=996ad152 a793e64e, rec-ip=[AF_INET]***.***.***.***:11324, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=291896 ***.***.***.***:11324 TLS: Initial packet from [AF_INET]***.***.***.***:11324, sid=996ad152 a793e64e
Sat Feb 27 22:15:36 2016 us=291922 ***.***.***.***:11324 TLS: received control channel packet s#=0 sid=996ad152 a793e64e
Sat Feb 27 22:15:36 2016 us=291944 ***.***.***.***:11324 ACK reliable_schedule_now
Sat Feb 27 22:15:36 2016 us=291967 ***.***.***.***:11324 ACK read ID 0 (buf->len=0)
Sat Feb 27 22:15:36 2016 us=291990 ***.***.***.***:11324 ACK RWBS rel->size=8 rel->packet_id=00000000 id=00000000 ret=1
Sat Feb 27 22:15:36 2016 us=292012 ***.***.***.***:11324 ACK mark active incoming ID 0
Sat Feb 27 22:15:36 2016 us=292033 ***.***.***.***:11324 ACK acknowledge ID 0 (ack->len=1)
Sat Feb 27 22:15:36 2016 us=292073 ***.***.***.***:11324 TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=0d3e4041 45eb75dd, stored-sid=996ad152 a793e64e, stored-ip=[AF_INET]62.140.137.125:11324
Sat Feb 27 22:15:36 2016 us=292097 ***.***.***.***:11324 TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800
Sat Feb 27 22:15:36 2016 us=292120 ***.***.***.***:11324 ACK mark active outgoing ID 0
Sat Feb 27 22:15:36 2016 us=292145 ***.***.***.***:11324 TLS: Initial Handshake, sid=0d3e4041 45eb75dd
Sat Feb 27 22:15:36 2016 us=292170 ***.***.***.***:11324 ACK reliable_can_send active=1 current=1 : [1] 0
Sat Feb 27 22:15:36 2016 us=292193 ***.***.***.***:11324 ACK reliable_send ID 0 (size=4 to=2)
Sat Feb 27 22:15:36 2016 us=292215 ***.***.***.***:11324 ACK write ID 0 (ack->len=1, n=1)
Sat Feb 27 22:15:36 2016 us=292237 ***.***.***.***:11324 Reliable -> TCP/UDP
Sat Feb 27 22:15:36 2016 us=292261 ***.***.***.***:11324 ACK reliable_send_timeout 2 [1] 0
Sat Feb 27 22:15:36 2016 us=292283 ***.***.***.***:11324 TLS: tls_process: timeout set to 2
Sat Feb 27 22:15:36 2016 us=292315 ***.***.***.***:11324 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=00120bff cfe4179c, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=292346 ***.***.***.***:11324 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=292383 SCHEDULE: schedule_find_least wakeup=[Sat Feb 27 22:15:37 2016 us=367192] pri=945732764
Sat Feb 27 22:15:36 2016 us=292407 PO_CTL rwflags=0x0002 ev=5 arg=0x080ff608
Sat Feb 27 22:15:36 2016 us=292429 PO_CTL rwflags=0x0000 ev=6 arg=0x080ff568
Sat Feb 27 22:15:36 2016 us=292456 I/O WAIT Tr|Tw|Sr|SW [1/74790]
Sat Feb 27 22:15:36 2016 us=292483 PO_WAIT[0,0] fd=5 rev=0x00000004 rwflags=0x0002 arg=0x080ff608
Sat Feb 27 22:15:36 2016 us=292505 event_wait returned 1
Sat Feb 27 22:15:36 2016 us=292526 I/O WAIT status=0x0002
Sat Feb 27 22:15:36 2016 us=292565 ***.***.***.***:11324 UDPv4 WRITE [26] to [AF_INET]***.***.***.***:11324: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=0d3e4041 45eb75dd [ 0 sid=996ad152 a793e64e ] pid=0 DATA
Sat Feb 27 22:15:36 2016 us=292623 ***.***.***.***:11324 UDPv4 write returned 26
Sat Feb 27 22:15:36 2016 us=292660 ***.***.***.***:11324 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=0d3e4041 45eb75dd, stored-sid=996ad152 a793e64e, stored-ip=[AF_INET]***.***.***.***:11324
Sat Feb 27 22:15:36 2016 us=292684 ***.***.***.***:11324 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Sat Feb 27 22:15:36 2016 us=292708 ***.***.***.***:11324 ACK reliable_can_send active=1 current=0 : [1] 0
Sat Feb 27 22:15:36 2016 us=292729 ***.***.***.***:11324 Incoming Ciphertext -> TLS
Sat Feb 27 22:15:36 2016 us=292799 ***.***.***.***:11324 SSL state (accept): before/accept initialization
Sat Feb 27 22:15:36 2016 us=292850 ***.***.***.***:11324 TLS: tls_process: chg=1 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Sat Feb 27 22:15:36 2016 us=292875 ***.***.***.***:11324 ACK reliable_can_send active=1 current=0 : [1] 0
Sat Feb 27 22:15:36 2016 us=292905 ***.***.***.***:11324 ACK reliable_send_timeout 2 [1] 0
Sat Feb 27 22:15:36 2016 us=292927 ***.***.***.***:11324 TLS: tls_process: timeout set to 2
Sat Feb 27 22:15:36 2016 us=292970 ***.***.***.***:11324 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=00120bff cfe4179c, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=293002 62.140.137.125:11324 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
Sat Feb 27 22:15:36 2016 us=293029 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:15:36 2016 us=293051 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:15:36 2016 us=293077 I/O WAIT TR|Tw|SR|Sw [1/74169]
Sat Feb 27 22:15:36 2016 us=340974 PO_WAIT[0,0] fd=5 rev=0x00000001 rwflags=0x0001 arg=0x080ff608
Sat Feb 27 22:15:36 2016 us=341004 event_wait returned 1
Sat Feb 27 22:15:36 2016 us=341035 I/O WAIT status=0x0001
Sat Feb 27 22:15:36 2016 us=341061 UDPv4 read returned 26
Server verbosity mode 9 log that I truncated at the end:
Sat Feb 27 22:16:04 2016 us=642645 I/O WAIT status=0x0001
Sat Feb 27 22:16:04 2016 us=642670 UDPv4 read returned 101
Sat Feb 27 22:16:04 2016 us=642696 GET INST BY REAL: ***.***.***.***:11324 [succeeded]
Sat Feb 27 22:16:04 2016 us=642769 client/***.***.***.***:11324 UDPv4 READ [101] from [AF_INET]***.***.***.***:11324: P_DATA_V1 kid=0 DATA 6e6c6d18 1e070da1 21c927da 524d47ba c9cf26a3 cf1bf258 15ed4cc8 0ba2642[more...]
Sat Feb 27 22:16:04 2016 us=642796 client/***.***.***.***:11324 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]***.***.***.***:11324
Sat Feb 27 22:16:04 2016 us=642825 client/***.***.***.***:11324 DECRYPT IV: cf1bf258 15ed4cc8
Sat Feb 27 22:16:04 2016 us=642882 client/***.***.***.***:11324 DECRYPT TO: 00000065 45000041 288f4000 4011fe06 0a080006 0a080001 30470035 002d42a[more...]
Sat Feb 27 22:16:04 2016 us=642925 client/***.***.***.***:11324 PID_TEST [0] [SSL-0] [00000000111111111111555555556666666666666>>>>>>>>>>>>>>>>>>>>>>>] 0:100 0:101 t=1456607764[0] r=[0,64,15,0,1] sl=[28,64,64,272]
Sat Feb 27 22:16:04 2016 us=642959 client/***.***.***.***:11324 GET INST BY VIRT: 10.8.0.6 -> client/***.***.***.***:11324 via 10.8.0.6
Sat Feb 27 22:16:04 2016 us=642984 PO_CTL rwflags=0x0000 ev=5 arg=0x080ff608
Sat Feb 27 22:16:04 2016 us=643008 PO_CTL rwflags=0x0002 ev=6 arg=0x080ff568
Sat Feb 27 22:16:04 2016 us=643035 I/O WAIT Tr|TW|Sr|Sw [4/106108]
Sat Feb 27 22:16:04 2016 us=643062 PO_WAIT[1,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x080ff568
Sat Feb 27 22:16:04 2016 us=643084 event_wait returned 1
Sat Feb 27 22:16:04 2016 us=643107 I/O WAIT status=0x0008
Sat Feb 27 22:16:04 2016 us=643129 client/***.***.***.***:11324 TUN WRITE [65]
Sat Feb 27 22:16:04 2016 us=643167 client/***.***.***.***:11324 write to TUN/TAP returned 65
Sat Feb 27 22:16:04 2016 us=643192 PO_CTL rwflags=0x0001 ev=5 arg=0x080ff608
Sat Feb 27 22:16:04 2016 us=643215 PO_CTL rwflags=0x0001 ev=6 arg=0x080ff568
Sat Feb 27 22:16:04 2016 us=643241 I/O WAIT TR|Tw|SR|Sw [4/106108]
Sat Feb 27 22:16:05 2016 us=155452 event_wait returned -1
Last edited by Xenios (2016-04-14 14:47:56)
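The "Current Parameter Settings" dump in the post above can be checked mechanically for hardening-relevant settings. The following is an added example, not part of the original post or of OpenVPN itself; the rule set and the names `parse_settings`, `audit` and `RULES` are assumptions made for illustration, and the sample lines are copied from the server log above.

```python
import re

# Excerpt of the server's parameter dump, copied from the log in the post above.
SAMPLE_LOG = """\
Sat Feb 27 22:14:18 2016 us=289707 username = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289731 groupname = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=289752 chroot_dir = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=290047 verbosity = 9
Sat Feb 27 22:14:18 2016 us=290884 ciphername = 'BF-CBC'
Sat Feb 27 22:14:18 2016 us=290929 authname = 'SHA1'
Sat Feb 27 22:14:18 2016 us=291605 crl_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=292259 tls_auth_file = '[UNDEF]'
Sat Feb 27 22:14:18 2016 us=292486 push_entry = 'redirect-gateway def1 bypass-dhcp'
Sat Feb 27 22:14:18 2016 us=292510 push_entry = 'dhcp-option DNS 10.8.0.1'
Sat Feb 27 22:14:18 2016 us=293244 duplicate_cn = DISABLED
Sat Feb 27 22:15:36 2016 us=291458 ***.***.***.***:11324 SENT PING
"""

# A dump line is "<timestamp> us=<usec> <name> = <value>"; runtime messages
# (client prefixes, "TLS: ..." lines) do not have this shape and are skipped.
PARAM_RE = re.compile(r"us=\d+\s+([A-Za-z_][\w\[\]]*) = (.*)$")

UNDEF = "[UNDEF]"
# OpenSSL cipher-name prefixes of ciphers with a 64-bit block size.
BLOCK64_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")

# (setting name, predicate on its value, reason). Illustrative rule set only.
RULES = [
    ("ciphername", lambda v: v.upper().startswith(BLOCK64_PREFIXES),
     "64-bit block cipher on the data channel; prefer a 128-bit block cipher such as AES"),
    ("tls_auth_file", lambda v: v == UNDEF,
     "no tls-auth key: unauthenticated packets reach the TLS handshake"),
    ("username", lambda v: v == UNDEF,
     "no 'user' option: the daemon keeps the privileges it was started with"),
    ("groupname", lambda v: v == UNDEF,
     "no 'group' option: the daemon keeps the group it was started with"),
    ("crl_file", lambda v: v == UNDEF,
     "no crl-verify: revoked client certificates are still accepted"),
    ("duplicate_cn", lambda v: v == "ENABLED",
     "several clients may connect with the same certificate"),
    ("verbosity", lambda v: v.isdigit() and int(v) >= 9,
     "debug verbosity: decrypted packet bytes (DECRYPT TO) are written to the log"),
]


def parse_settings(log_text):
    """Return {name: [values...]}; names such as push_entry repeat in the dump."""
    settings = {}
    for line in log_text.splitlines():
        match = PARAM_RE.search(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip()
        # String settings are printed inside single quotes; strip them.
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        settings.setdefault(name, []).append(value)
    return settings


def audit(settings):
    """Apply RULES to the settings present in the dump.

    Settings missing from a partial dump are not reported, so a truncated
    log does not produce false findings.
    """
    findings = []
    for name, is_weak, reason in RULES:
        for value in settings.get(name, []):
            if is_weak(value):
                findings.append((name, value, reason))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(parse_settings(SAMPLE_LOG)):
        print(f"{name} = {value}: {reason}")
```

Against the full server log, save it to a file and pass its contents to `parse_settings`; the redacted client lines are ignored by the parser.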