Hi,
I need help please
How do I solve this?
* Server *
Operating system:
[root@serverVPN openvpn]# uname -a
Linux serverVPN 3.10.0-514.26.1.el7.x86_64 #1 SMP Thu Jun 29 16:05:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Network setup:
[root@serverVPN openvpn]# ifconfig
enp30s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.229 netmask 255.255.255.0 broadcast 192.168.1.255
ether 1c:c1:de:fa:cc:46 txqueuelen 1000 (Ethernet)
RX packets 62973 bytes 4818326 (4.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17121 bytes 2580059 (2.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
server.conf
# server.conf — OpenVPN server configuration as posted (CentOS 7, OpenVPN 2.4.3 per the log).
port 1194
proto udp
dev tun
# PKI material generated with easy-rsa 2.0. The private key should stay readable only by the
# account that starts openvpn (root here, before the privilege drop below).
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/serverVPN.crt
key /etc/openvpn/easy-rsa/2.0/keys/serverVPN.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
# VPN subnet; the log shows the pool starting at 10.8.0.4 with net30 topology pushed to clients.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route to the server LAN. The log's NOTE about the "extremely common subnet" 192.168.1.x refers
# to this: clients on a LAN with the same subnet will get a routing conflict.
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
# Lets connected clients reach each other through the server (enable_c2c = ENABLED in the log).
client-to-client
keepalive 10 120
# NOTE(review): no tls-auth/tls-crypt is configured (tls_auth_file and tls_crypt_file are [UNDEF]
# in the log), so the control channel carries no pre-shared HMAC; consider adding one on both sides.
cipher AES-256-CBC
# NOTE(review): data-channel compression is generally discouraged on security grounds in newer
# OpenVPN documentation; keep it only if needed, and keep it consistent with the client.
comp-lzo
max-clients 10
# Privileges are dropped to nobody after startup ("UID set to nobody" in the log). This is most
# likely why the "ip route del" / "ip addr del" cleanup at shutdown reports
# "RTNETLINK answers: Operation not permitted": the route and address were added as root before
# the drop, and the unprivileged process cannot remove them. That error appears only on exit
# (after the SIGINT) and is unlikely to be the reason the client cannot connect.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/config---.log
verb 4
Server log (at --verb 4)
Sun Jul 16 14:24:48 2017 us=837542 Current Parameter Settings:
Sun Jul 16 14:24:48 2017 us=837659 config = 'server.conf'
Sun Jul 16 14:24:48 2017 us=837683 mode = 1
Sun Jul 16 14:24:48 2017 us=837700 persist_config = DISABLED
Sun Jul 16 14:24:48 2017 us=837715 persist_mode = 1
Sun Jul 16 14:24:48 2017 us=837731 show_ciphers = DISABLED
Sun Jul 16 14:24:48 2017 us=837746 show_digests = DISABLED
Sun Jul 16 14:24:48 2017 us=837761 show_engines = DISABLED
Sun Jul 16 14:24:48 2017 us=837777 genkey = DISABLED
Sun Jul 16 14:24:48 2017 us=837792 key_pass_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=837808 show_tls_ciphers = DISABLED
Sun Jul 16 14:24:48 2017 us=837824 connect_retry_max = 0
Sun Jul 16 14:24:48 2017 us=837839 Connection profiles [0]:
Sun Jul 16 14:24:48 2017 us=837855 proto = udp
Sun Jul 16 14:24:48 2017 us=837871 local = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=837886 local_port = '1194'
Sun Jul 16 14:24:48 2017 us=837902 remote = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=837917 remote_port = '1194'
Sun Jul 16 14:24:48 2017 us=837932 remote_float = DISABLED
Sun Jul 16 14:24:48 2017 us=837947 bind_defined = DISABLED
Sun Jul 16 14:24:48 2017 us=837962 bind_local = ENABLED
Sun Jul 16 14:24:48 2017 us=837977 bind_ipv6_only = DISABLED
Sun Jul 16 14:24:48 2017 us=837993 connect_retry_seconds = 5
Sun Jul 16 14:24:48 2017 us=838008 connect_timeout = 120
Sun Jul 16 14:24:48 2017 us=838023 socks_proxy_server = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838039 socks_proxy_port = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838054 tun_mtu = 1500
Sun Jul 16 14:24:48 2017 us=838069 tun_mtu_defined = ENABLED
Sun Jul 16 14:24:48 2017 us=838085 link_mtu = 1500
Sun Jul 16 14:24:48 2017 us=838100 link_mtu_defined = DISABLED
Sun Jul 16 14:24:48 2017 us=838115 tun_mtu_extra = 0
Sun Jul 16 14:24:48 2017 us=838130 tun_mtu_extra_defined = DISABLED
Sun Jul 16 14:24:48 2017 us=838145 mtu_discover_type = -1
Sun Jul 16 14:24:48 2017 us=838165 fragment = 0
Sun Jul 16 14:24:48 2017 us=838181 mssfix = 1450
Sun Jul 16 14:24:48 2017 us=838199 explicit_exit_notification = 0
Sun Jul 16 14:24:48 2017 us=838215 Connection profiles END
Sun Jul 16 14:24:48 2017 us=838230 remote_random = DISABLED
Sun Jul 16 14:24:48 2017 us=838264 ipchange = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838282 dev = 'tun'
Sun Jul 16 14:24:48 2017 us=838298 dev_type = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838313 dev_node = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838328 lladdr = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838344 topology = 1
Sun Jul 16 14:24:48 2017 us=838359 ifconfig_local = '10.8.0.1'
Sun Jul 16 14:24:48 2017 us=838375 ifconfig_remote_netmask = '10.8.0.2'
Sun Jul 16 14:24:48 2017 us=838390 ifconfig_noexec = DISABLED
Sun Jul 16 14:24:48 2017 us=838405 ifconfig_nowarn = DISABLED
Sun Jul 16 14:24:48 2017 us=838420 ifconfig_ipv6_local = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838436 ifconfig_ipv6_netbits = 0
Sun Jul 16 14:24:48 2017 us=838451 ifconfig_ipv6_remote = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838466 shaper = 0
Sun Jul 16 14:24:48 2017 us=838481 mtu_test = 0
Sun Jul 16 14:24:48 2017 us=838497 mlock = DISABLED
Sun Jul 16 14:24:48 2017 us=838512 keepalive_ping = 10
Sun Jul 16 14:24:48 2017 us=838528 keepalive_timeout = 120
Sun Jul 16 14:24:48 2017 us=838543 inactivity_timeout = 0
Sun Jul 16 14:24:48 2017 us=838558 ping_send_timeout = 10
Sun Jul 16 14:24:48 2017 us=838573 ping_rec_timeout = 240
Sun Jul 16 14:24:48 2017 us=838589 ping_rec_timeout_action = 2
Sun Jul 16 14:24:48 2017 us=838604 ping_timer_remote = DISABLED
Sun Jul 16 14:24:48 2017 us=838619 remap_sigusr1 = 0
Sun Jul 16 14:24:48 2017 us=838634 persist_tun = ENABLED
Sun Jul 16 14:24:48 2017 us=838650 persist_local_ip = DISABLED
Sun Jul 16 14:24:48 2017 us=838665 persist_remote_ip = DISABLED
Sun Jul 16 14:24:48 2017 us=838680 persist_key = ENABLED
Sun Jul 16 14:24:48 2017 us=838695 passtos = DISABLED
Sun Jul 16 14:24:48 2017 us=838711 resolve_retry_seconds = 1000000000
Sun Jul 16 14:24:48 2017 us=838726 resolve_in_advance = DISABLED
Sun Jul 16 14:24:48 2017 us=838751 username = 'nobody'
Sun Jul 16 14:24:48 2017 us=838769 groupname = 'nobody'
Sun Jul 16 14:24:48 2017 us=838784 chroot_dir = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838799 cd_dir = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838814 selinux_context = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838829 writepid = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838844 up_script = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838859 down_script = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=838875 down_pre = DISABLED
Sun Jul 16 14:24:48 2017 us=838890 up_restart = DISABLED
Sun Jul 16 14:24:48 2017 us=838905 up_delay = DISABLED
Sun Jul 16 14:24:48 2017 us=838920 daemon = DISABLED
Sun Jul 16 14:24:48 2017 us=838935 inetd = 0
Sun Jul 16 14:24:48 2017 us=838950 log = ENABLED
Sun Jul 16 14:24:48 2017 us=838965 suppress_timestamps = DISABLED
Sun Jul 16 14:24:48 2017 us=838980 machine_readable_output = DISABLED
Sun Jul 16 14:24:48 2017 us=838996 nice = 0
Sun Jul 16 14:24:48 2017 us=839011 verbosity = 4
Sun Jul 16 14:24:48 2017 us=839026 mute = 0
Sun Jul 16 14:24:48 2017 us=839041 gremlin = 0
Sun Jul 16 14:24:48 2017 us=839056 status_file = 'openvpn-status.log'
Sun Jul 16 14:24:48 2017 us=839071 status_file_version = 1
Sun Jul 16 14:24:48 2017 us=839086 status_file_update_freq = 60
Sun Jul 16 14:24:48 2017 us=839102 occ = ENABLED
Sun Jul 16 14:24:48 2017 us=839117 rcvbuf = 0
Sun Jul 16 14:24:48 2017 us=839132 sndbuf = 0
Sun Jul 16 14:24:48 2017 us=839147 mark = 0
Sun Jul 16 14:24:48 2017 us=839162 sockflags = 0
Sun Jul 16 14:24:48 2017 us=839177 fast_io = DISABLED
Sun Jul 16 14:24:48 2017 us=839211 comp.alg = 2
Sun Jul 16 14:24:48 2017 us=839229 comp.flags = 1
Sun Jul 16 14:24:48 2017 us=839245 route_script = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839260 route_default_gateway = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839276 route_default_metric = 0
Sun Jul 16 14:24:48 2017 us=839291 route_noexec = DISABLED
Sun Jul 16 14:24:48 2017 us=839307 route_delay = 0
Sun Jul 16 14:24:48 2017 us=839322 route_delay_window = 30
Sun Jul 16 14:24:48 2017 us=839337 route_delay_defined = DISABLED
Sun Jul 16 14:24:48 2017 us=839353 route_nopull = DISABLED
Sun Jul 16 14:24:48 2017 us=839369 route_gateway_via_dhcp = DISABLED
Sun Jul 16 14:24:48 2017 us=839384 allow_pull_fqdn = DISABLED
Sun Jul 16 14:24:48 2017 us=839401 route 10.8.0.0/255.255.255.0/default (not set)/default (not set)
Sun Jul 16 14:24:48 2017 us=839417 management_addr = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839432 management_port = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839448 management_user_pass = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839463 management_log_history_cache = 250
Sun Jul 16 14:24:48 2017 us=839479 management_echo_buffer_size = 100
Sun Jul 16 14:24:48 2017 us=839495 management_write_peer_info_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839510 management_client_user = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839525 management_client_group = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839541 management_flags = 0
Sun Jul 16 14:24:48 2017 us=839556 shared_secret_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839572 key_direction = 0
Sun Jul 16 14:24:48 2017 us=839588 ciphername = 'AES-256-CBC'
Sun Jul 16 14:24:48 2017 us=839604 ncp_enabled = ENABLED
Sun Jul 16 14:24:48 2017 us=839619 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sun Jul 16 14:24:48 2017 us=839635 authname = 'SHA1'
Sun Jul 16 14:24:48 2017 us=839650 prng_hash = 'SHA1'
Sun Jul 16 14:24:48 2017 us=839665 prng_nonce_secret_len = 16
Sun Jul 16 14:24:48 2017 us=839681 keysize = 0
Sun Jul 16 14:24:48 2017 us=839696 engine = DISABLED
Sun Jul 16 14:24:48 2017 us=839711 replay = ENABLED
Sun Jul 16 14:24:48 2017 us=839726 mute_replay_warnings = DISABLED
Sun Jul 16 14:24:48 2017 us=839742 replay_window = 64
Sun Jul 16 14:24:48 2017 us=839757 replay_time = 15
Sun Jul 16 14:24:48 2017 us=839773 packet_id_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839788 use_iv = ENABLED
Sun Jul 16 14:24:48 2017 us=839803 test_crypto = DISABLED
Sun Jul 16 14:24:48 2017 us=839831 tls_server = ENABLED
Sun Jul 16 14:24:48 2017 us=839848 tls_client = DISABLED
Sun Jul 16 14:24:48 2017 us=839864 key_method = 2
Sun Jul 16 14:24:48 2017 us=839880 ca_file = '/etc/openvpn/easy-rsa/2.0/keys/ca.crt'
Sun Jul 16 14:24:48 2017 us=839895 ca_path = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839911 dh_file = '/etc/openvpn/easy-rsa/2.0/keys/dh2048.pem'
Sun Jul 16 14:24:48 2017 us=839927 cert_file = '/etc/openvpn/easy-rsa/2.0/keys/serverVPN.crt'
Sun Jul 16 14:24:48 2017 us=839943 extra_certs_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839959 priv_key_file = '/etc/openvpn/easy-rsa/2.0/keys/serverVPN.key'
Sun Jul 16 14:24:48 2017 us=839975 pkcs12_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=839990 cipher_list = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840006 tls_verify = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840021 tls_export_cert = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840036 verify_x509_type = 0
Sun Jul 16 14:24:48 2017 us=840052 verify_x509_name = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840067 crl_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840082 ns_cert_type = 0
Sun Jul 16 14:24:48 2017 us=840097 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840112 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840127 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840142 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840157 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840172 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840202 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840219 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840234 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840249 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840264 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840279 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840294 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840309 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840324 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840339 remote_cert_ku[i] = 0
Sun Jul 16 14:24:48 2017 us=840354 remote_cert_eku = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840370 ssl_flags = 0
Sun Jul 16 14:24:48 2017 us=840385 tls_timeout = 2
Sun Jul 16 14:24:48 2017 us=840400 renegotiate_bytes = -1
Sun Jul 16 14:24:48 2017 us=840416 renegotiate_packets = 0
Sun Jul 16 14:24:48 2017 us=840431 renegotiate_seconds = 3600
Sun Jul 16 14:24:48 2017 us=840447 handshake_window = 60
Sun Jul 16 14:24:48 2017 us=840463 transition_window = 3600
Sun Jul 16 14:24:48 2017 us=840478 single_session = DISABLED
Sun Jul 16 14:24:48 2017 us=840494 push_peer_info = DISABLED
Sun Jul 16 14:24:48 2017 us=840509 tls_exit = DISABLED
Sun Jul 16 14:24:48 2017 us=840525 tls_auth_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840541 tls_crypt_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=840556 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840572 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840588 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840603 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840618 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840634 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840649 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840664 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840680 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840695 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840710 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840726 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840741 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840756 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840772 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840795 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:24:48 2017 us=840813 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840829 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840845 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840861 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840876 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840891 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840907 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840922 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840937 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840952 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840968 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840983 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=840998 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=841013 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=841028 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=841044 pkcs11_private_mode = 00000000
Sun Jul 16 14:24:48 2017 us=841059 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841075 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841090 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841105 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841120 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841136 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841151 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841166 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841182 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841197 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841212 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841228 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841258 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841275 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841291 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841306 pkcs11_cert_private = DISABLED
Sun Jul 16 14:24:48 2017 us=841322 pkcs11_pin_cache_period = -1
Sun Jul 16 14:24:48 2017 us=841338 pkcs11_id = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=841354 pkcs11_id_management = DISABLED
Sun Jul 16 14:24:48 2017 us=841371 server_network = 10.8.0.0
Sun Jul 16 14:24:48 2017 us=841394 server_netmask = 255.255.255.0
Sun Jul 16 14:24:48 2017 us=841419 server_network_ipv6 = ::
Sun Jul 16 14:24:48 2017 us=841435 server_netbits_ipv6 = 0
Sun Jul 16 14:24:48 2017 us=841453 server_bridge_ip = 0.0.0.0
Sun Jul 16 14:24:48 2017 us=841471 server_bridge_netmask = 0.0.0.0
Sun Jul 16 14:24:48 2017 us=841488 server_bridge_pool_start = 0.0.0.0
Sun Jul 16 14:24:48 2017 us=841505 server_bridge_pool_end = 0.0.0.0
Sun Jul 16 14:24:48 2017 us=841521 push_entry = 'route 192.168.1.0 255.255.255.0'
Sun Jul 16 14:24:48 2017 us=841537 push_entry = 'dhcp-option DNS 8.8.8.8'
Sun Jul 16 14:24:48 2017 us=841553 push_entry = 'route 10.8.0.0 255.255.255.0'
Sun Jul 16 14:24:48 2017 us=841568 push_entry = 'topology net30'
Sun Jul 16 14:24:48 2017 us=841584 push_entry = 'ping 10'
Sun Jul 16 14:24:48 2017 us=841599 push_entry = 'ping-restart 120'
Sun Jul 16 14:24:48 2017 us=841614 ifconfig_pool_defined = ENABLED
Sun Jul 16 14:24:48 2017 us=841631 ifconfig_pool_start = 10.8.0.4
Sun Jul 16 14:24:48 2017 us=841649 ifconfig_pool_end = 10.8.0.251
Sun Jul 16 14:24:48 2017 us=841667 ifconfig_pool_netmask = 0.0.0.0
Sun Jul 16 14:24:48 2017 us=841682 ifconfig_pool_persist_filename = 'ipp.txt'
Sun Jul 16 14:24:48 2017 us=841698 ifconfig_pool_persist_refresh_freq = 600
Sun Jul 16 14:24:48 2017 us=841714 ifconfig_ipv6_pool_defined = DISABLED
Sun Jul 16 14:24:48 2017 us=841731 ifconfig_ipv6_pool_base = ::
Sun Jul 16 14:24:48 2017 us=841746 ifconfig_ipv6_pool_netbits = 0
Sun Jul 16 14:24:48 2017 us=841762 n_bcast_buf = 256
Sun Jul 16 14:24:48 2017 us=841786 tcp_queue_limit = 64
Sun Jul 16 14:24:48 2017 us=841803 real_hash_size = 256
Sun Jul 16 14:24:48 2017 us=841819 virtual_hash_size = 256
Sun Jul 16 14:24:48 2017 us=841835 client_connect_script = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=841851 learn_address_script = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=841867 client_disconnect_script = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=841883 client_config_dir = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=841898 ccd_exclusive = DISABLED
Sun Jul 16 14:24:48 2017 us=841914 tmp_dir = '/tmp'
Sun Jul 16 14:24:48 2017 us=841930 push_ifconfig_defined = DISABLED
Sun Jul 16 14:24:48 2017 us=841947 push_ifconfig_local = 0.0.0.0
Sun Jul 16 14:24:48 2017 us=841965 push_ifconfig_remote_netmask = 0.0.0.0
Sun Jul 16 14:24:48 2017 us=841981 push_ifconfig_ipv6_defined = DISABLED
Sun Jul 16 14:24:48 2017 us=841997 push_ifconfig_ipv6_local = ::/0
Sun Jul 16 14:24:48 2017 us=842014 push_ifconfig_ipv6_remote = ::
Sun Jul 16 14:24:48 2017 us=842030 enable_c2c = ENABLED
Sun Jul 16 14:24:48 2017 us=842045 duplicate_cn = DISABLED
Sun Jul 16 14:24:48 2017 us=842061 cf_max = 0
Sun Jul 16 14:24:48 2017 us=842077 cf_per = 0
Sun Jul 16 14:24:48 2017 us=842092 max_clients = 10
Sun Jul 16 14:24:48 2017 us=842107 max_routes_per_client = 256
Sun Jul 16 14:24:48 2017 us=842123 auth_user_pass_verify_script = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=842139 auth_user_pass_verify_script_via_file = DISABLED
Sun Jul 16 14:24:48 2017 us=842154 auth_token_generate = DISABLED
Sun Jul 16 14:24:48 2017 us=842169 auth_token_lifetime = 0
Sun Jul 16 14:24:48 2017 us=842196 port_share_host = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=842218 port_share_port = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=842234 client = DISABLED
Sun Jul 16 14:24:48 2017 us=842250 pull = DISABLED
Sun Jul 16 14:24:48 2017 us=842266 auth_user_pass_file = '[UNDEF]'
Sun Jul 16 14:24:48 2017 us=842284 OpenVPN 2.4.3 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 21 2017
Sun Jul 16 14:24:48 2017 us=842309 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Sun Jul 16 14:24:48 2017 us=842651 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Jul 16 14:24:48 2017 us=862802 Diffie-Hellman initialized with 2048 bit key
Sun Jul 16 14:24:48 2017 us=863640 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Sun Jul 16 14:24:48 2017 us=863682 ECDH curve secp384r1 added
Sun Jul 16 14:24:48 2017 us=863869 TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Jul 16 14:24:48 2017 us=864170 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp30s0 HWADDR=1c:c1:de:fa:cc:46
Sun Jul 16 14:24:48 2017 us=864467 TUN/TAP device tun0 opened
Sun Jul 16 14:24:48 2017 us=864522 TUN/TAP TX queue length set to 100
Sun Jul 16 14:24:48 2017 us=864548 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jul 16 14:24:48 2017 us=864576 /sbin/ip link set dev tun0 up mtu 1500
Sun Jul 16 14:24:48 2017 us=866066 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Jul 16 14:24:48 2017 us=867778 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Sun Jul 16 14:24:48 2017 us=869847 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Jul 16 14:24:48 2017 us=870372 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jul 16 14:24:48 2017 us=870442 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 16 14:24:48 2017 us=870478 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jul 16 14:24:48 2017 us=870495 UDPv4 link remote: [AF_UNSPEC]
Sun Jul 16 14:24:48 2017 us=870515 GID set to nobody
Sun Jul 16 14:24:48 2017 us=870534 UID set to nobody
Sun Jul 16 14:24:48 2017 us=870560 MULTI: multi_init called, r=256 v=256
Sun Jul 16 14:24:48 2017 us=870601 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Jul 16 14:24:48 2017 us=870640 ifconfig_pool_read(), in='cliente01,10.8.0.4', TODO: IPv6
Sun Jul 16 14:24:48 2017 us=870661 succeeded -> ifconfig_pool_set()
Sun Jul 16 14:24:48 2017 us=870676 ifconfig_pool_read(), in='cvalencia,10.8.0.8', TODO: IPv6
Sun Jul 16 14:24:48 2017 us=870691 succeeded -> ifconfig_pool_set()
Sun Jul 16 14:24:48 2017 us=870705 ifconfig_pool_read(), in='jbrugman,10.8.0.12', TODO: IPv6
Sun Jul 16 14:24:48 2017 us=870720 succeeded -> ifconfig_pool_set()
Sun Jul 16 14:24:48 2017 us=870734 ifconfig_pool_read(), in='ccorvala,10.8.0.16', TODO: IPv6
Sun Jul 16 14:24:48 2017 us=870748 succeeded -> ifconfig_pool_set()
Sun Jul 16 14:24:48 2017 us=870762 ifconfig_pool_read(), in='nduque,10.8.0.20', TODO: IPv6
Sun Jul 16 14:24:48 2017 us=870776 succeeded -> ifconfig_pool_set()
Sun Jul 16 14:24:48 2017 us=870790 ifconfig_pool_read(), in='ocontrer,10.8.0.24', TODO: IPv6
Sun Jul 16 14:24:48 2017 us=870804 succeeded -> ifconfig_pool_set()
Sun Jul 16 14:24:48 2017 us=870820 IFCONFIG POOL LIST
Sun Jul 16 14:24:48 2017 us=870836 cliente01,10.8.0.4
Sun Jul 16 14:24:48 2017 us=870852 cvalencia,10.8.0.8
Sun Jul 16 14:24:48 2017 us=870867 jbrugman,10.8.0.12
Sun Jul 16 14:24:48 2017 us=870882 ccorvala,10.8.0.16
Sun Jul 16 14:24:48 2017 us=870897 nduque,10.8.0.20
Sun Jul 16 14:24:48 2017 us=870912 ocontrer,10.8.0.24
Sun Jul 16 14:24:48 2017 us=870962 Initialization Sequence Completed
Sun Jul 16 14:24:57 2017 us=890547 event_wait : Interrupted system call (code=4)
Sun Jul 16 14:24:57 2017 us=890791 TCP/UDP: Closing socket
Sun Jul 16 14:24:57 2017 us=890864 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Sun Jul 16 14:24:57 2017 us=892625 ERROR: Linux route delete command failed: external program exited with error status: 2
Sun Jul 16 14:24:57 2017 us=892673 Closing TUN/TAP interface
Sun Jul 16 14:24:57 2017 us=892711 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Sun Jul 16 14:24:57 2017 us=894467 Linux ip addr del failed: external program exited with error status: 2
Sun Jul 16 14:24:57 2017 us=906437 SIGINT[hard,] received, process exiting
This is the error:
RTNETLINK answers: Operation not permitted
Sun Jul 16 14:24:57 2017 us=892625 ERROR: Linux route delete command failed: external program exited with error status: 2
Sun Jul 16 14:24:57 2017 us=892673 Closing TUN/TAP interface
Sun Jul 16 14:24:57 2017 us=892711 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Sun Jul 16 14:24:57 2017 us=894467 Linux ip addr del failed: external program exited with error status: 2
Sun Jul 16 14:24:57 2017 us=906437 SIGINT[hard,] received, process exiting
* Client *
Operating system:
C:\Users\sony>ver
Microsoft Windows [Versión 6.3.9600]
Client.ovpn
# Client.ovpn — OpenVPN client configuration as posted (Windows, OpenVPN 2.3.13 per the log).
client
proto udp
dev tun
ca ca.crt
# NOTE(review): "dh" is a TLS-server-only option; it has no effect in a client profile and can be removed.
dh dh2048.pem
cert cliente01.crt
key cliente01.key
# Server address redacted by the poster. Note the timestamps: the posted server log shows the
# server receiving SIGINT and exiting at 14:24:57, while this client's attempt is at 14:42:27.
# If the server was not running at that time (or UDP/1194 was not forwarded to 192.168.1.229),
# the "read UDPv4: Connection reset by peer (WSAECONNRESET)" error is the usual symptom on
# Windows of an ICMP port-unreachable reply — confirm the server is up before debugging further.
remote xxx.xxx.xxx.xxx 1194
# NOTE(review): the client log warns "No server certificate verification method has been
# enabled". Add "remote-cert-tls server" so the client only accepts a certificate carrying the
# server key-usage/EKU (the server cert must have been issued as a server cert, typically via
# easy-rsa's build-key-server). There is also no tls-auth here, matching the server.
cipher AES-256-CBC
verb 4
;mute 20
# The server already pushes "ping 10" / "ping-restart 120" (see push_entry lines in the server
# log), so this local keepalive is redundant but harmless.
keepalive 10 120
comp-lzo
persist-key
persist-tun
# NOTE(review): "float" accepts packets from a changed peer address; it is rarely needed on a
# client talking to a fixed server address — confirm it is actually required.
float
resolv-retry infinite
nobind
Client log (at --verb 4)
Sun Jul 16 14:42:26 2017 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_protected_authentication = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_private_mode = 00000000
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_cert_private = DISABLED
Sun Jul 16 14:42:26 2017 pkcs11_pin_cache_period = -1
Sun Jul 16 14:42:26 2017 pkcs11_id = '[UNDEF]'
Sun Jul 16 14:42:26 2017 pkcs11_id_management = DISABLED
Sun Jul 16 14:42:26 2017 server_network = 0.0.0.0
Sun Jul 16 14:42:26 2017 server_netmask = 0.0.0.0
Sun Jul 16 14:42:26 2017 server_network_ipv6 = ::
Sun Jul 16 14:42:26 2017 server_netbits_ipv6 = 0
Sun Jul 16 14:42:26 2017 server_bridge_ip = 0.0.0.0
Sun Jul 16 14:42:26 2017 server_bridge_netmask = 0.0.0.0
Sun Jul 16 14:42:26 2017 server_bridge_pool_start = 0.0.0.0
Sun Jul 16 14:42:26 2017 server_bridge_pool_end = 0.0.0.0
Sun Jul 16 14:42:26 2017 ifconfig_pool_defined = DISABLED
Sun Jul 16 14:42:26 2017 ifconfig_pool_start = 0.0.0.0
Sun Jul 16 14:42:26 2017 ifconfig_pool_end = 0.0.0.0
Sun Jul 16 14:42:26 2017 ifconfig_pool_netmask = 0.0.0.0
Sun Jul 16 14:42:26 2017 ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jul 16 14:42:26 2017 ifconfig_pool_persist_refresh_freq = 600
Sun Jul 16 14:42:26 2017 ifconfig_ipv6_pool_defined = DISABLED
Sun Jul 16 14:42:26 2017 ifconfig_ipv6_pool_base = ::
Sun Jul 16 14:42:26 2017 ifconfig_ipv6_pool_netbits = 0
Sun Jul 16 14:42:26 2017 n_bcast_buf = 256
Sun Jul 16 14:42:26 2017 tcp_queue_limit = 64
Sun Jul 16 14:42:26 2017 real_hash_size = 256
Sun Jul 16 14:42:26 2017 virtual_hash_size = 256
Sun Jul 16 14:42:26 2017 client_connect_script = '[UNDEF]'
Sun Jul 16 14:42:26 2017 learn_address_script = '[UNDEF]'
Sun Jul 16 14:42:26 2017 client_disconnect_script = '[UNDEF]'
Sun Jul 16 14:42:26 2017 client_config_dir = '[UNDEF]'
Sun Jul 16 14:42:26 2017 ccd_exclusive = DISABLED
Sun Jul 16 14:42:26 2017 tmp_dir = 'C:\Users\sony\AppData\Local\Temp'
Sun Jul 16 14:42:26 2017 push_ifconfig_defined = DISABLED
Sun Jul 16 14:42:26 2017 push_ifconfig_local = 0.0.0.0
Sun Jul 16 14:42:26 2017 push_ifconfig_remote_netmask = 0.0.0.0
Sun Jul 16 14:42:26 2017 push_ifconfig_ipv6_defined = DISABLED
Sun Jul 16 14:42:26 2017 push_ifconfig_ipv6_local = ::/0
Sun Jul 16 14:42:26 2017 push_ifconfig_ipv6_remote = ::
Sun Jul 16 14:42:26 2017 enable_c2c = DISABLED
Sun Jul 16 14:42:26 2017 duplicate_cn = DISABLED
Sun Jul 16 14:42:26 2017 cf_max = 0
Sun Jul 16 14:42:26 2017 cf_per = 0
Sun Jul 16 14:42:26 2017 max_clients = 1024
Sun Jul 16 14:42:26 2017 max_routes_per_client = 256
Sun Jul 16 14:42:26 2017 auth_user_pass_verify_script = '[UNDEF]'
Sun Jul 16 14:42:26 2017 auth_user_pass_verify_script_via_file = DISABLED
Sun Jul 16 14:42:26 2017 client = ENABLED
Sun Jul 16 14:42:26 2017 pull = ENABLED
Sun Jul 16 14:42:26 2017 auth_user_pass_file = '[UNDEF]'
Sun Jul 16 14:42:26 2017 show_net_up = DISABLED
Sun Jul 16 14:42:26 2017 route_method = 0
Sun Jul 16 14:42:26 2017 block_outside_dns = DISABLED
Sun Jul 16 14:42:26 2017 ip_win32_defined = DISABLED
Sun Jul 16 14:42:26 2017 ip_win32_type = 3
Sun Jul 16 14:42:26 2017 dhcp_masq_offset = 0
Sun Jul 16 14:42:26 2017 dhcp_lease_time = 31536000
Sun Jul 16 14:42:26 2017 tap_sleep = 0
Sun Jul 16 14:42:26 2017 dhcp_options = DISABLED
Sun Jul 16 14:42:26 2017 dhcp_renew = DISABLED
Sun Jul 16 14:42:26 2017 dhcp_pre_release = DISABLED
Sun Jul 16 14:42:26 2017 dhcp_release = DISABLED
Sun Jul 16 14:42:26 2017 domain = '[UNDEF]'
Sun Jul 16 14:42:26 2017 netbios_scope = '[UNDEF]'
Sun Jul 16 14:42:26 2017 netbios_node_type = 0
Sun Jul 16 14:42:26 2017 disable_nbt = DISABLED
Sun Jul 16 14:42:26 2017 OpenVPN 2.3.13 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Nov 3 2016
Sun Jul 16 14:42:26 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jul 16 14:42:26 2017 library versions: OpenSSL 1.0.1u 22 Sep 2016, LZO 2.09
Sun Jul 16 14:42:26 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Jul 16 14:42:26 2017 Need hold release from management interface, waiting...
Sun Jul 16 14:42:27 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Sun Jul 16 14:42:27 2017 MANAGEMENT: CMD 'state on'
Sun Jul 16 14:42:27 2017 MANAGEMENT: CMD 'log all on'
Sun Jul 16 14:42:27 2017 MANAGEMENT: CMD 'hold off'
Sun Jul 16 14:42:27 2017 MANAGEMENT: CMD 'hold release'
Sun Jul 16 14:42:27 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jul 16 14:42:27 2017 LZO compression initialized
Sun Jul 16 14:42:27 2017 Control Channel MTU parms [ L:1558 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Jul 16 14:42:27 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jul 16 14:42:27 2017 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Jul 16 14:42:27 2017 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Sun Jul 16 14:42:27 2017 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Sun Jul 16 14:42:27 2017 Local Options hash (VER=V4): '22188c5b'
Sun Jul 16 14:42:27 2017 Expected Remote Options hash (VER=V4): 'a8f55717'
Sun Jul 16 14:42:27 2017 UDPv4 link local: [undef]
Sun Jul 16 14:42:27 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Sun Jul 16 14:42:27 2017 MANAGEMENT: >STATE:1500230547,WAIT,,,
Sun Jul 16 14:42:33 2017 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thank you for your help.
Centos7
Проблемы на самом деле у меня две:
Первая —
openvpn --config /etc/openvpn/server.conf — так openvpn запускается и клиент коннектится
systemctl start openvpn@server — так выпадает с ошибкой
systemctl status openvpn@server
● openvpn@u7wrm89.service — OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2018-07-13 06:51:18 EDT; 13s ago
Process: 2324 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
Main PID: 2324 (code=exited, status=1/FAILURE)
Jul 13 06:51:18 server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server…
Jul 13 06:51:18 server openvpn[2324]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
Jul 13 06:51:18 server openvpn[2324]: Use --help for more information.
Jul 13 06:51:18 server systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
Jul 13 06:51:18 server systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
Jul 13 06:51:18 server systemd[1]: Unit openvpn@server.service entered failed state.
Jul 13 06:51:18 server systemd[1]: openvpn@server.service failed.
Firewalld выключен, SELinux тоже.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
log openvpn
cat /var/log/openvpn.log
Fri Jul 13 06:52:21 2018 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Fri Jul 13 06:52:21 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jul 13 06:52:21 2018 Diffie-Hellman initialized with 2048 bit key
Fri Jul 13 06:52:21 2018 TUN/TAP device tun0 opened
Fri Jul 13 06:52:21 2018 TUN/TAP TX queue length set to 100
Fri Jul 13 06:52:21 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jul 13 06:52:21 2018 /sbin/ip link set dev tun0 up mtu 1500
Fri Jul 13 06:52:21 2018 /sbin/ip addr add dev tun0
192.168.50.1/24 broadcast 192.168.50.255
Fri Jul 13 06:52:21 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Jul 13 06:52:21 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jul 13 06:52:21 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Jul 13 06:52:21 2018 UDPv4 link remote: [AF_UNSPEC]
Fri Jul 13 06:52:21 2018 GID set to nobody
Fri Jul 13 06:52:21 2018 UID set to nobody
Fri Jul 13 06:52:21 2018 MULTI: multi_init called, r=256 v=256
Fri Jul 13 06:52:21 2018 IFCONFIG POOL: base=192.168.50.2 size=252, ipv6=0
Fri Jul 13 06:52:21 2018 IFCONFIG POOL LIST
Fri Jul 13 06:52:21 2018 Initialization Sequence Completed
Fri Jul 13 06:52:28 2018 event_wait : Interrupted system call (code=4)
Fri Jul 13 06:52:29 2018 event_wait : Interrupted system call (code=4)
Fri Jul 13 06:52:29 2018 Closing TUN/TAP interface
Fri Jul 13 06:52:29 2018 /sbin/ip addr del dev tun0
192.168.50.1/24
RTNETLINK answers: Operation not permitted
Fri Jul 13 06:52:29 2018 Linux ip addr del failed: external program exited with error status: 2
Fri Jul 13 06:52:29 2018 SIGINT[hard,] received, process exiting
Вторая — палится IP провайдера моего, а не ВПН. Но это надо NAT и iptables. Мне бы пока с первым решить.
Не может подключиться сервер к openVPN серверу
Входные данные: Первый сервер, далее vpn_1 Второй сервер, далее vpn_2. Все сервера работают под Debian 10 и настроены по этому мануалу: https://www.8host.com/blog/nastrojka-servera-openvpn-v-debian-10/
После того как поднял несколько серверов с openVPN проверял работоспособность. К каждому VPN серверу клиент может подключиться.
Теперь пытаюсь vpn_1 сервер подключить к vpn_2 серверу, после чего терминал зависает, логи:
server_vpn1#: openvpn --client --config ./config.ovpn
Схема, которую хочу получить: client1->vpn_1->vpn_2->internet
Что-то не работает разметка сообщений. Только code работает
Спасибо за ответ, очень информативный.
p.s теги не работают, копирую примеры с разметки тоже самое.
Вот видишь, ты уже совершенствуешься, респект. Конфиги не читал, хоть и стало красиво. Вангую, терминал виснет потому, что сервер1 получает дефолтный маршрут и начинает гнать трафик к клиенту через сервер2, что, конечно, ломает существующее подключение.
Маршрут
Походу так и есть, проверил логи на server_2 и там показывает что клиент подключился, проблема с маршрутом, только не понимаю как исправить это.
После того как закрыл подключение к server_2 vpn и когда вернулся терминал к работе остался этот маршрут:
Логи при подключении к server_2
Возможно, проблема в том Что используются все tun0, укажи другой.
Менял на tun0,1,2, тоже самое.
только не понимаю как исправить это.
Проблему с чем? Вы можете описать чего достичь хотите?
Получилось подключиться server_1 -> server_2, и трафик ходит правильно server_1 -> server_2 -> internet. Вот только перестал подключаться клиент к server_1:
Когда пытаюсь подключиться к серверу, в логах есть информация о клиенте:
Когда разорвал соединение между server_1 и server_2, клиент подключается автоматически:
p.s. openvpn писал что должен добавить к конфигурации float, не вникал зачем это.
Мне кажется, что после подключения server_1 -> server_2 client не может подключиться к server_1, так как теперь весь трафик ходит через server_2.
Думал что весь трафик пересылается к серверу_2 и поэтому подменил сертификаты с client_сервера_2 к конфигу client_server_1.ovpn, но тогда начал получать логи типа: Authenticate/Decrypt packet error: packet HMAC authentication failed
Схема, которую хочу получить: client1->vpn_1->vpn_2->internet
Покажите с сервер 1 выхлопы
# ip r s table all
Сегодня переключился на Ubuntu на клиентской машине и попытался подключиться, оказывается, тут больше логов, чем на Windows:
После того как добавил --float, клиент подключился, но без интернета.
Логи с server_1:
client local ip wlo1: 192.168.0.129
Стало лучше, частично появился интернет. Телеграм работает, вайбер — нет. Так же с сайтами: 2ip.ru — нет google — да speedtest.net — нет linux.org.ru — да
И это подключение получается только с параметром float, без него будет ошибка:
в конфиги ovpn mssfix 1200 пишу от балды с перезакладом но вполне должно работать
Спасибо Вам! На linux’e Все работает отлично. Есть только странные логи на сервере (каждую секунду такие логи кидает):
несмотря на логи с packet dropped все работает на Ubuntu.
Пытался также подключиться с Windows и Mac к серверу_1, но проблема всё ещё присутствует. server log:
client windows log part 1:
TLS Error: TLS key negotiation failed
Как бэ намекает.
Тот же конфиг на Ubuntu работает, а на остальных система нет.
Проблема присутствует только тогда, когда server_1 подключен к server_2 для Windows
Тот же конфиг на Ubuntu работает, а на остальных система нет.
У вас пути до сертов &etc как прописаны, полный путь или нет? Попробуйте для начала прописать полные пути.
Проблема присутствует только тогда, когда server_1 подключен к server_2 для Windows
Не распарсил. Поясните плиз.
Проблема с подключением клиента к сервер_1, есть только в случае, если server_1 подключен к server_2. Клиент на виндовсе не может подключиться к впн. Так только я отключаю подключение между серверами, клиент автоматически подключается к сервер_1.
У вас пути до сертов &etc как прописаны, полный путь или нет? Попробуйте для начала прописать полные пути.
Вы говорите о сертификатах в конфиге? — если да, сертификаты находятся вместе с конфигом внутри.
На всякий случай уточню, когда проверяете у вас случайно server_1 и клиент не в одной локалке находятся?
Нет, все в разных сетях. Сервера имеют выделенный ИР в разных сетях, а клиент выходит с роутера с обычного домашнего провайдера.
Клиент спокойно подключается к отдельным серверам без проблем (когда нет подключения между server_1 и server_2)
Вот смущает это:
--cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM)
У вас версии openssl и openvpn между офтопик и онтопик не сильно разные ?
Здравствуй, здравствуй, anc мордастый 😉 /Шутка/
Не смущайтесь, это всего лишь эхо …
Ну и по отдельности все же работает. Клиент с виндовс может подключиться к server_1 или server_2.
Есть идеи у Вас?
На всякий случай обобщу текущую ситуацию:
1. На любых других системах кроме виндоус работает.
2. Подобная ситуация возникает только на виндоус. Тут уточняющий вопрос, на любой или это конкретная машинка?
3. В случае если разорвать тунель между сервер1 и сервер2 то начинает работать и на этой винде
4. Винда, так же как и другие клиенты, находится «где-то в инете»
5. Сервер1 и Сервер2 с 09.08.21 09:54:08 не перезагружались.
Почти все верно, на apple mac тоже не работает, вместе с виндой.
Ничего не вижу 🙁 Давайте ещё раз выхлопы посмотрим с server1:
ip r s table all
ip ru
iptables-save
Я нашел мануал тот что мне нужно, на основе первого мануала, может ресетнуть сервера и еще раз попытаться, только по нормальному мануалу сделать: https://gist.github.com/gushmazuko/a74debe24bcabb0bbedf5695cb703a12 ?
В мануале уже видно, что разница в конфигах есть, а у меня ее нет. Может поэтому различные проблемы с подключением и с логами Bad packet..
Источник
[Solved] Routing not working, can’t connect to lan devices
Post by robster » Sat Nov 11, 2017 2:42 pm
I set up my openVPN server and clients are able to connect.
I would like to enable the clients to access the other devices in my lan.
Therefore I enabled IP forwarding and added the push route to my openvpn.conf, which looks like:
My goal is that clients will be members of the 192.168.0.0 subnet and access other devices in that subnet.
When my client connects this is the log:
Once connected my client can access the internet and gets the WAN IP of my server, but the client is not able to connect to other lan devices.
What am I missing here? Where can I continue looking?
Any help is very much appreciated!
Re: Routing not working, can’t connect to lan devices
Post by TinCanTech » Sat Nov 11, 2017 3:04 pm
NOTE:
- Your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN
- You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
For example: 192.168.143.0/24
That could be the reason ..
Please post your client log at --verb 4
Re: Routing not working, can’t connect to lan devices
Post by robster » Sat Nov 11, 2017 7:36 pm
Thanks for the advice. I will change the subnet at some point. But for now it would be too much effort and I consider it rather a last option before I go crazy
This is the server log at verbose 4 when my client connects.
Источник
[Solved]CCD
Post by corsairetc » Wed May 06, 2015 10:11 am
Hello,
I have a working configuration with the ccd directive, but from the server LAN (192.168.2.0) I am only able to ping the client itself (192.168.10.1) in the client LAN (192.168.10.0), not the other hosts in LAN 192.168.10.0
I solved previous thread topic18746.html
Re: CCD
Post by Traffic » Wed May 06, 2015 10:30 am
The least you could do is post your new configs ..
Re: CCD
Post by corsairetc » Wed May 06, 2015 11:04 am
Re: CCD
Post by maikcat » Wed May 06, 2015 11:12 am
did you enable IP forwarding on your client?
also please post your current configs used & contents of ccd files.
Re: CCD
Post by corsairetc » Wed May 06, 2015 11:38 am
Re: CCD
Post by maikcat » Wed May 06, 2015 12:11 pm
reconnect and check whether your client has the .22 IP
also use the full path to your ccd directory in your server config
Re: CCD
Post by corsairetc » Wed May 06, 2015 12:34 pm
Re: CCD
Post by maikcat » Wed May 06, 2015 12:49 pm
the ifconfig-push line should be entered in your ccd file not server.conf.
Re: CCD
Post by corsairetc » Mon May 11, 2015 4:59 am
Re: CCD
Post by maikcat » Mon May 11, 2015 5:27 am
ok from a pc on your client side try to:
ping clients lan ip
ping client vpn ip
ping servers vpn ip
ping servers lan ip
post the results please.
Re: CCD
Post by corsairetc » Tue May 12, 2015 5:36 am
ping clients lan ip — pass
ping client vpn ip — pass
ping servers vpn ip — pass
ping servers lan ip — pass
Now pings work from the server to a PC in the client's LAN, and in reverse.
The last thing I need is how to provide my own dnsmasq DHCP & DNS to the VPN.
Источник
Не запускается OpenVPN
Добрый день! Пытаюсь настроить OpenVPN на удаленном сервере. После всех настроек, при запуске сервиса выдает сбой. В логе видны некоторые ошибки, но их природа не вполне понятна, ровно как и способ их устранения. Если кто сталкивался с таким, буду очень благодарен за помощь. Версия openvpn 2.3.2, дистр CentOS 6.5. Лог прилагается
Tue Oct 7 22:58:24 2014 event_wait : Interrupted system call (code=4) Tue Oct 7 22:58:24 2014 /sbin/ip route del 10.84.84.0/24 RTNETLINK answers: Operation not permitted Tue Oct 7 22:58:24 2014 ERROR: Linux route delete command failed: external program exited with error status: 2 Tue Oct 7 22:58:24 2014 Closing TUN/TAP interface Tue Oct 7 22:58:24 2014 /sbin/ip addr del dev tun0 local 10.84.84.1 peer 10.84.84.2 RTNETLINK answers: Operation not permitted Tue Oct 7 22:58:24 2014 Linux ip addr del failed: external program exited with error status: 2 Tue Oct 7 22:58:25 2014 SIGTERM[hard,] received, process exiting Tue Oct 7 22:58:26 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013 Tue Oct 7 22:58:26 2014 Diffie-Hellman initialized with 2048 bit key Tue Oct 7 22:58:26 2014 Socket Buffers: R=[124928->131072] S=[124928->131072] Tue Oct 7 22:58:26 2014 ROUTE_GATEWAY 37.1.216.211 Tue Oct 7 22:58:26 2014 TUN/TAP device tun0 opened Tue Oct 7 22:58:26 2014 TUN/TAP TX queue length set to 100 Tue Oct 7 22:58:26 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Tue Oct 7 22:58:26 2014 /sbin/ip link set dev tun0 up mtu 1500 Tue Oct 7 22:58:26 2014 /sbin/ip addr add dev tun0 local 10.84.84.1 peer 10.84.84.2 Tue Oct 7 22:58:26 2014 /sbin/ip route add 10.84.84.0/24 via 10.84.84.2 Tue Oct 7 22:58:26 2014 GID set to openvpn Tue Oct 7 22:58:26 2014 UID set to openvpn Tue Oct 7 22:58:26 2014 UDPv4 link local (bound): [undef] Tue Oct 7 22:58:26 2014 UDPv4 link remote: [undef] Tue Oct 7 22:58:26 2014 MULTI: multi_init called, r=256 v=256 Tue Oct 7 22:58:26 2014 IFCONFIG POOL: base=10.84.84.4 size=62, ipv6=0 Tue Oct 7 22:58:26 2014 IFCONFIG POOL LIST Tue Oct 7 22:58:26 2014 Initialization Sequence Completed
Источник
I recently installed openVPN and configured it with my client1.ovpn file:
client
dev tun
proto udp
remote 10.8.0.1 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
my server.conf file:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
When I do the command
sudo openvpn --config client1.ovpn
I get this error in the terminal:
Sat Aug 12 21:57:10 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Sat Aug 12 21:57:10 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016,
LZO 2.08
Sat Aug 12 21:57:10 2017 Control Channel Authentication: tls-auth
using INLINE static key file
Sat Aug 12 21:57:10 2017 Outgoing Control Channel Authentication:
Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Aug 12 21:57:10 2017 Incoming Control Channel Authentication:
Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Aug 12 21:57:10 2017 Socket Buffers: R=[212992->212992] S=[212992-
>212992]
Sat Aug 12 21:57:10 2017 NOTE: UID/GID downgrade will be delayed
because of --client, --pull, or --up-delay
Sat Aug 12 21:57:10 2017 UDPv4 link local: [undef]
Sat Aug 12 21:57:10 2017 UDPv4 link remote: [AF_INET]10.8.0.1:1194
Sat Aug 12 21:57:10 2017 TLS: Initial packet from
[AF_INET]10.8.0.1:1194, sid=640d1419 b8d9a3ee
Sat Aug 12 21:57:10 2017 VERIFY OK: depth=1, C=US, ST=CA, L=Los
Angeles, O=Fort-Funston, OU=Community, CN=Fort-Funston CA,
name=Server, emailAddress=fasching.ryan@gmail.com
Sat Aug 12 21:57:10 2017 Validating certificate key usage
Sat Aug 12 21:57:10 2017 ++ Certificate has key usage 00a0, expects
00a0
Sat Aug 12 21:57:10 2017 VERIFY KU OK
Sat Aug 12 21:57:10 2017 Validating certificate extended key usage
Sat Aug 12 21:57:10 2017 ++ Certificate has EKU (str) TLS Web Server
Authentication, expects TLS Web Server Authentication
Sat Aug 12 21:57:10 2017 VERIFY EKU OK
Sat Aug 12 21:57:10 2017 VERIFY OK: depth=0, C=US, ST=CA, L=Los
Angeles, O=Fort-Funston, OU=Community, CN=Ryan, name=Server,
emailAddress=fasching.ryan@gmail.com
Sat Aug 12 21:57:10 2017 Data Channel Encrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
Sat Aug 12 21:57:10 2017 Data Channel Encrypt: Using 256 bit message
hash 'SHA256' for HMAC authentication
Sat Aug 12 21:57:10 2017 Data Channel Decrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
Sat Aug 12 21:57:10 2017 Data Channel Decrypt: Using 256 bit message
hash 'SHA256' for HMAC authentication
Sat Aug 12 21:57:10 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3
DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Aug 12 21:57:10 2017 [Ryan] Peer Connection Initiated with
[AF_INET]10.8.0.1:1194
Sat Aug 12 21:57:12 2017 SENT CONTROL [Ryan]: 'PUSH_REQUEST'
(status=1)
Sat Aug 12 21:57:12 2017 PUSH: Received control message:
'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS
208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology
net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Aug 12 21:57:12 2017 OPTIONS IMPORT: timers and/or timeouts
modified
Sat Aug 12 21:57:12 2017 OPTIONS IMPORT: --ifconfig/up options
modified
Sat Aug 12 21:57:12 2017 OPTIONS IMPORT: route options modified
Sat Aug 12 21:57:12 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-
option options modified
Sat Aug 12 21:57:12 2017 WARNING: potential conflict between --remote
address [10.8.0.1] and --ifconfig address pair [10.8.0.6, 10.8.0.5] --
this is a warning only that is triggered when local/remote addresses
exist within the same /24 subnet as --ifconfig endpoints. (silence
this warning with --ifconfig-nowarn)
Sat Aug 12 21:57:12 2017 ROUTE_GATEWAY 10.15.65.1/255.255.255.0
IFACE=wlp1s0 HWADDR=d0:57:7b:09:c7:c0
Sat Aug 12 21:57:12 2017 TUN/TAP device tun1 opened
Sat Aug 12 21:57:12 2017 TUN/TAP TX queue length set to 100
Sat Aug 12 21:57:12 2017 do_ifconfig, tt->ipv6=0, tt-
>did_ifconfig_ipv6_setup=0
Sat Aug 12 21:57:12 2017 /sbin/ip link set dev tun1 up mtu 1500
Sat Aug 12 21:57:12 2017 /sbin/ip addr add dev tun1 local 10.8.0.6
peer 10.8.0.5
Sat Aug 12 21:57:12 2017 /sbin/ip route add 10.8.0.1/32 via 10.15.65.1
RTNETLINK answers: File exists
Sat Aug 12 21:57:12 2017 ERROR: Linux route add command failed:
external program exited with error status: 2
Sat Aug 12 21:57:12 2017 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Aug 12 21:57:12 2017 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Aug 12 21:57:12 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
RTNETLINK answers: File exists
Sat Aug 12 21:57:12 2017 ERROR: Linux route add command failed:
external program exited with error status: 2
Sat Aug 12 21:57:12 2017 GID set to nogroup
Sat Aug 12 21:57:12 2017 UID set to nobody
Sat Aug 12 21:57:12 2017 Initialization Sequence Completed
I also cannot connect to the internet while openvpn is in use in the terminal. It isn't until I hit ctrl+c that I'm able to connect to the internet again.
After ctrl+c I get these errors as well:
^CSat Aug 12 21:57:56 2017 event_wait : Interrupted system call
(code=4)
Sat Aug 12 21:57:56 2017 /sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
Sat Aug 12 21:57:56 2017 ERROR: Linux route delete command failed:
external program exited with error status: 2
Sat Aug 12 21:57:56 2017 /sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
Sat Aug 12 21:57:56 2017 ERROR: Linux route delete command failed:
external program exited with error status: 2
Sat Aug 12 21:57:56 2017 /sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
Sat Aug 12 21:57:56 2017 ERROR: Linux route delete command failed:
external program exited with error status: 2
Sat Aug 12 21:57:56 2017 Closing TUN/TAP interface
Sat Aug 12 21:57:56 2017 /sbin/ip addr del dev tun1 local 10.8.0.6
peer 10.8.0.5
RTNETLINK answers: Operation not permitted
Sat Aug 12 21:57:56 2017 Linux ip addr del failed: external program
exited with error status: 2
Sat Aug 12 21:57:56 2017 SIGINT[hard,] received, process exiting
I have been trying to find an answer to this question a lot on Google already with no luck. What is causing this error of "ERROR: Linux route add command failed:
external program exited with error status: 2", as well as why I cannot connect to the internet while it is in use? Thanks.
Тема: Не могу подключиться к своему Openvpn (Прочитано 6747 раз)

S_POWER
Развернул OpenVPN на своём Ubuntu server 16.04, сделал всё по инструкции, служба работает, в ifconfig появился tun0, но клиент под Windows не соединяется. По-разному менял настройки, всё равно результата нет.
Конфиг сервера
Конфиг клиента
Лог сервера
Лог клиента
Клиентские ключи, а так же ca.crt и ta.key в папке конфига клиента, серверные понятное дело на месте.
ipv4_forwarding включен
сервер за роутером, порт 1194 переброшен
openssl не трогал.
Если можно, объясните попроще, что не так: пользуюсь Ubuntu меньше месяца, поэтому даже не понимаю, в чём может быть проблема, помимо неправильных конфигов.
« Последнее редактирование: 04 Октября 2016, 07:59:49 от SATAN_POWER »

kalek
ls -l /etc/openvpn/keys/
?

S_POWER
root@ubuntuserver:~# ls -l /etc/openvpn/keys/
итого 40
-rw-r--r-- 1 root root 4250 окт 3 02:14 01.pem
-rw-r--r-- 1 root root 1403 окт 3 02:13 ca.crt
-rw------- 1 root root 916 окт 3 02:13 ca.key
-rw-r--r-- 1 root root 245 окт 3 02:14 dh1024.pem
-rw-r--r-- 1 root root 4250 окт 3 02:14 server.crt
-rw-r--r-- 1 root root 733 окт 3 02:14 server.csr
-rw------- 1 root root 916 окт 3 02:14 server.key
-rw-r--r-- 1 root root 636 окт 3 02:15 ta.key
« Последнее редактирование: 04 Октября 2016, 08:01:26 от SATAN_POWER »

kalek
Еще
route
и
ifconfig
Кроме того стоит выполнить
sudo chmod 600 /etc/openvpn/keys/ta.key
чтоб на него не ругалось.

S_POWER
root@ubuntuserver:~# route
Таблица маршутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 100 0 0 enp2s4
10.0.0.0 * 255.255.255.0 U 0 0 0 tun0
10.15.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
link-local * 255.255.0.0 U 1000 0 0 tun0
192.168.1.0 * 255.255.255.0 U 100 0 0 enp2s4
root@ubuntuserver:~# ifconfig
enp2s4 Link encap:Ethernet HWaddr 00:16:17:b6:a0:cd
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fd4d:2151:7a64:0:94a0:da2f:63db:be44/64 Scope:Общий
inet6 addr: fd4d:2151:7a64:0:99bd:f3a5:c1e2:19e1/64 Scope:Общий
inet6 addr: fe80::216:17ff:feb6:a0cd/64 Scope:Link
inet6 addr: fd4d:2151:7a64:0:311e:cd55:6df7:d5c4/64 Scope:Общий
inet6 addr: fd4d:2151:7a64:0:216:17ff:feb6:a0cd/64 Scope:Общий
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15516809 errors:0 dropped:0 overruns:0 frame:0
TX packets:19105302 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17641284188 (17.6 GB) TX bytes:19876678193 (19.8 GB)
lo Link encap:Локальная петля (Loopback)
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:353323 errors:0 dropped:0 overruns:0 frame:0
TX packets:353323 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1157858637 (1.1 GB) TX bytes:1157858637 (1.1 GB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.1 P-t-P:10.0.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

kalek
Судя по логу
Mon Oct 3 04:14:32 2016 217.118.78.105:54617 CRL: cannot read: /etc/openvpn/keys/01.pem
ругается на список отзыва сертификатов.
Mon Oct 3 04:14:32 2016 217.118.78.105:54617 TLS_ERROR: BIO read tls_read_plaintext error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Для проверки можно попробовать его отключить — закомментировать строчку
crl-verify /etc/openvpn/keys/01.pem
Если заведется, дальше надо смотреть, все ли в порядке с этим файлом.

S_POWER
Спасибо!
Крайне удивлён, но заработало!
Что интересно я не генерировал список отзыва, 01.pem появился после генерации ключей сервера, 02.pem после генерации ключей клиента.
Возможно ли, что в список 01 был занесён текущий клиент из-за того, что я генерировал ключи 2 раза?
Можно ли где то посмотреть список всех выданных сертификатов?
I followed this guide to set up an OpenVPN server:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
OpenVPN server is a VPS on Ubuntu-18.04-x86_64
Client is Raspberry Pi 3 B+ on Raspbian Stretch Lite
Problem: client successfully connects to server (Initialization Sequence Completed
) but there is no internet connection.
Pinging www.google.com works.
Asking for public IP works: it outputs the server’s IP.
But downloading something (e.g. using wget or apt install) doesn’t work.
Edit: I tried to connect to the same server with another client (Windows 10), I get the same problem, the internet connection doesn’t work. I guess the issue comes from the server (VPS) not from the client side.
server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
client.ovpn
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
-snip-
</ca>
<cert>
-snip-
</cert>
<key>
-snip-
</key>
<tls-auth>
-snip-
</tls-auth>
/etc/sysctl.conf (server)
net.ipv4.ip_forward=1
/etc/ufw/before.rules (server)
I added these lines:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
ufw status (server)
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp LIMIT IN Anywhere
1194/udp ALLOW IN Anywhere
22/tcp (v6) LIMIT IN Anywhere (v6)
1194/udp (v6) ALLOW IN Anywhere (v6)
OpenVPN Client output during connection
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3eb50ad7 3b03202e
VERIFY OK: depth=1, CN=Easy-RSA CA
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
/sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.1.1
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
GID set to nogroup
UID set to nobody
Initialization Sequence Completed
OpenVPN Client output when I disconnect
event_wait : Interrupted system call (code=4)
/sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del XXX.XXX.XXX.XXX/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
RTNETLINK answers: Operation not permitted
Linux ip addr del failed: external program exited with error status: 2
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
Cannot write to /run/resolvconf/lock
WARNING: Failed running command (--up/--down): external program exited with error status: 1
Exiting due to fatal error
/etc/resolv.conf (client)
# Generated by resolvconf
domain home
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.1.1
Client routing table
VPN off
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
XXX.XXX.XX.XX 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
VPN on
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
XXX.XXX.XX.XX 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
mtr google.com (client)
Host Loss% Snt Last Avg Best Wrst StDev
1. 10.8.0.1 1.6% 62 55.3 541.2 53.9 2056. 669.3
2. 0.0% 62 55.2 561.6 54.0 2277. 685.9
3. 10.95.48.15 0.0% 62 56.3 563.4 53.9 2228. 691.4
4. 10.95.48.10 0.0% 62 57.5 577.0 55.6 2236. 688.9
5. be100-1258.gsw-1-a9.fr.eu 0.0% 62 65.4 567.7 63.2 2172. 671.9
6. ???
7. 108.170.244.193 0.0% 62 64.8 563.5 63.4 2163. 672.7
8. 216.239.59.209 0.0% 59 65.6 530.8 63.0 2162. 650.7
9. par21s11-in-f4.1e100.net 0.0% 59 64.4 522.3 63.5 2093. 647.6
I have recently set up an OpenVPN server, and I can sometimes connect (using OpenVPN on elementary OS) and access the internet flawlessly, but the majority of the time I connect and then get DNS errors when trying to access a website.
My friend is able to connect perfectly fine from a mac using tunnelblick.
When I start it and it doesn't work, I get this output:
root@cclient:~# openvpn --config /home/user/vpn/client.ovpn
Thu Aug 11 09:40:30 2016 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Thu Aug 11 09:40:30 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu Aug 11 09:40:30 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 09:40:30 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 09:40:30 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Aug 11 09:40:30 2016 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Aug 11 09:40:30 2016 UDPv4 link local: [undef]
Thu Aug 11 09:40:30 2016 UDPv4 link remote: [AF_INET]99.139.69.XX:1194
Thu Aug 11 09:40:30 2016 TLS: Initial packet from [AF_INET]99.139.69.94:1194, sid=dcc35439 e95aefe1
Thu Aug 11 09:40:30 2016 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Marvin, OU=MyOrganizationalUnit, CN=Marvin CA, name=server, emailAddress=LALALALA@gmail.com
Thu Aug 11 09:40:30 2016 Validating certificate key usage
Thu Aug 11 09:40:30 2016 ++ Certificate has key usage 00a0, expects 00a0
Thu Aug 11 09:40:30 2016 VERIFY KU OK
Thu Aug 11 09:40:30 2016 Validating certificate extended key usage
Thu Aug 11 09:40:30 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 11 09:40:30 2016 VERIFY EKU OK
Thu Aug 11 09:40:30 2016 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Marvin, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=LALALALA@gmail.com
Thu Aug 11 09:40:30 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 11 09:40:30 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 09:40:30 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 11 09:40:30 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 09:40:30 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Aug 11 09:40:30 2016 [server] Peer Connection Initiated with [AF_INET]99.139.69.94:1194
Thu Aug 11 09:40:32 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Aug 11 09:40:32 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Thu Aug 11 09:40:32 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 11 09:40:32 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 11 09:40:32 2016 OPTIONS IMPORT: route options modified
Thu Aug 11 09:40:32 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 11 09:40:32 2016 ROUTE_GATEWAY 10.245.243.254/255.255.252.0 IFACE=wlan0 HWADDR=b4:6d:83:25:c7:95
Thu Aug 11 09:40:32 2016 TUN/TAP device tun0 opened
Thu Aug 11 09:40:32 2016 TUN/TAP TX queue length set to 100
Thu Aug 11 09:40:32 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Aug 11 09:40:32 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Aug 11 09:40:32 2016 /sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Thu Aug 11 09:40:32 2016 /sbin/ip route add 99.139.69.XX/32 via 10.245.XXX.254
RTNETLINK answers: File exists
Thu Aug 11 09:40:32 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Thu Aug 11 09:40:32 2016 /sbin/ip route add 0.0.0.0/1 via 10.8.0.9
Thu Aug 11 09:40:32 2016 /sbin/ip route add 128.0.0.0/1 via 10.8.0.9
Thu Aug 11 09:40:32 2016 /sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Thu Aug 11 09:40:32 2016 GID set to nogroup
Thu Aug 11 09:40:32 2016 UID set to nobody
Thu Aug 11 09:40:32 2016 Initialization Sequence Completed
Then when I press ^C I get
Thu Aug 11 09:44:57 2016 event_wait : Interrupted system call (code=4)
Thu Aug 11 09:44:57 2016 /sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
Thu Aug 11 09:44:57 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Aug 11 09:44:57 2016 /sbin/ip route del 99.139.69.94/32
RTNETLINK answers: Operation not permitted
Thu Aug 11 09:44:57 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Aug 11 09:44:57 2016 /sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
Thu Aug 11 09:44:57 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Aug 11 09:44:57 2016 /sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
Thu Aug 11 09:44:57 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Aug 11 09:44:57 2016 Closing TUN/TAP interface
Thu Aug 11 09:44:57 2016 /sbin/ip addr del dev tun0 local 10.8.0.10 peer 10.8.0.9
RTNETLINK answers: Operation not permitted
Thu Aug 11 09:44:57 2016 Linux ip addr del failed: external program exited with error status: 2
Thu Aug 11 09:44:57 2016 SIGINT[hard,] received, process exiting
This is my client.ovpn
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 99.139.69.XX 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
key-direction 1
# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Marvin, OU=MyOrganizationalUnit, CN=Marvin CA/name=server/emailAddress=LALALA@gmail.com
Validity
Not Before: Aug 7 20:11:38 2016 GMT
Not After : Aug 5 20:11:38 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Marvin, OU=MyOrganizationalUnit, CN=theo/name=server/emailAddress=LALALA@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
keyid:
DirName:/C=US/ST=CA/L=SanFrancisco/O=Marvin/OU=MyOrganizationalUnit/CN=Marvin CA/name=server/emailAddress=LALALA@gmail.com
serial:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:client
Signature Algorithm: sha256WithRSAEncryption
<STUFF HERE>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
After pulling the latest version and generating new files, I can't connect to the VPN anymore.
Any ideas? I'm using the same external IP and the same port; before this update, the VPN was working fine.
Thank you.
Thu Sep 27 17:41:25 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Sep 27 17:41:25 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Sep 27 17:41:25 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Thu Sep 27 17:41:25 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Sep 27 17:41:25 2018 Need hold release from management interface, waiting...
Thu Sep 27 17:41:25 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Sep 27 17:41:25 2018 MANAGEMENT: CMD 'state on'
Thu Sep 27 17:41:25 2018 MANAGEMENT: CMD 'log all on'
Thu Sep 27 17:41:25 2018 MANAGEMENT: CMD 'echo all on'
Thu Sep 27 17:41:26 2018 MANAGEMENT: CMD 'bytecount 5'
Thu Sep 27 17:41:26 2018 MANAGEMENT: CMD 'hold off'
Thu Sep 27 17:41:26 2018 MANAGEMENT: CMD 'hold release'
Thu Sep 27 17:41:26 2018 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Sep 27 17:41:26 2018 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Sep 27 17:41:26 2018 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Sep 27 17:41:26 2018 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Sep 27 17:41:26 2018 MANAGEMENT: >STATE:1538059286,RESOLVE,,,,,,
Thu Sep 27 17:41:26 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]myip:myport
Thu Sep 27 17:41:26 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Sep 27 17:41:26 2018 UDP link local: (not bound)
Thu Sep 27 17:41:26 2018 UDP link remote: [AF_INET]myip:myport
Thu Sep 27 17:41:26 2018 MANAGEMENT: >STATE:1538059286,WAIT,,,,,,
Thu Sep 27 17:42:26 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 27 17:42:26 2018 TLS Error: TLS handshake failed
Thu Sep 27 17:42:26 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 27 17:42:26 2018 MANAGEMENT: >STATE:1538059346,RECONNECTING,tls-error,,,,,
Thu Sep 27 17:42:26 2018 Restart pause, 5 second(s)
Thu Sep 27 17:42:31 2018 MANAGEMENT: >STATE:1538059351,RESOLVE,,,,,,