LINUX.ORG.RU
ФорумAdmin

openvpn поверх tor

 , ,


0

1

Не идет трафик через туннель если его завернуть tor, напрямую работает. torrc:

#SocksBindAddress 127.0.0.1
AllowUnverifiedNodes middle,rendezvous
Log notice file /var/log/tor/torrc-0
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
#########################################################
SocksPort 9050 PreferSOCKSNoAuth
ControlPort 9051
ExitNodes {us}
DataDirectory /var/lib/tor0
PidFile /var/run/tor/tor-0.pid
openvpn.conf
client
dev tun
proto tcp
socks-proxy-retry
socks-proxy 127.0.0.1 9050
remote uk1.vpnkeys.com 80
remote 178.62.34.213 80
resolv-retry infinite
tun-mtu 1500
key-direction 1
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
route-method exe
route-delay 2

<ca>
-----BEGIN CERTIFICATE-----
MIIExDCCA6ygAwIBAgIJAJ+le+CjnRmWMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJMVjENMAsGA1UECBMEUmlnYTENMAsGA1UEBxMEUmlnYTERMA8GA1UEChMI
V29ybGRWUE4xETAPBgNVBAsTCFdvcmxkVlBOMREwDwYDVQQDEwhXb3JsZFZQTjER
MA8GA1UEKRMIV29ybGRWUE4xIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAd29ybGR2
cG4ubmV0MB4XDTE1MTAyMzE3NDIwNloXDTI1MTAyMDE3NDIwNlowgZwxCzAJBgNV
BAYTAkxWMQ0wCwYDVQQIEwRSaWdhMQ0wCwYDVQQHEwRSaWdhMREwDwYDVQQKEwhX
b3JsZFZQTjERMA8GA1UECxMIV29ybGRWUE4xETAPBgNVBAMTCFdvcmxkVlBOMREw
DwYDVQQpEwhXb3JsZFZQTjEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB3b3JsZHZw
bi5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5A4zBZwtkxLV
vnFDyZEpV9+GlLzYn7SKSUhw98HbZnSAbNGF5TZkzacjdje7/pK7M2rh6JGyAGC9
kJ3xyBh0u9wFMsS0q1XGIAdOATr6sts6gpLSV3C8n8udkpZiDi9LZu1xBxk7gGB6
YaSwR5kPoi5XMFpzC2v4WTN2MR7AJQjwU9XMa7J4aXCZdZfiqVsUyxeLYSFJSZKO
S7+X76NhUmAisK12GD54lryuR5y5thMvc2oAN8Rm2IdovfDTbbSqGqpxI/OSXJEb
pX/bNgt5mJSD6WfyfvoJmIzT+C1FhPjOe+1Q4r1SQv60uPFf/xMwFI45qHp7L+mH
e7EBiiFZAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQU3ptlDD25LUjztw5Ln3+EIhWH
cL0wgdEGA1UdIwSByTCBxoAU3ptlDD25LUjztw5Ln3+EIhWHcL2hgaKkgZ8wgZwx
CzAJBgNVBAYTAkxWMQ0wCwYDVQQIEwRSaWdhMQ0wCwYDVQQHEwRSaWdhMREwDwYD
VQQKEwhXb3JsZFZQTjERMA8GA1UECxMIV29ybGRWUE4xETAPBgNVBAMTCFdvcmxk
VlBOMREwDwYDVQQpEwhXb3JsZFZQTjEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB3
b3JsZHZwbi5uZXSCCQCfpXvgo50ZljAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
BQUAA4IBAQA869ZTA28B9X+4X294TFdEVgpHWIhj/yQAnxH6LbgBWSwGBPtBa2uk
ZUnyDdev7XZZtAk7UwDGKBpbck9HFqPCEuy9fBZwOaDLmf28WaaejliDogVZ6za3
oRUAhdyTQajDCBNyek2UolAfS0WfCcOwb9LZbdLCZZl/RvOlxXMJRZhw2xB2FyQq
10ZS7gMsAckN5B7Uaq5QN0q+WjY17gL0Y94Pl6ZyWBtbv2a7B2rlyIIh6RPb+bNm
+JJfdLU4zVnmMukQ0vgcYITfxFem0ZG8Q6rrsfs9OqJzMb5GYBik73Rj2ynrHLM1
cO8tzHzlOMQyrM8apAqSch09dl/ZwYhH
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
2ff6476cd88e2d7024bc2cafc5365d2a
8582427054d87e2044b9dd2f62a90da5
c60bc43b3b81a05830567f0d1134b79f
b7c516ce9e9b8a746daf56221919380c
bf5ef8c4d4fc4261e44ae66fa14a3eb5
3f46f26dcdb5221e909513043036ee04
642b353b8938ee2b9d6f8af67552b6a4
ec695aca71cc835baec7a15300dace4f
efe8063efd01cca38f934bcac47380fa
76443c19e484e103125cff13ec995eca
f0be52d9badfad42e81edde12ef21ccc
cdb3fd18f6d00c9f26f5c2861b966a3d
0a9accf10d6c15e3fd9ea3d0336d6e16
06ac86ff1bfe62006440d67fede4e4fc
3b548fee73eaa5ec3e8f3e055dc1bef6
a158aeee98201ec87ed56dbbb50c5362
-----END OpenVPN Static key V1-----
</tls-auth>
Username : vpnkeys Password : yeeuuwi лог opeenvpn:
 openvpn --config /etc/openvpn/client/uk1.vpnkeys.com.tcp.ovpn 
Wed Jul  5 22:29:02 2017 DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: In OpenVPN 2.4 proxy connection retries are handled like regular connections. Use connect-retry-max 1 to get a similar behavior as before.
Wed Jul  5 22:29:02 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Wed Jul  5 22:29:02 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Enter Auth Username: vpnkeys
Enter Auth Password: *******
Wed Jul  5 22:29:12 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul  5 22:29:12 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul  5 22:29:12 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:9050
Wed Jul  5 22:29:12 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Jul  5 22:29:12 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:9050 [nonblock]
Wed Jul  5 22:29:12 2017 TCP connection established with [AF_INET]127.0.0.1:9050
Wed Jul  5 22:29:12 2017 TCP_CLIENT link local: (not bound)
Wed Jul  5 22:29:12 2017 TCP_CLIENT link remote: [AF_INET]127.0.0.1:9050
Wed Jul  5 22:29:13 2017 TLS: Initial packet from [AF_INET]127.0.0.1:9050, sid=6ce0274a 6a291259
Wed Jul  5 22:29:13 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul  5 22:29:14 2017 VERIFY OK: depth=1, C=LV, ST=Riga, L=Riga, O=WorldVPN, OU=WorldVPN, CN=WorldVPN, name=WorldVPN, emailAddress=support@worldvpn.net
Wed Jul  5 22:29:14 2017 VERIFY OK: nsCertType=SERVER
Wed Jul  5 22:29:14 2017 VERIFY OK: depth=0, C=LV, ST=Riga, L=Riga, O=WorldVPN, OU=WorldVPN, CN=WorldVPN, name=WorldVPN, emailAddress=support@worldvpn.net
Wed Jul  5 22:29:15 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul  5 22:29:15 2017 [WorldVPN] Peer Connection Initiated with [AF_INET]127.0.0.1:9050
Wed Jul  5 22:29:16 2017 SENT CONTROL [WorldVPN]: 'PUSH_REQUEST' (status=1)
Wed Jul  5 22:29:17 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,dhcp-option DNS 10.8.2.0,route 10.8.4.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.4.98 10.8.4.97,peer-id 0,cipher AES-256-GCM'
Wed Jul  5 22:29:17 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul  5 22:29:17 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul  5 22:29:17 2017 OPTIONS IMPORT: route options modified
Wed Jul  5 22:29:17 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jul  5 22:29:17 2017 OPTIONS IMPORT: peer-id set
Wed Jul  5 22:29:17 2017 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Jul  5 22:29:17 2017 OPTIONS IMPORT: data channel crypto options modified
Wed Jul  5 22:29:17 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul  5 22:29:17 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul  5 22:29:17 2017 ROUTE_GATEWAY 192.168.122.1/255.255.255.0 IFACE=ens3 HWADDR=52:54:00:a7:d7:75
Wed Jul  5 22:29:17 2017 TUN/TAP device tun0 opened
Wed Jul  5 22:29:17 2017 TUN/TAP TX queue length set to 100
Wed Jul  5 22:29:17 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul  5 22:29:17 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed Jul  5 22:29:17 2017 /sbin/ip addr add dev tun0 local 10.8.4.98 peer 10.8.4.97
Wed Jul  5 22:29:19 2017 /sbin/ip route add 127.0.0.1/32 via 192.168.122.1
Wed Jul  5 22:29:19 2017 /sbin/ip route add 0.0.0.0/1 via 10.8.4.97
Wed Jul  5 22:29:19 2017 /sbin/ip route add 128.0.0.0/1 via 10.8.4.97
Wed Jul  5 22:29:19 2017 /sbin/ip route add 10.8.4.1/32 via 10.8.4.97
Wed Jul  5 22:29:19 2017 Initialization Sequence Completed
Wed Jul  5 22:31:27 2017 [WorldVPN] Inactivity timeout (--ping-restart), restarting
Wed Jul  5 22:31:27 2017 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jul  5 22:31:27 2017 Restart pause, 5 second(s)
Wed Jul  5 22:31:32 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:9050
Wed Jul  5 22:31:32 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Jul  5 22:31:32 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:9050 [nonblock]
Wed Jul  5 22:31:32 2017 TCP connection established with [AF_INET]127.0.0.1:9050
Wed Jul  5 22:31:37 2017 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
Wed Jul  5 22:31:37 2017 SIGUSR1[soft,init_instance] received, process restarting
Wed Jul  5 22:31:37 2017 Restart pause, 5 second(s)
Wed Jul  5 22:31:42 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:9050
Wed Jul  5 22:31:42 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Jul  5 22:31:42 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:9050 [nonblock]
Wed Jul  5 22:31:42 2017 TCP connection established with [AF_INET]127.0.0.1:9050
Wed Jul  5 22:31:47 2017 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
Wed Jul  5 22:31:47 2017 SIGUSR1[soft,init_instance] received, process restarting
Wed Jul  5 22:31:47 2017 Restart pause, 5 second(s)
Wed Jul  5 22:31:52 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:9050
Wed Jul  5 22:31:52 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Jul  5 22:31:52 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:9050 [nonblock]
Wed Jul  5 22:31:52 2017 TCP connection established with [AF_INET]127.0.0.1:9050
Wed Jul  5 22:31:57 2017 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
Wed Jul  5 22:31:57 2017 SIGUSR1[soft,init_instance] received, process restarting
Wed Jul  5 22:31:57 2017 Restart pause, 5 second(s)
Туннель поднимается, получает адреса, после поднятия туннеля сервер openvpn пингуется, по внешнему адресу, прописываем через dev tun0, либо через 10.8.4.97 маршрут и трафик не идет, ни пинги, ни телнетом на порт. Может сталкивался кто? Еще нюанс, tor порт слушает, но пока не рестартанеш openvpn и tor, туннель снова не поднимется. В iptables пусто.

так openvpn добавляет маршруты в таблицу. Как оно тебе будет работать, тор у тебя отваливается пытаясь трафик гнать через tun... думай как роуты разрулить, чтобы трафик от тора шел напрямую, а не через tun.

ving2 ()
Ответ на: комментарий от JoIIyRoger

Можно и так, но какое то корявое решение... Может как то пометить трафик по gid и его отправлять через интерфейс основного прова.

ving2 ()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.