LINUX.ORG.RU
Forum: Admin

OpenVPN on OpenWrt and an iOS client

Good day, friends!

I have an Asus rt-51u router flashed with OpenWrt. An OpenVPN server is running on it; the problem is that I can't connect to it from an iOS device (the native client on the device). From Windows it connects and works, I don't know how fully, but the IP changes and I have access to the local hosts on my home network. The most interesting part is that with the Asus stock firmware everything worked perfectly. But the stock firmware has quirks that forced me to replace it.

Here is the server config:

local 0.0.0.0
port 1194
proto udp
dev tun
topology subnet

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"

cipher AES-256-CBC

client-to-client
keepalive 15 60
max-clients 2

persist-key
persist-tun

status openvpn-status.log
verb 0
mute 20

Here is the client config (the Windows one, which works):
client
dev tun
proto udp
remote 0.0.0.0 1194
persist-key
persist-tun
cipher AES-256-CBC
keepalive 15 60
auth-user-pass
verb 3

The keys and certificates are inline in the file.

Here is its log from Windows:

2021-01-26 06:27:50 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

2021-01-26 06:27:50 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020

2021-01-26 06:27:50 Windows version 10.0 (Windows 10 or greater) 64bit

2021-01-26 06:27:50 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:

2021-01-26 06:27:50 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340

2021-01-26 06:27:50 Need hold release from management interface, waiting...

2021-01-26 06:27:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340

2021-01-26 06:27:51 MANAGEMENT: CMD 'state on'

2021-01-26 06:27:51 MANAGEMENT: CMD 'log all on'

2021-01-26 06:27:51 MANAGEMENT: CMD 'echo all on'

2021-01-26 06:27:51 MANAGEMENT: CMD 'bytecount 5'

2021-01-26 06:27:51 MANAGEMENT: CMD 'hold off'

2021-01-26 06:27:51 MANAGEMENT: CMD 'hold release'

2021-01-26 06:27:51 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

2021-01-26 06:27:51 TCP/UDP: Preserving recently used remote address: [AF_INET]0.0.0.0:1194

2021-01-26 06:27:51 Socket Buffers: R=[65536->65536] S=[65536->65536]

2021-01-26 06:27:51 UDP link local (bound): [AF_INET][undef]:1194

2021-01-26 06:27:51 UDP link remote: [AF_INET]0.0.0.0:1194

2021-01-26 06:27:51 MANAGEMENT: >STATE:1611631671,WAIT,,,,,,

2021-01-26 06:27:53 MANAGEMENT: >STATE:1611631673,AUTH,,,,,,

2021-01-26 06:27:53 TLS: Initial packet from [AF_INET]0.0.0.0:1194, sid=fb3d5349 1a6f6327

2021-01-26 06:27:53 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

2021-01-26 06:27:53 VERIFY OK: depth=0, CN=server

2021-01-26 06:27:53 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA

2021-01-26 06:27:53 [server] Peer Connection Initiated with [AF_INET]0.0.0.0:1194

2021-01-26 06:27:54 MANAGEMENT: >STATE:1611631674,GET_CONFIG,,,,,,

2021-01-26 06:27:54 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2021-01-26 06:28:00 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2021-01-26 06:28:00 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'

2021-01-26 06:28:00 OPTIONS IMPORT: timers and/or timeouts modified

2021-01-26 06:28:00 OPTIONS IMPORT: --ifconfig/up options modified

2021-01-26 06:28:00 OPTIONS IMPORT: route options modified

2021-01-26 06:28:00 OPTIONS IMPORT: route-related options modified

2021-01-26 06:28:00 OPTIONS IMPORT: peer-id set

2021-01-26 06:28:00 OPTIONS IMPORT: adjusting link_mtu to 1624

2021-01-26 06:28:00 OPTIONS IMPORT: data channel crypto options modified

2021-01-26 06:28:00 Data Channel: using negotiated cipher 'AES-256-GCM'

2021-01-26 06:28:00 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2021-01-26 06:28:00 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2021-01-26 06:28:00 interactive service msg_channel=620

2021-01-26 06:28:00 ROUTE_GATEWAY 172.16.197.211/255.255.255.0 I=12 HWADDR=82:15:13:6f:70:78

2021-01-26 06:28:00 open_tun

2021-01-26 06:28:00 tap-windows6 device [OpenVPN TAP-Windows6] opened

2021-01-26 06:28:00 TAP-Windows Driver Version 9.24 

2021-01-26 06:28:00 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]

2021-01-26 06:28:00 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {BCC9137E-C3AD-4C43-AB91-DE8F8B4686CB} [DHCP-serv: 10.8.0.254, lease-time: 31536000]

2021-01-26 06:28:00 Successful ARP Flush on interface [45] {BCC9137E-C3AD-4C43-AB91-DE8F8B4686CB}
2021-01-26 06:28:00 MANAGEMENT: >STATE:1611631680,ASSIGN_IP,,10.8.0.2,,,,

2021-01-26 06:28:00 IPv4 MTU set to 1500 on interface 45 using service

2021-01-26 06:28:05 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up

2021-01-26 06:28:05 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 255.255.255.255 172.16.197.211
2021-01-26 06:28:05 Route addition via service succeeded

2021-01-26 06:28:05 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1

2021-01-26 06:28:05 Route addition via service succeeded

2021-01-26 06:28:05 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1

2021-01-26 06:28:05 Route addition via service succeeded

2021-01-26 06:28:05 Initialization Sequence Completed

2021-01-26 06:28:05 MANAGEMENT: >STATE:1611631685,CONNECTED,SUCCESS,10.8.0.2,0.0.0.0,1194,,

2021-01-26 06:34:02 MANAGEMENT: CMD 'signal SIGHUP'

2021-01-26 06:34:02 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 255.255.255.255 172.16.197.211

2021-01-26 06:34:02 Route deletion via service succeeded

2021-01-26 06:34:02 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.0.1

2021-01-26 06:34:02 Route deletion via service succeeded

2021-01-26 06:34:02 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.0.1

2021-01-26 06:34:02 Route deletion via service succeeded

2021-01-26 06:34:02 Closing TUN/TAP interface

2021-01-26 06:34:02 TAP: DHCP address released

2021-01-26 06:34:02 SIGHUP[hard,] received, process restarting

2021-01-26 06:34:02 MANAGEMENT: >STATE:1611632042,RECONNECTING,SIGHUP,,,,,

2021-01-26 06:34:02 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

2021-01-26 06:34:02 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020

2021-01-26 06:34:02 Windows version 10.0 (Windows 10 or greater) 64bit

2021-01-26 06:34:02 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10

2021-01-26 06:34:02 Restart pause, 5 second(s)

2021-01-26 06:34:07 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

2021-01-26 06:34:07 TCP/UDP: Preserving recently used remote address: [AF_INET]0.0.0.0:1194
2021-01-26 06:34:07 Socket Buffers: R=[65536->65536] S=[65536->65536]

2021-01-26 06:34:07 UDP link local (bound): [AF_INET][undef]:1194

2021-01-26 06:34:07 UDP link remote: [AF_INET]0.0.0.0:1194

2021-01-26 06:34:07 MANAGEMENT: >STATE:1611632047,WAIT,,,,,,

2021-01-26 06:34:07 MANAGEMENT: >STATE:1611632047,AUTH,,,,,,

2021-01-26 06:34:07 TLS: Initial packet from [AF_INET]0.0.0.0:1194, sid=f07a9c09 1ca93b66

2021-01-26 06:34:07 VERIFY OK: depth=0, CN=server

2021-01-26 06:34:07 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'

2021-01-26 06:34:07 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1557'

2021-01-26 06:34:07 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'

2021-01-26 06:34:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA

2021-01-26 06:34:07 [server] Peer Connection Initiated with [AF_INET]0.0.0.0:1194

2021-01-26 06:34:08 MANAGEMENT: >STATE:1611632048,GET_CONFIG,,,,,,
2021-01-26 06:34:08 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2021-01-26 06:34:08 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2021-01-26 06:34:08 OPTIONS IMPORT: timers and/or timeouts modified

2021-01-26 06:34:08 OPTIONS IMPORT: --ifconfig/up options modified

2021-01-26 06:34:08 OPTIONS IMPORT: route options modified

2021-01-26 06:34:08 OPTIONS IMPORT: route-related options modified

2021-01-26 06:34:08 OPTIONS IMPORT: peer-id set

2021-01-26 06:34:08 OPTIONS IMPORT: adjusting link_mtu to 1656

2021-01-26 06:34:08 OPTIONS IMPORT: data channel crypto options modified

2021-01-26 06:34:08 Data Channel: using negotiated cipher 'AES-256-GCM'

2021-01-26 06:34:08 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2021-01-26 06:34:08 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2021-01-26 06:34:08 interactive service msg_channel=620

2021-01-26 06:34:08 ROUTE_GATEWAY 172.16.197.211/255.255.255.0 I=12 HWADDR=82:15:13:6f:70:78

2021-01-26 06:34:08 open_tun

2021-01-26 06:34:08 tap-windows6 device [OpenVPN TAP-Windows6] opened

2021-01-26 06:34:08 TAP-Windows Driver Version 9.24 

2021-01-26 06:34:08 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {BCC9137E-C3AD-4C43-AB91-DE8F8B4686CB} [DHCP-serv: 10.8.0.0, lease-time: 31536000]

2021-01-26 06:34:08 Successful ARP Flush on interface [45] {BCC9137E-C3AD-4C43-AB91-DE8F8B4686CB}

2021-01-26 06:34:08 MANAGEMENT: >STATE:1611632048,ASSIGN_IP,,10.8.0.2,,,,

2021-01-26 06:34:08 IPv4 MTU set to 1500 on interface 45 using service

2021-01-26 06:34:13 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up

2021-01-26 06:34:13 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 255.255.255.255 172.16.197.211
2021-01-26 06:34:13 Route addition via service succeeded


2021-01-26 06:34:13 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1

2021-01-26 06:34:13 Route addition via service succeeded
2021-01-26 06:34:13 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1

2021-01-26 06:34:13 Route addition via service succeeded

I've tried everything I knew: created separate keys for each client, sent the keys to iOS as a container, as advised on Habr, converted the iOS key to RSA format; all in vain :(

Then I found the same router with the stock firmware and pulled the configs out of it over ssh.

Here they are:

daemon
server 0.0.0.0 255.255.255.0
proto udp
multihome
port 1194
dev tun21
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

status-version 2
status status 10

Client:

client
dev tun
proto udp
remote 0.0.0.0 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>

The client's keys are also inline in the file. There don't seem to be any particular differences, apart from the authentication, yet one works and the other doesn't.

Help me figure this out, please...
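Server and client configs with the weak points visible in the post corrected, as an added example; this is not the poster's config and not anything shipped by OpenVPN or OpenWrt. Each change answers a line in the Windows log above: "No server certificate verification method has been enabled" (the client never checks that the peer presents a server certificate, so anyone holding any certificate signed by the same CA can impersonate the server), "1024 bit RSA", "this configuration may cache passwords in memory", and the "DEPRECATED OPTION: --cipher" notice. The server's `verb 0` is raised to 3 because at 0 the router logs nothing when a client fails, and the first thing to establish in this thread is whether the iOS client's packets reach the daemon at all. The tls-crypt key path, the 192.168.1.1 resolver, the `user`/`group` names and the hostname in `remote` are assumptions.

```conf
# ---- server: /etc/openvpn/server.conf on the OpenWrt router (added example) ----
local 0.0.0.0
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt
# reissue server.crt/server.key: the Windows log shows "1024 bit RSA"
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# ASSUMED path; create with "openvpn --genkey tls-crypt /etc/openvpn/tc.key" (2.5)
# or "openvpn --genkey --secret /etc/openvpn/tc.key" (2.4). Every control packet
# is then authenticated, so a stray or hostile UDP packet is dropped before TLS.
tls-crypt /etc/openvpn/tc.key
# was: cipher AES-256-CBC. Let the peers negotiate an AEAD cipher instead
# ("ncp-ciphers" is the 2.4 spelling of the same option).
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
push "redirect-gateway def1"
# ASSUMED resolver: a full-tunnel client needs a DNS server it can reach through the tunnel
push "dhcp-option DNS 192.168.1.1"
# clients can reach each other; drop this line if that is not wanted
client-to-client
keepalive 15 60
max-clients 2
persist-key
persist-tun
# ASSUMED account names; drop root after the tun device and keys are open
user nobody
group nogroup
status /tmp/openvpn-status.log
# was: verb 0. At 3, "logread -f" shows "TLS: Initial packet from <client>" the moment
# a client's first packet arrives, or nothing at all, which tells you where to look.
verb 3

# ---- client profile, the same file for the Windows client and OpenVPN Connect on iOS ----
client
dev tun
proto udp
# ASSUMED name: the router's public address or DNS name, never a placeholder
remote vpn.example.net 1194
resolv-retry infinite
nobind
# fixes "No server certificate verification method has been enabled": the peer must
# present a certificate marked for server use. This replaces the stock profile's
# "ns-cert-type server", which OpenVPN 2.5 removed.
remote-cert-tls server
auth SHA256
auth-user-pass
# fixes "this configuration may cache passwords in memory" on 2.x clients
# (OpenVPN Connect manages credentials itself and may list this as unused)
auth-nocache
persist-key
persist-tun
verb 3
<ca>
(CA certificate, PEM)
</ca>
<cert>
(client certificate, PEM)
</cert>
<key>
(client private key, PEM)
</key>
<tls-crypt>
(contents of tc.key)
</tls-crypt>
```

The client profile deliberately has no `cipher` line: with `data-ciphers` on the server, both the 2.5 client and OpenVPN Connect negotiate AES-256-GCM, which is what the PUSH_REPLY in the log already shows happening. `persist-key` and `persist-tun` are the lines the iOS log reports under UNUSED OPTIONS; they are harmless there and still useful on Windows.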

In reply to: comment by zgen
2021-01-21 23:23:07 ----- OpenVPN Start -----
OpenVPN core 3.git::2952f561 ios arm64 64-bit

2021-01-21 23:23:07 OpenVPN core 3.git::2952f561 ios arm64 64-bit

2021-01-21 23:23:07 Frame=512/2048/512 mssfix-ctrl=1250

2021-01-21 23:23:07 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
6 [persist-tun] 
7 [persist-key] 
8 [verb] [3] 

2021-01-21 23:23:07 EVENT: RESOLVE

2021-01-21 23:23:07 Contacting [0.0.0.0]:1194/UDP via UDP

2021-01-21 23:23:07 EVENT: WAIT

2021-01-21 23:23:07 Connecting to [0.0.0.0]:1194 (0.0.0.0) via UDPv4

2021-01-21 23:23:18 Server poll timeout, trying next remote entry...

2021-01-21 23:23:18 EVENT: RECONNECTING

2021-01-21 23:23:18 EVENT: RESOLVE

2021-01-21 23:23:18 Contacting [0.0.0.0]:1194/UDP via UDP

2021-01-21 23:23:18 EVENT: WAIT

2021-01-21 23:23:18 Connecting to [0.0.0.0]:1194 (0.0.0.0) via UDPv4

2021-01-21 23:23:23 EVENT: DISCONNECTED

2021-01-21 23:23:23 Raw stats on disconnect:
  BYTES_OUT : 210
  PACKETS_OUT : 15
  N_RECONNECT : 1

2021-01-21 23:23:23 Performance stats on disconnect:
  CPU usage (microseconds): 39559
  Network bytes per CPU second: 5308
  Tunnel bytes per CPU second: 0

2021-01-21 23:31:34 1

2021-01-21 23:31:34 ----- OpenVPN Start -----
OpenVPN core 3.git::2952f561 ios arm64 64-bit

2021-01-21 23:31:34 OpenVPN core 3.git::2952f561 ios arm64 64-bit

2021-01-21 23:31:34 Frame=512/2048/512 mssfix-ctrl=1250

2021-01-21 23:31:34 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
6 [persist-tun] 
7 [persist-key] 
8 [verb] [3] 

2021-01-21 23:31:34 EVENT: RESOLVE

2021-01-21 23:31:34 Contacting [0.0.0.0]:1194/UDP via UDP

2021-01-21 23:31:34 EVENT: WAIT

2021-01-21 23:31:34 Connecting to [0.0.0.0]:1194 (0.0.0.0) via UDPv4

2021-01-21 23:31:45 Server poll timeout, trying next remote entry...

2021-01-21 23:31:45 EVENT: RECONNECTING

2021-01-21 23:31:45 EVENT: RESOLVE

2021-01-21 23:31:45 Contacting [0.0.0.0]:1194/UDP via UDP

2021-01-21 23:31:45 EVENT: WAIT

2021-01-21 23:31:45 Connecting to [0.0.0.0]:1194 (0.0.0.0) via UDPv4

2021-01-21 23:31:55 Server poll timeout, trying next remote entry...

2021-01-21 23:31:55 EVENT: RECONNECTING

2021-01-21 23:31:55 EVENT: RESOLVE

2021-01-21 23:31:55 Contacting [0.0.0.0]:1194/UDP via UDP

2021-01-21 23:31:55 EVENT: WAIT

2021-01-21 23:31:55 Connecting to [0.0.0.0]:1194 (0.0.0.0) via UDPv4

2021-01-21 23:32:04 EVENT: CONNECTION_TIMEOUT [ERR]

2021-01-21 23:32:04 Raw stats on disconnect:
  BYTES_OUT : 406
  PACKETS_OUT : 29
  CONNECTION_TIMEOUT : 1
  N_RECONNECT : 2

2021-01-21 23:32:04 Performance stats on disconnect:
  CPU usage (microseconds): 56683
  Network bytes per CPU second: 7162
  Tunnel bytes per CPU second: 0

2021-01-21 23:32:04 EVENT: DISCONNECTED 
gringa ()
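Read side by side, the two logs say different things. The iOS log never gets past WAIT: 29 packets out and no BYTES_IN counter (OpenVPN 3 prints only non-zero counters on disconnect), so nothing from the server ever came back, which is what a dropped or rejected UDP 1194 looks like from the client. The Windows log runs all the way to "Initialization Sequence Completed" and on the way records four things worth fixing: no server-certificate check, a 1024-bit RSA key, a cached password and a deprecated `--cipher`. The script below, an added example that is not from the thread, from OpenVPN or from OpenWrt, takes a client log and reports both how far the session got (with the likely cause when it stalls) and the security findings. The sample logs are constructed from the excerpts posted above.

```python
"""Triage OpenVPN client logs: how far did the session get, what did it
negotiate?  Added example for this thread; not code from the post, OpenVPN
or OpenWrt.  Sample logs are constructed from the excerpts posted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Milestones of a successful client session, in the order they appear.
PHASES = [
    ("server_reached", re.compile(r"TLS: Initial packet from|Peer Connection Initiated")),
    ("cert_verified", re.compile(r"VERIFY OK: depth=0")),
    ("options_pushed", re.compile(r"PUSH: Received control message: 'PUSH_REPLY")),
    ("tunnel_up", re.compile(r"Initialization Sequence Completed|EVENT: CONNECTED\b")),
]
# The client gave up without the server ever answering.
NO_REPLY = re.compile(r"Server poll timeout|EVENT: CONNECTION_TIMEOUT")
# Warnings that are security findings, each paired with the option that fixes it.
FINDINGS = [
    (re.compile(r"No server certificate verification method"),
     "client does not check that the peer holds a server certificate: add 'remote-cert-tls server'"),
    (re.compile(r"may cache passwords in memory"),
     "password kept in process memory: add 'auth-nocache'"),
    (re.compile(r"DEPRECATED OPTION: --cipher"),
     "fixed --cipher: let the peers negotiate with 'data-ciphers'"),
]
RSA_BITS = re.compile(r"Control Channel: .*?(\d+) bit RSA")
DATA_CIPHER = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")
# OpenVPN 3 "Raw stats on disconnect" lines; counters that are zero are not printed.
STAT = re.compile(r"^\s*(BYTES_IN|BYTES_OUT|PACKETS_IN|PACKETS_OUT)\s*:\s*(\d+)")


@dataclass
class Triage:
    verdict: str
    phases: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)
    data_cipher: Optional[str] = None
    rsa_bits: Optional[int] = None


def triage(log: str) -> Triage:
    lines = log.splitlines()
    reached = [name for name, pat in PHASES if any(pat.search(ln) for ln in lines)]
    findings = [fix for pat, fix in FINDINGS if any(pat.search(ln) for ln in lines)]
    rsa_bits: Optional[int] = None
    data_cipher: Optional[str] = None
    stats: Dict[str, int] = {}
    for ln in lines:
        if m := RSA_BITS.search(ln):
            rsa_bits = int(m.group(1))
        if m := DATA_CIPHER.search(ln):
            data_cipher = m.group(1)
        if m := STAT.search(ln):
            stats[m.group(1)] = int(m.group(2))
    if rsa_bits is not None and rsa_bits < 2048:
        findings.append(f"{rsa_bits}-bit RSA server key: reissue with at least 2048 bits")

    if "tunnel_up" in reached:
        verdict = "connected"
    elif "server_reached" in reached:
        verdict = "server answered but the session failed afterwards: check auth, certificates and pushed options"
    elif any(NO_REPLY.search(ln) for ln in lines):
        verdict = (f"no reply from server ({stats.get('BYTES_OUT', 0)} bytes sent, "
                   f"{stats.get('BYTES_IN', 0)} received): check the WAN firewall/NAT "
                   "for UDP 1194 and the 'remote' address")
    else:
        verdict = "inconclusive: no handshake or timeout lines found"
    return Triage(verdict, reached, findings, data_cipher, rsa_bits)


# Constructed from the Windows log posted above (OpenVPN 2.5.0).
WINDOWS_LOG = """\
2021-01-26 06:27:50 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM).
2021-01-26 06:27:51 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-01-26 06:27:53 TLS: Initial packet from [AF_INET]0.0.0.0:1194, sid=fb3d5349 1a6f6327
2021-01-26 06:27:53 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-01-26 06:27:53 VERIFY OK: depth=0, CN=server
2021-01-26 06:27:53 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA
2021-01-26 06:28:00 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2021-01-26 06:28:00 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-01-26 06:28:05 Initialization Sequence Completed
"""

# Constructed from the iOS log posted above (OpenVPN Connect, core 3).
IOS_LOG = """\
2021-01-21 23:31:34 OpenVPN core 3.git::2952f561 ios arm64 64-bit
2021-01-21 23:31:34 Contacting [0.0.0.0]:1194/UDP via UDP
2021-01-21 23:31:45 Server poll timeout, trying next remote entry...
2021-01-21 23:31:45 EVENT: RECONNECTING
2021-01-21 23:32:04 EVENT: CONNECTION_TIMEOUT [ERR]
2021-01-21 23:32:04 Raw stats on disconnect:
  BYTES_OUT : 406
  PACKETS_OUT : 29
2021-01-21 23:32:04 EVENT: DISCONNECTED
"""

if __name__ == "__main__":
    for name, log in (("windows", WINDOWS_LOG), ("ios", IOS_LOG)):
        t = triage(log)
        print(f"[{name}] {t.verdict}; phases: {t.phases or 'none'}")
        for f in t.findings:
            print(f"  finding: {f}")
```

The phase list is what makes the distinction usable: "server_reached" is only set by lines that require a packet from the server, so a log that stops before it is a network or firewall problem, not a certificate or password problem, whatever the client's own error text says.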
In reply to: comment by gringa

Why do you have zeros everywhere instead of the address? Did you replace it for secrecy?
Replace only the last octet, otherwise it's impossible to tell who is talking to whom.

Are your Windows and iOS clients on different networks?

zgen ★★★★★ ()
In reply to: comment by zgen

Everywhere there are zeros, it's 87.228.3.0. Except for one line in the Windows client log

2021-01-26 06:34:13 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1

where the zeros were there originally. Both clients connect from the Internet, from different addresses or the same one; it doesn't change the substance.

gringa ()
In reply to: comment by zgen

I checked, it definitely doesn't interfere: it worked with the stock firmware, plus I can connect to the router over ssh from any address.

But the firewall really does get in the way: yesterday I managed to establish a connection from iOS, though websites didn't open. Unfortunately, while I was editing iptables the device went down, so I had to reinstall OpenWrt. Today I'll do it all over again.

Thanks for the tip.

gringa ()
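The firewall side of this, as an added example of what the last post ran into; it is not the poster's config and not taken from OpenWrt's documentation. OpenWrt's firewall is declared in /etc/config/firewall and regenerated from that file by fw3 (19.07, 21.02) or fw4 (22.03 and later) on every restart, so rules added with raw iptables are lost on the next restart and, as happened above, easy to get wrong with no way back but a reflash. Two separate things have to be allowed: the handshake into the router (the iOS log's "Server poll timeout" is exactly what the wan zone's default input REJECT looks like from the client) and the client's traffic out of the tunnel to the LAN and, because the server pushes redirect-gateway, to the Internet ("sites didn't open" with the tunnel up is that second half missing). The port and tunnel device come from the configs above; the zone names, and masquerading on wan, are the stock OpenWrt defaults and are assumed here.

```conf
# /etc/config/firewall additions (added example; assumes OpenVPN on UDP 1194,
# "dev tun" on the router, and the stock 'lan' and 'wan' zones with
# "option masq '1'" on wan, which is OpenWrt's default).

# 1. Accept the handshake on the WAN side. Without this rule the wan zone
#    rejects the client's first packet and OpenVPN Connect only ever sees
#    "Server poll timeout".
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

# 2. Give the tunnel its own zone. 'tun+' matches tun0, tun1, ... so the zone
#    survives a renumbering. input ACCEPT lets clients use the router's DNS;
#    forward REJECT keeps clients from being routed through each other here
#    (OpenVPN's client-to-client bypasses this zone anyway).
config zone
	option name 'vpn'
	list device 'tun+'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 3. Clients may reach the LAN ...
config forwarding
	option src 'vpn'
	option dest 'lan'

# 4. ... and, since the server pushes redirect-gateway, the Internet.
#    Replies come back because the wan zone masquerades what leaves it.
config forwarding
	option src 'vpn'
	option dest 'wan'
```

Apply with `/etc/init.d/firewall restart` and confirm the rule is in place with `iptables -S | grep 1194` (fw4: `nft list ruleset | grep 1194`). With the server at `verb 3`, `logread -f` on the router prints `TLS: Initial packet from <client address>` the moment a client's first packet gets through; if that line never appears while the iOS client is polling, the packet is still being dropped before the daemon, on the router or upstream of it. A wrong edit to /etc/config/firewall is undone by restoring the previous file and restarting the service, not by reflashing; keep a second path to the router (the LAN side, or the existing wan ssh rule) open while testing.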