Приветствую.
Имеется сервер. Настраивал, часть по гайдам с Didgital Ocean, часть, по исходнику скрипта с GitHub.
Не подключается клиент, на Debian. Сервер на Ubuntu. Географически, клиент и сервер в Европе. Скриптом, развернул и запустил - все работало. Но я хочу самостоятельно разобраться, в настройке.
Что я делал:
1. Настраивал iptables (разумеется, правильно указывая сетевые интерфейсы)
2. Настраивал ufw:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o ens3 -j MASQUERADE
openvpn@serveropenvpn4. Указал:
net.ipv4.ip_forward=1Прилагаю логи:
Конфигурация сервера:
port 1194
proto udp # добавлялся пункт udp4
dev tun
ca ca.crt
cert Odin.crt
key Odin.key # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC # Добавлялся пункт ncp-ciphers AES-256-CBC
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
explicit-exit-notify 1
Логи сервера:
GNU nano 6.2 /var/log/openvpn/openvpn.log
OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: 77.77.77.77 dev ens3
Diffie-Hellman initialized with 2048 bit key
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 10.8.0.1/24 dev tun0
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]
GID set to nogroup
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=10.8.0.2 size=253
Initialization Sequence Completed
55.55.55.55:36868 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
55.55.55.55:36868 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
55.55.55.55:36868 TLS: Initial packet from [AF_INET]55.55.55.55:36868, sid=97cb096b d29bdb38
55.55.55.55:36868 VERIFY OK: depth=1, CN=Odin
55.55.55.55:36868 VERIFY OK: depth=0, CN=jotunn
55.55.55.55:36868 peer info: IV_VER=2.6.3
55.55.55.55:36868 peer info: IV_PLAT=linux
55.55.55.55:36868 peer info: IV_TCPNL=1
55.55.55.55:36868 peer info: IV_MTU=1600
55.55.55.55:36868 peer info: IV_NCP=2
55.55.55.55:36868 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
55.55.55.55:36868 peer info: IV_PROTO=990
Конфигурация клиента:
client
dev tun
proto udp
remote 77.77.77.77 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
# ca ca.crt
# cert client.crt
# key client.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Лог клиента:
Note: Kernel support for ovpn-dco missing, disabling data channel offload.
OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
DCO version: N/A
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
TCP/UDP: Preserving recently used remote address: [AF_INET]77.77.77.77:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local: (not bound)
UDPv4 link remote: [AF_INET]77.77.77.77:1194
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
TLS: Initial packet from [AF_INET]77.77.77.77:1194, sid=d3827104 20841d32
VERIFY OK: depth=1, CN=Odin
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=Odin
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
[Odin] Peer Connection Initiated with [AF_INET]77.77.77.77:1194
TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
TLS: tls_multi_process: initial untrusted session promoted to trusted
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 192.168.1.1 dev enp0s7
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s7 HWADDR=fc:1f:19:4a:55:df
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
net_iface_up: set tun0 up
net_addr_v4_add: 10.8.0.2/24 dev tun0
/etc/openvpn/update-resolv-conf tun0 1500 0 10.8.0.2 255.255.255.0 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
net_route_v4_add: 77.77.77.77/32 via 192.168.1.1 dev [NULL] table 0 metric -1
net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
UID set to nobody
GID set to nogroup
Capabilities retained: CAP_NET_ADMIN
Initialization Sequence Completed
Data Channel: cipher 'AES-256-GCM', peer-id: 0
Timers: ping 10, ping-restart 120
Подскажите пожалуйста, что я делаю не правильно, и как исправить?
sudo cast 
ValdikSS
