LINUX.ORG.RU

Problem with the OpenVPN client



Here's something that came up: it used to connect fine, I think, but now it says this:

% sudo openvpn --config client.conf
Mon Nov 19 14:06:57 2007 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Nov 4 2007
Mon Nov 19 14:06:57 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Nov 19 14:06:57 2007 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 19 14:06:57 2007 WARNING: file 'artem.key' is group or others accessible
Mon Nov 19 14:06:57 2007 LZO compression initialized
Mon Nov 19 14:06:57 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Nov 19 14:06:57 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 19 14:06:57 2007 Local Options hash (VER=V4): '41690919'
Mon Nov 19 14:06:57 2007 Expected Remote Options hash (VER=V4): '530fdded'
Mon Nov 19 14:06:57 2007 UDPv4 link local: [undef]
Mon Nov 19 14:06:57 2007 UDPv4 link remote: 172.22.16.65:1194
Mon Nov 19 14:06:59 2007 TLS Error: Unroutable control packet received from 172.22.16.65:1194 (si=3 op=P_ACK_V1)
Mon Nov 19 14:06:59 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:00 2007 TLS: Initial packet from 172.22.16.65:1194, sid=a37347a3 12f603dc
Mon Nov 19 14:07:00 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:00 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:00 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:00 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:00 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:00 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:01 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:01 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:01 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:07:01 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)

And so on.

Config:

client
dev tun
proto udp
remote 172.22.16.65 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert artem.crt
key artem.key
comp-lzo
verb 3

What is the problem?


What a mess... Here is what it outputs:

% openvpn --config client.conf
Mon Nov 19 14:20:11 2007 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Nov  4 2007
Mon Nov 19 14:20:11 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Nov 19 14:20:11 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 19 14:20:11 2007 WARNING: file 'artem.key' is group or others accessible
Mon Nov 19 14:20:11 2007 LZO compression initialized
Mon Nov 19 14:20:11 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Nov 19 14:20:11 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 19 14:20:11 2007 Local Options hash (VER=V4): '41690919'
Mon Nov 19 14:20:11 2007 Expected Remote Options hash (VER=V4): '530fdded'
Mon Nov 19 14:20:11 2007 UDPv4 link local: [undef]
Mon Nov 19 14:20:11 2007 UDPv4 link remote: 172.22.16.65:1194
Mon Nov 19 14:20:11 2007 TLS: Initial packet from 172.22.16.65:1194, sid=ebd36649 ef2bd384
Mon Nov 19 14:20:11 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:12 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:12 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:12 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:12 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Nov 19 14:20:14 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194 (allow this incoming source address/port by removing --remote or adding --float)

urandom
() topic author
In reply to: comment by urandom

Oh, one more thing: the client is behind a router, the computer's IP on the internal network is 192.168.1.2, outside it is 172.17.50.13, but nevertheless everything used to work fine...

urandom
() topic author

You can see this when there are two links and the replies to openvpn's requests go out with the header of a different link than the one the request came in on. You can look with tcpdump -i interface port 1194.

TuxR ★★★★
()
In reply to: comment by TuxR

Hmm, apparently that was not the problem with connecting; it connects fine now, although the messages about dropped packets still appear. Here is what tcpdump gave (without the VPN connection up).

% sudo tcpdump -i eth0 port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:50:55.400278 IP 172.22.16.65.1194 > m16.32773: UDP, length 53
15:50:55.421068 IP 172.17.50.11.1194 > m16.32773: UDP, length 53
15:51:05.505444 IP 172.22.16.65.1194 > m16.32773: UDP, length 53
15:51:05.525485 IP 172.17.50.11.1194 > m16.32773: UDP, length 53

urandom
() topic author
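
An added example, not part of any post in this thread: a Python script that summarizes the rejected-source lines and WARNING lines of the client log and pairs up the near-simultaneous replies in the tcpdump capture. The sample input is abridged from the output posted above; the function names and the 50 ms pairing window are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input, abridged from the output posted in this thread.
OPENVPN_LOG = """\
Mon Nov 19 14:20:11 2007 WARNING: No server certificate verification method has been enabled.
Mon Nov 19 14:20:11 2007 WARNING: file 'artem.key' is group or others accessible
Mon Nov 19 14:20:11 2007 TLS: Initial packet from 172.22.16.65:1194, sid=ebd36649 ef2bd384
Mon Nov 19 14:20:11 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194
Mon Nov 19 14:20:12 2007 TCP/UDP: Incoming packet rejected from 172.17.50.11:1194[2], expected peer address: 172.22.16.65:1194
"""
TCPDUMP = """\
15:50:55.400278 IP 172.22.16.65.1194 > m16.32773: UDP, length 53
15:50:55.421068 IP 172.17.50.11.1194 > m16.32773: UDP, length 53
15:51:05.505444 IP 172.22.16.65.1194 > m16.32773: UDP, length 53
15:51:05.525485 IP 172.17.50.11.1194 > m16.32773: UDP, length 53
"""

REJECT = re.compile(r"rejected from ([\d.]+):(\d+)\[\d+\], expected peer address: ([\d.]+):(\d+)")
PACKET = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ([\d.]+)\.(\d+) > (\S+): UDP, length (\d+)")

def summarize_openvpn(log):
    """Count rejected (source, expected peer) pairs and collect WARNING texts."""
    rejected, warnings = Counter(), []
    for line in log.splitlines():
        m = REJECT.search(line)
        if m:
            rejected[(m.group(1), m.group(3))] += 1
        elif "WARNING: " in line:
            warnings.append(line.split("WARNING: ", 1)[1])
    return rejected, warnings

def duplicate_replies(capture, window=0.05):
    """Pair consecutive packets with the same destination and length that
    arrive within `window` seconds of each other from different sources."""
    pkts = []
    for line in capture.splitlines():
        m = PACKET.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            pkts.append((t, m.group(2), m.group(4), int(m.group(5))))
    pairs = []
    for (t1, s1, d1, n1), (t2, s2, d2, n2) in zip(pkts, pkts[1:]):
        gap = (t2 - t1).total_seconds()
        if s1 != s2 and d1 == d2 and n1 == n2 and gap <= window:
            pairs.append((s1, s2, gap))
    return pairs
```

On this input every packet from 172.22.16.65 is followed about 20 ms later by a same-length packet from 172.17.50.11, the pattern TuxR's tcpdump check is meant to surface; the two WARNING lines are reported separately from the rejected packets.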