LINUX.ORG.RU

OpenVPN: no pings


I am setting up OpenVPN on Astra Linux. Everything goes well: the tunnel comes up between the server and the client, and pings pass between them. When I add a new client, the tunnel between the server and the new client is established, but pings do not go through. I create and configure the new client exactly the same way as the first one. What could the problem be?

Reply to: comment by Jopich1

Server

# Lowercased and typo-corrected from the posted text: OpenVPN option names are
# case-sensitive, 'Tls-aut' and 'Keeoalive' are not options, and the
# client-config-dir argument (ccd) is taken from the server log further down.
port 1194
proto tcp-server
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
topology subnet
tls-server
tls-auth ta.key 0
tls-timeout 120
auth MD5
cipher AES-128-CBC
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.8.0 255.255.255.0"
route-gateway 10.8.0.1
client-to-client
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
mute 20
script-security 2

Client

# Lowercased and typo-corrected from the posted text ('Tls-aut', 'Keeoalive').
client
port 1194
dev tun
proto tcp-client
ca ca.crt
cert client.crt
key client.key
# dh is only needed with tls-server; it has no effect on a client.
dh dh1024.pem
tls-client
tls-auth ta.key 1
auth MD5
cipher AES-128-CBC
remote 192.168.8.156
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
mute 20
script-security 2
remote-cert-tls server

sarrazin (thread author)
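A linter for the pair of configs above, added here as an example; it is not code from the post or from OpenVPN. It embeds a constructed, trimmed copy of the two configs that keeps the posted 'Tls-aut' and 'Keeoalive' spellings (lowercased) and the argument-less client-config-dir, and reports what a practitioner would check before chasing routing: unknown option names, missing arguments, the HMAC-MD5 data channel, the 1024-bit DH file, and the settings both peers must agree on (cipher, auth, comp-lzo, udp/tcp, tls-auth key direction). The server log further down shows tls-auth actually working, so the posted spelling is a transcription slip, but it is exactly the class of error that makes OpenVPN refuse a main config or, in a ccd file, drop a line. KNOWN_OPTIONS is a hand-picked subset of OpenVPN's options and is an assumption, as are the "weak" thresholds.

```python
"""Lint an OpenVPN 2.x server/client config pair for typos, missing arguments, weak
settings and peer mismatches. Added example for this thread, not code from the post;
KNOWN_OPTIONS is a hand-picked subset of OpenVPN's options (an assumption)."""
import re
import shlex

# Option names are case-sensitive in OpenVPN, so 'Port' is as unknown as 'Tls-aut'.
KNOWN_OPTIONS = {
    "client", "server", "port", "proto", "dev", "ca", "cert", "key", "dh", "topology",
    "tls-server", "tls-client", "tls-auth", "tls-timeout", "auth", "cipher", "push",
    "ifconfig-pool-persist", "route", "route-gateway", "iroute", "client-to-client",
    "client-config-dir", "keepalive", "comp-lzo", "persist-key", "persist-tun",
    "status", "log", "verb", "mute", "script-security", "remote", "remote-cert-tls",
}
# Flag options take no argument; every other option in the subset needs at least one.
NO_ARG = {"client", "tls-server", "tls-client", "client-to-client", "comp-lzo",
          "persist-key", "persist-tun"}
WEAK_AUTH = {"none", "md5"}  # HMAC-MD5 on the data channel, as in the thread


def parse(text):
    """Return [(option, args, lineno)]; lines starting with '#' or ';' are comments."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            out.append((parts[0], parts[1:], n))
    return out


def lint(text, role):
    """Findings for one side; role is 'server' or 'client'."""
    findings, opts = [], {}
    for name, args, n in parse(text):
        if name not in KNOWN_OPTIONS:
            # In the main config this stops OpenVPN at start-up; in a ccd file it is
            # only logged as 'Options error' and the line is dropped.
            findings.append(f"{role}:{n}: unknown option '{name}' (typo?)")
        elif name not in NO_ARG and not args:
            findings.append(f"{role}:{n}: '{name}' is missing its argument")
        else:
            opts.setdefault(name, args)
    auth = opts.get("auth", ["SHA1"])[0].lower()  # OpenVPN's default is SHA1
    if auth in WEAK_AUTH:
        findings.append(f"{role}: auth {auth.upper()} is weak; use SHA256 or stronger")
    dh = re.search(r"(\d{3,4})", opts.get("dh", [""])[0])  # heuristic on names like dh2048.pem
    if role == "server" and dh and int(dh.group(1)) < 2048:
        findings.append(f"{role}: DH file name suggests {dh.group(1)}-bit parameters; use 2048+")
    return findings


def cross_check(server, client):
    """Settings both peers must agree on or each rejects the other's options string."""
    s = {n: [a.lower() for a in args] for n, args, _ in parse(server)}
    c = {n: [a.lower() for a in args] for n, args, _ in parse(client)}
    findings = []
    for opt, default in (("cipher", ["bf-cbc"]), ("auth", ["sha1"]), ("dev", None)):
        if s.get(opt, default) != c.get(opt, default):
            findings.append(f"{opt} differs: server {s.get(opt)} vs client {c.get(opt)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo is set on only one side")
    if s.get("proto", ["udp"])[0].split("-")[0] != c.get("proto", ["udp"])[0].split("-")[0]:
        findings.append("proto (udp/tcp) differs")
    if ("tls-auth" in s) != ("tls-auth" in c):
        findings.append("tls-auth is used on only one side")
    elif "tls-auth" in s and (s["tls-auth"][1:], c["tls-auth"][1:]) not in ((["0"], ["1"]), ([], [])):
        findings.append("tls-auth key direction must be 0 on the server and 1 on the client")
    return findings


# Constructed from the configs posted above (lowercased, key/cert lines dropped),
# keeping the posted 'Tls-aut'/'Keeoalive' typos and the argument-less client-config-dir.
SERVER_CONF = """\
proto tcp-server
dev tun
dh dh1024.pem
tls-server
tls-aut ta.key 0
auth MD5
cipher AES-128-CBC
server 10.8.0.0 255.255.255.0
client-config-dir
keeoalive 10 120
comp-lzo
"""
CLIENT_CONF = """\
client
dev tun
proto tcp-client
tls-client
tls-auth ta.key 1
auth MD5
cipher AES-128-CBC
remote 192.168.8.156
keepalive 10 120
comp-lzo
"""
```

Run lint(SERVER_CONF, "server"), lint(CLIENT_CONF, "client") and cross_check(SERVER_CONF, CLIENT_CONF) on the embedded copies: the server side yields the two typos, the missing ccd argument, MD5 and 1024-bit DH, and the cross-check reports tls-auth on one side only, because the misspelt line never registered as tls-auth. Once the spellings are fixed and auth is SHA256 on both ends, all three return empty lists.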
Reply to: comment by XMs

Server log

Tue Apr  3 13:26:16 2018 us=632593 Current Parameter Settings:
Tue Apr  3 13:26:16 2018 us=632835   config = '/etc/openvpn/server.conf'
Tue Apr  3 13:26:16 2018 us=632854   mode = 1
Tue Apr  3 13:26:16 2018 us=632868   persist_config = DISABLED
Tue Apr  3 13:26:16 2018 us=632881   persist_mode = 1
Tue Apr  3 13:26:16 2018 us=632894   show_ciphers = DISABLED
Tue Apr  3 13:26:16 2018 us=632907   show_digests = DISABLED
Tue Apr  3 13:26:16 2018 us=632920   show_engines = DISABLED
Tue Apr  3 13:26:16 2018 us=632934   genkey = DISABLED
Tue Apr  3 13:26:16 2018 us=632947   key_pass_file = '[UNDEF]'
Tue Apr  3 13:26:16 2018 us=632960   show_tls_ciphers = DISABLED
Tue Apr  3 13:26:16 2018 us=632973 Connection profiles [default]:
Tue Apr  3 13:26:16 2018 us=632987   proto = tcp-server
Tue Apr  3 13:26:16 2018 us=633001   local = '[UNDEF]'
Tue Apr  3 13:26:16 2018 us=633014   local_port = 1194
Tue Apr  3 13:26:16 2018 us=633027   remote = '[UNDEF]'
Tue Apr  3 13:26:16 2018 us=633040   remote_port = 1194
Tue Apr  3 13:26:16 2018 us=633053   remote_float = DISABLED
Tue Apr  3 13:26:16 2018 us=633066   bind_defined = DISABLED
Tue Apr  3 13:26:16 2018 us=633079   bind_local = ENABLED
Tue Apr  3 13:26:16 2018 us=633092 NOTE: --mute triggered...
Tue Apr  3 13:26:16 2018 us=633123 260 variation(s) on previous 20 message(s) suppressed by --mute
Tue Apr  3 13:26:16 2018 us=633150 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 22 2012
Tue Apr  3 13:26:16 2018 us=633495 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr  3 13:26:16 2018 us=639119 Diffie-Hellman initialized with 1024 bit key
Tue Apr  3 13:26:16 2018 us=639837 WARNING: file '/etc/openvpn/server.key' is group or others accessible
Tue Apr  3 13:26:16 2018 us=701850 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Apr  3 13:26:16 2018 us=701963 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:16 2018 us=701983 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:16 2018 us=702018 TLS-Auth MTU parms [ L:1556 D:164 EF:64 EB:0 ET:0 EL:0 ]
Tue Apr  3 13:26:16 2018 us=702082 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Apr  3 13:26:16 2018 us=756568 TUN/TAP device tun0 opened
Tue Apr  3 13:26:16 2018 us=756639 TUN/TAP TX queue length set to 100
Tue Apr  3 13:26:16 2018 us=756666 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr  3 13:26:16 2018 us=756717 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Tue Apr  3 13:26:16 2018 us=917474 Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr  3 13:26:17 2018 us=12692 Listening for incoming TCP connection on [undef]
Tue Apr  3 13:26:17 2018 us=12938 TCPv4_SERVER link local (bound): [undef]
Tue Apr  3 13:26:17 2018 us=12955 TCPv4_SERVER link remote: [undef]
Tue Apr  3 13:26:17 2018 us=12989 MULTI: multi_init called, r=256 v=256
Tue Apr  3 13:26:17 2018 us=146855 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Tue Apr  3 13:26:17 2018 us=188952 IFCONFIG POOL LIST
Tue Apr  3 13:26:17 2018 us=189200 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Apr  3 13:26:17 2018 us=189782 Initialization Sequence Completed
Tue Apr  3 13:26:23 2018 us=145237 MULTI: multi_create_instance called
Tue Apr  3 13:26:23 2018 us=145336 Re-using SSL/TLS context
Tue Apr  3 13:26:23 2018 us=145441 LZO compression initialized
Tue Apr  3 13:26:23 2018 us=145990 Control Channel MTU parms [ L:1556 D:164 EF:64 EB:0 ET:0 EL:0 ]
Tue Apr  3 13:26:23 2018 us=146055 Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr  3 13:26:23 2018 us=146180 Local Options String: 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-128-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-server'
Tue Apr  3 13:26:23 2018 us=146195 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-client'
Tue Apr  3 13:26:23 2018 us=146265 Local Options hash (VER=V4): '97daaa6d'
Tue Apr  3 13:26:23 2018 us=146286 Expected Remote Options hash (VER=V4): 'd06ae81f'
Tue Apr  3 13:26:23 2018 us=146336 TCP connection established with [AF_INET]192.168.8.157:41187
Tue Apr  3 13:26:23 2018 us=146355 TCPv4_SERVER link local: [undef]
Tue Apr  3 13:26:23 2018 us=146370 TCPv4_SERVER link remote: [AF_INET]192.168.8.157:41187
Tue Apr  3 13:26:24 2018 us=115502 192.168.8.157:41187 TLS: Initial packet from [AF_INET]192.168.8.157:41187, sid=7d0b834f a62eb952
Tue Apr  3 13:26:24 2018 us=236630 192.168.8.157:41187 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
Tue Apr  3 13:26:24 2018 us=236803 192.168.8.157:41187 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=client2/name=changeme/emailAddress=mail@host.domain
Tue Apr  3 13:26:24 2018 us=321103 192.168.8.157:41187 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr  3 13:26:24 2018 us=321165 192.168.8.157:41187 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:24 2018 us=321182 192.168.8.157:41187 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr  3 13:26:24 2018 us=321198 192.168.8.157:41187 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:24 2018 us=399424 192.168.8.157:41187 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr  3 13:26:24 2018 us=399502 192.168.8.157:41187 [client2] Peer Connection Initiated with [AF_INET]192.168.8.157:41187
Tue Apr  3 13:26:24 2018 us=399584 client2/192.168.8.157:41187 OPTIONS IMPORT: reading client specific options from: ccd/client2
Tue Apr  3 13:26:24 2018 us=399728 client2/192.168.8.157:41187 Options error: Unrecognized option or missing parameter(s) in ccd/client2:3: irout (2.2.1)
Tue Apr  3 13:26:24 2018 us=399798 client2/192.168.8.157:41187 MULTI: Learn: 10.8.0.3 -> client2/192.168.8.157:41187
Tue Apr  3 13:26:24 2018 us=399816 client2/192.168.8.157:41187 MULTI: primary virtual IP for client2/192.168.8.157:41187: 10.8.0.3
Tue Apr  3 13:26:26 2018 us=572074 client2/192.168.8.157:41187 PUSH: Received control message: 'PUSH_REQUEST'
Tue Apr  3 13:26:26 2018 us=572143 client2/192.168.8.157:41187 send_push_reply(): safe_cap=960
Tue Apr  3 13:26:26 2018 us=572247 client2/192.168.8.157:41187 SENT CONTROL [client2]: 'PUSH_REPLY,route 192.168.8.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.115.2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,route-gateway 10.8.0.1,ifconfig 10.8.0.3 255.255.255.0' (status=1)

sarrazin (thread author)
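A triage script for the server log above, added here as an example and not code from the thread or from OpenVPN. The line worth noticing is "Options error: Unrecognized option or missing parameter(s) in ccd/client2:3: irout": the server rejects the misspelt option, logs it and carries on, so client2 connects and gets its 10.8.0.3 address while whatever that ccd line was meant to do is simply not in effect. The script pulls that out together with the world-readable server.key warning, the 1024-bit DH parameters, the TLSv1 control channel on a 1024-bit RSA certificate, the HMAC-MD5 data channel, and the contents of the PUSH_REPLY (where route-gateway is pushed twice and redirect-gateway is pushed to a client that, per its own log, has no readable default gateway). SAMPLE_LOG is a trimmed copy of the posted log; the regexes target OpenVPN 2.2 message formats as they appear in it and are an assumption for other versions.

```python
"""Triage an OpenVPN server log for what bites in threads like this one: ccd options
that were rejected but not fatal, world-readable key files, weak negotiated parameters
and what was actually pushed to each client. Added example for this thread, not code
from the post. SAMPLE_LOG is a trimmed copy of the server log posted above."""
import re
from collections import Counter

# Message formats as they appear in the OpenVPN 2.2 log above (assumption elsewhere).
PATTERNS = {
    "ccd_error": re.compile(r"Options error: .* in (ccd/\S+):(\d+): (\S+)"),
    "key_perm": re.compile(r"WARNING: file '([^']+)' is group or others accessible"),
    "dh_bits": re.compile(r"Diffie-Hellman initialized with (\d+) bit key"),
    "tls": re.compile(r"Control Channel: (TLSv[\d.]+), cipher (.+?), (\d+) bit RSA"),
    "hmac": re.compile(r"Using \d+ bit message hash '(\w+)' for HMAC"),
    "learn": re.compile(r"MULTI: Learn: (\S+) -> ([^/]+)/"),
    "push": re.compile(r"SENT CONTROL \[([^\]]+)\]: 'PUSH_REPLY,(.*)'"),
}


def triage(log):
    """Return {'findings': [...], 'clients': {cn: virtual_ip}, 'pushed': {cn: [options]}}."""
    report = {"findings": [], "clients": {}, "pushed": {}}
    add = report["findings"].append
    hmac_seen = set()
    for line in log.splitlines():
        if m := PATTERNS["ccd_error"].search(line):
            path, ln, opt = m.groups()
            # The server logs this and carries on, so whatever the line was meant
            # to do (an iroute, say) is not in effect for that client.
            add(f"{path}:{ln}: option '{opt}' rejected; that client-specific line is not applied")
        elif m := PATTERNS["key_perm"].search(line):
            add(f"{m.group(1)} is readable by group/others; chmod 600 it")
        elif m := PATTERNS["dh_bits"].search(line):
            if int(m.group(1)) < 2048:
                add(f"Diffie-Hellman parameters are only {m.group(1)} bits")
        elif m := PATTERNS["tls"].search(line):
            ver, suite, bits = m.groups()
            if ver in ("TLSv1", "TLSv1.1") or int(bits) < 2048:
                add(f"control channel negotiated {ver} with {bits}-bit RSA ({suite})")
        elif m := PATTERNS["hmac"].search(line):
            alg = m.group(1).upper()
            if alg in ("MD5", "NONE") and alg not in hmac_seen:
                hmac_seen.add(alg)  # the same message repeats for control and data channels
                add(f"HMAC uses {alg}; set auth SHA256 on both peers")
        elif m := PATTERNS["learn"].search(line):
            report["clients"][m.group(2)] = m.group(1)
        elif m := PATTERNS["push"].search(line):
            cn, opts = m.group(1), m.group(2).split(",")
            report["pushed"][cn] = opts
            dups = sorted(o for o, k in Counter(opts).items() if k > 1)
            if dups:
                add(f"{cn}: pushed options duplicated: {dups}")
            if any(o.startswith("redirect-gateway") for o in opts):
                add(f"{cn}: redirect-gateway pushed; the client must have a readable default route")
    return report


# Trimmed from the server log posted in this thread.
SAMPLE_LOG = """\
Tue Apr  3 13:26:16 2018 us=639119 Diffie-Hellman initialized with 1024 bit key
Tue Apr  3 13:26:16 2018 us=639837 WARNING: file '/etc/openvpn/server.key' is group or others accessible
Tue Apr  3 13:26:16 2018 us=701963 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:16 2018 us=701983 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:24 2018 us=399424 192.168.8.157:41187 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr  3 13:26:24 2018 us=399728 client2/192.168.8.157:41187 Options error: Unrecognized option or missing parameter(s) in ccd/client2:3: irout (2.2.1)
Tue Apr  3 13:26:24 2018 us=399798 client2/192.168.8.157:41187 MULTI: Learn: 10.8.0.3 -> client2/192.168.8.157:41187
Tue Apr  3 13:26:26 2018 us=572247 client2/192.168.8.157:41187 SENT CONTROL [client2]: 'PUSH_REPLY,route 192.168.8.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.115.2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,route-gateway 10.8.0.1,ifconfig 10.8.0.3 255.255.255.0' (status=1)
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for cn, ip in report["clients"].items():
        print(f"{cn}: virtual IP {ip}, pushed {len(report['pushed'].get(cn, []))} options")
    for finding in report["findings"]:
        print("!", finding)
```

On the trimmed log this yields seven findings and maps client2 to 10.8.0.3. Run it over the full /etc/openvpn/openvpn.log on the server (verb 4 is already set) to see the same for every connecting client.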
Reply to: comment by XMs

Client log

Tue Apr  3 13:26:23 2018 us=79461 Current Parameter Settings:
Tue Apr  3 13:26:23 2018 us=79710   config = '/etc/openvpn/client2.conf'
Tue Apr  3 13:26:23 2018 us=79728   mode = 0
Tue Apr  3 13:26:23 2018 us=79742   persist_config = DISABLED
Tue Apr  3 13:26:23 2018 us=79756   persist_mode = 1
Tue Apr  3 13:26:23 2018 us=79770   show_ciphers = DISABLED
Tue Apr  3 13:26:23 2018 us=79783   show_digests = DISABLED
Tue Apr  3 13:26:23 2018 us=79796   show_engines = DISABLED
Tue Apr  3 13:26:23 2018 us=79810   genkey = DISABLED
Tue Apr  3 13:26:23 2018 us=79823   key_pass_file = '[UNDEF]'
Tue Apr  3 13:26:23 2018 us=79836   show_tls_ciphers = DISABLED
Tue Apr  3 13:26:23 2018 us=79849 Connection profiles [default]:
Tue Apr  3 13:26:23 2018 us=79863   proto = tcp-client
Tue Apr  3 13:26:23 2018 us=79877   local = '[UNDEF]'
Tue Apr  3 13:26:23 2018 us=79890   local_port = 0
Tue Apr  3 13:26:23 2018 us=79904   remote = '192.168.8.156'
Tue Apr  3 13:26:23 2018 us=79917   remote_port = 1194
Tue Apr  3 13:26:23 2018 us=79931   remote_float = DISABLED
Tue Apr  3 13:26:23 2018 us=79944   bind_defined = DISABLED
Tue Apr  3 13:26:23 2018 us=79958   bind_local = DISABLED
Tue Apr  3 13:26:23 2018 us=79971 NOTE: --mute triggered...
Tue Apr  3 13:26:23 2018 us=80001 253 variation(s) on previous 20 message(s) suppressed by --mute
Tue Apr  3 13:26:23 2018 us=80028 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 22 2012
Tue Apr  3 13:26:23 2018 us=80203 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr  3 13:26:23 2018 us=81181 WARNING: file '/etc/openvpn/client2.key' is group or others accessible
Tue Apr  3 13:26:23 2018 us=81794 WARNING: file 'ta.key' is group or others accessible
Tue Apr  3 13:26:23 2018 us=81813 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Apr  3 13:26:23 2018 us=81844 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:23 2018 us=81862 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:23 2018 us=81939 LZO compression initialized
Tue Apr  3 13:26:23 2018 us=82092 Control Channel MTU parms [ L:1556 D:164 EF:64 EB:0 ET:0 EL:0 ]
Tue Apr  3 13:26:23 2018 us=82180 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Apr  3 13:26:23 2018 us=82204 Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr  3 13:26:23 2018 us=82233 Local Options String: 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-client'
Tue Apr  3 13:26:23 2018 us=82248 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-128-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-server'
Tue Apr  3 13:26:23 2018 us=82268 Local Options hash (VER=V4): 'd06ae81f'
Tue Apr  3 13:26:23 2018 us=82286 Expected Remote Options hash (VER=V4): '97daaa6d'
Tue Apr  3 13:26:23 2018 us=92692 Attempting to establish TCP connection with [AF_INET]192.168.8.156:1194 [nonblock]
Tue Apr  3 13:26:24 2018 us=93462 TCP connection established with [AF_INET]192.168.8.156:1194
Tue Apr  3 13:26:24 2018 us=93548 TCPv4_CLIENT link local: [undef]
Tue Apr  3 13:26:24 2018 us=93572 TCPv4_CLIENT link remote: [AF_INET]192.168.8.156:1194
Tue Apr  3 13:26:24 2018 us=95239 TLS: Initial packet from [AF_INET]192.168.8.156:1194, sid=03dff593 3ef66ad3
Tue Apr  3 13:26:24 2018 us=175463 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
Tue Apr  3 13:26:24 2018 us=175851 VERIFY OK: nsCertType=SERVER
Tue Apr  3 13:26:24 2018 us=175875 Validating certificate key usage
Tue Apr  3 13:26:24 2018 us=175903 ++ Certificate has key usage  00a0, expects 00a0
Tue Apr  3 13:26:24 2018 us=175918 VERIFY KU OK
Tue Apr  3 13:26:24 2018 us=175942 Validating certificate extended key usage
Tue Apr  3 13:26:24 2018 us=175989 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr  3 13:26:24 2018 us=176006 VERIFY EKU OK
Tue Apr  3 13:26:24 2018 us=176019 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=server/name=changeme/emailAddress=mail@host.domain
Tue Apr  3 13:26:24 2018 us=339215 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr  3 13:26:24 2018 us=339280 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:24 2018 us=339298 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr  3 13:26:24 2018 us=339314 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Apr  3 13:26:24 2018 us=339400 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr  3 13:26:24 2018 us=339442 [server] Peer Connection Initiated with [AF_INET]192.168.8.156:1194
Tue Apr  3 13:26:26 2018 us=551063 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Apr  3 13:26:26 2018 us=592046 PUSH: Received control message: 'PUSH_REPLY,route 192.168.8.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.115.2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,route-gateway 10.8.0.1,ifconfig 10.8.0.3 255.255.255.0'
Tue Apr  3 13:26:26 2018 us=592239 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr  3 13:26:26 2018 us=592257 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr  3 13:26:26 2018 us=592270 OPTIONS IMPORT: route options modified
Tue Apr  3 13:26:26 2018 us=592282 OPTIONS IMPORT: route-related options modified
Tue Apr  3 13:26:26 2018 us=592295 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Apr  3 13:26:26 2018 us=592510 ROUTE: default_gateway=UNDEF
Tue Apr  3 13:26:26 2018 us=598452 TUN/TAP device tun0 opened
Tue Apr  3 13:26:26 2018 us=598502 TUN/TAP TX queue length set to 100
Tue Apr  3 13:26:26 2018 us=598525 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr  3 13:26:26 2018 us=598563 /sbin/ifconfig tun0 10.8.0.3 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Tue Apr  3 13:26:26 2018 us=651669 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Tue Apr  3 13:26:26 2018 us=651850 /sbin/route add -net 192.168.8.0 netmask 255.255.255.0 gw 10.8.0.1
Tue Apr  3 13:26:26 2018 us=654876 Initialization Sequence Completed

sarrazin (thread author)

Reply to: comment by lasthappy

Yes, I found the cause. Somehow a stray route was being added automatically on the second client, redirecting packets in who knows what direction. I removed it and everything worked.

sarrazin (thread author)
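The fix turned out to be a stray route on the second client. A way to find such a route on any OpenVPN client, added here as an example and not the author's code: parse the output of ip -4 route, resolve destinations by longest prefix match with metric as tie-break (the same rule the kernel applies; ip route get is the authoritative answer), and flag three things: a tunnel address (here the VPN gateway 10.8.0.1) that would leave via the LAN instead of tun0, the server's transport address 192.168.8.156 being routed into the tunnel (recursive routing), and routes pointing into tun0 that the server never pushed. ROUTE_DUMP is a constructed listing for a client like client2; its 10.8.0.0/25 and 172.16.0.0/16 entries are invented stand-ins for a stray route and are not the route the author removed, which the thread does not show.

```python
"""Work out which kernel route a destination takes and flag routes that break an
OpenVPN client: tunnel addresses that leave via the LAN, the VPN transport endpoint
routed into the tunnel, and routes into the tunnel the server never pushed. Added
example for this thread, not code from the post. ROUTE_DUMP is a constructed
'ip -4 route' listing; the 10.8.0.0/25 and 172.16.0.0/16 entries are invented stray
routes, not the one the author found."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int


def parse_routes(dump):
    """Parse 'ip -4 route' output (prefix, dev, via, metric; other fields ignored)."""
    routes = []
    for line in dump.splitlines():
        f = line.split()
        if not f:
            continue

        def field(key, f=f):
            return f[f.index(key) + 1] if key in f else None

        prefix = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        routes.append(Route(prefix, field("dev"), field("via"), int(field("metric") or 0)))
    return routes


def route_for(routes, dst):
    """Longest-prefix match, lowest metric as tie-break (approximates 'ip route get')."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric), default=None)


def audit(routes, vpn_net, tun_dev, vpn_gw, remote, pushed):
    """Findings for a client whose tunnel is tun_dev on vpn_net, talking to the OpenVPN
    server at transport address `remote`, with `pushed` the server-pushed prefixes."""
    findings = []
    gw = route_for(routes, vpn_gw)
    if gw is None or gw.dev != tun_dev:
        where = f"{gw.prefix} dev {gw.dev}" if gw else "no route"
        findings.append(f"{vpn_gw} (VPN gateway) goes to {where}, not {tun_dev}: pings to the server die here")
    rem = route_for(routes, remote)
    if rem is not None and rem.dev == tun_dev:
        findings.append(f"VPN endpoint {remote} is routed into {tun_dev} via {rem.prefix}: recursive routing")
    allowed = {ipaddress.ip_network(p, strict=False) for p in pushed} | {vpn_net}
    for r in routes:
        if r.dev == tun_dev and r.prefix not in allowed:
            findings.append(f"{r.prefix} dev {tun_dev} was never pushed by the server: stray route")
    return findings


# Constructed 'ip -4 route' output for a client like client2 (192.168.8.157, tun0 10.8.0.3).
# 10.8.0.0/25 via eth0 and 172.16.0.0/16 via tun0 are invented stray entries.
ROUTE_DUMP = """\
default via 192.168.8.1 dev eth0 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3
10.8.0.0/25 via 192.168.8.1 dev eth0
172.16.0.0/16 via 10.8.0.1 dev tun0
192.168.8.0/24 dev eth0 proto kernel scope link src 192.168.8.157
"""
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

if __name__ == "__main__":
    routes = parse_routes(ROUTE_DUMP)
    for dst in ("10.8.0.1", "10.8.0.200", "192.168.8.156"):
        r = route_for(routes, dst)
        print(f"{dst:16} -> {r.prefix} dev {r.dev}")
    for finding in audit(routes, VPN_NET, "tun0", "10.8.0.1", "192.168.8.156", ["192.168.8.0/24"]):
        print("!", finding)
```

On the constructed dump the more specific 10.8.0.0/25 wins over the tunnel's 10.8.0.0/24, so 10.8.0.1 is sent out eth0 and the ping never reaches the server, while 10.8.0.200 still goes through tun0; that split is the signature of a stray route rather than a broken tunnel. On a real client, feed it the output of ip -4 route and confirm with ip route get 10.8.0.1 before deleting anything.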