Допоможіть підняти OpenVPN

[Tomkat]

Доброго дня ! Вивчаючи дану тему було прочитано досить багато матеріалу, спробувано багато конфігів, але результат один - клієнт не підключається.
Система : Дебіан 5
Встановлено сервер OpenVPN з системного репозитарію, ключі згенеровано.
Клієнта використовую OpenVPN GUI for Windows з http://openvpn.se/
Чи можна знайти якусь більш-менш узагальнену інформацію , вияснити як саме має бути налаштовано . Дякую.

[anatolijd]

на це може бути багато причин - нема конекта з сервером, не знайдено ключ, не валідний ключ, клієнт немає привілеїв додати маршрут в клієнтську систему .
включіть логгінг на клієнті і на сервері і дивіться на чому процес зупиняється перед тим як піти на повторне з'єднання.

[pawel_chk]

Для початку не зле б було показати логи сервера і клієнта,тоді про щось можна говорити.. А загалом при допомозі гугла можно знайти повно описів підняття OpenVpn

[Tomkat]

Для початку не зле б було показати логи сервера і клієнта,тоді про щось можна говорити..

так, так, все вірно,  я поспішив поставити питання, логи залишились в іншому місці .доберусь до них, все розпишу ..

А загалом при допомозі гугла можно знайти повно описів підняття OpenVpn

я їх знайшов, багато.. всі різні спробував десь 4 чи 5 конфігів ... але все так ...
трохи піздніше викладу логи

[Tomkat]

Ось лог сервера

Код: [Вибрати]

Tue Dec  4 18:47:26 2012 193.23.23.2:13164 Re-using SSL/TLS context
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 LZO compression initialized
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 Local Options hash (VER=V4): '360696c5'
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 Expected Remote Options hash (VER=V4): '13a273ba'
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 TLS: Initial packet from 193.23.23.2:13164, sid=6a248dee
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 VERIFY ERROR: depth=1, error=self signed certificate in c
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 TLS_ERROR: BIO read tls_read_plaintext error: error:14089
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 TLS Error: TLS object -> incoming plaintext read error
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 TLS Error: TLS handshake failed
Tue Dec  4 18:47:26 2012 193.23.23.2:13164 SIGUSR1[soft,tls-error] received, client-instance restart
Tue Dec  4 18:48:28 2012 MULTI: multi_create_instance called
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 Re-using SSL/TLS context
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 LZO compression initialized
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 Local Options hash (VER=V4): '360696c5'
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 Expected Remote Options hash (VER=V4): '13a273ba'
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 TLS: Initial packet from 193.23.23.2:13241, sid=1bfa361a
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 VERIFY ERROR: depth=1, error=self signed certificate in c
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 TLS_ERROR: BIO read tls_read_plaintext error: error:14089
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 TLS Error: TLS object -> incoming plaintext read error
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 TLS Error: TLS handshake failed
Tue Dec  4 18:48:28 2012 193.23.23.2:13241 SIGUSR1[soft,tls-error] received, client-instance restart




[Tomkat]

а ось лог клієнта

Код: [Вибрати]

Tue Dec 04 17:47:25 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Tue Dec 04 17:47:25 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Dec 04 17:47:25 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 04 17:47:25 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Dec 04 17:47:25 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 04 17:47:25 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 04 17:47:25 2012 LZO compression initialized
Tue Dec 04 17:47:25 2012 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Dec 04 17:47:25 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Dec 04 17:47:25 2012 Local Options hash (VER=V4): '13a273ba'
Tue Dec 04 17:47:25 2012 Expected Remote Options hash (VER=V4): '360696c5'
Tue Dec 04 17:47:25 2012 UDPv4 link local: [undef]
Tue Dec 04 17:47:25 2012 UDPv4 link remote: 193.23.23.1:1194
Tue Dec 04 17:47:25 2012 TLS: Initial packet from 193.23.23.1:1194, sid=3a4de361 6b07916b
Tue Dec 04 17:47:25 2012 VERIFY OK: depth=1, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=Home_server_CA/emailAddress=tomkat@userv.localhome
Tue Dec 04 17:47:25 2012 VERIFY OK: depth=0, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=userv/emailAddress=tomkat@userv.localhome
Tue Dec 04 17:48:24 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 04 17:48:24 2012 TLS Error: TLS handshake failed
Tue Dec 04 17:48:24 2012 TCP/UDP: Closing socket
Tue Dec 04 17:48:24 2012 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 04 17:48:24 2012 Restart pause, 2 second(s)
Tue Dec 04 17:48:26 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Dec 04 17:48:26 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 04 17:48:26 2012 Re-using SSL/TLS context
Tue Dec 04 17:48:26 2012 LZO compression initialized
Tue Dec 04 17:48:26 2012 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Dec 04 17:48:26 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Dec 04 17:48:26 2012 Local Options hash (VER=V4): '13a273ba'
Tue Dec 04 17:48:26 2012 Expected Remote Options hash (VER=V4): '360696c5'
Tue Dec 04 17:48:26 2012 UDPv4 link local: [undef]
Tue Dec 04 17:48:26 2012 UDPv4 link remote: 193.23.23.1:1194
Tue Dec 04 17:48:26 2012 TLS: Initial packet from 193.23.23.1:1194, sid=019cfea5 705c1ca8
Tue Dec 04 17:48:26 2012 VERIFY OK: depth=1, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=Home_server_CA/emailAddress=tomkat@userv.localhome
Tue Dec 04 17:48:26 2012 VERIFY OK: depth=0, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=userv/emailAddress=tomkat@userv.localhome
Tue Dec 04 17:48:31 2012 TCP/UDP: Closing socket
Tue Dec 04 17:48:31 2012 SIGTERM[hard,] received, process exiting


[Tomkat]

Змінив на
    proto tcp
отримав лог клієнта

Код: [Вибрати]

Tue Dec 04 22:17:46 2012 Attempting to establish TCP connection with 193.23.23.1:1194
Tue Dec 04 22:17:47 2012 TCP: connect to 193.23.23.1:1194 failed, will try again in 5 seconds
Tue Dec 04 22:17:53 2012 TCP: connect to 193.23.23.1:1194 failed, will try again in 5 seconds
Tue Dec 04 22:17:59 2012 TCP/UDP: Closing socket
Tue Dec 04 22:17:59 2012 SIGTERM[hard,init_instance] received, process exiting
телнетом теж не вдається причепитись ..В мене банально закрито порт ....
але я відкриваю його

Код: [Вибрати]

$IPT -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
але результат той самий

[pawel_chk]

на разі повернись до роботи через udp, виглядає на то що є проблеми зі створенням сертифікатів..  

#Dec  4 18:47:26 2012 193.23.23.2:13164 VERIFY ERROR: depth=1, error=self signed certificate in c#

покажи ще конфіг сервера.Сертифікат сервера в кліента використовуеться? Підніми рівень журналізаціі до 5-6.

Проходження пакетів можеш контролювати за доп. tcpdump або iptraf

і почитай от це http://forum.pfsense.org/index.php?topic=26365.0 - дуже схоже на твою ситуацію...

При створенні раджу користуватись скриптиком ../openvpn/easy-rsa/vars

[Tomkat]

покажи ще конфіг сервера

конфіг

Код: [Вибрати]

   port 1194

    # TCP or UDP server?
    ;proto tcp
    proto udp

    dev tap
    ;dev tun

    ca ca.crt
    cert userv.crt
    key userv.key  # This file should be kept secret

    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    tls-auth ta.key 0 # This file is secret
    comp-lzo
    ;max-clients 100
    ;user nobody
    ;group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3


Сертифікат сервера в кліента використовуеться?

тільки  ca.crt , dh1024.pem, ta.key та клієнтські

Підніми рівень журналізаціі до 5-6.

це verb 5 ?

При створенні раджу користуватись скриптиком ../openvpn/easy-rsa/vars

користувався, але хіба його достатньо ?
робив за схемою

Код: [Вибрати]

. ./vars
./clean-all
./build-ca
./pkitool user
./pkitool --server server
./build-dh
openvpn --genkey --secret keys/ta.key
але чому ж я не можу на 1194 порт Телнетом зайти відкрито ж ....

[pawel_chk]

конфіг

Код: [Вибрати]

   port 1194

    # TCP or UDP server?
    ;proto tcp
    proto udp

    dev tap
    ;dev tun

    ca ca.crt
    cert userv.crt
    key userv.key  # This file should be kept secret

    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    tls-auth ta.key 0 # This file is secret
    comp-lzo
    ;max-clients 100
    ;user nobody
    ;group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3


нібито потрібно ще:
mode server
tls-server

замість ifconfig-pool-persist....
на початок я б дав
server 192.168.0.0 255.255.255.0  (в такому випадку ір tun0 буде 192,168,0,1)

коли все запрацює тоді будеш розбиратись з ifconfig-pool-persist


юзера та групу теж бажано вказати (nobody nogroup)

Підніми рівень журналізаціі до 5-6.

це verb 5 ?

Саме так

але чому ж я не можу на 1194 порт Телнетом зайти відкрито ж ....

Тому що це на разі UDP порт..

Ще раз кажу - використовуй tcpdump,він чудово покаже проходження пакетів(любих,який фільтр напишеш так і покаже)..

для прикладу :
 tcpdump -i ppp0 not port 22 and port 1194   і побачиш тут все що стосується 1194 порта (TCP та UDP)

Також радив би відкатку почати в локальній мережі де гарантовано нема фаєрволів..

[Tomkat]

нібито потрібно ще:
mode server
tls-server

хм.. у прикладах не зустрічав , але пропишу, подивимось...

юзера та групу теж бажанно вказати

не питання ...
   user nobody
   group nobody

Тому що це на разі UDP порт..

так, змолов дурницю   але пробував і на TCP - не вийшло

Також радив би відкатку почати в локальній мережі де гарантовано нема фаєрволів..

саме так і роблю :
сервер має дві мережівки - одна у світ, інша - в мій комп з віндою ... от і намагаюсь тестувати ...

[Tomkat]

эээ, ще таке собі питяння

при включенні опції
   user nobody
   group nobody

сервер не стартує взагалі !

[Tomkat]

все зробив , як було сказано , лог клієнта

Код: [Вибрати]

00:08:54 2012 us=220958 Current Parameter Settings:
Wed Dec 05 00:08:54 2012 us=221009   config = 'client.ovpn'
Wed Dec 05 00:08:54 2012 us=221024   mode = 0
Wed Dec 05 00:08:54 2012 us=221037   show_ciphers = DISABLED
Wed Dec 05 00:08:54 2012 us=221049   show_digests = DISABLED
Wed Dec 05 00:08:54 2012 us=221061   show_engines = DISABLED
Wed Dec 05 00:08:54 2012 us=221073   genkey = DISABLED
Wed Dec 05 00:08:54 2012 us=221084   key_pass_file = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221096   show_tls_ciphers = DISABLED
Wed Dec 05 00:08:54 2012 us=221107   proto = 0
Wed Dec 05 00:08:54 2012 us=221118   local = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221131   remote_list[0] = {'193.23.23.1', 1194}
Wed Dec 05 00:08:54 2012 us=221142   remote_random = DISABLED
Wed Dec 05 00:08:54 2012 us=221154   local_port = 1194
Wed Dec 05 00:08:54 2012 us=221166   remote_port = 1194
Wed Dec 05 00:08:54 2012 us=221177   remote_float = DISABLED
Wed Dec 05 00:08:54 2012 us=221188   ipchange = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221199   bind_local = DISABLED
Wed Dec 05 00:08:54 2012 us=221210   dev = 'tun'
Wed Dec 05 00:08:54 2012 us=221231   dev_type = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221251   dev_node = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221282   tun_ipv6 = DISABLED
Wed Dec 05 00:08:54 2012 us=221304   ifconfig_local = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221324   ifconfig_remote_netmask = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221343   ifconfig_noexec = DISABLED
Wed Dec 05 00:08:54 2012 us=221360   ifconfig_nowarn = DISABLED
Wed Dec 05 00:08:54 2012 us=221377   shaper = 0
Wed Dec 05 00:08:54 2012 us=221394   tun_mtu = 1500
Wed Dec 05 00:08:54 2012 us=221413   tun_mtu_defined = ENABLED
Wed Dec 05 00:08:54 2012 us=221430   link_mtu = 1500
Wed Dec 05 00:08:54 2012 us=221448   link_mtu_defined = DISABLED
Wed Dec 05 00:08:54 2012 us=221466   tun_mtu_extra = 0
Wed Dec 05 00:08:54 2012 us=221484   tun_mtu_extra_defined = DISABLED
Wed Dec 05 00:08:54 2012 us=221502   fragment = 0
Wed Dec 05 00:08:54 2012 us=221518   mtu_discover_type = -1
Wed Dec 05 00:08:54 2012 us=221536   mtu_test = 0
Wed Dec 05 00:08:54 2012 us=221553   mlock = DISABLED
Wed Dec 05 00:08:54 2012 us=221572   keepalive_ping = 0
Wed Dec 05 00:08:54 2012 us=221592   keepalive_timeout = 0
Wed Dec 05 00:08:54 2012 us=221610   inactivity_timeout = 0
Wed Dec 05 00:08:54 2012 us=221629   ping_send_timeout = 0
Wed Dec 05 00:08:54 2012 us=221647   ping_rec_timeout = 120
Wed Dec 05 00:08:54 2012 us=221666   ping_rec_timeout_action = 2
Wed Dec 05 00:08:54 2012 us=221685   ping_timer_remote = DISABLED
Wed Dec 05 00:08:54 2012 us=221705   remap_sigusr1 = 0
Wed Dec 05 00:08:54 2012 us=221725   explicit_exit_notification = 0
Wed Dec 05 00:08:54 2012 us=221742   persist_tun = ENABLED
Wed Dec 05 00:08:54 2012 us=221760   persist_local_ip = DISABLED
Wed Dec 05 00:08:54 2012 us=221777   persist_remote_ip = DISABLED
Wed Dec 05 00:08:54 2012 us=221795   persist_key = ENABLED
Wed Dec 05 00:08:54 2012 us=221815   mssfix = 1450
Wed Dec 05 00:08:54 2012 us=221836   resolve_retry_seconds = 1000000000
Wed Dec 05 00:08:54 2012 us=221857   connect_retry_seconds = 5
Wed Dec 05 00:08:54 2012 us=221876   username = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221895   groupname = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221913   chroot_dir = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221933   cd_dir = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221952   writepid = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221970   up_script = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=221982   down_script = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=222000   down_pre = DISABLED
Wed Dec 05 00:08:54 2012 us=222014   up_restart = DISABLED
Wed Dec 05 00:08:54 2012 us=222025   up_delay = DISABLED
Wed Dec 05 00:08:54 2012 us=222037   daemon = DISABLED
Wed Dec 05 00:08:54 2012 us=222048   inetd = 0
Wed Dec 05 00:08:54 2012 us=222059   log = DISABLED
Wed Dec 05 00:08:54 2012 us=222071   suppress_timestamps = DISABLED
Wed Dec 05 00:08:54 2012 us=222082   nice = 0
Wed Dec 05 00:08:54 2012 us=222093   verbosity = 5
Wed Dec 05 00:08:54 2012 us=386430   mute = 0
Wed Dec 05 00:08:54 2012 us=386457   gremlin = 0
Wed Dec 05 00:08:54 2012 us=386477   status_file = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=386496   status_file_version = 1
Wed Dec 05 00:08:54 2012 us=386514   status_file_update_freq = 60
Wed Dec 05 00:08:54 2012 us=386532   occ = ENABLED
Wed Dec 05 00:08:54 2012 us=386551   rcvbuf = 0
Wed Dec 05 00:08:54 2012 us=386568   sndbuf = 0
Wed Dec 05 00:08:54 2012 us=386587   socks_proxy_server = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=386613   socks_proxy_port = 0
Wed Dec 05 00:08:54 2012 us=398775   socks_proxy_retry = DISABLED
Wed Dec 05 00:08:54 2012 us=398811   fast_io = DISABLED
Wed Dec 05 00:08:54 2012 us=398834   comp_lzo = ENABLED
Wed Dec 05 00:08:54 2012 us=398851   comp_lzo_adaptive = ENABLED
Wed Dec 05 00:08:54 2012 us=398868   route_script = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=398885   route_default_gateway = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=398902   route_noexec = DISABLED
Wed Dec 05 00:08:54 2012 us=398920   route_delay = 0
Wed Dec 05 00:08:54 2012 us=398937   route_delay_window = 30
Wed Dec 05 00:08:54 2012 us=398957   route_delay_defined = ENABLED
Wed Dec 05 00:08:54 2012 us=398977   management_addr = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=398999   management_port = 0
Wed Dec 05 00:08:54 2012 us=399018   management_user_pass = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=399039   management_log_history_cache = 250
Wed Dec 05 00:08:54 2012 us=399059   management_echo_buffer_size = 100
Wed Dec 05 00:08:54 2012 us=399079   management_query_passwords = DISABLED
Wed Dec 05 00:08:54 2012 us=419249   management_hold = DISABLED
Wed Dec 05 00:08:54 2012 us=419278   shared_secret_file = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=419300   key_direction = 2
Wed Dec 05 00:08:54 2012 us=419318   ciphername_defined = ENABLED
Wed Dec 05 00:08:54 2012 us=419358   ciphername = 'BF-CBC'
Wed Dec 05 00:08:54 2012 us=419379   authname_defined = ENABLED
Wed Dec 05 00:08:54 2012 us=419400   authname = 'SHA1'
Wed Dec 05 00:08:54 2012 us=419417   keysize = 0
Wed Dec 05 00:08:54 2012 us=419436   engine = DISABLED
Wed Dec 05 00:08:54 2012 us=419454   replay = ENABLED
Wed Dec 05 00:08:54 2012 us=419486   mute_replay_warnings = DISABLED
Wed Dec 05 00:08:54 2012 us=419507   replay_window = 64
Wed Dec 05 00:08:54 2012 us=419695   replay_time = 15
Wed Dec 05 00:08:54 2012 us=419740   packet_id_file = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=419761   use_iv = ENABLED
Wed Dec 05 00:08:54 2012 us=434700   test_crypto = DISABLED
Wed Dec 05 00:08:54 2012 us=434729   tls_server = DISABLED
Wed Dec 05 00:08:54 2012 us=434750   tls_client = ENABLED
Wed Dec 05 00:08:54 2012 us=434769   key_method = 2
Wed Dec 05 00:08:54 2012 us=434788   ca_file = 'ca.crt'
Wed Dec 05 00:08:54 2012 us=434813   dh_file = 'dh1024.pem'
Wed Dec 05 00:08:54 2012 us=434838   cert_file = 'tomkat.crt'
Wed Dec 05 00:08:54 2012 us=434858   priv_key_file = 'tomkat.key'
Wed Dec 05 00:08:54 2012 us=434876   pkcs12_file = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=434896   cryptoapi_cert = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=434916   cipher_list = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=434935   tls_verify = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=434953   tls_remote = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=434973   crl_file = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=434991   ns_cert_type = 0
Wed Dec 05 00:08:54 2012 us=435010   tls_timeout = 2
Wed Dec 05 00:08:54 2012 us=435028   renegotiate_bytes = 0
Wed Dec 05 00:08:54 2012 us=449076   renegotiate_packets = 0
Wed Dec 05 00:08:54 2012 us=449106   renegotiate_seconds = 3600
Wed Dec 05 00:08:54 2012 us=449126   handshake_window = 60
Wed Dec 05 00:08:54 2012 us=449145   transition_window = 3600
Wed Dec 05 00:08:54 2012 us=449163   single_session = DISABLED
Wed Dec 05 00:08:54 2012 us=449192   tls_exit = DISABLED
Wed Dec 05 00:08:54 2012 us=449213   tls_auth_file = 'ta.key'
Wed Dec 05 00:08:54 2012 us=449249   server_network = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=449272   server_netmask = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=449295   server_bridge_ip = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=449317   server_bridge_netmask = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=449339   server_bridge_pool_start = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=449361   server_bridge_pool_end = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=449382   ifconfig_pool_defined = DISABLED
Wed Dec 05 00:08:54 2012 us=449403   ifconfig_pool_start = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=465329   ifconfig_pool_end = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=465359   ifconfig_pool_netmask = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=465381   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=465402   ifconfig_pool_persist_refresh_freq = 600
Wed Dec 05 00:08:54 2012 us=465426   ifconfig_pool_linear = DISABLED
Wed Dec 05 00:08:54 2012 us=465454   n_bcast_buf = 256
Wed Dec 05 00:08:54 2012 us=465474   tcp_queue_limit = 64
Wed Dec 05 00:08:54 2012 us=465492   real_hash_size = 256
Wed Dec 05 00:08:54 2012 us=465511   virtual_hash_size = 256
Wed Dec 05 00:08:54 2012 us=465529   client_connect_script = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=465548   learn_address_script = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=465567   client_disconnect_script = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=465621   client_config_dir = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=465640   ccd_exclusive = DISABLED
Wed Dec 05 00:08:54 2012 us=465678   tmp_dir = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=480287   push_ifconfig_defined = DISABLED
Wed Dec 05 00:08:54 2012 us=480320   push_ifconfig_local = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=480344   push_ifconfig_remote_netmask = 0.0.0.0
Wed Dec 05 00:08:54 2012 us=480365   enable_c2c = DISABLED
Wed Dec 05 00:08:54 2012 us=480383   duplicate_cn = DISABLED
Wed Dec 05 00:08:54 2012 us=480413   cf_max = 0
Wed Dec 05 00:08:54 2012 us=480434   cf_per = 0
Wed Dec 05 00:08:54 2012 us=480453   max_clients = 1024
Wed Dec 05 00:08:54 2012 us=480473   max_routes_per_client = 256
Wed Dec 05 00:08:54 2012 us=480493   client_cert_not_required = DISABLED
Wed Dec 05 00:08:54 2012 us=480513   username_as_common_name = DISABLED
Wed Dec 05 00:08:54 2012 us=480533   auth_user_pass_verify_script = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=480554   auth_user_pass_verify_script_via_file = DISABLED
Wed Dec 05 00:08:54 2012 us=480573   client = ENABLED
Wed Dec 05 00:08:54 2012 us=480592   pull = ENABLED
Wed Dec 05 00:08:54 2012 us=480611   auth_user_pass_file = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=493122   show_net_up = DISABLED
Wed Dec 05 00:08:54 2012 us=493151   route_method = 0
Wed Dec 05 00:08:54 2012 us=493172   ip_win32_defined = DISABLED
Wed Dec 05 00:08:54 2012 us=493189   ip_win32_type = 3
Wed Dec 05 00:08:54 2012 us=493208   dhcp_masq_offset = 0
Wed Dec 05 00:08:54 2012 us=493227   dhcp_lease_time = 31536000
Wed Dec 05 00:08:54 2012 us=493261   tap_sleep = 0
Wed Dec 05 00:08:54 2012 us=493281   dhcp_options = DISABLED
Wed Dec 05 00:08:54 2012 us=493300   dhcp_renew = DISABLED
Wed Dec 05 00:08:54 2012 us=493319   dhcp_pre_release = DISABLED
Wed Dec 05 00:08:54 2012 us=493337   dhcp_release = DISABLED
Wed Dec 05 00:08:54 2012 us=493355   domain = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=493374   netbios_scope = '[UNDEF]'
Wed Dec 05 00:08:54 2012 us=493393   netbios_node_type = 0
Wed Dec 05 00:08:54 2012 us=493412   disable_nbt = DISABLED
Wed Dec 05 00:08:54 2012 us=493441 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Dec 05 00:08:54 2012 us=505659 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Dec 05 00:08:54 2012 us=505691 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Dec 05 00:08:54 2012 us=510413 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Dec 05 00:08:54 2012 us=510466 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 05 00:08:54 2012 us=510496 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 05 00:08:54 2012 us=510539 LZO compression initialized
Wed Dec 05 00:08:54 2012 us=510723 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Dec 05 00:08:54 2012 us=521853 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 05 00:08:54 2012 us=521938 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Dec 05 00:08:54 2012 us=521963 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Dec 05 00:08:54 2012 us=522022 Local Options hash (VER=V4): '504e774e'
Wed Dec 05 00:08:54 2012 us=522065 Expected Remote Options hash (VER=V4): '14168603'
Wed Dec 05 00:08:54 2012 us=522124 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Dec 05 00:08:54 2012 us=522158 UDPv4 link local: [undef]
Wed Dec 05 00:08:54 2012 us=522186 UDPv4 link remote: 193.23.23.1:1194
Wed Dec 05 00:08:54 2012 us=528063 TLS: Initial packet from 193.23.23.1:1194, sid=8511c0b3 ca547c0a
Wed Dec 05 00:08:54 2012 us=637193 VERIFY OK: depth=1, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=Home_server_CA/emailAddress=tomkat@userv.localhome
Wed Dec 05 00:08:54 2012 us=638115 VERIFY OK: depth=0, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=userv/emailAddress=tomkat@userv.localhome
Wed Dec 05 00:09:55 2012 us=179856 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 05 00:09:55 2012 us=179899 TLS Error: TLS handshake failed
Wed Dec 05 00:09:55 2012 us=180241 TCP/UDP: Closing socket
Wed Dec 05 00:09:55 2012 us=180344 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 05 00:09:55 2012 us=180367 Restart pause, 2 second(s)
Wed Dec 05 00:09:57 2012 us=179782 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Dec 05 00:09:57 2012 us=179819 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Dec 05 00:09:57 2012 us=179856 Re-using SSL/TLS context
Wed Dec 05 00:09:57 2012 us=179913 LZO compression initialized
Wed Dec 05 00:09:57 2012 us=180016 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Dec 05 00:09:57 2012 us=180143 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 05 00:09:57 2012 us=180198 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Dec 05 00:09:57 2012 us=180222 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Dec 05 00:09:57 2012 us=180260 Local Options hash (VER=V4): '504e774e'
Wed Dec 05 00:09:57 2012 us=180291 Expected Remote Options hash (VER=V4): '14168603'
Wed Dec 05 00:09:57 2012 us=180337 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Dec 05 00:09:57 2012 us=180363 UDPv4 link local: [undef]
Wed Dec 05 00:09:57 2012 us=180384 UDPv4 link remote: 193.23.23.1:1194
Wed Dec 05 00:09:57 2012 us=185291 TLS: Initial packet from 193.23.23.1:1194, sid=13d56c23 bfc2ce04
Wed Dec 05 00:09:57 2012 us=294457 VERIFY OK: depth=1, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=Home_server_CA/emailAddress=tomkat@userv.localhome
Wed Dec 05 00:09:57 2012 us=295353 VERIFY OK: depth=0, /C=UA/ST=PL/L=Kremenchug/O=Home_server/CN=userv/emailAddress=tomkat@userv.localhome
Wed Dec 05 00:10:03 2012 us=358969 TCP/UDP: Closing socket
Wed Dec 05 00:10:03 2012 us=359161 SIGTERM[hard,] received, process exiting



[Михайло Даниленко]

Ось мій робочий конфіг, єдина принципова відмінність — використання tun замість tap (користувача openvpn створював сам, так дещо безпечніше, ніж з nobody — adduser --system):

Код: [Вибрати]

## VPN server with CA for internet sharing and management
port      1194
proto     udp
dev       tun
# we're mostly doing forwarding over pppoe, where packet size
# is 1492 - maybe this is useful... maybe not.
#tun-mtu   1492
ca        /etc/openvpn/ca.crt
cert      /etc/openvpn/server.crt
key       /etc/openvpn/server.key
dh        /etc/openvpn/dh1024.pem
server    192.168.3.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
#ifconfig-pool-persist /var/run/openvpn/ipp.txt
## does not work due to absence of previous default gateway on client :/
#push     "redirect-gateway local def1"
push      "route 0.0.0.0 0.0.0.0"
client-to-client
keepalive 10 120
tls-auth  /etc/openvpn/ta.key 0
cipher    DES-EDE3-CBC
user      openvpn
group     openvpn
persist-key
persist-tun
status    /var/run/openvpn/openvpn.server.status
verb      3
#mute      20
## The End
Клієнт:

Код: [Вибрати]

# Client connection with CA
client
dev         tun0
proto       udp
remote      192.168.1.34 1194
user        openvpn
group       openvpn
persist-key
persist-tun
mute-replay-warnings
ca          /etc/openvpn/ca.crt
cert        /etc/openvpn/tsubasa.crt
key         /etc/openvpn/tsubasa.key
#ns-cert-type server
tls-auth    /etc/openvpn/ta.key 1
cipher      DES-EDE3-CBC
status /var/run/openvpn/openvpn.isbear.status
verb 3
mute 20
# The End


[Tomkat]

а конфіг клієнта можна ?