openvpn - bridge - at my wits' end



meinereinerseiner
10.12.05, 14:21
hi,

I'm desperately trying to hook Linux/XP clients up to OpenVPN 2.0.5 on SUSE 9.3 in
bridge mode. The clients sit in networks that don't collide with my
192.168.100.0, or they are standalone dial-in.

the server has 192.168.100.4
Network: 192.168.100.0/24
Default gw: 192.168.100.7 (DSL router)

IP forwarding is switched on on the server, but no firewall is
active!

According to the logs everything looks fine too, only nothing works; I don't know
what else to do. I'd say it's down to the bridge config, but
what?
I start the bridge with the bridge-start script from:
http://openvpn.net/bridge.html
except that at the end I set the default route back to .7, because
the script kills it, and I restart the DHCP server, because otherwise it
doesn't serve the br0 interface.



the server config:

port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server-bridge 192.168.100.4 255.255.255.0 192.168.100.225 192.168.100.249
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 6


the client config:

client
dev tap
dev-node tap1
proto udp
remote xxx.xxxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
comp-lzo
verb 3

on the server the interface configuration looks like this:

devil:/etc/openvpn # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00055d7d0990       no              eth0
                                                        tap0
devil:/etc/openvpn # ifconfig
br0 Link encap:Ethernet HWaddr 00:05:5D:7D:09:90
inet addr:192.168.100.4 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::205:5dff:fe7d:990/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:179738 errors:0 dropped:0 overruns:0 frame:0
TX packets:140719 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:39813029 (37.9 Mb) TX bytes:28875696 (27.5 Mb)

eth0 Link encap:Ethernet HWaddr 00:05:5D:7D:09:90
inet6 addr: fe80::205:5dff:fe7d:990/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:259597 errors:0 dropped:0 overruns:0 frame:0
TX packets:167834 errors:0 dropped:0 overruns:0 carrier:0
collisions:309 txqueuelen:1000
RX bytes:60697445 (57.8 Mb) TX bytes:34027563 (32.4 Mb)
Interrupt:9 Base address:0xa800

tap0 Link encap:Ethernet HWaddr 9A:07:0D:01:5C:9B
inet6 addr: fe80::9807:dff:fe01:5c9b/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:1936 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

devil:/etc/openvpn # route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.100.7 0.0.0.0 UG 0 0 0 br0



the server's logfile:

Thu Dec 8 17:24:37 2005 us=349979 Current Parameter Settings:
Thu Dec 8 17:24:37 2005 us=350227 config = '/etc/openvpn/server.conf'
Thu Dec 8 17:24:37 2005 us=350262 mode = 1
Thu Dec 8 17:24:37 2005 us=350292 persist_config = DISABLED
Thu Dec 8 17:24:37 2005 us=350321 persist_mode = 1
Thu Dec 8 17:24:37 2005 us=350350 show_ciphers = DISABLED
Thu Dec 8 17:24:37 2005 us=350379 show_digests = DISABLED
Thu Dec 8 17:24:37 2005 us=350407 show_engines = DISABLED
Thu Dec 8 17:24:37 2005 us=350436 genkey = DISABLED
Thu Dec 8 17:24:37 2005 us=350465 key_pass_file = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=350495 show_tls_ciphers = DISABLED
Thu Dec 8 17:24:37 2005 us=350524 proto = 0
Thu Dec 8 17:24:37 2005 us=350567 local = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=350597 remote_list = NULL
Thu Dec 8 17:24:37 2005 us=350630 remote_random = DISABLED
Thu Dec 8 17:24:37 2005 us=350660 local_port = 1194
Thu Dec 8 17:24:37 2005 us=350689 remote_port = 1194
Thu Dec 8 17:24:37 2005 us=350718 remote_float = DISABLED
Thu Dec 8 17:24:37 2005 us=350747 ipchange = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=350776 bind_local = ENABLED
Thu Dec 8 17:24:37 2005 us=350805 dev = 'tap'
Thu Dec 8 17:24:37 2005 us=350835 dev_type = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=350864 dev_node = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=350893 tun_ipv6 = DISABLED
Thu Dec 8 17:24:37 2005 us=350923 ifconfig_local = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=350955 ifconfig_remote_netmask = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=350984 ifconfig_noexec = DISABLED
Thu Dec 8 17:24:37 2005 us=351014 ifconfig_nowarn = DISABLED
Thu Dec 8 17:24:37 2005 us=351043 shaper = 0
Thu Dec 8 17:24:37 2005 us=351072 tun_mtu = 1500
Thu Dec 8 17:24:37 2005 us=351101 tun_mtu_defined = ENABLED
Thu Dec 8 17:24:37 2005 us=351130 link_mtu = 1500
Thu Dec 8 17:24:37 2005 us=351159 link_mtu_defined = DISABLED
Thu Dec 8 17:24:37 2005 us=351188 tun_mtu_extra = 32
Thu Dec 8 17:24:37 2005 us=351217 tun_mtu_extra_defined = ENABLED
Thu Dec 8 17:24:37 2005 us=351247 fragment = 0
Thu Dec 8 17:24:37 2005 us=351277 mtu_discover_type = -1
Thu Dec 8 17:24:37 2005 us=351306 mtu_test = 0
Thu Dec 8 17:24:37 2005 us=351335 mlock = DISABLED
Thu Dec 8 17:24:37 2005 us=351364 keepalive_ping = 10
Thu Dec 8 17:24:37 2005 us=351393 keepalive_timeout = 120
Thu Dec 8 17:24:37 2005 us=351423 inactivity_timeout = 0
Thu Dec 8 17:24:37 2005 us=351452 ping_send_timeout = 10
Thu Dec 8 17:24:37 2005 us=351482 ping_rec_timeout = 240
Thu Dec 8 17:24:37 2005 us=351511 ping_rec_timeout_action = 2
Thu Dec 8 17:24:37 2005 us=351551 ping_timer_remote = DISABLED
Thu Dec 8 17:24:37 2005 us=351581 remap_sigusr1 = 0
Thu Dec 8 17:24:37 2005 us=351611 explicit_exit_notification = 0
Thu Dec 8 17:24:37 2005 us=351640 persist_tun = ENABLED
Thu Dec 8 17:24:37 2005 us=351668 persist_local_ip = DISABLED
Thu Dec 8 17:24:37 2005 us=351698 persist_remote_ip = DISABLED
Thu Dec 8 17:24:37 2005 us=351727 persist_key = ENABLED
Thu Dec 8 17:24:37 2005 us=351757 mssfix = 1450
Thu Dec 8 17:24:37 2005 us=351786 passtos = DISABLED
Thu Dec 8 17:24:37 2005 us=351816 resolve_retry_seconds = 1000000000
Thu Dec 8 17:24:37 2005 us=351845 connect_retry_seconds = 5
Thu Dec 8 17:24:37 2005 us=351875 username = 'nobody'
Thu Dec 8 17:24:37 2005 us=352109 groupname = 'nobody'
Thu Dec 8 17:24:37 2005 us=352141 chroot_dir = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=352170 cd_dir = '/etc/openvpn'
Thu Dec 8 17:24:37 2005 us=352199 writepid = '/var/run/openvpn/server.pid'
Thu Dec 8 17:24:37 2005 us=352228 up_script = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=352258 down_script = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=352291 down_pre = DISABLED
Thu Dec 8 17:24:37 2005 us=352320 up_restart = DISABLED
Thu Dec 8 17:24:37 2005 us=352349 up_delay = DISABLED
Thu Dec 8 17:24:37 2005 us=352378 daemon = ENABLED
Thu Dec 8 17:24:37 2005 us=352407 inetd = 0
Thu Dec 8 17:24:37 2005 us=352436 log = ENABLED
Thu Dec 8 17:24:37 2005 us=352465 suppress_timestamps = DISABLED
Thu Dec 8 17:24:37 2005 us=352522 nice = 0
Thu Dec 8 17:24:37 2005 us=352562 verbosity = 6
Thu Dec 8 17:24:37 2005 us=352591 mute = 0
Thu Dec 8 17:24:37 2005 us=352620 gremlin = 0
Thu Dec 8 17:24:37 2005 us=352650 status_file = 'openvpn-status.log'
Thu Dec 8 17:24:37 2005 us=352680 status_file_version = 1
Thu Dec 8 17:24:37 2005 us=352710 status_file_update_freq = 60
Thu Dec 8 17:24:37 2005 us=352739 occ = ENABLED
Thu Dec 8 17:24:37 2005 us=352768 rcvbuf = 65536
Thu Dec 8 17:24:37 2005 us=352797 sndbuf = 65536
Thu Dec 8 17:24:37 2005 us=352827 socks_proxy_server = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=352857 socks_proxy_port = 0
Thu Dec 8 17:24:37 2005 us=352886 socks_proxy_retry = DISABLED
Thu Dec 8 17:24:37 2005 us=352915 fast_io = DISABLED
Thu Dec 8 17:24:37 2005 us=352944 comp_lzo = ENABLED
Thu Dec 8 17:24:37 2005 us=352974 comp_lzo_adaptive = ENABLED
Thu Dec 8 17:24:37 2005 us=353003 route_script = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=353032 route_default_gateway = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=353062 route_noexec = DISABLED
Thu Dec 8 17:24:37 2005 us=353092 route_delay = 0
Thu Dec 8 17:24:37 2005 us=353122 route_delay_window = 30
Thu Dec 8 17:24:37 2005 us=353151 route_delay_defined = DISABLED
Thu Dec 8 17:24:37 2005 us=353181 management_addr = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=353211 management_port = 0
Thu Dec 8 17:24:37 2005 us=353240 management_user_pass = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=353270 management_log_history_cache = 250
Thu Dec 8 17:24:37 2005 us=353299 management_echo_buffer_size = 100
Thu Dec 8 17:24:37 2005 us=353328 management_query_passwords = DISABLED
Thu Dec 8 17:24:37 2005 us=353358 management_hold = DISABLED
Thu Dec 8 17:24:37 2005 us=353387 shared_secret_file = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=353418 key_direction = 0
Thu Dec 8 17:24:37 2005 us=353447 ciphername_defined = ENABLED
Thu Dec 8 17:24:37 2005 us=353479 ciphername = 'BF-CBC'
Thu Dec 8 17:24:37 2005 us=353509 authname_defined = ENABLED
Thu Dec 8 17:24:37 2005 us=353547 authname = 'SHA1'
Thu Dec 8 17:24:37 2005 us=353577 keysize = 0
Thu Dec 8 17:24:37 2005 us=353606 engine = DISABLED
Thu Dec 8 17:24:37 2005 us=353636 replay = ENABLED
Thu Dec 8 17:24:37 2005 us=353667 mute_replay_warnings = DISABLED
Thu Dec 8 17:24:37 2005 us=353696 replay_window = 64
Thu Dec 8 17:24:37 2005 us=353726 replay_time = 15
Thu Dec 8 17:24:37 2005 us=353755 packet_id_file = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=353785 use_iv = ENABLED
Thu Dec 8 17:24:37 2005 us=353815 test_crypto = DISABLED
Thu Dec 8 17:24:37 2005 us=353844 tls_server = ENABLED
Thu Dec 8 17:24:37 2005 us=353873 tls_client = DISABLED
Thu Dec 8 17:24:37 2005 us=353903 key_method = 2
Thu Dec 8 17:24:37 2005 us=353932 ca_file = 'ca.crt'
Thu Dec 8 17:24:37 2005 us=353961 dh_file = 'dh1024.pem'
Thu Dec 8 17:24:37 2005 us=353990 cert_file = 'server.crt'
Thu Dec 8 17:24:37 2005 us=354020 priv_key_file = 'server.key'
Thu Dec 8 17:24:37 2005 us=354049 pkcs12_file = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=354078 cipher_list = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=354107 tls_verify = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=354136 tls_remote = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=354165 crl_file = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=354194 ns_cert_type = 0
Thu Dec 8 17:24:37 2005 us=354224 tls_timeout = 2
Thu Dec 8 17:24:37 2005 us=354253 renegotiate_bytes = 0
Thu Dec 8 17:24:37 2005 us=354284 renegotiate_packets = 0
Thu Dec 8 17:24:37 2005 us=354314 renegotiate_seconds = 3600
Thu Dec 8 17:24:37 2005 us=354344 handshake_window = 60
Thu Dec 8 17:24:37 2005 us=354373 transition_window = 3600
Thu Dec 8 17:24:37 2005 us=354403 single_session = DISABLED
Thu Dec 8 17:24:37 2005 us=354432 tls_exit = DISABLED
Thu Dec 8 17:24:37 2005 us=354462 tls_auth_file = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=354497 server_network = 0.0.0.0
Thu Dec 8 17:24:37 2005 us=354539 server_netmask = 0.0.0.0
Thu Dec 8 17:24:37 2005 us=354597 server_bridge_ip = 192.168.100.4
Thu Dec 8 17:24:37 2005 us=354632 server_bridge_netmask = 255.255.255.0
Thu Dec 8 17:24:37 2005 us=354673 server_bridge_pool_start = 192.168.100.225
Thu Dec 8 17:24:37 2005 us=354708 server_bridge_pool_end = 192.168.100.249
Thu Dec 8 17:24:37 2005 us=354738 push_list = 'route-gateway 192.168.100.4,ping 10,ping-restart 120'
Thu Dec 8 17:24:37 2005 us=354768 ifconfig_pool_defined = ENABLED
Thu Dec 8 17:24:37 2005 us=354801 ifconfig_pool_start = 192.168.100.225
Thu Dec 8 17:24:37 2005 us=354835 ifconfig_pool_end = 192.168.100.249
Thu Dec 8 17:24:37 2005 us=354868 ifconfig_pool_netmask = 255.255.255.0
Thu Dec 8 17:24:37 2005 us=354899 ifconfig_pool_persist_filename = 'ipp.txt'
Thu Dec 8 17:24:37 2005 us=354929 ifconfig_pool_persist_refresh_freq = 600
Thu Dec 8 17:24:37 2005 us=354959 ifconfig_pool_linear = DISABLED
Thu Dec 8 17:24:37 2005 us=354989 n_bcast_buf = 256
Thu Dec 8 17:24:37 2005 us=355018 tcp_queue_limit = 64
Thu Dec 8 17:24:37 2005 us=355048 real_hash_size = 256
Thu Dec 8 17:24:37 2005 us=355078 virtual_hash_size = 256
Thu Dec 8 17:24:37 2005 us=355107 client_connect_script = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=355137 learn_address_script = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=355167 client_disconnect_script = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=355197 client_config_dir = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=355226 ccd_exclusive = DISABLED
Thu Dec 8 17:24:37 2005 us=355256 tmp_dir = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=355285 push_ifconfig_defined = DISABLED
Thu Dec 8 17:24:37 2005 us=355318 push_ifconfig_local = 0.0.0.0
Thu Dec 8 17:24:37 2005 us=355352 push_ifconfig_remote_netmask = 0.0.0.0
Thu Dec 8 17:24:37 2005 us=355381 enable_c2c = ENABLED
Thu Dec 8 17:24:37 2005 us=355410 duplicate_cn = DISABLED
Thu Dec 8 17:24:37 2005 us=355439 cf_max = 0
Thu Dec 8 17:24:37 2005 us=355469 cf_per = 0
Thu Dec 8 17:24:37 2005 us=355498 max_clients = 1024
Thu Dec 8 17:24:37 2005 us=355537 client_cert_not_required = DISABLED
Thu Dec 8 17:24:37 2005 us=355568 username_as_common_name = DISABLED
Thu Dec 8 17:24:37 2005 us=355598 auth_user_pass_verify_script = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=355628 auth_user_pass_verify_script_via_file = DISABLED
Thu Dec 8 17:24:37 2005 us=355658 client = DISABLED
Thu Dec 8 17:24:37 2005 us=355687 pull = DISABLED
Thu Dec 8 17:24:37 2005 us=355716 auth_user_pass_file = '[UNDEF]'
Thu Dec 8 17:24:37 2005 us=355751 OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Mar 19 2005
Thu Dec 8 17:24:37 2005 us=373368 Diffie-Hellman initialized with 1024 bit key
Thu Dec 8 17:24:37 2005 us=374958 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 8 17:24:37 2005 us=439598 TUN/TAP device tap1 opened
Thu Dec 8 17:24:37 2005 us=439732 TUN/TAP TX queue length set to 100
Thu Dec 8 17:24:37 2005 us=439832 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Thu Dec 8 17:24:37 2005 us=440795 GID set to nobody
Thu Dec 8 17:24:37 2005 us=440902 UID set to nobody
Thu Dec 8 17:24:37 2005 us=440957 Socket Buffers: R=[113664->131072] S=[113664->131072]
Thu Dec 8 17:24:37 2005 us=441019 UDPv4 link local (bound): [undef]:1194
Thu Dec 8 17:24:37 2005 us=441073 UDPv4 link remote: [undef]
Thu Dec 8 17:24:37 2005 us=441118 MULTI: multi_init called, r=256 v=256
Thu Dec 8 17:24:37 2005 us=441199 IFCONFIG POOL: base=192.168.100.225 size=25
Thu Dec 8 17:24:37 2005 us=441341 IFCONFIG POOL LIST
Thu Dec 8 17:24:37 2005 us=441374 client1,192.168.100.225
Thu Dec 8 17:24:37 2005 us=441403 client2,192.168.100.226
Thu Dec 8 17:24:37 2005 us=441477 Initialization Sequence Completed
Thu Dec 8 17:25:39 2005 us=396380 MULTI: multi_create_instance called
Thu Dec 8 17:25:39 2005 us=396532 84.59.226.115:10612 Re-using SSL/TLS context
Thu Dec 8 17:25:39 2005 us=396637 84.59.226.115:10612 LZO compression initialized
Thu Dec 8 17:25:39 2005 us=396974 84.59.226.115:10612 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 8 17:25:39 2005 us=397093 84.59.226.115:10612 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Thu Dec 8 17:25:39 2005 us=397166 84.59.226.115:10612 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Dec 8 17:25:39 2005 us=397192 84.59.226.115:10612 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Dec 8 17:25:39 2005 us=397267 84.59.226.115:10612 Local Options hash (VER=V4): 'f7df56b8'
Thu Dec 8 17:25:39 2005 us=397314 84.59.226.115:10612 Expected Remote Options hash (VER=V4): 'd79ca330'
Thu Dec 8 17:25:39 2005 us=397440 84.59.226.115:10612 UDPv4 READ [14] from 84.59.226.115:10612: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu Dec 8 17:25:39 2005 us=397487 84.59.226.115:10612 TLS: Initial packet from 84.59.226.115:10612, sid=b7b0b5dc d06919dc
Thu Dec 8 17:25:39 2005 us=397599 84.59.226.115:10612 UDPv4 WRITE [26] to 84.59.226.115:10612: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Thu Dec 8 17:25:39 2005 us=420443 84.59.226.115:10612 UDPv4 READ [22] from 84.59.226.115:10612: P_ACK_V1 kid=0 [ 0 ]
Thu Dec 8 17:25:39 2005 us=431965 84.59.226.115:10612 UDPv4 READ [114] from 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Thu Dec 8 17:25:39 2005 us=432148 84.59.226.115:10612 UDPv4 WRITE [22] to 84.59.226.115:10612: P_ACK_V1 kid=0 [ 1 ]
Thu Dec 8 17:25:39 2005 us=435670 84.59.226.115:10612 UDPv4 READ [16] from 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=2
Thu Dec 8 17:25:39 2005 us=462460 84.59.226.115:10612 UDPv4 WRITE [126] to 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ 2 ] pid=1 DATA len=100
.
.
.
Thu Dec 8 17:25:39 2005 us=890461 84.59.226.115:10612 UDPv4 WRITE [22] to 84.59.226.115:10612: P_ACK_V1 kid=0 [ 19 ]
Thu Dec 8 17:25:39 2005 us=897843 84.59.226.115:10612 UDPv4 READ [114] from 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=20 DATA len=100
Thu Dec 8 17:25:39 2005 us=899594 84.59.226.115:10612 VERIFY OK: depth=1, /C=DE/ST=Berlin/L=Berlin/O=OpenVPN-TEST/CN=OpenVPN-CA/emailAddress=xxxx@xxxxx.de
Thu Dec 8 17:25:39 2005 us=900167 84.59.226.115:10612 VERIFY OK: depth=0, /C=DE/ST=Berlin/O=OpenVPN-TEST/CN=client2/emailAddress=xxxxx@xxxxx.de
Thu Dec 8 17:25:39 2005 us=900320 84.59.226.115:10612 UDPv4 WRITE [22] to 84.59.226.115:10612: P_ACK_V1 kid=0 [ 20 ]
.
.
.
Thu Dec 8 17:25:39 2005 us=977279 84.59.226.115:10612 UDPv4 READ [114] from 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=26 DATA len=100
Thu Dec 8 17:25:39 2005 us=977397 84.59.226.115:10612 UDPv4 WRITE [22] to 84.59.226.115:10612: P_ACK_V1 kid=0 [ 26 ]
Thu Dec 8 17:25:39 2005 us=980612 84.59.226.115:10612 UDPv4 READ [28] from 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=27 DATA len=14
Thu Dec 8 17:25:39 2005 us=981273 84.59.226.115:10612 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 8 17:25:39 2005 us=981312 84.59.226.115:10612 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 8 17:25:39 2005 us=981460 84.59.226.115:10612 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 8 17:25:39 2005 us=981493 84.59.226.115:10612 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 8 17:25:39 2005 us=981642 84.59.226.115:10612 UDPv4 WRITE [126] to 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ 27 ] pid=26 DATA len=100
Thu Dec 8 17:25:39 2005 us=981822 84.59.226.115:10612 UDPv4 WRITE [114] to 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=27 DATA len=100
Thu Dec 8 17:25:39 2005 us=981987 84.59.226.115:10612 UDPv4 WRITE [80] to 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=28 DATA len=66
Thu Dec 8 17:25:40 2005 us=9394 84.59.226.115:10612 UDPv4 READ [22] from 84.59.226.115:10612: P_ACK_V1 kid=0 [ 26 ]
Thu Dec 8 17:25:40 2005 us=12998 84.59.226.115:10612 UDPv4 READ [22] from 84.59.226.115:10612: P_ACK_V1 kid=0 [ 27 ]
Thu Dec 8 17:25:40 2005 us=17072 84.59.226.115:10612 UDPv4 READ [22] from 84.59.226.115:10612: P_ACK_V1 kid=0 [ 28 ]
Thu Dec 8 17:25:40 2005 us=17173 84.59.226.115:10612 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 8 17:25:40 2005 us=17257 84.59.226.115:10612 [client2] Peer Connection Initiated with 84.59.226.115:10612
Thu Dec 8 17:25:41 2005 us=185030 client2/84.59.226.115:10612 UDPv4 READ [104] from 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=28 DATA len=90
Thu Dec 8 17:25:41 2005 us=185257 client2/84.59.226.115:10612 PUSH: Received control message: 'PUSH_REQUEST'
Thu Dec 8 17:25:41 2005 us=185354 client2/84.59.226.115:10612 SENT CONTROL [client2]: 'PUSH_REPLY,route-gateway 192.168.100.4,ping 10,ping-restart 120,ifconfig 192.168.100.226 255.255.255.0' (status=1)
Thu Dec 8 17:25:41 2005 us=185459 client2/84.59.226.115:10612 UDPv4 WRITE [22] to 84.59.226.115:10612: P_ACK_V1 kid=0 [ 28 ]
Thu Dec 8 17:25:41 2005 us=185651 client2/84.59.226.115:10612 UDPv4 WRITE [114] to 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=100
Thu Dec 8 17:25:41 2005 us=185791 client2/84.59.226.115:10612 UDPv4 WRITE [84] to 84.59.226.115:10612: P_CONTROL_V1 kid=0 [ ] pid=30 DATA len=70
Thu Dec 8 17:25:41 2005 us=213079 client2/84.59.226.115:10612 UDPv4 READ [22] from 84.59.226.115:10612: P_ACK_V1 kid=0 [ 29 ]
Thu Dec 8 17:25:41 2005 us=233706 client2/84.59.226.115:10612 UDPv4 READ [22] from 84.59.226.115:10612: P_ACK_V1 kid=0 [ 30 ]
Thu Dec 8 17:25:44 2005 us=497511 client2/84.59.226.115:10612 UDPv4 READ [77] from 84.59.226.115:10612: P_DATA_V1 kid=0 DATA len=76
Thu Dec 8 17:25:44 2005 us=497706 client2/84.59.226.115:10612 MULTI: Learn: 00:ff:d6:17:8e:00 -> client2/84.59.226.115:10612
Thu Dec 8 17:25:45 2005 us=423172 client2/84.59.226.115:10612 UDPv4 READ [77] from 84.59.226.115:10612: P_DATA_V1 kid=0 DATA len=76



and the client's log:

C:\Programme\OpenVPN\config>openvpn client.ovpn
Thu Dec 08 18:31:21 2005 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Thu Dec 08 18:31:21 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Dec 08 18:31:21 2005 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Dec 08 18:31:21 2005 LZO compression initialized
Thu Dec 08 18:31:21 2005 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 08 18:31:21 2005 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Dec 08 18:31:21 2005 Local Options hash (VER=V4): 'd79ca330'
Thu Dec 08 18:31:21 2005 Expected Remote Options hash (VER=V4): 'f7df56b8'
Thu Dec 08 18:31:21 2005 UDPv4 link local: [undef]
Thu Dec 08 18:31:21 2005 UDPv4 link remote: 84.59.39.118:1194
Thu Dec 08 18:31:21 2005 TLS: Initial packet from 84.59.39.118:1194, sid=ea49e734 0a6a689d
Thu Dec 08 18:31:21 2005 VERIFY OK: depth=1, /C=DE/ST=Berlin/L=Berlin/O=OpenVPN-TEST/CN=OpenVPN-CA/emailAddress=xxxxx@xxxxx.de
Thu Dec 08 18:31:21 2005 VERIFY OK: depth=0, /C=DE/ST=Berlin/O=OpenVPN-TEST/CN=server/emailAddress=xxxx@xxxxx.de
Thu Dec 08 18:31:22 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 08 18:31:22 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 08 18:31:22 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 08 18:31:22 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 08 18:31:22 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 08 18:31:22 2005 [server] Peer Connection Initiated with 84.59.39.118:1194
Thu Dec 08 18:31:23 2005 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 08 18:31:23 2005 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.100.4,ping 10,ping-restart 120,ifconfig 192.168.100.226 255.255.255.0'
Thu Dec 08 18:31:23 2005 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 08 18:31:23 2005 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 08 18:31:23 2005 OPTIONS IMPORT: route options modified
Thu Dec 08 18:31:23 2005 TAP-WIN32 device [tap1] opened: \\.\Global\{D6178E00-80EA-4D1D-AE77-8384F681B2B2}.tap
Thu Dec 08 18:31:23 2005 TAP-Win32 Driver Version 8.1
Thu Dec 08 18:31:23 2005 TAP-Win32 MTU=1500
Thu Dec 08 18:31:23 2005 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.226/255.255.255.0 on interface {D6178E00-80EA-4D1D-AE77-8384F681B2B2} [DHCP-serv: 192.168.100.0, lease-time: 31536000]
Thu Dec 08 18:31:23 2005 Successful ARP Flush on interface [65540] {D6178E00-80EA-4D1D-AE77-8384F681B2B2}
Thu Dec 08 18:31:23 2005 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Thu Dec 08 18:31:23 2005 Route: Waiting for TUN/TAP interface to come up...
Thu Dec 08 18:31:24 2005 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Thu Dec 08 18:31:24 2005 Initialization Sequence Completed




so, I hope that wasn't too much of a good thing

thx
der tom

meinereinerseiner
12.12.05, 14:24
the solution:
in server.conf just "dev tap0" instead of "dev tap" and it works.


der tom
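Why that one-word change matters: the bridge-start script creates a persistent tap0 and adds it to br0, but a bare "dev tap" makes OpenVPN ask the kernel for the next free device, which is why the server log above reports "TUN/TAP device tap1 opened". tap1 is not a bridge member, so client frames never reach eth0; the ifconfig output, with tap0 at zero RX packets and 1936 TX drops, is consistent with nothing having tap0 open. The script below is an added example, not the thread's script and not the one from openvpn.net/bridge.html: it brings the bridge up the way the first post describes (persistent tap0 owned by the unprivileged user OpenVPN drops to, default route restored afterwards) and adds a check that server.conf names a device that is actually in the bridge. Interface names, the address plan, the user/group and the config path are assumptions taken from the thread's values; brctl, ifconfig, route and openvpn are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): bridge eth0 + persistent tap0 into br0
# and verify that OpenVPN's "dev" directive points at a bridge member.
# All defaults below are assumptions copied from the thread's address plan.
set -eu

BR=${BR:-br0}
ETH=${ETH:-eth0}
TAP=${TAP:-tap0}
BR_IP=${BR_IP:-192.168.100.4}
BR_NETMASK=${BR_NETMASK:-255.255.255.0}
BR_BCAST=${BR_BCAST:-192.168.100.255}
GW=${GW:-192.168.100.7}
CONF=${CONF:-/etc/openvpn/server.conf}
DRY_RUN=${DRY_RUN:-}

# Execute a command, or just print it when DRY_RUN is set (review before root).
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

bridge_start() {
  # Persistent tap owned by the user OpenVPN drops to, so the daemon can
  # reopen it after a restart. Because the device already exists, "dev tap0"
  # reuses it instead of allocating a fresh tapN that is outside the bridge.
  run openvpn --mktun --dev "$TAP" --user nobody --group nobody
  run brctl addbr "$BR"
  run brctl addif "$BR" "$ETH"
  run brctl addif "$BR" "$TAP"
  # Member ports carry no address; the bridge itself gets the server's IP.
  run ifconfig "$ETH" 0.0.0.0 promisc up
  run ifconfig "$TAP" 0.0.0.0 promisc up
  run ifconfig "$BR" "$BR_IP" netmask "$BR_NETMASK" broadcast "$BR_BCAST" up
  # Moving the address from eth0 to br0 loses the default route; put it back.
  run route add default gw "$GW" dev "$BR"
}

bridge_stop() {
  run ifconfig "$BR" down
  run brctl delbr "$BR"
  run openvpn --rmtun --dev "$TAP"
  run ifconfig "$ETH" "$BR_IP" netmask "$BR_NETMASK" broadcast "$BR_BCAST" up
  run route add default gw "$GW" dev "$ETH"
}

# Print the argument of the first "dev" directive in an OpenVPN config ($1).
config_dev() {
  awk '$1 == "dev" { print $2; exit }' "$1"
}

# Succeed only if the config ($1) names a specific tap that appears in the
# bridge member list ($2, space separated). A bare "tap", any tun, or no
# "dev" at all means OpenVPN would create a device that is not bridged.
check_dev_in_bridge() {
  dev=$(config_dev "$1")
  case "$dev" in
    tap|tun*|"")
      echo "dev '$dev': OpenVPN will allocate a new device outside $BR" >&2
      return 1 ;;
  esac
  for m in $2; do
    [ "$m" = "$dev" ] && return 0
  done
  echo "dev '$dev' is not a member of $BR (members: $2)" >&2
  return 1
}

case "${1:-}" in
  start) bridge_start ;;
  stop)  bridge_stop ;;
  check) check_dev_in_bridge "$CONF" "$(ls "/sys/class/net/$BR/brif")" ;;
esac
```

Run it as "sh bridge.sh start" before starting OpenVPN, and "sh bridge.sh check" afterwards; "DRY_RUN=1 sh bridge.sh start" prints the commands without touching the network. The check reads the member list from sysfs rather than parsing "brctl show", so it works on any 2.6 kernel that has bridging.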

bbatman
05.01.06, 13:36
morning,

I'm planning the same thing and so I simply copied everything, with one restriction: I took the bridge script exactly as it came from the site.

But I also have a slightly different configuration,

namely

OPENVPN server

2 network cards

1x 192.168.1.2 (local) ;-) eth0
1x xxx.xxx.xxx.xxx external eth1

the external one is connected to a router, and the router is entered as the gateway on that network card;

it is pingable from outside and everything's roger.

now I've put br0 on eth0; first question: can that be right?

now when I do this I can see in openvpn-status.log that the client has logged in and which IP it has etc.

only one blemish on the whole thing: I can't ping anything, reach anything, simply do nothing at all apart from it being there.

where can my mistake be?

thanks

meinereinerseiner
05.01.06, 20:04
morning,

post your client and server config and the bridge script, then one can see more.

oh yes, is the IP of eth1 an official external one, or one from the
reserved private range?

is the tap device bridged as well?

what does "ifconfig" say?

der tom

bbatman
06.01.06, 14:05
thanks for the quick answer,

well, it's running now: I've now put the bridge on the local network eth0 and it works. Only unfortunately I have a problem: I also use the server as the gateway for eth1, i.e. fixed IP addresses, and have now built myself a FORWARD rule, only unfortunately not the way I actually wanted.

I use firehol and let it write my default; after that I just flush FORWARD and thought everything would be fine?

interface br0 local
server all accept
client all accept

interface tap0 tunnel
server all accept
client all accept

interface eth1 wan
server http accept
server https accept
server ntp accept
server pop3 accept
server smtp accept
server dns accept
server icmp accept
server custom openvpn tcp/1194 default accept
#server all accept

client http accept
client https accept
client ntp accept
client pop3 accept
client smtp accept
client dns accept
client icmp accept
client custom openvpn tcp/1194 default accept
#client all accept

forward.sh
#!/bin/sh

# Default policy: drop everything not explicitly accepted below.
iptables -P FORWARD DROP
# Discard the FORWARD rules firehol generated (--flush is the long form of -F).
iptables --flush FORWARD
# Every rule below matches only on the packet's *source* port, in either
# direction: traffic whose sender uses one of these well-known ports is
# forwarded, and anything else (including everything the LAN initiates on
# another port) falls through to the DROP policy.
iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -p tcp --sport 443 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -p udp --sport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 123 -j ACCEPT
iptables -A FORWARD -p udp --sport 123 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p udp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 53 -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -p tcp --sport 1194 -j ACCEPT
iptables -A FORWARD -p udp --sport 1194 -j ACCEPT

only unfortunately nothing else goes over the bridge any more; how can I now allow everything for 192.168.1.0?
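The forward.sh above keys every rule on the source port alone. That has two consequences: any remote host that picks source port 80, 443, 25 or 1194 is forwarded into the LAN regardless of connection state, and every connection the LAN itself opens on some other port hits the DROP policy. When the kernel's bridge-netfilter hook is active (bridge-nf-call-iptables=1, the usual default once the bridge module is loaded), frames that br0 bridges between eth0 and tap0 also traverse FORWARD, with br0 as both input and output interface, and so fall under the same policy, which is consistent with "nothing else goes over the bridge". The script below is an added example, not bbatman's script and not firehol output: it accepts replies by connection state, allows new connections only from the LAN/VPN side (br0, 192.168.1.0/24) towards eth1, masquerades them, and explicitly passes bridged traffic. Interface names and the prefix are taken from the post; the bridge-netfilter behaviour is an assumption about the kernel in use.

```shell
#!/bin/sh
# Added example (not from the thread): stateful FORWARD rules for a box that
# bridges eth0 + tap0 into br0 (192.168.1.0/24) and routes out via eth1.
# Interface names and the LAN prefix are assumptions taken from the post.
set -eu

IPTABLES=${IPTABLES:-iptables}
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-}

# Run iptables, or print the command when DRY_RUN is set (review before apply).
ipt() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s %s\n' "$IPTABLES" "$*"
  else
    "$IPTABLES" "$@"
  fi
}

forward_rules() {
  # Default deny, then start from an empty chain (drops what firehol wrote).
  ipt -P FORWARD DROP
  ipt -F FORWARD
  # Replies (and related traffic such as ICMP errors) for connections that
  # were accepted below come back on any port, so no source-port matching.
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Frames bridged between eth0 and tap0 show up here with br0 on both sides
  # when bridge-nf-call-iptables=1 (assumed for this kernel); let them pass,
  # otherwise LAN <-> VPN traffic is filtered by the WAN rules.
  ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j ACCEPT
  # New connections from the LAN/VPN side to the internet, any port.
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  # Everything else arriving on the WAN side is dropped, including packets
  # that carry a spoofed LAN source address or a chosen source port.
  ipt -A FORWARD -i "$WAN_IF" -j DROP
}

nat_rules() {
  # Hide the private LAN behind eth1's address for outbound connections.
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
  apply) forward_rules; nat_rules ;;
  show)  DRY_RUN=1; forward_rules; nat_rules ;;
esac
```

"sh forward.sh show" prints the rule set without touching the kernel; "sh forward.sh apply" installs it after firehol has run. Because the state match identifies replies, the LAN can use any destination port, while an outside host gains nothing by choosing a particular source port.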

onlineuser
17.08.07, 08:16
Hi,

I also have a question on the subject of OpenVPN. I have a Linksys WRT54GL and have set up an Ethernet bridge on it between eth1 and br0. Via OpenVPN you then get into the local network through the tap interface. So far everything works. For testing I didn't configure OpenVPN with certificates, only with a secret keyfile.

When I connect via TCP, the server can only register one client on port 1194. When I try it over UDP, several clients can log in, but only the last client to log in has a connection to the local network (br0). Why is that?

Kind regards.