Connection with OpenVPN and onward into the Internet



user72
21.02.10, 19:07
Hello folks,

Here's the scenario: connect a laptop via OpenVPN to a server and route all of its traffic through that server to the Internet.

Laptop IP 192.168.0.30, Win7, VPN IP 10.8.0.6
Router IP 192.168.0.1, Fritzbox
Server: Debian with OpenVPN, IP xxx.xxx.xxx, in the data centre

From the laptop I can reach the server by pinging 10.8.0.1 and 10.8.0.2.
From the server I can't ping the client at 10.8.0.6.

I think it's a routing problem, and I also don't know why "ROUTE default_gateway=192.168.0.1" gets set on the client.
Can anyone tell me where my mistake is?

openvpn.conf


port 1194
proto udp
dev tun0
ca keys/serverkey/ca.crt
cert keys/serverkey/serverkey.crt
key keys/serverkey/serverkey.key
dh keys/serverkey/dh2048.pem
server 10.8.0.0 255.255.0.0
push "route xxx.xxx.xxx.xxx 255.255.255.0"
crl-verify keys/serverkey/crl.pem
ifconfig-pool-persist servers/vpn1/logs/ipp.txt
cipher AES-128-CBC
user nobody
group nogroup
status servers/vpn1/logs/openvpn-status.log
log-append servers/vpn1/logs/openvpn.log
verb 5
mute 20
max-clients 100
keepalive 10 120
client-config-dir /etc/openvpn/servers/vpn1/ccd
tls-server
comp-lzo
persist-key
persist-tun
ccd-exclusive



openvpn.log (server)


Sun Feb 21 19:33:05 2010 us=745700 31 variation(s) on previous 20 message(s) suppressed by --mute
Sun Feb 21 19:33:05 2010 us=745747 event_wait : Interrupted system call (code=4)
Sun Feb 21 19:33:05 2010 us=746382 TCP/UDP: Closing socket
Sun Feb 21 19:33:05 2010 us=746422 /sbin/route del -net 10.8.0.0 netmask 255.255.0.0
SIOCDELRT: Operation not permitted
Sun Feb 21 19:33:05 2010 us=753025 ERROR: Linux route delete command failed: external program exited with error status: 7
Sun Feb 21 19:33:05 2010 us=753120 Closing TUN/TAP interface
Sun Feb 21 19:33:05 2010 us=753153 /sbin/ifconfig tun0 0.0.0.0
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Sun Feb 21 19:33:05 2010 us=755617 Linux ip addr del failed: external program exited with error status: 255
Sun Feb 21 19:33:06 2010 us=6768 SIGTERM[hard,] received, process exiting
Sun Feb 21 19:33:06 2010 us=800205 Current Parameter Settings:
Sun Feb 21 19:33:06 2010 us=800279 config = '/etc/openvpn/vpn1.conf'
Sun Feb 21 19:33:06 2010 us=800293 mode = 1
Sun Feb 21 19:33:06 2010 us=800306 persist_config = DISABLED
Sun Feb 21 19:33:06 2010 us=800318 persist_mode = 1
Sun Feb 21 19:33:06 2010 us=800329 show_ciphers = DISABLED
Sun Feb 21 19:33:06 2010 us=800341 show_digests = DISABLED
Sun Feb 21 19:33:06 2010 us=800353 show_engines = DISABLED
Sun Feb 21 19:33:06 2010 us=800364 genkey = DISABLED
Sun Feb 21 19:33:06 2010 us=800376 key_pass_file = '[UNDEF]'
Sun Feb 21 19:33:06 2010 us=800388 show_tls_ciphers = DISABLED
Sun Feb 21 19:33:06 2010 us=800403 Connection profiles [default]:
Sun Feb 21 19:33:06 2010 us=800415 proto = udp
Sun Feb 21 19:33:06 2010 us=800427 local = '[UNDEF]'
Sun Feb 21 19:33:06 2010 us=800439 local_port = 1194
Sun Feb 21 19:33:06 2010 us=800451 remote = '[UNDEF]'
Sun Feb 21 19:33:06 2010 us=800463 remote_port = 1194
Sun Feb 21 19:33:06 2010 us=800474 remote_float = DISABLED
Sun Feb 21 19:33:06 2010 us=800486 bind_defined = DISABLED
Sun Feb 21 19:33:06 2010 us=800498 bind_local = ENABLED
Sun Feb 21 19:33:06 2010 us=800509 NOTE: --mute triggered...
Sun Feb 21 19:33:06 2010 us=800530 238 variation(s) on previous 20 message(s) suppressed by --mute
Sun Feb 21 19:33:06 2010 us=800546 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Sun Feb 21 19:33:06 2010 us=835925 Diffie-Hellman initialized with 2048 bit key
Sun Feb 21 19:33:06 2010 us=836219 WARNING: file 'keys/serverkey/serverkey.key' is group or others accessible
Sun Feb 21 19:33:06 2010 us=836638 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Sun Feb 21 19:33:06 2010 us=955593 TLS-Auth MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 21 19:33:06 2010 us=955856 ROUTE default_gateway=yyy.yyy.yyy.yyy
Sun Feb 21 19:33:06 2010 us=956122 TUN/TAP device tun0 opened
Sun Feb 21 19:33:06 2010 us=956154 TUN/TAP TX queue length set to 100
Sun Feb 21 19:33:06 2010 us=956185 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 21 19:33:06 2010 us=958224 /sbin/route add -net 10.8.0.0 netmask 255.255.0.0 gw 10.8.0.2
Sun Feb 21 19:33:06 2010 us=959557 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Feb 21 19:33:06 2010 us=960706 GID set to nogroup
Sun Feb 21 19:33:06 2010 us=960789 UID set to nobody
Sun Feb 21 19:33:06 2010 us=960821 Socket Buffers: R=[110592->131072] S=[110592->131072]
Sun Feb 21 19:33:06 2010 us=960844 UDPv4 link local (bound): [undef]:1194
Sun Feb 21 19:33:06 2010 us=960856 UDPv4 link remote: [undef]
Sun Feb 21 19:33:06 2010 us=960879 MULTI: multi_init called, r=256 v=256
Sun Feb 21 19:33:06 2010 us=961191 IFCONFIG POOL: base=10.8.0.4 size=16382
Sun Feb 21 19:33:06 2010 us=961250 IFCONFIG POOL LIST
Sun Feb 21 19:33:06 2010 us=961275 client1key,10.8.0.4
Sun Feb 21 19:33:06 2010 us=961339 Initialization Sequence Completed


Client log


Sun Feb 21 19:45:59 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Sun Feb 21 19:45:59 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Feb 21 19:45:59 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Feb 21 19:46:03 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Feb 21 19:46:03 2010 LZO compression initialized
Sun Feb 21 19:46:03 2010 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 21 19:46:03 2010 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Feb 21 19:46:03 2010 Local Options hash (VER=V4): '66096c33'
Sun Feb 21 19:46:03 2010 Expected Remote Options hash (VER=V4): '691e95c7'
Sun Feb 21 19:46:03 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Feb 21 19:46:03 2010 UDPv4 link local: [undef]
Sun Feb 21 19:46:03 2010 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sun Feb 21 19:46:03 2010 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=eba9a683 a57ad7a2
Sun Feb 21 19:46:04 2010 VERIFY OK: depth=1, /C=DE/ST=SH/L=HH/O=My/emailAddress=admin@server.de
Sun Feb 21 19:46:04 2010 VERIFY OK: depth=0, /C=DE/ST=SH/L=HH/O=My/OU=Office/CN=serverkey/emailAddress=admin@server.de
Sun Feb 21 19:46:04 2010 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Feb 21 19:46:04 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 21 19:46:04 2010 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Feb 21 19:46:04 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Feb 21 19:46:04 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Feb 21 19:46:04 2010 [serverkey] Peer Connection Initiated with 195.42.115.70:1194
Sun Feb 21 19:46:06 2010 SENT CONTROL [serverkey]: 'PUSH_REQUEST' (status=1)
Sun Feb 21 19:46:06 2010 PUSH: Received control message: 'PUSH_REPLY,route xxx.xxx.xxx.xxx 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Feb 21 19:46:06 2010 OPTIONS IMPORT: timers and/or timeouts modified
Sun Feb 21 19:46:06 2010 OPTIONS IMPORT: --ifconfig/up options modified
Sun Feb 21 19:46:06 2010 OPTIONS IMPORT: route options modified
Sun Feb 21 19:46:06 2010 ROUTE default_gateway=192.168.0.1
Sun Feb 21 19:46:06 2010 TAP-WIN32 device [LAN-Verbindung 3] opened: \\.\Global\{E681E2F0-661C-40F8-A390-A6B9A4F1816D}.tap
Sun Feb 21 19:46:06 2010 TAP-Win32 Driver Version 9.6
Sun Feb 21 19:46:06 2010 TAP-Win32 MTU=1500
Sun Feb 21 19:46:06 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {E681E2F0-661C-40F8-A390-A6B9A4F1816D} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Feb 21 19:46:06 2010 Successful ARP Flush on interface [16] {E681E2F0-661C-40F8-A390-A6B9A4F1816D}
Sun Feb 21 19:46:08 2010 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sun Feb 21 19:46:08 2010 C:\WINDOWS\system32\route.exe ADD xxx.xxx.xxx.xxx MASK 255.255.255.0 10.8.0.5
Sun Feb 21 19:46:08 2010 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun Feb 21 19:46:08 2010 Initialization Sequence Completed



http://img11.yfrog.com/img11/124/unbenanntuho.jpg

honkstar
22.02.10, 07:40
Hello,

Let's shed some light on this:
Your server in the data centre is presumably your OpenVPN server, the one you want to forward everything from?
Then iptables is your friend; keyword: NAT.


From the server I can't ping the client at 10.8.0.6.
Leaving the German aside, according to the logs 10.8.0.4 would be the more likely target.

If you want to connect even more things to each other, you have to check the routes on the individual systems so that all networks are known everywhere (even if only via a default GW).

HTH
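An added analysis script, not code from this thread or from OpenVPN, that reads the PUSH_REPLY line from the client log above: it lists what the server pushed, derives the client's net30 /30 block from the pushed ifconfig pair (which is why the server's pool list shows 10.8.0.4 while the client uses 10.8.0.6), and flags that no redirect-gateway option was pushed, so only the listed routes go through the tunnel and the laptop keeps its LAN default gateway. Both sample lines are constructed from the log above; the second one assumes the server additionally pushes `redirect-gateway def1`. The server-side NAT (iptables) that the reply recommends is not checked here.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY line from the client log above.
PUSH_REPLY_LINE = (
    "Sun Feb 21 19:46:06 2010 PUSH: Received control message: 'PUSH_REPLY,"
    "route xxx.xxx.xxx.xxx 255.255.255.0,route 10.8.0.1,topology net30,"
    "ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'"
)
# Constructed variant: the same reply once the server also pushes 'redirect-gateway def1',
# the directive that sends all client traffic through the tunnel (assumed fix, not from the thread).
FIXED_LINE = PUSH_REPLY_LINE.replace("topology net30", "redirect-gateway def1,topology net30")

def parse_push_reply(line):
    """Return the pushed options as token lists, or None if the line is not a PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    return [opt.split() for opt in m.group(1).split(",") if opt] if m else None

def net30_block(client_ip, peer_ip):
    """In topology net30 each client owns a /30; derive it from the pushed ifconfig pair."""
    block = ipaddress.ip_network(f"{client_ip}/30", strict=False)
    if ipaddress.ip_address(peer_ip) not in block:
        raise ValueError(f"peer {peer_ip} is not in the client's /30 {block}")
    return block

def analyse(line):
    """Summarise a PUSH_REPLY: routes, topology, addresses, redirect-gateway and findings."""
    r = {"routes": [], "redirect_gateway": False, "topology": None,
         "client_ip": None, "peer_ip": None, "net30": None, "findings": []}
    for opt in parse_push_reply(line) or []:
        if opt[0] == "route":
            r["routes"].append(" ".join(opt[1:]))
        elif opt[0] == "redirect-gateway":
            r["redirect_gateway"] = True
        elif opt[0] == "topology":
            r["topology"] = opt[1]
        elif opt[0] == "ifconfig":
            r["client_ip"], r["peer_ip"] = opt[1], opt[2]
    if r["topology"] == "net30" and r["client_ip"]:
        r["net30"] = str(net30_block(r["client_ip"], r["peer_ip"]))
        r["findings"].append(f"client {r['client_ip']} and server peer {r['peer_ip']} share "
                             f"{r['net30']}; the server's pool list shows its first address")
    if not r["redirect_gateway"]:
        r["findings"].append("no redirect-gateway pushed: only the listed routes use the "
                             "tunnel, Internet traffic still leaves via the LAN default gateway")
    return r

if __name__ == "__main__":
    for line in (PUSH_REPLY_LINE, FIXED_LINE):
        print("\n".join(analyse(line)["findings"]) or "all traffic is redirected through the tunnel")
```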