AbcLinuxu:/ Poradna / Linuxová poradna / Openvpn nevytvori zarizeni tun.

Štítky: distribuce, Gentoo, Internet, OpenVPN

Dotaz: Openvpn nevytvori zarizeni tun.

22.6.2007 11:57 OgeeN
Openvpn nevytvori zarizeni tun.

Přečteno: 1039×

Odpovědět | Admin

Ahoj, snazim se ted nakonfigurovat openvpn tunel mezi dvema linuxovymi servery. Jeden server je v modu server a druhy je v modu client(je za natem) Mod server funguje normalne. Problem mam s konfiguraci klienta. Kdyz se pokusim klienta spustit vrati se mi tohle:

Fri Jun 22 11:44:00 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Feb  2 2007
Fri Jun 22 11:44:00 2007 IMPORTANT: OpenVPN's default port number
is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Jun 22 11:44:00 2007 WARNING: file '/etc/openvpn/client.key' is group or others accessible
Fri Jun 22 11:44:00 2007 LZO compression initialized
Fri Jun 22 11:44:00 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jun 22 11:44:00 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/
1 ]
Fri Jun 22 11:44:00 2007 Local Options hash (VER=V4): '41690919'
Fri Jun 22 11:44:00 2007 Expected Remote Options hash (VER=V4): '530fdded'
Fri Jun 22 11:44:00 2007 NOTE: UID/GID downgrade will be delayed because of --client, --pull
, or --up-delay
Fri Jun 22 11:44:00 2007 UDPv4 link local: [undef]
Fri Jun 22 11:44:00 2007 UDPv4 link remote: 194.212.213.246:1194
Fri Jun 22 11:44:00 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Jun 22 11:44:02 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Jun 22 11:44:04 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Jun 22 11:44:06 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Jun 22 11:44:08 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Jun 22 11:44:10 2007 NOTE: --mute triggered...

Dalsi problem je, ze se vubec nevytvori sitove zarizeni tun i kdyz je potrebny modul s ovladacem zavedeny v jadre.

Konfigurace serveru:

port 1194
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

server 192.168.18.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.18.0 255.255.255.0"
client-to-client
#duplicate-cn
persist-key
persist-tun
keepalive 10 120

log-append /var/log/openvpn
status /var/run/openvpn/vpn.status 10
mute 5

user openvpn
comp-lzo
verb 3
max-clients 2

Konfigurace klienta:

tls-client
dev tun
proto udp
remote office.server.cz 1194
#resolv-retry infinite
nobind
user openvpn
group openvpn

pull

persist-key
persist-tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key

log-append /var/log/openvpn

ns-cert-type server

comp-lzo
verb 3
mute 5

Myslim si ze hlavni problem bude v tom, ze se na klientu nevytvori zarizeni tun.

Predem dekuju za rady.

Nástroje: Začni sledovat (1) ?

Odpovědi

22.6.2007 12:15 Scarabeus IV | skóre: 20 | blog: blogisek_o_gentoo | Praha
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

kdyz uz pouzivas openvpn tak si uprav initscript
do start si dej:

	modprobe tun
	tunctl -t tap0

a do stop:

	tunctl -d tap0
	rmmod tun

Potom kdyz si v konfigu nastavis dev tap0, tak by ti to melo fungovat.
Btw proc udp a ne tcp?

22.6.2007 12:37 OgeeN
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

modprobe uz v init skriptu je. tunctl nemam ani na serveru ani na klientu, pritom na serveru vse funguje jak ma. V jakem balicku tenhle programek najdu?

Na serveru je centos5 na klientu Centos4.

Dik za odpoved.

22.6.2007 13:07 Scarabeus IV | skóre: 20 | blog: blogisek_o_gentoo | Praha
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

V gentoo je to v baliku sys-apps/usermode-utilities.
Bohuzel ti nemuzu prozradit v jakem baliku je to pod centosem

22.6.2007 13:33 OgeeN
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

Tak uz sem se pohnul o trochu dal. Zmenil sem protokol na tcp a uz se mi vytvori tunely. Bohuzel tun zarizeni maji nejak zvlastne pridelene ip adresy.

Log z klienta:

Fri Jun 22 13:14:27 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Fe
b  2 2007
Fri Jun 22 13:14:27 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an o
fficial port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the def
ault port.
Fri Jun 22 13:14:27 2007 LZO compression initialized
Fri Jun 22 13:14:27 2007 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jun 22 13:14:27 2007 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jun 22 13:14:27 2007 Local Options hash (VER=V4): '69109d17'
Fri Jun 22 13:14:27 2007 Expected Remote Options hash (VER=V4): 'c0103fa8'
Fri Jun 22 13:14:27 2007 Attempting to establish TCP connection with 194.xxx.xxx.xxx:1194
Fri Jun 22 13:14:27 2007 TCP connection established with 194.xxx.xxx.xxx:1194
Fri Jun 22 13:14:27 2007 TCPv4_CLIENT link local: [undef]
Fri Jun 22 13:14:27 2007 TCPv4_CLIENT link remote: 194.xxx.xxx.xxx:1194
Fri Jun 22 13:14:28 2007 TLS: Initial packet from 194.xxx.xxx.xxx:1194, sid=988b07e3 5dfa8f7d
Fri Jun 22 13:14:28 2007 VERIFY OK: depth=1, /C=CZ/L=mesto/O=firma/CN=firma_CA/email
Address=root@firma.com
Fri Jun 22 13:14:28 2007 VERIFY OK: nsCertType=SERVER
Fri Jun 22 13:14:28 2007 VERIFY OK: depth=0, /C=CZ/L=mesto/O=firma/CN=server/emailAddre
ss=root@firma.com
Fri Jun 22 13:14:30 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 22 13:14:30 2007 NOTE: --mute triggered...
Fri Jun 22 13:14:30 2007 4 variation(s) on previous 5 message(s) suppressed by --mute
Fri Jun 22 13:14:30 2007 [server] Peer Connection Initiated with 194.xxx.xxx.xxx:1194
Fri Jun 22 13:14:31 2007 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jun 22 13:14:31 2007 PUSH: Received control message: 'PUSH_REPLY,route 192.168.18.0 255.
255.255.0,route 192.168.18.0 255.255.255.248,ping 10,ping-restart 120,ifconfig 192.168.18.6
192.168.18.5'
Fri Jun 22 13:14:31 2007 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 22 13:14:31 2007 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 22 13:14:31 2007 OPTIONS IMPORT: route options modified
Fri Jun 22 13:14:31 2007 TUN/TAP device tun0 opened
Fri Jun 22 13:14:31 2007 /sbin/ip link set dev tun0 up mtu 1500
Fri Jun 22 13:14:31 2007 /sbin/ip addr add dev tun0 local 192.168.18.6 peer 192.168.18.5
Fri Jun 22 13:14:31 2007 /sbin/ip route add 192.168.18.0/24 via 192.168.18.5
Fri Jun 22 13:14:31 2007 /sbin/ip route add 192.168.18.0/29 via 192.168.18.5
Fri Jun 22 13:14:31 2007 Initialization Sequence Completed

Log ze serveru:

Fri Jun 22 13:14:07 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Fri Jun 22 13:14:07 2007 Diffie-Hellman initialized with 1024 bit key
Fri Jun 22 13:14:07 2007 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jun 22 13:14:07 2007 TUN/TAP device tun0 opened
Fri Jun 22 13:14:07 2007 /sbin/ip link set dev tun0 up mtu 1500
Fri Jun 22 13:14:07 2007 /sbin/ip addr add dev tun0 local 192.168.18.1 peer 192.168.18.2
Fri Jun 22 13:14:07 2007 /sbin/ip route add 192.168.18.0/29 via 192.168.18.2
Fri Jun 22 13:14:07 2007 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jun 22 13:14:07 2007 UID set to openvpn
Fri Jun 22 13:14:07 2007 Listening for incoming TCP connection on [undef]:1194
Fri Jun 22 13:14:07 2007 TCPv4_SERVER link local (bound): [undef]:1194
Fri Jun 22 13:14:07 2007 TCPv4_SERVER link remote: [undef]
Fri Jun 22 13:14:07 2007 MULTI: multi_init called, r=256 v=256
Fri Jun 22 13:14:07 2007 IFCONFIG POOL: base=192.168.18.4 size=1
Fri Jun 22 13:14:07 2007 MULTI: TCP INIT maxclients=2 maxevents=6
Fri Jun 22 13:14:07 2007 Initialization Sequence Completed
Fri Jun 22 13:14:09 2007 MULTI: multi_create_instance called
Fri Jun 22 13:14:09 2007 Re-using SSL/TLS context
Fri Jun 22 13:14:09 2007 LZO compression initialized
Fri Jun 22 13:14:09 2007 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jun 22 13:14:09 2007 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jun 22 13:14:09 2007 Local Options hash (VER=V4): 'c0103fa8'
Fri Jun 22 13:14:09 2007 Expected Remote Options hash (VER=V4): '69109d17'
Fri Jun 22 13:14:09 2007 TCP connection established with 213.xxx.xxx.xxx:43726
Fri Jun 22 13:14:09 2007 TCPv4_SERVER link local: [undef]
Fri Jun 22 13:14:09 2007 TCPv4_SERVER link remote: 213.xxx.xxx.xxx:43726
Fri Jun 22 13:14:09 2007 213.xxx.xxx.xxx:43726 TLS: Initial packet from 213.xxx.xxx.xxx:43726, sid=bce544e6 4e9b82ef
Fri Jun 22 13:14:11 2007 213.xxx.xxx.xxx:43726 VERIFY OK: depth=1, /C=CZ/L=mesto/O=firma/CN=firma_CA/emailAdd
ress=root@firma.com
Fri Jun 22 13:14:11 2007 213.xxx.xxx.xxx:43726 VERIFY OK: depth=0, /C=CZ/L=mesto/O=firma/CN=client/emailAddress=
root@firma.com
Fri Jun 22 13:14:11 2007 213.xxx.xxx.xxx:43726 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 22 13:14:11 2007 213.xxx.xxx.xxx:43726 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authe
ntication
Fri Jun 22 13:14:11 2007 213.xxx.xxx.xxx:43726 NOTE: --mute triggered...
Fri Jun 22 13:14:12 2007 213.xxx.xxx.xxx:43726 3 variation(s) on previous 5 message(s) suppressed by --mute
Fri Jun 22 13:14:12 2007 213.xxx.xxx.xxx:43726 [client] Peer Connection Initiated with 213.xxx.xxx.xxx:43726
Fri Jun 22 13:14:12 2007 client/213.xxx.xxx.xxx:43726 MULTI: Learn: 192.168.18.6 -> client/213.xxx.xxx.xxx:43726
Fri Jun 22 13:14:12 2007 client/213.xxx.xxx.xxx:43726 MULTI: primary virtual IP for client/213.xxx.xxx.xxx:43726: 192.168.18.6
Fri Jun 22 13:14:13 2007 client/213.xxx.xxx.xxx:43726 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 22 13:14:13 2007 client/213.xxx.xxx.xxx:43726 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.18.0 255.255.2
55.0,route 192.168.18.0 255.255.255.248,ping 10,ping-restart 120,ifconfig 192.168.18.6 192.168.18.5' (status=1)

Stavajici konfigurace serveru:

port 1194
proto tcp-server
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 192.168.18.0 255.255.255.248
push "route 192.168.18.0 255.255.255.0"
client-to-client
persist-key
persist-tun
keepalive 10 120
log-append /var/log/openvpn
status /var/run/openvpn/vpn.status 10
mute 5
user openvpn
comp-lzo
verb 3
max-clients 2

Konfigurace klienta:

tls-client
proto tcp-client
remote office.baumatic.cz 1194
pull
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
log-append /var/log/openvpn
ns-cert-type server
comp-lzo
verb 3
mute 5

ip addr na serveru :

13: tun0: POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 192.168.18.1 peer 192.168.18.2/32 scope global tun0

ip addr na klientu:

9: tun0: POINTOPOINT,MULTICAST,NOARP,UP mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 192.168.18.6 peer 192.168.18.5/32 scope global tun0

Z klienta na server se skrz tunel nepingnu.

Dik za odpoved.

22.6.2007 15:12 houska | skóre: 41 | blog: HW
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

proc tcp?

22.6.2007 15:52 svaca | skóre: 38
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

Rozhodne UDP, na UDP port je OpenVPN delana. Poskytuje vetsi vykon. Nemusi kontrolovat pakety ...

Never give up ! Stay ATARI !

22.6.2007 19:49 houska | skóre: 41 | blog: HW
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

souhlasim, reagoval jsem na Srarabea ...

22.6.2007 22:26 Melkor
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

To je sice hezke, ale uz nekoliktar jsem se setkal s tim, ze nejaky "odbornik" po ceste nastavil router tak, ze UDP zahazoval :-(

Nasledovala zmena konfigurace serveru a vsech prislusnych klientu ...
Takze TCP sice neni tak vykonne, ale o neco malo bezpecnejsi (ve smyslu transportu na amatersky konfigurovanych sitich).

9.4.2008 23:13 LuděkS | skóre: 31 | blog: publish | Liberec
Rozbalit Rozbalit vše Re: Openvpn nevytvori zarizeni tun.

Zdravím, chtěl bych se zeptat jak to dopadlo s vytvořením zařízení tun při startu openvpn.
Narazil jsem nyní na podobný problém a docela mne to překvapilo, protože u starších konfigurací to funguje. Díky za odpověď.

Založit nové vlákno • Nahoru

Tiskni Sdílej: