AbcLinuxu portal, 26 April 2024 22:14


Question: VPN - network

31.12.2015 12:17 prco | score: 6
VPN - network
Read: 372×
Hello, could someone help me with designing a VPN? The problem is that I cannot create a connection that would allow the clients to communicate with each other. I have tried TAP and TUN, but without success. If someone would be willing to explain this topic to me, because I have been struggling with it for almost two weeks without results... The requirement is that IP addresses are assigned via certificates / CCD. I would be very grateful for any help.

Replies

31.12.2015 13:59 NN
Re: VPN - network
I would see the problem as identical LANs behind each VPN client. If such devices are supposed to communicate with each other and you cannot configure different networks, you will have to masquerade them.

What does your current client/server configuration look like?
2.1.2016 18:12 prco | score: 6
Re: VPN - network
Hi, in the end I managed to get it running, but now and then I have a problem with the client under Windows. I have to turn off the firewall (I tried to manually add a new trusted zone in ESET, but it does not work) and connect that way. And even that does not always succeed. Sometimes the connection comes up with errors and does not work at all. I have to shut down OpenVPN and stop and restart the network adapter "TAP-Windows Adapter V9". On the second or third attempt it works. The Linux clients have no complications at all.

Server:

port 17568
proto tcp
dev tun
server 10.86.0.0 255.255.255.0
ca vpn-server/ca.crt
cert vpn-server/server.crt
key vpn-server/server.key
dh vpn-server/dh2048.pem
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
script-security 2
client-to-client
client-config-dir ccd/vpn-server
cipher AES256
log vpn-server/vpn-server.log
status vpn-server/status.log



Client:
client
dev tun
proto tcp
remote 89.66.32.45 17568
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ns-cert-type server
script-security 2
pull

ca vpn-client/ca.crt
cert vpn-client/client1.crt
key vpn-client/client1.key
cipher AES256

log vpn-client/client1.log
status vpn-client/client1.log
2.1.2016 20:18 NN
Re: VPN - network
Please post the log of that problematic client. It could be a problem with a route, the firewall, or perhaps an error somewhere on the path..
3.1.2016 12:47 prco | score: 6
Re: VPN - network
It is a client under Windows - the server and the client are on the same network: 192.168.0.0/24
Sun Jan 03 12:28:41 2016 NOTE: --user option is not implemented on Windows
Sun Jan 03 12:28:41 2016 NOTE: --group option is not implemented on Windows
Sun Jan 03 12:28:41 2016 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
Sun Jan 03 12:28:41 2016 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Sun Jan 03 12:28:42 2016 Attempting to establish TCP connection with [AF_INET]192.168.0.182:17568 [nonblock]
Sun Jan 03 12:28:43 2016 TCP connection established with [AF_INET]192.168.0.182:17568
Sun Jan 03 12:28:43 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 03 12:28:43 2016 TCPv4_CLIENT link remote: [AF_INET]192.168.0.182:17568
Sun Jan 03 12:28:43 2016 [service] Peer Connection Initiated with [AF_INET]192.168.0.182:17568
Sun Jan 03 12:28:46 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jan 03 12:28:46 2016 open_tun, tt->ipv6=0
Sun Jan 03 12:28:46 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{8738C6A6-5D0C-46EA-B459-8C002D9B4DC3}.tap
Sun Jan 03 12:28:46 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.86.0.6/255.255.255.252 on interface {8738C6A6-5D0C-46EA-B459-8C002D9B4DC3} [DHCP-serv: 10.86.0.5, lease-time: 31536000]
Sun Jan 03 12:28:46 2016 Successful ARP Flush on interface [13] {8738C6A6-5D0C-46EA-B459-8C002D9B4DC3}
Sun Jan 03 12:29:21 2016 Warning: route gateway is not reachable on any active network adapters: 10.86.0.5
Sun Jan 03 12:29:21 2016 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 03 12:29:21 2016 SYSTEM ROUTING TABLE
Sun Jan 03 12:29:21 2016 0.0.0.0 0.0.0.0 192.168.0.2 p=0 i=3 t=4 pr=3 a=2068 h=0 m=20/0/0/0/0
Sun Jan 03 12:29:21 2016 10.86.0.0 255.255.255.0 10.86.0.5 p=0 i=3 t=4 pr=3 a=0 h=0 m=21/0/0/0/0
Sun Jan 03 12:29:21 2016 127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=2107 h=0 m=306/0/0/0/0
Sun Jan 03 12:29:21 2016 127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2107 h=0 m=306/0/0/0/0
Sun Jan 03 12:29:21 2016 127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2107 h=0 m=306/0/0/0/0
Sun Jan 03 12:29:21 2016 169.254.0.0 255.255.0.0 169.254.10.170 p=0 i=13 t=3 pr=2 a=2085 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 169.254.10.170 255.255.255.255 169.254.10.170 p=0 i=13 t=3 pr=2 a=2085 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 169.254.178.0 255.255.255.0 169.254.178.5 p=0 i=15 t=3 pr=2 a=1999 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 169.254.178.5 255.255.255.255 169.254.178.5 p=0 i=15 t=3 pr=2 a=1999 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 169.254.178.255 255.255.255.255 169.254.178.5 p=0 i=15 t=3 pr=2 a=1999 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 169.254.255.255 255.255.255.255 169.254.10.170 p=0 i=13 t=3 pr=2 a=2085 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 192.168.0.0 255.255.255.0 192.168.0.116 p=0 i=3 t=3 pr=2 a=2068 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 192.168.0.116 255.255.255.255 192.168.0.116 p=0 i=3 t=3 pr=2 a=2068 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 192.168.0.255 255.255.255.255 192.168.0.116 p=0 i=3 t=3 pr=2 a=2068 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 192.168.56.0 255.255.255.0 192.168.56.1 p=0 i=12 t=3 pr=2 a=2091 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 192.168.56.1 255.255.255.255 192.168.56.1 p=0 i=12 t=3 pr=2 a=2091 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 192.168.56.255 255.255.255.255 192.168.56.1 p=0 i=12 t=3 pr=2 a=2091 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=2107 h=0 m=306/0/0/0/0
Sun Jan 03 12:29:21 2016 224.0.0.0 240.0.0.0 192.168.56.1 p=0 i=12 t=3 pr=2 a=2095 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 224.0.0.0 240.0.0.0 169.254.10.170 p=0 i=13 t=3 pr=2 a=2095 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 224.0.0.0 240.0.0.0 169.254.178.5 p=0 i=15 t=3 pr=2 a=2094 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 224.0.0.0 240.0.0.0 192.168.0.116 p=0 i=3 t=3 pr=2 a=2093 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2107 h=0 m=306/0/0/0/0
Sun Jan 03 12:29:21 2016 255.255.255.255 255.255.255.255 192.168.56.1 p=0 i=12 t=3 pr=2 a=2095 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 255.255.255.255 255.255.255.255 169.254.10.170 p=0 i=13 t=3 pr=2 a=2095 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 255.255.255.255 255.255.255.255 169.254.178.5 p=0 i=15 t=3 pr=2 a=2094 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 255.255.255.255 255.255.255.255 192.168.0.116 p=0 i=3 t=3 pr=2 a=2093 h=0 m=276/0/0/0/0
Sun Jan 03 12:29:21 2016 SYSTEM ADAPTER LIST
Sun Jan 03 12:29:21 2016 Bluetooth Device (Personal Area Network) #2
Sun Jan 03 12:29:21 2016 Index = 17
Sun Jan 03 12:29:21 2016 GUID = {58C0B9CF-750F-4B17-96BD-54394E737E1D}
Sun Jan 03 12:29:21 2016 IP = 0.0.0.0/0.0.0.0
Sun Jan 03 12:29:21 2016 MAC = 00:11:b1:08:af:80
Sun Jan 03 12:29:21 2016 GATEWAY = 0.0.0.0/255.255.255.255
Sun Jan 03 12:29:21 2016 DHCP SERV =
Sun Jan 03 12:29:21 2016 DHCP LEASE OBTAINED = Sun Jan 03 12:29:21 2016
Sun Jan 03 12:29:21 2016 DHCP LEASE EXPIRES = Sun Jan 03 12:29:21 2016
Sun Jan 03 12:29:21 2016 DNS SERV =
Sun Jan 03 12:29:21 2016 TechniSat DVB-PC TV Star PCI #2
Sun Jan 03 12:29:21 2016 Index = 15
Sun Jan 03 12:29:21 2016 GUID = {E9E8E678-ADDB-458C-BC47-1294EC2952D5}
Sun Jan 03 12:29:21 2016 IP = 169.254.178.5/255.255.255.0
Sun Jan 03 12:29:21 2016 MAC = 00:d0:d7:16:12:c0
Sun Jan 03 12:29:21 2016 GATEWAY = 0.0.0.0/255.255.255.255
Sun Jan 03 12:29:21 2016 DHCP SERV = 169.254.178.1/255.255.255.255
Sun Jan 03 12:29:21 2016 DHCP LEASE OBTAINED = Sun Jan 03 11:56:02 2016
Sun Jan 03 12:29:21 2016 DHCP LEASE EXPIRES = Tue May 17 17:29:06 2016
Sun Jan 03 12:29:21 2016 DNS SERV = 110.0.0.0/255.255.255.255
Sun Jan 03 12:29:21 2016 TAP-Windows Adapter V9
Sun Jan 03 12:29:21 2016 Index = 13
Sun Jan 03 12:29:21 2016 GUID = {8738C6A6-5D0C-46EA-B459-8C002D9B4DC3}
Sun Jan 03 12:29:21 2016 IP = 169.254.10.170/255.255.0.0 ///I do not understand this line at all - the LAN network is 192.168.0.0 - 255.255.255.0, but the IP address here should be 10.86.0.6 - that is what OpenVPN shows. It is green and shows the assigned address I mentioned.
Sun Jan 03 12:29:21 2016 MAC = 00:ff:87:38:c6:a6
Sun Jan 03 12:29:21 2016 GATEWAY = 0.0.0.0/255.255.255.255
Sun Jan 03 12:29:21 2016 DHCP SERV = 0.0.0.0/255.255.255.255
Sun Jan 03 12:29:21 2016 DHCP LEASE OBTAINED = Sun Jan 03 12:29:21 2016
Sun Jan 03 12:29:21 2016 DHCP LEASE EXPIRES = Sun Jan 03 12:29:21 2016
Sun Jan 03 12:29:21 2016 DNS SERV =

Sun Jan 03 12:29:21 2016 Realtek PCIe GBE Family Controller
Sun Jan 03 12:29:21 2016 Index = 3
Sun Jan 03 12:29:21 2016 GUID = {BDFA701C-2D9A-48DF-8FC0-5D2E0A41045F}
Sun Jan 03 12:29:21 2016 IP = 192.168.0.116/255.255.255.0
Sun Jan 03 12:29:21 2016 MAC = 00:19:db:f7:5e:23
Sun Jan 03 12:29:21 2016 GATEWAY = 192.168.0.2/255.255.255.255
Sun Jan 03 12:29:21 2016 DHCP SERV = 192.168.0.2/255.255.255.255
Sun Jan 03 12:29:21 2016 DHCP LEASE OBTAINED = Sun Jan 03 11:56:06 2016
Sun Jan 03 12:29:21 2016 DHCP LEASE EXPIRES = Sun Jan 03 23:56:06 2016
Sun Jan 03 12:29:21 2016 DNS SERV = 192.168.0.2/255.255.255.255
Sun Jan 03 12:29:21 2016 VirtualBox Host-Only Ethernet Adapter
Sun Jan 03 12:29:21 2016 Index = 12
Sun Jan 03 12:29:21 2016 GUID = {D35CFE5A-2FDF-4AA8-9F9A-CB97C97234BB}
Sun Jan 03 12:29:21 2016 IP = 192.168.56.1/255.255.255.0
Sun Jan 03 12:29:21 2016 MAC = 08:00:27:00:48:19
Sun Jan 03 12:29:21 2016 GATEWAY = 0.0.0.0/255.255.255.255
Sun Jan 03 12:29:21 2016 DNS SERV =
Sun Jan 03 12:29:21 2016 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
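The log above carries three tell-tale lines: the "route gateway is not reachable" warning, a TAP adapter that reports a 169.254.x.x (APIPA, self-assigned) address instead of the 10.86.0.6 the server pushed, and the closing "Initialization Sequence Completed With Errors". The following Python is an added triage script, not code from the thread or from the OpenVPN project: it parses a Windows OpenVPN client log into a small report and turns those signs into findings, so a failed attempt can be told apart from a clean one without reading the whole log. The two sample logs are constructed and abbreviated from the thread's output; the adapter GUID is a placeholder.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample, modelled on the Windows client log quoted in the thread
# (abbreviated; the adapter GUID is a placeholder, not the poster's).
SAMPLE_LOG_ERRORS = """\
Sun Jan 03 12:28:41 2016 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
Sun Jan 03 12:28:43 2016 TCP connection established with [AF_INET]192.168.0.182:17568
Sun Jan 03 12:28:46 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.86.0.6/255.255.255.252 on interface {GUID-PLACEHOLDER} [DHCP-serv: 10.86.0.5, lease-time: 31536000]
Sun Jan 03 12:29:21 2016 Warning: route gateway is not reachable on any active network adapters: 10.86.0.5
Sun Jan 03 12:29:21 2016 SYSTEM ADAPTER LIST
Sun Jan 03 12:29:21 2016 TAP-Windows Adapter V9
Sun Jan 03 12:29:21 2016 Index = 13
Sun Jan 03 12:29:21 2016 IP = 169.254.10.170/255.255.0.0
Sun Jan 03 12:29:21 2016 Realtek PCIe GBE Family Controller
Sun Jan 03 12:29:21 2016 Index = 3
Sun Jan 03 12:29:21 2016 IP = 192.168.0.116/255.255.255.0
Sun Jan 03 12:29:21 2016 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
"""

# Constructed healthy counterpart, shaped like the poster's second attempt.
SAMPLE_LOG_OK = """\
Sun Jan 03 12:49:34 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.86.0.6/255.255.255.252 on interface {GUID-PLACEHOLDER} [DHCP-serv: 10.86.0.5, lease-time: 31536000]
Sun Jan 03 12:49:39 2016 Initialization Sequence Completed
"""

TS_RE = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} (.*)$")
ASSIGN_RE = re.compile(r"Notified TAP-Windows driver to set a DHCP IP/netmask of "
                       r"(?P<ip>[\d.]+)/(?P<mask>[\d.]+) on interface \S+ \[DHCP-serv: (?P<serv>[\d.]+)")
FIELD_RE = re.compile(r"^(Index|GUID|IP|MAC|GATEWAY|DHCP SERV|DHCP LEASE OBTAINED|"
                      r"DHCP LEASE EXPIRES|DNS SERV) =\s*(.*)$")
APIPA = IPv4Network("169.254.0.0/16")  # self-assigned range: the DHCP lease never took


def parse_openvpn_log(text):
    """Pull the facts that matter for triage out of a Windows OpenVPN client log."""
    report = {"assigned_ip": None, "assigned_mask": None, "dhcp_server": None,
              "warnings": [], "adapters": {}, "status": "incomplete"}
    in_adapters, current = False, None
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue                      # not a timestamped OpenVPN line
        msg = m.group(1).strip()
        a = ASSIGN_RE.search(msg)
        if a:
            report.update(assigned_ip=a["ip"], assigned_mask=a["mask"], dhcp_server=a["serv"])
        elif msg.startswith("Warning:"):
            report["warnings"].append(msg[len("Warning:"):].strip())
        elif msg.startswith("Initialization Sequence Completed With Errors"):
            report["status"], in_adapters = "errors", False
        elif msg.startswith("Initialization Sequence Completed"):
            report["status"], in_adapters = "ok", False
        elif msg == "SYSTEM ADAPTER LIST":
            in_adapters = True
        elif msg == "SYSTEM ROUTING TABLE":
            in_adapters = False
        elif in_adapters:
            f = FIELD_RE.match(msg)
            if f is None:                 # a line without "X = " names a new adapter
                current = msg
                report["adapters"].setdefault(current, None)
            elif f.group(1) == "IP" and current is not None:
                value = f.group(2).split()  # tolerate notes appended after the value
                report["adapters"][current] = value[0] if value else None
    return report


def triage(report):
    """Turn a parsed report into (code, message) findings."""
    findings = []
    if report["status"] == "errors":
        findings.append(("COMPLETED_WITH_ERRORS", "'Initialization Sequence Completed With Errors' logged"))
    elif report["status"] == "incomplete":
        findings.append(("NO_COMPLETION", "no 'Initialization Sequence Completed' line; tunnel never came up"))
    for w in report["warnings"]:
        if "route gateway is not reachable" in w:
            findings.append(("GATEWAY_UNREACHABLE", w))
    tap_ip = next((ip for name, ip in report["adapters"].items() if "TAP-Windows" in name), None)
    if report["assigned_ip"] and tap_ip:
        actual = tap_ip.split("/")[0]
        if actual != report["assigned_ip"]:
            code = "TAP_APIPA_FALLBACK" if IPv4Address(actual) in APIPA else "TAP_ADDRESS_MISMATCH"
            findings.append((code, f"TAP adapter holds {actual}, server pushed {report['assigned_ip']}"))
    return findings


def finding_codes(text):
    return [code for code, _ in triage(parse_openvpn_log(text))]


if __name__ == "__main__":
    for label, log in (("first attempt", SAMPLE_LOG_ERRORS), ("second attempt", SAMPLE_LOG_OK)):
        print(label)
        for code, msg in triage(parse_openvpn_log(log)):
            print(f"  [{code}] {msg}")
```

On the constructed failing log the script reports all three findings; on the clean one it reports none. The APIPA check is the useful one in practice: a TAP adapter stuck on 169.254.x.x means the address offered by the TAP driver's internal DHCP server was never applied, which is exactly the condition the OpenVPN FAQ link in the last log line refers to.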
3.1.2016 13:05 prco | score: 6
Re: VPN - network
And this is what the second attempt to connect to the network looked like:
Sun Jan 03 12:49:30 2016 NOTE: --user option is not implemented on Windows
Sun Jan 03 12:49:30 2016 NOTE: --group option is not implemented on Windows
Sun Jan 03 12:49:30 2016 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
Sun Jan 03 12:49:30 2016 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Sun Jan 03 12:49:30 2016 Attempting to establish TCP connection with [AF_INET]192.168.0.182:14589 [nonblock]
Sun Jan 03 12:49:31 2016 TCP connection established with [AF_INET]192.168.0.182:14589
Sun Jan 03 12:49:31 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 03 12:49:31 2016 TCPv4_CLIENT link remote: [AF_INET]192.168.0.182:14589
Sun Jan 03 12:49:32 2016 [service] Peer Connection Initiated with [AF_INET]192.168.0.182:14589
Sun Jan 03 12:49:34 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jan 03 12:49:34 2016 open_tun, tt->ipv6=0
Sun Jan 03 12:49:34 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{8738C6A6-5D0C-46EA-B459-8C002D9B4DC3}.tap
Sun Jan 03 12:49:34 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.86.0.6/255.255.255.252 on interface {8738C6A6-5D0C-46EA-B459-8C002D9B4DC3} [DHCP-serv: 10.86.0.5, lease-time: 31536000]
Sun Jan 03 12:49:34 2016 Successful ARP Flush on interface [13] {8738C6A6-5D0C-46EA-B459-8C002D9B4DC3}
Sun Jan 03 12:49:39 2016 Initialization Sequence Complet


Routing table: (I do not understand it much)
===========================================================================
Interface List
17...00 11 b1 08 af 80 ......Bluetooth Device (Personal Area Network) #2
15...00 d0 d7 16 12 c0 ......TechniSat DVB-PC TV Star PCI #2
13...00 ff 87 38 c6 a6 ......TAP-Windows Adapter V9
3...00 19 db f7 5e 23 ......Realtek PCIe GBE Family Controller
12...08 00 27 00 48 19 ......VirtualBox Host-Only Ethernet Adapter
1...........................Software Loopback Interface 1
7...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
9...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.2 192.168.0.116 20
10.86.0.0 255.255.255.0 10.86.0.5 10.86.0.6 20
10.86.0.4 255.255.255.252 On-link 10.86.0.6 276 // I do not know what this address is - in the server config I assign ifconfig-push 10.86.0.6 10.86.0.5
10.86.0.6 255.255.255.255 On-link 10.86.0.6 276
10.86.0.7 255.255.255.255 On-link 10.86.0.6 276 // the same applies to this address
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.178.0 255.255.255.0 On-link 169.254.178.5 276
169.254.178.5 255.255.255.255 On-link 169.254.178.5 276
169.254.178.255 255.255.255.255 On-link 169.254.178.5 276
192.168.0.0 255.255.255.0 On-link 192.168.0.116 276
192.168.0.116 255.255.255.255 On-link 192.168.0.116 276
192.168.0.255 255.255.255.255 On-link 192.168.0.116 276
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 10.86.0.6 276
224.0.0.0 240.0.0.0 On-link 169.254.178.5 276
224.0.0.0 240.0.0.0 On-link 192.168.0.116 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 10.86.0.6 276
255.255.255.255 255.255.255.255 On-link 169.254.178.5 276
255.255.255.255 255.255.255.255 On-link 192.168.0.116 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
12 276 fe80::/64 On-link
13 276 fe80::/64 On-link
15 276 fe80::/64 On-link
3 276 fe80::/64 On-link
12 276 fe80::45bc:8cab:89ba:5e9c/128 On-link
3 276 fe80::8c4e:646b:d10d:bacf/128 On-link
15 276 fe80::c133:4e3c:b792:3aeb/128 On-link
13 276 fe80::d81d:ae05:4d41:aaa/128 On-link
1 306 ff00::/8 On-link
12 276 ff00::/8 On-link
13 276 ff00::/8 On-link
15 276 ff00::/8 On-link
3 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
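The two routes the poster asks about (10.86.0.4/30 and 10.86.0.7/32) follow from OpenVPN's default tun topology, net30: every client gets its own /30, so the pair ifconfig-push 10.86.0.6 10.86.0.5 lives in 10.86.0.4/30, whose network address is 10.86.0.4 and whose broadcast address is 10.86.0.7; the client log line "DHCP IP/netmask of 10.86.0.6/255.255.255.252" is that same /30. The Python below is an added example, not code from the thread or from the OpenVPN project: it computes the block and the on-link routes a Windows client installs for such a pair, and audits a set of CCD ifconfig-push pairs against the server directive (aligned /30, inside the VPN network, no block used twice, and not the first /30, which the server itself occupies as 10.86.0.1/10.86.0.2). The CCD client names and every entry except client1's pair are constructed.

```python
from ipaddress import IPv4Address, IPv4Network


def net30_block(client_ip, server_ip):
    """The /30 an `ifconfig-push client server` pair occupies under OpenVPN's
    default tun topology (net30). Raises if the two addresses are not exactly
    the two usable hosts of one aligned /30, which Windows TAP clients require."""
    c, s = IPv4Address(client_ip), IPv4Address(server_ip)
    block = IPv4Network(f"{c}/30", strict=False)
    if set(block.hosts()) != {c, s}:
        raise ValueError(f"{client_ip}/{server_ip} is not the host pair of an aligned /30 ({block})")
    return block


def client_routes(client_ip, server_ip):
    """Routes the Windows client ends up with for the pair: the /30 itself on-link,
    the client's own /32 and the /30's broadcast /32 (the three entries the
    poster's route table shows for 10.86.0.4, 10.86.0.6 and 10.86.0.7)."""
    block = net30_block(client_ip, server_ip)
    return [str(block), f"{client_ip}/32", f"{block.broadcast_address}/32"]


def audit_ccd(server_directive, ccd):
    """Check static CCD assignments against the `server` directive.
    server_directive: (network, netmask) as in `server 10.86.0.0 255.255.255.0`
    ccd: {client_name: (client_ip, server_ip)} as read from `ifconfig-push` lines.
    Returns (client_name, problem) for malformed pairs, pairs outside the VPN
    network, and /30 blocks used twice. The first /30 of the network belongs to
    the server: `server` expands to `ifconfig 10.86.0.1 10.86.0.2` there."""
    vpn_net = IPv4Network(f"{server_directive[0]}/{server_directive[1]}")
    used = {"the server itself": next(vpn_net.subnets(new_prefix=30))}
    problems = []
    for name, (c, s) in ccd.items():
        try:
            block = net30_block(c, s)
        except ValueError as exc:
            problems.append((name, str(exc)))
            continue
        if not block.subnet_of(vpn_net):
            problems.append((name, f"{block} lies outside {vpn_net}"))
            continue
        owner = next((n for n, b in used.items() if b == block), None)
        if owner is not None:
            problems.append((name, f"{block} already used by {owner}"))
        else:
            used[name] = block
    return problems


# Constructed CCD contents (hypothetical names; only client1's pair is from the thread).
CCD_EXAMPLE = {
    "client1": ("10.86.0.6", "10.86.0.5"),
    "client2": ("10.86.0.10", "10.86.0.9"),
    "bad-pair": ("10.86.0.8", "10.86.0.7"),      # 8 is a network address, 7 a broadcast
    "duplicate": ("10.86.0.6", "10.86.0.5"),     # same /30 as client1
    "steals-server": ("10.86.0.2", "10.86.0.1"), # the server's own /30
    "wrong-net": ("10.87.0.6", "10.87.0.5"),     # valid pair, but not in 10.86.0.0/24
}

if __name__ == "__main__":
    print(net30_block("10.86.0.6", "10.86.0.5"), client_routes("10.86.0.6", "10.86.0.5"))
    for name, problem in audit_ccd(("10.86.0.0", "255.255.255.0"), CCD_EXAMPLE):
        print(f"{name}: {problem}")
```

Running it prints 10.86.0.4/30 with the three routes from the poster's table, then one line for each of the four faulty constructed entries; client1 and client2 pass. The audit is worth running whenever CCD files are edited by hand, since OpenVPN will happily hand out an overlapping or misaligned pair and the symptom only shows up on the client.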
31.12.2015 18:13 lertimir | score: 64 | blog: Par_slov
Re: VPN - network
I believe the client-to-client directive enables that communication.
2.1.2016 18:13 prco | score: 6
Re: VPN - network
Yes, I am using that setting.


ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.