Portál AbcLinuxu, 6. května 2025 01:31

Dotaz: ovpn spojenie

30.1.2016 20:19 jany2 | skóre: 30 | blog: jany_blog
ovpn spojenie
Přečteno: 1255×
Odpovědět | Admin
Snazim sa rozbehnut ovpn, ale mam s tym dost problem. Postupoval som podla toho navodu. Urobil som nejake zmeny, napr. DNS servery som pouzil google 
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Dalej som vynechal komplet nastavenie Packet Forwarding, pretoze som to pochopil tak, ze vpn klienti maju skrz vpn pristup do inetu (a toto ja nemam v umysle (chcem aby klienti mohli len na server a dalej uz nie)). Dalej som needitoval tiez 
/etc/ufw/before.rules
Cez generovanie certifikatov a klucov som sa dostal az na koniec a spustil som sluzbu, ktora bez problemov funguje. 
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Problem mam pripojit sa ci uz z linuxu, alebo win na server.
Skusal som to z win_xp pomocou win openvpn klienta.
U klienta su potrebne tieto subory 
client1.crt
client1.key
client.ovpn
ca.crt
a hlavne spravne nakonfigurovany 
client.ovpn
Podla how to ma client.ovpn obsahovat aspon toto: 
remote 192.168.1.2 1194
ca ca.crt 
cert client.crt 
key client.key 
#pouzil som relativne cesty, kedze subory su spolu s client.ovpn v jednom adresary
a to je hadam aj vsetko. V konfiguracnom subore je toho ale trocha viac. Nejake example som nasiel a trocha som si ich upravil 
dev tun
proto udp-client
remote 192.168.1.2 1194
ca ca.crt
cert client01.crt #tak isto ako aj na servery
key client01.key #tak isto ako aj na servery
tls-client
port 1194
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 6
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass login
dhcp-option DNS 8.8.8.8
route 192.168.1.0 255.255.255.0 10.8.0.1
redirect-gateway
Nechce sa pripojit ani s tymto nastavenim. Uz si nespominam co bolo v logu, ale ak sa to dlhsie nepripajalo, tak tam drblo nejaku blbu adresu 169.x.x.x (nie 10.8.0.x ako by malo).
Zatial to testujem len v LAN (vid obrazok a chcem sa pripojit jednym z PC (ktory je v switchi) na 10.8.0.1 (na obr je zle ( 10.0.0.1)).
Ak by toto fungovalo, chcel by som to skusit na wan.
Vyzera to ale na porod :)
Ak je potrebny log, tak ho sem mozem zajtra copnut (dnes uz fakt nevladzem :) )
upozornujem, ze v linuxe som vecny zaciatocnik ...
Nástroje: Začni sledovat (1) ?Zašle upozornění na váš email při vložení nového komentáře.

Odpovědi

30.1.2016 21:27 NN
Rozbalit Rozbalit vše Re: ovpn spojenie
Odpovědět | | Sbalit | Link | Blokovat | Admin
Nemusel si zakladat nove vlakno, ale nevadi.. Na Mikrotiku potrebujes pronatovat UDP 1194 na 192.168.1.2 z te verejne: 
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=udp dst-port=1194 \
    action=dst-nat to-addresses=192.168.1.2 to-ports=1194
Ktera zaroven patri do konfigurace klenta: 
remote 90.60.90.60 1194
Mimochodem, kdyz uz mas ten Mikrotik mohl jsi VPN sestavit uz na nem, cela tahle sarada je uplne zbytecna..
31.1.2016 09:38 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Nove vlakno som zalozil, preto, lebo uz sa to nehodilo k titulku (tap, alebo tun). V tomto by som chcel vlastne trocha rozobrat pochopenie a detaily OVPN.
Vlastne som aj trochu rad, ze si nacal mikrotik, pretoze ja som si najprv postavil ovpn na mikrotiku podla tohto navodu a znova som spojenie skusal, ale len v ramci LAN a v ramci LAN to funguje. Do WAN som to zatial neskusal, ale uz som si kupil 3G modem a mozem spojenie testovat.
Je mi to vlastne jedno ci bude OVPN na mikrotiku, alebo na linuxe x86, dolezite je, aby spravne fungovalo (podla mojich poziadaviek) a bolo dobre zabezpecene.
Spojenie niekedy nefunguje a clovek (laik) nema ponatie preco. Nepozna principy, nepozna nastroje ako to odsledovat a niekedy uplne staci jemne pozmenit urcitu direktivu v konfiguraku a odrazu vsetko funguje.
Siete, linux a celkovo vypoctova technika nie je mojou pracou, ale cisto len konickom (nestudoval som to). Aj ked na internete je spusta kvalitnych materialov pre studium i ked bohuzial na nestastie vacsinou su v anglickom jazyku (nie vzdy to dokazem spravne pochopit).
Vratme sa k tomu OVPN, preco sa klient nechce spojit so serverom. Zrejme podla toho navodu v client.ovpn nestacia 4 riadky s remote, ca,cert a key, ale je potrebne ho o nieco doplnit, napr. ze sa jedna o klienta, urcit protokol a pod...
Aj ked som pouzil akysi example, ktory som si upravil aby to bolo v sulade s konfigurakom na servery, tak ani vtedy sa to nepripojilo. Skusim tu este dat konfiguraky servera a klienta, ci niekto nenajde nejaku chybu.
thx
upozornujem, ze v linuxe som vecny zaciatocnik ...
31.1.2016 09:59 NN
Rozbalit Rozbalit vše Re: ovpn spojenie
Doporucuji ceskou knihu TCP/IP & DNS(Dostalek, Kabelova). Tam se napriklad dozvis, ze nektere "privatni" IP adresy nejsou smerovane v "internetu" a dalsi..
31.1.2016 10:35 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Kniha je volne dostupna aj tu, tak som si ju stiahol, ale nemyslim si, ze po precitani budem guru. Chce to hodne trenovat a robit prakticke skusky/pokusy (teoria je sice dobra, ale prax je dolezitejsia). Poznam teoretikoch, ktori toho narozpravaju, ale maju problem prakticky urobit jednoduche veci.

odkaz na knihu byl smazán
upozornujem, ze v linuxe som vecny zaciatocnik ...
31.1.2016 14:51 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Tak skusim tu dat este conf subory servera, klienta a log s klienta
server.conf 
port 1194

;proto tcp
proto udp

;dev tap
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

;client-to-client

;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

comp-lzo

;max-clients 100

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

;log         openvpn.log
;log-append  openvpn.log

verb 3

;mute 20
client.ovpn 
client

;dev tap
dev tun

;dev-node MyTap

;proto tcp
proto udp


remote 192.168.1.2 1194
;remote my-server-2 1194

;resolv-retry infinite

;nobind

# Downgrade privileges after initialization (non-Windows only)
#user nobody
#group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

;mute-replay-warnings

ca ca.crt
cert client01.crt
key client01.key


# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

;cipher x

comp-lzo

verb 3

;mute 20

route 192.168.1.0 255.255.255.0 10.8.0.1
a este log
Sun Jan 31 14:23:25 2016 OpenVPN 2.3.10 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan  4 2016
Sun Jan 31 14:23:25 2016 Windows version 5.1 (Windows XP)
Sun Jan 31 14:23:25 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Enter Management Password:
Sun Jan 31 14:23:25 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun Jan 31 14:23:25 2016 Need hold release from management interface, waiting...
Sun Jan 31 14:23:25 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun Jan 31 14:23:25 2016 MANAGEMENT: CMD 'state on'
Sun Jan 31 14:23:25 2016 MANAGEMENT: CMD 'log all on'
Sun Jan 31 14:23:25 2016 MANAGEMENT: CMD 'hold off'
Sun Jan 31 14:23:25 2016 MANAGEMENT: CMD 'hold release'
Sun Jan 31 14:23:25 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 31 14:23:26 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 31 14:23:26 2016 UDPv4 link local (bound): [undef]
Sun Jan 31 14:23:26 2016 UDPv4 link remote: [AF_INET]192.168.1.2:1194
Sun Jan 31 14:23:26 2016 MANAGEMENT: >STATE:1454246606,WAIT,,,
Sun Jan 31 14:23:26 2016 MANAGEMENT: >STATE:1454246606,AUTH,,,
Sun Jan 31 14:23:26 2016 TLS: Initial packet from [AF_INET]192.168.1.2:1194, sid=83ba07e9 d24759ee
Sun Jan 31 14:23:26 2016 VERIFY OK: depth=1, C=FR, ST=PA, L=PARIS, O=Paris, OU=Paris-UNIT, CN=Paris CA, name=server, emailAddress=Paris@Paris.fr
Sun Jan 31 14:23:26 2016 VERIFY OK: depth=0, C=FR, ST=PA, L=PARIS, O=Paris, OU=Paris-UNIT, CN=server, name=server, emailAddress=Paris@Paris.fr
Sun Jan 31 14:23:31 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 31 14:23:31 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 31 14:23:31 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 31 14:23:31 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 31 14:23:31 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Jan 31 14:23:31 2016 [server] Peer Connection Initiated with [AF_INET]192.168.1.2:1194
Sun Jan 31 14:23:33 2016 MANAGEMENT: >STATE:1454246613,GET_CONFIG,,,
Sun Jan 31 14:23:34 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Jan 31 14:23:34 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Jan 31 14:23:34 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 31 14:23:34 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 31 14:23:34 2016 OPTIONS IMPORT: route options modified
Sun Jan 31 14:23:34 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 31 14:23:34 2016 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=3 HWADDR=00:13:ce:60:30:16
Sun Jan 31 14:23:34 2016 ROUTE: bypass_host_route[0]=192.168.2.1
Sun Jan 31 14:23:34 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jan 31 14:23:34 2016 MANAGEMENT: >STATE:1454246614,ASSIGN_IP,,10.8.0.6,
Sun Jan 31 14:23:34 2016 open_tun, tt->ipv6=0
Sun Jan 31 14:23:34 2016 TAP-WIN32 device [Lokálne pripojenie 2] opened: \\.\Global\{098516AC-5390-402B-91B8-EC9633F75C0C}.tap
Sun Jan 31 14:23:34 2016 TAP-Windows Driver Version 9.9 
Sun Jan 31 14:23:34 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {098516AC-5390-402B-91B8-EC9633F75C0C} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Jan 31 14:23:34 2016 Successful ARP Flush on interface [4] {098516AC-5390-402B-91B8-EC9633F75C0C}
Sun Jan 31 14:23:39 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:39 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:44 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:44 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:45 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:45 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:46 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:46 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:47 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:47 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:48 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:48 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:49 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:49 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:50 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:50 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:52 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:52 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:53 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:53 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:54 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:54 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:55 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:55 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:56 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:56 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:57 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:57 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:58 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:58 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:23:59 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:23:59 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:00 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:00 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:02 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:02 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:03 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:03 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:04 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:04 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:05 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:05 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:06 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:06 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:07 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:07 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:08 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:08 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Jan 31 14:24:09 2016 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Jan 31 14:24:09 2016 C:\WINDOWS\system32\route.exe ADD 192.168.1.2 MASK 255.255.255.255 192.168.1.1 IF 3
Sun Jan 31 14:24:09 2016 Route addition via IPAPI succeeded [adaptive]
Sun Jan 31 14:24:09 2016 C:\WINDOWS\system32\route.exe ADD 192.168.2.1 MASK 255.255.255.255 192.168.1.1
Sun Jan 31 14:24:09 2016 Route addition via IPAPI succeeded [adaptive]
Sun Jan 31 14:24:09 2016 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jan 31 14:24:09 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.5
Sun Jan 31 14:24:09 2016 Route addition via IPAPI failed [adaptive]
Sun Jan 31 14:24:09 2016 Route addition fallback to route.exe
Sun Jan 31 14:24:09 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 31 14:24:10 2016 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jan 31 14:24:10 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.5
Sun Jan 31 14:24:10 2016 Route addition via IPAPI failed [adaptive]
Sun Jan 31 14:24:10 2016 Route addition fallback to route.exe
Sun Jan 31 14:24:10 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 31 14:24:10 2016 MANAGEMENT: >STATE:1454246650,ADD_ROUTES,,,
Sun Jan 31 14:24:10 2016 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.1
Sun Jan 31 14:24:10 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1
Sun Jan 31 14:24:10 2016 Route addition via IPAPI failed [adaptive]
Sun Jan 31 14:24:10 2016 Route addition fallback to route.exe
Sun Jan 31 14:24:10 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 31 14:24:10 2016 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun Jan 31 14:24:10 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.5
Sun Jan 31 14:24:10 2016 Route addition via IPAPI failed [adaptive]
Sun Jan 31 14:24:10 2016 Route addition fallback to route.exe
Sun Jan 31 14:24:10 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
SYSTEM ROUTING TABLE
0.0.0.0 0.0.0.0 192.168.1.1 p=0 i=3 t=4 pr=3 a=980 h=0 m=25/-1/-1/-1/-1
127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=1007 h=0 m=1/-1/-1/-1/-1
192.168.1.0 255.255.255.0 192.168.1.7 p=0 i=3 t=3 pr=2 a=982 h=0 m=25/-1/-1/-1/-1
192.168.1.2 255.255.255.255 192.168.1.1 p=0 i=3 t=4 pr=3 a=1 h=0 m=1/-1/-1/-1/-1
192.168.1.7 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=982 h=0 m=25/-1/-1/-1/-1
192.168.1.255 255.255.255.255 192.168.1.7 p=0 i=3 t=3 pr=2 a=982 h=0 m=25/-1/-1/-1/-1
192.168.2.1 255.255.255.255 192.168.1.1 p=0 i=3 t=4 pr=3 a=1 h=0 m=1/-1/-1/-1/-1
224.0.0.0 240.0.0.0 192.168.1.7 p=0 i=3 t=3 pr=2 a=982 h=0 m=25/-1/-1/-1/-1
255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=3 t=3 pr=2 a=1007 h=0 m=1/-1/-1/-1/-1
255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=2 t=3 pr=2 a=1007 h=0 m=1/-1/-1/-1/-1
255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=65542 t=3 pr=2 a=1001 h=0 m=1/-1/-1/-1/-1
255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=4 t=3 pr=2 a=1007 h=0 m=1/-1/-1/-1/-1
SYSTEM ADAPTER LIST
TAP-Windows Adapter V9 - Packet Scheduler Miniport
  Index = 4
  GUID = {098516AC-5390-402B-91B8-EC9633F75C0C}
  IP = 0.0.0.0/0.0.0.0 
  MAC = 00:ff:09:85:16:ac
  GATEWAY =  
  DHCP SERV = 255.255.255.255 
  DHCP LEASE OBTAINED = Sun Jan 31 14:21:14 2016
  DHCP LEASE EXPIRES  = Tue Jan 19 04:14:07 2038
  DNS SERV =  
Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
  Index = 3
  GUID = {0867CEE4-FEBF-42A6-8CC5-B9DFB2B74B03}
  IP = 192.168.1.7/255.255.255.0 
  MAC = 00:13:ce:60:30:16
  GATEWAY = 192.168.1.1/0.0.0.0 
  DHCP SERV = 192.168.2.1 
  DHCP LEASE OBTAINED = Sun Jan 31 14:07:48 2016
  DHCP LEASE EXPIRES  = Wed Feb 03 14:07:48 2016
  DNS SERV = 192.168.1.1 
Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
  Index = 2
  GUID = {97B8AB14-3E29-4E4F-8ACD-0B7A41126419}
  IP = 0.0.0.0/0.0.0.0 
  MAC = 00:12:3f:fc:4b:3d
  GATEWAY =  
  DHCP SERV = 255.255.255.255 
  DHCP LEASE OBTAINED = Mon Dec 07 17:29:13 2015
  DHCP LEASE EXPIRES  = Tue Jan 19 04:14:07 2038
  DNS SERV =  
Bluetooth Device (Personal Area Network)
  Index = 65542
  GUID = {264634EB-5730-4CA7-B924-10D07ED7786C}
  IP = 0.0.0.0/0.0.0.0 
  MAC = 00:10:c6:cb:49:28
  GATEWAY =  
  DHCP SERV =  
  DHCP LEASE OBTAINED = Tue Jan 19 04:14:07 2038
  DHCP LEASE EXPIRES  = Tue Jan 19 04:14:07 2038
  DNS SERV =  
Sun Jan 31 14:24:11 2016 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Sun Jan 31 14:24:11 2016 MANAGEMENT: >STATE:1454246651,CONNECTED,ERROR,10.8.0.6,192.168.1.2
upozornujem, ze v linuxe som vecny zaciatocnik ...
31.1.2016 17:35 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Akymsi zazrakom som sa pripojil z linuxu (NTB realna IP 192.168.1.5) na OVPN server (realna IP 192.168.1.2).
Cize aspon toto funguje :)
Server ifconfig 
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
NTB ifconfig 
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Pouzity konfig u klienta 
dev tun
client
proto udp
remote 192.168.1.2 1194
ca ca.crt
cert client01.crt
key client01.key
port 1194
ping 15
ping-restart 45
ping-timer-rem
dhcp-option DNS 8.8.8.8
route 192.168.1.0 255.255.255.0 10.8.0.1
redirect-gateway
IP adresu pekne pridelilo, ale to je zatial vsetko, nedokazem ani pingnut.

S windows xp sa mi stale nepodarilo pripojit, ale aspon som sa posunul dalej (config je ten isty ako na linuxe). BTW win ma az tak netrapi, ale bolo by fajn, keby to aj tam fungovalo.Log s windowsu 
Sun Jan 31 17:04:44 2016 OpenVPN 2.3.10 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan  4 2016
Sun Jan 31 17:04:44 2016 Windows version 5.1 (Windows XP)
Sun Jan 31 17:04:44 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Sun Jan 31 17:04:44 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 31 17:04:44 2016 UDPv4 link local (bound): [undef]
Sun Jan 31 17:04:44 2016 UDPv4 link remote: [AF_INET]192.168.1.2:1194
Sun Jan 31 17:04:49 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Sun Jan 31 17:04:49 2016 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sun Jan 31 17:04:49 2016 [server] Peer Connection Initiated with [AF_INET]192.168.1.2:1194
Sun Jan 31 17:04:51 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jan 31 17:04:51 2016 open_tun, tt->ipv6=0
Sun Jan 31 17:04:51 2016 TAP-WIN32 device [Lokálne pripojenie 2] opened: \\.\Global\{098516AC-5390-402B-91B8-EC9633F75C0C}.tap
Sun Jan 31 17:04:51 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {098516AC-5390-402B-91B8-EC9633F75C0C} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Jan 31 17:04:51 2016 Successful ARP Flush on interface [4] {098516AC-5390-402B-91B8-EC9633F75C0C}
Sun Jan 31 17:05:11 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,38] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
Sun Jan 31 17:05:21 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,39] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
Sun Jan 31 17:05:26 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.5
Sun Jan 31 17:05:26 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 31 17:05:26 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.5
Sun Jan 31 17:05:26 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 31 17:05:27 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1
Sun Jan 31 17:05:27 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 31 17:05:27 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.5
Sun Jan 31 17:05:27 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Jan 31 17:05:27 2016 SYSTEM ROUTING TABLE
Sun Jan 31 17:05:27 2016 0.0.0.0 0.0.0.0 192.168.1.1 p=0 i=3 t=4 pr=3 a=587 h=0 m=25/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=10684 h=0 m=1/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 192.168.1.0 255.255.255.0 192.168.1.7 p=0 i=3 t=3 pr=2 a=590 h=0 m=25/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 192.168.1.2 255.255.255.255 192.168.1.1 p=0 i=3 t=4 pr=3 a=1 h=0 m=1/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 192.168.1.7 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=590 h=0 m=25/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 192.168.1.255 255.255.255.255 192.168.1.7 p=0 i=3 t=3 pr=2 a=590 h=0 m=25/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 192.168.2.1 255.255.255.255 192.168.1.1 p=0 i=3 t=4 pr=3 a=1 h=0 m=1/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 224.0.0.0 240.0.0.0 192.168.1.7 p=0 i=3 t=3 pr=2 a=590 h=0 m=25/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=3 t=3 pr=2 a=10684 h=0 m=1/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=2 t=3 pr=2 a=10684 h=0 m=1/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=65542 t=3 pr=2 a=10678 h=0 m=1/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 255.255.255.255 255.255.255.255 192.168.1.7 p=0 i=4 t=3 pr=2 a=10684 h=0 m=1/-1/-1/-1/-1
Sun Jan 31 17:05:27 2016 SYSTEM ADAPTER LIST
Sun Jan 31 17:05:27 2016 TAP-Windows Adapter V9 - Packet Scheduler Miniport
Sun Jan 31 17:05:27 2016   Index = 4
Sun Jan 31 17:05:27 2016   GUID = {098516AC-5390-402B-91B8-EC9633F75C0C}
Sun Jan 31 17:05:27 2016   IP = 0.0.0.0/0.0.0.0 
Sun Jan 31 17:05:27 2016   MAC = 00:ff:09:85:16:ac
Sun Jan 31 17:05:27 2016   GATEWAY =  
Sun Jan 31 17:05:27 2016   DHCP SERV = 255.255.255.255 
Sun Jan 31 17:05:27 2016   DHCP LEASE OBTAINED = Sun Jan 31 17:02:31 2016
Sun Jan 31 17:05:27 2016   DHCP LEASE EXPIRES  = Tue Jan 19 04:14:07 2038
Sun Jan 31 17:05:27 2016   DNS SERV =  
Sun Jan 31 17:05:27 2016 Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
Sun Jan 31 17:05:27 2016   Index = 3
Sun Jan 31 17:05:27 2016   GUID = {0867CEE4-FEBF-42A6-8CC5-B9DFB2B74B03}
Sun Jan 31 17:05:27 2016   IP = 192.168.1.7/255.255.255.0 
Sun Jan 31 17:05:27 2016   MAC = 00:13:ce:60:30:16
Sun Jan 31 17:05:27 2016   GATEWAY = 192.168.1.1/0.0.0.0 
Sun Jan 31 17:05:27 2016   DHCP SERV = 192.168.2.1 
Sun Jan 31 17:05:27 2016   DHCP LEASE OBTAINED = Sun Jan 31 16:55:37 2016
Sun Jan 31 17:05:27 2016   DHCP LEASE EXPIRES  = Wed Feb 03 16:55:37 2016
Sun Jan 31 17:05:27 2016   DNS SERV = 192.168.1.1 
Sun Jan 31 17:05:27 2016 Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
Sun Jan 31 17:05:27 2016   Index = 2
Sun Jan 31 17:05:27 2016   GUID = {97B8AB14-3E29-4E4F-8ACD-0B7A41126419}
Sun Jan 31 17:05:27 2016   IP = 0.0.0.0/0.0.0.0 
Sun Jan 31 17:05:27 2016   MAC = 00:12:3f:fc:4b:3d
Sun Jan 31 17:05:27 2016   GATEWAY =  
Sun Jan 31 17:05:27 2016   DHCP SERV = 255.255.255.255 
Sun Jan 31 17:05:27 2016   DHCP LEASE OBTAINED = Mon Dec 07 17:29:13 2015
Sun Jan 31 17:05:27 2016   DHCP LEASE EXPIRES  = Tue Jan 19 04:14:07 2038
Sun Jan 31 17:05:27 2016   DNS SERV =  
Sun Jan 31 17:05:27 2016 Bluetooth Device (Personal Area Network)
Sun Jan 31 17:05:27 2016   Index = 65542
Sun Jan 31 17:05:27 2016   GUID = {264634EB-5730-4CA7-B924-10D07ED7786C}
Sun Jan 31 17:05:27 2016   IP = 0.0.0.0/0.0.0.0 
Sun Jan 31 17:05:27 2016   MAC = 00:10:c6:cb:49:28
Sun Jan 31 17:05:27 2016   GATEWAY =  
Sun Jan 31 17:05:27 2016   DHCP SERV =  
Sun Jan 31 17:05:27 2016   DHCP LEASE OBTAINED = Tue Jan 19 04:14:07 2038
Sun Jan 31 17:05:27 2016   DHCP LEASE EXPIRES  = Tue Jan 19 04:14:07 2038
Sun Jan 31 17:05:27 2016   DNS SERV =  
Sun Jan 31 17:05:27 2016 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Sun Jan 31 17:05:31 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,40] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
Sun Jan 31 17:05:41 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,41] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
Sun Jan 31 17:05:52 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,42] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
Sun Jan 31 17:06:02 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,43] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
Sun Jan 31 17:06:12 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,44] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
Sun Jan 31 17:06:22 2016 write to TUN/TAP  [State=AT0c Err=[c:\users\samuli\tap-windows-github\src\tapdrvr.c/2475] #O=8 Tx=[0,0] Rx=[0,45] IrpQ=[1,1,16] PktQ=[0,0,64] InjQ=[0,0,16]]: Údajová oblas? predaná systémovej slu?be je príli? malá.   (code=122)
upozornujem, ze v linuxe som vecny zaciatocnik ...
1.2.2016 14:11 bigBRAMBOR | skóre: 37
Rozbalit Rozbalit vše Re: ovpn spojenie
jestli ti server jede na adrese 192.168.1.2 tak je pak blbost nahazovat mu jeste routu 192.168.1.0, kdyz uz tu sit msa dostupnou - ceho presne tim chces dosahnout?
1.2.2016 14:13 bigBRAMBOR | skóre: 37
Rozbalit Rozbalit vše Re: ovpn spojenie
dle logu jeste na jedny strane komprimujes, ale na druhe strane ne, to ti data neprojdou
1.2.2016 17:01 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
bez tej routy sa nespoji vobec. Pridal som comp-lzo, ale tak isto sa nepripoji. Neviem ako to funguje; musim ja v linuxe v iptables povolit ping ?
upozornujem, ze v linuxe som vecny zaciatocnik ...
2.2.2016 07:14 bigBRAMBOR | skóre: 37
Rozbalit Rozbalit vše Re: ovpn spojenie
bez routy ktera se nahazuje pri startu VPN se nespusti VPN ktera uz v tu dobu na adresy z te site, na kterou nahazujes routu, musí videt? Blbost, prestan to pytlikovat a zacni to delat poradne.
2.2.2016 18:34 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Pozri sa sem, ja uz som v takom stadiu, ze to robim skoro pokus/omyl a ked tu routu zakomntujem, tak sa u klienta nevytvori ani tun. Ked by si pozrel na schemu siete na ktorej to skusam, tak vlastne tie PC su prepojene len switchom (su v LAN v jednom subnete).
upozornujem, ze v linuxe som vecny zaciatocnik ...
2.2.2016 21:38 GeorgeWH | skóre: 42
Rozbalit Rozbalit vše Re: ovpn spojenie
takze server aj klient su v jednej lan? tak vela stastia :D
3.2.2016 05:33 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Preco ? Ja to chcem vyskusat v LAN a ak to bude fungovat, tak potom to chcem dalej testovat na WAN
upozornujem, ze v linuxe som vecny zaciatocnik ...
3.2.2016 07:29 bigBRAMBOR | skóre: 37
Rozbalit Rozbalit vše Re: ovpn spojenie
lokalne to nahodit musi jit, jestli to ma byt server pro roadwarriory, melo by byt v serveru jeste mode server, bez toho se nastavuje VPN 1:1.

muj configuk pro TUN vypada takhle: 
mode server
dev tun0
tls-server
port 1194
keepaliave 15 150
proto udp
server 192.168.150.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
persist-tun
persist-key
comp-lzo
teda neprepsal jsem vsechno, vynechal jsem nektere bezpecnostni veci, logovani, a hlavne routovani a redirect-gw ktere na lokalni zkouseni mit nemusis ale melo by to byt funkcni, posli sem kdyztak i log ze serveru ne jenom z klieta a prosim v konfiguraku neposilej zakomentovane řadky, akorat to komplikuje čtení a pochopení
3.2.2016 17:05 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Nejedna sa o ziadny roadwarior (ani som nevedel co to je, ale po googleni som zistil :) )Tak aby v tom bol lepsi prehlad, tu je cisty server.conf 
port 1194
proto udp
dev tun
ca ca crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
a log zo servera pokial este nie je pripojeny ziadny klient. 
grep -i vpn /var/log/syslog
jany-EP41-UD3L openvpn # grep -i vpn /var/log/syslog
Feb  3 15:58:44 jany-EP41-UD3L NetworkManager[958]: info VPN: loaded org.freedesktop.NetworkManager.pptp
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: Diffie-Hellman initialized with 2048 bit key
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: ROUTE: default_gateway=UNDEF
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: TUN/TAP device tun0 opened
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: TUN/TAP TX queue length set to 100
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: /sbin/ip link set dev tun0 up mtu 1500
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1320]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: GID set to nogroup
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: UID set to nobody
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: UDPv4 link local (bound): [undef]
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: UDPv4 link remote: [undef]
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: MULTI: multi_init called, r=256 v=256
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: ifconfig_pool_read(), in='client01,10.8.0.4', TODO: IPv6
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: succeeded -> ifconfig_pool_set()
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: IFCONFIG POOL LIST
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: client01,10.8.0.4
Feb  3 15:58:45 jany-EP41-UD3L ovpn-server[1353]: Initialization Sequence Completed
Ak sa klient pripoji, tak log na servery pokracuje 
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 TLS: Initial packet from [AF_INET]192.168.1.5:1194, sid=7879acdc 971a611a
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 VERIFY OK: depth=1, C=FR, ST=PA, L=PARIS, O=DEB-SKY, OU=DEB-SKY-UNIT, CN=DEB-SKY CA, name=server, emailAddress=deb-sky@deb.sky.fr
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 VERIFY OK: depth=0, C=FR, ST=PA, L=PARIS, O=DEB-SKY, OU=DEB-SKY-UNIT, CN=client01, name=server, emailAddress=deb-sky@deb-sky.fr
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: 192.168.1.5:1194 [client01] Peer Connection Initiated with [AF_INET]192.168.1.5:1194
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: client01/192.168.1.5:1194 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: client01/192.168.1.5:1194 MULTI: Learn: 10.8.0.6 -> client01/192.168.1.5:1194
Feb  3 16:44:49 jany-EP41-UD3L ovpn-server[1353]: client01/192.168.1.5:1194 MULTI: primary virtual IP for client01/192.168.1.5:1194: 10.8.0.6
Feb  3 16:44:52 jany-EP41-UD3L ovpn-server[1353]: client01/192.168.1.5:1194 PUSH: Received control message: 'PUSH_REQUEST'
Feb  3 16:44:52 jany-EP41-UD3L ovpn-server[1353]: client01/192.168.1.5:1194 send_push_reply(): safe_cap=940
Feb  3 16:44:52 jany-EP41-UD3L ovpn-server[1353]: client01/192.168.1.5:1194 SENT CONTROL [client01]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
A tu je cisty client01.conf 
dev tun
client
proto udp
remote 192.168.1.2 1194
ca ca.crt
cert client01.crt
key client01.key
port 1194
ping 15
ping-restart 45
ping-timer-rem
dhcp-option DNS 8.8.8.8
route 192.168.1.0 255.255.255.0 10.8.0.1
redirect-gateway
comp-lzo
A log klienta 
Feb  3 16:44:39 jany-Latitude-D610 NetworkManager[801]: info VPN: loaded org.freedesktop.NetworkManager.pptp
Feb  3 16:44:42 jany-Latitude-D610 ovpn-client01[1234]: OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Feb  3 16:44:42 jany-Latitude-D610 ovpn-client01[1234]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  3 16:44:42 jany-Latitude-D610 ovpn-client01[1234]: WARNING: file 'client01.key' is group or others accessible
Feb  3 16:44:42 jany-Latitude-D610 ovpn-client01[1237]: UDPv4 link local (bound): [undef]
Feb  3 16:44:42 jany-Latitude-D610 ovpn-client01[1237]: UDPv4 link remote: [AF_INET]192.168.1.2:1194
Feb  3 16:44:42 jany-Latitude-D610 ovpn-client01[1237]: write UDPv4: Network is unreachable (code=101)
Feb  3 16:44:44 jany-Latitude-D610 ovpn-client01[1237]: write UDPv4: Network is unreachable (code=101)
Feb  3 16:44:48 jany-Latitude-D610 ovpn-client01[1237]: [server] Peer Connection Initiated with [AF_INET]192.168.1.2:1194
Feb  3 16:44:51 jany-Latitude-D610 ovpn-client01[1237]: TUN/TAP device tun0 opened
Feb  3 16:44:51 jany-Latitude-D610 ovpn-client01[1237]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb  3 16:44:51 jany-Latitude-D610 ovpn-client01[1237]: /sbin/ip link set dev tun0 up mtu 1500
Feb  3 16:44:51 jany-Latitude-D610 ovpn-client01[1237]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Feb  3 16:44:51 jany-Latitude-D610 ovpn-client01[1237]: ERROR: Linux route add command failed: external program exited with error status: 2
Feb  3 16:44:51 jany-Latitude-D610 ovpn-client01[1237]: Initialization Sequence Completed
Su tam volajake 2 upozornenie, ze nebola povolena metoda overovania + nejaky error ohladom routy
upozornujem, ze v linuxe som vecny zaciatocnik ...
3.2.2016 21:52 bigBRAMBOR
Rozbalit Rozbalit vše Re: ovpn spojenie
Pro metodu overeni si najdi ta.key, taky si mas zmenit prava na kliči, ale to je jenom warning.

Ta routa na sit ve ktere jsi tam proste nema co delat...
4.2.2016 18:52 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
OK, tak som si este trocha confy okresal a nejak to v LAN uz funguje.
server.conf 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key 
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
client.conf 
dev tun
client
proto udp
remote 192.168.1.2 1194
ca ca.crt
cert client01.crt
key client01.key
port 1194
dhcp-option DNS 8.8.8.8
comp-lzo
Ping funguje na oboch stranach.
Mohol by som sa teda pustit do testovania na wan. Ak tomu spravne rozumiem, tak zmeny robim v configu u klienta a to take, ze zmenim 
remote 192.168.1.2 1194
na
remote host_alebo_verejna_ip_servera 1194
Musim tam teraz pridat este aj routu ?
Na OVPN servery nemusim menit nic, ale este ako poznamenal NN, tak na routery by som mal prenatovat na stroj kde je OVPN server 
/ip firewall nat add chain=dstnat dst-address=60.90.60.90 protocol=udp dst-port=1194 \
    action=dst-nat to-addresses=192.168.1.2 to-ports=1194
Malo by to teraz fungovat ? Pytam sa preto, lebo, skusat to mozem az v sobotu
thx
upozornujem, ze v linuxe som vecny zaciatocnik ...
5.2.2016 08:32 bigBRAMBOR | skóre: 37
Rozbalit Rozbalit vše Re: ovpn spojenie
routu pridavat nemusis, pokud ti staci dostat se na VPN server, pokud potrebujes dal, musis to uz naroutovat.

ano, pokud to ma fungovat zvenci, musist ten port dostat z gw na vpn server. Jestli je ten zapis vporadku nevim, ja to nepouzivam, delam to v iptables.
6.2.2016 13:23 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie

Zdravim.
Podla obrazku sa skusam pripajat z wan strany.
Na mikrotiku je natovany port 1194 na vonkajsiu IP Urobil som nasledovne:
OVPN server s IP 10.8.0.1
Na druhej strane je linuxovy VPN Client01 (je to NTB s 3G modemom)
client01.conf je ako pred tym, len zmeneny remote

dev tun
client
proto udp
remote 90.60.90.60 1194
ca ca.crt
cert client01.crt
key client01.key
port 1194
dhcp-option DNS 8.8.8.8
comp-lzo

Log z clienta

Feb  6 12:42:47 jany-Latitude-D610 NetworkManager[864]:  VPN: loaded org.freedesktop.NetworkManager.pptp
Feb  6 12:42:49 jany-Latitude-D610 ovpn-client01[1258]: OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Feb  6 12:42:49 jany-Latitude-D610 ovpn-client01[1258]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  6 12:42:49 jany-Latitude-D610 ovpn-client01[1258]: WARNING: file 'client01.key' is group or others accessible
Feb  6 12:42:49 jany-Latitude-D610 ovpn-client01[1261]: UDPv4 link local (bound): [undef]
Feb  6 12:42:49 jany-Latitude-D610 ovpn-client01[1261]: UDPv4 link remote: [AF_INET]90.60.90.60:1194
Feb  6 12:42:49 jany-Latitude-D610 ovpn-client01[1261]: write UDPv4: Network is unreachable (code=101)
Feb  6 12:43:19 jany-Latitude-D610 ovpn-client01[1261]: message repeated 4 times: [ write UDPv4: Network is unreachable (code=101)]
Feb  6 12:43:49 jany-Latitude-D610 ovpn-client01[1261]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb  6 12:43:49 jany-Latitude-D610 ovpn-client01[1261]: TLS Error: TLS handshake failed
Feb  6 12:43:49 jany-Latitude-D610 ovpn-client01[1261]: SIGUSR1[soft,tls-error] received, process restarting
Feb  6 12:43:51 jany-Latitude-D610 ovpn-client01[1261]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  6 12:43:51 jany-Latitude-D610 ovpn-client01[1261]: WARNING: file 'client01.key' is group or others accessible
Feb  6 12:43:51 jany-Latitude-D610 ovpn-client01[1261]: UDPv4 link local (bound): [undef]
Feb  6 12:43:51 jany-Latitude-D610 ovpn-client01[1261]: UDPv4 link remote: [AF_INET]90.60.90.60:1194
Feb  6 12:43:51 jany-Latitude-D610 ovpn-client01[1261]: write UDPv4: Network is unreachable (code=101)
Feb  6 12:44:22 jany-Latitude-D610 ovpn-client01[1261]: message repeated 4 times: [ write UDPv4: Network is unreachable (code=101)]
Feb  6 12:44:51 jany-Latitude-D610 ovpn-client01[1261]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb  6 12:44:51 jany-Latitude-D610 ovpn-client01[1261]: TLS Error: TLS handshake failed
Feb  6 12:44:51 jany-Latitude-D610 ovpn-client01[1261]: SIGUSR1[soft,tls-error] received, process restarting
Na routery vidim, ze chodia nejake pakety na 1194, ale na OVPN servery v logu nie je nic a na NTB sa samozrejme nevytvori ani tun.
upozornujem, ze v linuxe som vecny zaciatocnik ...
6.2.2016 15:42 jany2 | skóre: 30 | blog: jany_blog
Rozbalit Rozbalit vše Re: ovpn spojenie
Na mikrotiku mam vytvorene pravidlo 
83    ;;; OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix=""
a NAT 
21    ;;; test_vpn_na_192.168.1.2
      chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=1194 protocol=udp in-interface=pppo
      dst-port=1194 log=yes log-prefix=""
Log na mikrotiku 
15:15:46 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42 
15:15:50 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42 
15:15:58 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42 
15:16:14 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42 
15:16:47 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42 
15:16:49 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42 
15:16:53 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42 
15:17:02 firewall,info dstnat: in:pppoe-out1 out:(none), proto UDP, 151.152.153.154:60215->90.60.90.60:1194, len 42
upozornujem, ze v linuxe som vecny zaciatocnik ...

Založit nové vláknoNahoru

Tiskni Sdílej: Linkuj Jaggni to Vybrali.sme.sk Google Del.icio.us Facebook

ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.