Portál AbcLinuxu, 8. května 2025 04:41
15.1.2022 20:36
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp5s0: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 28:d2:44:52:8a:15 brd ff:ff:ff:ff:ff:ff
inet 169.254.5.226/16 brd 169.254.255.255 scope link enp5s0:avahi
valid_lft forever preferred_lft forever
3: wlp4s0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:c2:c6:52:96:62 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.203/24 brd 192.168.0.255 scope global dynamic wlp4s0
valid_lft 254667sec preferred_lft 254667sec
inet6 fe80::2c2:c6ff:fe52:9662/64 scope link
valid_lft forever preferred_lft forever
4: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::a603:c48b:575b:d778/64 scope link stable-privacy
valid_lft forever preferred_lft forever
druhe pc
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 6c:0b:84:94:66:02 brd ff:ff:ff:ff:ff:ff
altname enp0s25
3: wlp2s0: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 04:56:e5:72:7e:82 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.182/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp2s0
valid_lft 257614sec preferred_lft 257614sec
inet6 fe80::1aed:b446:a012:e8e3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::1d37:709c:3bb7:b335/64 scope link stable-privacy
valid_lft forever preferred_lft forever
traceroute abclinuxu.cz
traceroute to abclinuxu.cz (171.25.221.158), 30 hops max, 60 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *
ip route default via 192.168.0.1 dev wlp4s0 default dev enp5s0 scope link metric 1002 linkdown 169.254.0.0/16 dev enp5s0 proto kernel scope link src 169.254.5.226 linkdown 192.168.0.0/24 dev wlp4s0 proto kernel scope link src 192.168.0.203DHCP je nastavene na routri
ip route 0.0.0.0/1 via 10.8.0.5 dev tun0 default via 192.168.0.1 dev wlp2s0 proto dhcp metric 600 10.8.0.1 via 10.8.0.5 dev tun0 10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6 90.64.250.169 via 192.168.0.1 dev wlp2s0 128.0.0.0/1 via 10.8.0.5 dev tun0 192.168.0.0/24 dev wlp2s0 proto kernel scope link src 192.168.0.195 metric 600skúsim pozrieť ten firewal na routri ale pokiaľ viem nenastavoval som tam nic.
asi bude problem router.Asi ne.
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh.pem server 10.8.0.0 255.255.255.0 push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220" keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log verb 3 explicit-exit-notify 1
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh.pem server 10.8.0.0 255.255.255.0 client-config-dir /etc/openvpn/ccd keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log verb 3 explicit-exit-notify 1
tail /var/log/openvpn/openvpn.log Mon Jan 17 21:46:50 2022 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2 Mon Jan 17 21:46:50 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET Mon Jan 17 21:46:50 2022 Socket Buffers: R=[163840->163840] S=[163840->163840] Mon Jan 17 21:46:50 2022 UDPv4 link local (bound): [AF_INET][undef]:1194 Mon Jan 17 21:46:50 2022 UDPv4 link remote: [AF_UNSPEC] Mon Jan 17 21:46:50 2022 GID set to nogroup Mon Jan 17 21:46:50 2022 UID set to nobody Mon Jan 17 21:46:50 2022 MULTI: multi_init called, r=256 v=256 Mon Jan 17 21:46:50 2022 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Mon Jan 17 21:46:50 2022 Initialization Sequence CompletedClient
dev tun proto udp remote 90.64.250.169 1194 route-nopull pull-filter ignore "dhcp-option DNS" ;resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun ca /etc/openvpn/client/ca.crt cert /etc/openvpn/client/mikilap.crt key /etc/openvpn/client/mikilap.key ;remote-cert-tls server tls-auth /etc/openvpn/client/ta.key 1 cipher AES-256-CBC status /var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log verb 3eeee zamotávam sa :( klient mi kape
16.1.2022 02:06
systemctl status openvpn@client
● openvpn@client.service - OpenVPN connection to client
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Mon 2022-01-17 21:41:03 CET; 1s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 1292 ExecStart=/usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /
Main PID: 1292 (code=exited, status=1/FAILURE)
jan 17 21:41:03 debian systemd[1]: Failed to start OpenVPN connection to client.
journalctl -u openvpn@client snad řekne víc, pokud ne, tak ho spusť ručně, respektive teď koukám že to loguješ asi do /var/log/openvpn/openvpn.log
journalctl -u openvpn@client -- Logs begin at Mon 2022-01-17 20:54:33 CET, end at Mon 2022-01-17 22:03:41 CET. -- jan 17 20:54:36 debian systemd[1]: Starting OpenVPN connection to client... jan 17 20:54:36 debian systemd[1]: Started OpenVPN connection to client. jan 17 21:33:40 debian systemd[1]: Stopping OpenVPN connection to client... jan 17 21:33:40 debian systemd[1]: openvpn@client.service: Succeeded. jan 17 21:33:40 debian systemd[1]: Stopped OpenVPN connection to client. jan 17 21:33:57 debian systemd[1]: Starting OpenVPN connection to client... jan 17 21:33:57 debian systemd[1]: openvpn@client.service: Main process exited, code=exited, status=1/FAILURE jan 17 21:33:57 debian systemd[1]: openvpn@client.service: Failed with result 'exit-code'. jan 17 21:33:57 debian systemd[1]: Failed to start OpenVPN connection to client. jan 17 21:34:02 debian systemd[1]: openvpn@client.service: Service RestartSec=5s expired, scheduling restart. jan 17 21:34:02 debian systemd[1]: openvpn@client.service: Scheduled restart job, restart counter is at 1. jan 17 21:34:02 debian systemd[1]: Stopped OpenVPN connection to client. jan 17 21:34:02 debian systemd[1]: Starting OpenVPN connection to client... jan 17 21:34:02 debian systemd[1]: openvpn@client.service: Main process exited, code=exited, status=1/FAILURE jan 17 21:34:02 debian systemd[1]: openvpn@client.service: Failed with result 'exit-code'. jan 17 21:34:02 debian systemd[1]: Failed to start OpenVPN connection to client. jan 17 21:34:07 debian systemd[1]: openvpn@client.service: Service RestartSec=5s expired, scheduling restart. jan 17 21:34:07 debian systemd[1]: openvpn@client.service: Scheduled restart job, restart counter is at 2. jan 17 21:34:07 debian systemd[1]: Stopped OpenVPN connection to client. jan 17 21:34:07 debian systemd[1]: Starting OpenVPN connection to client... jan 17 21:34:07 debian systemd[1]: openvpn@client.service: Main process exited, code=exited, status=1/FAILURE jan 17 21:34:07 debian systemd[1]: openvpn@client.service: Failed with result 'exit-code'. jan 17 21:34:07 debian systemd[1]: Failed to start OpenVPN connection to client. jan 17 21:34:12 debian systemd[1]: openvpn@client.service: Service RestartSec=5s expired, scheduling restart. jan 17 21:34:12 debian systemd[1]: openvpn@client.service: Scheduled restart job, restart counter is at 3. jan 17 21:34:12 debian systemd[1]: Stopped OpenVPN connection to client. jan 17 21:34:12 debian systemd[1]: Starting OpenVPN connection to client... jan 17 21:34:13 debian systemd[1]: openvpn@client.service: Main process exited, code=exited, status=1/FAILURE jan 17 21:34:13 debian systemd[1]: openvpn@client.service: Failed with result 'exit-code'. jan 17 21:34:13 debian systemd[1]: Failed to start OpenVPN connection to client. jan 17 21:34:18 debian systemd[1]: openvpn@client.service: Service RestartSec=5s expired, scheduling restart. jan 17 21:34:18 debian systemd[1]: openvpn@client.service: Scheduled restart job, restart counter is at 4. jan 17 21:34:18 debian systemd[1]: Stopped OpenVPN connection to client. jan 17 21:34:18 debian systemd[1]: Starting OpenVPN connection to client... jan 17 21:34:18 debian systemd[1]: openvpn@client.service: Main process exited, code=exited, status=1/FAILURE jan 17 21:34:18 debian systemd[1]: openvpn@client.service: Failed with result 'exit-code'. jan 17 21:34:18 debian systemd[1]: Failed to start OpenVPN connection to client.tail /var/log/openvpn/openvpn.log
Mon Jan 17 22:05:57 2022 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. Use --help for more information.
ale na server sa nedostávaAch jo, to je zase popis „a co s tím máme jako dělat“. Potřebuješ se podívat na adresy na obou stranách, pingnout si, a koukat tcpdumpem (
tcpdump -ni eth0 icmp) jestli ping dojde na druhou stranu a jestli se vrátí odpověď.
systemctl start openvpn@client root@debian:~# tail -f /var/log/openvpn/openvpn.log Mon Jan 17 22:28:01 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021 Mon Jan 17 22:28:01 2022 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 Mon Jan 17 22:28:01 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jan 17 22:28:01 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jan 17 22:28:01 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]90.64.250.169:1194 Mon Jan 17 22:28:01 2022 Socket Buffers: R=[212992->212992] S=[212992->212992] Mon Jan 17 22:28:01 2022 UDP link local: (not bound) Mon Jan 17 22:28:01 2022 UDP link remote: [AF_INET]90.64.250.169:1194 Mon Jan 17 22:28:01 2022 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delayip a s mi tun0 neukazuje teda vpn nevytorí. nemám ako ping tú siet
netstat -tlpn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 431/sshd tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 527/smbd tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 519/mysqld tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 527/smbd tcp 0 0 0.0.0.0:82 0.0.0.0:* LISTEN 417/supernode tcp6 0 0 :::22 :::* LISTEN 431/sshd tcp6 0 0 :::445 :::* LISTEN 527/smbd tcp6 0 0 :::139 :::* LISTEN 527/smbd tcp6 0 0 :::80 :::* LISTEN 471/apache2
tcpdump -i enp1s0 port 1194 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes 00:06:13.538759 IP OSK.52308 > debianeee.openvpn: UDP, length 42 00:06:13.540586 IP debianeee.openvpn > OSK.52308: UDP, length 54 00:06:15.759606 IP OSK.52308 > debianeee.openvpn: UDP, length 42 00:06:15.760001 IP debianeee.openvpn > OSK.52308: UDP, length 54 00:06:19.279420 IP OSK.52308 > debianeee.openvpn: UDP, length 42 00:06:19.279825 IP debianeee.openvpn > OSK.52308: UDP, length 54 00:06:27.037624 IP debianeee.openvpn > OSK.52308: UDP, length 42 00:06:27.155685 IP OSK.52308 > debianeee.openvpn: UDP, length 42 00:06:27.156142 IP debianeee.openvpn > OSK.52308: UDP, length 50 00:06:43.025091 IP debianeee.openvpn > OSK.52308: UDP, length 42 00:06:43.272473 IP OSK.52308 > debianeee.openvpn: UDP, length 42 00:06:43.272895 IP debianeee.openvpn > OSK.52308: UDP, length 50 00:06:47.458735 IP OSK.52308 > debianeee.openvpn: UDP, length 42 00:06:47.459454 IP debianeee.openvpn > OSK.52308: UDP, length 54 00:06:49.483576 IP debianeee.openvpn > OSK.52308: UDP, length 42 00:06:49.549136 IP OSK.52308 > debianeee.openvpn: UDP, length 42 00:06:49.549588 IP debianeee.openvpn > OSK.52308: UDP, length 50 ^C 17 packets captured 17 packets received by filter 0 packets dropped by kernel
# Generated by xtables-save v1.8.2 on Sat Jan 15 23:30:24 2022 *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.8.0.0/16 -o enp1s0 -j MASQUERADE -A POSTROUTING -o enp1s0 -j MASQUERADE COMMIT # Completed on Sat Jan 15 23:30:24 2022 # Generated by xtables-save v1.8.2 on Sat Jan 15 23:30:24 2022 *filter :INPUT DROP [10403:699410] :FORWARD ACCEPT [841033:790670663] :OUTPUT ACCEPT [682786:802016188] -A INPUT -m state --state INVALID -j DROP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
tail /var/log/openvpn/openvpn.log Mon Jan 17 22:01:08 2022 192.168.1.1:52308 SIGUSR1[soft,tls-error] received, client-instance restarting Mon Jan 17 22:03:19 2022 192.168.1.1:52308 TLS: Initial packet from [AF_INET]192.168.1.1:52308, sid=958d5c59 466f1b54 Mon Jan 17 22:04:19 2022 192.168.1.1:52308 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Mon Jan 17 22:04:19 2022 192.168.1.1:52308 TLS Error: TLS handshake failed Mon Jan 17 22:04:19 2022 192.168.1.1:52308 SIGUSR1[soft,tls-error] received, client-instance restarting Mon Jan 17 22:06:08 2022 192.168.1.1:52308 TLS: Initial packet from [AF_INET]192.168.1.1:52308, sid=57455945 15bc5fbb Mon Jan 17 22:07:08 2022 192.168.1.1:52308 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Mon Jan 17 22:07:08 2022 192.168.1.1:52308 TLS Error: TLS handshake failed Mon Jan 17 22:07:08 2022 192.168.1.1:52308 SIGUSR1[soft,tls-error] received, client-instance restarting Mon Jan 17 22:09:19 2022 192.168.1.1:52308 TLS: Initial packet from [AF_INET]192.168.1.1:52308, sid=aabe9108 5912139f
vyhadzuje mi to tu nepovolene zacky ked to sem len nakopirujemMusíš nahradit < HTML entitami <. Velmi zajímavé je, že traceroute dokázalo přeložit doménové jméno, takže DNS funguje (jaký DNS server máš nastavený? nebo se to vytáhlo z lokální cache?), ale přitom už první hop je *, takže i kdybys měl jako DNS gateway, tak na ni se traceroute nedostane, což je divné. Chtělo by to ty pingy mezi počítači a na gateway a koukat ve Wiresharku na všech místech (ideálně i na gatewayi) jestli dorazily. Případně jestli tam nebude vidět nějaká další anomálie - typicky jsou v síti vidět náhodné broadcasty a ARP requesty, řádově jeden za sekundu, a pokud je něco špatně, tak může být vidět broadcast storm.
Tiskni
Sdílej:
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.
16.1.2022 10:11