Site-to-site OpenVPN won't come up (solved)
-
Hello!
Please help! I've been struggling with this for two days. The solution is probably right in front of me, but I can't see it. There is a head office and a branch, both running pfSense 2.0.1.
Office: LAN 192.168.8.0, WAN 194.xxx.xxx.3
Branch: LAN 192.168.65.0, WAN 213.yyy.yyy.211
Configs:
Office
```
dev ovpns6
dev-type tun
dev-node /dev/tun6
writepid /var/run/openvpn_server6.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 194.xxx.xxx.3
ifconfig 10.0.8.1 10.0.8.2
lport 1199
management /var/etc/openvpn/server6.sock unix
push "route 192.168.8.8 255.255.255.0"
route 192.168.65.0 255.255.255.0
secret /var/etc/openvpn/server6.secret
```
Branch
```
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 213.yyy.yyy.211
lport 1199
management /var/etc/openvpn/client1.sock unix
remote 194.xxx.xxx.3 1199
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.8 255.255.255.0
secret /var/etc/openvpn/client1.secret
```
The tunnel does not come up. Here is what the logs show:
Office
```
Jun 7 11:45:38 openvpn[49604]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Jun 7 11:45:38 openvpn[49604]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 7 11:45:38 openvpn[49604]: TUN/TAP device /dev/tun6 opened
Jun 7 11:45:38 openvpn[49604]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 7 11:45:38 openvpn[49604]: /sbin/ifconfig ovpns6 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Jun 7 11:45:38 openvpn[49604]: /usr/local/sbin/ovpn-linkup ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
Jun 7 11:45:38 openvpn[51341]: UDPv4 link local (bound): [AF_INET]194.xxx.xxx.3:1199
Jun 7 11:45:38 openvpn[51341]: UDPv4 link remote: [undef]
Jun 7 11:48:49 openvpn[51341]: event_wait : Interrupted system call (code=4)
Jun 7 11:48:49 openvpn[51341]: /usr/local/sbin/ovpn-linkdown ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
Jun 7 11:48:49 openvpn[51341]: SIGTERM[hard,] received, process exiting
```
Branch
```
Jun 7 08:11:05 openvpn[38387]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 7 08:11:07 openvpn[38387]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 7 08:11:07 openvpn[38387]: Re-using pre-shared static key
Jun 7 08:11:07 openvpn[38387]: Preserving previous TUN/TAP instance: ovpnc1
Jun 7 08:11:07 openvpn[38387]: UDPv4 link local (bound): [AF_INET]213.yyy.yyy.211:1199
Jun 7 08:11:07 openvpn[38387]: UDPv4 link remote: [AF_INET]194.xxx.xxx.3:1199
```
-
The question is closed. It turned out that one of the packages was acting up (I had installed several of them to play around). After a while, routing and the web interface stopped working (without any action on my part). I didn't spend long investigating: I cut the packages section out of the config and restored from that. Everything is ticking along now.
-
Greetings, everyone!
I don't want to spawn yet another thread; the problem is the same: the OpenVPN tunnel won't come up. On one side there is a pfSense box (ip 10.70.155.42),
on the other side a Windows server (ip 10.71.32.172).
I believe I carried all the settings over to pfSense, but the link doesn't get established.
Here are the pfSense settings:
```
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.70.155.42
lport 5001
management /var/etc/openvpn/client1.sock unix
remote 10.71.32.172 5001
secret /var/etc/openvpn/client1.secret
comp-lzo
ifconfig 192.168.253.253 192.168.253.254
verb 4
```
OpenVPN settings on the Windows server:
```
remote 10.70.155.42 5001
local 10.71.32.172
lport 5001
proto udp
cipher AES-128-CBC
dev tun
dev-node VPNZel
route-method exe
route-delay 10
ifconfig 192.168.253.254 192.168.253.253
route 192.168.31.0 255.255.255.0
secret static.txt
#ping 10
comp-lzo
verb 4
mute 10
```
Here are the logs on pfSense:
```
Jul 4 13:44:36 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:44:36 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:45:36 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:45:36 openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:45:36 openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:45:36 openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:45:38 openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:45:38 openvpn[38464]: Re-using pre-shared static key
Jul 4 13:45:38 openvpn[38464]: LZO compression initialized
Jul 4 13:45:38 openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:45:38 openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:45:38 openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:45:38 openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:45:38 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:45:38 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:45:38 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:46:38 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:46:38 openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:46:38 openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:46:38 openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:46:40 openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:46:40 openvpn[38464]: Re-using pre-shared static key
Jul 4 13:46:40 openvpn[38464]: LZO compression initialized
Jul 4 13:46:40 openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:46:40 openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:46:40 openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:46:40 openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:46:40 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:46:40 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:46:40 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:47:40 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:47:40 openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:47:40 openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:47:40 openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:47:42 openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:47:42 openvpn[38464]: Re-using pre-shared static key
Jul 4 13:47:42 openvpn[38464]: LZO compression initialized
Jul 4 13:47:42 openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:47:42 openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:47:42 openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:47:42 openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:47:42 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:47:42 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:47:42 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
```
OpenVPN logs on the Windows server:
```
Wed Jul 04 13:31:02 2012 us=500000 Current Parameter Settings:
Wed Jul 04 13:31:02 2012 us=500000 config = 'zel.ovpn'
Wed Jul 04 13:31:02 2012 us=500000 mode = 0
Wed Jul 04 13:31:02 2012 us=500000 show_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 show_digests = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 show_engines = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 genkey = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 key_pass_file = '[UNDEF]'
Wed Jul 04 13:31:02 2012 us=500000 show_tls_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 Connection profiles [default]:
Wed Jul 04 13:31:02 2012 us=500000 NOTE: --mute triggered...
Wed Jul 04 13:31:02 2012 us=500000 213 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:31:02 2012 us=500000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Wed Jul 04 13:31:02 2012 us=500000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 LZO compression initialized
Wed Jul 04 13:31:02 2012 us=500000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jul 04 13:31:02 2012 us=515000 ROUTE default_gateway=89.222.215.17
Wed Jul 04 13:31:02 2012 us=515000 TAP-WIN32 device [VPNZel] opened: \\.\Global\{52D930CD-275C-4B31-A784-61C7B4013BE0}.tap
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 Driver Version 9.8
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 MTU=1500
Wed Jul 04 13:31:02 2012 us=531000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.253.254/255.255.255.252 on interface {52D930CD-275C-4B31-A784-61C7B4013BE0} [DHCP-serv: 192.168.253.253, lease-time: 31536000]
Wed Jul 04 13:31:02 2012 us=531000 NOTE: FlushIpNetTable failed on interface [65542] {52D930CD-275C-4B31-A784-61C7B4013BE0} (status=1413) : Неверный индекс.
Wed Jul 04 13:31:02 2012 us=531000 Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 04 13:31:02 2012 us=531000 Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Local Options hash (VER=V4): 'ba89014a'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options hash (VER=V4): '39a50059'
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link local (bound): 10.71.32.172:5001
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:53 2012 us=234000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 NOTE: --mute triggered...
Wed Jul 04 13:33:02 2012 us=406000 10 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:33:02 2012 us=406000 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (1360 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:57 2012 us=343000 NOTE: --mute triggered...
Wed Jul 04 13:36:18 2012 us=296000 9 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:36:18 2012 us=296000 Peer Connection Initiated with 10.70.155.42:5001
Wed Jul 04 13:36:19 2012 us=62000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:19 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:20 2012 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:28 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:29 2012 us=859000 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Jul 04 13:36:29 2012 us=859000 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.0 192.168.253.253
Wed Jul 04 13:36:29 2012 us=984000 Initialization Sequence Completed
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:20 2012 us=281000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 NOTE: --mute triggered...
```
Port 5001 is open on both servers, and pings go through in both directions.
Can you tell me what I've overlooked?
-
That's it, the problem is solved. It was written there in plain human language: "allow this incoming source address/port by removing --remote or adding --float".
I added the float option on the Windows client, and the connection came up.
-
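As an added example (not part of the thread or of pfSense/OpenVPN), a small Python triage script for the two logs quoted in the post above. It cross-checks each side's `Local Options hash` against the other side's `Expected Remote Options hash` (on one side the two strings always differ because `ifconfig` is mirrored, so only the cross-comparison is meaningful) and pulls out the `Incoming packet rejected ... expected peer address` lines, reporting a rewritten source port explicitly. The log excerpts are constructed from the thread's own lines; the remediation wording is mine.

```python
import re
from collections import Counter

# Constructed excerpts of the two logs quoted in the thread (pfSense side, Windows side).
PFSENSE_LOG = """\
Jul 4 13:45:38 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:45:38 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:45:38 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:45:38 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:46:38 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
"""
WINDOWS_LOG = """\
Wed Jul 04 13:31:02 2012 us=531000 Local Options hash (VER=V4): 'ba89014a'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options hash (VER=V4): '39a50059'
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
"""

HASH_RE = re.compile(r"(?P<which>Local|Expected Remote) Options hash \(VER=V\d\): '(?P<hash>[0-9a-f]+)'")
REJECT_RE = re.compile(
    r"Incoming packet rejected from (?P<src_ip>[\d.]+):(?P<src_port>\d+)\[\d+\], "
    r"expected peer address: (?P<exp_ip>[\d.]+):(?P<exp_port>\d+)"
)


def options_hashes(log):
    """Return (local_hash, expected_remote_hash) as logged by one peer (last occurrence wins)."""
    found = {}
    for m in HASH_RE.finditer(log):
        found[m["which"]] = m["hash"]
    return found.get("Local"), found.get("Expected Remote")


def options_cross_consistent(log_a, log_b):
    """True when each side's Local hash equals the other side's Expected Remote hash."""
    la, ea = options_hashes(log_a)
    lb, eb = options_hashes(log_b)
    return None not in (la, ea, lb, eb) and la == eb and lb == ea


def peer_rejections(log):
    """Count rejected packets by (observed source, expected peer) so a NAT rewrite stands out."""
    counts = Counter()
    for m in REJECT_RE.finditer(log):
        counts[(f"{m['src_ip']}:{m['src_port']}", f"{m['exp_ip']}:{m['exp_port']}")] += 1
    return counts


def diagnose(log_a, log_b):
    """Return human-readable findings for a static-key tunnel that keeps ping-restarting."""
    findings = []
    if options_cross_consistent(log_a, log_b):
        findings.append("options hashes cross-match: cipher/comp-lzo/ifconfig agree, look elsewhere")
    else:
        findings.append("options hashes do not cross-match: compare cipher, comp-lzo, proto, ifconfig")
    for log in (log_a, log_b):
        for (observed, expected), n in sorted(peer_rejections(log).items()):
            obs_ip, obs_port = observed.rsplit(":", 1)
            exp_ip, exp_port = expected.rsplit(":", 1)
            if obs_ip == exp_ip and obs_port != exp_port:
                # same host, different port: a NAT in the path rewrote the source port
                findings.append(
                    f"{n}x packets from {observed} rejected, peer pinned to {expected}: the source "
                    "port was rewritten in transit (NAT); keep the port static on the NAT device "
                    "or accept the change with --float")
            else:
                findings.append(f"{n}x packets from {observed} rejected, expected {expected}")
    return findings


if __name__ == "__main__":
    for line in diagnose(PFSENSE_LOG, WINDOWS_LOG):
        print(line)
```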
Colleagues, I'm asking for help, because after 3 days of war with openvpn I've run out of ideas and my eyes have glazed over.
I have two pfSense 2.0.1 boxes (on 1.2.3 I brought this up in no time). I only configure through the web interface. I'm trying to bring up site-to-site based on PKI (with shared keys I couldn't get anywhere either).
1. On the server I generated three key pairs: ca (the certificate authority), serv (the server certificate) and cln (the user certificate).
2. Server settings:
2.1.
```
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 188.x.x.x
tls-server
server 10.0.0.0 255.255.255.248
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.0.1 10.0.0.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
```
2.2. Firewall rules. WAN tab:
```
Proto  Source  Port  Destination  Port            Gateway  Queue  Description
*      *       *     WAN address  1194 (OpenVPN)  *        none   OpenVPN
```
OpenVPN tab:
```
Proto  Source  Port  Destination  Port  Gateway  Queue  Description
*      *       *     *            *     *        none   OpenVPN ukk wizard
```
2.3. ifconfig output:
```
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::201:2ff:fedb:e96a%ovpns1 prefixlen 64 scopeid 0x7
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        Opened by PID 39877
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
```
**3. Client settings:**
3.1. Copied the CA certificate.
3.2. Copied the shared TLS key.
3.3.
```
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 79.y.y.y
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 188.x.x.x 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
```
3.4. ifconfig
```
ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
```
3.5. OpenVPN tab:
```
Proto  Source  Port  Destination  Port  Gateway  Queue  Description
*      *       *     *            *     *        none   OpenVPN wizard
```
And with all of these settings, in the client log I see:
```
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
```
Where did I mess up?
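As an added example that is not part of the thread, a Python cross-check of a server/client config pair like the one posted above: same `proto` and `cipher`, complementary `tls-auth` key directions (0 on the server, 1 on the client), the client's `remote` port equal to the server's `lport`, and whether the client names any server-certificate verification directive at all, which is what OpenVPN's "No server certificate verification method has been enabled" warning points at. The sample configs are condensed from the post (masked addresses kept as-is); the list of verification directives is mine, from the OpenVPN 2.2 manual.

```python
# Condensed from the server and client configs posted above; masked addresses are left as-is.
SERVER_CONF = """\
#user nobody
proto udp
cipher AES-128-CBC
tls-server
server 10.0.0.0 255.255.255.248
lport 1194
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""
CLIENT_CONF = """\
proto udp
cipher AES-128-CBC
tls-client
client
lport 0
remote 188.x.x.x 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
"""
# Any one of these makes the client verify who it is talking to (OpenVPN 2.2-era directives).
SERVER_VERIFY_DIRECTIVES = ("remote-cert-tls", "ns-cert-type", "tls-remote", "tls-verify")


def parse_ovpn(text):
    """Map each directive to a list of its argument lists; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, directive, default=None):
    return conf[directive][0] if directive in conf else default


def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair passes these checks."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    for d in ("proto", "cipher"):
        if first(s, d) != first(c, d):
            problems.append(f"{d}: server {first(s, d)} vs client {first(c, d)}")
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth configured on one side only")
    elif s_ta and c_ta:
        # key direction must be 0 on the server and 1 on the client, or omitted on both
        dirs = (s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None)
        if dirs not in {("0", "1"), (None, None)}:
            problems.append(f"tls-auth key direction server/client {dirs}, expected ('0', '1')")
    s_port = first(s, "lport", ["1194"])[0]
    for remote in c.get("remote", []):
        c_port = remote[1] if len(remote) > 1 else "1194"
        if c_port != s_port:
            problems.append(f"client remote port {c_port} does not match server lport {s_port}")
    if ("tls-client" in c or "client" in c) and not any(d in c for d in SERVER_VERIFY_DIRECTIVES):
        problems.append("client has no server certificate verification method "
                        "(e.g. remote-cert-tls server); OpenVPN warns about this at startup")
    return problems


if __name__ == "__main__":
    for p in check_pair(SERVER_CONF, CLIENT_CONF):
        print(p)
```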
-
Oddly enough, the tunnel wouldn't come up until I removed the commented-out lines from the shared key.