Не поднимается site-to-site OpenVPN (решено)

boyarale

Здравствуйте!
Помогите, пожалуйста! Бьюсь второй день. Решение, видимо, на ладони, но я его не вижу.

Имеется офис и филиал, в обоих pfsense 2.0.1
Офис: LAN - 192.168.8.0, WAN 194.xxx.xxx.3
Филиал: LAN 192.168.65.0, WAN 213.yyy.yyy.211

Конфиги:

Офис

dev ovpns6
dev-type tun
dev-node /dev/tun6
writepid /var/run/openvpn_server6.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 194.xxx.xxx.3
ifconfig 10.0.8.1 10.0.8.2
lport 1199
management /var/etc/openvpn/server6.sock unix
push "route 192.168.8.8 255.255.255.0"
route 192.168.65.0 255.255.255.0
secret /var/etc/openvpn/server6.secret

Филиал
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 213.yyy.yyy.211
lport 1199
management /var/etc/openvpn/client1.sock unix
remote 194.xxx.xxx.3 1199
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.8 255.255.255.0
secret /var/etc/openvpn/client1.secret

Туннель не поднимается. Вот, что в логах:

Офис

Jun 7 11:45:38 openvpn[49604]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Jun 7 11:45:38 openvpn[49604]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Jun 7 11:45:38 openvpn[49604]: TUN/TAP device /dev/tun6 opened
Jun 7 11:45:38 openvpn[49604]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 7 11:45:38 openvpn[49604]: /sbin/ifconfig ovpns6 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Jun 7 11:45:38 openvpn[49604]: /usr/local/sbin/ovpn-linkup ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
Jun 7 11:45:38 openvpn[51341]: UDPv4 link local (bound): [AF_INET]194.ххх.ххх.3:1199
Jun 7 11:45:38 openvpn[51341]: UDPv4 link remote: [undef]
Jun 7 11:48:49 openvpn[51341]: event_wait : Interrupted system call (code=4)
Jun 7 11:48:49 openvpn[51341]: /usr/local/sbin/ovpn-linkdown ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
Jun 7 11:48:49 openvpn[51341]: SIGTERM[hard,] received, process exiting

Филиал

Jun 7 08:11:05 openvpn[38387]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 7 08:11:07 openvpn[38387]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Jun 7 08:11:07 openvpn[38387]: Re-using pre-shared static key
Jun 7 08:11:07 openvpn[38387]: Preserving previous TUN/TAP instance: ovpnc1
Jun 7 08:11:07 openvpn[38387]: UDPv4 link local (bound): [AF_INET]213.ууу.ууу.211:1199
Jun 7 08:11:07 openvpn[38387]: UDPv4 link remote: [AF_INET]194.ххх.ххх.3:1199

boyarale

Вопрос закрыт. Оказалось, козлил один из пэкеджей (я их несколько понаставил, поиграться). Через некоторое время перестала работать маршрутизация и веб-интерфейс (причем, без действий с моей стороны). Разбираться долго не стал, выпилил из конфига раздел с пэкеджами и отресторился с него. Все тикает.

Sonya

Приветствую, уважаемые!
Не хочется плодить темы, проблема та же: не поднимается туннель OpenVPN.

С одной стороны машинка на pfsense (ip 10.70.155.42)
с другой стороны сервер на винде (ip 10.71.32.172)
Вроде все настройки перенёс в pfsense, но канал не устанавливается.
Вот настройки pfsense:

dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.70.155.42
lport 5001
management /var/etc/openvpn/client1.sock unix
remote 10.71.32.172 5001
secret /var/etc/openvpn/client1.secret 
comp-lzo
ifconfig 192.168.253.253 192.168.253.254
verb 4

настройки openvpn виндового сервера:

remote 10.70.155.42 5001
local 10.71.32.172
lport 5001
proto udp 
cipher AES-128-CBC
dev tun
dev-node VPNZel
route-method exe
route-delay 10
ifconfig 192.168.253.254 192.168.253.253
route 192.168.31.0 255.255.255.0
secret static.txt
#ping 10
comp-lzo
verb 4
mute 10

Вот логи на pfsense:

Jul 4 13:44:36 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:44:36 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:45:36 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:45:36 	openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:45:36 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:45:36 	openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:45:38 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:45:38 	openvpn[38464]: Re-using pre-shared static key
Jul 4 13:45:38 	openvpn[38464]: LZO compression initialized
Jul 4 13:45:38 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:45:38 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:45:38 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:45:38 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:45:38 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:45:38 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:45:38 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:46:38 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:46:38 	openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:46:38 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:46:38 	openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:46:40 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:46:40 	openvpn[38464]: Re-using pre-shared static key
Jul 4 13:46:40 	openvpn[38464]: LZO compression initialized
Jul 4 13:46:40 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:46:40 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:46:40 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:46:40 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:46:40 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:46:40 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:46:40 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:47:40 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:47:40 	openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:47:40 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:47:40 	openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:47:42 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:47:42 	openvpn[38464]: Re-using pre-shared static key
Jul 4 13:47:42 	openvpn[38464]: LZO compression initialized
Jul 4 13:47:42 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:47:42 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:47:42 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:47:42 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:47:42 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:47:42 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:47:42 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001

Логи openvpn на виндовом сервере:

Wed Jul 04 13:31:02 2012 us=500000 Current Parameter Settings:
Wed Jul 04 13:31:02 2012 us=500000   config = 'zel.ovpn'
Wed Jul 04 13:31:02 2012 us=500000   mode = 0
Wed Jul 04 13:31:02 2012 us=500000   show_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   show_digests = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   show_engines = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   genkey = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   key_pass_file = '[UNDEF]'
Wed Jul 04 13:31:02 2012 us=500000   show_tls_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 Connection profiles [default]:
Wed Jul 04 13:31:02 2012 us=500000 NOTE: --mute triggered...
Wed Jul 04 13:31:02 2012 us=500000 213 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:31:02 2012 us=500000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Wed Jul 04 13:31:02 2012 us=500000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 LZO compression initialized
Wed Jul 04 13:31:02 2012 us=500000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jul 04 13:31:02 2012 us=515000 ROUTE default_gateway=89.222.215.17
Wed Jul 04 13:31:02 2012 us=515000 TAP-WIN32 device [VPNZel] opened: \\.\Global\{52D930CD-275C-4B31-A784-61C7B4013BE0}.tap
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 Driver Version 9.8 
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 MTU=1500
Wed Jul 04 13:31:02 2012 us=531000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.253.254/255.255.255.252 on interface {52D930CD-275C-4B31-A784-61C7B4013BE0} [DHCP-serv: 192.168.253.253, lease-time: 31536000]
Wed Jul 04 13:31:02 2012 us=531000 NOTE: FlushIpNetTable failed on interface [65542] {52D930CD-275C-4B31-A784-61C7B4013BE0} (status=1413) : Неверный индекс.  
Wed Jul 04 13:31:02 2012 us=531000 Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 04 13:31:02 2012 us=531000 Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Local Options hash (VER=V4): 'ba89014a'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options hash (VER=V4): '39a50059'
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link local (bound): 10.71.32.172:5001
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:53 2012 us=234000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 NOTE: --mute triggered...
Wed Jul 04 13:33:02 2012 us=406000 10 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:33:02 2012 us=406000 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (1360 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:57 2012 us=343000 NOTE: --mute triggered...
Wed Jul 04 13:36:18 2012 us=296000 9 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:36:18 2012 us=296000 Peer Connection Initiated with 10.70.155.42:5001
Wed Jul 04 13:36:19 2012 us=62000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:19 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:20 2012 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:28 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:29 2012 us=859000 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Jul 04 13:36:29 2012 us=859000 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.0 192.168.253.253
Wed Jul 04 13:36:29 2012 us=984000 Initialization Sequence Completed
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:20 2012 us=281000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 NOTE: --mute triggered...

Порты 5001 на обоих серверах открыты, пинги идут в обе стороны.
Подскажите, чего я не учёл?

Sonya

Всё, проблема решена. Человеческим же языком было написано "allow this incoming source address/port by removing –remote or adding --float"
Добавил на виндовом клиенте опцию float, и соединение установилось.

putinka

Коллеги. Прошу помощи, ибо после 3 дней войны с openvpn мысли иссякли, а глаз замылился.
В наличии имеются два пифа 2.0.1 (на 1.2.3 эту тему поднимал влёт). Настройки делаю только через веб-интерфейс. Пытаюсь поднять site-to-site на базе pki (с shared-keys тоже ничего не мог сделать).
1. На сервере сгенерировал три связки ключей: ca (центр сертификации), serv (серверный сертификат) и cln (пользовательский сертификат).
2. Настройки сервера:
2.1.```
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 188.Х.Х.Х
tls-server
server 10.0.0.0 255.255.255.248
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.0.1 10.0.0.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0

2.2\. Правила фаера:
Вкладка wan```
* 	* 	* 	WAN address 	1194 (OpenVPN) 	* 	none 	  	OpenVPN 

Вкладка openvpn```

• • • • • • none   OpenVPN ukk wizard

2.3\. ifconfig вывел:

ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
options=80000 <linkstate>inet6 fe80::201:2ff:fedb:e96a%ovpns1 prefixlen 64 scopeid 0x7
inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
nd6 options=3 <performnud,accept_rtadv>Opened by PID 39877
tun2: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
options=80000 <linkstate></linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast>

**3\. Настройки клиента:**
3.1\. Скопировал сертификат СА
3.2\. Скопировал общий ключ tls
3.3.

dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 79.y.y.y
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 188.x.x.x 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1

3.4\. ifconfig

ovpnc1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
options=80000 <linkstate></linkstate></pointopoint,multicast>

3.5\. Вкладка openvpn

* 	* 	* 	* 	* 	* 	none 	  	OpenVPN wizard  

И вот при всех этих настройках в логе клиента вижу:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Где я накосячил?

putinka

Как не странно, пока не убрал в shared-key закомментированные строки тоннель не поднимался.