Site-to-site OpenVPN won't come up (solved)



  • Hello!
    Please help! I've been fighting this for two days now. The solution is probably right under my nose, but I can't see it.

    There's an office and a branch, both running pfSense 2.0.1
    Office: LAN - 192.168.8.0, WAN 194.xxx.xxx.3
    Branch: LAN 192.168.65.0, WAN 213.yyy.yyy.211

    Configs:

    Office

    dev ovpns6
    dev-type tun
    dev-node /dev/tun6
    writepid /var/run/openvpn_server6.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 194.xxx.xxx.3
    ifconfig 10.0.8.1 10.0.8.2
    lport 1199
    management /var/etc/openvpn/server6.sock unix
    push "route 192.168.8.8 255.255.255.0"
    route 192.168.65.0 255.255.255.0
    secret /var/etc/openvpn/server6.secret

    Branch
    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 213.yyy.yyy.211
    lport 1199
    management /var/etc/openvpn/client1.sock unix
    remote 194.xxx.xxx.3 1199
    ifconfig 10.0.8.2 10.0.8.1
    route 192.168.8.8 255.255.255.0
    secret /var/etc/openvpn/client1.secret

    The tunnel doesn't come up. Here's what's in the logs:

    Office

    Jun 7 11:45:38 openvpn[49604]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Jun 7 11:45:38 openvpn[49604]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 7 11:45:38 openvpn[49604]: TUN/TAP device /dev/tun6 opened
    Jun 7 11:45:38 openvpn[49604]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jun 7 11:45:38 openvpn[49604]: /sbin/ifconfig ovpns6 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
    Jun 7 11:45:38 openvpn[49604]: /usr/local/sbin/ovpn-linkup ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
    Jun 7 11:45:38 openvpn[51341]: UDPv4 link local (bound): [AF_INET]194.xxx.xxx.3:1199
    Jun 7 11:45:38 openvpn[51341]: UDPv4 link remote: [undef]
    Jun 7 11:48:49 openvpn[51341]: event_wait : Interrupted system call (code=4)
    Jun 7 11:48:49 openvpn[51341]: /usr/local/sbin/ovpn-linkdown ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
    Jun 7 11:48:49 openvpn[51341]: SIGTERM[hard,] received, process exiting

    Branch

    Jun 7 08:11:05 openvpn[38387]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 7 08:11:07 openvpn[38387]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 7 08:11:07 openvpn[38387]: Re-using pre-shared static key
    Jun 7 08:11:07 openvpn[38387]: Preserving previous TUN/TAP instance: ovpnc1
    Jun 7 08:11:07 openvpn[38387]: UDPv4 link local (bound): [AF_INET]213.yyy.yyy.211:1199
    Jun 7 08:11:07 openvpn[38387]: UDPv4 link remote: [AF_INET]194.xxx.xxx.3:1199



  • Question closed. It turned out one of the packages was misbehaving (I'd installed several of them to play around with). After a while routing and the web interface stopped working (and without any action on my part). I didn't spend long investigating: cut the packages section out of the config and restored from that. Everything's ticking along.



  • Greetings, esteemed colleagues!
    I don't want to multiply threads, and the problem is the same: the OpenVPN tunnel doesn't come up.

    On one side a pfSense box (ip 10.70.155.42)
    on the other side a Windows server (ip 10.71.32.172)
    I think I carried all the settings over into pfSense, but the link isn't established.
    Here are the pfSense settings:

    
    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.70.155.42
    lport 5001
    management /var/etc/openvpn/client1.sock unix
    remote 10.71.32.172 5001
    secret /var/etc/openvpn/client1.secret 
    comp-lzo
    ifconfig 192.168.253.253 192.168.253.254
    verb 4
    
    

    openvpn settings on the Windows server:

    
    remote 10.70.155.42 5001
    local 10.71.32.172
    lport 5001
    proto udp 
    cipher AES-128-CBC
    dev tun
    dev-node VPNZel
    route-method exe
    route-delay 10
    ifconfig 192.168.253.254 192.168.253.253
    route 192.168.31.0 255.255.255.0
    secret static.txt
    #ping 10
    comp-lzo
    verb 4
    mute 10
    
    

    Here are the logs on pfSense:

    
    Jul 4 13:44:36 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
    Jul 4 13:44:36 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
    Jul 4 13:45:36 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
    Jul 4 13:45:36 	openvpn[38464]: TCP/UDP: Closing socket
    Jul 4 13:45:36 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
    Jul 4 13:45:36 	openvpn[38464]: Restart pause, 2 second(s)
    Jul 4 13:45:38 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 4 13:45:38 	openvpn[38464]: Re-using pre-shared static key
    Jul 4 13:45:38 	openvpn[38464]: LZO compression initialized
    Jul 4 13:45:38 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jul 4 13:45:38 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
    Jul 4 13:45:38 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 4 13:45:38 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jul 4 13:45:38 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jul 4 13:45:38 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
    Jul 4 13:45:38 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
    Jul 4 13:45:38 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
    Jul 4 13:45:38 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
    Jul 4 13:46:38 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
    Jul 4 13:46:38 	openvpn[38464]: TCP/UDP: Closing socket
    Jul 4 13:46:38 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
    Jul 4 13:46:38 	openvpn[38464]: Restart pause, 2 second(s)
    Jul 4 13:46:40 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 4 13:46:40 	openvpn[38464]: Re-using pre-shared static key
    Jul 4 13:46:40 	openvpn[38464]: LZO compression initialized
    Jul 4 13:46:40 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jul 4 13:46:40 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
    Jul 4 13:46:40 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 4 13:46:40 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jul 4 13:46:40 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jul 4 13:46:40 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
    Jul 4 13:46:40 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
    Jul 4 13:46:40 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
    Jul 4 13:46:40 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
    Jul 4 13:47:40 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
    Jul 4 13:47:40 	openvpn[38464]: TCP/UDP: Closing socket
    Jul 4 13:47:40 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
    Jul 4 13:47:40 	openvpn[38464]: Restart pause, 2 second(s)
    Jul 4 13:47:42 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 4 13:47:42 	openvpn[38464]: Re-using pre-shared static key
    Jul 4 13:47:42 	openvpn[38464]: LZO compression initialized
    Jul 4 13:47:42 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jul 4 13:47:42 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
    Jul 4 13:47:42 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 4 13:47:42 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jul 4 13:47:42 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jul 4 13:47:42 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
    Jul 4 13:47:42 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
    Jul 4 13:47:42 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
    Jul 4 13:47:42 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
    
    

    openvpn logs on the Windows server:

    
    Wed Jul 04 13:31:02 2012 us=500000 Current Parameter Settings:
    Wed Jul 04 13:31:02 2012 us=500000   config = 'zel.ovpn'
    Wed Jul 04 13:31:02 2012 us=500000   mode = 0
    Wed Jul 04 13:31:02 2012 us=500000   show_ciphers = DISABLED
    Wed Jul 04 13:31:02 2012 us=500000   show_digests = DISABLED
    Wed Jul 04 13:31:02 2012 us=500000   show_engines = DISABLED
    Wed Jul 04 13:31:02 2012 us=500000   genkey = DISABLED
    Wed Jul 04 13:31:02 2012 us=500000   key_pass_file = '[UNDEF]'
    Wed Jul 04 13:31:02 2012 us=500000   show_tls_ciphers = DISABLED
    Wed Jul 04 13:31:02 2012 us=500000 Connection profiles [default]:
    Wed Jul 04 13:31:02 2012 us=500000 NOTE: --mute triggered...
    Wed Jul 04 13:31:02 2012 us=500000 213 variation(s) on previous 10 message(s) suppressed by --mute
    Wed Jul 04 13:31:02 2012 us=500000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
    Wed Jul 04 13:31:02 2012 us=500000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 04 13:31:02 2012 us=500000 LZO compression initialized
    Wed Jul 04 13:31:02 2012 us=500000 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed Jul 04 13:31:02 2012 us=515000 ROUTE default_gateway=89.222.215.17
    Wed Jul 04 13:31:02 2012 us=515000 TAP-WIN32 device [VPNZel] opened: \\.\Global\{52D930CD-275C-4B31-A784-61C7B4013BE0}.tap
    Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 Driver Version 9.8 
    Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 MTU=1500
    Wed Jul 04 13:31:02 2012 us=531000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.253.254/255.255.255.252 on interface {52D930CD-275C-4B31-A784-61C7B4013BE0} [DHCP-serv: 192.168.253.253, lease-time: 31536000]
    Wed Jul 04 13:31:02 2012 us=531000 NOTE: FlushIpNetTable failed on interface [65542] {52D930CD-275C-4B31-A784-61C7B4013BE0} (status=1413) : Invalid index.
    Wed Jul 04 13:31:02 2012 us=531000 Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Jul 04 13:31:02 2012 us=531000 Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Wed Jul 04 13:31:02 2012 us=531000 Local Options hash (VER=V4): 'ba89014a'
    Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options hash (VER=V4): '39a50059'
    Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link local (bound): 10.71.32.172:5001
    Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
    Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:31:53 2012 us=234000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:32:04 2012 us=125000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:32:04 2012 us=125000 NOTE: --mute triggered...
    Wed Jul 04 13:33:02 2012 us=406000 10 variation(s) on previous 10 message(s) suppressed by --mute
    Wed Jul 04 13:33:02 2012 us=406000 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (1360 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.
    Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:33:57 2012 us=343000 NOTE: --mute triggered...
    Wed Jul 04 13:36:18 2012 us=296000 9 variation(s) on previous 10 message(s) suppressed by --mute
    Wed Jul 04 13:36:18 2012 us=296000 Peer Connection Initiated with 10.70.155.42:5001
    Wed Jul 04 13:36:19 2012 us=62000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:19 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:20 2012 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:28 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:29 2012 us=859000 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
    Wed Jul 04 13:36:29 2012 us=859000 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.0 192.168.253.253
    Wed Jul 04 13:36:29 2012 us=984000 Initialization Sequence Completed
    Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:37:20 2012 us=281000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:37:30 2012 us=921000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
    Wed Jul 04 13:37:30 2012 us=921000 NOTE: --mute triggered...
    
    

    Port 5001 is open on both servers, pings go in both directions.
    Can you tell me what I've overlooked?



  • That's it, problem solved. It was written in plain language: "allow this incoming source address/port by removing --remote or adding --float"
    I added the float option on the Windows client, and the connection was established.
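The rejection line the previous post quotes is OpenVPN refusing datagrams whose source address:port differs from the pinned `--remote`. As an added example, not code from this thread or from the OpenVPN project, here is a small Python log triage that pulls those lines apart and separates "same host, different port" (what the Windows-side log above shows: 48876 and later 25185 instead of 5001, so the pfSense end was not reaching the Windows box from the port it was configured to bind, which usually means something on the path rewrites the source port or the sender is not really bound to its `lport`) from "different host", which `--float` would also silently admit. The sample log is constructed to resemble the Windows-side log above; the 203.0.113.9 line is invented to show the second case.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Windows-side log quoted in the post above
# (same message format); the 203.0.113.9 line is invented to show a foreign host.
SAMPLE_LOG = """\
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link local (bound): 10.71.32.172:5001
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:19 2012 us=62000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:40:00 2012 us=0 TCP/UDP: Incoming packet rejected from 203.0.113.9:1194[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
"""

REJECT_RE = re.compile(
    r"Incoming packet rejected from (?P<src_ip>[\d.]+):(?P<src_port>\d+)\[\d+\], "
    r"expected peer address: (?P<exp_ip>[\d.]+):(?P<exp_port>\d+)"
)


def classify_rejects(log_text):
    """One record per distinct (source, expected) pair found in 'Incoming packet
    rejected' lines, tagged with what the pattern means."""
    seen = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[(m["src_ip"], int(m["src_port"]), m["exp_ip"], int(m["exp_port"]))] += 1
    records = []
    for (sip, sport, eip, eport), n in sorted(seen.items()):
        if sip == eip and sport != eport:
            # Right host, wrong source port: NAT on the path rewrote it, or the
            # peer is not actually bound to the lport it was configured with.
            kind = "port-drift"
        elif sip != eip:
            # A different host entirely; --float would let this through as well.
            kind = "foreign-host"
        else:
            kind = "other"
        records.append({"src": f"{sip}:{sport}", "expected": f"{eip}:{eport}",
                        "count": n, "kind": kind})
    return records


def recommend(records):
    """Decide what to change, given the classified rejects."""
    kinds = {r["kind"] for r in records}
    if "foreign-host" in kinds:
        return ("packets arrive from hosts other than the configured peer; "
                "investigate them before removing --remote or adding --float")
    if "port-drift" in kinds:
        return ("peer IP matches but its source port varies: either make the peer "
                "really bind its lport (no source-port NAT on the path) or add --float; "
                "with a static key every datagram is still HMAC-authenticated, so "
                "--float relaxes the address pin, not authentication")
    return "no rejected packets"


if __name__ == "__main__":
    found = classify_rejects(SAMPLE_LOG)
    for r in found:
        print(f"{r['count']:3d}x {r['src']:>20} (expected {r['expected']}) -> {r['kind']}")
    print(recommend(found))
```

The trade-off `--float` buys is that a peer holding the static key may now reach you from any address, so keep the key where it belongs and prefer fixing the source port when you control both ends.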



  • Colleagues, I'm asking for help, because after 3 days of war with openvpn I've run out of ideas and my eyes have glazed over.
    I have two pfSense 2.0.1 boxes (on 1.2.3 I got this up in no time). I do all configuration through the web interface only. I'm trying to bring up site-to-site based on PKI (with shared keys I couldn't get anywhere either).
    1. On the server I generated three key sets: ca (certificate authority), serv (server certificate) and cln (user certificate).
    2. Server settings:
    2.1.
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 188.Х.Х.Х
    tls-server
    server 10.0.0.0 255.255.255.248
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.0.1 10.0.0.2
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0

    2.2. Firewall rules:
    WAN tab

    Proto  Source  Port  Destination  Port            Gateway  Queue  Schedule  Description
    *      *       *     WAN address  1194 (OpenVPN)  *        none             OpenVPN

    OpenVPN tab

    Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    *      *       *     *            *     *        none             OpenVPN ukk wizard

    2.3. ifconfig output:

    ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::201:2ff:fedb:e96a%ovpns1 prefixlen 64 scopeid 0x7
            inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 39877
    tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>

    3. Client settings:
    3.1. Copied the CA certificate
    3.2. Copied the shared TLS key
    3.3.


    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 79.y.y.y
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 188.x.x.x 1194
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1

    3.4. ifconfig

    ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>

    3.5. OpenVPN tab

    Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    *      *       *     *            *     *        none             OpenVPN wizard


    And with all these settings, in the client log I see:

    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    Where did I screw up?
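Two checks worth scripting from this thread, added here as example code rather than anything from pfSense or OpenVPN: for the static-key pairs in the first two posts, that the two sides mirror each other (`ifconfig` swapped, `remote` pointing at the `local`/`lport` the other side binds, and the cipher/auth/proto/compression fields that OpenVPN folds into its options-consistency string identical); and for the PKI client in the post above, that some form of server-certificate verification is configured, which is exactly what the `No server certificate verification method has been enabled` warning complains about. Without it, any certificate issued by the same CA, another client's included, is accepted as the server, so whoever holds any client cert and can redirect the traffic can sit in the middle of the tunnel; `remote-cert-tls server` is the usual fix. The configs below are constructed, trimmed from the ones posted, with RFC 5737 documentation addresses in place of the masked public IPs; the consistency check is a simplified model of OpenVPN's OCC, not its code, and the list of directives that count as server verification is my own.

```python
# Constructed configs, trimmed from the ones posted in this thread; the masked
# public IPs are replaced with RFC 5737 documentation addresses.
OFFICE = """\
dev-type tun
proto udp
cipher AES-128-CBC
local 198.51.100.3
ifconfig 10.0.8.1 10.0.8.2
lport 1199
secret /var/etc/openvpn/server6.secret
"""
BRANCH = """\
dev-type tun
proto udp
cipher AES-128-CBC
local 203.0.113.211
lport 1199
remote 198.51.100.3 1199
ifconfig 10.0.8.2 10.0.8.1
secret /var/etc/openvpn/client1.secret
"""
PKI_CLIENT = """\
dev-type tun
script-security 3
proto udp
cipher AES-128-CBC
tls-client
client
remote 198.51.100.3 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
"""


def parse_ovpn(text):
    """Turn an OpenVPN config into {directive: [args, ...]}; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, args = line.partition(" ")
            opts.setdefault(key, []).append(args.strip().strip('"'))
    return opts


def first(opts, key, default=""):
    return opts[key][0] if key in opts else default


def check_static_key_peers(a_text, b_text):
    """Mismatches between two 'secret' peers: the fields OpenVPN folds into its
    options-consistency string (the 'Local Options String' / 'Expected Remote
    Options String' log lines above), plus the addressing that never appears
    there. A simplified model, not OpenVPN's own OCC code."""
    a, b = parse_ovpn(a_text), parse_ovpn(b_text)
    problems = [f"{n}: no 'secret' directive" for n, o in (("A", a), ("B", b)) if "secret" not in o]
    ia, ib = first(a, "ifconfig").split(), first(b, "ifconfig").split()
    if len(ia) != 2 or ia != ib[::-1]:
        problems.append(f"ifconfig not mirrored: A={ia} B={ib}")
    # defaults are OpenVPN 2.2's: a side that omits the directive still uses them
    for key, default in (("proto", "udp"), ("cipher", "BF-CBC"), ("auth", "SHA1"), ("dev-type", "tun")):
        va, vb = first(a, key, default), first(b, key, default)
        if va != vb:
            problems.append(f"{key} differs: A={va} B={vb}")
    if ("comp-lzo" in a) != ("comp-lzo" in b):
        problems.append("comp-lzo set on one side only")
    # whoever dials must dial the address:port the other side actually binds
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        rem = first(x, "remote").split()
        if rem:
            host, port = rem[0], (rem[1] if len(rem) > 1 else "1194")
            if first(y, "local") and host != first(y, "local"):
                problems.append(f"{nx} dials {host} but {ny} binds {first(y, 'local')}")
            if port != first(y, "lport", "1194"):
                problems.append(f"{nx} dials port {port} but {ny} listens on {first(y, 'lport', '1194')}")
    return problems


# Directives that pin the server's identity; which ones exist depends on the
# OpenVPN version (my list, assumed for this example).
SERVER_CHECKS = ("remote-cert-tls", "ns-cert-type", "remote-cert-eku", "remote-cert-ku",
                 "verify-x509-name", "tls-remote", "tls-verify")


def check_pki_client(text):
    """Findings for a tls-client config, starting with the one behind the
    'No server certificate verification method has been enabled' warning."""
    o = parse_ovpn(text)
    if "tls-client" not in o and "client" not in o:
        return ["not a TLS client config"]
    findings = []
    if not any(k in o for k in SERVER_CHECKS):
        findings.append("no server-certificate check: any cert from the same CA, another "
                        "client's included, passes as the server; add 'remote-cert-tls server'")
    if "tls-auth" not in o:
        findings.append("no tls-auth: the TLS control channel accepts unauthenticated packets")
    ss = first(o, "script-security", "1")
    if ss.isdigit() and int(ss) >= 3:
        findings.append("script-security 3 lets passwords reach scripts via the environment")
    return findings


if __name__ == "__main__":
    print("static-key pair:", check_static_key_peers(OFFICE, BRANCH) or "consistent")
    for f in check_pki_client(PKI_CLIENT):
        print("pki client:", f)
```

Run it against the real generated files (`/var/etc/openvpn/*.conf` on pfSense) before chasing packets: the posted static-key configs pass the peer check, which is consistent with the first post's problem being elsewhere, while the PKI client config only clears the warning once a server-identity directive is present.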


  • Oddly enough, the tunnel wouldn't come up until I removed the commented-out lines from the shared key.

