Netgate Discussion Forum
Site-to-site OpenVPN does not come up (solved)

boyarale:

Hello!
Please help! I have been fighting this for two days. The solution is probably right in front of me, but I cannot see it.

There is an office and a branch, both running pfSense 2.0.1.
Office: LAN 192.168.8.0, WAN 194.xxx.xxx.3
Branch: LAN 192.168.65.0, WAN 213.yyy.yyy.211

Configs:

Office

```
dev ovpns6
dev-type tun
dev-node /dev/tun6
writepid /var/run/openvpn_server6.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 194.xxx.xxx.3
ifconfig 10.0.8.1 10.0.8.2
lport 1199
management /var/etc/openvpn/server6.sock unix
push "route 192.168.8.8 255.255.255.0"
route 192.168.65.0 255.255.255.0
secret /var/etc/openvpn/server6.secret
```

Branch

```
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 213.yyy.yyy.211
lport 1199
management /var/etc/openvpn/client1.sock unix
remote 194.xxx.xxx.3 1199
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.8 255.255.255.0
secret /var/etc/openvpn/client1.secret
```

The tunnel does not come up. Here is what the logs show:

Office

```
Jun 7 11:45:38 openvpn[49604]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Jun 7 11:45:38 openvpn[49604]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 7 11:45:38 openvpn[49604]: TUN/TAP device /dev/tun6 opened
Jun 7 11:45:38 openvpn[49604]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 7 11:45:38 openvpn[49604]: /sbin/ifconfig ovpns6 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Jun 7 11:45:38 openvpn[49604]: /usr/local/sbin/ovpn-linkup ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
Jun 7 11:45:38 openvpn[51341]: UDPv4 link local (bound): [AF_INET]194.ххх.ххх.3:1199
Jun 7 11:45:38 openvpn[51341]: UDPv4 link remote: [undef]
Jun 7 11:48:49 openvpn[51341]: event_wait : Interrupted system call (code=4)
Jun 7 11:48:49 openvpn[51341]: /usr/local/sbin/ovpn-linkdown ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
Jun 7 11:48:49 openvpn[51341]: SIGTERM[hard,] received, process exiting
```

Branch

```
Jun 7 08:11:05 openvpn[38387]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 7 08:11:07 openvpn[38387]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 7 08:11:07 openvpn[38387]: Re-using pre-shared static key
Jun 7 08:11:07 openvpn[38387]: Preserving previous TUN/TAP instance: ovpnc1
Jun 7 08:11:07 openvpn[38387]: UDPv4 link local (bound): [AF_INET]213.ууу.ууу.211:1199
Jun 7 08:11:07 openvpn[38387]: UDPv4 link remote: [AF_INET]194.ххх.ххх.3:1199
```

boyarale:

The question is closed. It turned out that one of the packages was acting up (I had installed several of them to play with). After a while, routing and the web interface stopped working (without any action on my part). I did not spend long investigating: I cut the packages section out of the config and restored from it. Everything is ticking along.

Sonya:

Greetings, everyone!
I do not want to multiply topics; the problem is the same: the OpenVPN tunnel does not come up.

On one side there is a pfSense box (ip 10.70.155.42),
on the other side a Windows server (ip 10.71.32.172).
I seem to have carried all the settings over to pfSense, but the link is not established.
Here are the pfSense settings:

```
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.70.155.42
lport 5001
management /var/etc/openvpn/client1.sock unix
remote 10.71.32.172 5001
secret /var/etc/openvpn/client1.secret
comp-lzo
ifconfig 192.168.253.253 192.168.253.254
verb 4
```


OpenVPN settings of the Windows server:

```
remote 10.70.155.42 5001
local 10.71.32.172
lport 5001
proto udp
cipher AES-128-CBC
dev tun
dev-node VPNZel
route-method exe
route-delay 10
ifconfig 192.168.253.254 192.168.253.253
route 192.168.31.0 255.255.255.0
secret static.txt
#ping 10
comp-lzo
verb 4
mute 10
```


Here are the logs on pfSense:

```
Jul 4 13:44:36 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:44:36 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:45:36 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:45:36 openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:45:36 openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:45:36 openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:45:38 openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:45:38 openvpn[38464]: Re-using pre-shared static key
Jul 4 13:45:38 openvpn[38464]: LZO compression initialized
Jul 4 13:45:38 openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:45:38 openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:45:38 openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:45:38 openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:45:38 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:45:38 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:45:38 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:46:38 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:46:38 openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:46:38 openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:46:38 openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:46:40 openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:46:40 openvpn[38464]: Re-using pre-shared static key
Jul 4 13:46:40 openvpn[38464]: LZO compression initialized
Jul 4 13:46:40 openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:46:40 openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:46:40 openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:46:40 openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:46:40 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:46:40 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:46:40 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:47:40 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:47:40 openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:47:40 openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:47:40 openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:47:42 openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:47:42 openvpn[38464]: Re-using pre-shared static key
Jul 4 13:47:42 openvpn[38464]: LZO compression initialized
Jul 4 13:47:42 openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:47:42 openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:47:42 openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:47:42 openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:47:42 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:47:42 openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:47:42 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
```


OpenVPN logs on the Windows server:

```
Wed Jul 04 13:31:02 2012 us=500000 Current Parameter Settings:
Wed Jul 04 13:31:02 2012 us=500000   config = 'zel.ovpn'
Wed Jul 04 13:31:02 2012 us=500000   mode = 0
Wed Jul 04 13:31:02 2012 us=500000   show_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   show_digests = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   show_engines = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   genkey = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   key_pass_file = '[UNDEF]'
Wed Jul 04 13:31:02 2012 us=500000   show_tls_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 Connection profiles [default]:
Wed Jul 04 13:31:02 2012 us=500000 NOTE: --mute triggered...
Wed Jul 04 13:31:02 2012 us=500000 213 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:31:02 2012 us=500000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Wed Jul 04 13:31:02 2012 us=500000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 LZO compression initialized
Wed Jul 04 13:31:02 2012 us=500000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jul 04 13:31:02 2012 us=515000 ROUTE default_gateway=89.222.215.17
Wed Jul 04 13:31:02 2012 us=515000 TAP-WIN32 device [VPNZel] opened: \\.\Global\{52D930CD-275C-4B31-A784-61C7B4013BE0}.tap
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 Driver Version 9.8
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 MTU=1500
Wed Jul 04 13:31:02 2012 us=531000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.253.254/255.255.255.252 on interface {52D930CD-275C-4B31-A784-61C7B4013BE0} [DHCP-serv: 192.168.253.253, lease-time: 31536000]
Wed Jul 04 13:31:02 2012 us=531000 NOTE: FlushIpNetTable failed on interface [65542] {52D930CD-275C-4B31-A784-61C7B4013BE0} (status=1413) : Неверный индекс.
Wed Jul 04 13:31:02 2012 us=531000 Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 04 13:31:02 2012 us=531000 Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Local Options hash (VER=V4): 'ba89014a'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options hash (VER=V4): '39a50059'
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link local (bound): 10.71.32.172:5001
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:53 2012 us=234000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 NOTE: --mute triggered...
Wed Jul 04 13:33:02 2012 us=406000 10 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:33:02 2012 us=406000 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (1360 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:57 2012 us=343000 NOTE: --mute triggered...
Wed Jul 04 13:36:18 2012 us=296000 9 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:36:18 2012 us=296000 Peer Connection Initiated with 10.70.155.42:5001
Wed Jul 04 13:36:19 2012 us=62000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:19 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:20 2012 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:28 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:29 2012 us=859000 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Jul 04 13:36:29 2012 us=859000 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.0 192.168.253.253
Wed Jul 04 13:36:29 2012 us=984000 Initialization Sequence Completed
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:20 2012 us=281000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 NOTE: --mute triggered...
```


Port 5001 is open on both servers, and pings go through in both directions.
Can you tell me what I have overlooked?

Sonya:

That's it, the problem is solved. It was written there in plain language: "allow this incoming source address/port by removing --remote or adding --float"
I added the float option on the Windows client, and the connection was established.

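Added example, not code from the post or from pfSense: a small Python check over constructed copies of a few lines from each of the two logs above. It turns the two diagnostics hidden in those logs into explicit findings: whether each side's "Local Options hash" matches the other side's "Expected Remote Options hash", and whether the "Incoming packet rejected" lines show the configured peer arriving from a rewritten source port, which is exactly the case that `--float` relaxes. The function and finding names are my own.

```python
import re

# Constructed excerpts that copy the shape of the two logs in the post
# (pfSense side and Windows side of the same static-key tunnel).
PFSENSE_LOG = """\
Jul 4 13:45:38 openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:45:38 openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:45:38 openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:46:38 openvpn[38464]: Inactivity timeout (--ping-restart), restarting
"""
WINDOWS_LOG = """\
Wed Jul 04 13:31:02 2012 us=531000 Local Options hash (VER=V4): 'ba89014a'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options hash (VER=V4): '39a50059'
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
"""

HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V\d+\): '([0-9a-f]+)'")
REJECT_RE = re.compile(r"Incoming packet rejected from (\S+?):(\d+)\[\d+\], "
                       r"expected peer address: (\S+?):(\d+)")


def options_hashes(log):
    """Last 'Local' and 'Expected Remote' options hashes logged by one peer."""
    found = {}
    for m in HASH_RE.finditer(log):
        found["local" if m.group(1) == "Local" else "expected"] = m.group(2)
    return found


def options_consistent(log_a, log_b):
    """True when each side's local options equal what the other side expects
    (ifconfig order, cipher, comp-lzo, MTU and auth all feed the hash)."""
    a, b = options_hashes(log_a), options_hashes(log_b)
    if not all(k in a and k in b for k in ("local", "expected")):
        return False
    return a["local"] == b["expected"] and b["local"] == a["expected"]


def rejected_peers(log):
    """Distinct (seen_host, seen_port, expected_host, expected_port) tuples."""
    seen = []
    for m in REJECT_RE.finditer(log):
        t = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        if t not in seen:
            seen.append(t)
    return seen


def diagnose(log_a, log_b):
    """Classify what the two logs show; an empty list means nothing suspicious."""
    findings = []
    if not options_consistent(log_a, log_b):
        findings.append("options-mismatch")
    for log in (log_a, log_b):
        for host, port, exp_host, exp_port in rejected_peers(log):
            if host == exp_host and port != exp_port:
                # Same peer, different source port: a NAT on the path rewrote
                # the port, so the strict --remote host:port match fails.
                # --float accepts this; in static-key mode the HMAC (auth SHA1
                # in the log) still authenticates every packet.
                findings.append("source-port-rewritten")
            else:
                # Traffic from a host that is not the configured peer at all:
                # worth a look rather than a --float.
                findings.append("unexpected-peer")
    return findings


if __name__ == "__main__":
    print(diagnose(PFSENSE_LOG, WINDOWS_LOG))   # ['source-port-rewritten']
```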
putinka:

Colleagues, I am asking for help, because after 3 days of war with openvpn my ideas have run out and I can no longer see the obvious.
I have two pfSense 2.0.1 boxes (on 1.2.3 I got this up in no time). I do all configuration through the web interface only. I am trying to bring up a site-to-site based on PKI (with shared keys I could not get anything to work either).
1. On the server I generated three key sets: ca (certificate authority), serv (server certificate) and cln (user certificate).
2. Server settings:
2.1.
```
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 188.Х.Х.Х
tls-server
server 10.0.0.0 255.255.255.248
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.0.1 10.0.0.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
```

2.2. Firewall rules:

WAN tab:

| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| * | * | * | WAN address | 1194 (OpenVPN) | * | none | | OpenVPN |

OpenVPN tab:

    none    OpenVPN ukk wizard

2.3. ifconfig output:

```
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::201:2ff:fedb:e96a%ovpns1 prefixlen 64 scopeid 0x7
	inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	Opened by PID 39877
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
```


**3. Client settings:**
3.1. Copied the CA certificate
3.2. Copied the shared TLS key
3.3.

```
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 79.y.y.y
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 188.x.x.x 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
```

3.4. ifconfig

```
ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
```


3.5. OpenVPN tab

| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| * | * | * | * | * | * | none | | OpenVPN wizard |

And with all these settings, in the client log I see:

```
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
```

Where did I mess up?
putinka:

Strange as it may seem, the tunnel would not come up until I removed the commented-out lines from the shared key.

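A Python lint, added here as an example (not code from the thread or from pfSense), over constructed config excerpts modelled on the server and client configs in the PKI post above. It flags the condition behind the client's "No server certificate verification method has been enabled" warning (a tls-client config with no server-verification directive such as `remote-cert-tls server`), checks that the tls-auth key directions are complementary (0 on the server, 1 on the client), and validates the shape of a pasted static key so that anything outside the BEGIN/END markers that is not a `#` comment stands out, which bears on the shared-key reply just above. The sample configs, the dummy key and all function names are constructed.

```python
import re

# Constructed excerpts modelled on the pfSense-generated configs in the post.
SERVER_CFG = """\
dev ovpns1
proto udp
tls-server
server 10.0.0.0 255.255.255.248
tls-verify /var/etc/openvpn/server1.tls-verify.php
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""
CLIENT_CFG = """\
dev ovpnc1
proto udp
tls-client
client
remote 188.x.x.x 1194
tls-auth /var/etc/openvpn/client1.tls-auth 1
"""
# Constructed dummy blob in OpenVPN static-key layout (NOT a real key):
# three '#' comment lines, then 16 lines of 32 hex digits between the markers.
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
DUMMY_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n" + BEGIN + "\n"
             + "0123456789abcdef0123456789abcdef\n" * 16 + END + "\n")

# Directives that give a tls-client a way to verify the server's certificate;
# with none of them present OpenVPN prints the 'No server certificate
# verification method has been enabled' warning seen in the post.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
                 "ns-cert-type", "tls-remote", "verify-x509-name", "tls-verify"}
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_config(text):
    """(directive, [args]) pairs, skipping blank lines and '#'/';' comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def lint_client(text):
    """Issues for a client config; [] when the server will be verified."""
    names = {name for name, _ in parse_config(text)}
    issues = []
    if ("tls-client" in names or "client" in names) and not (names & SERVER_VERIFY):
        issues.append("no-server-cert-verification")
    return issues


def tls_auth_direction(text):
    """None if tls-auth is absent, 'bi' if no direction is given, else 0 or 1."""
    for name, args in parse_config(text):
        if name == "tls-auth":
            return int(args[1]) if len(args) > 1 else "bi"
    return None


def tls_auth_pair_ok(server_text, client_text):
    s, c = tls_auth_direction(server_text), tls_auth_direction(client_text)
    if s is None or c is None or s == "bi" or c == "bi":
        return s == c            # both absent, or both bidirectional
    return {s, c} == {0, 1}      # key-direction 0 on one end, 1 on the other


def check_key_blob(text):
    """Problems with a pasted static/tls-auth key; [] means the shape is right."""
    issues, inside, hex_lines = [], False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside:
            if HEX_LINE.match(line):
                hex_lines += 1
            else:
                issues.append("bad-hex-line")
        elif line and not line.startswith("#"):
            issues.append("junk-outside-markers")   # '#' comments are allowed
    if hex_lines != 16:
        issues.append("wrong-key-length")
    return issues
```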