Ubuntu CZ/SK Forum
Ubuntu for personal computers => Internet and networks => Topic started by: vyprana_veverka 09 May 2013, 07:35:34
-
Hi,
I'm trying to get an OpenVPN server running on Ubuntu 12 in Ethernet bridge mode, but after starting it the tap interface is not created; it has something to do with script-security. I'm not very experienced with this, so I'd appreciate any advice. For the configuration I used these sources: http://openvpn.net/index.php/open-source/documentation/howto.html , https://help.ubuntu.com/community/OpenVpn
here are the configs and scripts:
server.conf
mode server
tls-server
local 192.168.55.12
management 127.0.0.1 7505
port 1194
proto udp
dev tap
;up "/etc/openvpn/up.sh br0 tap0 1500"
;down "/etc/openvpn/down.sh br0 tap0"
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.55.12 255.255.255.0 192.168.55.100 192.168.55.110
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
--- for now I have the most basic configuration possible there
up.sh
#!/bin/bash
BR=$1    # bridge the tap device is added to (br0)
DEV=$2   # tap device created by OpenVPN (tap0)
MTU=$3   # MTU to set on the tap device
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif "$BR" "$DEV"
down.sh
#!/bin/bash
BR=$1    # bridge the tap device is removed from (br0)
DEV=$2   # tap device created by OpenVPN (tap0)
/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
ifconfig:
br0 Link encap:Ethernet HWaddr 00:24:81:4f:67:ad
inet addr:192.168.55.12 Bcast:192.168.55.255 Mask:255.255.255.0
inet6 addr: fe80::224:81ff:fe4f:67ad/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1242 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:63618 (63.6 KB) TX bytes:5236 (5.2 KB)
eth0 Link encap:Ethernet HWaddr 00:24:81:4f:67:ad
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1242 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:85974 (85.9 KB) TX bytes:5336 (5.3 KB)
Interrupt:22 Memory:e4600000-e4620000
interfaces:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo br0
iface lo inet loopback
iface br0 inet static
address 192.168.55.12
netmask 255.255.255.0
gateway 192.168.55.12
bridge_ports eth0
iface eth0 inet manual
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off
syslog: using the up.sh and down.sh scripts
May 9 07:00:47 david-nbubun ovpn-server[4288]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 8 2012
May 9 07:00:47 david-nbubun ovpn-server[4288]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
May 9 07:00:47 david-nbubun ovpn-server[4288]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
May 9 07:00:47 david-nbubun ovpn-server[4288]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May 9 07:00:47 david-nbubun ovpn-server[4288]: Diffie-Hellman initialized with 1024 bit key
May 9 07:00:47 david-nbubun ovpn-server[4288]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 9 07:00:47 david-nbubun ovpn-server[4288]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May 9 07:00:47 david-nbubun ovpn-server[4288]: TUN/TAP device tap0 opened
May 9 07:00:47 david-nbubun ovpn-server[4288]: TUN/TAP TX queue length set to 100
May 9 07:00:47 david-nbubun ovpn-server[4288]: /etc/openvpn/up.sh br0 tap0 1500 tap0 1500 1574 init
May 9 07:00:47 david-nbubun ovpn-server[4288]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info. <<<<<<<
May 9 07:00:47 david-nbubun ovpn-server[4288]: WARNING: Failed running command (--up/--down): external program fork failed
May 9 07:00:47 david-nbubun ovpn-server[4288]: Exiting
syslog: without using the up.sh and down.sh scripts
May 9 07:27:17 david-nbubun ovpn-server[4866]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 8 2012
May 9 07:27:17 david-nbubun ovpn-server[4866]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
May 9 07:27:17 david-nbubun ovpn-server[4866]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
May 9 07:27:17 david-nbubun ovpn-server[4866]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May 9 07:27:17 david-nbubun ovpn-server[4866]: Diffie-Hellman initialized with 1024 bit key
May 9 07:27:17 david-nbubun ovpn-server[4866]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 9 07:27:17 david-nbubun ovpn-server[4866]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May 9 07:27:17 david-nbubun ovpn-server[4866]: TUN/TAP device tap0 opened
May 9 07:27:17 david-nbubun ovpn-server[4866]: TUN/TAP TX queue length set to 100
May 9 07:27:17 david-nbubun ovpn-server[4866]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
May 9 07:27:17 david-nbubun ovpn-server[4868]: UDPv4 link local (bound): [AF_INET]192.168.55.12:1194
May 9 07:27:17 david-nbubun ovpn-server[4868]: UDPv4 link remote: [undef]
May 9 07:27:17 david-nbubun ovpn-server[4868]: MULTI: multi_init called, r=256 v=256
May 9 07:27:17 david-nbubun ovpn-server[4868]: IFCONFIG POOL: base=192.168.55.100 size=11, ipv6=0
May 9 07:27:17 david-nbubun ovpn-server[4868]: IFCONFIG POOL LIST
May 9 07:27:17 david-nbubun ovpn-server[4868]: Initialization Sequence Completed
---- but the tap interface is not created
When I don't use the up.sh and down.sh scripts in server.conf, the OpenVPN server starts normally and I can get into it through the management console, but the tap interface is not created. I tried both tap and tap0 in the configuration.
If I use the up.sh and down.sh scripts, I see a problem with script-security, which is probably the crux of it.
Thanks for any advice
-
So I modified the up.sh and down.sh scripts a bit; the OpenVPN server does start now, but the tap0 interface is still not created
May 9 10:30:46 david-nbubun ovpn-server[5870]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 8 2012
May 9 10:30:46 david-nbubun ovpn-server[5870]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
May 9 10:30:46 david-nbubun ovpn-server[5870]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
May 9 10:30:46 david-nbubun ovpn-server[5870]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May 9 10:30:46 david-nbubun ovpn-server[5870]: Diffie-Hellman initialized with 1024 bit key
May 9 10:30:46 david-nbubun ovpn-server[5870]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 9 10:30:46 david-nbubun ovpn-server[5870]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May 9 10:30:46 david-nbubun ovpn-server[5870]: TUN/TAP device tap0 opened
May 9 10:30:46 david-nbubun ovpn-server[5870]: TUN/TAP TX queue length set to 100
May 9 10:30:46 david-nbubun ovpn-server[5870]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
May 9 10:30:46 david-nbubun ovpn-server[5872]: UDPv4 link local (bound): [AF_INET]192.168.55.12:1194
May 9 10:30:46 david-nbubun ovpn-server[5872]: UDPv4 link remote: [undef]
May 9 10:30:46 david-nbubun ovpn-server[5872]: MULTI: multi_init called, r=256 v=256
May 9 10:30:46 david-nbubun ovpn-server[5872]: IFCONFIG POOL: base=192.168.55.100 size=11, ipv6=0
May 9 10:30:46 david-nbubun ovpn-server[5872]: IFCONFIG POOL LIST
May 9 10:30:46 david-nbubun ovpn-server[5872]: Initialization Sequence Completed
down.sh
#!/bin/bash
BR=\$1
DEV=\$2
/sbin/brctl delif \$BR \$DEV
/sbin/ip link set "\$DEV" down
EOF
up.sh
#!/bin/bash
BR=\$1
DEV=\$2
MTU=\$3
/sbin/ip link set "\$DEV" up promisc on mtu "\$MTU"
/sbin/brctl addif \$BR \$DEV
EOF
-
For now I've solved the script-security problem. Since version 2.1 you need to put script-security 2 in server.conf if you want to run external commands. I put the value 3 there instead. I found it in the NEWS.Debian document in /usr/share/doc/openvpn, but now I have a different problem with the up.sh script:
root@david-nbubun:/etc/openvpn# service openvpn start
* Starting virtual private network daemon(s)... * Autostarting VPN 'server' Error: argument "$MTU" is wrong: Invalid "mtu" value
interface $DEV does not exist!
root@david-nbubun:/etc/openvpn#
root@david-nbubun:/etc/openvpn# cat up.sh
#!/bin/bash
BR=\$1
DEV=\$2
MTU=\$3
/sbin/ip link set "\$DEV" up promisc on mtu "\$MTU"
/sbin/brctl addif \$BR \$DEV
I don't understand this script much, I admit I copied it. But as I see it, BR, DEV and MTU are input parameters that I have to supply when running the up.sh script. In server.conf I have: up "/etc/openvpn/up.sh br0 tap0 1500". Unless MTU is given in units other than bytes. And "interface $DEV does not exist!" apparently means it still won't create the tap0 interface for me
-
So the problem with the tap interface is solved. It was partly in the syntax. I had to put the parameter script-security 3 into server.conf and correct the up.sh script to this form:
#!/bin/bash
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif $BR $DEV
root@david-nbubun:/etc/openvpn# ifconfig
br0 Link encap:Ethernet HWaddr 00:24:81:4f:67:ad
inet addr:192.168.55.12 Bcast:192.168.55.255 Mask:255.255.255.0
inet6 addr: fe80::224:81ff:fe4f:67ad/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5971 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:305512 (305.5 KB) TX bytes:5349 (5.3 KB)
eth0 Link encap:Ethernet HWaddr 00:24:81:4f:67:ad
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5971 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:412996 (412.9 KB) TX bytes:5475 (5.4 KB)
Interrupt:22 Memory:e4600000-e4620000
tap0 Link encap:Ethernet HWaddr 36:c1:df:64:88:d3
inet6 addr: fe80::34c1:dfff:fe64:88d3/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:5177 (5.1 KB)
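Added example, not from the thread or the OpenVPN project: a POSIX shell lint that checks a server.conf for the two mistakes this thread ran into, up/down scripts configured without a script-security level of 2 or higher, and a copied script whose heredoc-escaped "\$" were never un-escaped (so $1/$2/$3 are not expanded and ip complains about "$MTU"). The sample config files and script names are constructed.

```shell
#!/bin/sh
# Lint an OpenVPN server.conf for the pitfalls seen in this thread:
#  - up/down scripts configured while script-security is below 2
#  - a referenced script that is missing, or that still carries the
#    heredoc-escaped "\$" so $1/$2/$3 are never expanded
# Prints one line per finding and returns the number of findings.
lint_ovpn_conf() {
  conf=$1
  findings=0
  # effective level: last non-comment script-security line wins, 0 if absent
  level=$(awk '$1 == "script-security" { l = $2 } END { print l + 0 }' "$conf")
  # script paths from active up/down lines (";up ..." is a comment and is skipped)
  scripts=$(awk '$1 == "up" || $1 == "down" { p = $2; gsub(/"/, "", p); print p }' "$conf")
  if [ -n "$scripts" ] && [ "$level" -lt 2 ]; then
    echo "$conf: up/down scripts configured but script-security is $level (need 2 or higher)"
    findings=$((findings + 1))
  fi
  for script in $scripts; do
    # relative paths are resolved against the config directory, as with --cd
    case $script in /*) path=$script ;; *) path=$(dirname "$conf")/$script ;; esac
    if [ ! -f "$path" ]; then
      echo "$path: referenced script does not exist"
      findings=$((findings + 1))
    elif grep -q '\\\$' "$path"; then
      echo "$path: contains a literal backslash-dollar, variables will not expand"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}
# Constructed sample (not the poster's files): the thread's broken state,
# no script-security and an up.sh with escaped "\$", next to a fixed state.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/broken.conf" <<'EOF'
dev tap
;up "/etc/openvpn/old.sh br0 tap0 1500"
up "up.sh br0 tap0 1500"
down "down.sh br0 tap0"
EOF
printf '#!/bin/bash\nBR=\\$1\nDEV=\\$2\n/sbin/brctl addif \\$BR \\$DEV\n' > "$demo_dir/up.sh"
cat > "$demo_dir/fixed.conf" <<'EOF'
dev tap
script-security 2
up "fixed_up.sh br0 tap0 1500"
EOF
printf '#!/bin/bash\nBR=$1\nDEV=$2\n/sbin/brctl addif $BR $DEV\n' > "$demo_dir/fixed_up.sh"
lint_ovpn_conf "$demo_dir/broken.conf" || echo "findings: $?"   # expected: 3
```

Running it against the broken config reports the missing script-security line, the escaped variables in up.sh and the absent down.sh; the fixed config produces no findings.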
-
I only saw it just now, but it says so right there:
May 9 07:00:47 david-nbubun ovpn-server[4288]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info. <<<<<<<
^^ ;)
# ps -ef | grep openvpn
root 8248 1 0 May06 ? 00:00:14 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn --script-security 2
-
Hello,
I wanted to ask what you think about OpenVPN 2.3.2 I003.
Are all the bugs ironed out? I'd like to use it cross-platform.
Source code and executables are here: https://sourceforge.net/projects/openvpn232i003nvp/.
Thanks for the replies