Fórum Ubuntu CZ/SK
Ubuntu for personal computers => Internet and networks => Topic started by: vyprana_veverka, 21 May 2013, 14:19:35
-
Hi,
I need some advice regarding a VPN server. I have set up a VPN server in ethernet-bridge mode. I have a client that connects successfully to the VPN server; I can see it in the server log too. Before I start the VPN client I can ping the server without problems, but as soon as I start the client and the connection is established, I can no longer ping either the server or the devices on the LAN on the server side.
The client runs in a virtual machine. The server runs normally on a physical machine.
client log:
May 21 13:32:14 david-VirtualBox ovpn-client[3121]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 8 2012
May 21 13:32:14 david-VirtualBox ovpn-client[3121]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 21 13:32:14 david-VirtualBox ovpn-client[3121]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: LZO compression initialized
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: Control Channel MTU parms [ L:1474 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: Data Channel MTU parms [ L:1474 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: Local Options hash (VER=V4): 'c7d68c77'
May 21 13:32:17 david-VirtualBox ovpn-client[3121]: Expected Remote Options hash (VER=V4): '34f45a4a'
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: UDPv4 link local: [undef]
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: UDPv4 link remote: [AF_INET]192.168.55.12:1194
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: TLS: Initial packet from [AF_INET]192.168.55.12:1194, sid=1fba605e 3e9f36eb
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: VERIFY OK: depth=1, /C=CR/ST=CR/L=MoravskzKrumlov/O=CertAutorita/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: VERIFY OK: depth=0, /C=CR/ST=CR/L=MoravskzKrumlov/O=CertAutorita/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 21 13:32:17 david-VirtualBox ovpn-client[3122]: [changeme] Peer Connection Initiated with [AF_INET]192.168.55.12:1194
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.55.12,ping 10,ping-restart 600,ifconfig 192.168.55.110 255.255.255.0'
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: OPTIONS IMPORT: timers and/or timeouts modified
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: OPTIONS IMPORT: --ifconfig/up options modified
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: OPTIONS IMPORT: route-related options modified
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: WARNING: --remote address [192.168.55.12] conflicts with --ifconfig subnet [192.168.55.110, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: TUN/TAP device tap0 opened
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: TUN/TAP TX queue length set to 100
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: /sbin/ifconfig tap0 192.168.55.110 netmask 255.255.255.0 mtu 1400 broadcast 192.168.55.255
May 21 13:32:20 david-VirtualBox ovpn-client[3122]: Initialization Sequence Completed <<<<<<<<<<<<<<<<<<<<<<
May 21 13:32:23 david-VirtualBox ovpn-client[3122]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNR]: No route to host (code=113)
May 21 13:32:26 david-VirtualBox ovpn-client[3122]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=113) <<<<<<<<<<<<<<<<<
May 21 13:32:30 david-VirtualBox ovpn-client[3122]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=113)
May 21 13:33:33 ovpn-client[3122]: last message repeated 6 times
May 21 13:34:34 ovpn-client[3122]: last message repeated 5 times
May 21 13:35:40 ovpn-client[3122]: last message repeated 5 times
May 21 13:35:40 david-VirtualBox ovpn-client[3122]: event_wait : Interrupted system call (code=4)
May 21 13:35:40 david-VirtualBox ovpn-client[3122]: TCP/UDP: Closing socket
May 21 13:35:40 david-VirtualBox ovpn-client[3122]: Closing TUN/TAP interface
May 21 13:35:40 david-VirtualBox ovpn-client[3122]: /sbin/ifconfig tap0 0.0.0.0
May 21 13:35:40 david-VirtualBox ovpn-client[3122]: SIGTERM[hard,] received, process exiting
routing table before starting the client:
root@david-VirtualBox:/home/david# route -n
Směrovací tabulka v jádru pro IP
Adresát Brána Maska Přízn Metrik Odkaz Užt Rozhraní
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
root@david-VirtualBox:/home/david# service openvpn start
routing table after starting the client:
root@david-VirtualBox:/home/david# route -n
Směrovací tabulka v jádru pro IP
Adresát Brána Maska Přízn Metrik Odkaz Užt Rozhraní
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.55.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
When I run Wireshark on the physical interface in Windows, I do not see any outgoing traffic from the VPN client when I ping. Naturally there are no incoming packets from the client on the server either.
According to the routing table, traffic to the 192.168.55.0 network should be sent through the tap interface to the default gw. In ethernet bridge mode it should not be necessary to set anything on the server side (such as push .....). It looks more like the routing table on the client side needs to be adjusted additionally.
The firewall on the physical client machine is turned off; on the server I set
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
and, to be safe, on the client as well
iptables -A INPUT -i tap0 -j ACCEPT
The subnet on the server side is 192.168.55.0/24, the server is 192.168.55.12, and after connecting the client picks up the address 192.168.55.110.
Thanks for any advice
-
I would try allowing ICMP packets for ping on the FW. Or, better still, temporarily turn off the FW and then try the ping; if it works, then the FW is blocking it.
-
Well, on that client station the firewall is turned off in Windows. On Ubuntu 12 I don't know whether some firewall runs in the default configuration. I have just allowed the rules listed above in iptables to be safe. Is there some firewall other than iptables in Ubuntu 12 by default? In iptables I have the default policies for input, forward and output set to ACCEPT. I can ping the server and the server can ping the client, but when I start the VPN client and it then gets an IP address from the VPN range, so that the client is in the VPN, then I can no longer ping the server, but I can ping the default gateway. That is why I think the problem will be in the routing table, or else in the Ubuntu firewall, but I have that set as I described: on the server it should accept all packets arriving on the br0 and tap0 interfaces.
-
So it is not the firewall. I am adding the log from the server as well:
May 23 14:16:03 david-nbubun ovpn-server[6050]: OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 8 2012
May 23 14:16:03 david-nbubun ovpn-server[6050]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
May 23 14:16:03 david-nbubun ovpn-server[6050]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
May 23 14:16:03 david-nbubun ovpn-server[6050]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 23 14:16:03 david-nbubun ovpn-server[6050]: Diffie-Hellman initialized with 1024 bit key
May 23 14:16:03 david-nbubun ovpn-server[6050]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
May 23 14:16:03 david-nbubun ovpn-server[6050]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 23 14:16:03 david-nbubun ovpn-server[6050]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 23 14:16:03 david-nbubun ovpn-server[6050]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
May 23 14:16:03 david-nbubun ovpn-server[6050]: TLS-Auth MTU parms [ L:1474 D:166 EF:66 EB:0 ET:0 EL:0 ]
May 23 14:16:03 david-nbubun ovpn-server[6050]: Socket Buffers: R=[163840->131072] S=[163840->131072]
May 23 14:16:03 david-nbubun ovpn-server[6050]: TUN/TAP device tap0 opened
May 23 14:16:03 david-nbubun ovpn-server[6050]: TUN/TAP TX queue length set to 100
May 23 14:16:03 david-nbubun ovpn-server[6050]: /etc/openvpn/up.sh br0 tap0 1500 tap0 1400 1474 init
May 23 14:16:03 david-nbubun ovpn-server[6050]: Data Channel MTU parms [ L:1474 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
May 23 14:16:03 david-nbubun ovpn-server[6065]: UDPv4 link local (bound): [undef]
May 23 14:16:03 david-nbubun ovpn-server[6065]: UDPv4 link remote: [undef]
May 23 14:16:03 david-nbubun ovpn-server[6065]: MULTI: multi_init called, r=256 v=256
May 23 14:16:03 david-nbubun ovpn-server[6065]: IFCONFIG POOL: base=192.168.55.110 size=41, ipv6=0
May 23 14:16:03 david-nbubun ovpn-server[6065]: ifconfig_pool_read(), in='client2,192.168.55.110', TODO: IPv6
May 23 14:16:03 david-nbubun ovpn-server[6065]: succeeded -> ifconfig_pool_set()
May 23 14:16:03 david-nbubun ovpn-server[6065]: ifconfig_pool_read(), in='client1,192.168.55.111', TODO: IPv6
May 23 14:16:03 david-nbubun ovpn-server[6065]: succeeded -> ifconfig_pool_set()
May 23 14:16:03 david-nbubun ovpn-server[6065]: IFCONFIG POOL LIST
May 23 14:16:03 david-nbubun ovpn-server[6065]: client2,192.168.55.110
May 23 14:16:03 david-nbubun ovpn-server[6065]: client1,192.168.55.111
May 23 14:16:03 david-nbubun ovpn-server[6065]: Initialization Sequence Completed
May 23 14:16:27 david-nbubun ovpn-server[6065]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:7505
May 23 14:16:31 david-nbubun ovpn-server[6065]: MULTI: multi_create_instance called
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Re-using SSL/TLS context
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 LZO compression initialized
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Control Channel MTU parms [ L:1474 D:166 EF:66 EB:0 ET:0 EL:0 ]
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Data Channel MTU parms [ L:1474 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Local Options hash (VER=V4): 'a6e8344b'
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Expected Remote Options hash (VER=V4): 'd185e991'
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 TLS: Initial packet from [AF_INET]10.0.88.12:53436, sid=1dd617d7 a03812b8
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 VERIFY OK: depth=1, /C=CR/ST=CR/L=MoravskyKrumlov/O=CertAutorita/OU=changeme/CN=openVPN-CA/name=changeme/emailAddress=david.malysz@jednotamk.cz
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 VERIFY OK: depth=0, /C=CR/ST=CR/L=MoravskyKrumlov/O=CertAutorita/OU=changeme/CN=client1/name=changeme/emailAddress=david.malysz@jednotamk.cz
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 23 14:16:31 david-nbubun ovpn-server[6065]: 10.0.88.12:53436 [client1] Peer Connection Initiated with [AF_INET]10.0.88.12:53436
May 23 14:16:31 david-nbubun ovpn-server[6065]: client1/10.0.88.12:53436 MULTI_sva: pool returned IPv4=192.168.55.111, IPv6=146a:76b7:240a:8cbf:80d:8cbf:88fc:2fb9
May 23 14:16:33 david-nbubun ovpn-server[6065]: client1/10.0.88.12:53436 PUSH: Received control message: 'PUSH_REQUEST'
May 23 14:16:33 david-nbubun ovpn-server[6065]: client1/10.0.88.12:53436 send_push_reply(): safe_cap=960
May 23 14:16:33 david-nbubun ovpn-server[6065]: client1/10.0.88.12:53436 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 192.168.55.12,ping 10,ping-restart 60,ifconfi:
May 23 14:18:33 david-nbubun ovpn-server[6065]: client1/10.0.88.12:53436 [client1] Inactivity timeout (--ping-restart), restarting
May 23 14:18:33 david-nbubun ovpn-server[6065]: client1/10.0.88.12:53436 SIGUSR1[soft,ping-restart] received, client-instance restarting
You can see that everything goes fine, but in the end it drops the client because it does not receive the ping (keepalive) from it.
routing table on the server:
root@david-nbubun:/etc/openvpn# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.55.1 0.0.0.0 UG 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 br0
192.168.55.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
root@david-nbubun:/etc/openvpn#
Could it perhaps be that the virtual machine (in which the client runs) has a problem with the virtual tap0 interface?
-
Does nobody have any suggestion as to what could be causing the problem? Doesn't Ubuntu 12 have some software firewall or some security feature that prevents using virtual interfaces? Which direction should I take?
-
OK, once again, this looks strange.
You connect to the server on an IP that is at the same time in the VPN range and in the range you connect to it from? That probably won't work ... it needs two independent ones; how else would the poor client know when it should go through the VPN and when the normal way?
-
Thanks for the remark. Apparently the reason may be that the server has one NIC, and the IP on which it listens is at the same time in the VPN range. The client is in the 10.0.88.0/24 range and the server has one NIC and is in the 192.168.55.0/24 range. At the moment I have it in a test setup before I implement it in production. So I did not deal with NAT and forwarding, because I have only one router between the client and the server. So a possible solution is to put two NICs in the server, one with a public IP and one towards the private LAN, or to set up NAT and forwarding on the router. I will try it and let you know
Thanks for now
-
So the problem is solved: I put the server behind NAT and enabled forwarding on port 1194. I readdressed the IP on the server (subnet 10.10.10.0/24, server 10.10.10.1). On the router I set 192.168.55.12 on the WAN interface. And now it works. The routing table on the client stayed the same, but the client could not swallow that the server's IP is from the VPN range. The mistake was in the wiring; for testing I simplified the setup too much.
Thanks to Petr Merlin Vaněček
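The failure the thread ends up diagnosing can be checked mechanically: after the tunnel comes up, the pushed ifconfig subnet lands on tap0, and a longest-prefix lookup then sends the tunnel's own UDP endpoint into the tunnel, which is why the client saw "No route to host" and the server saw only a keepalive timeout. The script below is an added example (not code from the thread or from OpenVPN) that parses the client's route -n output and the PUSH_REPLY quoted in the opening post and reports whether the --remote address would be routed back through the tunnel interface; the sample texts are copied from the thread, and tap0 as the tunnel interface name is taken from the logs.

```python
import ipaddress

# Client "route -n" output after "service openvpn start", as quoted in the opening
# post (the header is in Czech there because of the client's locale).
ROUTE_N_AFTER = """\
Směrovací tabulka v jádru pro IP
Adresát Brána Maska Přízn Metrik Odkaz Užt Rozhraní
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.55.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
"""
# PUSH_REPLY received by the client, as quoted in the client log.
PUSH_REPLY = ("PUSH_REPLY,route-gateway 192.168.55.12,ping 10,ping-restart 600,"
              "ifconfig 192.168.55.110 255.255.255.0")

def parse_route_n(text):
    """Return (network, gateway, iface) tuples; header lines in any locale are skipped
    because their first column is not an address."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 8:
            continue
        try:
            net = ipaddress.IPv4Network(f"{p[0]}/{p[2]}")  # Destination/Genmask
        except ValueError:
            continue
        routes.append((net, p[1], p[7]))
    return routes

def parse_push_reply(msg):
    """Split 'PUSH_REPLY,opt val,...' into {opt: val}."""
    return dict(item.partition(" ")[::2] for item in msg.split(",")[1:])

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns (iface, gateway) or None."""
    dst = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best and (best[2], best[1])

def endpoint_conflict(route_text, push_reply, remote, tunnel_iface="tap0"):
    """Flag the case OpenVPN warns about: --remote inside the --ifconfig subnet AND
    actually routed via the tunnel interface, so tunnel packets chase their own tail."""
    addr, mask = parse_push_reply(push_reply)["ifconfig"].split()
    subnet = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    hit = lookup(parse_route_n(route_text), remote)
    in_subnet = ipaddress.IPv4Address(remote) in subnet
    via_tunnel = hit is not None and hit[0] == tunnel_iface
    return {"remote_in_ifconfig_subnet": in_subnet, "routed_via": hit,
            "conflict": in_subnet and via_tunnel}
```

Running endpoint_conflict(ROUTE_N_AFTER, PUSH_REPLY, "192.168.55.12") reports the conflict; with the thread's final layout (VPN subnet 10.10.10.0/24, server still reached at 192.168.55.12) the endpoint falls back to the eth0 default route and the check passes.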