OVPN

[Jester1]

Настроил OVPN на VPS.Подключение к VPN есть, но при этом не один сайт не грузится.

конфиг сервера

(Нажмите, чтобы показать/скрыть)

port 1194
proto udp
dev tun
ca ca.crt
cert ServerV4.crt
key ServerV4.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 10.0.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
client-config-dir ccd
status ServerV4-status.log
log /var/log/ServerV4.log
comp-lzo
verb 4
sndbuf 0
rcvbuf 0
push "redirect-gateway def1"
push "dhcp-options DNS 8.8.8.8"

конфиг клиента

(Нажмите, чтобы показать/скрыть)

client
dev tun
proto udp
remote 188.225.86.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user1.crt
key user1.key
tls-auth ta.key 1
cipher AES-256-CBC
ns-cert-type server
comp-lzo
log /var/log/user1.log
verb 3
sndbuf 0
rcvbuf 0

лог сервеар после подключения

(Нажмите, чтобы показать/скрыть)

Sun Dec 10 00:32:15 2017 us=591887 MULTI: multi_create_instance called
Sun Dec 10 00:32:15 2017 us=592072 93.185.19.126:12452 Re-using SSL/TLS context
Sun Dec 10 00:32:15 2017 us=592152 93.185.19.126:12452 LZO compression initialized
Sun Dec 10 00:32:15 2017 us=592461 93.185.19.126:12452 Control Channel MTU parms [ L:1558 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sun Dec 10 00:32:15 2017 us=592483 93.185.19.126:12452 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Dec 10 00:32:15 2017 us=592528 93.185.19.126:12452 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,com$
Sun Dec 10 00:32:15 2017 us=592547 93.185.19.126:12452 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto$
Sun Dec 10 00:32:15 2017 us=592592 93.185.19.126:12452 Local Options hash (VER=V4): '162b04de'
Sun Dec 10 00:32:15 2017 us=592609 93.185.19.126:12452 Expected Remote Options hash (VER=V4): '9e7066d2'
Sun Dec 10 00:32:15 2017 us=592677 93.185.19.126:12452 TLS: Initial packet from [AF_INET]93.185.19.126:12452, sid=72fb7b09 65184370
Sun Dec 10 00:32:15 2017 us=810256 93.185.19.126:12452 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizatio$
Sun Dec 10 00:32:15 2017 us=810634 93.185.19.126:12452 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizatio$
Sun Dec 10 00:32:15 2017 us=911201 93.185.19.126:12452 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 10 00:32:15 2017 us=911328 93.185.19.126:12452 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 00:32:15 2017 us=911356 93.185.19.126:12452 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 10 00:32:15 2017 us=911378 93.185.19.126:12452 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 00:32:15 2017 us=982826 93.185.19.126:12452 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit $
Sun Dec 10 00:32:15 2017 us=982992 93.185.19.126:12452 [user1] Peer Connection Initiated with [AF_INET]93.185.19.126:12452
Sun Dec 10 00:32:15 2017 us=993765 user1/93.185.19.126:12452 MULTI_sva: pool returned IPv4=10.0.0.6, IPv6=(Not enabled)
Sun Dec 10 00:32:15 2017 us=993932 user1/93.185.19.126:12452 MULTI: Learn: 10.0.0.6 -> user1/93.185.19.126:12452
Sun Dec 10 00:32:15 2017 us=993960 user1/93.185.19.126:12452 MULTI: primary virtual IP for user1/93.185.19.126:12452: 10.0.0.6
Sun Dec 10 00:32:17 2017 us=106462 user1/93.185.19.126:12452 PUSH: Received control message: 'PUSH_REQUEST'
Sun Dec 10 00:32:17 2017 us=114716 user1/93.185.19.126:12452 send_push_reply(): safe_cap=940
Sun Dec 10 00:32:17 2017 us=114830 user1/93.185.19.126:12452 SENT CONTROL [user1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-options DNS 8.$
Sun Dec 10 00:32:18 2017 us=319710 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:32:18 2017 us=320035 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:32:18 2017 us=320315 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:32:18 2017 us=320376 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:32:18 2017 us=474072 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:32:18 2017 us=474248 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:32:18 2017 us=477993 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:32:18 2017 us=650584 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped
Sun Dec 10 00:34:59 2017 us=643663 user1/93.185.19.126:12452 PID_ERR replay-window backtrack occurred [108] [SSL-0] [1111111112222222222$
Sun Dec 10 00:34:59 2017 us=643770 user1/93.185.19.126:12452 PID_ERR large diff [108] [SSL-0] [11111111122222222222222222222222222222223$

Sun Dec 10 00:34:59 2017 us=643785 user1/93.185.19.126:12452 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3050$
Sun Dec 10 00:36:34 2017 us=990236 user1/93.185.19.126:12452 MULTI: bad source address from client [192.168.0.42], packet dropped

лог клиента после подключения

(Нажмите, чтобы показать/скрыть)

  GNU nano 2.7.4                                                       Файл: user1.log                                                               

Sun Dec 10 03:32:15 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Sun Dec 10 03:32:15 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Sun Dec 10 03:32:15 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 03:32:15 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 03:32:15 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]188.225.86.21:1194
Sun Dec 10 03:32:15 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Dec 10 03:32:15 2017 UDP link local: (not bound)
Sun Dec 10 03:32:15 2017 UDP link remote: [AF_INET]188.225.86.21:1194
Sun Dec 10 03:32:15 2017 TLS: Initial packet from [AF_INET]188.225.86.21:1194, sid=8d22d23b ad81e46e
Sun Dec 10 03:32:15 2017 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, $
Sun Dec 10 03:32:15 2017 VERIFY OK: nsCertType=SERVER
Sun Dec 10 03:32:15 2017 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=ServerV4, name=EasyRSA, emailAd$
Sun Dec 10 03:32:15 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Dec 10 03:32:15 2017 [ServerV4] Peer Connection Initiated with [AF_INET]188.225.86.21:1194
Sun Dec 10 03:32:17 2017 SENT CONTROL [ServerV4]: 'PUSH_REQUEST' (status=1)
Sun Dec 10 03:32:17 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-options DNS 8.8.8.8,route 10.0.0.1,topology net30,pin$
Sun Dec 10 03:32:17 2017 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: dhcp-options (2.4.0)
Sun Dec 10 03:32:17 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec 10 03:32:17 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec 10 03:32:17 2017 OPTIONS IMPORT: route options modified
Sun Dec 10 03:32:17 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 10 03:32:17 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 03:32:17 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 10 03:32:17 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 03:32:17 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp3s0 HWADDR=2c:d0:5a:3f:89:f4
Sun Dec 10 03:32:17 2017 TUN/TAP device tun0 opened
Sun Dec 10 03:32:17 2017 TUN/TAP TX queue length set to 100
Sun Dec 10 03:32:17 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Dec 10 03:32:17 2017 /sbin/ip link set dev tun0 up mtu 1500
Sun Dec 10 03:32:17 2017 /sbin/ip addr add dev tun0 local 10.0.0.6 peer 10.0.0.5
Sun Dec 10 03:32:17 2017 /sbin/ip route add 188.225.86.21/32 via 192.168.0.1
Sun Dec 10 03:32:17 2017 /sbin/ip route add 0.0.0.0/1 via 10.0.0.5

iptables save

(Нажмите, чтобы показать/скрыть)

# Generated by iptables-save v1.6.0 on Sun Dec 10 00:49:00 2017
*nat
:PREROUTING ACCEPT [3429781:4575918694]
:INPUT ACCEPT [3055:277396]
:OUTPUT ACCEPT [12:896]
:POSTROUTING ACCEPT [12:896]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 10 00:49:00 2017

[fisher74]

Код: [Выделить]

ip a; ip rс каждого из участников OVPN

[MooSE]

Подозреваю что в /etc/sysctl.conf надо добавить строку:

Код: [Выделить]

net.ipv4.ip_forward = 1

И применить эти изменения:

Код: [Выделить]

sysctl -p


[Jester1]

ip a;ip r клиента

(Нажмите, чтобы показать/скрыть)

root@debian:/home/alexandr# ip a;ip r
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 20:89:84:5a:01:93 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 2c:d0:5a:3f:89:f4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.42/24 brd 192.168.0.255 scope global dynamic wlp3s0
       valid_lft 85797sec preferred_lft 85797sec
    inet6 fe80::2ed0:5aff:fe3f:89f4/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.0.0.6 peer 10.0.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::7cc5:5f21:34e5:8fd2/64 scope link flags 800
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.0.0.5 dev tun0
default via 192.168.0.1 dev wlp3s0 proto static metric 600
10.0.0.1 via 10.0.0.5 dev tun0
10.0.0.5 dev tun0 proto kernel scope link src 10.0.0.6
128.0.0.0/1 via 10.0.0.5 dev tun0
169.254.0.0/16 dev wlp3s0 scope link metric 1000
188.225.86.21 via 192.168.0.1 dev wlp3s0
192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.42 metric 600

ip a;ip r сервера

(Нажмите, чтобы показать/скрыть)

root@88828:~# ip a;ip r
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:d6:41:92 brd ff:ff:ff:ff:ff:ff
    inet 188.225.86.21/24 brd 188.225.86.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fed6:4192/64 scope link
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.0.0.1 peer 10.0.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
default via 188.225.86.1 dev eth0
10.0.0.0/24 via 10.0.0.2 dev tun0
10.0.0.2 dev tun0  proto kernel  scope link  src 10.0.0.1
188.225.86.0/24 dev eth0  proto kernel  scope link  src 188.225.86.21

Пользователь добавил сообщение 10 Декабря 2017, 16:50:14:net.ipv4.ip_forward = 1

Это уже было добавлено.

[fisher74]

Вот судя по выхлопам, вроде всё ОК. Но tracepath у ТС настойчиво лезет мимо туннеля.

Jester1, покажите как выглядит tracepath до какого-либо сервиса в интернете.
Желательно одновременно с ip r клиента

[Jester1]

tracepath

(Нажмите, чтобы показать/скрыть)

root@88828:~# tracepath www.youtube.com
 1?: [LOCALHOST]                                         pmtu 1500
 1:  5.23.48.1                                             5.502ms
 1:  5.23.48.1                                            13.180ms
 2:  bm18-1-gw.spb.runnet.ru                               0.404ms
 3:  spb-bm18-2-gw.runnet.ru                               1.036ms
 4:  msk-m9-1-gw.runnet.ru                                12.115ms
 5:  no reply
 6:  no reply
 7:  no reply
 8:  no reply
 9:  no reply
10:  no reply
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
     Too many hops: pmtu 1500
     Resume: pmtu 1500

ip r клиента

(Нажмите, чтобы показать/скрыть)

root@debian:/home/alexandr/openvpnuser# ip r
default via 192.168.0.1 dev wlp3s0 proto static metric 600
10.0.0.1 via 10.0.0.5 dev tun0
10.0.0.5 dev tun0 proto kernel scope link src 10.0.0.6
169.254.0.0/16 dev wlp3s0 scope link metric 1000
192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.42 metric 600[/soiler]

[fisher74]

А ну вот он у Вас опять упал (я про туннель)

[Jester1]

И в чем проблема?

[AnrDaemon]

В маршруте до VPN сервера, вероятно.

[fisher74]

Он там есть, сами смотрите

ххх.ууу.86.21 via 192.168.0.1 dev wlp3s0