Good day, dear forum members.
I've been fighting with OpenVPN for the second night now, with no result. But let me start with a short introduction.
About six months ago I got my hands on a free VPS on CentOS for a couple of weeks. I wanted to try a lot of things on it, including a VPN.
I found a good guide, there are plenty of them online. Everything worked, I was pleased with myself, skill acquired, guide bookmarked.
Over the holidays I decided to set up my own VPN for personal needs. I rented a VPS with CentOS 6. I also got the OpenVPN daemon up fairly quickly. The client is a laptop with Xubuntu 14.04.
The client settings are in place. And the exciting moment arrives: I start the OpenVPN client :)
No errors in the logs, already a good sign. The tun interface came up, and the ssh connection to the server didn't even drop.
I decided to check which IP 2ip.ru would show me, but the page didn't load. Well now, I thought, I ping the four eights and get silence in reply. And the
route command returns nothing. But I remember that before, everything came up without any dancing with a tambourine. Googling didn't turn up anything either (though I don't rule out that I google badly at night :)). So I'm turning to you for help.
So as not to torment the telepaths, I'll try to attach all the necessary information.
server config:
port 443
local xxx.xx.xx.xx
proto tcp
dev tun0
server 10.10.10.0 255.255.255.0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh4096.pem
tls-auth keys/tls.key 0
cipher AES-256-CBC
user nobody
group nobody
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 10
max-clients 10
keepalive 12 120
tls-server
comp-lzo
iptables:
*nat
:PREROUTING ACCEPT [6615:448563]
:POSTROUTING ACCEPT [212:15390]
:OUTPUT ACCEPT [212:15390]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j SNAT --to-source xxx.xx.xx.xx
COMMIT
# Completed on Fri Jan 15 00:44:10 2016
# Generated by iptables-save v1.4.7 on Fri Jan 15 00:44:10 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6119:813113]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
client config:
client
remote xxx.xx.xx.xx 443
proto tcp
dhcp-option DNS 8.8.8.8
redirect-gateway def1
cipher AES-256-CBC
ca client/ca.crt
cert client/client.crt
key client/client.key
tls-auth client/tls.key 1
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
mute 20
client log:
Fri Jan 15 02:02:04 2016 us=93988 Current Parameter Settings:
Fri Jan 15 02:02:04 2016 us=94295 config = 'client.ovpn'
Fri Jan 15 02:02:04 2016 us=94358 mode = 0
Fri Jan 15 02:02:04 2016 us=94406 persist_config = DISABLED
Fri Jan 15 02:02:04 2016 us=94450 persist_mode = 1
Fri Jan 15 02:02:04 2016 us=94491 show_ciphers = DISABLED
Fri Jan 15 02:02:04 2016 us=94533 show_digests = DISABLED
Fri Jan 15 02:02:04 2016 us=94578 show_engines = DISABLED
Fri Jan 15 02:02:04 2016 us=94619 genkey = DISABLED
Fri Jan 15 02:02:04 2016 us=94668 key_pass_file = '[UNDEF]'
Fri Jan 15 02:02:04 2016 us=94723 show_tls_ciphers = DISABLED
Fri Jan 15 02:02:04 2016 us=94779 Connection profiles [default]:
Fri Jan 15 02:02:04 2016 us=94834 proto = tcp-client
Fri Jan 15 02:02:04 2016 us=94887 local = '[UNDEF]'
Fri Jan 15 02:02:04 2016 us=94941 local_port = 0
Fri Jan 15 02:02:04 2016 us=94994 remote = 'xxx.xx.xx.xx'
Fri Jan 15 02:02:04 2016 us=95049 remote_port = 443
Fri Jan 15 02:02:04 2016 us=95103 remote_float = DISABLED
Fri Jan 15 02:02:04 2016 us=95156 bind_defined = DISABLED
Fri Jan 15 02:02:04 2016 us=95209 bind_local = DISABLED
Fri Jan 15 02:02:04 2016 us=95262 NOTE: --mute triggered...
Fri Jan 15 02:02:04 2016 us=95357 256 variation(s) on previous 20 message(s) suppressed by --mute
Fri Jan 15 02:02:04 2016 us=95425 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Fri Jan 15 02:02:04 2016 us=97571 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Jan 15 02:02:04 2016 us=100033 Control Channel Authentication: using 'client/tls.key' as a OpenVPN static key file
Fri Jan 15 02:02:04 2016 us=100164 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 15 02:02:04 2016 us=100234 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 15 02:02:04 2016 us=100339 LZO compression initialized
Fri Jan 15 02:02:04 2016 us=100600 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Fri Jan 15 02:02:04 2016 us=100907 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Jan 15 02:02:04 2016 us=101034 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jan 15 02:02:04 2016 us=101136 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Fri Jan 15 02:02:04 2016 us=101194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri Jan 15 02:02:04 2016 us=101281 Local Options hash (VER=V4): '2f2c6498'
Fri Jan 15 02:02:04 2016 us=102478 Expected Remote Options hash (VER=V4): '9915e4a2'
Fri Jan 15 02:02:04 2016 us=102656 Attempting to establish TCP connection with [AF_INET]xxx.xx.xx.xx:443 [nonblock]
Fri Jan 15 02:02:05 2016 us=103099 TCP connection established with [AF_INET]xxx.xx.xx.xx:443
Fri Jan 15 02:02:05 2016 us=103211 TCPv4_CLIENT link local: [undef]
Fri Jan 15 02:02:05 2016 us=103242 TCPv4_CLIENT link remote: [AF_INET]xxx.xx.xx.xx:443
Fri Jan 15 02:02:05 2016 us=158105 TLS: Initial packet from [AF_INET]xxx.xx.xx.xx:443, sid=a05b9fb2 76befa8b
Fri Jan 15 02:02:05 2016 us=703002 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=RSA, emailAddress=me@myhost.mydomain
Fri Jan 15 02:02:05 2016 us=705134 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=RSA, emailAddress=me@myhost.mydomain
Fri Jan 15 02:02:08 2016 us=310721 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jan 15 02:02:08 2016 us=310841 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 15 02:02:08 2016 us=310875 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jan 15 02:02:08 2016 us=310906 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 15 02:02:08 2016 us=311075 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Fri Jan 15 02:02:08 2016 us=311138 [server] Peer Connection Initiated with [AF_INET]185.87.49.67:443
Fri Jan 15 02:02:10 2016 us=819423 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jan 15 02:02:10 2016 us=946704 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 10.10.10.1,topology net30,ping 12,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5'
Fri Jan 15 02:02:10 2016 us=947029 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jan 15 02:02:10 2016 us=947130 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jan 15 02:02:10 2016 us=947170 OPTIONS IMPORT: route options modified
Fri Jan 15 02:02:10 2016 us=947207 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jan 15 02:02:10 2016 us=947714 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=aa:bb:cc:dd:ee:ff
Fri Jan 15 02:02:10 2016 us=949208 TUN/TAP device tun0 opened
Fri Jan 15 02:02:10 2016 us=949386 TUN/TAP TX queue length set to 100
Fri Jan 15 02:02:10 2016 us=949495 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jan 15 02:02:10 2016 us=949670 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 15 02:02:10 2016 us=971556 /sbin/ip addr add dev tun0 local 10.10.10.6 peer 10.10.10.5
Fri Jan 15 02:02:10 2016 us=984918 /sbin/ip route add xxx.xx.xx.xx/32 via 192.168.1.1
Fri Jan 15 02:02:10 2016 us=994721 /sbin/ip route add 0.0.0.0/1 via 10.10.10.5
Fri Jan 15 02:02:11 2016 us=1917 /sbin/ip route add 128.0.0.0/1 via 10.10.10.5
Fri Jan 15 02:02:11 2016 us=9336 /sbin/ip route add 10.10.10.1/32 via 10.10.10.5
Fri Jan 15 02:02:11 2016 us=26098 Initialization Sequence Completed
I decided to look at other configs, at least a client one. I registered on a well-known VPN service and got a trial config. I didn't find anything seditious in it, but the routes got set up! :) So it turns out the problem is in the server settings.
client config from the popular service:
client
remote 164.138.220.49 443
proto tcp
dhcp-option DNS 8.8.8.8
redirect-gateway def1
ca in_ca.crt
cert in_7216642.crt
key in_7216642.key
ns-cert-type server
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
mute 20
client log:
Fri Jan 15 02:09:41 2016 us=350198 Current Parameter Settings:
Fri Jan 15 02:09:41 2016 us=350468 config = 'Bulgaria, Sofia.ovpn'
Fri Jan 15 02:09:41 2016 us=350535 mode = 0
Fri Jan 15 02:09:41 2016 us=350594 persist_config = DISABLED
Fri Jan 15 02:09:41 2016 us=350652 persist_mode = 1
Fri Jan 15 02:09:41 2016 us=350708 show_ciphers = DISABLED
Fri Jan 15 02:09:41 2016 us=350762 show_digests = DISABLED
Fri Jan 15 02:09:41 2016 us=350817 show_engines = DISABLED
Fri Jan 15 02:09:41 2016 us=350871 genkey = DISABLED
Fri Jan 15 02:09:41 2016 us=350925 key_pass_file = '[UNDEF]'
Fri Jan 15 02:09:41 2016 us=350981 show_tls_ciphers = DISABLED
Fri Jan 15 02:09:41 2016 us=351035 Connection profiles [default]:
Fri Jan 15 02:09:41 2016 us=351091 proto = tcp-client
Fri Jan 15 02:09:41 2016 us=351146 local = '[UNDEF]'
Fri Jan 15 02:09:41 2016 us=351199 local_port = 0
Fri Jan 15 02:09:41 2016 us=351254 remote = '164.138.220.49'
Fri Jan 15 02:09:41 2016 us=351309 remote_port = 443
Fri Jan 15 02:09:41 2016 us=351363 remote_float = DISABLED
Fri Jan 15 02:09:41 2016 us=351416 bind_defined = DISABLED
Fri Jan 15 02:09:41 2016 us=351469 bind_local = DISABLED
Fri Jan 15 02:09:41 2016 us=351524 NOTE: --mute triggered...
Fri Jan 15 02:09:41 2016 us=351612 256 variation(s) on previous 20 message(s) suppressed by --mute
Fri Jan 15 02:09:41 2016 us=351683 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Fri Jan 15 02:09:41 2016 us=439245 WARNING: file 'in_7216642.key' is group or others accessible
Fri Jan 15 02:09:41 2016 us=451356 LZO compression initialized
Fri Jan 15 02:09:41 2016 us=451714 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jan 15 02:09:41 2016 us=451873 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Jan 15 02:09:41 2016 us=451968 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jan 15 02:09:41 2016 us=452047 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Jan 15 02:09:41 2016 us=452089 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Jan 15 02:09:41 2016 us=452166 Local Options hash (VER=V4): '31fdf004'
Fri Jan 15 02:09:41 2016 us=452232 Expected Remote Options hash (VER=V4): '3e6d1056'
Fri Jan 15 02:09:41 2016 us=452329 Attempting to establish TCP connection with [AF_INET]164.138.220.49:443 [nonblock]
Fri Jan 15 02:09:42 2016 us=452762 TCP connection established with [AF_INET]164.138.220.49:443
Fri Jan 15 02:09:42 2016 us=452905 TCPv4_CLIENT link local: [undef]
Fri Jan 15 02:09:42 2016 us=452955 TCPv4_CLIENT link remote: [AF_INET]164.138.220.49:443
Fri Jan 15 02:09:42 2016 us=571677 TLS: Initial packet from [AF_INET]164.138.220.49:443, sid=9087a25a ff7de7b2
Fri Jan 15 02:09:44 2016 us=791642 VERIFY OK: depth=1, C=DE, ST=Bayern, L=Gunzenhausen, O=HideME, CN=HideME CA, emailAddress=feedback@hideme.ru
Fri Jan 15 02:09:44 2016 us=792470 VERIFY OK: nsCertType=SERVER
Fri Jan 15 02:09:44 2016 us=792520 VERIFY OK: depth=0, C=DE, ST=Bayern, L=Gunzenhausen, O=HideME, CN=server, emailAddress=feedback@hideme.ru
Fri Jan 15 02:09:49 2016 us=477231 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jan 15 02:09:49 2016 us=477362 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 15 02:09:49 2016 us=477512 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jan 15 02:09:49 2016 us=477554 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 15 02:09:49 2016 us=477713 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Jan 15 02:09:49 2016 us=477791 [server] Peer Connection Initiated with [AF_INET]164.138.220.49:443
Fri Jan 15 02:09:51 2016 us=548324 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jan 15 02:09:51 2016 us=961797 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.102.0.1,ping 10,ping-restart 30,ifconfig 10.102.34.89 255.224.0.0'
Fri Jan 15 02:09:51 2016 us=962024 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jan 15 02:09:51 2016 us=962063 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jan 15 02:09:51 2016 us=962094 OPTIONS IMPORT: route-related options modified
Fri Jan 15 02:09:51 2016 us=962585 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=e0:06:e6:3e:42:ef
Fri Jan 15 02:09:51 2016 us=963328 TUN/TAP device tap0 opened
Fri Jan 15 02:09:51 2016 us=963401 TUN/TAP TX queue length set to 100
Fri Jan 15 02:09:51 2016 us=963463 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jan 15 02:09:51 2016 us=963538 /sbin/ip link set dev tap0 up mtu 1500
Fri Jan 15 02:09:51 2016 us=981106 /sbin/ip addr add dev tap0 10.102.34.89/11 broadcast 10.127.255.255
Fri Jan 15 02:09:52 2016 us=7098 /sbin/ip route add 164.138.220.49/32 via 192.168.1.1
Fri Jan 15 02:09:52 2016 us=10370 /sbin/ip route add 0.0.0.0/1 via 10.102.0.1
Fri Jan 15 02:09:52 2016 us=21317 /sbin/ip route add 128.0.0.0/1 via 10.102.0.1
Fri Jan 15 02:09:52 2016 us=28752 Initialization Sequence Completed
route:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.102.0.1      128.0.0.0       UG    0      0        0 tap0
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.96.0.0       *               255.224.0.0     U     0      0        0 tap0
128.0.0.0       10.102.0.1      128.0.0.0       UG    0      0        0 tap0
host-164-138-22 192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     9      0        0 wlan0
P.S. I changed tun to tap, but to no avail.
P.P.S. If something is wrong, please forgive me, the last time I posted on a forum was back in school :)
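An added check for the server side of the setup posted above (my example, not the author's or OpenVPN's own code): it parses an iptables-save dump like the one in the post and reports whether the filter FORWARD chain accepts the VPN subnet before the catch-all REJECT, and whether nat POSTROUTING SNATs or masquerades it. The interface names tun0/eth0 and the "fixed" ruleset are my assumptions; net.ipv4.ip_forward=1 is a separate prerequisite the script does not check.

```shell
#!/bin/sh
# Constructed sample: the filter/nat rules from the post, trimmed
# (xxx.xx.xx.xx is the author's placeholder for the server address).
POST_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j SNAT --to-source xxx.xx.xx.xx
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Assumed fix: an explicit allow for the VPN subnet placed BEFORE the
# catch-all REJECT in FORWARD (tun0 -> eth0 is an assumption).
FIXED_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -s 10.10.10.0/24 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# vpn_forward_ok RULES NET: exit 0 if filter/FORWARD has "-j ACCEPT" for
# "-s NET" before any catch-all REJECT/DROP (no -s/-i match), else 1.
vpn_forward_ok() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^\*/ { table = substr($0, 2) }
        table != "filter" || $1 != "-A" || $2 != "FORWARD" { next }
        /-j ACCEPT/ && index($0, "-s " net) { found = 1; exit }
        /-j (REJECT|DROP)/ && !/ -s / && !/ -i / { exit }
        END { exit !found }'
}

# vpn_nat_ok RULES NET: exit 0 if nat/POSTROUTING SNATs or MASQUERADEs NET.
vpn_nat_ok() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" &&
            index($0, "-s " net) && /-j (SNAT|MASQUERADE)/ { ok = 1 }
        END { exit !ok }'
}

# On the live server (as root): vpn_forward_ok "$(iptables-save)" 10.10.10.0/24
vpn_nat_ok "$POST_RULES" 10.10.10.0/24 && echo "nat: SNAT present for 10.10.10.0/24"
vpn_forward_ok "$POST_RULES" 10.10.10.0/24 || echo "FORWARD: VPN subnet hits REJECT before any ACCEPT"
vpn_forward_ok "$FIXED_RULES" 10.10.10.0/24 && echo "FORWARD (fixed): VPN subnet accepted"
```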