That was a cry of despair.
CLIENT:
Tue Nov 14 11:22:47 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Tue Nov 14 11:22:47 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Tue Nov 14 11:22:47 2017 Control Channel Authentication: tls-auth using INLINE static key file
Tue Nov 14 11:22:47 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 14 11:22:47 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 14 11:22:47 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Nov 14 11:22:47 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Nov 14 11:22:47 2017 UDPv4 link local: [undef]
Tue Nov 14 11:22:47 2017 UDPv4 link remote: [AF_INET]ip_address:port
Tue Nov 14 11:22:47 2017 TLS: Initial packet from [AF_INET]ip_address:port, sid=b7e7801f f2f1780a
Tue Nov 14 11:22:47 2017 VERIFY OK: depth=1, C=RU, ST=MSK, L=Moscow, O=SS, OU=SerUser, CN=SS CA, name=EasyRSA, emailAddress=sergey@User.net
Tue Nov 14 11:22:47 2017 Validating certificate key usage
Tue Nov 14 11:22:47 2017 ++ Certificate has key usage 00a0, expects 00a0
Tue Nov 14 11:22:47 2017 VERIFY KU OK
Tue Nov 14 11:22:47 2017 Validating certificate extended key usage
Tue Nov 14 11:22:47 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Nov 14 11:22:47 2017 VERIFY EKU OK
Tue Nov 14 11:22:47 2017 VERIFY OK: depth=0, C=RU, ST=MSK, L=Moscow, O=SS, OU=SerUser, CN=server1, name=EasyRSA, emailAddress=sergey@User.net
Tue Nov 14 11:22:47 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Nov 14 11:22:47 2017 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 14 11:22:47 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Nov 14 11:22:47 2017 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 14 11:22:47 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Nov 14 11:22:47 2017 [server1] Peer Connection Initiated with [AF_INET]ip_address:port
Tue Nov 14 11:22:49 2017 SENT CONTROL [server1]: 'PUSH_REQUEST' (status=1)
Tue Nov 14 11:22:49 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.10.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.0.10 10.10.0.9'
Tue Nov 14 11:22:49 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov 14 11:22:49 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov 14 11:22:49 2017 OPTIONS IMPORT: route options modified
Tue Nov 14 11:22:49 2017 ROUTE_GATEWAY 10.122.254.1/255.255.255.0 IFACE=enp2s0 HWADDR=00:1f:c6:c1:06:6f
Tue Nov 14 11:22:49 2017 TUN/TAP device tun100 opened
Tue Nov 14 11:22:49 2017 TUN/TAP TX queue length set to 100
Tue Nov 14 11:22:49 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Nov 14 11:22:49 2017 /sbin/ip link set dev tun100 up mtu 1500
Tue Nov 14 11:22:49 2017 /sbin/ip addr add dev tun100 local 10.10.0.10 peer 10.10.0.9
Tue Nov 14 11:22:49 2017 /sbin/ip route add ip_address/32 via 10.122.254.1
RTNETLINK answers: File exists
Tue Nov 14 11:22:49 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Nov 14 11:22:49 2017 /sbin/ip route add 0.0.0.0/1 via 10.10.0.9
Tue Nov 14 11:22:49 2017 /sbin/ip route add 128.0.0.0/1 via 10.10.0.9
Tue Nov 14 11:22:49 2017 /sbin/ip route add 10.10.0.0/24 via 10.10.0.9
Tue Nov 14 11:22:49 2017 GID set to nogroup
Tue Nov 14 11:22:49 2017 UID set to nobody
Tue Nov 14 11:22:49 2017 Initialization Sequence Completed
SERVER:
Tue Nov 14 11:22:47 2017 ip_address_2:40655 TLS: Initial packet from [AF_INET]ip_address_2:40655, sid=ff1ff827 0815c78b
Tue Nov 14 11:22:47 2017 ip_address_2:40655 VERIFY OK: depth=1, C=RU, ST=MSK, L=Moscow, O=SS, OU=SerUser, CN=SS CA, name=EasyRSA, emailAddress=sergey@User.net
Tue Nov 14 11:22:47 2017 ip_address_2:40655 VERIFY OK: depth=0, C=RU, ST=MSK, L=Moscow, O=SS, OU=SerUser, CN=msk-work001, name=EasyRSA, emailAddress=sergey@User.net
Tue Nov 14 11:22:47 2017 ip_address_2:40655 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Nov 14 11:22:47 2017 ip_address_2:40655 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 14 11:22:47 2017 ip_address_2:40655 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Nov 14 11:22:47 2017 ip_address_2:40655 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Nov 14 11:22:47 2017 ip_address_2:40655 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Nov 14 11:22:47 2017 ip_address_2:40655 [msk-work001] Peer Connection Initiated with [AF_INET]ip_address_2:40655
Tue Nov 14 11:22:47 2017 MULTI: new connection by client 'msk-work001' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Tue Nov 14 11:22:47 2017 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/msk-work001
Tue Nov 14 11:22:47 2017 MULTI_sva: pool returned IPv4=10.10.0.10, IPv6=(Not enabled)
Tue Nov 14 11:22:47 2017 MULTI: Learn: 10.10.0.10 -> msk-work001/ip_address_2:40655
Tue Nov 14 11:22:47 2017 MULTI: primary virtual IP for msk-work001/ip_address_2:40655: 10.10.0.10
Tue Nov 14 11:22:47 2017 MULTI: internal route 10.122.254.1 -> msk-work001/ip_address_2:40655
Tue Nov 14 11:22:47 2017 MULTI: Learn: 10.122.254.1 -> msk-work001/ip_address_2:40655
Tue Nov 14 11:22:49 2017 msk-work001/ip_address_2:40655 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 14 11:22:49 2017 msk-work001/ip_address_2:40655 send_push_reply(): safe_cap=940
Tue Nov 14 11:22:49 2017 msk-work001/ip_address_2:40655 SENT CONTROL [msk-work001]: 'PUSH_REPLY,redirect-gateway def1,route 10.10.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.0.10 10.10.0.9' (status=1)