openvpn: depois de mudar para o modo de servidor, o cliente não cria dispositivo TUN

2

Eu tinha uma configuração que funcionava anteriormente com os arquivos de configuração usados em uma pergunta anterior

No entanto, eu mudei isso agora para a seguinte configuração usando o modo de servidor, tudo nos logs parece bem, no entanto, o cliente não cria qualquer interface tun, então eu não tenho nada para se conectar, presumivelmente, Eu preciso adicionar ou empurrar alguns comandos de rota, mas eu não tenho nenhuma ideia neste momento o que eu preciso fazer. Estou postando todos os meus arquivos de configuração relevantes

server.conf :

dev tun
server 10.8.117.0 255.255.255.0
ifconfig-pool-persist ipp.txt
tls-server
dh /home/lurscher/keys/dh1024.pem
ca /home/lurscher/keys/ca.crt
cert /home/lurscher/keys/vpnCh8TestServer.crt
key /home/lurscher/keys/vpnCh8TestServer.key
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

e client.conf :

dev tun
remote my.server.com
tls-client
ca /home/chuckq/keys/ca.crt
cert /home/chuckq/keys/vpnCh8TestClient.crt
key /home/chuckq/keys/vpnCh8TestClient.key
ns-cert-type server
; port 1194
; user nobody
; group nogroup
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

o servidor ifconfig mostra um dispositivo tun:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.117.1  P-t-P:10.8.117.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

No entanto, o cliente ifconfig não mostra nenhuma interface tun!

$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

o log do cliente diz:

Tue May 17 23:27:09 2011 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Tue May 17 23:27:09 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue May 17 23:27:09 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 17 23:27:09 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue May 17 23:27:09 2011 LZO compression initialized
Tue May 17 23:27:09 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 17 23:27:09 2011 TUN/TAP device tun0 opened
Tue May 17 23:27:09 2011 TUN/TAP TX queue length set to 100
Tue May 17 23:27:09 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 17 23:27:09 2011 Local Options hash (VER=V4): '41690919'
Tue May 17 23:27:09 2011 Expected Remote Options hash (VER=V4): '530fdded'
Tue May 17 23:27:09 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Tue May 17 23:27:09 2011 UDPv4 link local (bound): [undef]
Tue May 17 23:27:09 2011 UDPv4 link remote: [AF_INET]192.168.0.101:1194
Tue May 17 23:27:09 2011 TLS: Initial packet from [AF_INET]192.168.0.101:1194, sid=8e8bdc33 f4275407
Tue May 17 23:27:09 2011 VERIFY OK: depth=1, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=Ubuntu_CA/name=lurscher/[email protected]
Tue May 17 23:27:09 2011 VERIFY OK: nsCertType=SERVER
Tue May 17 23:27:09 2011 VERIFY OK: depth=0, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=vpnCh8TestServer/name=lurscher/[email protected]
Tue May 17 23:27:09 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:09 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:09 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:09 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:09 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 17 23:27:09 2011 [vpnCh8TestServer] Peer Connection Initiated with [AF_INET]192.168.0.101:1194
Tue May 17 23:27:10 2011 Initialization Sequence Completed

o registro de status do cliente:

OpenVPN STATISTICS
Updated,Tue May 17 23:30:09 2011
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,5604
TCP/UDP write bytes,4244
Auth read bytes,0
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END

e o log do servidor diz:

Tue May 17 23:18:25 2011 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Tue May 17 23:18:25 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue May 17 23:18:25 2011 WARNING: --keepalive option is missing from server config
Tue May 17 23:18:25 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue May 17 23:18:25 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 17 23:18:25 2011 Diffie-Hellman initialized with 1024 bit key
Tue May 17 23:18:25 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue May 17 23:18:25 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 17 23:18:25 2011 ROUTE default_gateway=192.168.0.1
Tue May 17 23:18:25 2011 TUN/TAP device tun0 opened
Tue May 17 23:18:25 2011 TUN/TAP TX queue length set to 100
Tue May 17 23:18:25 2011 /sbin/ifconfig tun0 10.8.117.1 pointopoint 10.8.117.2 mtu 1500
Tue May 17 23:18:25 2011 /sbin/route add -net 10.8.117.0 netmask 255.255.255.0 gw 10.8.117.2
Tue May 17 23:18:25 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 17 23:18:25 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Tue May 17 23:18:25 2011 UDPv4 link local (bound): [undef]
Tue May 17 23:18:25 2011 UDPv4 link remote: [undef]
Tue May 17 23:18:25 2011 MULTI: multi_init called, r=256 v=256
Tue May 17 23:18:25 2011 IFCONFIG POOL: base=10.8.117.4 size=62
Tue May 17 23:18:25 2011 IFCONFIG POOL LIST
Tue May 17 23:18:25 2011 vpnCh8TestClient,10.8.117.4
Tue May 17 23:18:25 2011 Initialization Sequence Completed
Tue May 17 23:27:22 2011 MULTI: multi_create_instance called
Tue May 17 23:27:22 2011 192.168.0.104:1194 Re-using SSL/TLS context
Tue May 17 23:27:22 2011 192.168.0.104:1194 LZO compression initialized
Tue May 17 23:27:22 2011 192.168.0.104:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 17 23:27:22 2011 192.168.0.104:1194 Local Options hash (VER=V4): '530fdded'
Tue May 17 23:27:22 2011 192.168.0.104:1194 Expected Remote Options hash (VER=V4): '41690919'
Tue May 17 23:27:22 2011 192.168.0.104:1194 TLS: Initial packet from [AF_INET]192.168.0.104:1194, sid=8972b565 79323f68
Tue May 17 23:27:22 2011 192.168.0.104:1194 VERIFY OK: depth=1, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=Ubuntu_CA/name=lurscher/[email protected]
Tue May 17 23:27:22 2011 192.168.0.104:1194 VERIFY OK: depth=0, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=Ubuntu_CA/name=lurscher/[email protected]
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:22 2011 192.168.0.104:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 17 23:27:22 2011 192.168.0.104:1194 [vpnCh8TestClient] Peer Connection Initiated with [AF_INET]192.168.0.104:1194
Tue May 17 23:27:22 2011 vpnCh8TestClient/192.168.0.104:1194 MULTI: Learn: 10.8.117.6 -> vpnCh8TestClient/192.168.0.104:1194
Tue May 17 23:27:22 2011 vpnCh8TestClient/192.168.0.104:1194 MULTI: primary virtual IP for vpnCh8TestClient/192.168.0.104:1194: 10.8.117.6

finalmente, o log de status do servidor:

OpenVPN CLIENT LIST
Updated,Tue May 17 23:36:25 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpnCh8TestClient,192.168.0.104:1194,4244,5604,Tue May 17 23:27:22 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.117.6,vpnCh8TestClient,192.168.0.104:1194,Tue May 17 23:27:22 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
    
por lurscher 18.05.2011 / 06:42

2 respostas

1

No uso da configuração do cliente:

client

A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to:

 pull
 tls-client

Na configuração do servidor:

server 10.8.117.0 255.255.255.0

expande para

 mode server
 tls-server
 ifconfig 10.8.117.1 10.8.0.2 
 ifconfig-pool 10.8.117.4 10.8.117.251
 route 10.8.117.0 255.255.255.0

A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.

For example, --server 10.8.0.0 255.255.255.0 expands as follows:

 mode server
 tls-server

 if dev tun:
   ifconfig 10.8.0.1 10.8.0.2 
   ifconfig-pool 10.8.0.4 10.8.0.251
   route 10.8.0.0 255.255.255.0
   if client-to-client:
     push "route 10.8.0.0 255.255.255.0"
   else
     push "route 10.8.0.1"

 if dev tap:
   ifconfig 10.8.0.1 255.255.255.0
   ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
   push "route-gateway 10.8.0.1"

Portanto, o tls-server explícito não é obrigatório.

    
por 23.12.2016 / 09:25
-1

Seu arquivo server.conf provavelmente está faltando algumas coisas. Para começar, não há nenhuma linha declarando um servidor:

mode server

Em segundo lugar, eu teria que presumir que seu cliente está nativamente em uma rede diferente. Em consequência, o servidor precisa enviar algumas rotas para o cliente, por exemplo:

push "route 10.x.y.z 255.255.255.0"

ou similar. Repita esta linha para todas as sub-redes disponíveis através da VPN.

Em terceiro lugar, você provavelmente precisará enviar um servidor DNS, um servidor WINS e uma opção de domínio, por exemplo,

push "dhcp-option DOMAIN my.domain"
push "dhcp-option DNS a.b.c.d"
push "dhcp-option WINS e.f.g.h"

E, finalmente, você precisará instruir o servidor para rotear os endereços do pool para os túneis no servidor, caso contrário, o tráfego não fluirá, assim:

route 10.8.117.0 255.255.255.0
    
por 18.05.2011 / 14:18