Instalamos um servidor OpenVPN em um roteador pfSense v2.0.1 com o "pacote de correção de pontes de conexão OpenVPN" para criar uma rede VPN em ponte. Seguimos este HOWTO: link
Quase tudo funciona bem, esperando que o dispositivo fique pronto para o cliente (Ubuntu 11.10 x64).
Aqui está o trecho do arquivo de log:
# openvpn --config client.conf --script-security 2
Wed Apr 18 18:36:49 2012 OpenVPN 2.2.0 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jul 4 2011
Wed Apr 18 18:36:49 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Apr 18 18:36:49 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Enter Private Key Password:
Wed Apr 18 18:36:53 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Apr 18 18:36:53 2012 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Wed Apr 18 18:36:53 2012 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Wed Apr 18 18:36:53 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:53 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:53 2012 LZO compression initialized
Wed Apr 18 18:36:53 2012 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Apr 18 18:36:53 2012 Socket Buffers: R=[126976->131072] S=[126976->131072]
Wed Apr 18 18:36:53 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Apr 18 18:36:53 2012 Local Options hash (VER=V4): 'a7133b47'
Wed Apr 18 18:36:53 2012 Expected Remote Options hash (VER=V4): 'c5677ab3'
Wed Apr 18 18:36:53 2012 UDPv4 link local: [undef]
Wed Apr 18 18:36:53 2012 UDPv4 link remote: [AF_INET]9.9.9.9:9999
Wed Apr 18 18:36:53 2012 TLS: Initial packet from [AF_INET]9.9.9.9:9999, sid=e19da0d4 b45b5daf
Wed Apr 18 18:36:54 2012 VERIFY OK: depth=1, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
Wed Apr 18 18:36:54 2012 VERIFY OK: depth=0, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 18 18:36:55 2012 [pfsense] Peer Connection Initiated with [AF_INET]9.9.9.9:9999
Wed Apr 18 18:36:57 2012 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
Wed Apr 18 18:36:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN local.domain,dhcp-option DNS 10.0.0.1,redirect-gateway def1,redirect-gateway local def1,ping 10,ping-restart 60'
Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: route options modified
Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 18 18:36:57 2012 ROUTE default_gateway=192.168.9.2
Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.0.0.0
Wed Apr 18 18:36:57 2012 TUN/TAP device tap0 opened
Wed Apr 18 18:36:57 2012 TUN/TAP TX queue length set to 100
Wed Apr 18 18:36:57 2012 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Wed Apr 18 18:36:57 2012 Initialization Sequence Completed
Estamos confusos de que o cliente não use o comando "PUSH" enviado pelo servidor quando o dispositivo "tap0" for reiniciado. Um "ifconfig" no cliente não mostra nenhum dispositivo de toque, quando a conexão é estabelecida. Além disso, não há rotas definidas pela vpn definidas. Alguém tem uma ideia?