pfSense - OpenVPN connection - tap - client: default gateway error

1

We installed an OpenVPN server on a pfSense v2.0.1 router with the "OpenVPN tap bridging fix package" to create a bridged VPN network. We followed this HOWTO: link

Almost everything works fine, except for getting the device ready on the client (Ubuntu 11.10 x64).

Here is the excerpt from the log file:

# openvpn --config client.conf --script-security 2
Wed Apr 18 18:36:49 2012 OpenVPN 2.2.0 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jul  4 2011
Wed Apr 18 18:36:49 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Apr 18 18:36:49 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Enter Private Key Password:
Wed Apr 18 18:36:53 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Apr 18 18:36:53 2012 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Wed Apr 18 18:36:53 2012 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Wed Apr 18 18:36:53 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:53 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:53 2012 LZO compression initialized
Wed Apr 18 18:36:53 2012 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Apr 18 18:36:53 2012 Socket Buffers: R=[126976->131072] S=[126976->131072]
Wed Apr 18 18:36:53 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Apr 18 18:36:53 2012 Local Options hash (VER=V4): 'a7133b47'
Wed Apr 18 18:36:53 2012 Expected Remote Options hash (VER=V4): 'c5677ab3'
Wed Apr 18 18:36:53 2012 UDPv4 link local: [undef]
Wed Apr 18 18:36:53 2012 UDPv4 link remote: [AF_INET]9.9.9.9:9999
Wed Apr 18 18:36:53 2012 TLS: Initial packet from [AF_INET]9.9.9.9:9999, sid=e19da0d4 b45b5daf
Wed Apr 18 18:36:54 2012 VERIFY OK: depth=1, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
Wed Apr 18 18:36:54 2012 VERIFY OK: depth=0, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 18 18:36:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 18 18:36:55 2012 [pfsense] Peer Connection Initiated with [AF_INET]9.9.9.9:9999
Wed Apr 18 18:36:57 2012 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
Wed Apr 18 18:36:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN local.domain,dhcp-option DNS 10.0.0.1,redirect-gateway def1,redirect-gateway local def1,ping 10,ping-restart 60'
Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: route options modified
Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 18 18:36:57 2012 ROUTE default_gateway=192.168.9.2
Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.0.0.0
Wed Apr 18 18:36:57 2012 TUN/TAP device tap0 opened
Wed Apr 18 18:36:57 2012 TUN/TAP TX queue length set to 100
Wed Apr 18 18:36:57 2012 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Wed Apr 18 18:36:57 2012 Initialization Sequence Completed

We are confused that the client does not use the "PUSH" command sent by the server when the "tap0" device is restarted. An "ifconfig" on the client does not show any tap device once the connection is established. Also, none of the routes defined by the VPN are set. Does anyone have an idea?

by Arny80Hexa 18.04.2012 / 19:01

1 answer

1

Although I'm not an expert, I had to do this recently myself. I don't know which command-line parameters you are using, but for the "push" options to be accepted, the client must indicate that it trusts the server to mess with its routing table; this is done by specifying

--pull

or

--client

(This implies --pull)

Hope this helps.

by 08.08.2012 / 00:00
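A client configuration for the situation in the log above, as an added example that is not the original poster's file or the answerer's code. The log already shows the client accepting the PUSH_REPLY (so pull is in effect); what it reports is that the pushed "route 10.0.0.0 255.0.0.0" and "redirect-gateway def1" have no gateway to use, because a tap client has no --ifconfig to derive one from. "route-gateway dhcp" tells OpenVPN to take the gateway from the DHCP lease obtained across the bridge, which assumes the bridged LAN behind pfSense serves DHCP (as in the HOWTO's bridged setup). The other directives address the three WARNING lines in the log. The remote address, port and file names are placeholders taken from the log, not real values, and the tls-auth direction assumes the pfSense server uses direction 0.

```conf
# client.conf - added example, not the original poster's configuration.
# Host, port and file names are placeholders copied from the log excerpt.
client                        # implies --pull and --tls-client: accept pushed options
dev tap                       # layer-2 tunnel, matching the server's tap bridge
proto udp
remote 9.9.9.9 9999           # address/port as they appear in the log, not a real server
nobind

# In tap mode there is no --ifconfig, so pushed "route" and "redirect-gateway"
# are dropped ("OpenVPN needs a gateway parameter for a --route option").
# Take the gateway from the DHCP lease obtained over the bridge (assumes the
# bridged LAN serves DHCP).
route-gateway dhcp

# Addresses "WARNING: No server certificate verification method has been enabled":
# refuse a peer whose certificate is not marked as a server certificate.
# Assumes the pfSense server certificate was created with the "Server Certificate" type.
remote-cert-tls server

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1             # HMAC firewall; direction 1 assumes the server uses 0

# Addresses "this configuration may cache passwords in memory"
auth-nocache

comp-lzo                      # log shows "LZO compression initialized"
persist-key
persist-tun
verb 3
```

The "file '/etc/openvpn/ta.key' is group or others accessible" warning is a file-permission issue, not a configuration one: restrict ta.key and client.key to the owner (mode 600) on the client. If the bridged LAN does not hand out DHCP, replace "route-gateway dhcp" with the explicit address of the bridge gateway on the pfSense side; the same directive can also be pushed from the server's custom options (push "route-gateway dhcp") so every client picks it up without local edits.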