Connection refused - VPN - Urgente!

1. Connection refused - VPN - Urgente!

rensantos
(usa Ubuntu)

Enviado em 16/03/2015 - 09:44h

Bom dia pessoal,

Estou com um problema urgentíssimo.
Troquei de servidor nesse final de semana e fiz os testes no domingo, com um ip, mas agora quando subo a vpn não está dando certo, as filiais estão todas fora, sem conseguir acessar o sistema aqui na matriz, alguém pode me dar uma ajuda, por favor?

As configurações do meu servidor:


##Protocolo de conexão
#proto tcp / proto udp
proto udp
# Porta do servico (padrao openvpn)
port 51001
# Drive da interface
dev tun
# Seguranca na VPN
script-security 2
# Configura o IP do Tunel
ifconfig 172.32.1.1 172.32.1.2
# Acrescenta rotas aos clientes, informações da rede local
push "route 192.168.1.0 255.255.255.0"
# Compactacao lib LZO
comp-lzo
# Pinga a cada 10 segundos e derruba a conexao apos 120 segundos
keepalive 10 120
float
#ifconfig-pool-persist ipp.txt
max-clients 1
persist-key
persist-tun
log-append /var/log/openvpn.log
verb 3
# Servidor TLS
tls-server
# Chaves necessarias
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/matriz.crt
key /etc/openvpn/keys/matriz.key
# Chave secreta do servidor
#tls-auth /etc/openvpn/keys/chave.key
status /var/log/openvpn.stats
# Executa scripts
up /etc/openvpn/scripts/filial1.sh

E da filial:


client
dev tun
proto udp
remote x.x.x.x --> o ip está certo
port 51001
pull
comp-lzo
keepalive 10 120
float
tls-client
persist-tun
persist-key
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/filial1.crt
key /etc/openvpn/keys/filial1.key
tls-auth /etc/openvpn/keys/chave.key
route-method exe
route-delay 2
script-security 2
remote-cert-tls server
ifconfig 172.32.1.2 172.32.1.1
log /etc/openvpn/filial1.log

Deixei essas regras nos 2 firewalls:


 /sbin/iptables -A INPUT -p udp --dport 51001 -j ACCEPT
 /sbin/iptables -A FORWARD -p udp --dport 51001 -j ACCEPT
 /sbin/iptables -A OUTPUT -p udp --dport 51001 -j ACCEPT
 /sbin/iptables -A INPUT -p udp --sport 51001 -j ACCEPT
 /sbin/iptables -A FORWARD -p udp --sport 51001 -j ACCEPT
 /sbin/iptables -A OUTPUT -p udp --sport 51001 -j ACCEPT

E na filial1 não sobe a interface da vpn (tun0)

Esse e o log na filial:


Mon Mar 16 09:42:09 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
Mon Mar 16 09:42:09 2015 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Mon Mar 16 09:42:09 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 16 09:42:09 2015 Control Channel Authentication: using '/etc/openvpn/keys/chave.key' as a OpenVPN static key file
Mon Mar 16 09:42:09 2015 LZO compression initialized
Mon Mar 16 09:42:09 2015 UDPv4 link local (bound): [undef]
Mon Mar 16 09:42:09 2015 UDPv4 link remote: [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:09 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 16 09:42:11 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 16 09:42:15 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 16 09:42:23 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:25 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:29 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:37 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001

Obs.: o x.x.x.x é o ip da matriz

E aqui o log no servidor:


Tue Jan  1 20:20:05 2002 Socket Buffers: R=[229376->131072] S=[229376->131072]
Tue Jan  1 20:20:05 2002 Preserving previous TUN/TAP instance: tun0
Tue Jan  1 20:20:05 2002 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan  1 20:20:05 2002 Local Options hash (VER=V4): '09ead35e'
Tue Jan  1 20:20:05 2002 Expected Remote Options hash (VER=V4): '32ab9cc9'
Tue Jan  1 20:20:05 2002 UDPv4 link local (bound): [undef]
Tue Jan  1 20:20:05 2002 UDPv4 link remote: [undef]
Tue Jan  1 20:20:05 2002 TLS: Initial packet from [AF_INET]y.y.y.y:51001, sid=03acb6bb b6cac87c
Tue Jan  1 20:20:05 2002 TLS Error: reading acknowledgement record from packet
Tue Jan  1 20:20:21 2002 TLS Error: reading acknowledgement record from packet
Tue Jan  1 20:20:53 2002 TLS: new session incoming connection from [AF_INET]y.y.y.y:51001
Tue Jan  1 20:20:53 2002 TLS Error: reading acknowledgement record from packet
Tue Jan  1 20:20:55 2002 TLS Error: reading acknowledgement record from packet
Tue Jan  1 20:20:59 2002 TLS Error: reading acknowledgement record from packet

Obs.: o y.y.y.y é o ip da filial1
O que estou fazendo de errado?

0 0

Quote

2. Re: Connection refused - VPN - Urgente!

rensantos
(usa Ubuntu)

Enviado em 16/03/2015 - 10:02h

Olha o que eu já achei de errado (o que a pressa faz com uma pessoa):
Descomentei a segunda linha abaixo, na matriz, que estava comentada e tinha na filial:


# Chave secreta do servidor
tls-auth /etc/openvpn/keys/chave.key

Agora o log da matriz:


Tue Jan  1 20:38:48 2002 Socket Buffers: R=[229376->131072] S=[229376->131072]
Tue Jan  1 20:38:48 2002 Preserving previous TUN/TAP instance: tun0
Tue Jan  1 20:38:48 2002 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan  1 20:38:48 2002 Local Options hash (VER=V4): '7b726282'
Tue Jan  1 20:38:48 2002 Expected Remote Options hash (VER=V4): 'ebe38598'
Tue Jan  1 20:38:48 2002 UDPv4 link local (bound): [undef]
Tue Jan  1 20:38:48 2002 UDPv4 link remote: [undef]
Tue Jan  1 20:38:48 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan  1 20:38:49 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan  1 20:38:50 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan  1 20:38:51 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan  1 20:38:52 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan  1 20:38:53 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan  1 20:38:54 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)

E da filial:


Mon Mar 16 10:00:25 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
Mon Mar 16 10:00:25 2015 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Mon Mar 16 10:00:25 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 16 10:00:25 2015 Control Channel Authentication: using '/etc/openvpn/keys/chave.key' as a OpenVPN static key file
Mon Mar 16 10:00:25 2015 LZO compression initialized
Mon Mar 16 10:00:25 2015 UDPv4 link local (bound): [undef]
Mon Mar 16 10:00:25 2015 UDPv4 link remote: [AF_INET]x.x.x.x:51001
Mon Mar 16 10:00:27 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

Ainda assim não conecta, na matriz sobe a tun0, mas na filial não.

0 0

Quote

3. Re: Connection refused - VPN - Urgente!

jcoli
(usa Debian)

Enviado em 16/03/2015 - 10:17h

Eu tive esse problema.

Troquei o protocolo para tcp. Resolveu.

Jeferson Coli
---------------------
www.tecnocoli.com.br

0 0

Quote

4. Re: Connection refused - VPN - Urgente!

rensantos
(usa Ubuntu)

Enviado em 16/03/2015 - 10:33h

Oi Jeferson, troquei como você falou, agora na matriz o log está atualizando assim:


Tue Jan  1 21:08:11 2002 TCP connection established with [AF_INET]y.y.y.y:46416
Tue Jan  1 21:08:11 2002 TCPv4_SERVER link local (bound): [undef]
Tue Jan  1 21:08:11 2002 TCPv4_SERVER link remote: [AF_INET]y.y.y.y:46416
Tue Jan  1 21:08:11 2002 TLS: Initial packet from [AF_INET]y.y.y.y:46416, sid=d29d6e59 9204e8a7
Tue Jan  1 21:08:11 2002 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=BR/ST=PR/L=Cidade/O=Empresa/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
Tue Jan  1 21:08:11 2002 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Jan  1 21:08:11 2002 TLS Error: TLS object -> incoming plaintext read error
Tue Jan  1 21:08:11 2002 TLS Error: TLS handshake failed
Tue Jan  1 21:08:11 2002 Fatal TLS error (check_tls_errors_co), restarting
Tue Jan  1 21:08:11 2002 TCP/UDP: Closing socket
Tue Jan  1 21:08:11 2002 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan  1 21:08:11 2002 Restart pause, 1 second(s)
Tue Jan  1 21:08:12 2002 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan  1 21:08:12 2002 Re-using SSL/TLS context
Tue Jan  1 21:08:12 2002 LZO compression initialized
Tue Jan  1 21:08:12 2002 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Jan  1 21:08:12 2002 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Jan  1 21:08:12 2002 Preserving previous TUN/TAP instance: tun0
Tue Jan  1 21:08:12 2002 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan  1 21:08:12 2002 Local Options hash (VER=V4): 'd595669d'
Tue Jan  1 21:08:12 2002 Expected Remote Options hash (VER=V4): 'fa5b43c2'
Tue Jan  1 21:08:12 2002 Listening for incoming TCP connection on [undef]

E na filial, assim:


Mon Mar 16 10:33:27 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 16 10:33:27 2015 Re-using SSL/TLS context
Mon Mar 16 10:33:27 2015 LZO compression initialized
Mon Mar 16 10:33:27 2015 Attempting to establish TCP connection with [AF_INET]x.x.x.x:51001 [nonblock]
Mon Mar 16 10:33:28 2015 TCP connection established with [AF_INET]x.x.x.x:51001
Mon Mar 16 10:33:28 2015 TCPv4_CLIENT link local: [undef]
Mon Mar 16 10:33:28 2015 TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:51001
Mon Mar 16 10:33:28 2015 Connection reset, restarting [0]
Mon Mar 16 10:33:28 2015 SIGUSR1[soft,connection-reset] received, process restarting

E ainda não subiu a tun0 na filial.
Esse do certificado, na matriz, o que pode ser? Eu conferi, os arquivos estão certos tb.

0 0

Quote

5. Re: Connection refused - VPN - Urgente!

jcoli
(usa Debian)

Enviado em 16/03/2015 - 11:09h

Agora parece erro de certificado mesmo.

Só para esclarecer, eu montei a VPN para uma empresa usando o UDP. Eles mudaram de local e a internet não ficou lá essas coisas.
Não era 100% das vezes, mas esta sempre com esse erro.

Mudei para tcp, acabou o problema. Eu acho que como a internet é ruim, há muita perda de pacote.

Eu utilizo para conexões remotas de usuários, mas não muda quase nada.

meus scripts:
server:
port 1194
proto tcp
mssfix 1400
dev tun
tls-server

ca certs/ca.crt
cert certs/server.crt
key keys/server.key
dh keys/dh2048.pem

# Rede usada pelo tunel openvpn
server 10.254.0.0 255.255.255.0

# define o arquivo onde sera guardados os ips que os clientes obtiverem na conexao, assim os mesmos sempre irao pegar os
# mesmos ips
ifconfig-pool-persist ipp.txt

# Define a rota para a rede da filial poder enxergar a rede da matriz
push "route-delay 2 600"
push "route 192.168.0.0 255.255.255.0"
ping-timer-rem
keepalive 10 120

# Tipo de criptografia usada
cipher DES-EDE3-CBC

# habilita compressão no link VPN
comp-lzo

# Numero maximo de clientes (filiais)
max-clients 10

# usuário e grupo sob o qual o openvpn ira rodar
#user nobody
#group nogroup

script-security 2
username-as-common-name
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

# Permite um restart sem fechar a conexão e re-ler as chaves
persist-key
persist-tun

# Log de status das conexoes
status /var/log/openvpn/status.log

# define um arquivo de log, pois o default é o /var/log/syslog
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

verb 6

# desabilita mensagens repetitivas, ou seja, erros ou conexoes em sequencia
# acima de 20, ele dropa.
mute 20

client:

float
port 1194
dev tun
proto tcp
comp-lzo
cipher DES-EDE3-CBC
remote sai-br.no-ip.biz
ping 10
persist-tun
persist-key
ca [inline]
auth-user-pass
client
verb 4
<ca>
-----BEGIN CERTIFICATE-----
MIIEvTCCA6WgAwIBAgIJAMfm8JKaR6XyMA0GCSqGSIb3DQEBBQUAMIGaMQswCQYD
dlaksjhlkashfkashfdjhgj........................................................................................................
-----END CERTIFICATE-----
</ca>

Jeferson Coli
---------------------
www.tecnocoli.com.br

0 0

Quote

6. Re: Connection refused - VPN - Urgente!

rensantos
(usa Ubuntu)

Enviado em 16/03/2015 - 12:02h

Oi Jeferson, já copiei de novo o mesmo certificado (que estava funcionando no domingo quando testei) e continua a mesma coisa, será que tem alguma outra coisa que eu possa fazer?
Ou o certo seria refazer todo certificado? Neste caso as configurações estão certas?

0 0

Quote

7. Re: Connection refused - VPN - Urgente!

jcoli
(usa Debian)

Enviado em 22/03/2015 - 05:57h

Tenho um manual aqui que usei pela primeira vez.
Me passa o seu email que lhe envio.

Abraços

Jeferson Coli
---------------------
www.tecnocoli.com.br

0 0

Quote