mbrainiac
(usa Debian)
Enviado em 22/11/2013 - 22:29h
Caros linuxers,
Não sei o que falta, se falta alguma regra de firewall, bem não sei...
O server está ok.
Mas o cliente falha com conexão recusada; alguma sugestão?
*************************************************************************************************
Server 3G
root@debianPURO:/etc/openvpn# openvpn --config /etc/openvpn/server.conf
Fri Nov 22 22:07:27 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Fri Nov 22 22:07:27 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Nov 22 22:07:27 2013 Diffie-Hellman initialized with 1024 bit key
Fri Nov 22 22:07:27 2013 Control Channel Authentication: using '/etc/openvpn/keys/chave.key' as a OpenVPN static key file
Fri Nov 22 22:07:27 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 22 22:07:27 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 22 22:07:27 2013 TLS-Auth MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Nov 22 22:07:27 2013 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Nov 22 22:07:27 2013 ROUTE default_gateway=10.0.2.2
Fri Nov 22 22:07:27 2013 TUN/TAP device tun0 opened
Fri Nov 22 22:07:27 2013 TUN/TAP TX queue length set to 100
Fri Nov 22 22:07:27 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Nov 22 22:07:27 2013 /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
Fri Nov 22 22:07:27 2013 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
Fri Nov 22 22:07:27 2013 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 22 22:07:27 2013 UDPv4 link local (bound): [undef]
Fri Nov 22 22:07:27 2013 UDPv4 link remote: [undef]
Fri Nov 22 22:07:27 2013 MULTI: multi_init called, r=256 v=256
Fri Nov 22 22:07:27 2013 IFCONFIG POOL: base=10.0.0.4 size=62, ipv6=0
Fri Nov 22 22:07:27 2013 IFCONFIG POOL LIST
Fri Nov 22 22:07:27 2013 Initialization Sequence Completed
# /etc/openvpn/server.conf
# Routed (tun) OpenVPN server on UDP 22222 serving the 10.0.0.0/24 VPN subnet.
# The transcript starts it as root and this file has no user/group directive,
# so the daemon does not drop privileges after initialization.
# The startup log and ifconfig output show eth0 at 10.0.2.15 with default
# gateway 10.0.2.2, i.e. a private address: packets sent to the public address
# only reach this daemon if the upstream NAT device forwards UDP 22222 here.
# NOTE(review): a missing forward is the likely cause of the client's
# ECONNREFUSED (an ICMP port-unreachable reply) - confirm on the upstream device.
proto udp
port 22222
dev tun0
# The log shows tun0 as 10.0.0.1 -> 10.0.0.2 and the address pool starting at 10.0.0.4.
server 10.0.0.0 255.255.255.0
# Each pushed route pairs a host address with a /24 mask; a route should name
# the network address for its mask (host bits zero).
# 10.0.0.2 lies inside the VPN subnet itself and 10.0.2.15 is this server's own
# eth0 address. 192.168.0.10 is the static address in the second interfaces
# file on the page; pushing a /24 the client already sits on would pull its
# LAN traffic into the tunnel.
# NOTE(review): confirm which networks are really meant to be reachable.
push "route 10.0.0.2 255.255.255.0"
push "route 192.168.0.10 255.255.255.0"
push "route 10.0.2.15 255.255.255.0"
# Compression is applied before encryption, which can leak information about
# the plaintext through packet sizes; later OpenVPN releases deprecate this
# option. The setting has to match on both ends.
comp-lzo
# Liveness pings: 10 s interval, 120 s timeout.
keepalive 10 120
persist-key
persist-tun
# Accept authenticated packets from a peer whose source address/port changed.
float
# Remembers which client received which pool address across restarts.
ifconfig-pool-persist /etc/openvpn/ipp.txt
max-clients 10
#shaper 51200
tls-server
# 1024-bit Diffie-Hellman parameters (the log confirms "1024 bit key"); this is
# below current minimum recommendations - regenerate at 2048 bits or more.
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/servidor.crt
# Private key: should be readable by root only.
key /etc/openvpn/keys/servidor.key
# HMAC signature on control-channel packets (SHA1 per the log); direction 0 on
# the server, so every client needs the same key file with direction 1.
# Packets without a valid HMAC are dropped silently, which shows up on the
# client as a handshake timeout rather than as "connection refused".
tls-auth /etc/openvpn/keys/chave.key 0
# Level 2 permits calling user-defined scripts (the log prints a NOTE about it).
# No script directive appears in this file, so the lower default level looks
# sufficient - confirm before lowering.
script-security 2
# CBC-mode cipher; must be identical on the client. AEAD ciphers (AES-GCM)
# need a newer OpenVPN than the 2.2.1 shown in the log.
cipher AES-128-CBC #AES
# Pushed to clients so they notify the server when they exit (UDP only).
push "explicit-exit-notify 3"
verb 3
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
# Address is obtained by DHCP; the ifconfig output that follows shows
# 10.0.2.15/24, a private address, so this host is not directly reachable from
# the Internet without a port forward on the upstream device.
iface eth0 inet dhcp
# Disabled static configuration, kept for reference:
# address 192.168.0.10
# gateway 192.168.0.1
# network 192.168.0.0
# netmask 255.255.255.0
root@debianPURO:/home/jga# ifconfig
eth0 Link encap:Ethernet Endereço de HW 08:00:27:e2:23:3f
inet end.: 10.0.2.15 Bcast:10.0.2.255 Masc:255.255.255.0
endereço inet6: fe80::a00:27ff:fee2:233f/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:29 errors:0 dropped:0 overruns:0 frame:0
TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:5183 (5.0 KiB) TX bytes:17846 (17.4 KiB)
lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACKRUNNING MTU:16436 Métrica:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:480 (480.0 B) TX bytes:480 (480.0 B)
tun0 Link encap:Não Especificado Endereço de HW 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet end.: 10.0.0.1 P-a-P:10.0.0.2 Masc:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
********************************************************************************************************************
Cliente dsl
root@debian:/etc/openvpn# openvpn --config /etc/openvpn/clientfile.conf
Fri Nov 22 23:18:03 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Fri Nov 22 23:18:03 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Nov 22 23:18:03 2013 Control Channel Authentication: using '/etc/openvpn/keys/chave.key' as a OpenVPN static key file
Fri Nov 22 23:18:03 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 22 23:18:03 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 22 23:18:03 2013 LZO compression initialized
Fri Nov 22 23:18:03 2013 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Nov 22 23:18:03 2013 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Nov 22 23:18:03 2013 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 22 23:18:03 2013 Local Options hash (VER=V4): '272f1b58'
Fri Nov 22 23:18:03 2013 Expected Remote Options hash (VER=V4): 'a2e63101'
Fri Nov 22 23:18:03 2013 UDPv4 link local (bound): [undef]
Fri Nov 22 23:18:03 2013 UDPv4 link remote: [AF_INET]187.75.159.225:22222
Fri Nov 22 23:18:03 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Nov 22 23:18:06 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Nov 22 23:18:10 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Fri Nov 22 23:18:18 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
# /etc/openvpn/client.conf
# NOTE(review): the transcript runs "openvpn --config /etc/openvpn/clientfile.conf"
# and its log reports the tls-auth static key in use, while this file is named
# client.conf and has tls-auth commented out - confirm that this is the file
# that actually produced the log.
# Dynamic-DNS name of the server. The log shows the remote as
# 187.75.159.225:22222 and every read fails with ECONNREFUSED. On UDP that
# means an ICMP port-unreachable came back: nothing is listening on, or
# forwarded to, UDP 22222 at that address. The server's own eth0 is the
# private 10.0.2.15, so a port forward upstream of it is the first thing to check.
remote brainiaclinux2.no-ip.biz
proto udp
port 22222
# "push" is a server-side directive taking one quoted argument
# (push "route NETWORK NETMASK"); these two lines are misquoted and do not
# belong in a client config. 10.64.64.64 is also not a valid netmask.
# NOTE(review): routes the client should learn are pushed by the server.
push route "10.0.0.1 255.255.255.0"
push route "192.168.50.10 10.64.64.64"
# "client" already implies pull and tls-client, so the "pull" line is redundant
# and the commented-out tls-client below is not missing.
client
pull
dev tun
# Must match the server; see the compression caveat there (size side channel,
# deprecated in later releases).
comp-lzo
keepalive 10 120
persist-key
persist-tun
float
#tls-client
# Requires the server certificate to carry the legacy Netscape "server" type,
# so another client certificate from the same CA cannot pose as the server.
# Later releases replace this with remote-cert-tls server.
ns-cert-type server
# DH parameters are only used on the TLS server side; this line is not needed
# on a client (and 1024 bits is too small where it is used).
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/cliente1.crt
# Private key: should be readable by root only.
key /etc/openvpn/keys/cliente1.key
# The server config enables tls-auth with direction 0, so the client needs this
# line active (direction 1, same key file). Without it the server silently
# drops the client's packets - a handshake timeout, not the ECONNREFUSED seen
# in the log, so this is a second problem rather than the cause of that error.
#tls-auth /etc/openvpn/keys/chave.key 1
# Level 2 permits user-defined scripts; none are referenced in this file, so
# the lower default level looks sufficient - confirm before lowering.
script-security 2
resolv-retry infinite
# Must be identical to the server's cipher.
cipher AES-128-CBC #AES
verb 3
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
# Static 192.168.0.10/24 behind gateway 192.168.0.1.
# NOTE(review): the server config pushes a route for 192.168.0.10 with mask
# 255.255.255.0; if this host is the VPN client, that route overlaps its own
# LAN - confirm the intended addressing.
iface eth0 inet static
address 192.168.0.10
gateway 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
iptables
# NOTE(review): the 23:23 timestamps match the client log, so this is
# presumably the client's ruleset - confirm.
# nat table: all chain policies are ACCEPT; the single rule source-NATs
# everything that leaves through eth0.
*nat
:PREROUTING ACCEPT [10:2048]
:INPUT ACCEPT [8:1392]
:OUTPUT ACCEPT [225:14693]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 22 23:23:41 2013
# Generated by iptables-save v1.4.14 on Fri Nov 22 23:23:41 2013
# filter table: INPUT, FORWARD and OUTPUT all default to ACCEPT, so nothing is
# filtered and the two tun+ ACCEPT rules change no decision. No rule drops or
# rejects UDP 22222, so this ruleset does not explain the ECONNREFUSED.
# Hardening once the tunnel works: default-DROP on INPUT and FORWARD, then
# explicit allows for loopback, established/related traffic and tun+.
*filter
:INPUT ACCEPT [4982:5976768]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3523:322412]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
# Completed on Fri Nov 22 23:23:41 2013
O cliente não forma o túnel.
iptables
# Generated by iptables-save v1.4.14 on Fri Nov 22 22:21:20 2013
# NOTE(review): the 22:21 timestamps match the server log, so this is
# presumably the server's ruleset - confirm.
# nat table: all chain policies are ACCEPT; the single rule source-NATs
# everything that leaves through eth0.
*nat
:PREROUTING ACCEPT [2:1152]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [15:1501]
:POSTROUTING ACCEPT [1:60]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 22 22:21:20 2013
# Generated by iptables-save v1.4.14 on Fri Nov 22 22:21:20 2013
# filter table: INPUT, FORWARD and OUTPUT all default to ACCEPT, so UDP 22222
# is not blocked on this host and the two tun+ ACCEPT rules change no decision;
# a missing local firewall rule is not what refuses the client.
# The FORWARD counter is [0:0]; whether kernel IP forwarding is enabled is not
# shown, and the routes pushed to clients depend on it.
# Hardening once the tunnel works: default-DROP on INPUT and FORWARD, then
# explicit allows for loopback, established/related traffic, UDP 22222 on eth0
# and tun+.
*filter
:INPUT ACCEPT [24:4594]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:4651]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
# Completed on Fri Nov 22 22:21:20 2013