OPENVPN

Hello. I have Fedora 20 and I want to set up a VPN connection using OpenVPN. I want Fedora as the server and a Windows computer as the client. I am a beginner, so I apologise in advance if I am dealing with something trivial, but I seriously don't know what to do any more. I started the server on Fedora but I cannot get the client to connect to it. I followed the guide at https://fedoraproject.org/wiki/Openvpn . But I still have no idea where the problem is.

Client log output:
Sat Mar 01 21:54:11 2014 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Sat Mar 01 21:54:11 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 01 21:54:11 2014 Need hold release from management interface, waiting…
Sat Mar 01 21:54:11 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 01 21:54:11 2014 MANAGEMENT: CMD ‘state on’
Sat Mar 01 21:54:11 2014 MANAGEMENT: CMD ‘log all on’
Sat Mar 01 21:54:11 2014 MANAGEMENT: CMD ‘hold off’
Sat Mar 01 21:54:11 2014 MANAGEMENT: CMD ‘hold release’
Sat Mar 01 21:54:11 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Mar 01 21:54:12 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 01 21:54:12 2014 MANAGEMENT: >STATE:1393707252,RESOLVE,
Sat Mar 01 21:54:14 2014 RESOLVE: Cannot resolve host address: <192.168.1.44>: Požadovaný názov je platný, no nenašli sa žiadne údaje požadovaného typu.

Server log from the file openvpn.log:

Sat Mar 1 20:28:13 2014 us=149321 Current Parameter Settings:
Sat Mar 1 20:28:13 2014 us=366304 config = ‘server.conf’
Sat Mar 1 20:28:13 2014 us=367876 mode = 1
Sat Mar 1 20:28:13 2014 us=367938 persist_config = DISABLED
Sat Mar 1 20:28:13 2014 us=367955 persist_mode = 1
Sat Mar 1 20:28:13 2014 us=367966 show_ciphers = DISABLED
Sat Mar 1 20:28:13 2014 us=367977 show_digests = DISABLED
Sat Mar 1 20:28:13 2014 us=367987 show_engines = DISABLED
Sat Mar 1 20:28:13 2014 us=367998 genkey = DISABLED
Sat Mar 1 20:28:13 2014 us=368008 key_pass_file = ‘[UNDEF]’
Sat Mar 1 20:28:13 2014 us=368018 show_tls_ciphers = DISABLED
Sat Mar 1 20:28:13 2014 us=368029 Connection profiles [default]:
Sat Mar 1 20:28:13 2014 us=368050 proto = tcp-server
Sat Mar 1 20:28:13 2014 us=368061 local = ‘[UNDEF]’
Sat Mar 1 20:28:13 2014 us=368071 local_port = 1194
Sat Mar 1 20:28:13 2014 us=368081 remote = ‘[UNDEF]’
Sat Mar 1 20:28:13 2014 us=368091 remote_port = 1194
Sat Mar 1 20:28:13 2014 us=368101 remote_float = DISABLED
Sat Mar 1 20:28:13 2014 us=368110 bind_defined = DISABLED
Sat Mar 1 20:28:13 2014 us=368120 bind_local = ENABLED
Sat Mar 1 20:28:13 2014 us=368130 NOTE: --mute triggered…
Sat Mar 1 20:28:13 2014 us=368155 260 variation(s) on previous 20 message(s) suppressed by --mute
Sat Mar 1 20:28:13 2014 us=368167 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Sat Mar 1 20:28:13 2014 us=368300 WARNING: you are using user/group/chroot/setcon without persist-tun – this may cause restarts to fail
Sat Mar 1 20:28:13 2014 us=368316 WARNING: you are using user/group/chroot/setcon without persist-key – this may cause restarts to fail
Sat Mar 1 20:28:13 2014 us=470385 Diffie-Hellman initialized with 1024 bit key
Sat Mar 1 20:28:13 2014 us=880219 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Mar 1 20:28:13 2014 us=880452 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sat Mar 1 20:28:13 2014 us=880793 ROUTE: default_gateway=UNDEF
Sat Mar 1 20:28:14 2014 us=191242 TUN/TAP device tun0 opened
Sat Mar 1 20:28:14 2014 us=191449 TUN/TAP TX queue length set to 100
Sat Mar 1 20:28:14 2014 us=191564 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Mar 1 20:28:14 2014 us=191666 /usr/sbin/ip link set dev tun0 up mtu 1500
Sat Mar 1 20:28:14 2014 us=585017 /usr/sbin/ip addr add dev tun0 local 10.0.1.1 peer 10.0.1.2
Sat Mar 1 20:28:14 2014 us=995307 /usr/sbin/ip route add 10.0.1.0/24 via 10.0.1.2
Sat Mar 1 20:28:14 2014 us=997519 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Mar 1 20:28:14 2014 us=999945 GID set to nobody
Sat Mar 1 20:28:15 2014 us=13 UID set to nobody
Sat Mar 1 20:28:15 2014 us=38 Listening for incoming TCP connection on [undef]
Sat Mar 1 20:28:15 2014 us=66 TCPv4_SERVER link local (bound): [undef]
Sat Mar 1 20:28:15 2014 us=78 TCPv4_SERVER link remote: [undef]
Sat Mar 1 20:28:15 2014 us=93 MULTI: multi_init called, r=256 v=256
Sat Mar 1 20:28:15 2014 us=159 IFCONFIG POOL: base=10.0.1.4 size=62, ipv6=0
Sat Mar 1 20:28:15 2014 us=187 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Mar 1 20:28:15 2014 us=218 Initialization Sequence Completed

I also allowed the port and the program in the firewall.

RESOLVE: Cannot resolve host address: <192.168.1.44>: Požadovaný názov je platný, no nenašli sa žiadne údaje požadovaného typu.
And what is this?
Why does it want to resolve this address?

Post the client and server configs here, we will get this working. I have OpenVPN on several machines - servers on BSD, Linux and also Windows 7 and Windows Server 2013. The clients are both Windows and Linux machines. Everything works. So it must work for you too.

Do not use TCP for OpenVPN, use UDP instead!

OK, thanks for the advice, I did not know that UDP is the better choice.

Here is the server config as I have had it until now, so TCP is still in there. The server certificate and key are masina.crt and .key.

port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/masina.crt
key /etc/openvpn/masina.key
dh /etc/openvpn/dh1024.pem
server 10.9.8.0 255.255.255.0
push "route <192.168.1.44> 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3

Client config.
client
dev tun
proto tcp
remote <192.168.1.44> 1194
pull
route <192.168.1.44> 255.255.255.0 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
comp-lzo
verb 3

Even after switching to UDP it still does the same thing.

Add the line in bold to the client script.
Remove the <> from the remote and route commands.
Are you really connecting to the remote IP 192.168.1.44?? (well, according to the log, apparently yes.)
Is the name net_gateway a valid and resolvable name of the computer running the VPN server?
For the certificate and key names I recommend using absolute paths (but it is not necessary)

client
dev tun
proto tcp
remote 192.168.1.44 1194
pull
route 192.168.1.44 255.255.255.0 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3

Yes, that is my IP on the local network behind the router I have at home. So should I use the IP assigned to the router?

Yes.
Provided it can be resolved (nslookup net_gateway , does it spit out that 192.168.1.44 for you?)

Still, something does not add up for me, how do you actually have it connected?

What is your local subnet? 192.168.1.0/24 ?
But then the VPN address cannot be from this range.
For the virtual tun subnet choose a different network, say for instance 172.30.133.0/24

Do you want to connect from outside via a public IP, possibly through a router and NAT?
Or (as the question suggests so far) is it all on one wired network? In which case I do not understand what the VPN is for

This is roughly how it should be:

client
dev tun
proto udp
remote IP_vzdáleného_počítače_s_VPN_serverem 1194
pull
route 192.168.1.0 255.255.255.0 net_gateway # i.e. the subnet and mask of the server's internal IP
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3

I apologise, but net_gateway was not supposed to be there at all, it was left over from the config I used as a template and modified.
For the virtual network I have already chosen a different one, that is true, in the server it is set as 10.9.8.0, and if I want more clients there it should probably look like this, for example, if I am not mistaken: 10.9.8.0/24 ?
For now I have it on the LAN, but only because I am trying to get it running; afterwards I will of course use it when I am away from home so that I can reach the things I have stored on the server.

It more or less works now, thank you, but a problem with the certificates has come up. It refuses to verify them, even though they are definitely fine; I tried creating new ones too, but still the same problem.

Here is the server config (I am including it just for completeness):

dev tun
proto udp
port 1194
ca ca.crt
cert masina.crt
key masina.key
dh dh1024.pem
server 10.254.112.0/24 255.255.255.0
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
push "192.168.1.44 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
comp-lzo

Client config:

client
dev tun
proto udp
remote 192.168.1.44 1194
pull
route 10.254.112.0 255.255.255.0
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3

and the client log
Sat Mar 08 20:02:57 2014 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Sat Mar 08 20:02:57 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 08 20:02:57 2014 Need hold release from management interface, waiting…
Sat Mar 08 20:02:57 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 08 20:02:58 2014 MANAGEMENT: CMD ‘state on’
Sat Mar 08 20:02:58 2014 MANAGEMENT: CMD ‘log all on’
Sat Mar 08 20:02:58 2014 MANAGEMENT: CMD ‘hold off’
Sat Mar 08 20:02:58 2014 MANAGEMENT: CMD ‘hold release’
Sat Mar 08 20:02:58 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 08 20:02:58 2014 UDPv4 link local: [undef]
Sat Mar 08 20:02:58 2014 UDPv4 link remote: [AF_INET]192.168.1.44:1194
Sat Mar 08 20:02:58 2014 MANAGEMENT: >STATE:1394305378,WAIT,
Sat Mar 08 20:02:58 2014 MANAGEMENT: >STATE:1394305378,AUTH,
Sat Mar 08 20:02:58 2014 TLS: Initial packet from [AF_INET]192.168.1.44:1194, sid=45e35d35 0d25c62e
Sat Mar 08 20:02:58 2014 VERIFY OK: depth=1, C=SK, ST=SK, L= , O=m, OU= , CN=server , name=server , emailAddress=nieco@gmail.com
Sat Mar 08 20:02:58 2014 VERIFY nsCertType ERROR: C=SK, ST=SK, L= , O= , OU=, CN=server, name=server, emailAddress=nieco@gmail.com, require nsCertType=SERVER
Sat Mar 08 20:02:58 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Mar 08 20:02:58 2014 TLS Error: TLS object -> incoming plaintext read error
Sat Mar 08 20:02:58 2014 TLS Error: TLS handshake failed
Sat Mar 08 20:02:58 2014 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 08 20:02:58 2014 MANAGEMENT: >STATE:1394305378,RECONNECTING,tls-error,
Sat Mar 08 20:02:58 2014 Restart pause, 2 second(s)

And what does it look like on the server side? (log)

If the problem is with TLS, it is quite often caused by a firewall.
Do your UDP packets get through the router?
Careful - with UDP every incoming packet is effectively an incoming connection, even when it is a reply to a packet from inside.
Also - are your certificates signed correctly?

Similar messages are dealt with here:
https://forums.openvpn.net/topic8914.html
and
https://community.openvpn.net/openvpn/ticket/204

I found out that port 1194 is not even open, even though I allowed it in the firewall on the server. So I tried turning the firewall off with the command systemctl stop firewalld.service . But I still cannot connect and the port is still not visible. I checked it with Nmap; the only active port is tcp 22. In the server config I have the port I want written down, so I do not know why it was not allowed?

And the certificate signing, is that not done automatically when I create all the keys and certificates? First I create the CA, then the server, the clients and finally DH.

Michal1010 wrote:

I found out that port 1194 is not even open

Well, probably because the ovpn server does not start at all.

ps ax | grep vpn
What does that print for you?

And the certificate signing, is that not done automatically when I create all the keys and certificates? First I create the CA, then the server, the clients and finally DH.
That is correct, but the key generation asks a lot of questions, among others whether to sign (self-signed)
and you have to answer "y" - as in yes.

Try starting the server in the foreground:
openvpn --config /etc/openvpn/cojávím.conf

After entering ps ax | grep vpn it prints:

727 ? S 0:10 python -c from pyovpn.sagent.sagent_entry import openvpnas ; openvpnas() --logfile=/var/log/openvpnas.log --pidfile=/var/run/openvpnas.pid
952 ? Ss 0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf
4385 pts/0 S+ 0:00 grep --color=auto vpn

The word VPN is shown in red in each line, I do not know whether that is relevant?

What is worse, when I enter openvpn --config /etc/openvpn/server.conf I find that the certificates are not in the directory, even though they are there, I checked them too.
This is the output of that command:

Options error: --dh fails with ‘dh1024.pem’: No such file or directory
Options error: --ca fails with ‘ca.crt’: No such file or directory
Options error: --cert fails with ‘masina.crt’: No such file or directory
Options error: --key fails with ‘masina.key’: No such file or directory
Options error: Please correct these errors.

I copied the certificates like this: cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/

This is how I installed the whole server.

  1. yum install openvpn.$HOSTTYPE easy-rsa
  2. Copy /usr/share/openvpn/easy-rsa/2.0 somewhere (like root’s home directory with cp -ai /usr/share/openvpn/easy-rsa/2.0 ~/easy-rsa).
  3. cd ~/easy-rsa
  4. Edit vars appropriately.
  5. . vars
  6. ./clean-all
  7. ./build-ca
  8. ./build-key $( hostname | cut -d. -f1 )
  9. ./build-dh
  10. mkdir /etc/openvpn/keys
  11. cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/
  12. cp -ai /usr/share/doc/openvpn-*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
  13. Edit /etc/openvpn/server.conf appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/.
  14. Fix selinux context of files: restorecon -Rv /etc/openvpn
  15. ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/multi-user.target.wants/openvpn@server.service
  16. systemctl -f enable openvpn@server.service
  17. systemctl start openvpn@server.service

And yes, I confirmed the certificate when I created it, otherwise it would not even let me continue.

And what is this?
727 ? S 0:10 python -c from pyovpn.sagent.sagent_entry import openvpnas ; openvpnas() --logfile=/var/log/openvpnas.log --pidfile=/var/run/openvpnas.pid

Is it not blocking port 1194 for you?
And in the config give the keys and certificates an absolute path, you will avoid the problem of them not being found later.
And when you run it in the foreground, you first have to stop the service (systemctl stop openvpn@server).

Is an absolute path for example like this: "ca ca.crt "? And which certificates does it actually use? The ones created in the root directory, or the ones in /etc/openvpn/ ?
What "727 ? S 0:10 python -c from pyovpn.sagent.sagent_entry import openvpnas ; openvpnas() --logfile=/var/log/openvpnas.log --pidfile=/var/run/openvpnas.pid " is, I honestly have no idea, that is what it printed.
I do not know whether something is blocking it, it is allowed everywhere in the firewall.
Even after I stopped the server and tried to run it in the foreground it printed the same thing, that it cannot find the certificates

When someone writes absolute path they mean from the root directory. So
ca ca.crt is NOT an absolute path
ca /etc/openvpn/key/ca.crt IS an absolute path
You probably only have relative paths in the config, so when you start it from a different directory it looks for the keys there.
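Added example (not code from the thread or from OpenVPN): a small Python lint that applies the checks the replies above make by hand (the <> brackets, the absolute-path rule of the post just above, the VPN/LAN subnet rule, the proto choice) plus the nsCertType requirement behind the client's 'VERIFY nsCertType ERROR', over configs constructed from the ones posted here. It assumes the LAN is 192.168.1.0/24 and Unix-style paths; the push allowlist is a constructed subset.

```python
"""Heuristic lint for an OpenVPN server/client config pair (added example).

Flags what this thread ran into: <...> left in remote/route, relative key paths,
a proto mismatch, 'server' written as CIDR, a push without a pushable option, a
VPN subnet overlapping the LAN, and the nsCertType demand of 'ns-cert-type server'.
"""
import ipaddress
import shlex

FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")
# Subset of the options OpenVPN accepts inside a push (constructed allowlist).
PUSHABLE = {"route", "route-gateway", "dhcp-option", "redirect-gateway",
            "ifconfig", "ping", "ping-restart", "inactive", "comp-lzo", "topology"}

# Constructed samples: the thread's final server config as posted, and a client
# config combining its first client config with 'ns-cert-type server'.
BAD_SERVER = """\
proto udp
ca ca.crt
cert masina.crt
key masina.key
dh dh1024.pem
server 10.254.112.0/24 255.255.255.0
push "192.168.1.44 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
"""
BAD_CLIENT = """\
client
proto tcp
remote <192.168.1.44> 1194
route <192.168.1.44> 255.255.255.0 net_gateway
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
"""


def parse(text):
    """Split a config into (directive, [args]) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def first(entries, name):
    """Argument list of the first `name` directive, or None if absent."""
    return next((args for d, args in entries if d == name), None)


def lint(server_text, client_text, lan_net="192.168.1.0/24"):
    """Return (level, code, message) findings; lan_net is this thread's LAN (assumed)."""
    sides = {"server": parse(server_text), "client": parse(client_text)}
    out = []
    for side, entries in sides.items():
        for d, args in entries:
            joined = " ".join(args)
            # Template brackets reach the resolver verbatim: that is exactly the
            # 'Cannot resolve host address: <192.168.1.44>' line in the client log.
            if d in ("remote", "route", "push") and ("<" in joined or ">" in joined):
                out.append(("error", "PLACEHOLDER", f"{side}: '{d} {joined}' keeps <...>"))
            # Relative names resolve against the working directory: the systemd unit
            # runs with --cd /etc/openvpn/, a hand-started openvpn does not (Unix paths).
            if d in FILE_DIRECTIVES and args and not args[0].startswith("/"):
                out.append(("warn", "RELATIVE_PATH", f"{side}: '{d} {args[0]}' is relative"))
            if d == "push" and (not joined.split() or joined.split()[0] not in PUSHABLE):
                out.append(("error", "BAD_PUSH", f"push '{joined}' lacks a pushable option"))
    sproto, cproto = first(sides["server"], "proto"), first(sides["client"], "proto")
    if sproto and cproto and sproto[0].split("-")[0] != cproto[0].split("-")[0]:
        out.append(("error", "PROTO_MISMATCH", f"server {sproto[0]} vs client {cproto[0]}"))
    srv = first(sides["server"], "server")
    if srv is not None:
        try:
            if len(srv) != 2 or "/" in srv[0]:
                raise ValueError("expected 'server NETWORK NETMASK', not CIDR")
            vpn = ipaddress.ip_network(f"{srv[0]}/{srv[1]}")  # strict: host bits must be 0
            if vpn.overlaps(ipaddress.ip_network(lan_net)):
                out.append(("error", "SUBNET_OVERLAP", f"VPN {vpn} overlaps LAN {lan_net}"))
        except ValueError as exc:
            out.append(("error", "SERVER_SYNTAX", f"'server {' '.join(srv)}': {exc}"))
    if first(sides["client"], "ns-cert-type") == ["server"]:
        out.append(("info", "NSCERTTYPE", "server cert must carry nsCertType=server (easy-rsa 2: "
                    "build-key-server, not build-key) or the client logs 'VERIFY nsCertType ERROR'"))
    return out


if __name__ == "__main__":
    for level, code, message in lint(BAD_SERVER, BAD_CLIENT):
        print(f"{level:5} {code:15} {message}")
```

The install steps posted earlier in this thread build the server certificate with build-key, which is what the NSCERTTYPE note points at.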

Ah, OK, so I changed the paths to those files to absolute ones and it started after entering the command openvpn --config /etc/openvpn/server.conf
The output from that is here.

Tue Mar 11 09:02:55 2014 Diffie-Hellman initialized with 1024 bit key
Tue Mar 11 09:02:55 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Mar 11 09:02:55 2014 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp4s0 HWADDR=5c:ac:4c:17:52:2b
Tue Mar 11 09:02:55 2014 TUN/TAP device tun0 opened
Tue Mar 11 09:02:55 2014 TUN/TAP TX queue length set to 100
Tue Mar 11 09:02:55 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Mar 11 09:02:55 2014 /usr/sbin/ip link set dev tun0 up mtu 1500
Tue Mar 11 09:02:55 2014 /usr/sbin/ip addr add dev tun0 local 10.254.112.1 peer 10.254.112.2
Tue Mar 11 09:02:55 2014 /usr/sbin/ip route add 10.254.112.0/24 via 10.254.112.2
Tue Mar 11 09:02:55 2014 UDPv4 link local (bound): [undef]
Tue Mar 11 09:02:55 2014 UDPv4 link remote: [undef]
Tue Mar 11 09:02:55 2014 MULTI: multi_init called, r=256 v=256
Tue Mar 11 09:02:55 2014 IFCONFIG POOL: base=10.254.112.4 size=62, ipv6=0
Tue Mar 11 09:02:55 2014 Initialization Sequence Completed

Then I tried to connect with the client, but without success, it printed:
Tue Mar 11 09:07:39 2014 192.168.1.17:57925 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 11 09:07:39 2014 192.168.1.17:57925 TLS Error: TLS handshake failed

Then I went to find out which ports are open and unfortunately my 1194 was not among them.
Here is the result of the UDP port scan.
PORT STATE SERVICE
68/udp open|filtered dhcpc
123/udp open|filtered ntp
5353/udp open|filtered zeroconf

Start the server again as a service and (as root) enter
ifconfig

Post the output here.

P.S. what is that openvpnas ?

I did that and here is the ifconfig output.

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 2276  bytes 102668 (100.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2276  bytes 102668 (100.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p7p1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 20:6a:8a:0c:15:14  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.9.8.1  netmask 255.255.255.255  destination 10.9.8.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.14  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::5eac:4cff:fe17:522b  prefixlen 64  scopeid 0x20<link>
        ether 5c:ac:4c:17:52:2b  txqueuelen 1000  (Ethernet)
        RX packets 38  bytes 4118 (4.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61  bytes 9104 (8.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0 

openvpnas.log is a file where some of the logs are stored; the other logs are in openvpn.log

In openvpnas.log there is this:

2014-03-11 11:17:07+0100 [-] LOCAL_ADDR wlp4s0 : bad local address name or interface is not up; must be 'all', 'localhost', a local IP address, or an interface name: util/cdict:298,net/net:449,net/net:527,internet/base:1175,internet/base:779,sagent/svcset:688,internet/defer:102,sagent/runxml:161,internet/defer:190,internet/defer:181,internet/defer:323,sagent/runxml:86,sagent/runxml:41,sagent/runxml:60,sagent/runxml:41,svc/svc:255,svc/svc:560,svc/svc:318,svc/svc:801,sagent/vpnsvc:45,sagent/vpnconfig:119,sagent/vpnconfig:127,sagent/vpnconfig:111,util/cdict:330,util/cdict:322,util/cdict:282,util/cdict:191,sagent/vpnconfig:20,util/cdict:330,util/cdict:322,util/cdict:298,net/net:449,net/net:527,util/error:61,util/error:44 (vpn.daemon.0.listen.ip_address) (vpn.daemon.0.listen)
2014-03-11 11:17:07+0100 [-] *** MyError.report ***
2014-03-11 11:17:07+0100 [-] Stack Traceback
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/svc/svc.py', 631, '_walk', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/cqsvc.py', 177, 'start', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 127, 'daemon_dict', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 112, 'server_daemon_parms', None)
2014-03-11 11:17:07+0100 [-] 'ip_address': svc/svc:631,sagent/cqsvc:177,sagent/vpnconfig:127,sagent/vpnconfig:112 (exceptions.KeyError)
2014-03-11 11:17:07+0100 [-] *** MyError.report ***
2014-03-11 11:17:07+0100 [-] Stack Traceback
2014-03-11 11:17:07+0100 [-] ('/usr/local/openvpn_as/lib/python2.7/site-packages/Twisted-9.0.0-py2.7-linux-x86_64.egg/twisted/internet/defer.py', 323, '_runCallbacks', 'self.result = callback(self.result, *args, **kw)')
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/ipts.py', 145, 'parse_validate', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/iptvpn.py', 139, 'parse_validate', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 223, 'daemon_dict_port_forward', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 112, 'server_daemon_parms', None)
2014-03-11 11:17:07+0100 [-] Service deferred error: 'ip_address': internet/defer:323,sagent/ipts:145,sagent/iptvpn:139,sagent/vpnconfig:223,sagent/vpnconfig:112 (exceptions.KeyError)
2014-03-11 11:17:07+0100 [-] *** MyError.report ***
2014-03-11 11:17:07+0100 [-] Stack Traceback
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/svc/svc.py', 631, '_walk', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/wpsvc.py', 182, 'start', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/iptlive.py', 57, 'parse_validate_callback', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 223, 'daemon_dict_port_forward', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 112, 'server_daemon_parms', None)
2014-03-11 11:17:07+0100 [-] 'ip_address': svc/svc:631,sagent/wpsvc:182,sagent/iptlive:57,sagent/vpnconfig:223,sagent/vpnconfig:112 (exceptions.KeyError)
2014-03-11 11:17:07+0100 [-] *** MyError.report ***
2014-03-11 11:17:07+0100 [-] Stack Traceback
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/svc/svc.py', 631, '_walk', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/usersvc.py', 1145, 'start', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 223, 'daemon_dict_port_forward', None)
2014-03-11 11:17:07+0100 [-] ('build/bdist.linux-x86_64/egg/pyovpn/sagent/vpnconfig.py', 112, 'server_daemon_parms', None)
2014-03-11 11:17:07+0100 [-] 'ip_address': svc/svc:631,sagent/usersvc:1145,sagent/vpnconfig:223,sagent/vpnconfig:112 (exceptions.KeyError)
2014-03-11 11:17:07+0100 [-] Server agent initialization failed (6/6 attempts) because the following network resources are unavailable: set(['wlp4s0'])