I am asking for help with the following question; I cannot figure out where I am wrong. There is a server (OpenBSD 4.6) that acts as the internet gateway for a small office. A transparent Squid runs on it as well. DHCP and OpenVPN also run on it (it would be more correct to move both Squid and OpenVPN into a DMZ, but reality is what it is). And I cannot get the link between the two offices working: OpenVPN starts normally on the server, but the connection does not go through. I would really appreciate some help. The client in this case is Windows XP. The firewall on the client side is disabled. Routing between the networks can wait for now; the main thing for me right now is to establish the connection. Here are the configs
OpenVPN server config
# 1. General settings
local 192.168.77.5
server 10.8.0.0 255.255.255.0
dev tun0
proto udp
port 9149
comp-lzo
verb 3
persist-key
persist-tun
keepalive 10 120
max-clients 100
client-to-client
# 2. Keys & certificates
# 2.1. Certificates
# Don't forget to assign appropriate modes for every key or crt file
# chmod 700 /etc/openvpn/keys
# chmod 644 /etc/openvpn/keys/{ca.crt,dh1024.pem,server.crt}
# chmod 600 /etc/openvpn/keys/{server.key,ta.key}
ca /etc/openvpn/keys/server01/ca.crt
cert /etc/openvpn/keys/server01/server.crt
# 2.2. Keys
key /etc/openvpn/keys/server01/server.key
dh /etc/openvpn/keys/server01/dh1024.pem
# 2.3. Tls authentication
# If a tls-auth key is used on the server
# then every client must also have the key.
# 0 for server 1 for client
tls-server
tls-auth /etc/openvpn/keys/server01/ta.key 0
tls-timeout 120
# 3. Routing
push "route 192.168.77.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 10.8.0.0 255.255.255.0
route 192.168.99.0 255.255.255.0
route 192.168.33.0 255.255.255.0
# 4. Encryption
cipher BF-CBC
auth MD5
# 5. Security
# 5.1. Privileges
# Downgrade privileges after initialization (non-Windows only)
#user _openvpn
#group _openvpn
# 5.2. Safe place to run
#chroot /var/empty
# 5.3. Logging
#status server01-status.log
#log openvpn.log
OpenVPN output at initialization
Sat Apr 17 15:15:58 2010 OpenVPN 2.1_rc15 i386-unknown-openbsd4.6 [SSL] [LZO1] built on Jul 1 2009
Sat Apr 17 15:15:58 2010 WARNING: --keepalive option is missing from server config
Sat Apr 17 15:15:58 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 17 15:15:58 2010 Diffie-Hellman initialized with 1024 bit key
Sat Apr 17 15:15:58 2010 Control Channel Authentication: using '/etc/openvpn/keys/server01/ta.key' as a OpenVPN static key file
Sat Apr 17 15:15:58 2010 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 15:15:58 2010 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 15:15:58 2010 TLS-Auth MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Sat Apr 17 15:15:58 2010 ROUTE default_gateway=xxx.xxx.xxx.xxx
Sat Apr 17 15:15:58 2010 /sbin/ifconfig tun0 destroy
Sat Apr 17 15:15:58 2010 /sbin/ifconfig tun0 create
Sat Apr 17 15:15:58 2010 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat Apr 17 15:15:58 2010 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sat Apr 17 15:15:58 2010 TUN/TAP device /dev/tun0 opened
Sat Apr 17 15:15:58 2010 /sbin/route add -net 10.8.0.0 10.8.0.2 -netmask 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Sat Apr 17 15:15:58 2010 /sbin/route add -net 192.168.99.0 10.8.0.2 -netmask 255.255.255.0
add net 192.168.99.0: gateway 10.8.0.2
Sat Apr 17 15:15:58 2010 /sbin/route add -net 192.168.33.0 10.8.0.2 -netmask 255.255.255.0
add net 192.168.33.0: gateway 10.8.0.2
Sat Apr 17 15:15:58 2010 /sbin/route add -net 10.8.0.0 10.8.0.2 -netmask 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2: File exists
Sat Apr 17 15:15:58 2010 ERROR: OpenBSD/NetBSD route add command failed: external program exited with error status: 1
Sat Apr 17 15:15:58 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 17 15:15:58 2010 Socket Buffers: R=[41600->65536] S=[9216->65536]
Sat Apr 17 15:15:58 2010 UDPv4 link local (bound): 192.168.77.5:9149
Sat Apr 17 15:15:58 2010 UDPv4 link remote: [undef]
Sat Apr 17 15:15:58 2010 MULTI: multi_init called, r=256 v=256
Sat Apr 17 15:15:58 2010 IFCONFIG POOL: base=10.8.0.4 size=62
Sat Apr 17 15:15:58 2010 Initialization Sequence Completed
Server routing table
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default xxx.xxx.xxx.xxx UGS 5 9721041 - 8 vr0
10.8.0/24 10.8.0.2 UGS 0 0 - 8 tun0
10.8.0.2 10.8.0.1 UH 3 0 - 4 tun0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 1 1716 33200 4 lo0
192.168.33/24 10.8.0.2 UGS 0 0 - 8 tun0
192.168.77/24 link#2 UC 6 0 - 4 vr1
192.168.77.5 00:26:5a:05:d6:89 UHLc 0 132 - 4 lo0
192.168.77.6 00:21:29:0d:7d:88 UHLc 0 5292900 - 4 vr1
192.168.77.106 link#2 UHLc 1 14714 - L 4 vr1
192.168.77.111 00:1e:8c:00:5e:3b UHLc 0 1436390 - 4 vr1
192.168.77.116 00:19:db:a8:3c:5e UHLc 1 87266 - 4 vr1
192.168.77.132 00:19:e3:0e:6c:da UHLc 0 168 - 4 vr1
192.168.99/24 10.8.0.2 UGS 0 0 - 8 tun0
xxx.xxx.xxx.xxx /30 link#1 UC 1 0 - 4 vr0
yyy.yyy.yyy.yyy 00:1e:f7:dd:e3:7f UHLc 1 0 - 4 vr0
224/4 127.0.0.1 URS 0 0 33200 8 lo0
Internet6:
…
# ifconfig tun0 (on the server)
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
priority: 0
groups: tun
media: Ethernet autoselect
status: active
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
OpenVPN client config
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx
port 9149
resolv-retry infinite
persist-key
persist-tun
ca ..\\easy-rsa\\keys\\alpha_v01\\ca.crt
cert ..\\easy-rsa\\keys\\alpha_v01\\mainoffice.crt
key ..\\easy-rsa\\keys\\alpha_v01\\mainoffice.key
tls-client
tls-auth ..\\easy-rsa\\keys\\alpha_v01\\ta.key 1
ns-cert-type server
cipher BF-CBC
auth MD5
comp-lzo
verb 3
Client output at startup
Sat Apr 17 13:59:18 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Sat Apr 17 13:59:18 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 17 13:59:18 2010 Control Channel Authentication: using '..\easy-rsa\keys\alpha_v01\ta.key' as a OpenVPN static key file
Sat Apr 17 13:59:18 2010 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 13:59:18 2010 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Apr 17 13:59:18 2010 LZO compression initialized
Sat Apr 17 13:59:18 2010 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Sat Apr 17 13:59:18 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 17 13:59:18 2010 Local Options hash (VER=V4): '03fa487d'
Sat Apr 17 13:59:18 2010 Expected Remote Options hash (VER=V4): '1056bce3'
Sat Apr 17 13:59:18 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Apr 17 13:59:18 2010 UDPv4 link local (bound): [undef]:9149
Sat Apr 17 13:59:18 2010 UDPv4 link remote: xxx.xxx.xxx.xxx:9149
Sat Apr 17 13:59:18 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 13:59:20 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
…
Sat Apr 17 13:59:48 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:14 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:16 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:18 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 17 14:00:18 2010 TLS Error: TLS handshake failed
Sat Apr 17 14:00:18 2010 TCP/UDP: Closing socket
Sat Apr 17 14:00:18 2010 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 17 14:00:18 2010 Restart pause, 2 second(s)
Sat Apr 17 14:00:20 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 17 14:00:20 2010 Re-using SSL/TLS context
Sat Apr 17 14:00:20 2010 LZO compression initialized
Sat Apr 17 14:00:20 2010 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Sat Apr 17 14:00:20 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 17 14:00:20 2010 Local Options hash (VER=V4): '03fa487d'
Sat Apr 17 14:00:20 2010 Expected Remote Options hash (VER=V4): '1056bce3'
Sat Apr 17 14:00:20 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Apr 17 14:00:20 2010 UDPv4 link local (bound): [undef]:9149
Sat Apr 17 14:00:20 2010 UDPv4 link remote: xxx.xxx.xxx.xxx:9149
Sat Apr 17 14:00:20 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sat Apr 17 14:00:22 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
pf.conf
#############################################################################
## 1. Macros
## 1.1. Interfaces
ext_if = "vr0"
int_if = "vr1"
tun_if = "tun0"
## 1.2. Networks
vpn_remote_hosts = "{ 194.67.68.34, 194.67.68.35 }"
vpn_remote_net = "{ 10.8.0.0/24, 192.168.99.0/24, 192.168.33.0/24 }"
vpn_srv_addr_01 = "{ 192.168.77.5 }"
## 1.3. Ports and protos
tcp_udp = "{ tcp, udp }"
vpn_ext_port_01 = "9149"
vpn_srv_port_01 = "9149"
vpn_proto_01 = "udp"
## 1.4. ICMP
#ping and traceroute allowed only
icmp_good="icmp-type 8"
#############################################################################
## 2. Tables
table <rfc1918> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
0.0.0.0/8, 240.0.0.0/4, \
!192.168.99.0/24, !192.168.77.0/24, !192.168.33.0/24, !10.8.0.0/24 }
table <broadcasts> { 255.255.255.255, 10.255.255.255, \
192.168.255.255, 127.255.255.255 }
table <bruteforce> persist file "/etc/bruteforce"
table <blocked> persist file "/etc/blocked"
table <int_net> { 192.168.77.0/24, 192.168.33.0/24, 192.168.99.0/24, 10.8.0.0/24 }
#############################################################################
## 3. Options
set block-policy drop
set debug misc
set optimization normal
#############################################################################
## 4. Scrub
match in all scrub (no-df)
#############################################################################
## 6. NAT, Redirection, Binat
## 6.0. Squid RDR - !important place BEFORE NAT
rdr on $int_if inet proto tcp from <int_net> to any port www -> 127.0.0.1 port 3128
## 6.1. Translation
nat on $ext_if from !$ext_if to any -> $ext_if
## 6.2. Redirection
no nat on lo0 from any to any
no rdr on lo0 from any to any
#############################################################################
## 7. Filtration
## 7.1. Initial policy
block in log quick inet6 all
block in all
block out all
block quick from <bruteforce> to any
pass in on $int_if from <int_net> to $int_if keep state
pass out on $int_if from $int_if to <int_net> keep state
pass quick on $tun_if all
## 7.2. Loopback
pass quick on lo0 all
## 7.3. RFC 1918 compliance
block in quick on $ext_if inet from <rfc1918> to any
block out quick on $ext_if inet from any to <rfc1981>
## 7.4. Anti-hacker rules
## 7.4.1. Antispoofing
antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet
## 7.4.2. Bruteforce
pass inet proto tcp from any to <int_net> keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass out log quick on $ext_if inet proto tcp from $ext_if port ssh to any keep state
## 7.6. ICMP
pass in quick inet proto icmp all $icmp_good keep state
pass out quick inet proto icmp all $icmp_good keep state
#7.6.1. Traceroute
pass out on $ext_if inet proto udp from $ext_if to any port 33433 >< 33626 keep state
pass in on $int_if inet proto udp from <int_net> to any port 33433 >< 33626 keep state
## 7.7. Internet porno browsing
pass in quick on $int_if inet proto tcp from <int_net> to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out quick on $ext_if inet proto $tcp_udp from $ext_if to any keep state
pass out quick on $int_if inet proto $tcp_udp from <int_net> to any keep state
## 7.12 Vpn
pass in quick log on $ext_if inet proto $vpn_proto_01 from \
any to $ext_if port $vpn_ext_port_01 keep state
pass out log quick on $int_if proto $vpn_proto_01 from \
any to $vpn_srv_addr_01 port $vpn_srv_port_01 keep state
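A consistency check for the situation these two configs show, written here as an added example (not the poster's code): it parses the OpenVPN server's `local`/`proto`/`port` lines and the pf macros and rules, and reports when the address OpenVPN binds to is not the one pf admits inbound packets to and no rdr bridges the two, which leaves a client's UDP datagrams with no listening socket (ICMP port unreachable, which Windows surfaces as WSAECONNRESET). The config excerpts, the interface-to-address map and the documentation address 203.0.113.10 standing in for the masked public IP are all assumptions.

```python
import re
# Constructed excerpts of the two configs in the post; the public address is
# masked there as xxx.xxx.xxx.xxx, so a documentation address stands in for it.
OPENVPN_SERVER_CONF = """\
local 192.168.77.5
proto udp
port 9149
"""
PF_CONF = """\
ext_if = "vr0"
vpn_ext_port_01 = "9149"
vpn_proto_01 = "udp"
pass in quick log on $ext_if inet proto $vpn_proto_01 from any to $ext_if port $vpn_ext_port_01 keep state
"""
IFACE_ADDRS = {"vr0": "203.0.113.10", "vr1": "192.168.77.5"}  # assumed addresses

def openvpn_listener(conf):
    """(addr, proto, port) the server socket binds; without 'local' OpenVPN binds all addresses."""
    opts = {}
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts.get("local", "0.0.0.0"), opts.get("proto", "udp"), opts.get("port", "1194")

def expand_pf(conf):
    """Collect pf macros and return the rule lines with every $macro substituted."""
    macros, rules = {}, []
    for line in conf.splitlines():
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2).strip("{} ")
        elif line.strip() and not line.startswith("#"):
            rules.append(re.sub(r"\$(\w+)", lambda x: macros[x.group(1)], line))
    return macros, rules

def check_vpn_reachability(ovpn_conf, pf_conf, iface_addrs):
    """List reasons a client dialling the public address would reach no listening socket."""
    addr, proto, port = openvpn_listener(ovpn_conf)
    macros, rules = expand_pf(pf_conf)
    ext_if, problems = macros["ext_if"], []
    ext_addr = iface_addrs[ext_if]
    dst = "(?:%s|%s)" % (ext_if, re.escape(ext_addr))
    if not any(re.match(r"pass in .*on %s .*proto %s .*to %s port %s" % (ext_if, proto, dst, port), r) for r in rules):
        problems.append("no pass-in rule on %s for %s/%s" % (ext_if, proto, port))
    if addr not in ("0.0.0.0", ext_addr):   # socket lives on another address: pf must rdr to it
        rdr = r"rdr on %s .*proto %s .*port %s -> %s port %s" % (ext_if, proto, port, re.escape(addr), port)
        if not any(re.match(rdr, r) for r in rules):
            problems.append("OpenVPN binds %s:%s but clients dial %s:%s and no rdr translates between them" % (addr, port, ext_addr, port))
    return problems
```

Run against the excerpts above it reports the binding mismatch only; dropping `local` or adding an `rdr` from the external port to 192.168.77.5:9149 makes the report empty.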