ubuntuusers.de

[openVPN] "TLS Error" - configuration correct?

Status: Solved | Ubuntu version: Ubuntu 11.04 (Natty Narwhal)

klauschwein

Registered: 21 January 2012

Hello @ all,

As a thoroughly Windows-damaged person, I have been getting to grips with Linux for the first time as part of my home server project (http://www.sysprofile.de/id161356). Thanks to the great tutorials from the ubuntuusers community I actually got the thing running. So first of all: "Good work, thanks!!"

When setting up openVPN, though, I need your trained eye, because in places I really don't know what I'm actually doing... 😀

For now the server is mainly supposed to act as a file server providing secure access to data from the WAN. I've already got access via LAN working, and set up the relevant shares and remote access via NX. All clients run Windows (XP & 7). The server runs Ubuntu 11.04 and gets its WAN access through a dLink DI524 router (provider: Kabel Deutschland).

First, the log from the openVPN client:

Sat Jan 21 23:33:02 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sat Jan 21 23:33:02 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jan 21 23:33:02 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 21 23:33:06 2012 LZO compression initialized
Sat Jan 21 23:33:06 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jan 21 23:33:06 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Jan 21 23:33:06 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sat Jan 21 23:33:06 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sat Jan 21 23:33:06 2012 UDPv4 link local: [undef]
Sat Jan 21 23:33:06 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194
Sat Jan 21 23:34:06 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 21 23:34:06 2012 TLS Error: TLS handshake failed
Sat Jan 21 23:34:06 2012 TCP/UDP: Closing socket
Sat Jan 21 23:34:06 2012 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 21 23:34:06 2012 Restart pause, 2 second(s)
Sat Jan 21 23:34:08 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jan 21 23:34:08 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 21 23:34:08 2012 Re-using SSL/TLS context
Sat Jan 21 23:34:08 2012 LZO compression initialized
Sat Jan 21 23:34:08 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jan 21 23:34:08 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Jan 21 23:34:08 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sat Jan 21 23:34:08 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sat Jan 21 23:34:08 2012 UDPv4 link local: [undef]
Sat Jan 21 23:34:08 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194
Sat Jan 21 23:34:15 2012 TCP/UDP: Closing socket
Sat Jan 21 23:34:15 2012 SIGTERM[hard,] received, process exiting

Here is the server.conf:

#===================================
#           Config
#===================================
local 192.168.1.200
port 1194

# Check the revocation list
#crl-verify /etc/ssl/crl.pem

# TCP or UDP?
proto udp
mode server
tls-server

dev tap

#===================================
#           Server IP
#===================================
ifconfig 10.0.0.1 255.255.255.0
ifconfig-pool 10.0.0.2 10.0.0.9
#Server IP address
#server 10.0.0.1 255.255.255.0

#===================================
#           Certificates
#===================================
ca /etc/ssl/vpn-ca.pem
cert /etc/ssl/Zertifikate/server_cert.pem
key /etc/ssl/private/server_key.pem
dh /etc/ssl/dh2048.pem

#Assign the same IP in the next session
#ifconfig-pool-persist ipp.txt

#===================================
#           Routing
#===================================
push "route 192.168.1.0 255.255.255.0"
#push "dhcp-option DNS 192.168.1.xyz"
#push "redirect-gateway"
#push "route 0.0.0.0 0.0.0.0"

#===================================
#         Authentication
#===================================
auth SHA1
#Encryption algorithm
cipher aes-256-cbc

#Use compression
comp-lzo

#Privileges
user nobody
group nogroup
persist-key
persist-tun

#Reachability
keepalive 10 120

#"Chattiness" of the tunnel
verb 5

...and the client.ovpn

#============================
#          Config
#============================
tls-client
pull
dev tap

#============================
#Protocol/server addressing
#============================
proto udp
remote <DHCP.meines.Routers.zensiert> 1194 # is this right at all?
#Resolve the server's hostname
resolv-retry infinite
#Set or release the local port
nobind
#Always keep the connection the same
persist-key
persist-tun

#============================
#        Certificates
#============================
ca "C:\\Program Files (x86)\\OpenVPN\\config\\vpn-ca.pem"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\srv_cert.pem"
key "C:\\Program Files (x86)\\OpenVPN\\config\\srv_key.pem"

#============================
#     Authentication
#============================
cipher AES-256-CBC
#Compression
comp-lzo
#Authentication method
auth SHA1
#"Chattiness" of the tunnel
verb 3

I would be super grateful for corrections to my config - if that is where the error lies at all. I've been puzzling over this for 2 weeks now, have read and tried various wikis, tutorials and HowTos, and still can't get it sorted.

I've opened port 1194 (UDP) on the router and forwarded it to the server's IP. The certificates are (apparently) okay too. I've started the server; a test of the server.conf gave no errors (verb 5).

I'll probably bore you with my rudimentary problem, but I'm hoping for your support anyway. ☺

Nefarius

Registered: 11 December 2008 | Posts: 1275

Hi and welcome!

Congratulations, for a start you've done almost everything right 😉 only the server log would also be interesting. Also, the path of your certificate puzzles me a bit, didn't you create it with the easy-rsa scripts?

Regards
Nefarius

PS: where did you get this terribly outdated version of OpenVPN for Windows? The current one is v2.2.2

klauschwein

(thread starter)
Registered: 21 January 2012 | Posts: 8

Hi Nefarius,

thx for your quick reply. I created the certs using # openssl. I'll deliver the server log file later, I still have to add that to the config. While I'm at it I'll update the client too 😀 ... it is indeed a bit dusty (I hadn't even noticed^^) - but it's amazing that it runs on Win7 at all!

Nefarius

Registered: 11 December 2008 | Posts: 1275

As far as I know, the versions before 2.1 RC don't work properly at all, so you should start there 😀 I have quite a bit of experience with OpenVPN 😉

klauschwein

(thread starter)
Registered: 21 January 2012 | Posts: 8

So, the client is now on version 2.2.2. But server and client are still talking past each other.

Log from the client:

Sun Jan 22 08:50:56 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Sun Jan 22 08:50:56 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 22 08:50:56 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 08:51:03 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 22 08:51:03 2012 LZO compression initialized
Sun Jan 22 08:51:03 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 08:51:03 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 22 08:51:03 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jan 22 08:51:03 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sun Jan 22 08:51:03 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sun Jan 22 08:51:03 2012 UDPv4 link local: [undef]
Sun Jan 22 08:51:03 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194
Sun Jan 22 08:52:03 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 22 08:52:03 2012 TLS Error: TLS handshake failed
Sun Jan 22 08:52:03 2012 TCP/UDP: Closing socket
Sun Jan 22 08:52:03 2012 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 22 08:52:03 2012 Restart pause, 2 second(s)
Sun Jan 22 08:52:05 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 22 08:52:05 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 08:52:05 2012 Re-using SSL/TLS context
Sun Jan 22 08:52:05 2012 LZO compression initialized
Sun Jan 22 08:52:05 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 08:52:05 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 22 08:52:05 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jan 22 08:52:05 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sun Jan 22 08:52:05 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sun Jan 22 08:52:05 2012 UDPv4 link local: [undef]
Sun Jan 22 08:52:05 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194

I added logging to the server.conf:

verb 5
log-append /var/log/openvpn-status.log

with the result:

Sun Jan 22 09:31:04 2012 us=236937 Current Parameter Settings:
Sun Jan 22 09:31:04 2012 us=237199   config = '/etc/openvpn/server.conf'
Sun Jan 22 09:31:04 2012 us=237248   mode = 1
Sun Jan 22 09:31:04 2012 us=237297   persist_config = DISABLED
Sun Jan 22 09:31:04 2012 us=237341   persist_mode = 1
Sun Jan 22 09:31:04 2012 us=237383   show_ciphers = DISABLED
Sun Jan 22 09:31:04 2012 us=237425   show_digests = DISABLED
Sun Jan 22 09:31:04 2012 us=237467   show_engines = DISABLED
Sun Jan 22 09:31:04 2012 us=237509   genkey = DISABLED
Sun Jan 22 09:31:04 2012 us=237552   key_pass_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=237595   show_tls_ciphers = DISABLED
Sun Jan 22 09:31:04 2012 us=237641 Connection profiles [default]:
Sun Jan 22 09:31:04 2012 us=237685   proto = udp
Sun Jan 22 09:31:04 2012 us=237728   local = '192.168.1.200'
Sun Jan 22 09:31:04 2012 us=237770   local_port = 1194
Sun Jan 22 09:31:04 2012 us=237813   remote = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=237855   remote_port = 1194
Sun Jan 22 09:31:04 2012 us=237897   remote_float = DISABLED
Sun Jan 22 09:31:04 2012 us=237939   bind_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=237981   bind_local = ENABLED
Sun Jan 22 09:31:04 2012 us=238024   connect_retry_seconds = 5
Sun Jan 22 09:31:04 2012 us=238067   connect_timeout = 10
Sun Jan 22 09:31:04 2012 us=238109   connect_retry_max = 0
Sun Jan 22 09:31:04 2012 us=238151   socks_proxy_server = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238261   socks_proxy_port = 0
Sun Jan 22 09:31:04 2012 us=238310   socks_proxy_retry = DISABLED
Sun Jan 22 09:31:04 2012 us=238358 Connection profiles END
Sun Jan 22 09:31:04 2012 us=238400   remote_random = DISABLED
Sun Jan 22 09:31:04 2012 us=238443   ipchange = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238485   dev = 'tap'
Sun Jan 22 09:31:04 2012 us=238527   dev_type = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238569   dev_node = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238611   lladdr = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238653   topology = 1
Sun Jan 22 09:31:04 2012 us=238695   tun_ipv6 = DISABLED
Sun Jan 22 09:31:04 2012 us=238738   ifconfig_local = '10.0.0.1'
Sun Jan 22 09:31:04 2012 us=238780   ifconfig_remote_netmask = '255.255.255.0'
Sun Jan 22 09:31:04 2012 us=238822   ifconfig_noexec = DISABLED
Sun Jan 22 09:31:04 2012 us=238865   ifconfig_nowarn = DISABLED
Sun Jan 22 09:31:04 2012 us=238907   shaper = 0
Sun Jan 22 09:31:04 2012 us=238949   tun_mtu = 1500
Sun Jan 22 09:31:04 2012 us=238991   tun_mtu_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=239034   link_mtu = 1500
Sun Jan 22 09:31:04 2012 us=239076   link_mtu_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=239118   tun_mtu_extra = 32
Sun Jan 22 09:31:04 2012 us=239160   tun_mtu_extra_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=239203   fragment = 0
Sun Jan 22 09:31:04 2012 us=239246   mtu_discover_type = -1
Sun Jan 22 09:31:04 2012 us=239288   mtu_test = 0
Sun Jan 22 09:31:04 2012 us=239330   mlock = DISABLED
Sun Jan 22 09:31:04 2012 us=239372   keepalive_ping = 10
Sun Jan 22 09:31:04 2012 us=239415   keepalive_timeout = 120
Sun Jan 22 09:31:04 2012 us=239457   inactivity_timeout = 0
Sun Jan 22 09:31:04 2012 us=239499   ping_send_timeout = 10
Sun Jan 22 09:31:04 2012 us=239541   ping_rec_timeout = 240
Sun Jan 22 09:31:04 2012 us=239584   ping_rec_timeout_action = 2
Sun Jan 22 09:31:04 2012 us=239626   ping_timer_remote = DISABLED
Sun Jan 22 09:31:04 2012 us=239669   remap_sigusr1 = 0
Sun Jan 22 09:31:04 2012 us=239711   explicit_exit_notification = 0
Sun Jan 22 09:31:04 2012 us=239753   persist_tun = ENABLED
Sun Jan 22 09:31:04 2012 us=239795   persist_local_ip = DISABLED
Sun Jan 22 09:31:04 2012 us=239837   persist_remote_ip = DISABLED
Sun Jan 22 09:31:04 2012 us=239890   persist_key = ENABLED
Sun Jan 22 09:31:04 2012 us=239933   mssfix = 1450
Sun Jan 22 09:31:04 2012 us=239976   passtos = DISABLED
Sun Jan 22 09:31:04 2012 us=240019   resolve_retry_seconds = 1000000000
Sun Jan 22 09:31:04 2012 us=240061   username = 'nobody'
Sun Jan 22 09:31:04 2012 us=240103   groupname = 'nogroup'
Sun Jan 22 09:31:04 2012 us=240145   chroot_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240206   cd_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240249   writepid = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240291   up_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240334   down_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240375   down_pre = DISABLED
Sun Jan 22 09:31:04 2012 us=240417   up_restart = DISABLED
Sun Jan 22 09:31:04 2012 us=240459   up_delay = DISABLED
Sun Jan 22 09:31:04 2012 us=240501   daemon = DISABLED
Sun Jan 22 09:31:04 2012 us=240544   inetd = 0
Sun Jan 22 09:31:04 2012 us=240585   log = ENABLED
Sun Jan 22 09:31:04 2012 us=240628   suppress_timestamps = DISABLED
Sun Jan 22 09:31:04 2012 us=240670   nice = 0
Sun Jan 22 09:31:04 2012 us=240723   verbosity = 5
Sun Jan 22 09:31:04 2012 us=240781   mute = 0
Sun Jan 22 09:31:04 2012 us=240839   gremlin = 0
Sun Jan 22 09:31:04 2012 us=240901   status_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240960   status_file_version = 1
Sun Jan 22 09:31:04 2012 us=241019   status_file_update_freq = 60
Sun Jan 22 09:31:04 2012 us=241077   occ = ENABLED
Sun Jan 22 09:31:04 2012 us=241137   rcvbuf = 65536
Sun Jan 22 09:31:04 2012 us=241195   sndbuf = 65536
Sun Jan 22 09:31:04 2012 us=241254   sockflags = 0
Sun Jan 22 09:31:04 2012 us=241312   fast_io = DISABLED
Sun Jan 22 09:31:04 2012 us=241371   lzo = 7
Sun Jan 22 09:31:04 2012 us=241433   route_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=241492   route_default_gateway = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=241553   route_default_metric = 0
Sun Jan 22 09:31:04 2012 us=241612   route_noexec = DISABLED
Sun Jan 22 09:31:04 2012 us=241671   route_delay = 0
Sun Jan 22 09:31:04 2012 us=241731   route_delay_window = 30
Sun Jan 22 09:31:04 2012 us=241790   route_delay_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=241863   route_nopull = DISABLED
Sun Jan 22 09:31:04 2012 us=241926   route_gateway_via_dhcp = DISABLED
Sun Jan 22 09:31:04 2012 us=241986   max_routes = 100
Sun Jan 22 09:31:04 2012 us=242045   allow_pull_fqdn = DISABLED
Sun Jan 22 09:31:04 2012 us=242101   management_addr = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242156   management_port = 0
Sun Jan 22 09:31:04 2012 us=242267   management_user_pass = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242338   management_log_history_cache = 250
Sun Jan 22 09:31:04 2012 us=242397   management_echo_buffer_size = 100
Sun Jan 22 09:31:04 2012 us=242454   management_write_peer_info_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242512   management_client_user = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242570   management_client_group = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242628   management_flags = 0
Sun Jan 22 09:31:04 2012 us=242685   shared_secret_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242743   key_direction = 0
Sun Jan 22 09:31:04 2012 us=242801   ciphername_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=242856   ciphername = 'aes-256-cbc'
Sun Jan 22 09:31:04 2012 us=242914   authname_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=242972   authname = 'SHA1'
Sun Jan 22 09:31:04 2012 us=243034   prng_hash = 'SHA1'
Sun Jan 22 09:31:04 2012 us=243092   prng_nonce_secret_len = 16
Sun Jan 22 09:31:04 2012 us=243149   keysize = 0
Sun Jan 22 09:31:04 2012 us=243207   engine = DISABLED
Sun Jan 22 09:31:04 2012 us=243261   replay = ENABLED
Sun Jan 22 09:31:04 2012 us=243319   mute_replay_warnings = DISABLED
Sun Jan 22 09:31:04 2012 us=243378   replay_window = 64
Sun Jan 22 09:31:04 2012 us=243739   replay_time = 15
Sun Jan 22 09:31:04 2012 us=243793   packet_id_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=243845   use_iv = ENABLED
Sun Jan 22 09:31:04 2012 us=243898   test_crypto = DISABLED
Sun Jan 22 09:31:04 2012 us=243949   tls_server = ENABLED
Sun Jan 22 09:31:04 2012 us=244001   tls_client = DISABLED
Sun Jan 22 09:31:04 2012 us=244053   key_method = 2
Sun Jan 22 09:31:04 2012 us=244105   ca_file = '/etc/ssl/vpn-ca.pem'
Sun Jan 22 09:31:04 2012 us=244156   ca_path = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244208   dh_file = '/etc/ssl/dh2048.pem'
Sun Jan 22 09:31:04 2012 us=244260   cert_file = '/etc/ssl/Zertifikate/server_cert.pem'
Sun Jan 22 09:31:04 2012 us=244360   priv_key_file = '/etc/ssl/private/server_key.pem'
Sun Jan 22 09:31:04 2012 us=244415   pkcs12_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244468   cipher_list = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244521   tls_verify = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244573   tls_remote = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244625   crl_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244677   ns_cert_type = 0
Sun Jan 22 09:31:04 2012 us=244734   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244798   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244855   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244910   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244966   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245027   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245088   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245145   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245203   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245261   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245317   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245382   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245436   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245494   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245553   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245614   remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245674   remote_cert_eku = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=245733   tls_timeout = 2
Sun Jan 22 09:31:04 2012 us=245789   renegotiate_bytes = 0
Sun Jan 22 09:31:04 2012 us=245846   renegotiate_packets = 0
Sun Jan 22 09:31:04 2012 us=245904   renegotiate_seconds = 3600
Sun Jan 22 09:31:04 2012 us=245963   handshake_window = 60
Sun Jan 22 09:31:04 2012 us=246292   transition_window = 3600
Sun Jan 22 09:31:04 2012 us=246404   single_session = DISABLED
Sun Jan 22 09:31:04 2012 us=246462   push_peer_info = DISABLED
Sun Jan 22 09:31:04 2012 us=246516   tls_exit = DISABLED
Sun Jan 22 09:31:04 2012 us=246573   tls_auth_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=246633   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246700   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246759   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246817   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246875   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246935   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246990   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247048   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247106   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247165   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247223   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247279   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247338   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247396   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247455   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247515   pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247576   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247638   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247699   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247759   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247819   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247881   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247939   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247995   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248050   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248106   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248163   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248220   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248335   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248399   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248462   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248522   pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248579   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248640   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248702   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248761   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248821   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248878   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248935   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248993   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249051   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249309   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249377   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249431   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249490   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249549   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249603   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249660   pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249721   pkcs11_pin_cache_period = -1
Sun Jan 22 09:31:04 2012 us=249782   pkcs11_id = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=249842   pkcs11_id_management = DISABLED
Sun Jan 22 09:31:04 2012 us=249957   server_network = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250027   server_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250092   server_bridge_ip = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250157   server_bridge_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250273   server_bridge_pool_start = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250340   server_bridge_pool_end = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250402   push_entry = 'route 192.168.1.0 255.255.255.0'
Sun Jan 22 09:31:04 2012 us=250460   push_entry = 'ping 10'
Sun Jan 22 09:31:04 2012 us=250523   push_entry = 'ping-restart 120'
Sun Jan 22 09:31:04 2012 us=250582   ifconfig_pool_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=250645   ifconfig_pool_start = 10.0.0.2
Sun Jan 22 09:31:04 2012 us=250709   ifconfig_pool_end = 10.0.0.9
Sun Jan 22 09:31:04 2012 us=251008   ifconfig_pool_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=251082   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251142   ifconfig_pool_persist_refresh_freq = 600
Sun Jan 22 09:31:04 2012 us=251201   n_bcast_buf = 256
Sun Jan 22 09:31:04 2012 us=251262   tcp_queue_limit = 64
Sun Jan 22 09:31:04 2012 us=251320   real_hash_size = 256
Sun Jan 22 09:31:04 2012 us=251444   virtual_hash_size = 256
Sun Jan 22 09:31:04 2012 us=251510   client_connect_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251571   learn_address_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251629   client_disconnect_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251689   client_config_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251748   ccd_exclusive = DISABLED
Sun Jan 22 09:31:04 2012 us=251805   tmp_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251866   push_ifconfig_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=251933   push_ifconfig_local = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=251998   push_ifconfig_remote_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=252057   enable_c2c = DISABLED
Sun Jan 22 09:31:04 2012 us=252115   duplicate_cn = DISABLED
Sun Jan 22 09:31:04 2012 us=252171   cf_max = 0
Sun Jan 22 09:31:04 2012 us=252228   cf_per = 0
Sun Jan 22 09:31:04 2012 us=252487   max_clients = 1024
Sun Jan 22 09:31:04 2012 us=252569   max_routes_per_client = 256
Sun Jan 22 09:31:04 2012 us=252628   auth_user_pass_verify_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=252690   auth_user_pass_verify_script_via_file = DISABLED
Sun Jan 22 09:31:04 2012 us=252745   ssl_flags = 0
Sun Jan 22 09:31:04 2012 us=252801   port_share_host = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=252911   port_share_port = 0
Sun Jan 22 09:31:04 2012 us=252973   client = DISABLED
Sun Jan 22 09:31:04 2012 us=253034   pull = DISABLED
Sun Jan 22 09:31:04 2012 us=253088   auth_user_pass_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=253168 OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
Sun Jan 22 09:31:04 2012 us=253975 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Jan 22 09:31:04 2012 us=254093 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 09:31:04 2012 us=611011 Diffie-Hellman initialized with 2048 bit key
Sun Jan 22 09:31:04 2012 us=612842 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Sun Jan 22 09:31:04 2012 us=939757 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 09:31:04 2012 us=940008 Socket Buffers: R=[114688->131072] S=[114688->131072]
Sun Jan 22 09:31:04 2012 us=940180 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.200:1194: Address already in use
Sun Jan 22 09:31:04 2012 us=940246 Exiting

This morning I then started off by elegantly locking myself out, by firing up ufw... 😀 So: off to the server, hook up monitor and peripherals - on we go!

In doing so I discovered the following (excerpt from boot.log):

 *   Autostarting VPN 'client'      * Starting virtual private network daemon(s)...                           [fail]

I'll tackle that by following this thread.

Nefarius

Registered: 11 December 2008 | Posts: 1275

Sun Jan 22 09:31:04 2012 us=940180 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.200:1194: Address already in use

Apparently someone is already listening there. Regarding the startup error: show us ls -al /etc/openvpn. And a sudo netstat -tulpen while you're at it.

Good morning btw. 😀

klauschwein

(thread starter)
Registered: 21 January 2012 | Posts: 8

Good morning ^^ yes, it's still Saturday for me 😀

netstat gives:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      0          8672        800/smbd        
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      0          8674        800/smbd        
tcp        0      0 0.0.0.0:7020            0.0.0.0:*               LISTEN      1000       12324       1811/nxagent    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          9368        1208/apache2    
tcp        0      0 127.0.0.1:7634          0.0.0.0:*               LISTEN      0          9124        1112/hddtemp    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          8632        807/sshd        
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      0          8753        863/cupsd       
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      115        11005       1620/sshd: nx@notty
tcp6       0      0 :::7020                 :::*                    LISTEN      1000       12323       1811/nxagent    
tcp6       0      0 :::22                   :::*                    LISTEN      0          8640        807/sshd        
tcp6       0      0 :::631                  :::*                    LISTEN      0          8754        863/cupsd       
tcp6       0      0 ::1:6010                :::*                    LISTEN      115        11004       1620/sshd: nx@notty
udp        0      0 0.0.0.0:39630           0.0.0.0:*                           105        8722        859/avahi-daemon: r
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           105        8720        859/avahi-daemon: r
udp   114240      0 0.0.0.0:631             0.0.0.0:*                           0          8757        863/cupsd       
udp        0      0 10.0.0.255:137          0.0.0.0:*                           0          16541       828/nmbd        
udp        0      0 10.0.0.1:137            0.0.0.0:*                           0          16540       828/nmbd        
udp        0      0 192.168.1.255:137       0.0.0.0:*                           0          8625        828/nmbd        
udp        0      0 192.168.1.200:137       0.0.0.0:*                           0          8624        828/nmbd        
udp        0      0 0.0.0.0:137             0.0.0.0:*                           0          8621        828/nmbd        
udp        0      0 10.0.0.255:138          0.0.0.0:*                           0          16543       828/nmbd        
udp        0      0 10.0.0.1:138            0.0.0.0:*                           0          16542       828/nmbd        
udp        0      0 192.168.1.255:138       0.0.0.0:*                           0          8627        828/nmbd        
udp        0      0 192.168.1.200:138       0.0.0.0:*                           0          8626        828/nmbd        
udp        0      0 0.0.0.0:138             0.0.0.0:*                           0          8622        828/nmbd        
udp        0      0 192.168.1.200:1194      0.0.0.0:*                           0          16338       2240/openvpn    
udp6       0      0 :::37071                :::*                                105        8723        859/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                105        8721        859/avahi-daemon: r

and in /etc/openvpn there are:

insgesamt 32
drwxr-xr-x   3 root root  4096 2012-01-22 09:46 .
drwxr-xr-x 136 root root 12288 2012-01-22 08:43 ..
-rw-r--r--   1 root root   889 2012-01-22 10:00 client.conf
drwxr-xr-x   3 root root  4096 2012-01-06 12:53 easy-rsa2
-rw-------   1 root root     0 2012-01-06 13:17 ipp.txt
-rw-r--r--   1 root root  1514 2012-01-22 09:28 server.conf
-rwxr-xr-x   1 root root  1357 2011-03-11 02:03 update-resolv-conf

Nefarius

Registered:
11 December 2008

Posts: 1275

Of course you get an error. The start script enumerates all .conf files and tries to start each of them with OpenVPN. Just rename client.conf to client.conf.bak and restart the service. If it still won't work, killall openvpn and start it again.

klauschwein

(Thread starter)

Registered:
21 January 2012

Posts: 8

Thanks!

I renamed client.conf and restarted the service. It seems there is a problem with the certificates after all:

Sun Jan 22 12:34:12 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Sun Jan 22 12:34:12 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 22 12:34:12 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 12:34:15 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 22 12:34:15 2012 LZO compression initialized
Sun Jan 22 12:34:15 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 12:34:15 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 22 12:34:15 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jan 22 12:34:15 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sun Jan 22 12:34:15 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sun Jan 22 12:34:15 2012 UDPv4 link local: [undef]
Sun Jan 22 12:34:15 2012 UDPv4 link remote: <zensiert>:1194
Sun Jan 22 12:34:15 2012 TLS: Initial packet from <zensiert>:1194, sid=8cff47fa 08c4fb60
Sun Jan 22 12:34:16 2012 VERIFY OK: depth=1, /C=DE/ST=Thueringen/L=Erfurt
Sun Jan 22 12:34:16 2012 VERIFY ERROR: could not extract CN from X509 subject string ('/C=DE/ST=Thueringen') -- note that the username length is limited to 64 characters
Sun Jan 22 12:34:16 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 22 12:34:16 2012 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 22 12:34:16 2012 TLS Error: TLS handshake failed
Sun Jan 22 12:34:16 2012 TCP/UDP: Closing socket
Sun Jan 22 12:34:16 2012 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 22 12:34:16 2012 Restart pause, 2 second(s)

I guess I didn't pay attention to the "nomenclature" of the certificates (maybe I ignored case sensitivity?) - I suppose I'll have to recreate them.

Nefarius

Registered:
11 December 2008

Posts: 1275

Then this time it's best to do it right away with a proper guide 😉

klauschwein

(Thread starter)

Registered:
21 January 2012

Posts: 8

Yes, I'll do that. On the first attempt I also created the certificates with the easy-rsa script, but there were supposedly difficulties issuing further certificates afterwards. At least I read about that...

But your tutorial is really first-rate! I would have wished for something this extensive and, above all, complete on the first attempt. I also just noticed that I should rename my "dummy user".

klauschwein

(Thread starter)

Registered:
21 January 2012

Posts: 8

Very nice! After a bit of tinkering the tunnel is up! Thanks Nefarius 👍

here is the client log once more:

Mon Jan 23 09:59:36 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Jan 23 09:59:36 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 23 09:59:36 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jan 23 09:59:36 2012 LZO compression initialized
Mon Jan 23 09:59:36 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jan 23 09:59:36 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jan 23 09:59:36 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 23 09:59:36 2012 Local Options hash (VER=V4): 'c6c7c21a'
Mon Jan 23 09:59:36 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Mon Jan 23 09:59:36 2012 UDPv4 link local: [undef]
Mon Jan 23 09:59:36 2012 UDPv4 link remote: <zensiert>:1194
Mon Jan 23 09:59:36 2012 TLS: Initial packet from <zensiert>:1194, sid=355f3fee 3a0138a1
Mon Jan 23 09:59:36 2012 VERIFY OK: depth=1, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=VPN@LOKI_CA/emailAddress=damien_1427@gmx.de
Mon Jan 23 09:59:36 2012 VERIFY OK: depth=0, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=server/emailAddress=damien_1427@gmx.de
Mon Jan 23 09:59:36 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Mon Jan 23 09:59:36 2012 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Jan 23 09:59:36 2012 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Jan 23 09:59:36 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 09:59:36 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 09:59:36 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 09:59:36 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 09:59:36 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 23 09:59:36 2012 [server] Peer Connection Initiated with <zensiert>:1194
Mon Jan 23 09:59:39 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 23 09:59:39 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 255.255.255.0'
Mon Jan 23 09:59:39 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 23 09:59:39 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 23 09:59:39 2012 OPTIONS IMPORT: route options modified
Mon Jan 23 09:59:39 2012 ROUTE default_gateway=192.168.1.1
Mon Jan 23 09:59:39 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mon Jan 23 09:59:39 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Mon Jan 23 09:59:39 2012 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{705AEC37-E736-4233-91EA-57E0B67280B9}.tap
Mon Jan 23 09:59:39 2012 TAP-Win32 Driver Version 9.9 
Mon Jan 23 09:59:39 2012 TAP-Win32 MTU=1500
Mon Jan 23 09:59:39 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.2/255.255.255.0 on interface {705AEC37-E736-4233-91EA-57E0B67280B9} [DHCP-serv: 10.0.0.0, lease-time: 31536000]
Mon Jan 23 09:59:39 2012 Successful ARP Flush on interface [16] {705AEC37-E736-4233-91EA-57E0B67280B9}
Mon Jan 23 09:59:44 2012 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Mon Jan 23 09:59:44 2012 Initialization Sequence Completed
Mon Jan 23 09:59:48 2012 Authenticate/Decrypt packet error: cipher final failed

What is the last line about?

Is there an easy way to test the connection via VPN? At the moment the Win7 client always accesses the network drives locally. My computer doesn't seem to fully trust the whole thing yet, since the connection is listed as "Unidentified network" and the specified DHCP server isn't reachable either.

Nefarius

Registered:
11 December 2008

Posts: 1275

Mon Jan 23 09:59:36 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Mon Jan 23 09:59:36 2012 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Jan 23 09:59:36 2012 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

That already tells you what the last message is about 😉 these values have to be the same on server and client; you should add the corresponding keywords to the server config:

link-mtu 1590
cipher AES-256-CBC
keysize 256

It's best to test the tunnel "from outside", i.e. via a notebook that is connected to the internet through a different access. "Unidentified network" appears because no default gateway is sent. There is a fix for that too, but it isn't necessary if the connection works.
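As an added example (not part of this thread and not an OpenVPN tool), a small Python checker that reads client log lines of the kind quoted in this thread and pulls out the two things discussed here: certificate subjects without a CN (the VERIFY ERROR in klauschwein's earlier log) and the "used inconsistently" warnings, which it turns into the config lines the other side needs; it also flags the "No server certificate verification method" warning that every log in this thread still shows. The sample log is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: a few lines in the format of the client logs quoted in
# this thread (the no-CN subject from the failed handshake and the three
# "used inconsistently" warnings from the working one), not a full log.
SAMPLE_LOG = """\
Sun Jan 22 12:34:12 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 22 12:34:16 2012 VERIFY OK: depth=1, /C=DE/ST=Thueringen/L=Erfurt
Sun Jan 22 12:34:16 2012 VERIFY ERROR: could not extract CN from X509 subject string ('/C=DE/ST=Thueringen') -- note that the username length is limited to 64 characters
Mon Jan 23 09:59:36 2012 VERIFY OK: depth=0, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=server/emailAddress=***@gmx.de
Mon Jan 23 09:59:36 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Mon Jan 23 09:59:36 2012 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Jan 23 09:59:36 2012 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Jan 23 09:59:48 2012 Authenticate/Decrypt packet error: cipher final failed
"""

# Option name plus the local/remote values OpenVPN prints for a mismatch.
INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
# The X.509 subject string printed on VERIFY OK / VERIFY ERROR lines.
SUBJECT = re.compile(r"VERIFY (?:OK|ERROR).*?(?P<subj>/C=[^' )]*)")


def find_mismatches(log_text):
    """Map each option reported as 'used inconsistently' to (local, remote)."""
    found = {}
    for line in log_text.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            found[m.group("opt")] = (m.group("local"), m.group("remote"))
    return found


def peer_conf_lines(mismatches):
    """Config lines for the other side so that both ends use the local values."""
    return [local for local, _remote in mismatches.values()]


def subjects_without_cn(log_text):
    """Certificate subjects seen in VERIFY lines that carry no CN component."""
    found = [m.group("subj") for m in map(SUBJECT.search, log_text.splitlines()) if m]
    return sorted({s for s in found if "/CN=" not in s})


def unverified_server(log_text):
    """True if the client runs without any server certificate verification method."""
    return "No server certificate verification method has been enabled" in log_text
```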

klauschwein

(Thread starter)

Registered:
21 January 2012

Posts: 8

nice!

client log:

Mon Jan 23 12:35:54 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Jan 23 12:35:54 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 23 12:35:54 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jan 23 12:35:55 2012 LZO compression initialized
Mon Jan 23 12:35:55 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jan 23 12:35:55 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jan 23 12:35:55 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 23 12:35:55 2012 Local Options hash (VER=V4): 'c6c7c21a'
Mon Jan 23 12:35:55 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Mon Jan 23 12:35:55 2012 UDPv4 link local: [undef]
Mon Jan 23 12:35:55 2012 UDPv4 link remote: <zensiert>:1194
Mon Jan 23 12:35:55 2012 TLS: Initial packet from <zensiert>:1194, sid=667077e6 6e31068c
Mon Jan 23 12:35:55 2012 VERIFY OK: depth=1, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=VPN@LOKI_CA/emailAddress=***@gmx.de
Mon Jan 23 12:35:55 2012 VERIFY OK: depth=0, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=server/emailAddress=***@gmx.de
Mon Jan 23 12:35:55 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 12:35:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 12:35:55 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 12:35:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 12:35:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 23 12:35:55 2012 [server] Peer Connection Initiated with <zensiert>:1194
Mon Jan 23 12:35:57 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 23 12:35:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 255.255.255.0'
Mon Jan 23 12:35:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 23 12:35:57 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 23 12:35:57 2012 OPTIONS IMPORT: route options modified
Mon Jan 23 12:35:57 2012 ROUTE default_gateway=192.168.1.1
Mon Jan 23 12:35:57 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mon Jan 23 12:35:57 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Mon Jan 23 12:35:57 2012 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{705AEC37-E736-4233-91EA-57E0B67280B9}.tap
Mon Jan 23 12:35:57 2012 TAP-Win32 Driver Version 9.9 
Mon Jan 23 12:35:57 2012 TAP-Win32 MTU=1500
Mon Jan 23 12:35:57 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.2/255.255.255.0 on interface {705AEC37-E736-4233-91EA-57E0B67280B9} [DHCP-serv: 10.0.0.0, lease-time: 31536000]
Mon Jan 23 12:35:57 2012 Successful ARP Flush on interface [16] {705AEC37-E736-4233-91EA-57E0B67280B9}
Mon Jan 23 12:36:02 2012 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Mon Jan 23 12:36:02 2012 Initialization Sequence Completed

well then I'll test it and report back - could be this evening! Nefarius, a big THX to you for now ☺

Once the test is successful I'll set the thread to <solved>.