klauschwein
Registered: 21 January 2012
Posts: counting...
|
Hello all, as an absolute Windows casualty I have, as part of my home server project (http://www.sysprofile.de/id161356), dealt with Linux for the first time. Thanks to the great tutorials of the ubuntuusers community I even got the thing running. So first of all: "Good work, thanks!!"

When setting up OpenVPN, though, I need your trained eye, because here I really don't always know what I'm actually doing... 😀

For now the server is meant to act as a file server and provide secure access to its data from the WAN. Access via LAN I already have working; the corresponding shares and remote access via NX are set up. All clients run Windows (XP & 7). The server runs Ubuntu 11.04 and gets its WAN access through a D-Link DI-524 router (provider: Kabel Deutschland).

First, here is the log from the OpenVPN client:
Sat Jan 21 23:33:02 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sat Jan 21 23:33:02 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jan 21 23:33:02 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 21 23:33:06 2012 LZO compression initialized
Sat Jan 21 23:33:06 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jan 21 23:33:06 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Jan 21 23:33:06 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sat Jan 21 23:33:06 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sat Jan 21 23:33:06 2012 UDPv4 link local: [undef]
Sat Jan 21 23:33:06 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194
Sat Jan 21 23:34:06 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 21 23:34:06 2012 TLS Error: TLS handshake failed
Sat Jan 21 23:34:06 2012 TCP/UDP: Closing socket
Sat Jan 21 23:34:06 2012 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 21 23:34:06 2012 Restart pause, 2 second(s)
Sat Jan 21 23:34:08 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jan 21 23:34:08 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 21 23:34:08 2012 Re-using SSL/TLS context
Sat Jan 21 23:34:08 2012 LZO compression initialized
Sat Jan 21 23:34:08 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jan 21 23:34:08 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Jan 21 23:34:08 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sat Jan 21 23:34:08 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sat Jan 21 23:34:08 2012 UDPv4 link local: [undef]
Sat Jan 21 23:34:08 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194
Sat Jan 21 23:34:15 2012 TCP/UDP: Closing socket
Sat Jan 21 23:34:15 2012 SIGTERM[hard,] received, process exiting
Here is the server.conf:
#===================================
# Config
#===================================
local 192.168.1.200
port 1194
# Check the revocation list
#crl-verify /etc/ssl/crl.pem
# TCP or UDP?
proto udp
mode server
tls-server
dev tap
#===================================
# Server IP
#===================================
ifconfig 10.0.0.1 255.255.255.0
ifconfig-pool 10.0.0.2 10.0.0.9
# Server IP address
#server 10.0.0.1 255.255.255.0
#===================================
# Certificates
#===================================
ca /etc/ssl/vpn-ca.pem
cert /etc/ssl/Zertifikate/server_cert.pem
key /etc/ssl/private/server_key.pem
dh /etc/ssl/dh2048.pem
# Hand out the same IP in the next session
#ifconfig-pool-persist ipp.txt
#===================================
# Routing
#===================================
push "route 192.168.1.0 255.255.255.0"
#push "dhcp-option DNS 192.168.1.xyz"
#push "redirect-gateway"
#push "route 0.0.0.0 0.0.0.0"
#===================================
# Authentication
#===================================
auth SHA1
# Encryption algorithm
cipher aes-256-cbc
# Use compression
comp-lzo
# Privileges
user nobody
group nogroup
persist-key
persist-tun
# Reachability
keepalive 10 120
# "Chattiness" of the tunnel
verb 5
...and the client.ovpn:
#============================
# Config
#============================
tls-client
pull
dev tap
#============================
# Protocol / server addressing
#============================
proto udp
remote <DHCP.meines.Routers.zensiert> 1194 # is that even right?
# Resolve the server's hostname
resolv-retry infinite
# Fix the local port, or leave it free
nobind
# Keep the connection the same
persist-key
persist-tun
#============================
# Certificates
#============================
ca "C:\\Program Files (x86)\\OpenVPN\\config\\vpn-ca.pem"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\srv_cert.pem"
key "C:\\Program Files (x86)\\OpenVPN\\config\\srv_key.pem"
#============================
# Authentication
#============================
cipher AES-256-CBC
# Compression
comp-lzo
# Authentication method
auth SHA1
# "Chattiness" of the tunnel
verb 3
I'd be super grateful for corrections to my config - if the error even lies there. I have been puzzling over this for 2 weeks now, have read and tried various wikis, tutorials and HowTos, and still can't get it sorted. Port 1194 (UDP) is opened in the router and forwarded to the server's IP. The certificates are (apparently) fine too. I started the server, and a test of the server.conf produced no errors (verb 5). I will probably bore you with my rudimentary problem, but I still hope for your support. ☺
|
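The two configs in the post above are a good place to show what a reviewer actually checks before chasing the handshake timeout. The following script is an added example (not code from the thread or from OpenVPN): it parses the posted server.conf and client.ovpn (embedded below, reduced to the relevant directives, with the redacted router address replaced by a placeholder host), checks that the data-channel parameters agree on both sides, and flags the two hardening gaps visible in the configs: the client never pins the server role (`remote-cert-tls server`), which is what the "No server certificate verification method" warning in the client log refers to, and neither side uses a `tls-auth` HMAC key. The hardened pair at the end is the suggested fix; the ta.key path in it is an assumption.

```python
"""Consistency and hardening check for an OpenVPN server/client config pair.

Added example (not from the thread). The two configs below are the ones
posted above, reduced to the directives that matter for the check; the
client's remote host is a placeholder because the post redacts it.
"""

SERVER_CONF = """\
local 192.168.1.200
port 1194
proto udp
mode server
tls-server
dev tap
ifconfig 10.0.0.1 255.255.255.0
ifconfig-pool 10.0.0.2 10.0.0.9
ca /etc/ssl/vpn-ca.pem
cert /etc/ssl/Zertifikate/server_cert.pem
key /etc/ssl/private/server_key.pem
dh /etc/ssl/dh2048.pem
push "route 192.168.1.0 255.255.255.0"
auth SHA1
cipher aes-256-cbc
comp-lzo
keepalive 10 120
"""

CLIENT_CONF = r"""
tls-client
pull
dev tap
proto udp
remote vpn.example.invalid 1194   # placeholder for the redacted router address
nobind
ca "C:\\Program Files (x86)\\OpenVPN\\config\\vpn-ca.pem"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\srv_cert.pem"
key "C:\\Program Files (x86)\\OpenVPN\\config\\srv_key.pem"
cipher AES-256-CBC
comp-lzo
auth SHA1
"""

# What the pair should look like: the server role pinned on the client and an
# HMAC key on the control channel on both sides (the ta.key path is an
# assumption; generate the key with "openvpn --genkey --secret ta.key").
HARDENED_SERVER_CONF = SERVER_CONF + "tls-auth /etc/openvpn/ta.key 0\n"
HARDENED_CLIENT_CONF = CLIENT_CONF + "remote-cert-tls server\ntls-auth ta.key 1\n"

# OpenVPN defaults that apply when a directive is absent on one side only.
DEFAULTS = {"proto": "udp", "cipher": "bf-cbc", "auth": "sha1"}


def parse(text):
    """Map each directive to the list of its argument lists (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(";"):
            continue
        tokens = line.split()
        conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf


def first_arg(conf, directive, default=None):
    """Lower-cased first argument of a directive (cipher names are case-insensitive)."""
    occurrences = conf.get(directive)
    if not occurrences or not occurrences[0]:
        return default
    return occurrences[0][0].lower()


def check(server_text, client_text):
    """Return human-readable findings; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    findings = []
    # Data-channel parameters must agree, or the tunnel fails right after the handshake.
    for d in ("proto", "dev", "cipher", "auth"):
        sv, cv = first_arg(s, d, DEFAULTS.get(d)), first_arg(c, d, DEFAULTS.get(d))
        if sv != cv:
            findings.append(f"mismatch: {d} is {sv!r} on the server but {cv!r} on the client")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("mismatch: comp-lzo is set on only one side")
    # Without a role check the client accepts any certificate the CA has signed,
    # including another client's, as the server (the MITM warning in the log).
    if not any(d in c for d in ("remote-cert-tls", "ns-cert-type", "tls-remote", "verify-x509-name")):
        findings.append("client: no server certificate verification; add 'remote-cert-tls server' "
                        "(the server cert then needs the TLS Web Server extendedKeyUsage)")
    # tls-auth/tls-crypt drops handshake packets that lack the shared HMAC key,
    # so the forwarded UDP port does not talk TLS to the whole internet.
    for side, conf in (("server", s), ("client", c)):
        if not any(d in conf for d in ("tls-auth", "tls-crypt")):
            findings.append(f"{side}: no tls-auth/tls-crypt key, the port answers unauthenticated TLS handshakes")
    return findings


if __name__ == "__main__":
    for name, pair in (("posted", (SERVER_CONF, CLIENT_CONF)),
                       ("hardened", (HARDENED_SERVER_CONF, HARDENED_CLIENT_CONF))):
        print(f"{name}: {check(*pair) or ['no findings']}")
```

Run against the posted pair the check reports no mismatches (cipher names compare case-insensitively, so `aes-256-cbc` and `AES-256-CBC` are fine) and three hardening findings; the hardened pair reports none. `remote-cert-tls server` only works if the server certificate carries the TLS Web Server extendedKeyUsage, which easy-rsa's `build-key-server` sets and a plain `openssl req`/`openssl x509` run does not unless asked.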
Nefarius
Registered: 11 December 2008
Posts: 1275
|
Hi and welcome! Congratulations, for a start you've done almost everything right 😉 only the server log would be interesting as well. Also, the path of your certificate puzzles me a bit, didn't you create it with the easy-rsa scripts? Regards, Nefarius. PS: where did you get that terribly outdated version of OpenVPN for Windows? The current one is v2.2.2
|
klauschwein
(Thread starter)
Registered: 21 January 2012
Posts: 8
|
Hi Nefarius, thanks for your quick reply. I created the certs using # openssl. I'll deliver the server log file later, I still have to add that to the config. While at it I'll also update the client 😀 ... it is indeed a bit dusty (hadn't even noticed^^) - but impressive that it runs under Win7 at all!
|
Nefarius
Registered: 11 December 2008
Posts: 1275
|
As far as I know, the versions before the 2.1 RC don't work properly at all, so you should start there 😀 I have quite a bit of experience with OpenVPN 😉
|
klauschwein
(Thread starter)
Registered: 21 January 2012
Posts: 8
|
So, the client is now on version 2.2.2. Server and client still talk past each other, though. Client log:
Sun Jan 22 08:50:56 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Sun Jan 22 08:50:56 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 22 08:50:56 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 08:51:03 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 22 08:51:03 2012 LZO compression initialized
Sun Jan 22 08:51:03 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 08:51:03 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 22 08:51:03 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jan 22 08:51:03 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sun Jan 22 08:51:03 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sun Jan 22 08:51:03 2012 UDPv4 link local: [undef]
Sun Jan 22 08:51:03 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194
Sun Jan 22 08:52:03 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 22 08:52:03 2012 TLS Error: TLS handshake failed
Sun Jan 22 08:52:03 2012 TCP/UDP: Closing socket
Sun Jan 22 08:52:03 2012 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 22 08:52:03 2012 Restart pause, 2 second(s)
Sun Jan 22 08:52:05 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 22 08:52:05 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 08:52:05 2012 Re-using SSL/TLS context
Sun Jan 22 08:52:05 2012 LZO compression initialized
Sun Jan 22 08:52:05 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 08:52:05 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 22 08:52:05 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jan 22 08:52:05 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sun Jan 22 08:52:05 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sun Jan 22 08:52:05 2012 UDPv4 link local: [undef]
Sun Jan 22 08:52:05 2012 UDPv4 link remote: <DHCP.meines.Routers.zensiert>:1194
I added logging to the server.conf:
verb 5
log-append /var/log/openvpn-status.log
with the result:
Sun Jan 22 09:31:04 2012 us=236937 Current Parameter Settings:
Sun Jan 22 09:31:04 2012 us=237199 config = '/etc/openvpn/server.conf'
Sun Jan 22 09:31:04 2012 us=237248 mode = 1
Sun Jan 22 09:31:04 2012 us=237297 persist_config = DISABLED
Sun Jan 22 09:31:04 2012 us=237341 persist_mode = 1
Sun Jan 22 09:31:04 2012 us=237383 show_ciphers = DISABLED
Sun Jan 22 09:31:04 2012 us=237425 show_digests = DISABLED
Sun Jan 22 09:31:04 2012 us=237467 show_engines = DISABLED
Sun Jan 22 09:31:04 2012 us=237509 genkey = DISABLED
Sun Jan 22 09:31:04 2012 us=237552 key_pass_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=237595 show_tls_ciphers = DISABLED
Sun Jan 22 09:31:04 2012 us=237641 Connection profiles [default]:
Sun Jan 22 09:31:04 2012 us=237685 proto = udp
Sun Jan 22 09:31:04 2012 us=237728 local = '192.168.1.200'
Sun Jan 22 09:31:04 2012 us=237770 local_port = 1194
Sun Jan 22 09:31:04 2012 us=237813 remote = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=237855 remote_port = 1194
Sun Jan 22 09:31:04 2012 us=237897 remote_float = DISABLED
Sun Jan 22 09:31:04 2012 us=237939 bind_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=237981 bind_local = ENABLED
Sun Jan 22 09:31:04 2012 us=238024 connect_retry_seconds = 5
Sun Jan 22 09:31:04 2012 us=238067 connect_timeout = 10
Sun Jan 22 09:31:04 2012 us=238109 connect_retry_max = 0
Sun Jan 22 09:31:04 2012 us=238151 socks_proxy_server = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238261 socks_proxy_port = 0
Sun Jan 22 09:31:04 2012 us=238310 socks_proxy_retry = DISABLED
Sun Jan 22 09:31:04 2012 us=238358 Connection profiles END
Sun Jan 22 09:31:04 2012 us=238400 remote_random = DISABLED
Sun Jan 22 09:31:04 2012 us=238443 ipchange = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238485 dev = 'tap'
Sun Jan 22 09:31:04 2012 us=238527 dev_type = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238569 dev_node = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238611 lladdr = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=238653 topology = 1
Sun Jan 22 09:31:04 2012 us=238695 tun_ipv6 = DISABLED
Sun Jan 22 09:31:04 2012 us=238738 ifconfig_local = '10.0.0.1'
Sun Jan 22 09:31:04 2012 us=238780 ifconfig_remote_netmask = '255.255.255.0'
Sun Jan 22 09:31:04 2012 us=238822 ifconfig_noexec = DISABLED
Sun Jan 22 09:31:04 2012 us=238865 ifconfig_nowarn = DISABLED
Sun Jan 22 09:31:04 2012 us=238907 shaper = 0
Sun Jan 22 09:31:04 2012 us=238949 tun_mtu = 1500
Sun Jan 22 09:31:04 2012 us=238991 tun_mtu_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=239034 link_mtu = 1500
Sun Jan 22 09:31:04 2012 us=239076 link_mtu_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=239118 tun_mtu_extra = 32
Sun Jan 22 09:31:04 2012 us=239160 tun_mtu_extra_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=239203 fragment = 0
Sun Jan 22 09:31:04 2012 us=239246 mtu_discover_type = -1
Sun Jan 22 09:31:04 2012 us=239288 mtu_test = 0
Sun Jan 22 09:31:04 2012 us=239330 mlock = DISABLED
Sun Jan 22 09:31:04 2012 us=239372 keepalive_ping = 10
Sun Jan 22 09:31:04 2012 us=239415 keepalive_timeout = 120
Sun Jan 22 09:31:04 2012 us=239457 inactivity_timeout = 0
Sun Jan 22 09:31:04 2012 us=239499 ping_send_timeout = 10
Sun Jan 22 09:31:04 2012 us=239541 ping_rec_timeout = 240
Sun Jan 22 09:31:04 2012 us=239584 ping_rec_timeout_action = 2
Sun Jan 22 09:31:04 2012 us=239626 ping_timer_remote = DISABLED
Sun Jan 22 09:31:04 2012 us=239669 remap_sigusr1 = 0
Sun Jan 22 09:31:04 2012 us=239711 explicit_exit_notification = 0
Sun Jan 22 09:31:04 2012 us=239753 persist_tun = ENABLED
Sun Jan 22 09:31:04 2012 us=239795 persist_local_ip = DISABLED
Sun Jan 22 09:31:04 2012 us=239837 persist_remote_ip = DISABLED
Sun Jan 22 09:31:04 2012 us=239890 persist_key = ENABLED
Sun Jan 22 09:31:04 2012 us=239933 mssfix = 1450
Sun Jan 22 09:31:04 2012 us=239976 passtos = DISABLED
Sun Jan 22 09:31:04 2012 us=240019 resolve_retry_seconds = 1000000000
Sun Jan 22 09:31:04 2012 us=240061 username = 'nobody'
Sun Jan 22 09:31:04 2012 us=240103 groupname = 'nogroup'
Sun Jan 22 09:31:04 2012 us=240145 chroot_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240206 cd_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240249 writepid = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240291 up_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240334 down_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240375 down_pre = DISABLED
Sun Jan 22 09:31:04 2012 us=240417 up_restart = DISABLED
Sun Jan 22 09:31:04 2012 us=240459 up_delay = DISABLED
Sun Jan 22 09:31:04 2012 us=240501 daemon = DISABLED
Sun Jan 22 09:31:04 2012 us=240544 inetd = 0
Sun Jan 22 09:31:04 2012 us=240585 log = ENABLED
Sun Jan 22 09:31:04 2012 us=240628 suppress_timestamps = DISABLED
Sun Jan 22 09:31:04 2012 us=240670 nice = 0
Sun Jan 22 09:31:04 2012 us=240723 verbosity = 5
Sun Jan 22 09:31:04 2012 us=240781 mute = 0
Sun Jan 22 09:31:04 2012 us=240839 gremlin = 0
Sun Jan 22 09:31:04 2012 us=240901 status_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=240960 status_file_version = 1
Sun Jan 22 09:31:04 2012 us=241019 status_file_update_freq = 60
Sun Jan 22 09:31:04 2012 us=241077 occ = ENABLED
Sun Jan 22 09:31:04 2012 us=241137 rcvbuf = 65536
Sun Jan 22 09:31:04 2012 us=241195 sndbuf = 65536
Sun Jan 22 09:31:04 2012 us=241254 sockflags = 0
Sun Jan 22 09:31:04 2012 us=241312 fast_io = DISABLED
Sun Jan 22 09:31:04 2012 us=241371 lzo = 7
Sun Jan 22 09:31:04 2012 us=241433 route_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=241492 route_default_gateway = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=241553 route_default_metric = 0
Sun Jan 22 09:31:04 2012 us=241612 route_noexec = DISABLED
Sun Jan 22 09:31:04 2012 us=241671 route_delay = 0
Sun Jan 22 09:31:04 2012 us=241731 route_delay_window = 30
Sun Jan 22 09:31:04 2012 us=241790 route_delay_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=241863 route_nopull = DISABLED
Sun Jan 22 09:31:04 2012 us=241926 route_gateway_via_dhcp = DISABLED
Sun Jan 22 09:31:04 2012 us=241986 max_routes = 100
Sun Jan 22 09:31:04 2012 us=242045 allow_pull_fqdn = DISABLED
Sun Jan 22 09:31:04 2012 us=242101 management_addr = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242156 management_port = 0
Sun Jan 22 09:31:04 2012 us=242267 management_user_pass = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242338 management_log_history_cache = 250
Sun Jan 22 09:31:04 2012 us=242397 management_echo_buffer_size = 100
Sun Jan 22 09:31:04 2012 us=242454 management_write_peer_info_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242512 management_client_user = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242570 management_client_group = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242628 management_flags = 0
Sun Jan 22 09:31:04 2012 us=242685 shared_secret_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=242743 key_direction = 0
Sun Jan 22 09:31:04 2012 us=242801 ciphername_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=242856 ciphername = 'aes-256-cbc'
Sun Jan 22 09:31:04 2012 us=242914 authname_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=242972 authname = 'SHA1'
Sun Jan 22 09:31:04 2012 us=243034 prng_hash = 'SHA1'
Sun Jan 22 09:31:04 2012 us=243092 prng_nonce_secret_len = 16
Sun Jan 22 09:31:04 2012 us=243149 keysize = 0
Sun Jan 22 09:31:04 2012 us=243207 engine = DISABLED
Sun Jan 22 09:31:04 2012 us=243261 replay = ENABLED
Sun Jan 22 09:31:04 2012 us=243319 mute_replay_warnings = DISABLED
Sun Jan 22 09:31:04 2012 us=243378 replay_window = 64
Sun Jan 22 09:31:04 2012 us=243739 replay_time = 15
Sun Jan 22 09:31:04 2012 us=243793 packet_id_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=243845 use_iv = ENABLED
Sun Jan 22 09:31:04 2012 us=243898 test_crypto = DISABLED
Sun Jan 22 09:31:04 2012 us=243949 tls_server = ENABLED
Sun Jan 22 09:31:04 2012 us=244001 tls_client = DISABLED
Sun Jan 22 09:31:04 2012 us=244053 key_method = 2
Sun Jan 22 09:31:04 2012 us=244105 ca_file = '/etc/ssl/vpn-ca.pem'
Sun Jan 22 09:31:04 2012 us=244156 ca_path = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244208 dh_file = '/etc/ssl/dh2048.pem'
Sun Jan 22 09:31:04 2012 us=244260 cert_file = '/etc/ssl/Zertifikate/server_cert.pem'
Sun Jan 22 09:31:04 2012 us=244360 priv_key_file = '/etc/ssl/private/server_key.pem'
Sun Jan 22 09:31:04 2012 us=244415 pkcs12_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244468 cipher_list = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244521 tls_verify = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244573 tls_remote = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244625 crl_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=244677 ns_cert_type = 0
Sun Jan 22 09:31:04 2012 us=244734 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244798 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244855 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244910 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=244966 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245027 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245088 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245145 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245203 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245261 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245317 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245382 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245436 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245494 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245553 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245614 remote_cert_ku[i] = 0
Sun Jan 22 09:31:04 2012 us=245674 remote_cert_eku = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=245733 tls_timeout = 2
Sun Jan 22 09:31:04 2012 us=245789 renegotiate_bytes = 0
Sun Jan 22 09:31:04 2012 us=245846 renegotiate_packets = 0
Sun Jan 22 09:31:04 2012 us=245904 renegotiate_seconds = 3600
Sun Jan 22 09:31:04 2012 us=245963 handshake_window = 60
Sun Jan 22 09:31:04 2012 us=246292 transition_window = 3600
Sun Jan 22 09:31:04 2012 us=246404 single_session = DISABLED
Sun Jan 22 09:31:04 2012 us=246462 push_peer_info = DISABLED
Sun Jan 22 09:31:04 2012 us=246516 tls_exit = DISABLED
Sun Jan 22 09:31:04 2012 us=246573 tls_auth_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=246633 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246700 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246759 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246817 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246875 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246935 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=246990 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247048 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247106 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247165 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247223 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247279 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247338 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247396 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247455 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247515 pkcs11_protected_authentication = DISABLED
Sun Jan 22 09:31:04 2012 us=247576 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247638 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247699 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247759 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247819 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247881 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247939 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=247995 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248050 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248106 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248163 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248220 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248335 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248399 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248462 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248522 pkcs11_private_mode = 00000000
Sun Jan 22 09:31:04 2012 us=248579 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248640 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248702 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248761 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248821 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248878 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248935 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=248993 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249051 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249309 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249377 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249431 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249490 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249549 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249603 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249660 pkcs11_cert_private = DISABLED
Sun Jan 22 09:31:04 2012 us=249721 pkcs11_pin_cache_period = -1
Sun Jan 22 09:31:04 2012 us=249782 pkcs11_id = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=249842 pkcs11_id_management = DISABLED
Sun Jan 22 09:31:04 2012 us=249957 server_network = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250027 server_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250092 server_bridge_ip = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250157 server_bridge_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250273 server_bridge_pool_start = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250340 server_bridge_pool_end = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=250402 push_entry = 'route 192.168.1.0 255.255.255.0'
Sun Jan 22 09:31:04 2012 us=250460 push_entry = 'ping 10'
Sun Jan 22 09:31:04 2012 us=250523 push_entry = 'ping-restart 120'
Sun Jan 22 09:31:04 2012 us=250582 ifconfig_pool_defined = ENABLED
Sun Jan 22 09:31:04 2012 us=250645 ifconfig_pool_start = 10.0.0.2
Sun Jan 22 09:31:04 2012 us=250709 ifconfig_pool_end = 10.0.0.9
Sun Jan 22 09:31:04 2012 us=251008 ifconfig_pool_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=251082 ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251142 ifconfig_pool_persist_refresh_freq = 600
Sun Jan 22 09:31:04 2012 us=251201 n_bcast_buf = 256
Sun Jan 22 09:31:04 2012 us=251262 tcp_queue_limit = 64
Sun Jan 22 09:31:04 2012 us=251320 real_hash_size = 256
Sun Jan 22 09:31:04 2012 us=251444 virtual_hash_size = 256
Sun Jan 22 09:31:04 2012 us=251510 client_connect_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251571 learn_address_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251629 client_disconnect_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251689 client_config_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251748 ccd_exclusive = DISABLED
Sun Jan 22 09:31:04 2012 us=251805 tmp_dir = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=251866 push_ifconfig_defined = DISABLED
Sun Jan 22 09:31:04 2012 us=251933 push_ifconfig_local = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=251998 push_ifconfig_remote_netmask = 0.0.0.0
Sun Jan 22 09:31:04 2012 us=252057 enable_c2c = DISABLED
Sun Jan 22 09:31:04 2012 us=252115 duplicate_cn = DISABLED
Sun Jan 22 09:31:04 2012 us=252171 cf_max = 0
Sun Jan 22 09:31:04 2012 us=252228 cf_per = 0
Sun Jan 22 09:31:04 2012 us=252487 max_clients = 1024
Sun Jan 22 09:31:04 2012 us=252569 max_routes_per_client = 256
Sun Jan 22 09:31:04 2012 us=252628 auth_user_pass_verify_script = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=252690 auth_user_pass_verify_script_via_file = DISABLED
Sun Jan 22 09:31:04 2012 us=252745 ssl_flags = 0
Sun Jan 22 09:31:04 2012 us=252801 port_share_host = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=252911 port_share_port = 0
Sun Jan 22 09:31:04 2012 us=252973 client = DISABLED
Sun Jan 22 09:31:04 2012 us=253034 pull = DISABLED
Sun Jan 22 09:31:04 2012 us=253088 auth_user_pass_file = '[UNDEF]'
Sun Jan 22 09:31:04 2012 us=253168 OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
Sun Jan 22 09:31:04 2012 us=253975 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Jan 22 09:31:04 2012 us=254093 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 09:31:04 2012 us=611011 Diffie-Hellman initialized with 2048 bit key
Sun Jan 22 09:31:04 2012 us=612842 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Sun Jan 22 09:31:04 2012 us=939757 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 09:31:04 2012 us=940008 Socket Buffers: R=[114688->131072] S=[114688->131072]
Sun Jan 22 09:31:04 2012 us=940180 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.200:1194: Address already in use
Sun Jan 22 09:31:04 2012 us=940246 Exiting
This morning I then quite elegantly locked myself out by firing up ufw... 😀

So: off to the server, hook up monitor and peripherals - onward! In the process I discovered the following (excerpt from boot.log):
* Autostarting VPN 'client' * Starting virtual private network daemon(s)... [fail]
I'll tackle that following this thread.
|
Nefarius
Registered: 11 December 2008
Posts: 1275
|
Sun Jan 22 09:31:04 2012 us=940180 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.200:1194: Address already in use
Looks like someone is already listening there. Regarding the startup error: show me ls -al /etc/openvpn. And a sudo netstat -tulpen as well. Good morning btw. 😀
|
klauschwein
(Thread starter)
Registered: 21 January 2012
Posts: 8
|
Good morning ^^ yes, for me it's still Saturday 😀 netstat gives:
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 0 8672 800/smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 0 8674 800/smbd
tcp 0 0 0.0.0.0:7020 0.0.0.0:* LISTEN 1000 12324 1811/nxagent
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 9368 1208/apache2
tcp 0 0 127.0.0.1:7634 0.0.0.0:* LISTEN 0 9124 1112/hddtemp
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 8632 807/sshd
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 0 8753 863/cupsd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 115 11005 1620/sshd: nx@notty
tcp6 0 0 :::7020 :::* LISTEN 1000 12323 1811/nxagent
tcp6 0 0 :::22 :::* LISTEN 0 8640 807/sshd
tcp6 0 0 :::631 :::* LISTEN 0 8754 863/cupsd
tcp6 0 0 ::1:6010 :::* LISTEN 115 11004 1620/sshd: nx@notty
udp 0 0 0.0.0.0:39630 0.0.0.0:* 105 8722 859/avahi-daemon: r
udp 0 0 0.0.0.0:5353 0.0.0.0:* 105 8720 859/avahi-daemon: r
udp 114240 0 0.0.0.0:631 0.0.0.0:* 0 8757 863/cupsd
udp 0 0 10.0.0.255:137 0.0.0.0:* 0 16541 828/nmbd
udp 0 0 10.0.0.1:137 0.0.0.0:* 0 16540 828/nmbd
udp 0 0 192.168.1.255:137 0.0.0.0:* 0 8625 828/nmbd
udp 0 0 192.168.1.200:137 0.0.0.0:* 0 8624 828/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 0 8621 828/nmbd
udp 0 0 10.0.0.255:138 0.0.0.0:* 0 16543 828/nmbd
udp 0 0 10.0.0.1:138 0.0.0.0:* 0 16542 828/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 0 8627 828/nmbd
udp 0 0 192.168.1.200:138 0.0.0.0:* 0 8626 828/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 0 8622 828/nmbd
udp 0 0 192.168.1.200:1194 0.0.0.0:* 0 16338 2240/openvpn
udp6 0 0 :::37071 :::* 105 8723 859/avahi-daemon: r
udp6 0 0 :::5353 :::* 105 8721 859/avahi-daemon: r
and in /etc/openvpn there are:
total 32
drwxr-xr-x 3 root root 4096 2012-01-22 09:46 .
drwxr-xr-x 136 root root 12288 2012-01-22 08:43 ..
-rw-r--r-- 1 root root 889 2012-01-22 10:00 client.conf
drwxr-xr-x 3 root root 4096 2012-01-06 12:53 easy-rsa2
-rw------- 1 root root 0 2012-01-06 13:17 ipp.txt
-rw-r--r-- 1 root root 1514 2012-01-22 09:28 server.conf
-rwxr-xr-x 1 root root 1357 2011-03-11 02:03 update-resolv-conf
|
Nefarius
Registered: 11 December 2008
Posts: 1275
|
It's clear that you get an error. The startup script enumerates all .conf files and tries to start each of them with OpenVPN. Just rename client.conf to client.conf.bak and restart the service. If it still won't, killall openvpn and start again.
|
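The bind failure and the two command outputs above are enough to diagnose this without guessing. The script below is an added example (not code from the thread): it parses an excerpt of the posted `netstat -tulpen` output and `/etc/openvpn` listing (both embedded as sample input), reports which process already holds UDP 1194 on the server's address (or on the wildcard address, which also blocks the bind), and lists the `*.conf` files the init script would start, following the behaviour the reply above describes.

```python
"""Find who holds a port and which OpenVPN configs the init script starts.

Added example (not from the thread). NETSTAT_SAMPLE and LS_SAMPLE are excerpts
of the outputs posted above; the "every *.conf in /etc/openvpn is started"
rule is the init-script behaviour described in the reply.
"""
import re

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 0 8672 800/smbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 8632 807/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 115 11005 1620/sshd: nx@notty
udp 0 0 0.0.0.0:5353 0.0.0.0:* 105 8720 859/avahi-daemon: r
udp 0 0 192.168.1.200:137 0.0.0.0:* 0 8624 828/nmbd
udp 0 0 192.168.1.200:1194 0.0.0.0:* 0 16338 2240/openvpn
udp6 0 0 :::5353 :::* 105 8721 859/avahi-daemon: r
"""

LS_SAMPLE = """\
total 32
drwxr-xr-x 3 root root 4096 2012-01-22 09:46 .
drwxr-xr-x 136 root root 12288 2012-01-22 08:43 ..
-rw-r--r-- 1 root root 889 2012-01-22 10:00 client.conf
drwxr-xr-x 3 root root 4096 2012-01-06 12:53 easy-rsa2
-rw------- 1 root root 0 2012-01-06 13:17 ipp.txt
-rw-r--r-- 1 root root 1514 2012-01-22 09:28 server.conf
-rwxr-xr-x 1 root root 1357 2011-03-11 02:03 update-resolv-conf
"""

# netstat -tulpen: the State column exists for TCP only, so it is optional here,
# and the program name may contain spaces ("sshd: nx@notty").
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:[A-Z_]+\s+)?(?P<user>\d+)\s+(?P<inode>\d+)\s+(?P<pid>\d+|-)(?:/(?P<prog>.*))?$"
)


def sockets(netstat_text):
    """Parse netstat -tulpen lines into dicts; the header and odd lines are skipped."""
    result = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)
        result.append({"proto": m["proto"], "addr": addr, "port": int(port),
                       "pid": m["pid"], "prog": (m["prog"] or "").strip()})
    return result


def conflicts(netstat_text, proto, addr, port):
    """Sockets that block a new bind to proto addr:port: same address, or the wildcard."""
    wildcard = "::" if proto.endswith("6") else "0.0.0.0"
    return [s for s in sockets(netstat_text)
            if s["proto"] == proto and s["port"] == port and s["addr"] in (addr, wildcard)]


def autostarted_configs(ls_text):
    """Regular files named *.conf in an ls -al listing: each one gets its own openvpn process."""
    return sorted(line.split()[-1] for line in ls_text.splitlines()
                  if line.startswith("-") and line.endswith(".conf"))


def diagnose(netstat_text, ls_text, proto, addr, port):
    """Explain an 'Address already in use' bind failure from the two command outputs."""
    holders = conflicts(netstat_text, proto, addr, port)
    configs = autostarted_configs(ls_text)
    verdict = ("port already bound by " + ", ".join(h["pid"] + "/" + h["prog"] for h in holders)
               if holders else "port is free")
    if len(configs) > 1:
        verdict += f"; {len(configs)} configs in /etc/openvpn are autostarted, rename the extra ones"
    return {
        "holders": [f'{s["pid"]}/{s["prog"]} on {s["addr"]}:{s["port"]}' for s in holders],
        "configs": configs,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(NETSTAT_SAMPLE, LS_SAMPLE, "udp", "192.168.1.200", 1194))
```

For the posted output the diagnosis names `2240/openvpn` on `192.168.1.200:1194` as the holder and `client.conf` plus `server.conf` as the files the init script would start, which matches the advice to rename `client.conf` and kill the stale process before restarting.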
klauschwein
(Thread starter)
Registered: 21 January 2012
Posts: 8
|
Thanks! I renamed client.conf and restarted the service. There does seem to be a problem with the certificates after all:
Sun Jan 22 12:34:12 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Sun Jan 22 12:34:12 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jan 22 12:34:12 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jan 22 12:34:15 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 22 12:34:15 2012 LZO compression initialized
Sun Jan 22 12:34:15 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 22 12:34:15 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 22 12:34:15 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jan 22 12:34:15 2012 Local Options hash (VER=V4): 'c6c7c21a'
Sun Jan 22 12:34:15 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Sun Jan 22 12:34:15 2012 UDPv4 link local: [undef]
Sun Jan 22 12:34:15 2012 UDPv4 link remote: <zensiert>:1194
Sun Jan 22 12:34:15 2012 TLS: Initial packet from <zensiert>:1194, sid=8cff47fa 08c4fb60
Sun Jan 22 12:34:16 2012 VERIFY OK: depth=1, /C=DE/ST=Thueringen/L=Erfurt
Sun Jan 22 12:34:16 2012 VERIFY ERROR: could not extract CN from X509 subject string ('/C=DE/ST=Thueringen') -- note that the username length is limited to 64 characters
Sun Jan 22 12:34:16 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 22 12:34:16 2012 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 22 12:34:16 2012 TLS Error: TLS handshake failed
Sun Jan 22 12:34:16 2012 TCP/UDP: Closing socket
Sun Jan 22 12:34:16 2012 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 22 12:34:16 2012 Restart pause, 2 second(s)
I guess I didn't pay attention to the "nomenclature" of the certificates (maybe I ignored case sensitivity?) - I suppose I'll have to create them again.
|
Nefarius
Registered: 11 December 2008
Posts: 1275
|
Then this time you'd best do it straight away with a proper guide 😉
|
klauschwein
(Thread starter)
Registered: 21 January 2012
Posts: 8
|
Yes, I'll do that. On my first attempt I also created the certificates with the easy-rsa script, but there were difficulties issuing further certificates afterwards. At least I've read about that... But your tutorial is really first-rate! I wish I'd had something this comprehensive and, above all, complete on my first attempt. I also just noticed that I should rename my "dummy user".
|
klauschwein
(Thread starter)
Registered: 21 January 2012
Posts: 8
|
Very nice! After a bit of tinkering the tunnel is up! Thanks Nefarius 👍 Here is the client log once more:
Mon Jan 23 09:59:36 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Jan 23 09:59:36 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 23 09:59:36 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jan 23 09:59:36 2012 LZO compression initialized
Mon Jan 23 09:59:36 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jan 23 09:59:36 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jan 23 09:59:36 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 23 09:59:36 2012 Local Options hash (VER=V4): 'c6c7c21a'
Mon Jan 23 09:59:36 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Mon Jan 23 09:59:36 2012 UDPv4 link local: [undef]
Mon Jan 23 09:59:36 2012 UDPv4 link remote: <zensiert>:1194
Mon Jan 23 09:59:36 2012 TLS: Initial packet from <zensiert>:1194, sid=355f3fee 3a0138a1
Mon Jan 23 09:59:36 2012 VERIFY OK: depth=1, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=VPN@LOKI_CA/emailAddress=damien_1427@gmx.de
Mon Jan 23 09:59:36 2012 VERIFY OK: depth=0, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=server/emailAddress=damien_1427@gmx.de
Mon Jan 23 09:59:36 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Mon Jan 23 09:59:36 2012 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Jan 23 09:59:36 2012 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Jan 23 09:59:36 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 09:59:36 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 09:59:36 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 09:59:36 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 09:59:36 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 23 09:59:36 2012 [server] Peer Connection Initiated with <zensiert>:1194
Mon Jan 23 09:59:39 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 23 09:59:39 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 255.255.255.0'
Mon Jan 23 09:59:39 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 23 09:59:39 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 23 09:59:39 2012 OPTIONS IMPORT: route options modified
Mon Jan 23 09:59:39 2012 ROUTE default_gateway=192.168.1.1
Mon Jan 23 09:59:39 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mon Jan 23 09:59:39 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Mon Jan 23 09:59:39 2012 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{705AEC37-E736-4233-91EA-57E0B67280B9}.tap
Mon Jan 23 09:59:39 2012 TAP-Win32 Driver Version 9.9
Mon Jan 23 09:59:39 2012 TAP-Win32 MTU=1500
Mon Jan 23 09:59:39 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.2/255.255.255.0 on interface {705AEC37-E736-4233-91EA-57E0B67280B9} [DHCP-serv: 10.0.0.0, lease-time: 31536000]
Mon Jan 23 09:59:39 2012 Successful ARP Flush on interface [16] {705AEC37-E736-4233-91EA-57E0B67280B9}
Mon Jan 23 09:59:44 2012 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Mon Jan 23 09:59:44 2012 Initialization Sequence Completed
Mon Jan 23 09:59:48 2012 Authenticate/Decrypt packet error: cipher final failed
What is that last line about? Is there a simple way to test the connection via VPN? At the moment the Win7 client always accesses the network drives locally. My machine doesn't seem to trust the whole thing yet, since the connection is listed as "Unidentified network" and the DHCP server given is not reachable either.
|
Nefarius
Registered: 11 December 2008
Posts: 1275
|
Mon Jan 23 09:59:36 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Mon Jan 23 09:59:36 2012 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Jan 23 09:59:36 2012 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
That already tells you what the last message is about 😉 These values must be the same on server and client; you should add the corresponding keywords to the server config:
link-mtu 1590
cipher AES-256-CBC
keysize 256
Best to test the tunnel "from outside", e.g. via a notebook that is on the network through a different Internet connection. "Unidentified network" appears because no default gateway is sent along. There is a fix for that too, but it isn't necessary if the connection works.
|
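The diagnosis Nefarius gives above (peers disagreeing on link-mtu, cipher and keysize, which then shows up as the "Authenticate/Decrypt packet error" on the data channel) and the certificate failure in klauschwein's earlier log (a VERIFY ERROR because the subject carried no CN) can both be read mechanically out of the client log. The Python script below is an added example, not code from this thread or from OpenVPN; the two sample logs are constructed from the lines quoted in the thread, and the rule that the server should adopt the client's (local) values follows Nefarius's advice. It also flags the "No server certificate verification method has been enabled" warning that every client log in this thread carries, which the linked OpenVPN howto addresses by adding ns-cert-type server (or, on 2.1 and later, remote-cert-tls server) to the client config.

```python
import re

# Constructed sample logs, modelled on the client logs quoted in this thread.
# Timestamps are placeholders; the censored server address is omitted.
LOG_CERT_FAILURE = """\
Sun Jan 22 12:34:16 2012 VERIFY OK: depth=1, /C=DE/ST=Thueringen/L=Erfurt
Sun Jan 22 12:34:16 2012 VERIFY ERROR: could not extract CN from X509 subject string ('/C=DE/ST=Thueringen') -- note that the username length is limited to 64 characters
Sun Jan 22 12:34:16 2012 TLS Error: TLS handshake failed
"""

LOG_CIPHER_MISMATCH = """\
Mon Jan 23 09:59:36 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 23 09:59:36 2012 VERIFY OK: depth=0, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=server
Mon Jan 23 09:59:36 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Mon Jan 23 09:59:36 2012 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Jan 23 09:59:36 2012 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Jan 23 09:59:44 2012 Initialization Sequence Completed
Mon Jan 23 09:59:48 2012 Authenticate/Decrypt packet error: cipher final failed
"""

# "Mon Jan 23 09:59:36 2012 " prefix that OpenVPN puts in front of every line.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
NO_CN_RE = re.compile(
    r"VERIFY ERROR: could not extract CN from X509 subject string \('(?P<subject>[^']*)'\)"
)


def messages(log_text):
    """Yield each non-empty log line with the leading timestamp removed."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield TIMESTAMP_RE.sub("", line)


def parse_mismatches(log_text):
    """Map each option the peers disagree on to (local value, remote value)."""
    mismatches = {}
    for msg in messages(log_text):
        m = INCONSISTENT_RE.search(msg)
        if m:
            mismatches[m.group("opt")] = (m.group("local"), m.group("remote"))
    return mismatches


def server_config_lines(mismatches):
    """Config lines that make the server match what the client (local side) uses."""
    return [local for local, _remote in mismatches.values()]


def findings(log_text, mismatches):
    """Human-readable findings in order of first appearance, one per kind."""
    out, seen = [], set()

    def add(key, text):
        if key not in seen:
            seen.add(key)
            out.append(text)

    for msg in messages(log_text):
        if msg.startswith("WARNING: No server certificate verification method"):
            add("no-server-verify",
                "client does not check that the peer certificate is a server certificate; "
                "add 'ns-cert-type server' (or 'remote-cert-tls server') to the client config")
        m = NO_CN_RE.search(msg)
        if m:
            add("no-cn", f"certificate subject '{m.group('subject')}' has no CN; reissue it with a CN")
        if msg.startswith("Authenticate/Decrypt packet error"):
            cause = ("the cipher/keysize mismatch above explains it" if "cipher" in mismatches
                     else "check that cipher and keysize match on both sides")
            add("decrypt-error", f"data-channel decrypt failure; {cause}")
    return out


def analyze(log_text):
    """Summarise one OpenVPN client log: mismatches, server lines to add, findings."""
    mismatches = parse_mismatches(log_text)
    return {
        "mismatches": mismatches,
        "server_config": server_config_lines(mismatches),
        "findings": findings(log_text, mismatches),
    }


if __name__ == "__main__":
    for name, log in (("cert failure", LOG_CERT_FAILURE), ("cipher mismatch", LOG_CIPHER_MISMATCH)):
        print(f"== {name} ==")
        for key, value in analyze(log).items():
            print(f"{key}: {value}")
```

Run it on a saved client log by passing the file's text to analyze(); for the thread's second log it yields exactly the three lines Nefarius proposed for the server config (link-mtu 1590, cipher AES-256-CBC, keysize 256) plus the certificate-verification note.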
klauschwein
(Thread starter)
Registered: 21 January 2012
Posts: 8
|
nice! client log:
Mon Jan 23 12:35:54 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Jan 23 12:35:54 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 23 12:35:54 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jan 23 12:35:55 2012 LZO compression initialized
Mon Jan 23 12:35:55 2012 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jan 23 12:35:55 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jan 23 12:35:55 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 23 12:35:55 2012 Local Options hash (VER=V4): 'c6c7c21a'
Mon Jan 23 12:35:55 2012 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Mon Jan 23 12:35:55 2012 UDPv4 link local: [undef]
Mon Jan 23 12:35:55 2012 UDPv4 link remote: <zensiert>:1194
Mon Jan 23 12:35:55 2012 TLS: Initial packet from <zensiert>:1194, sid=667077e6 6e31068c
Mon Jan 23 12:35:55 2012 VERIFY OK: depth=1, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=VPN@LOKI_CA/emailAddress=***@gmx.de
Mon Jan 23 12:35:55 2012 VERIFY OK: depth=0, /C=DE/ST=Thuer/L=Erfurt/O=VPN@LOKI/CN=server/emailAddress=***@gmx.de
Mon Jan 23 12:35:55 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 12:35:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 12:35:55 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 23 12:35:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 23 12:35:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 23 12:35:55 2012 [server] Peer Connection Initiated with <zensiert>:1194
Mon Jan 23 12:35:57 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 23 12:35:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 255.255.255.0'
Mon Jan 23 12:35:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 23 12:35:57 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 23 12:35:57 2012 OPTIONS IMPORT: route options modified
Mon Jan 23 12:35:57 2012 ROUTE default_gateway=192.168.1.1
Mon Jan 23 12:35:57 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mon Jan 23 12:35:57 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Mon Jan 23 12:35:57 2012 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{705AEC37-E736-4233-91EA-57E0B67280B9}.tap
Mon Jan 23 12:35:57 2012 TAP-Win32 Driver Version 9.9
Mon Jan 23 12:35:57 2012 TAP-Win32 MTU=1500
Mon Jan 23 12:35:57 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.2/255.255.255.0 on interface {705AEC37-E736-4233-91EA-57E0B67280B9} [DHCP-serv: 10.0.0.0, lease-time: 31536000]
Mon Jan 23 12:35:57 2012 Successful ARP Flush on interface [16] {705AEC37-E736-4233-91EA-57E0B67280B9}
Mon Jan 23 12:36:02 2012 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Mon Jan 23 12:36:02 2012 Initialization Sequence Completed
Well then, I'll test it and report back - might be tonight!
Nefarius, first of all a big THX ☺ Once the test has been successful, I'll set the thread to <solved>.
|