Hello,
I have tried to set up a VPN server on my Raspberry Pi in order to route my mobile data traffic through this VPN tunnel. The goal is to be able to have secure traffic to the Internet even on untrusted networks, by sending all network traffic through the RPi and my home network. At the same time I want to be able to reach the hosts on the home network (e.g. the NAS).
Layout of the home network:
The router has the IP address 192.168.0.1
The RPi has the IP address 192.168.0.5 and is connected via WLAN.
The access attempt is made from a laptop in a public WLAN. The laptop has the public IP 178.xx.xx.xx (according to wieistmeineip.de)
The home network is reachable via a static IP 166.xx.xx.xx
Server configuration
$ cat /etc/openvpn/openvpn.conf
local 192.168.0.5
dev tun
proto udp
port 1194

ca /etc/openvpn/easy-rsa2/pki/ca.crt
cert /etc/openvpn/easy-rsa2/pki/issued/server.crt
key /etc/openvpn/easy-rsa2/pki/private/server.key
dh /etc/openvpn/easy-rsa2/pki/dh2048.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 8.8.8.8"
push "route 192.168.0.0 255.255.255.0"

verb 4
persist-key
persist-tun
client-to-client
comp-lzo
user nobody
group nogroup
remote-cert-tls client
keepalive 10 120
In addition I created an init.d script that enables ip_forwarding and adjusts iptables:
$ cat /etc/init.d/rpivpn
#! /bin/sh
### BEGIN INIT INFO
# Provides:          rpivpn
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: VPN initialization script
### END INIT INFO

echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE
Client configuration
$ cat laptop.ovpn
client
dev tun
proto udp
remote 166.xxx.xx.xx 1194
resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/laptop.crt
key /etc/openvpn/laptop.key

comp-lzo
verb 3
mute 20
remote-cert-tls server
What works?
I can start the server. The log looks like this:
$ sudo openvpn /etc/openvpn/openvpn.conf
Thu Jan 7 20:03:28 2021 us=57855 Current Parameter Settings:
Thu Jan 7 20:03:28 2021 us=58056 config = '/etc/openvpn/openvpn.conf'
Thu Jan 7 20:03:28 2021 us=58111 mode = 1
Thu Jan 7 20:03:28 2021 us=58160 persist_config = DISABLED
Thu Jan 7 20:03:28 2021 us=58210 persist_mode = 1
Thu Jan 7 20:03:28 2021 us=58258 show_ciphers = DISABLED
Thu Jan 7 20:03:28 2021 us=58306 show_digests = DISABLED
Thu Jan 7 20:03:28 2021 us=58355 show_engines = DISABLED
Thu Jan 7 20:03:28 2021 us=58402 genkey = DISABLED
Thu Jan 7 20:03:28 2021 us=58447 key_pass_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=58493 show_tls_ciphers = DISABLED
Thu Jan 7 20:03:28 2021 us=58545 connect_retry_max = 0
Thu Jan 7 20:03:28 2021 us=58594 Connection profiles [0]:
Thu Jan 7 20:03:28 2021 us=58645 proto = udp
Thu Jan 7 20:03:28 2021 us=58693 local = '192.168.0.5'
Thu Jan 7 20:03:28 2021 us=58740 local_port = '1194'
Thu Jan 7 20:03:28 2021 us=58787 remote = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=58835 remote_port = '1194'
Thu Jan 7 20:03:28 2021 us=58883 remote_float = DISABLED
Thu Jan 7 20:03:28 2021 us=58932 bind_defined = DISABLED
Thu Jan 7 20:03:28 2021 us=58980 bind_local = ENABLED
Thu Jan 7 20:03:28 2021 us=59028 bind_ipv6_only = DISABLED
Thu Jan 7 20:03:28 2021 us=59077 connect_retry_seconds = 5
Thu Jan 7 20:03:28 2021 us=59125 connect_timeout = 120
Thu Jan 7 20:03:28 2021 us=59173 socks_proxy_server = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=59221 socks_proxy_port = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=59269 tun_mtu = 1500
Thu Jan 7 20:03:28 2021 us=59317 tun_mtu_defined = ENABLED
Thu Jan 7 20:03:28 2021 us=59365 link_mtu = 1500
Thu Jan 7 20:03:28 2021 us=59412 link_mtu_defined = DISABLED
Thu Jan 7 20:03:28 2021 us=59460 tun_mtu_extra = 0
Thu Jan 7 20:03:28 2021 us=59507 tun_mtu_extra_defined = DISABLED
Thu Jan 7 20:03:28 2021 us=59556 mtu_discover_type = -1
Thu Jan 7 20:03:28 2021 us=59603 fragment = 0
Thu Jan 7 20:03:28 2021 us=59651 mssfix = 1450
Thu Jan 7 20:03:28 2021 us=59698 explicit_exit_notification = 0
Thu Jan 7 20:03:28 2021 us=59747 Connection profiles END
Thu Jan 7 20:03:28 2021 us=59794 remote_random = DISABLED
Thu Jan 7 20:03:28 2021 us=59842 ipchange = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=59890 dev = 'tun'
Thu Jan 7 20:03:28 2021 us=59937 dev_type = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=59984 dev_node = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=60031 lladdr = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=60079 topology = 1
Thu Jan 7 20:03:28 2021 us=60126 ifconfig_local = '10.8.0.1'
Thu Jan 7 20:03:28 2021 us=60175 ifconfig_remote_netmask = '10.8.0.2'
Thu Jan 7 20:03:28 2021 us=60223 ifconfig_noexec = DISABLED
Thu Jan 7 20:03:28 2021 us=60271 ifconfig_nowarn = DISABLED
Thu Jan 7 20:03:28 2021 us=60319 ifconfig_ipv6_local = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=60367 ifconfig_ipv6_netbits = 0
Thu Jan 7 20:03:28 2021 us=60414 ifconfig_ipv6_remote = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=60462 shaper = 0
Thu Jan 7 20:03:28 2021 us=60510 mtu_test = 0
Thu Jan 7 20:03:28 2021 us=60555 mlock = DISABLED
Thu Jan 7 20:03:28 2021 us=60603 keepalive_ping = 10
Thu Jan 7 20:03:28 2021 us=60651 keepalive_timeout = 120
Thu Jan 7 20:03:28 2021 us=60698 inactivity_timeout = 0
Thu Jan 7 20:03:28 2021 us=60746 ping_send_timeout = 10
Thu Jan 7 20:03:28 2021 us=60794 ping_rec_timeout = 240
Thu Jan 7 20:03:28 2021 us=60841 ping_rec_timeout_action = 2
Thu Jan 7 20:03:28 2021 us=60889 ping_timer_remote = DISABLED
Thu Jan 7 20:03:28 2021 us=60937 remap_sigusr1 = 0
Thu Jan 7 20:03:28 2021 us=60985 persist_tun = ENABLED
Thu Jan 7 20:03:28 2021 us=61032 persist_local_ip = DISABLED
Thu Jan 7 20:03:28 2021 us=61079 persist_remote_ip = DISABLED
Thu Jan 7 20:03:28 2021 us=61127 persist_key = ENABLED
Thu Jan 7 20:03:28 2021 us=61174 passtos = DISABLED
Thu Jan 7 20:03:28 2021 us=61222 resolve_retry_seconds = 1000000000
Thu Jan 7 20:03:28 2021 us=61270 resolve_in_advance = DISABLED
Thu Jan 7 20:03:28 2021 us=61318 username = 'nobody'
Thu Jan 7 20:03:28 2021 us=61365 groupname = 'nogroup'
Thu Jan 7 20:03:28 2021 us=61413 chroot_dir = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=61461 cd_dir = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=61508 writepid = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=61556 up_script = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=61604 down_script = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=61652 down_pre = DISABLED
Thu Jan 7 20:03:28 2021 us=61699 up_restart = DISABLED
Thu Jan 7 20:03:28 2021 us=61746 up_delay = DISABLED
Thu Jan 7 20:03:28 2021 us=61794 daemon = DISABLED
Thu Jan 7 20:03:28 2021 us=61841 inetd = 0
Thu Jan 7 20:03:28 2021 us=61887 log = DISABLED
Thu Jan 7 20:03:28 2021 us=61935 suppress_timestamps = DISABLED
Thu Jan 7 20:03:28 2021 us=61982 machine_readable_output = DISABLED
Thu Jan 7 20:03:28 2021 us=62030 nice = 0
Thu Jan 7 20:03:28 2021 us=62077 verbosity = 4
Thu Jan 7 20:03:28 2021 us=62124 mute = 0
Thu Jan 7 20:03:28 2021 us=62171 gremlin = 0
Thu Jan 7 20:03:28 2021 us=62220 status_file = '/var/log/openvpn/openvpn-status.log'
Thu Jan 7 20:03:28 2021 us=62269 status_file_version = 1
Thu Jan 7 20:03:28 2021 us=62316 status_file_update_freq = 60
Thu Jan 7 20:03:28 2021 us=62364 occ = ENABLED
Thu Jan 7 20:03:28 2021 us=62411 rcvbuf = 0
Thu Jan 7 20:03:28 2021 us=62459 sndbuf = 0
Thu Jan 7 20:03:28 2021 us=62507 mark = 0
Thu Jan 7 20:03:28 2021 us=62555 sockflags = 0
Thu Jan 7 20:03:28 2021 us=62603 fast_io = DISABLED
Thu Jan 7 20:03:28 2021 us=62650 comp.alg = 2
Thu Jan 7 20:03:28 2021 us=62698 comp.flags = 1
Thu Jan 7 20:03:28 2021 us=62745 route_script = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=62794 route_default_gateway = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=62842 route_default_metric = 0
Thu Jan 7 20:03:28 2021 us=62890 route_noexec = DISABLED
Thu Jan 7 20:03:28 2021 us=62938 route_delay = 0
Thu Jan 7 20:03:28 2021 us=62986 route_delay_window = 30
Thu Jan 7 20:03:28 2021 us=63034 route_delay_defined = DISABLED
Thu Jan 7 20:03:28 2021 us=63082 route_nopull = DISABLED
Thu Jan 7 20:03:28 2021 us=63130 route_gateway_via_dhcp = DISABLED
Thu Jan 7 20:03:28 2021 us=63178 allow_pull_fqdn = DISABLED
Thu Jan 7 20:03:28 2021 us=63229 route 10.8.0.0/255.255.255.0/default (not set)/default (not set)
Thu Jan 7 20:03:28 2021 us=63278 management_addr = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=63326 management_port = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=63375 management_user_pass = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=63424 management_log_history_cache = 250
Thu Jan 7 20:03:28 2021 us=63473 management_echo_buffer_size = 100
Thu Jan 7 20:03:28 2021 us=63522 management_write_peer_info_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=63572 management_client_user = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=63621 management_client_group = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=63669 management_flags = 0
Thu Jan 7 20:03:28 2021 us=63718 shared_secret_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=63767 key_direction = not set
Thu Jan 7 20:03:28 2021 us=63814 ciphername = 'BF-CBC'
Thu Jan 7 20:03:28 2021 us=63862 ncp_enabled = ENABLED
Thu Jan 7 20:03:28 2021 us=63911 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Jan 7 20:03:28 2021 us=63960 authname = 'SHA1'
Thu Jan 7 20:03:28 2021 us=64008 prng_hash = 'SHA1'
Thu Jan 7 20:03:28 2021 us=64056 prng_nonce_secret_len = 16
Thu Jan 7 20:03:28 2021 us=64104 keysize = 0
Thu Jan 7 20:03:28 2021 us=64152 engine = DISABLED
Thu Jan 7 20:03:28 2021 us=64200 replay = ENABLED
Thu Jan 7 20:03:28 2021 us=64247 mute_replay_warnings = DISABLED
Thu Jan 7 20:03:28 2021 us=64296 replay_window = 64
Thu Jan 7 20:03:28 2021 us=64344 replay_time = 15
Thu Jan 7 20:03:28 2021 us=64392 packet_id_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=64441 use_iv = ENABLED
Thu Jan 7 20:03:28 2021 us=64489 test_crypto = DISABLED
Thu Jan 7 20:03:28 2021 us=64537 tls_server = ENABLED
Thu Jan 7 20:03:28 2021 us=64585 tls_client = DISABLED
Thu Jan 7 20:03:28 2021 us=64689 key_method = 2
Thu Jan 7 20:03:28 2021 us=64741 ca_file = '/etc/openvpn/easy-rsa2/pki/ca.crt'
Thu Jan 7 20:03:28 2021 us=64791 ca_path = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=64840 dh_file = '/etc/openvpn/easy-rsa2/pki/dh2048.pem'
Thu Jan 7 20:03:28 2021 us=64891 cert_file = '/etc/openvpn/easy-rsa2/pki/issued/server.crt'
Thu Jan 7 20:03:28 2021 us=64941 extra_certs_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=64991 priv_key_file = '/etc/openvpn/easy-rsa2/pki/private/server.key'
Thu Jan 7 20:03:28 2021 us=65041 pkcs12_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65090 cipher_list = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65138 cipher_list_tls13 = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65187 tls_cert_profile = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65236 tls_verify = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65285 tls_export_cert = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65333 verify_x509_type = 0
Thu Jan 7 20:03:28 2021 us=65383 verify_x509_name = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65432 crl_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=65481 ns_cert_type = 0
Thu Jan 7 20:03:28 2021 us=65531 remote_cert_ku[i] = 65535
Thu Jan 7 20:03:28 2021 us=65580 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65628 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65676 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65724 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65773 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65821 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65870 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65918 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=65966 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=66015 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=66063 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=66111 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=66159 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=66208 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=66255 remote_cert_ku[i] = 0
Thu Jan 7 20:03:28 2021 us=66305 remote_cert_eku = 'TLS Web Client Authentication'
Thu Jan 7 20:03:28 2021 us=66355 ssl_flags = 0
Thu Jan 7 20:03:28 2021 us=66404 tls_timeout = 2
Thu Jan 7 20:03:28 2021 us=66452 renegotiate_bytes = -1
Thu Jan 7 20:03:28 2021 us=66501 renegotiate_packets = 0
Thu Jan 7 20:03:28 2021 us=66550 renegotiate_seconds = 3600
Thu Jan 7 20:03:28 2021 us=66599 handshake_window = 60
Thu Jan 7 20:03:28 2021 us=66647 transition_window = 3600
Thu Jan 7 20:03:28 2021 us=66696 single_session = DISABLED
Thu Jan 7 20:03:28 2021 us=66745 push_peer_info = DISABLED
Thu Jan 7 20:03:28 2021 us=66793 tls_exit = DISABLED
Thu Jan 7 20:03:28 2021 us=66842 tls_auth_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=66891 tls_crypt_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=66940 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=66990 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67040 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67089 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67139 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67187 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67237 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67287 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67337 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67386 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67455 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67506 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67556 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67607 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67656 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67706 pkcs11_protected_authentication = DISABLED
Thu Jan 7 20:03:28 2021 us=67757 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=67806 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=67856 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=67905 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=67955 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68004 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68053 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68102 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68150 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68199 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68247 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68295 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68344 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68394 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68442 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68491 pkcs11_private_mode = 00000000
Thu Jan 7 20:03:28 2021 us=68540 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68589 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68638 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68686 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68735 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68784 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68832 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68881 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68929 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=68977 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=69025 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=69073 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=69121 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=69169 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=69218 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=69267 pkcs11_cert_private = DISABLED
Thu Jan 7 20:03:28 2021 us=69317 pkcs11_pin_cache_period = -1
Thu Jan 7 20:03:28 2021 us=69365 pkcs11_id = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=69414 pkcs11_id_management = DISABLED
Thu Jan 7 20:03:28 2021 us=69468 server_network = 10.8.0.0
Thu Jan 7 20:03:28 2021 us=69522 server_netmask = 255.255.255.0
Thu Jan 7 20:03:28 2021 us=69575 server_network_ipv6 = ::
Thu Jan 7 20:03:28 2021 us=69625 server_netbits_ipv6 = 0
Thu Jan 7 20:03:28 2021 us=69678 server_bridge_ip = 0.0.0.0
Thu Jan 7 20:03:28 2021 us=69730 server_bridge_netmask = 0.0.0.0
Thu Jan 7 20:03:28 2021 us=69783 server_bridge_pool_start = 0.0.0.0
Thu Jan 7 20:03:28 2021 us=69835 server_bridge_pool_end = 0.0.0.0
Thu Jan 7 20:03:28 2021 us=69885 push_entry = 'redirect-gateway def1'
Thu Jan 7 20:03:28 2021 us=69935 push_entry = 'dhcp-option DNS 9.9.9.9'
Thu Jan 7 20:03:28 2021 us=69984 push_entry = 'dhcp-option DNS 8.8.8.8'
Thu Jan 7 20:03:28 2021 us=70035 push_entry = 'route 192.168.0.0 255.255.255.0'
Thu Jan 7 20:03:28 2021 us=70085 push_entry = 'route 10.8.0.0 255.255.255.0'
Thu Jan 7 20:03:28 2021 us=70134 push_entry = 'topology net30'
Thu Jan 7 20:03:28 2021 us=70182 push_entry = 'ping 10'
Thu Jan 7 20:03:28 2021 us=70231 push_entry = 'ping-restart 120'
Thu Jan 7 20:03:28 2021 us=70279 ifconfig_pool_defined = ENABLED
Thu Jan 7 20:03:28 2021 us=70330 ifconfig_pool_start = 10.8.0.4
Thu Jan 7 20:03:28 2021 us=70382 ifconfig_pool_end = 10.8.0.251
Thu Jan 7 20:03:28 2021 us=70435 ifconfig_pool_netmask = 0.0.0.0
Thu Jan 7 20:03:28 2021 us=70484 ifconfig_pool_persist_filename = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=70535 ifconfig_pool_persist_refresh_freq = 600
Thu Jan 7 20:03:28 2021 us=70585 ifconfig_ipv6_pool_defined = DISABLED
Thu Jan 7 20:03:28 2021 us=70637 ifconfig_ipv6_pool_base = ::
Thu Jan 7 20:03:28 2021 us=70687 ifconfig_ipv6_pool_netbits = 0
Thu Jan 7 20:03:28 2021 us=70735 n_bcast_buf = 256
Thu Jan 7 20:03:28 2021 us=70784 tcp_queue_limit = 64
Thu Jan 7 20:03:28 2021 us=70833 real_hash_size = 256
Thu Jan 7 20:03:28 2021 us=70880 virtual_hash_size = 256
Thu Jan 7 20:03:28 2021 us=70927 client_connect_script = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=70976 learn_address_script = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=71024 client_disconnect_script = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=71073 client_config_dir = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=71121 ccd_exclusive = DISABLED
Thu Jan 7 20:03:28 2021 us=71169 tmp_dir = '/tmp'
Thu Jan 7 20:03:28 2021 us=71217 push_ifconfig_defined = DISABLED
Thu Jan 7 20:03:28 2021 us=71271 push_ifconfig_local = 0.0.0.0
Thu Jan 7 20:03:28 2021 us=71323 push_ifconfig_remote_netmask = 0.0.0.0
Thu Jan 7 20:03:28 2021 us=71372 push_ifconfig_ipv6_defined = DISABLED
Thu Jan 7 20:03:28 2021 us=71424 push_ifconfig_ipv6_local = ::/0
Thu Jan 7 20:03:28 2021 us=71476 push_ifconfig_ipv6_remote = ::
Thu Jan 7 20:03:28 2021 us=71524 enable_c2c = ENABLED
Thu Jan 7 20:03:28 2021 us=71572 duplicate_cn = DISABLED
Thu Jan 7 20:03:28 2021 us=71620 cf_max = 0
Thu Jan 7 20:03:28 2021 us=71668 cf_per = 0
Thu Jan 7 20:03:28 2021 us=71716 max_clients = 1024
Thu Jan 7 20:03:28 2021 us=71764 max_routes_per_client = 256
Thu Jan 7 20:03:28 2021 us=71813 auth_user_pass_verify_script = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=71862 auth_user_pass_verify_script_via_file = DISABLED
Thu Jan 7 20:03:28 2021 us=71911 auth_token_generate = DISABLED
Thu Jan 7 20:03:28 2021 us=71959 auth_token_lifetime = 0
Thu Jan 7 20:03:28 2021 us=72007 port_share_host = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=72054 port_share_port = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=72102 client = DISABLED
Thu Jan 7 20:03:28 2021 us=72149 pull = DISABLED
Thu Jan 7 20:03:28 2021 us=72198 auth_user_pass_file = '[UNDEF]'
Thu Jan 7 20:03:28 2021 us=72252 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Thu Jan 7 20:03:28 2021 us=72327 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Thu Jan 7 20:03:28 2021 us=73169 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jan 7 20:03:28 2021 us=74791 Diffie-Hellman initialized with 2048 bit key
Thu Jan 7 20:03:28 2021 us=76602 TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Jan 7 20:03:28 2021 us=77028 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=b8:27:eb:7d:78:c4
Thu Jan 7 20:03:28 2021 us=78549 TUN/TAP device tun0 opened
Thu Jan 7 20:03:28 2021 us=78916 TUN/TAP TX queue length set to 100
Thu Jan 7 20:03:28 2021 us=79071 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jan 7 20:03:28 2021 us=79199 /sbin/ip link set dev tun0 up mtu 1500
Thu Jan 7 20:03:28 2021 us=88734 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Jan 7 20:03:28 2021 us=97605 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Jan 7 20:03:28 2021 us=105894 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Jan 7 20:03:28 2021 us=107328 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Jan 7 20:03:28 2021 us=107460 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jan 7 20:03:28 2021 us=107561 UDPv4 link local (bound): [AF_INET]192.168.0.5:1194
Thu Jan 7 20:03:28 2021 us=107616 UDPv4 link remote: [AF_UNSPEC]
Thu Jan 7 20:03:28 2021 us=107682 GID set to nogroup
Thu Jan 7 20:03:28 2021 us=107749 UID set to nobody
Thu Jan 7 20:03:28 2021 us=107823 MULTI: multi_init called, r=256 v=256
Thu Jan 7 20:03:28 2021 us=107941 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jan 7 20:03:28 2021 us=108092 Initialization Sequence Completed
I can connect the client to the server:
$ sudo openvpn laptop.ovpn
Thu Jan 7 20:04:45 2021 WARNING: file '/etc/openvpn/laptop.key' is group or others accessible
Thu Jan 7 20:04:45 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
Thu Jan 7 20:04:45 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Thu Jan 7 20:04:45 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]166.xx.xx.xx:1194
Thu Jan 7 20:04:45 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jan 7 20:04:45 2021 UDP link local: (not bound)
Thu Jan 7 20:04:45 2021 UDP link remote: [AF_INET]166.xx.xx.xx:1194
Thu Jan 7 20:04:45 2021 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jan 7 20:04:45 2021 TLS: Initial packet from [AF_INET]166.xx.xx.xx:1194, sid=2d8b4856 b27e4c11
Thu Jan 7 20:04:45 2021 VERIFY OK: depth=1, CN=Easy-RSA HAL
Thu Jan 7 20:04:45 2021 VERIFY KU OK
Thu Jan 7 20:04:45 2021 Validating certificate extended key usage
Thu Jan 7 20:04:45 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 7 20:04:45 2021 VERIFY EKU OK
Thu Jan 7 20:04:45 2021 VERIFY OK: depth=0, CN=server
Thu Jan 7 20:04:45 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jan 7 20:04:45 2021 [server] Peer Connection Initiated with [AF_INET]166.xx.xx.xx:1194
Thu Jan 7 20:04:46 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 7 20:04:46 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 9.9.9.9,dhcp-option DNS 8.8.8.8,route 192.168.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Thu Jan 7 20:04:46 2021 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 7 20:04:46 2021 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 7 20:04:46 2021 OPTIONS IMPORT: route options modified
Thu Jan 7 20:04:46 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 7 20:04:46 2021 OPTIONS IMPORT: peer-id set
Thu Jan 7 20:04:46 2021 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jan 7 20:04:46 2021 OPTIONS IMPORT: data channel crypto options modified
Thu Jan 7 20:04:46 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 7 20:04:46 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 7 20:04:46 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 7 20:04:46 2021 ROUTE_GATEWAY 100.xx.xx.xx/255.252.0.0 IFACE=wlp3s0 HWADDR=bc:77:37:52:22:1d
Thu Jan 7 20:04:46 2021 TUN/TAP device tun0 opened
Thu Jan 7 20:04:46 2021 TUN/TAP TX queue length set to 100
Thu Jan 7 20:04:46 2021 /sbin/ip link set dev tun0 up mtu 1500
Thu Jan 7 20:04:46 2021 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Jan 7 20:04:46 2021 /sbin/ip route add 166.xx.xx.xx/32 via 100.xx.xx.xx
RTNETLINK answers: File exists
Thu Jan 7 20:04:46 2021 ERROR: Linux route add command failed: external program exited with error status: 2
Thu Jan 7 20:04:46 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Thu Jan 7 20:04:46 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Thu Jan 7 20:04:46 2021 /sbin/ip route add 192.168.0.0/24 via 10.8.0.5
Thu Jan 7 20:04:46 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Thu Jan 7 20:04:46 2021 GID set to nogroup
Thu Jan 7 20:04:46 2021 UID set to nobody
Thu Jan 7 20:04:46 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 7 20:04:46 2021 Initialization Sequence Completed
Server log at connection time:
Thu Jan 7 20:04:45 2021 us=60578 MULTI: multi_create_instance called
Thu Jan 7 20:04:45 2021 us=60928 178.xx.xx.xx:41824 Re-using SSL/TLS context
Thu Jan 7 20:04:45 2021 us=61026 178.xx.xx.xx:41824 LZO compression initializing
Thu Jan 7 20:04:45 2021 us=61651 178.xx.xx.xx:41824 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Jan 7 20:04:45 2021 us=61765 178.xx.xx.xx:41824 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Jan 7 20:04:45 2021 us=61998 178.xx.xx.xx:41824 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Jan 7 20:04:45 2021 us=62087 178.xx.xx.xx:41824 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Jan 7 20:04:45 2021 us=62273 178.xx.xx.xx:41824 TLS: Initial packet from [AF_INET]178.xx.xx.xx:41824, sid=c375ef7c 4afbe939
Thu Jan 7 20:04:45 2021 us=201384 178.xx.xx.xx:41824 VERIFY OK: depth=1, CN=Easy-RSA HAL
Thu Jan 7 20:04:45 2021 us=202435 178.xx.xx.xx:41824 VERIFY KU OK
Thu Jan 7 20:04:45 2021 us=202528 178.xx.xx.xx:41824 Validating certificate extended key usage
Thu Jan 7 20:04:45 2021 us=202589 178.xx.xx.xx:41824 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Thu Jan 7 20:04:45 2021 us=202646 178.xx.xx.xx:41824 VERIFY EKU OK
Thu Jan 7 20:04:45 2021 us=202697 178.xx.xx.xx:41824 VERIFY OK: depth=0, CN=laptop
Thu Jan 7 20:04:45 2021 us=204592 178.xx.xx.xx:41824 peer info: IV_VER=2.4.7
Thu Jan 7 20:04:45 2021 us=204773 178.xx.xx.xx:41824 peer info: IV_PLAT=linux
Thu Jan 7 20:04:45 2021 us=204835 178.xx.xx.xx:41824 peer info: IV_PROTO=2
Thu Jan 7 20:04:45 2021 us=204893 178.xx.xx.xx:41824 peer info: IV_NCP=2
Thu Jan 7 20:04:45 2021 us=204950 178.xx.xx.xx:41824 peer info: IV_LZ4=1
Thu Jan 7 20:04:45 2021 us=205005 178.xx.xx.xx:41824 peer info: IV_LZ4v2=1
Thu Jan 7 20:04:45 2021 us=205060 178.xx.xx.xx:41824 peer info: IV_LZO=1
Thu Jan 7 20:04:45 2021 us=205117 178.xx.xx.xx:41824 peer info: IV_COMP_STUB=1
Thu Jan 7 20:04:45 2021 us=205174 178.xx.xx.xx:41824 peer info: IV_COMP_STUBv2=1
Thu Jan 7 20:04:45 2021 us=205233 178.xx.xx.xx:41824 peer info: IV_TCPNL=1
Thu Jan 7 20:04:45 2021 us=240785 178.xx.xx.xx:41824 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jan 7 20:04:45 2021 us=240959 178.xx.xx.xx:41824 [laptop] Peer Connection Initiated with [AF_INET]178.xx.xx.xx:41824
Thu Jan 7 20:04:45 2021 us=241087 laptop/178.xx.xx.xx:41824 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Jan 7 20:04:45 2021 us=241316 laptop/178.xx.xx.xx:41824 MULTI: Learn: 10.8.0.6 -> laptop/178.xx.xx.xx:41824
Thu Jan 7 20:04:45 2021 us=241387 laptop/178.xx.xx.xx:41824 MULTI: primary virtual IP for laptop/178.xx.xx.xx:41824: 10.8.0.6
Thu Jan 7 20:04:46 2021 us=405577 laptop/178.xx.xx.xx:41824 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan 7 20:04:46 2021 us=405937 laptop/178.xx.xx.xx:41824 SENT CONTROL [laptop]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 9.9.9.9,dhcp-option DNS 8.8.8.8,route 192.168.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Jan 7 20:04:46 2021 us=406045 laptop/178.xx.xx.xx:41824 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 7 20:04:46 2021 us=406185 laptop/178.xx.xx.xx:41824 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Thu Jan 7 20:04:46 2021 us=406903 laptop/178.xx.xx.xx:41824 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 7 20:04:46 2021 us=407013 laptop/178.xx.xx.xx:41824 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
What does not work?
I can neither reach an address in the VPN/home network (e.g. a NAS), nor connect to a website.
Server log:
Thu Jan 7 20:04:47 2021 us=480547 laptop/178.xx.xx.xx:41824 MULTI: bad source address from client [100.xx.xx.xx], packet dropped
The laptop's local IP address in the public WLAN is:
$ ifconfig
enp10s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 14:fe:b5:aa:34:42  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255

wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 100.xx.xx.xx  netmask 255.252.0.0  broadcast 100.xx.xx.xx
Unfortunately I do not know what I did wrong, and I have no starting point from which to continue debugging the problem or the configuration.
I would be grateful if you could help me.
Best regards
Moderated by kB:
Moved from the forum "Netzwerk und Internetzugang einrichten" to a more suitable forum section. Please take note of the topics marked as important ("Welche Themen gehören hier her und welche nicht?") in each forum! Thanks.
Edited by sebix:
Please choose a meaningful title in future!
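As an added example that is not part of the original post and not OpenVPN project code: a small Python triage helper for the server log above. OpenVPN's server only forwards a packet arriving from a client instance if its source address is one the server has learned for that instance (the "MULTI: Learn: 10.8.0.6 -> laptop/..." line) or is covered by an iroute; anything else produces exactly the "MULTI: bad source address ... packet dropped" line quoted in the post. The helper pairs each drop with the addresses learned for that client and classifies the offending source against the tunnel subnet and the RFC 1918 / RFC 6598 ranges, which tells you at a glance whether the client emitted the packet with its tunnel address or with its physical WLAN address. The sample lines are constructed from the ones quoted above; the masked 100.xx.xx.xx is replaced by the placeholder 100.64.1.2, and the netmask 255.252.0.0 shown by ifconfig matches a 100.64.0.0/10 carrier-grade NAT assignment.

```python
"""Correlate OpenVPN "bad source address" drops with learned client addresses.

Added example for this thread; the log lines are constructed from the post,
with the masked client address replaced by the placeholder 100.64.1.2.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant server-log lines from the post.
SAMPLE_LOG = """\
Thu Jan 7 20:04:45 2021 us=241087 laptop/178.xx.xx.xx:41824 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Jan 7 20:04:45 2021 us=241316 laptop/178.xx.xx.xx:41824 MULTI: Learn: 10.8.0.6 -> laptop/178.xx.xx.xx:41824
Thu Jan 7 20:04:46 2021 us=406045 laptop/178.xx.xx.xx:41824 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 7 20:04:47 2021 us=480547 laptop/178.xx.xx.xx:41824 MULTI: bad source address from client [100.64.1.2], packet dropped
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "MULTI: Learn: <vip> -> <cn>/<realaddr>:<port>"
LEARN_RE = re.compile(rf"MULTI: Learn: (?P<vip>{IPV4}) -> (?P<client>\S+)")
# "<cn>/<realaddr>:<port> MULTI: bad source address from client [<src>], packet dropped"
DROP_RE = re.compile(
    rf"(?P<client>\S+) MULTI: bad source address from client \[(?P<src>{IPV4})\], packet dropped"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_source(addr):
    """Name the address family a dropped source falls into (explicit ranges, no library heuristics)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "private (RFC 1918)"
    if ip in SHARED_CGNAT:
        return "shared address space (RFC 6598, carrier-grade NAT)"
    return "public"


def learned_addresses(log_text):
    """Map each client instance (cn/realaddr:port) to the virtual IPs the server learned for it."""
    learned = defaultdict(set)
    for line in log_text.splitlines():
        m = LEARN_RE.search(line)
        if m:
            learned[m.group("client")].add(ipaddress.ip_address(m.group("vip")))
    return learned


def triage_drops(log_text, tunnel_net="10.8.0.0/24"):
    """Return one finding per 'bad source address' line, joined with what the server learned."""
    net = ipaddress.ip_network(tunnel_net)
    learned = learned_addresses(log_text)
    findings = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        client = m.group("client")
        src = ipaddress.ip_address(m.group("src"))
        findings.append({
            "client": client,
            "common_name": client.split("/", 1)[0],
            "source": str(src),
            "source_kind": classify_source(src),
            "learned": sorted(str(v) for v in learned.get(client, ())),
            "in_tunnel_subnet": src in net,
        })
    return findings


if __name__ == "__main__":
    for f in triage_drops(SAMPLE_LOG):
        where = "inside" if f["in_tunnel_subnet"] else "outside"
        print(f"{f['common_name']}: dropped source {f['source']} ({f['source_kind']}), "
              f"{where} tunnel subnet; learned for this client: {f['learned'] or 'none'}")
```

Run against a real log file, the interesting case is a finding whose source is outside the tunnel subnet while the client has a learned 10.8.0.x address: the packet left the client with a non-tunnel source, so the fault is on the client's side of the tunnel (its routing or source-address selection, or a host behind it with no iroute on the server), not in the server's iptables or NAT rules.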