Дмитрий Вагин

Forum Members
  • Posts

    5
Equipment

  • Keenetic
    Giga II Rev. A

  1. I connected it on my home internet, and everything is bad :(

     client
     dev tun
     proto udp
     cipher AES-256-CBC
     remote 91.191.231.34 1196
     resolv-retry infinite
     nobind
     ncp-disable
     persist-key
     persist-tun
     ns-cert-type server
     verb 3
     key-direction 1
     <tls-auth>
     #
     # 2048 bit OpenVPN static key
     #
     -----BEGIN OpenVPN Static key V1-----
     -----END OpenVPN Static key V1-----
     </tls-auth>
     <ca>
     -----BEGIN CERTIFICATE-----
     -----END CERTIFICATE-----
     </ca>
     <cert>
     -----BEGIN CERTIFICATE-----
     -----END CERTIFICATE-----
     </cert>
     <key>
     -----BEGIN PRIVATE KEY-----
     -----END PRIVATE KEY-----
     </key>

     Sep 16 23:18:04 OpenVPN0 SIGINT[hard,] received, process exiting
     Sep 16 23:18:07 OpenVPN0 OpenVPN 2.4.3 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
     Sep 16 23:18:07 OpenVPN0 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
     Sep 16 23:18:07 OpenVPN0 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
     Sep 16 23:18:07 OpenVPN0 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 16 23:18:07 OpenVPN0 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 16 23:18:07 OpenVPN0 TCP/UDP: Preserving recently used remote address: [AF_INET]91.191.231.34:1196
     Sep 16 23:18:07 OpenVPN0 Socket Buffers: R=[155648->155648] S=[155648->155648]
     Sep 16 23:18:07 OpenVPN0 UDP link local: (not bound)
     Sep 16 23:18:07 OpenVPN0 UDP link remote: [AF_INET]91.191.231.34:1196
     Sep 16 23:18:07 OpenVPN0 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
     Sep 16 23:18:07 OpenVPN0 TLS: Initial packet from [AF_INET]91.191.231.34:1196, sid=9d84a6c5 9d847b60
     Sep 16 23:18:07 OpenVPN0 VERIFY SCRIPT OK: depth=1, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=tdural-k.ru-ca
     Sep 16 23:18:07 OpenVPN0 VERIFY OK: depth=1, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=tdural-k.ru-ca
     Sep 16 23:18:07 OpenVPN0 VERIFY OK: nsCertType=SERVER
     Sep 16 23:18:07 OpenVPN0 VERIFY SCRIPT OK: depth=0, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=ovpns3
     Sep 16 23:18:07 OpenVPN0 VERIFY OK: depth=0, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=ovpns3
     Sep 16 23:18:07 OpenVPN0 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
     Sep 16 23:18:07 OpenVPN0 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
     Sep 16 23:18:07 OpenVPN0 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
     Sep 16 23:18:07 OpenVPN0 [ovpns3] Peer Connection Initiated with [AF_INET]91.191.231.34:1196
     Sep 16 23:18:07 ndm Network::Interface::OpenVpn: "OpenVPN0": added host route to remote endpoint 91.191.231.34 via 5.189.60.1.
     Sep 16 23:18:08 ndm Core::ConfigurationSaver: configuration saved.
     Sep 16 23:18:08 ndm Network::Interface::IP: "GigabitEthernet0/Vlan2": global priority is 700.
     Sep 16 23:18:08 ndm Network::Interface::IP: "OpenVPN0": global priority is 1000.
     Sep 16 23:18:08 ndm Core::ConfigurationSaver: saving configuration...
     Sep 16 23:18:08 OpenVPN0 SENT CONTROL [ovpns3]: 'PUSH_REQUEST' (status=1)
     Sep 16 23:18:08 OpenVPN0 PUSH: Received control message: 'PUSH_REPLY,route 10.0.8.0 255.255.255.0,route 10.0.9.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.30.0 255.255.255.0,route 192.168.33.0 255.255.255.0,dhcp-option DNS 192.168.30.209,route 10.0.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.10.58 10.0.10.57'
     Sep 16 23:18:08 OpenVPN0 OPTIONS IMPORT: timers and/or timeouts modified
     Sep 16 23:18:08 OpenVPN0 OPTIONS IMPORT: --ifconfig/up options modified
     Sep 16 23:18:08 OpenVPN0 OPTIONS IMPORT: route options modified
     Sep 16 23:18:08 OpenVPN0 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
     Sep 16 23:18:08 OpenVPN0 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
     Sep 16 23:18:08 OpenVPN0 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 16 23:18:08 OpenVPN0 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
     Sep 16 23:18:08 OpenVPN0 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 16 23:18:08 OpenVPN0 TUN/TAP device tun0 opened
     Sep 16 23:18:08 OpenVPN0 TUN/TAP TX queue length set to 100
     Sep 16 23:18:08 OpenVPN0 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
     Sep 16 23:18:08 ndm Network::Interface::IP: "OpenVPN0": IP address is 10.0.10.58/32.
     Sep 16 23:18:08 ndm Network::Interface::OpenVpn: "OpenVPN0": TUN peer address is 10.0.10.57.
     Sep 16 23:18:08 ndm Network::Interface::OpenVpn: "OpenVPN0": added host route to peer 10.0.10.57 via 10.0.10.58.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 10.0.8.0/255.255.255.0 via 10.0.10.57.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 10.0.9.0/255.255.255.0 via 10.0.10.57.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.20.0/255.255.255.0 via 10.0.10.57.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.30.0/255.255.255.0 via 10.0.10.57.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.33.0/255.255.255.0 via 10.0.10.57.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 10.0.10.1/255.255.255.255 via 10.0.10.57.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": adding nameserver 192.168.30.209.
     Sep 16 23:18:09 ndm Dns::Manager: name server 192.168.30.209 added, domain (default).
     Sep 16 23:18:09 ndm Network::RoutingTable: gateway 10.0.10.57 is unreachable via OpenVPN0.
     Sep 16 23:18:09 ndm Network::Interface::OpenVpn: "OpenVPN0": failed to add a nameserver route.
     Sep 16 23:18:09 OpenVPN0 GID set to nobody
     Sep 16 23:18:09 OpenVPN0 UID set to nobody
     Sep 16 23:18:09 OpenVPN0 Initialization Sequence Completed
     Sep 16 23:18:12 ndm Core::ConfigurationSaver: configuration saved.
     Sep 16 23:18:18 OpenVPN0 write to TUN/TAP : Invalid argument (code=22)
     Sep 16 23:20:09 OpenVPN0 Core::Syslog: last message repeated 11 times.
  2. I rebooted the router and it seems to be working: DNS names on the internal network respond to ping, but this is what shows up in the logs:

     Sep 14 14:12:54 OpenVPN0 OpenVPN 2.4.3 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
     Sep 14 14:12:54 OpenVPN0 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
     Sep 14 14:12:54 OpenVPN0 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
     Sep 14 14:12:54 OpenVPN0 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 14 14:12:54 OpenVPN0 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 14 14:12:54 OpenVPN0 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.30.1:1196
     Sep 14 14:12:54 OpenVPN0 Socket Buffers: R=[155648->155648] S=[155648->155648]
     Sep 14 14:12:54 OpenVPN0 UDP link local: (not bound)
     Sep 14 14:12:54 OpenVPN0 UDP link remote: [AF_INET]192.168.30.1:1196
     Sep 14 14:12:54 OpenVPN0 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
     Sep 14 14:15:08 ndm Core::System::Clock: system time has been changed.
     Sep 14 14:15:08 ndm Core::System::Clock: system time has been changed.
     Sep 14 14:15:08 ndm Ntp::Client: time synchronized with "2.pool.ntp.org".
     Sep 14 14:15:08 OpenVPN0 [UNDEF] Inactivity timeout (--ping-restart), restarting
     Sep 14 14:15:08 OpenVPN0 SIGUSR1[soft,ping-restart] received, process restarting
     Sep 14 14:15:08 OpenVPN0 Restart pause, 5 second(s)
     Sep 14 14:15:13 OpenVPN0 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
     Sep 14 14:15:13 OpenVPN0 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.30.1:1196
     Sep 14 14:15:13 OpenVPN0 Socket Buffers: R=[155648->155648] S=[155648->155648]
     Sep 14 14:15:13 OpenVPN0 UDP link local: (not bound)
     Sep 14 14:15:13 OpenVPN0 UDP link remote: [AF_INET]192.168.30.1:1196
     Sep 14 14:16:13 OpenVPN0 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
     Sep 14 14:16:13 OpenVPN0 TLS Error: TLS handshake failed
     Sep 14 14:16:13 OpenVPN0 SIGTERM[soft,tls-error] received, process exiting
     Sep 14 14:16:13 ndm Service: "OpenVPN0": unexpectedly stopped.
  3. Thank you, but now I am getting a stream of errors: write to TUN/TAP : Invalid argument (code=22)
  4. Hello, I still cannot get this to work, please help.

     client
     dev tun
     proto udp
     remote vpn.tdural-k.ru 1196
     resolv-retry infinite
     nobind
     persist-key
     persist-tun
     ns-cert-type server
     verb 3
     key-direction 1
     <ca>
     -----BEGIN CERTIFICATE-----
     -----END CERTIFICATE-----
     </ca>
     <cert>
     -----BEGIN CERTIFICATE-----
     -----END CERTIFICATE-----
     </cert>
     <key>
     -----BEGIN PRIVATE KEY-----
     -----END PRIVATE KEY-----
     </key>
     <tls-auth>
     #
     # 2048 bit OpenVPN static key
     #
     -----BEGIN OpenVPN Static key V1-----
     -----END OpenVPN Static key V1-----
     </tls-auth>

     Sep 14 13:34:42 OpenVPN0 Authenticate/Decrypt packet error: cipher final failed
     Sep 14 13:35:22 OpenVPN0 Core::Syslog: last message repeated 4 times.
     Sep 14 13:35:32 OpenVPN0 [ovpns3] Inactivity timeout (--ping-restart), restarting
     Sep 14 13:35:32 OpenVPN0 SIGUSR1[soft,ping-restart] received, process restarting
     Sep 14 13:35:32 OpenVPN0 Restart pause, 5 second(s)
     Sep 14 13:35:32 ndm Network::Interface::IP: "OpenVPN0": IP address cleared.
     Sep 14 13:35:33 OpenVPN0 Closing TUN/TAP interface
     Sep 14 13:35:33 OpenVPN0 SIGINT[hard,init_instance] received, process exiting
     Sep 14 13:35:35 OpenVPN0 OpenVPN 2.4.3 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
     Sep 14 13:35:35 OpenVPN0 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
     Sep 14 13:35:35 OpenVPN0 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
     Sep 14 13:35:35 OpenVPN0 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 14 13:35:35 OpenVPN0 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 14 13:35:35 OpenVPN0 TCP/UDP: Preserving recently used remote address: [AF_INET]91.191.231.34:1196
     Sep 14 13:35:35 OpenVPN0 Socket Buffers: R=[155648->155648] S=[155648->155648]
     Sep 14 13:35:35 OpenVPN0 UDP link local: (not bound)
     Sep 14 13:35:35 OpenVPN0 UDP link remote: [AF_INET]91.191.231.34:1196
     Sep 14 13:35:35 OpenVPN0 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
     Sep 14 13:35:35 OpenVPN0 TLS: Initial packet from [AF_INET]91.191.231.34:1196, sid=3224e7d6 87a15644
     Sep 14 13:35:35 OpenVPN0 VERIFY SCRIPT OK: depth=1, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=tdural-k.ru-ca
     Sep 14 13:35:35 OpenVPN0 VERIFY OK: depth=1, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=tdural-k.ru-ca
     Sep 14 13:35:35 OpenVPN0 VERIFY OK: nsCertType=SERVER
     Sep 14 13:35:35 OpenVPN0 VERIFY SCRIPT OK: depth=0, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=ovpns3
     Sep 14 13:35:35 OpenVPN0 VERIFY OK: depth=0, C=RU, ST=Sverdlovskaya, L=Yekaterinburg, O=Ural-K, emailAddress=it-adm@tdural-k.ru, CN=ovpns3
     Sep 14 13:35:35 OpenVPN0 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1558'
     Sep 14 13:35:35 OpenVPN0 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
     Sep 14 13:35:35 OpenVPN0 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
     Sep 14 13:35:35 OpenVPN0 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
     Sep 14 13:35:35 OpenVPN0 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
     Sep 14 13:35:35 OpenVPN0 [ovpns3] Peer Connection Initiated with [AF_INET]91.191.231.34:1196
     Sep 14 13:35:35 ndm Network::Interface::OpenVpn: "OpenVPN0": added host route to remote endpoint 91.191.231.34 via 192.168.30.1.
     Sep 14 13:35:36 OpenVPN0 SENT CONTROL [ovpns3]: 'PUSH_REQUEST' (status=1)
     Sep 14 13:35:36 OpenVPN0 PUSH: Received control message: 'PUSH_REPLY,route 10.0.8.0 255.255.255.0,route 10.0.9.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.30.0 255.255.255.0,route 192.168.33.0 255.255.255.0,dhcp-option DNS 192.168.30.209,route 10.0.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.10.58 10.0.10.57'
     Sep 14 13:35:36 OpenVPN0 OPTIONS IMPORT: timers and/or timeouts modified
     Sep 14 13:35:36 OpenVPN0 OPTIONS IMPORT: --ifconfig/up options modified
     Sep 14 13:35:36 OpenVPN0 OPTIONS IMPORT: route options modified
     Sep 14 13:35:36 OpenVPN0 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
     Sep 14 13:35:36 OpenVPN0 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
     Sep 14 13:35:36 OpenVPN0 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
     Sep 14 13:35:36 OpenVPN0 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 14 13:35:36 OpenVPN0 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
     Sep 14 13:35:36 OpenVPN0 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
     Sep 14 13:35:36 OpenVPN0 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
     Sep 14 13:35:36 OpenVPN0 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
     Sep 14 13:35:36 OpenVPN0 TUN/TAP device tun0 opened
     Sep 14 13:35:36 OpenVPN0 TUN/TAP TX queue length set to 100
     Sep 14 13:35:36 OpenVPN0 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
     Sep 14 13:35:36 ndm Network::Interface::IP: "OpenVPN0": IP address is 10.0.10.58/32.
     Sep 14 13:35:36 ndm Network::Interface::OpenVpn: "OpenVPN0": TUN peer address is 10.0.10.57.
     Sep 14 13:35:36 ndm Network::Interface::OpenVpn: "OpenVPN0": added host route to peer 10.0.10.57 via 10.0.10.58.
     Sep 14 13:35:36 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 10.0.8.0/255.255.255.0 via 10.0.10.57.
     Sep 14 13:35:37 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 10.0.9.0/255.255.255.0 via 10.0.10.57.
     Sep 14 13:35:37 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.20.0/255.255.255.0 via 10.0.10.57.
     Sep 14 13:35:37 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.30.0/255.255.255.0 via 10.0.10.57.
     Sep 14 13:35:37 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.33.0/255.255.255.0 via 10.0.10.57.
     Sep 14 13:35:37 ndm Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 10.0.10.1/255.255.255.255 via 10.0.10.57.
     Sep 14 13:35:37 ndm Network::Interface::OpenVpn: "OpenVPN0": adding nameserver 192.168.30.209.
     Sep 14 13:35:37 ndm Dns::Manager: name server 192.168.30.209 added, domain (default).
     Sep 14 13:35:37 ndm Network::RoutingTable: gateway 10.0.10.57 is unreachable via OpenVPN0.
     Sep 14 13:35:37 ndm Network::Interface::OpenVpn: "OpenVPN0": failed to add a nameserver route.
     Sep 14 13:35:37 OpenVPN0 GID set to nobody
     Sep 14 13:35:37 OpenVPN0 UID set to nobody
     Sep 14 13:35:37 OpenVPN0 Initialization Sequence Completed
     Sep 14 13:35:47 OpenVPN0 Authenticate/Decrypt packet error: cipher final failed
     Sep 14 13:36:28 OpenVPN0 Core::Syslog: last message repeated 4 times.