Александр Рыжов Posted July 19, 2017
22 hours ago, Funeral_YAR said: instead of tls-auth /opt/etc/config/ta.key 1
@Сергей Молоков, possibly the USB drive was not ready yet by the time openvpn started after the router reboot, which is why the solution worked unreliably.
Сергей Молоков Posted July 19, 2017
3 minutes ago, Александр Рыжов said: the USB drive was not ready yet
Which USB drive are you talking about now? When ovpn was in Entware on the flash drive, everything worked fine; now, without the flash drive, with the component from the firmware, ovpn did not start without key-direction 1. Or did I misunderstand you?
Александр Рыжов Posted July 19, 2017
I assumed you had the firmware openvpn with a config that referenced /opt/... Apparently I misunderstood.
Le ecureuil Posted July 19, 2017
20 hours ago, spirkaa said: With this config, "OpenVPN in the firmware" does not start. At the same time the client from opkg works fine.
Jul 18 17:04:30 OpenVPN0 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jul 18 17:04:30 OpenVPN0 Options error: Parameter tls_verify can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Jul 18 17:04:30 OpenVPN0 Use --help for more information.
Jul 18 17:04:30 ndm Service: "OpenVPN": unexpectedly stopped.
After roughly 6-7 such messages the interface settings stop opening; instead, the add-new-connection window opens, and I have to delete the connection via the CLI and add it again. Maybe this is related to the other protocols, or rather their absence: I disabled everything and left only OpenVPN.
Fixed, it will appear in the next build.
smp Posted August 5, 2017 (edited)
It doesn't work for me with this config (the connection to the server is established, but the grey "waiting" icon stays lit):
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
server.conf:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
log:
Aug 06 01:08:15 ndm Network::Interface::Supplicant: "OpenVPN0": authnentication is unchanged.
Aug 06 01:08:15 ndm Network::Interface::Base: "OpenVPN0": description saved.
Aug 06 01:08:15 ndm Network::Interface::IP: "OpenVPN0": IP address cleared.
Aug 06 01:08:15 ndm Network::Interface::IP: "OpenVPN0": global priority enabled.
Aug 06 01:08:15 ndm Network::Interface::IP: "OpenVPN0": TCP-MSS adjustment enabled.
Aug 06 01:08:16 ndm Network::Interface::OpenVpn: "OpenVPN0": configuration successfully saved.
Aug 06 01:08:16 ndm Network::Interface::OpenVpn: "OpenVPN0": enable automatic routes accept via tunnel.
Aug 06 01:08:16 ndm Network::Interface::OpenVpn: "OpenVPN0": set connection via ISP.
Aug 06 01:08:16 ndm Network::Interface::Base: "OpenVPN0": interface is up.
Aug 06 01:08:16 ndm Network::Interface::Base: "OpenVPN0": schedule cleared.
Aug 06 01:08:16 ndm Core::ConfigurationSaver: saving configuration...
Aug 06 01:08:16 OpenVPN0 event_wait : Interrupted system call (code=4)
Aug 06 01:08:17 OpenVPN0 Closing TUN/TAP interface
Aug 06 01:08:17 OpenVPN0 SIGINT[hard,] received, process exiting
Aug 06 01:08:19 OpenVPN0 OpenVPN 2.4.3 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
Aug 06 01:08:19 OpenVPN0 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Aug 06 01:08:19 OpenVPN0 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 06 01:08:19 OpenVPN0 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 06 01:08:19 OpenVPN0 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Aug 06 01:08:19 OpenVPN0 Socket Buffers: R=[155648->155648] S=[155648->155648]
Aug 06 01:08:19 OpenVPN0 UDP link local: (not bound)
Aug 06 01:08:19 OpenVPN0 UDP link remote: [AF_INET]x.x.x.x:1194
Aug 06 01:08:19 OpenVPN0 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 06 01:08:19 OpenVPN0 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=38e6449d c6b08a03
Aug 06 01:08:19 OpenVPN0 VERIFY SCRIPT OK: depth=1, CN=ChangeMe
Aug 06 01:08:19 OpenVPN0 VERIFY OK: depth=1, CN=ChangeMe
Aug 06 01:08:19 OpenVPN0 VERIFY KU OK
Aug 06 01:08:19 OpenVPN0 Validating certificate extended key usage
Aug 06 01:08:19 OpenVPN0 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 06 01:08:19 OpenVPN0 VERIFY EKU OK
Aug 06 01:08:19 OpenVPN0 VERIFY SCRIPT OK: depth=0, CN=server
Aug 06 01:08:19 OpenVPN0 VERIFY OK: depth=0, CN=server
Aug 06 01:08:20 ndm Core::ConfigurationSaver: configuration saved.
Aug 06 01:08:21 OpenVPN0 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Aug 06 01:08:21 OpenVPN0 [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Aug 06 01:08:21 ndm Network::Interface::OpenVpn: "OpenVPN0": added host route to remote endpoint x.x.x.x via x.x.x.x.
Aug 06 01:08:23 OpenVPN0 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Aug 06 01:08:23 OpenVPN0 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Aug 06 01:08:23 OpenVPN0 OPTIONS IMPORT: timers and/or timeouts modified
Aug 06 01:08:23 OpenVPN0 OPTIONS IMPORT: --ifconfig/up options modified
Aug 06 01:08:23 OpenVPN0 OPTIONS IMPORT: route options modified
Aug 06 01:08:23 OpenVPN0 OPTIONS IMPORT: route-related options modified
Aug 06 01:08:23 OpenVPN0 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 06 01:08:23 OpenVPN0 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 06 01:08:23 OpenVPN0 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 06 01:08:23 OpenVPN0 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 06 01:08:23 OpenVPN0 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 06 01:08:23 OpenVPN0 TUN/TAP device tun0 opened
Aug 06 01:08:23 OpenVPN0 TUN/TAP TX queue length set to 100
Aug 06 01:08:23 OpenVPN0 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug 06 01:08:23 ndm Network::Interface::IP: "OpenVPN0": IP address is 10.8.0.2/24.
Aug 06 01:08:23 ndm Network::Interface::OpenVpn: "OpenVPN0": adding nameserver 8.8.8.8.
Aug 06 01:08:23 ndm Dns::Manager: name server 8.8.8.8 added, domain (default).
Aug 06 01:08:23 ndm Network::Interface::OpenVpn: "OpenVPN0": add route to nameserver 8.8.8.8 via 0.0.0.0 (OpenVPN0).
Aug 06 01:08:23 ndm Network::Interface::OpenVpn: "OpenVPN0": adding nameserver 8.8.4.4.
Aug 06 01:08:23 ndm Dns::Manager: name server 8.8.4.4 added, domain (default).
Aug 06 01:08:23 ndm Network::Interface::OpenVpn: "OpenVPN0": add route to nameserver 8.8.4.4 via 0.0.0.0 (OpenVPN0).
Aug 06 01:08:23 OpenVPN0 GID set to nobody
Aug 06 01:08:23 OpenVPN0 UID set to nobody
Aug 06 01:08:23 OpenVPN0 Initialization Sequence Completed
Edited August 5, 2017 by smp
Le ecureuil Posted August 7, 2017
On 8/6/2017 at 01:19, smp said: It doesn't work for me with this config (the connection to the server is established, but the grey "waiting" icon stays lit): [the client config, server.conf and log from the post above are quoted here]
Have you tried setting the priority value to the highest on the connections page? You have no problem with OpenVPN as such.
smp Posted August 7, 2017
7 hours ago, Le ecureuil said: Have you tried setting the priority value to the highest on the connections page? You have no problem with OpenVPN as such.
Yes, my mistake. It really did work with the highest priority.
sine_x Posted August 13, 2017
Tell me, will it work on the Viva (2.10.A.5.0-8)? Implementing this type of tunnel is a very good idea, especially considering that the dreary MikroTik developers still haven't implemented proper OpenVPN support after all these years: no UDP, no compression ) Thanks for your work.
AndreBA Posted August 13, 2017
45 minutes ago, sine_x said: Tell me, will it work on the Viva (2.10.A.5.0-8)?
Are you asking about the firmware? Quote:
Version 2.09 (changelog), 2.10 (changelog) and above: Keenetic Start II, Keenetic 4G III rev. B, Keenetic Lite III rev. B, Keenetic Giga III, Keenetic Ultra II, Keenetic Extra II, Keenetic Air. These are in active support and development.
Version 2.09 (changelog), 2.10 (changelog) and above, unofficial: Keenetic Lite II, Keenetic Lite III, Keenetic Omni, Keenetic Omni II, Keenetic II, Keenetic III, Keenetic Giga II, Keenetic Ultra, Keenetic LTE, Keenetic DSL, Keenetic VOX. Released on the developers' own initiative; no official support is provided.
Time-tested versions (currently 2.09.C.X) are in the delta channel, test versions (currently 2.10.A.X) are, as always, in draft).
sine_x Posted August 13, 2017 (edited)
I meant whether it will work on the VIVA. Right now my situation is as follows:
Server configuration
dev tap
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 udp
verify-x509-name "x.x.NET" name
remote-cert-tls server
VIVA client configuration
dev tap
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 udp
remote-cert-tls server
verify-x509-name "x.x.NET" name
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
Connection log
Aug 13 13:57:15 OpenVPN0 OpenVPN 2.4.3 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
Aug 13 13:57:15 OpenVPN0 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Aug 13 13:57:15 OpenVPN0 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x :1194
Aug 13 13:57:15 OpenVPN0 UDP link local (bound): [AF_INET][undef]:1194
Aug 13 13:57:15 OpenVPN0 UDP link remote: [AF_INET]x.x.x.x :1194
Aug 13 13:57:15 OpenVPN0 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 13 13:57:16 OpenVPN0 [DP.RU27.NET] Peer Connection Initiated with [AF_INET]x.x.x.x :1194
Aug 13 13:57:16 ndm Network::Interface::OpenVpn: "OpenVPN0": added host route to remote endpoint x.x.x.x via PPPoE0.
Aug 13 13:57:16 ndm Core::ConfigurationSaver: configuration saved.
Aug 13 13:57:17 OpenVPN0 TUN/TAP device tap0 opened
Aug 13 13:57:17 OpenVPN0 GID set to nobody
Aug 13 13:57:17 OpenVPN0 UID set to nobody
Aug 13 13:57:17 OpenVPN0 Initialization Sequence Completed
Aug 13 13:57:50 OpenVPN0 write to TUN/TAP : Input/output error (code=5)
Aug 13 13:57:54 OpenVPN0 write to TUN/TAP : Input/output error (code=5)
Aug 13 13:58:09 OpenVPN0 write to TUN/TAP : Input/output error (code=5)
Aug 13 13:58:18 OpenVPN0 write to TUN/TAP : Input/output error (code=5)
Aug 13 13:58:28 OpenVPN0 write to TUN/TAP : Input/output error (code=5)
Aug 13 13:58:32 OpenVPN0 write to TUN/TAP : Input/output error (code=5)
So it turns out it cannot get an IP address from DHCP? On Windows the standard OpenVPN client works like a charm; the server side is implemented on pfSense.
Edited August 13, 2017 by sine_x
Сергей Молоков Posted August 14, 2017
Hello! To use OVPN, is it mandatory to install the PPPoE client among the components even though it will not be used? On the Keenetic II the PPPoE client is not installed, yet it is possible to create an OVPN connection (even though it is the only option, it is not selected by default): On the Keenetic III, Extra II and Lite II it is impossible to create an OVPN connection if only the OpenVPN client is installed; if the PPPoE client is installed as well (I haven't tried others), then it becomes possible. Is this a glitch on my Keenetic II, or is it supposed to be this way (it seems logical not to install components you don't use)?
Le ecureuil Posted August 14, 2017
7 hours ago, Сергей Молоков said: Hello! To use OVPN, is it mandatory to install the PPPoE client among the components even though it will not be used? [...] Is this a glitch on my Keenetic II, or is it supposed to be this way (it seems logical not to install components you don't use)?
Yes, it's a bug; we've put it into work.
sine_x Posted August 14, 2017
Can you advise anything on my situation above?
Le ecureuil Posted August 15, 2017
20 hours ago, sine_x said: Can you advise anything on my situation above?
I'll check; the tap + DHCP scenario hasn't been tested.
ICMP Posted August 15, 2017
Good afternoon! Tell me, has there been any progress with the server side?
Le ecureuil Posted August 15, 2017
1 hour ago, ICMP said: Good afternoon! Tell me, has there been any progress with the server side?
Try it and write if it doesn't work. At least there shouldn't be any problems.
Le ecureuil Posted August 15, 2017
On 8/14/2017 at 18:02, sine_x said: Can you advise anything on my situation above?
Check in the next draft; it should work. Just don't forget to enable the DHCP client on the Keenetic:
> interface OpenVPN0 ip address dhcp
> system config-save
sine_x Posted August 15, 2017
1 minute ago, Le ecureuil said: Check in the next draft; it should work. Just don't forget to enable the DHCP client on the Keenetic: > interface OpenVPN0 ip address dhcp > system config-save
OK, thanks, I'll report back with the results.
r13 Posted August 17, 2017 (edited)
@Le ecureuil I started OpenVPN in server mode, config as follows:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
key-direction 0
cipher AES-256-CBC
auth SHA256
topology subnet
server 10.8.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
When a client connects, for some reason AES-256-GCM encryption is used instead of the configured AES-256-CBC?
PS In client mode everything is OK
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug 17 20:54:37 OpenVPN1 r13_iphone/213.87.157.182 SIGTERM[soft,remote-exit] received, client-instance exiting
Aug 17 20:54:51 OpenVPN1 213.87.157.182 TLS: Initial packet from [AF_INET6]::ffff:213.87.157.182:12347, sid=9f2903c2 0bd16693
Aug 17 20:54:54 OpenVPN1 213.87.157.182 TLS: Initial packet from [AF_INET6]::ffff:213.87.157.182:42266, sid=4aa703f9 aaa1acde
Aug 17 20:54:54 OpenVPN1 213.87.157.182 VERIFY SCRIPT OK: depth=1, CN=ChangeMe
Aug 17 20:54:54 OpenVPN1 213.87.157.182 VERIFY OK: depth=1, CN=ChangeMe
Aug 17 20:54:54 OpenVPN1 213.87.157.182 VERIFY SCRIPT OK: depth=0, CN=r13_iphone
Aug 17 20:54:54 OpenVPN1 213.87.157.182 VERIFY OK: depth=0, CN=r13_iphone
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_VER=3.1.2
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_PLAT=ios
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_NCP=2
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_TCPNL=1
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_PROTO=2
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_LZO=1
Aug 17 20:54:54 OpenVPN1 213.87.157.182 peer info: IV_AUTO_SESS=1
Aug 17 20:54:54 OpenVPN1 213.87.157.182 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug 17 20:54:54 OpenVPN1 213.87.157.182 [r13_iphone] Peer Connection Initiated with [AF_INET6]::ffff:213.87.157.182:42266
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 MULTI_sva: pool returned IPv4=10.8.1.2, IPv6=(Not enabled)
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_52e08346ed7ebcc7f167adc4a9d0ec5f.tmp
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 MULTI: Learn: 10.8.1.2 -> r13_iphone/213.87.157.182
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 MULTI: primary virtual IP for r13_iphone/213.87.157.182: 10.8.1.2
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 PUSH: Received control message: 'PUSH_REQUEST'
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 SENT CONTROL [r13_iphone]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.1.2 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 17 20:54:54 OpenVPN1 r13_iphone/213.87.157.182 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Client log
2017-08-17 20:40:37 ----- OpenVPN Start ----- OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
2017-08-17 20:40:37 Frame=512/2048/512 mssfix-ctrl=1250
2017-08-17 20:40:37 UNUSED OPTIONS 4 [resolv-retry] [infinite] 5 [nobind] 6 [user] [nobody] 7 [group] [nogroup] 8 [persist-key] 9 [persist-tun] 15 [verb] [3] 20 [dh] [-----BEGIN DH PARAMETERS----- MI...]
2017-08-17 20:40:37 EVENT: RESOLVE
2017-08-17 20:40:37 Contacting *:1194 via UDP
2017-08-17 20:40:37 EVENT: WAIT
2017-08-17 20:40:37 SetTunnelSocket returned 1
2017-08-17 20:40:37 Connecting to [*]:1194 (*) via UDPv4
2017-08-17 20:40:37 EVENT: CONNECTING
2017-08-17 20:40:37 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
2017-08-17 20:40:37 Creds: UsernameEmpty/PasswordEmpty
2017-08-17 20:40:37 Peer Info: IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212 IV_VER=3.1.2 IV_PLAT=ios IV_NCP=2 IV_TCPNL=1 IV_PROTO=2 IV_LZO=1 IV_AUTO_SESS=1
2017-08-17 20:40:38 VERIFY OK: depth=1 cert. version : 3 serial number : DE:71:84:25:5A:78:8F:66 issuer name : CN=ChangeMe subject name : CN=ChangeMe issued on : 2016-10-31 17:17:31 expires on : 2026-10-29 17:17:31 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true key usage : Key Cert Sign, CRL Sign
2017-08-17 20:40:38 VERIFY OK: depth=0 cert. version : 3 serial number : 01 issuer name : CN=ChangeMe subject name : CN=server issued on : 2016-10-31 18:37:03 expires on : 2026-10-29 18:37:03 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication
2017-08-17 20:40:38 NET Internet:ReachableViaWWAN/WR t------
2017-08-17 20:40:38 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2017-08-17 20:40:38 Session is ACTIVE
2017-08-17 20:40:38 EVENT: GET_CONFIG
2017-08-17 20:40:38 Sending PUSH_REQUEST to server...
2017-08-17 20:40:38 OPTIONS: 0 [redirect-gateway] [def1] [bypass-dhcp] 1 [dhcp-option] [DNS] [8.8.8.8] 2 [dhcp-option] [DNS] [8.8.4.4] 3 [route-gateway] [10.8.1.1] 4 [topology] [subnet] 5 [ping] [10] 6 [ping-restart] [120] 7 [ifconfig] [10.8.1.2] [255.255.255.0] 8 [peer-id] [0] 9 [cipher] [AES-256-GCM]
2017-08-17 20:40:38 PROTOCOL OPTIONS: cipher: AES-256-GCM digest: SHA256 compress: LZO peer ID: 0
2017-08-17 20:40:38 EVENT: ASSIGN_IP
2017-08-17 20:40:38 TunPersist: saving tun context: Session Name: * Layer: OSI_LAYER_3 Remote Address: * Tunnel Addresses: 10.8.1.2/24 -> 10.8.1.1 Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 BYPASS_DHCP IPv4 ] Block IPv6: no Add Routes: Exclude Routes: DNS Servers: 8.8.8.8 8.8.4.4 Search Domains:
2017-08-17 20:40:38 Connected via tun
2017-08-17 20:40:38 LZO-ASYM init swap=0 asym=0
2017-08-17 20:40:38 EVENT: CONNECTED @*:1194 (*) via /UDPv4 on tun/10.8.1.2/ gw=[10.8.1.1/]
2017-08-17 20:40:38 SetStatus Connected
Edited August 17, 2017 by r13
vlad Posted August 17, 2017
2 hours ago, r13 said: When a client connects, for some reason AES-256-GCM encryption is used instead of the configured AES-256-CBC?
Add ncp-disable to the server config
r13 Posted August 18, 2017
7 hours ago, vlad said: Add ncp-disable to the server config
Thanks, now the encryption configured in the config is used.
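Why r13's server pushed AES-256-GCM although the config said AES-256-CBC: OpenVPN 2.4 introduced Negotiable Crypto Parameters (NCP). A client that announces IV_NCP=2 in its peer info supports the AEAD ciphers AES-256-GCM and AES-128-GCM, and a 2.4 server with NCP enabled (the default) pushes the first matching entry of its --ncp-ciphers list (default AES-256-GCM:AES-128-GCM) to such a client instead of the static --cipher; ncp-disable switches that off. The model below is an added example written for this page, not code from the thread, from Keenetic or from the OpenVPN project. It is deliberately simplified (it leaves out the "poor man's NCP" fallback for non-NCP clients and the IV_CIPHERS handling of later releases), and it takes the peer-info lines from r13's server log, with the client address masked, as constructed sample input.

```python
"""Simplified model of how an OpenVPN 2.4 server chooses the data-channel
cipher (Negotiable Crypto Parameters, NCP). Added example written for this
page; not code from the thread, from Keenetic or from the OpenVPN project."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# OpenVPN 2.4 default value of --ncp-ciphers.
DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]
# What a client that announces IV_NCP=2 is guaranteed to support.
IV_NCP2_CIPHERS = {"AES-256-GCM", "AES-128-GCM"}


@dataclass
class ServerConfig:
    cipher: str = "BF-CBC"          # what --cipher falls back to when the line is absent
    ncp_disable: bool = False       # the `ncp-disable` directive
    ncp_ciphers: List[str] = field(default_factory=lambda: list(DEFAULT_NCP_CIPHERS))


def parse_peer_info(log_lines: List[str]) -> Dict[str, str]:
    """Collect the 'peer info: KEY=VALUE' pairs found in a verb-3 server log."""
    info: Dict[str, str] = {}
    for line in log_lines:
        _, found, rest = line.partition("peer info: ")
        if found and "=" in rest:
            key, _, value = rest.partition("=")
            info[key.strip()] = value.strip()
    return info


def negotiate_data_cipher(server: ServerConfig, peer_info: Dict[str, str]) -> Tuple[str, str]:
    """Return (cipher, reason) for one connecting client. Simplified rules:
    1. ncp-disable on the server: the configured --cipher, nothing negotiated;
    2. the client sent IV_NCP=2: the first --ncp-ciphers entry the client
       supports is chosen and pushed as 'cipher X' inside PUSH_REPLY;
    3. otherwise the configured --cipher (the client must have the same line).
    The 'poor man's NCP' fallback and the IV_CIPHERS handling of later
    releases are intentionally left out of this model."""
    if server.ncp_disable:
        return server.cipher, "ncp-disable set: configured --cipher used"
    if peer_info.get("IV_NCP") == "2":
        for candidate in server.ncp_ciphers:
            if candidate in IV_NCP2_CIPHERS:
                return candidate, f"IV_NCP=2 client: '{candidate}' negotiated and pushed"
    return server.cipher, "client without NCP: configured --cipher used"


# Constructed sample: peer-info lines as in r13's server log, address masked.
SAMPLE_SERVER_LOG = [
    "OpenVPN1 x.x.x.x peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212",
    "OpenVPN1 x.x.x.x peer info: IV_VER=3.1.2",
    "OpenVPN1 x.x.x.x peer info: IV_NCP=2",
    "OpenVPN1 x.x.x.x peer info: IV_LZO=1",
    "OpenVPN1 x.x.x.x Control Channel: TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    peer = parse_peer_info(SAMPLE_SERVER_LOG)
    as_posted = ServerConfig(cipher="AES-256-CBC")                          # r13's server config
    print(negotiate_data_cipher(as_posted, peer))                           # AES-256-GCM via NCP
    with_ncp_disable = ServerConfig(cipher="AES-256-CBC", ncp_disable=True)  # vlad's fix
    print(negotiate_data_cipher(with_ncp_disable, peer))                    # AES-256-CBC
    print(negotiate_data_cipher(as_posted, {}))                             # no IV_NCP: AES-256-CBC
```

One design point worth weighing before copying vlad's fix: AES-256-GCM, the cipher the server negotiated on its own, is the stronger option, an AEAD mode that needs no separate HMAC. If the goal is only that the log agrees with the config, setting cipher AES-256-GCM (or ncp-ciphers AES-256-GCM) keeps negotiation on and achieves that; ncp-disable instead forces the configured cipher on every client, including ones that would otherwise have negotiated AEAD.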
ICMP Posted August 18, 2017
12 hours ago, r13 said: I started OpenVPN in server mode
Does the component include a server part, or are you running it under Debian or Entware?
r13 Posted August 18, 2017
36 minutes ago, ICMP said: Does the component include a server part, or are you running it under Debian or Entware?
Right at the beginning @Le ecureuil wrote that the server part is there too, so it's built-in; otherwise I wouldn't be posting here.
T@rkus Posted August 18, 2017
How do I put the login and password into the configuration?
r13 Posted August 18, 2017
19 minutes ago, T@rkus said: How do I put the login and password into the configuration?
T@rkus Posted August 18, 2017 (edited)
27 minutes ago, r13 said:
I put the login and password into the config. Now it tells me Options error: If you use one of --cert or --key, you must use them both
Here is a shortened example of the config:
client
dev tun
proto udp
remote eu1.vyprvpn.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
verify-x509-name eu1.vyprvpn.com name
comp-lzo
keepalive 10 60
verb 3
<auth-user-pass>
0000000@gmail.com
00000
</auth-user-pass>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
Edited August 18, 2017 by T@rkus
r13 Posted August 18, 2017 (edited)
13 minutes ago, T@rkus said: I put the login and password into the config. Now it tells me Options error: If you use one of --cert or --key, you must use them both. Here is a shortened example of the config: [the config from the post above is quoted here]
Remove the cert block, presumably, going by the error text.
Edited August 18, 2017 by r13
T@rkus Posted August 18, 2017
15 minutes ago, r13 said: Remove the cert block, presumably, going by the error text.
I removed the cert block and OpenVPN came up.
T@rkus Posted August 18, 2017
@r13 Only now it complains in the config:
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Aug 18 13:50:13 OpenVPN1 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 18 13:50:13 OpenVPN1 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 18 13:50:13 OpenVPN1 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Aug 18 13:50:13 OpenVPN1 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 18 13:50:13 OpenVPN1 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
r13 Posted August 18, 2017
It's just a warning that the server is using weak encryption.
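The three configuration mistakes that surfaced in this thread (a cert without its key, an inline tls-auth block with no key-direction, and the BF-CBC default behind the SWEET32 warning) can all be caught before a connection is attempted. The linter below is an added example written for this page, not code from the thread, from Keenetic or from the OpenVPN project. It assumes a minimal parser for "directive args" lines and <tag>...</tag> inline blocks; the sample configs it checks are constructed from the ones posted above, with the credentials replaced by placeholders and the PEM bodies omitted.

```python
"""Static checks for an OpenVPN config: an added example written for this
page, not code from the thread, the Keenetic firmware or the OpenVPN project.
Flags: cert without key (or key without cert), an inline <tls-auth> with no
key-direction, and a 64-bit-block cipher such as BF-CBC (also what OpenVPN
2.4 uses when no cipher line is present)."""
import re
from typing import Dict, List, Tuple

INLINE_TAG = re.compile(r"^<(/?)([a-z-]+)>$")          # <ca>, </ca>, <tls-auth> ...
WEAK_64BIT_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_ovpn(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument strings. Inline blocks are stored
    under '<tag>' with the block body as the single argument."""
    opts: Dict[str, List[str]] = {}
    inline, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_TAG.match(line)
        if m:
            closing, tag = m.groups()
            if not closing:
                inline, body = tag, []
            elif inline == tag:
                opts.setdefault(f"<{tag}>", []).append("\n".join(body))
                inline = None
            continue
        if inline is not None:
            body.append(line)
        elif line and line[0] not in "#;":
            directive, _, args = line.partition(" ")
            opts.setdefault(directive, []).append(args.strip())
    return opts


def lint_ovpn(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings, in a fixed order, for one config."""
    opts = parse_ovpn(text)
    findings: List[Tuple[str, str]] = []
    has_cert = "cert" in opts or "<cert>" in opts
    has_key = "key" in opts or "<key>" in opts
    if has_cert != has_key:
        findings.append(("cert-key-pair",
                         "only one of cert/key is present; OpenVPN exits with 'If you use one of "
                         "--cert or --key, you must use them both'. With auth-user-pass drop the "
                         "<cert> block, otherwise add the matching <key>."))
    if "<tls-auth>" in opts and "key-direction" not in opts:
        findings.append(("tls-auth-direction",
                         "inline <tls-auth> without key-direction runs in bidirectional mode; a "
                         "server using 'tls-auth ta.key 0' needs 'key-direction 1' on the client."))
    cipher = opts.get("cipher", ["BF-CBC"])[0].upper()
    if cipher in WEAK_64BIT_CIPHERS:
        origin = "2.4 default, no cipher line" if "cipher" not in opts else "configured"
        findings.append(("weak-cipher",
                         f"{cipher} ({origin}) has a 64-bit block size (SWEET32 warning); "
                         "use AES-256-GCM or AES-256-CBC."))
    return findings


# Constructed from T@rkus's shortened config: inline <cert>, no <key>, no cipher
# line; credentials replaced by placeholders.
CFG_USERPASS_WITH_CERT = """\
client
remote eu1.vyprvpn.com 1194
<auth-user-pass>
user@example.com
password-placeholder
</auth-user-pass>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
"""
CFG_USERPASS_FIXED = CFG_USERPASS_WITH_CERT.split("<cert>")[0]   # r13's fix: <cert> removed

# Constructed from smp's client config (PEM bodies omitted): cert+key paired,
# key-direction 1 for the inline tls-auth, AES-256-CBC.
CFG_TLS_AUTH_CLIENT = """\
client
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
"""

if __name__ == "__main__":
    for name, cfg in [("userpass+cert", CFG_USERPASS_WITH_CERT),
                      ("userpass fixed", CFG_USERPASS_FIXED),
                      ("tls-auth client", CFG_TLS_AUTH_CLIENT)]:
        print(name, lint_ovpn(cfg) or "no findings")
```

On T@rkus's config the linter reports the cert/key pairing problem and, because the file has no cipher line, the BF-CBC default that produced the SWEET32 warning; removing the cert block clears the first finding only. OpenVPN's own mitigation visible in the log (reneg-bytes lowered to 64MB) shortens the lifetime of each data-channel key but does not replace the 64-bit block cipher; only an AES cipher on both ends does, and when the server belongs to a provider, the warning remains until that side changes its cipher.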