Linux OVPN, connection comes up, no ping

monthy

Cadet 3rd Year
Registered
May 2009
Posts
37
Hello everyone,

debian/lenny on both the server and the client side.

server:
eth0=10.1.2.9
OVPN=12.0.0.1

client=192.168.0.199
OVPN=12.0.0.2

The connection comes up, but no ping gets through. Strangely, it worked once for a short while and then never again. I have gone through every forum and howto and tested everything, but nothing works. The tunnel is established, an IP is assigned, but that is it. What I can see during setup is that the route for the VPN is briefly pushed into the routing table and then disappears again. Since many people say iptables can be responsible, I simply uninstalled it.

Here are my logs:

Server:
fileserver:~# cat /etc/openvpn/server.conf
port 1194
proto udp
mode server
tls-server
dev tap0

server 12.0.0.0 255.255.255.0
push "route 10.1.2.0 255.255.255.0"

tun-mtu 1500
tun-mtu-extra 32
mssfix

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh2048.pem

client-to-client


keepalive 10 120
auth SHA1
cipher aes-256-cbc

comp-lzo
user nobody
group nogroup
max-clients 10

persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 5

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
#tls-auth easy-rsa/keys/ta.key 0 # This file is secret

fileserver:~# cat /proc/sys/net/ipv4/ip_forward
1

fileserver:~# ifconfig
br0       Link encap:Ethernet  HWaddr 00:ff:1b:fc:11:70
          inet addr:10.1.2.9  Bcast:10.1.2.255  Mask:255.255.255.0
          inet6 addr: fe80::2ff:1bff:fefc:1170/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:299482 (292.4 KiB)  TX bytes:436827 (426.5 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:35:89:66
          inet6 addr: fe80::a00:27ff:fe35:8966/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2966 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2286 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:328425 (320.7 KiB)  TX bytes:439786 (429.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:107 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9141 (8.9 KiB)  TX bytes:9141 (8.9 KiB)

tap0      Link encap:Ethernet  HWaddr 00:ff:1b:fc:11:70
          inet addr:12.0.0.1  Bcast:12.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2ff:1bff:fefc:1170/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:290 errors:0 dropped:29 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:16261 (15.8 KiB)  TX bytes:62623 (61.1 KiB)

fileserver:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.0.0.0        *               255.255.255.0   U     0      0        0 tap0
10.1.2.0        *               255.255.255.0   U     0      0        0 br0
default         router.mad      0.0.0.0         UG    0      0        0 br0

Client:
nm-network-applet-openvpn[openvpn]
description=monthy-vpn
connection-type=x509
remote=monthy.xxxx.net
port=1194
dev=tap
proto=udp
servercert-insecure=yes
ca=/etc/openvpn/ca.crt
cert=/etc/openvpn/nexoc.crt
key=/etc/openvpn/nexoc.key
comp-lzo=yes
shared-key=
local-ip=
remote-ip=
username=
cipher=AES-256-CBC
ta=
ta_dir=
routes=

nexoc:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1198 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:86984 (84.9 KiB)  TX bytes:86984 (84.9 KiB)

tap0      Link encap:Ethernet  HWaddr 8a:2e:3c:2f:4b:70
          inet addr:12.0.0.2  Bcast:12.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::882e:3cff:fe2f:4b70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1412  Metric:1
          RX packets:168 errors:0 dropped:0 overruns:0 frame:0
          TX packets:190 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:39158 (38.2 KiB)  TX bytes:18264 (17.8 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:12:39:ba
          inet addr:192.168.0.199  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3765 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3852 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:649538 (634.3 KiB)  TX bytes:634194 (619.3 KiB)

wmaster0  Link encap:UNSPEC  HWaddr 00-21-6A-12-39-BA-00-00-00-00-00-00-00-00-00-00
          UP RUNNING  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

nexoc:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
f053149134.adsl 192.168.0.1     255.255.255.255 UGH   0      0        0 wlan0
192.168.0.0     *               255.255.255.0   U     0      0        0 wlan0
default         *               0.0.0.0         U     0      0        0 tap0

Each host can ping itself, but nobody else in the LAN.

I am completely at a loss.

Thanks for any tips and help.

Regards
monthy
 
That does not look like a log of the connection setup to me?

If the tunnel is really active, the correct path should be present in the routing table. You say it disappears immediately; I think that is the moment your tunnel drops.

From experience with SOHO routers I can tell you that "no ping" usually comes from a wrong network/subnet configuration. Unfortunately I have not done anything with OpenVPN for years.
Could you check whether there is a proper VPN connection log?

Edit: I see that OpenVPN's server.conf has a number of logging options. Please turn them on and post the log file of the connection setup here.
 
Connection log:

Thu Oct 29 23:54:19 2009 us=945289 Current Parameter Settings:
Thu Oct 29 23:54:19 2009 us=945676 config = '/etc/openvpn/server.conf'
Thu Oct 29 23:54:19 2009 us=945711 mode = 1
Thu Oct 29 23:54:19 2009 us=945744 persist_config = DISABLED
Thu Oct 29 23:54:19 2009 us=945777 persist_mode = 1
Thu Oct 29 23:54:19 2009 us=945809 show_ciphers = DISABLED
Thu Oct 29 23:54:19 2009 us=945840 show_digests = DISABLED
Thu Oct 29 23:54:19 2009 us=945872 show_engines = DISABLED
Thu Oct 29 23:54:19 2009 us=945903 genkey = DISABLED
Thu Oct 29 23:54:19 2009 us=945935 key_pass_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=945966 show_tls_ciphers = DISABLED
Thu Oct 29 23:54:19 2009 us=946037 Connection profiles [default]:
Thu Oct 29 23:54:19 2009 us=946071 proto = udp
Thu Oct 29 23:54:19 2009 us=946103 local = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=946135 local_port = 1194
Thu Oct 29 23:54:19 2009 us=946166 remote = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=946197 remote_port = 1194
Thu Oct 29 23:54:19 2009 us=946229 remote_float = DISABLED
Thu Oct 29 23:54:19 2009 us=946260 bind_defined = DISABLED
Thu Oct 29 23:54:19 2009 us=946292 bind_local = ENABLED
Thu Oct 29 23:54:19 2009 us=946323 connect_retry_seconds = 5
Thu Oct 29 23:54:19 2009 us=946354 connect_timeout = 10
Thu Oct 29 23:54:19 2009 us=946386 connect_retry_max = 0
Thu Oct 29 23:54:19 2009 us=946417 socks_proxy_server = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=946449 socks_proxy_port = 0
Thu Oct 29 23:54:19 2009 us=946480 socks_proxy_retry = DISABLED
Thu Oct 29 23:54:19 2009 us=946795 Connection profiles END
Thu Oct 29 23:54:19 2009 us=946830 remote_random = DISABLED
Thu Oct 29 23:54:19 2009 us=946862 ipchange = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=946894 dev = 'tap0'
Thu Oct 29 23:54:19 2009 us=946926 dev_type = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=946958 dev_node = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=946990 lladdr = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=947033 topology = 1
Thu Oct 29 23:54:19 2009 us=947075 tun_ipv6 = DISABLED
Thu Oct 29 23:54:19 2009 us=947107 ifconfig_local = '12.0.0.1'
Thu Oct 29 23:54:19 2009 us=947139 ifconfig_remote_netmask = '255.255.255.0'
Thu Oct 29 23:54:19 2009 us=947177 ifconfig_noexec = DISABLED
Thu Oct 29 23:54:19 2009 us=947210 ifconfig_nowarn = DISABLED
Thu Oct 29 23:54:19 2009 us=947242 shaper = 0
Thu Oct 29 23:54:19 2009 us=947274 tun_mtu = 1500
Thu Oct 29 23:54:19 2009 us=947305 tun_mtu_defined = ENABLED
Thu Oct 29 23:54:19 2009 us=947336 link_mtu = 1500
Thu Oct 29 23:54:19 2009 us=947368 link_mtu_defined = DISABLED
Thu Oct 29 23:54:19 2009 us=947400 tun_mtu_extra = 32
Thu Oct 29 23:54:19 2009 us=947431 tun_mtu_extra_defined = ENABLED
Thu Oct 29 23:54:19 2009 us=947463 fragment = 0
Thu Oct 29 23:54:19 2009 us=947535 mtu_discover_type = -1
Thu Oct 29 23:54:19 2009 us=947569 mtu_test = 0
Thu Oct 29 23:54:19 2009 us=947601 mlock = DISABLED
Thu Oct 29 23:54:19 2009 us=947633 keepalive_ping = 10
Thu Oct 29 23:54:19 2009 us=947664 keepalive_timeout = 120
Thu Oct 29 23:54:19 2009 us=947696 inactivity_timeout = 0
Thu Oct 29 23:54:19 2009 us=947727 ping_send_timeout = 10
Thu Oct 29 23:54:19 2009 us=947758 ping_rec_timeout = 240
Thu Oct 29 23:54:19 2009 us=947790 ping_rec_timeout_action = 2
Thu Oct 29 23:54:19 2009 us=947821 ping_timer_remote = DISABLED
Thu Oct 29 23:54:19 2009 us=947853 remap_sigusr1 = 0
Thu Oct 29 23:54:19 2009 us=947884 explicit_exit_notification = 0
Thu Oct 29 23:54:19 2009 us=947918 persist_tun = ENABLED
Thu Oct 29 23:54:19 2009 us=947991 persist_local_ip = DISABLED
Thu Oct 29 23:54:19 2009 us=948078 persist_remote_ip = DISABLED
Thu Oct 29 23:54:19 2009 us=948112 persist_key = ENABLED
Thu Oct 29 23:54:19 2009 us=948144 mssfix = 1450
Thu Oct 29 23:54:19 2009 us=948176 passtos = DISABLED
Thu Oct 29 23:54:19 2009 us=948208 resolve_retry_seconds = 1000000000
Thu Oct 29 23:54:19 2009 us=948240 username = 'nobody'
Thu Oct 29 23:54:19 2009 us=948271 groupname = 'nogroup'
Thu Oct 29 23:54:19 2009 us=948303 chroot_dir = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=948334 cd_dir = '/etc/openvpn'
Thu Oct 29 23:54:19 2009 us=948366 writepid = '/var/run/openvpn.server.pid'
Thu Oct 29 23:54:19 2009 us=948398 up_script = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=948429 down_script = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=948461 down_pre = DISABLED
Thu Oct 29 23:54:19 2009 us=948492 up_restart = DISABLED
Thu Oct 29 23:54:19 2009 us=948523 up_delay = DISABLED
Thu Oct 29 23:54:19 2009 us=948555 daemon = ENABLED
Thu Oct 29 23:54:19 2009 us=948587 inetd = 0
Thu Oct 29 23:54:19 2009 us=948618 log = ENABLED
Thu Oct 29 23:54:19 2009 us=948650 suppress_timestamps = DISABLED
Thu Oct 29 23:54:19 2009 us=948681 nice = 0
Thu Oct 29 23:54:19 2009 us=948713 verbosity = 5
Thu Oct 29 23:54:19 2009 us=948744 mute = 0
Thu Oct 29 23:54:19 2009 us=948775 gremlin = 0
Thu Oct 29 23:54:19 2009 us=948807 status_file = '/var/log/openvpn-status.log'
Thu Oct 29 23:54:19 2009 us=948839 status_file_version = 1
Thu Oct 29 23:54:19 2009 us=948870 status_file_update_freq = 60
Thu Oct 29 23:54:19 2009 us=948902 occ = ENABLED
Thu Oct 29 23:54:19 2009 us=948933 rcvbuf = 65536
Thu Oct 29 23:54:19 2009 us=948965 sndbuf = 65536
Thu Oct 29 23:54:19 2009 us=948996 sockflags = 0
Thu Oct 29 23:54:19 2009 us=949052 fast_io = DISABLED
Thu Oct 29 23:54:19 2009 us=949085 lzo = 7
Thu Oct 29 23:54:19 2009 us=949117 route_script = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=949149 route_default_gateway = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=949180 route_default_metric = 0
Thu Oct 29 23:54:19 2009 us=949226 route_noexec = DISABLED
Thu Oct 29 23:54:19 2009 us=949258 route_delay = 0
Thu Oct 29 23:54:19 2009 us=949290 route_delay_window = 30
Thu Oct 29 23:54:19 2009 us=949321 route_delay_defined = DISABLED
Thu Oct 29 23:54:19 2009 us=949353 route_nopull = DISABLED
Thu Oct 29 23:54:19 2009 us=949384 route_gateway_via_dhcp = DISABLED
Thu Oct 29 23:54:19 2009 us=949416 allow_pull_fqdn = DISABLED
Thu Oct 29 23:54:19 2009 us=949448 management_addr = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=949479 management_port = 0
Thu Oct 29 23:54:19 2009 us=949511 management_user_pass = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=949542 management_log_history_cache = 250
Thu Oct 29 23:54:19 2009 us=949573 management_echo_buffer_size = 100
Thu Oct 29 23:54:19 2009 us=949605 management_write_peer_info_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=949636 management_flags = 0
Thu Oct 29 23:54:19 2009 us=949668 shared_secret_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=949700 key_direction = 0
Thu Oct 29 23:54:19 2009 us=949731 ciphername_defined = ENABLED
Thu Oct 29 23:54:19 2009 us=949763 ciphername = 'aes-256-cbc'
Thu Oct 29 23:54:19 2009 us=949795 authname_defined = ENABLED
Thu Oct 29 23:54:19 2009 us=949827 authname = 'SHA1'
Thu Oct 29 23:54:19 2009 us=949858 keysize = 0
Thu Oct 29 23:54:19 2009 us=949890 engine = DISABLED
Thu Oct 29 23:54:19 2009 us=949921 replay = ENABLED
Thu Oct 29 23:54:19 2009 us=949953 mute_replay_warnings = DISABLED
Thu Oct 29 23:54:19 2009 us=949985 replay_window = 64
Thu Oct 29 23:54:19 2009 us=950016 replay_time = 15
Thu Oct 29 23:54:19 2009 us=950048 packet_id_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=950079 use_iv = ENABLED
Thu Oct 29 23:54:19 2009 us=950111 test_crypto = DISABLED
Thu Oct 29 23:54:19 2009 us=950142 tls_server = ENABLED
Thu Oct 29 23:54:19 2009 us=950174 tls_client = DISABLED
Thu Oct 29 23:54:19 2009 us=950206 key_method = 2
Thu Oct 29 23:54:19 2009 us=950237 ca_file = '/etc/openvpn/certs/ca.crt'
Thu Oct 29 23:54:19 2009 us=950269 ca_path = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=950300 dh_file = '/etc/openvpn/certs/dh2048.pem'
Thu Oct 29 23:54:19 2009 us=950332 cert_file = '/etc/openvpn/certs/server.crt'
Thu Oct 29 23:54:19 2009 us=950364 priv_key_file = '/etc/openvpn/certs/server.key'
Thu Oct 29 23:54:19 2009 us=950396 pkcs12_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=950427 cipher_list = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=950459 tls_verify = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=950490 tls_remote = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=950521 crl_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=950553 ns_cert_type = 0
Thu Oct 29 23:54:19 2009 us=950585 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950616 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950647 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950678 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950709 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950740 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950771 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950802 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950833 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950864 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950894 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950925 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950956 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=950987 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=951021 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=951066 remote_cert_ku = 0
Thu Oct 29 23:54:19 2009 us=951116 remote_cert_eku = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=951149 tls_timeout = 2
Thu Oct 29 23:54:19 2009 us=951180 renegotiate_bytes = 0
Thu Oct 29 23:54:19 2009 us=951212 renegotiate_packets = 0
Thu Oct 29 23:54:19 2009 us=951243 renegotiate_seconds = 3600
Thu Oct 29 23:54:19 2009 us=951275 handshake_window = 60
Thu Oct 29 23:54:19 2009 us=951306 transition_window = 3600
Thu Oct 29 23:54:19 2009 us=951350 single_session = DISABLED
Thu Oct 29 23:54:19 2009 us=951382 tls_exit = DISABLED
Thu Oct 29 23:54:19 2009 us=951413 tls_auth_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=951446 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951477 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951509 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951540 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951572 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951603 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951635 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951666 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951698 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951729 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951761 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951792 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951824 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951855 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951886 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951918 pkcs11_protected_authentication = DISABLED
Thu Oct 29 23:54:19 2009 us=951950 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=951982 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952077 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952111 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952143 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952174 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952206 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952237 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952269 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952300 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952332 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952363 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952395 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952426 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952457 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952489 pkcs11_private_mode = 00000000
Thu Oct 29 23:54:19 2009 us=952520 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952552 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952583 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952614 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952646 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952677 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952708 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952740 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952771 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952802 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952834 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952865 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952897 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952928 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952959 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=952991 pkcs11_cert_private = DISABLED
Thu Oct 29 23:54:19 2009 us=953023 pkcs11_pin_cache_period = -1
Thu Oct 29 23:54:19 2009 us=953054 pkcs11_id = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=953086 pkcs11_id_management = DISABLED
Thu Oct 29 23:54:19 2009 us=953119 server_network = 12.0.0.0
Thu Oct 29 23:54:19 2009 us=953152 server_netmask = 255.255.255.0
Thu Oct 29 23:54:19 2009 us=953185 server_bridge_ip = 0.0.0.0
Thu Oct 29 23:54:19 2009 us=953218 server_bridge_netmask = 0.0.0.0
Thu Oct 29 23:54:19 2009 us=953264 server_bridge_pool_start = 0.0.0.0
Thu Oct 29 23:54:19 2009 us=953297 server_bridge_pool_end = 0.0.0.0
Thu Oct 29 23:54:19 2009 us=953329 push_list = 'route-gateway 12.0.0.1,ping 10,ping-restart 120'
Thu Oct 29 23:54:19 2009 us=953361 ifconfig_pool_defined = ENABLED
Thu Oct 29 23:54:19 2009 us=953394 ifconfig_pool_start = 12.0.0.2
Thu Oct 29 23:54:19 2009 us=953427 ifconfig_pool_end = 12.0.0.254
Thu Oct 29 23:54:19 2009 us=953460 ifconfig_pool_netmask = 255.255.255.0
Thu Oct 29 23:54:19 2009 us=953492 ifconfig_pool_persist_filename = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=953524 ifconfig_pool_persist_refresh_freq = 600
Thu Oct 29 23:54:19 2009 us=953556 n_bcast_buf = 256
Thu Oct 29 23:54:19 2009 us=953587 tcp_queue_limit = 64
Thu Oct 29 23:54:19 2009 us=953619 real_hash_size = 256
Thu Oct 29 23:54:19 2009 us=953651 virtual_hash_size = 256
Thu Oct 29 23:54:19 2009 us=953682 client_connect_script = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=953714 learn_address_script = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=953746 client_disconnect_script = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=953778 client_config_dir = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=953809 ccd_exclusive = DISABLED
Thu Oct 29 23:54:19 2009 us=953841 tmp_dir = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=953873 push_ifconfig_defined = DISABLED
Thu Oct 29 23:54:19 2009 us=953906 push_ifconfig_local = 0.0.0.0
Thu Oct 29 23:54:19 2009 us=953939 push_ifconfig_remote_netmask = 0.0.0.0
Thu Oct 29 23:54:19 2009 us=953971 enable_c2c = DISABLED
Thu Oct 29 23:54:19 2009 us=954002 duplicate_cn = DISABLED
Thu Oct 29 23:54:19 2009 us=954034 cf_max = 0
Thu Oct 29 23:54:19 2009 us=954203 cf_per = 0
Thu Oct 29 23:54:19 2009 us=954234 max_clients = 10
Thu Oct 29 23:54:19 2009 us=954265 max_routes_per_client = 256
Thu Oct 29 23:54:19 2009 us=954297 client_cert_not_required = DISABLED
Thu Oct 29 23:54:19 2009 us=954329 username_as_common_name = DISABLED
Thu Oct 29 23:54:19 2009 us=954360 auth_user_pass_verify_script = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=954392 auth_user_pass_verify_script_via_file = DISABLED
Thu Oct 29 23:54:19 2009 us=954424 port_share_host = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=954455 port_share_port = 0
Thu Oct 29 23:54:19 2009 us=954486 client = DISABLED
Thu Oct 29 23:54:19 2009 us=954518 pull = DISABLED
Thu Oct 29 23:54:19 2009 us=954550 auth_user_pass_file = '[UNDEF]'
Thu Oct 29 23:54:19 2009 us=954622 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Thu Oct 29 23:54:19 2009 us=983952 Diffie-Hellman initialized with 2048 bit key
Thu Oct 29 23:54:19 2009 us=987007 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Thu Oct 29 23:54:20 2009 us=417676 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Oct 29 23:54:20 2009 us=418232 TUN/TAP device tap0 opened
Thu Oct 29 23:54:20 2009 us=418301 TUN/TAP TX queue length set to 100
Thu Oct 29 23:54:20 2009 us=418351 /sbin/ifconfig tap0 12.0.0.1 netmask 255.255.255.0 mtu 1500 broadcast 12.0.0.255
Thu Oct 29 23:54:20 2009 us=429066 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Oct 29 23:54:20 2009 us=437218 GID set to nogroup
Thu Oct 29 23:54:20 2009 us=437809 UID set to nobody
Thu Oct 29 23:54:20 2009 us=437962 Socket Buffers: R=[124928->131072] S=[124928->131072]
Thu Oct 29 23:54:20 2009 us=438047 UDPv4 link local (bound): [undef]:1194
Thu Oct 29 23:54:20 2009 us=438092 UDPv4 link remote: [undef]
Thu Oct 29 23:54:20 2009 us=438195 MULTI: multi_init called, r=256 v=256
Thu Oct 29 23:54:20 2009 us=439070 IFCONFIG POOL: base=12.0.0.2 size=253
Thu Oct 29 23:54:20 2009 us=439289 Initialization Sequence Completed
Thu Oct 29 23:54:22 2009 us=16308 MULTI: multi_create_instance called
Thu Oct 29 23:54:22 2009 us=16601 188.xxx.126.64:51328 Re-using SSL/TLS context
Thu Oct 29 23:54:22 2009 us=16996 188.xxx.126.64:51328 LZO compression initialized
Thu Oct 29 23:54:22 2009 us=20343 188.xxx.126.64:51328 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Oct 29 23:54:22 2009 us=20394 188.xxx.126.64:51328 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Oct 29 23:54:22 2009 us=21284 188.xxx.126.64:51328 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Oct 29 23:54:22 2009 us=21348 188.xxx.126.64:51328 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Oct 29 23:54:22 2009 us=21967 188.xxx.126.64:51328 Local Options hash (VER=V4): '1a6d5c5d'
Thu Oct 29 23:54:22 2009 us=22001 188.xxx.126.64:51328 Expected Remote Options hash (VER=V4): 'c6c7c21a'
RThu Oct 29 23:54:22 2009 us=22647 188.xxx.126.64:51328 TLS: Initial packet from 188.xxx.126.64:51328, sid=25aaa664 ff057fb7
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRThu Oct 29 23:54:23 2009 us=103563 188.xxx.126.64:51328 VERIFY OK: depth=1, /C=DE/ST=NIEDERSACHSEN/L=xxx/O=monthy-vpn/CN=monthy-vpn_CA/emailAddress=mail.mail@gmx.de
Thu Oct 29 23:54:23 2009 us=104840 188.xxx.126.64:51328 VERIFY OK: depth=0, /C=DE/ST=NIEDERSACHSEN/L=xxx/O=monthy-vpn/CN=corny/emailAddress=mail.mail@gmx.de
WRWRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRThu Oct 29 23:54:23 2009 us=406246 188.xxx.126.64:51328 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Oct 29 23:54:23 2009 us=406285 188.xxx.126.64:51328 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 29 23:54:23 2009 us=406315 188.xxx.126.64:51328 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Oct 29 23:54:23 2009 us=406343 188.xxx.126.64:51328 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRThu Oct 29 23:54:23 2009 us=469873 188.xxx.126.64:51328 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Oct 29 23:54:23 2009 us=469918 188.xxx.126.64:51328 [corny] Peer Connection Initiated with 188.xxx.126.64:51328
RThu Oct 29 23:54:25 2009 us=767823 corny/188.xxx.126.64:51328 PUSH: Received control message: 'PUSH_REQUEST'
Thu Oct 29 23:54:25 2009 us=768221 corny/188.xxx.126.64:51328 SENT CONTROL [corny]: 'PUSH_REPLY,route-gateway 12.0.0.1,ping 10,ping-restart 120,ifconfig 12.0.0.2 255.255.255.0' (status=1)
WWWRRRThu Oct 29 23:54:25 2009 us=850174 corny/188.xxx.126.64:51328 MULTI: Learn: 00:ff:58:eb:ab:ac -> corny/188.xxx.126.64:51328
wRwRwRwWRwRwWRwWRwWRwW
 
Hmm.. honestly I cannot see anything there. Or wait a moment....

PUSH_REQUEST and PUSH_REPLY, is that the IP-via-IKE/auto-config thingy?
I think this is where we need to start.

On both the client and the server the 12.0.0.0 route is not... una momenta, what kind of network is that anyway? 12.0.0.0? That is not an RFC 1918 network? And the same network on both endpoints?

Edit: ok, if you are using IKE AutoConfig there you can probably have the same network on both sides. But I still think 12.0.0.0 is not right. Correct me if I am wrong.
And which IPs are you trying to ping? The 12.0.0.0 ones or the eth0/wlan0 addresses?
 
About 12.0.0.0: in the LAN I can assign addresses however I like. :)
The route briefly flashes up on the client when the VPN starts and then disappears again in a flash. Somehow I have the feeling it is fiddling with the 0.0.0.0 0.0.0.0 entry, because that entry is not there when there is no connection.

That is also why I wrote at the beginning:

server:
eth0=10.1.2.9
OVPN=12.0.0.1

client=192.168.0.199
OVPN=12.0.0.2

What I could have added is that the server uses dyndns. But that should not really be the problem.

And to me as a layman the logs actually look fine. I would not know what is wrong. That is why I am asking ;)

[Edit]
When I am in the VPN, I can only meaningfully ping its own IPs, i.e. 12.0.0.1 for the server and 12.0.0.2 for the client. Nothing beyond that works in either direction. The really curious thing is that it worked once and then suddenly stopped without any change.
 
Yes, the log looks ok to me too. Unfortunately I have to say I am at the end of my wits. That it does not work because the routing tables are not right seems clear, but why that is... no idea :)

I see you have a tap0 interface on both systems; I assume that is a virtual interface created by OpenVPN? Does it not work without one? I have ShrewSoft VPN on my Windows box here, which I use to connect to several Netgear and Draytek routers. But without IKE AutoConfig, i.e. I have no virtual interface. It simply uses my local LAN address. That should be possible with OpenVPN too, right?


"The really curious thing is that it worked once and then suddenly stopped without any change."

Hahaha... I am used to that from Netgear routers. Did not know it happens with OpenVPN too.
 
How embarrassing, I do not even want to write it, but decency demands it. It works. The cause is most likely a problem with the bridging script. Before openvpn starts, a script is run that combines eth0=10.1.2.9 and tap0 into a br0. See the server ifconfig in the first post.
I thought you needed something fancy like that to get from OVPN=12.0.0.0 to LAN=10.1.2.0. But as I have now seen, this can be done with the server-bridge parameter or with push "route..." <= I think.

Very awkward....

The curious thing: the bridge was there from the start... And why it worked once... But I will not waste any more thought on it and will distance myself from that script. :-p
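The two setups the last post is weighing, as an added example that is not part of this thread and not OpenVPN's own sample scripts: a bridge-start/bridge-stop pair that makes tap0 a port of br0 next to eth0, the server.conf fragment that matches it (server-bridge, no address on tap0), the routed alternative that needs no bridge at all (server plus push "route"), and a small check that refuses a server.conf mixing the two. Interface names eth0/br0/tap0, the LAN 10.1.2.0/24 and the server address 10.1.2.9 are taken from the thread; the gateway 10.1.2.1, the client pool 10.1.2.200-10.1.2.220 and the routed subnet 10.8.0.0/24 are assumptions, the last one chosen from RFC 1918 space in place of the thread's 12.0.0.0/24, which is publicly routed address space. bridge-utils (brctl) is assumed to be installed, as it is on Debian lenny.

```shell
#!/bin/bash
# Added example, not from the thread or from the OpenVPN project.
# Assumed values: LAN NIC eth0, bridge br0, OpenVPN device tap0, LAN
# 10.1.2.0/24 with the server at 10.1.2.9 (as in the thread); default gateway
# 10.1.2.1 and VPN client pool 10.1.2.200-10.1.2.220 (assumed, adjust).
# Usage, as root:  ./ovpn-bridge.sh start | stop | check /etc/openvpn/server.conf
set -eu

ETH=eth0; BR=br0; TAP=tap0
ETH_IP=10.1.2.9; ETH_MASK=255.255.255.0; ETH_BCAST=10.1.2.255
GW=10.1.2.1                       # assumed, set to your router's LAN address

# Bridge mode: eth0 and tap0 become ports of br0 and carry no address of their
# own; the LAN address moves onto br0. OpenVPN must then NOT assign an address
# to tap0, so server.conf needs "server-bridge", not "server" (the "server"
# directive is what put 12.0.0.1 on tap0 in the thread's ifconfig).
bridge_start() {
    openvpn --mktun --dev "$TAP"
    brctl addbr "$BR"
    brctl addif "$BR" "$ETH"
    brctl addif "$BR" "$TAP"
    ifconfig "$TAP" 0.0.0.0 promisc up
    ifconfig "$ETH" 0.0.0.0 promisc up
    ifconfig "$BR" "$ETH_IP" netmask "$ETH_MASK" broadcast "$ETH_BCAST" up
    route add default gw "$GW" "$BR"
}

bridge_stop() {
    ifconfig "$BR" down
    brctl delbr "$BR"
    openvpn --rmtun --dev "$TAP"
    ifconfig "$ETH" "$ETH_IP" netmask "$ETH_MASK" broadcast "$ETH_BCAST" up
    route add default gw "$GW" "$ETH"
}

# server.conf fragment matching bridge_start: clients get LAN addresses from
# the pool (keep it outside the LAN's DHCP range) and reach 10.1.2.0/24 at
# layer 2, so no push "route" and no ip_forward are needed for that.
bridged_server_conf() {
    cat <<'EOF'
dev tap0
server-bridge 10.1.2.9 255.255.255.0 10.1.2.200 10.1.2.220
client-to-client
EOF
}

# Routed alternative with no bridge script at all: OpenVPN owns the device and
# a private VPN subnet; the LAN is reached via ip_forward plus the pushed route.
# 10.8.0.0/24 (assumed) stands in for the thread's 12.0.0.0/24.
routed_server_conf() {
    cat <<'EOF'
dev tun0
server 10.8.0.0 255.255.255.0
push "route 10.1.2.0 255.255.255.0"
EOF
}

# Classify a server.conf so the two modes do not get mixed. Prints one of:
#   bridge    dev tap + server-bridge: tap0 is expected to be a port of br0
#   routed    dev tun/tap + server:    the device must NOT be in a bridge
#   MISMATCH  both or neither directive, or server-bridge on a tun device
ovpn_conf_mode() {
    dev=$(awk '$1 == "dev" { print $2; exit }' "$1")
    n_server=$(grep -c '^server[[:space:]]' "$1" || true)
    n_bridge=$(grep -c '^server-bridge' "$1" || true)
    case "$dev:$n_server:$n_bridge" in
        tap*:0:1)            echo bridge ;;
        tap*:1:0|tun*:1:0)   echo routed ;;
        *)                   echo MISMATCH ;;
    esac
}

case "${1:-}" in
    start) bridge_start ;;
    stop)  bridge_stop ;;
    check) ovpn_conf_mode "$2" ;;
esac
```

Run `check` against the posted server.conf and it reports `routed`: `dev tap0` with `server 12.0.0.0 255.255.255.0` is a valid routed configuration only as long as tap0 is not also a bridge port, which is exactly the combination the bridge script created. In that state tap0 carries 12.0.0.1 while the bridge expects address-less ports, the client lands in 12.0.0.0/24, and the only path to 10.1.2.0/24 would be the pushed route, which the posted log's push_list does not contain. Pick one mode: either run bridge_start before OpenVPN and use bridged_server_conf, or drop the script entirely and use routed_server_conf with ip_forward=1. Independently of the routing problem, the tls-auth line left commented out in the posted server.conf is worth enabling in either mode.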
 