Linux routing, OpenVPN setup

Hello!

I have a VPS with a public IP address running Ubuntu. I have been trying to set up a VPN tunnel for several days now, but so far I only keep going from one error to the next. At the moment I presumably have a routing problem, since I followed a number of different guides and assembled my own Frankenstein's monster.

The server configuration file looks like this:


port 1194
proto tcp-server
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0

tls-server
cipher AES-128-CBC
keysize 128
auth SHA1
comp-lzo

sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

server 10.8.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"

ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-timeout 15

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
mute 20

client-to-client
client-config-dir /etc/openvpn/ccd

I will also attach the client configuration:

mode client

remote 185.18.54.226
redirect-gateway def1

port 1194
proto tcp-client
dev tun

tls-client
tls-timeout 15
cipher AES-128-CBC
keysize 128
key-direction 1
auth SHA1
comp-lzo

sndbuf 524288
rcvbuf 524288

resolv-retry infinite
nobind

user nobody
group nogroup
persist-key
persist-tun

mute 20
verb 3
log openvpn.log

# certificates

The certificates are stored in the same file.

When the client tries to connect to the server, I get these errors in the logs:

Options error: in --iroute 192.168.1.0 255.255.0.0 : Bad network/subnet specification
bad source address from client [255.255.255.252], packet dropped

So far my head is only good enough to understand that either the ccd files are misconfigured, or the routing on the server, or the routing on the client itself.

The ccd file for the client:

iroute 10.0.3.57 255.255.255.255
ifconfig-push 10.8.0.8 10.8.0.1 255.255.255.252

Routing tables of the server and the client:

Server:

default         185.18.54.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
185.18.54.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Client:

default         _gateway        0.0.0.0         UG    100    0        0 enp7s0
10.0.0.0        0.0.0.0         255.255.0.0     U     100    0        0 enp7s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp7s0

I would be extremely grateful for a sensible explanation of what exactly I am doing wrong and how to do it correctly.

I am also interested in how to correctly set up the ccd files for each user, given that each user will reach the server from different networks, such as:

  1. A mobile network.
  2. A home Wi-Fi access point.
  3. Other types of networks.


Replying to the comments:

Contents of ipp.txt

pnas,10.8.0.4

Server logs with --verb 4

Mon Apr 25 23:58:54 2022 us=370615 Current Parameter Settings:
Mon Apr 25 23:58:54 2022 us=370689   config = '/etc/openvpn/server.conf'
Mon Apr 25 23:58:54 2022 us=370699   mode = 1
Mon Apr 25 23:58:54 2022 us=370707   persist_config = DISABLED
Mon Apr 25 23:58:54 2022 us=370715   persist_mode = 1
Mon Apr 25 23:58:54 2022 us=370722   show_ciphers = DISABLED
Mon Apr 25 23:58:54 2022 us=370730   show_digests = DISABLED
Mon Apr 25 23:58:54 2022 us=370737   show_engines = DISABLED
Mon Apr 25 23:58:54 2022 us=370744   genkey = DISABLED
Mon Apr 25 23:58:54 2022 us=370752   key_pass_file = '[UNDEF]'
Mon Apr 25 23:58:54 2022 us=370759   show_tls_ciphers = DISABLED
Mon Apr 25 23:58:54 2022 us=370767   connect_retry_max = 0
Mon Apr 25 23:58:54 2022 us=370774 Connection profiles [0]:
Mon Apr 25 23:58:54 2022 us=370782   proto = tcp-server
Mon Apr 25 23:58:54 2022 us=370790   local = '[UNDEF]'
Mon Apr 25 23:58:54 2022 us=370797   local_port = '1194'
Mon Apr 25 23:58:54 2022 us=370805   remote = '[UNDEF]'
Mon Apr 25 23:58:54 2022 us=370812   remote_port = '1194'
Mon Apr 25 23:58:54 2022 us=370819   remote_float = DISABLED
Mon Apr 25 23:58:54 2022 us=370827   bind_defined = DISABLED
Mon Apr 25 23:58:54 2022 us=370834 NOTE: --mute triggered...
Mon Apr 25 23:58:54 2022 us=370849 272 variation(s) on previous 20 message(s) suppressed by --mute
Mon Apr 25 23:58:54 2022 us=370857 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Mon Apr 25 23:58:54 2022 us=370876 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Mon Apr 25 23:58:54 2022 us=373165 Diffie-Hellman initialized with 2048 bit key
Mon Apr 25 23:58:54 2022 us=373540 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 25 23:58:54 2022 us=373554 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 25 23:58:54 2022 us=373567 TLS-Auth MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Mon Apr 25 23:58:54 2022 us=373871 ROUTE_GATEWAY 185.18.54.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:1a:80:ab
Mon Apr 25 23:58:54 2022 us=375648 TUN/TAP device tun0 opened
Mon Apr 25 23:58:54 2022 us=375777 TUN/TAP TX queue length set to 100
Mon Apr 25 23:58:54 2022 us=375801 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Apr 25 23:58:54 2022 us=375816 /sbin/ip link set dev tun0 up mtu 1500
Mon Apr 25 23:58:54 2022 us=389813 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Apr 25 23:58:54 2022 us=392080 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Apr 25 23:58:54 2022 us=396473 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Apr 25 23:58:54 2022 us=396847 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Apr 25 23:58:54 2022 us=396948 Socket Buffers: R=[87380->1048576] S=[87380->1048576]
Mon Apr 25 23:58:54 2022 us=396968 Listening for incoming TCP connection on [AF_INET][undef]:1194
Mon Apr 25 23:58:54 2022 us=396982 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Mon Apr 25 23:58:54 2022 us=396991 TCPv4_SERVER link remote: [AF_UNSPEC]
Mon Apr 25 23:58:54 2022 us=397006 GID set to nogroup
Mon Apr 25 23:58:54 2022 us=397063 UID set to nobody
Mon Apr 25 23:58:54 2022 us=397083 MULTI: multi_init called, r=256 v=256
Mon Apr 25 23:58:54 2022 us=397121 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Apr 25 23:58:54 2022 us=397135 ifconfig_pool_read(), in='pnas,10.8.0.4', TODO: IPv6
Mon Apr 25 23:58:54 2022 us=397147 succeeded -> ifconfig_pool_set()
Mon Apr 25 23:58:54 2022 us=397157 IFCONFIG POOL LIST
Mon Apr 25 23:58:54 2022 us=397166 pnas,10.8.0.4
Mon Apr 25 23:58:54 2022 us=397265 MULTI: TCP INIT maxclients=1024 maxevents=1028
Mon Apr 25 23:58:54 2022 us=397998 Initialization Sequence Completed
Mon Apr 25 23:58:57 2022 us=835188 MULTI: multi_create_instance called
Mon Apr 25 23:58:57 2022 us=835479 Re-using SSL/TLS context
Mon Apr 25 23:58:57 2022 us=835755 LZO compression initializing
Mon Apr 25 23:58:57 2022 us=836187 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Mon Apr 25 23:58:57 2022 us=836251 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Apr 25 23:58:57 2022 us=836388 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Mon Apr 25 23:58:57 2022 us=836400 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Mon Apr 25 23:58:57 2022 us=836481 TCP connection established with [AF_INET]109.252.196.160:8420
Mon Apr 25 23:58:57 2022 us=836493 TCPv4_SERVER link local: (not bound)
Mon Apr 25 23:58:57 2022 us=836504 TCPv4_SERVER link remote: [AF_INET]109.252.196.160:8420
Mon Apr 25 23:58:57 2022 us=842791 109.252.196.160:8420 TLS: Initial packet from [AF_INET]109.252.196.160:8420, sid=fc8cf0fb fb626ece
Mon Apr 25 23:58:58 2022 us=110895 109.252.196.160:8420 VERIFY OK: depth=1, CN=m.space
Mon Apr 25 23:58:58 2022 us=111107 109.252.196.160:8420 VERIFY OK: depth=0, CN=shatte
Mon Apr 25 23:58:58 2022 us=111478 109.252.196.160:8420 peer info: IV_VER=2.5.5
Mon Apr 25 23:58:58 2022 us=111833 109.252.196.160:8420 peer info: IV_PLAT=linux
Mon Apr 25 23:58:58 2022 us=111847 109.252.196.160:8420 peer info: IV_PROTO=6
Mon Apr 25 23:58:58 2022 us=111858 109.252.196.160:8420 peer info: IV_NCP=2
Mon Apr 25 23:58:58 2022 us=111870 109.252.196.160:8420 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-128-CBC
Mon Apr 25 23:58:58 2022 us=111881 109.252.196.160:8420 peer info: IV_LZ4=1
Mon Apr 25 23:58:58 2022 us=111892 109.252.196.160:8420 peer info: IV_LZ4v2=1
Mon Apr 25 23:58:58 2022 us=111903 109.252.196.160:8420 peer info: IV_LZO=1
Mon Apr 25 23:58:58 2022 us=111914 109.252.196.160:8420 peer info: IV_COMP_STUB=1
Mon Apr 25 23:58:58 2022 us=111924 109.252.196.160:8420 peer info: IV_COMP_STUBv2=1
Mon Apr 25 23:58:58 2022 us=111935 109.252.196.160:8420 peer info: IV_TCPNL=1
Mon Apr 25 23:58:58 2022 us=293127 109.252.196.160:8420 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mon Apr 25 23:58:58 2022 us=293224 109.252.196.160:8420 [shatte] Peer Connection Initiated with [AF_INET]109.252.196.160:8420
Mon Apr 25 23:58:58 2022 us=293309 shatte/109.252.196.160:8420 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/shatte
Mon Apr 25 23:58:58 2022 us=293565 shatte/109.252.196.160:8420 MULTI: Learn: 10.8.0.4 -> shatte/109.252.196.160:8420
Mon Apr 25 23:58:58 2022 us=293584 shatte/109.252.196.160:8420 MULTI: primary virtual IP for shatte/109.252.196.160:8420: 10.8.0.4
Mon Apr 25 23:58:58 2022 us=293617 shatte/109.252.196.160:8420 MULTI: internal route 10.8.0.0/24 -> shatte/109.252.196.160:8420
Mon Apr 25 23:58:58 2022 us=293634 shatte/109.252.196.160:8420 MULTI: Learn: 10.8.0.0/24 -> shatte/109.252.196.160:8420
Mon Apr 25 23:58:58 2022 us=293652 shatte/109.252.196.160:8420 REMOVE PUSH ROUTE: 'route 10.8.0.0 255.255.255.0'
Mon Apr 25 23:58:59 2022 us=264212 shatte/109.252.196.160:8420 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 25 23:58:59 2022 us=265266 shatte/109.252.196.160:8420 SENT CONTROL [shatte]: 'PUSH_REPLY,sndbuf 524288,rcvbuf 524288,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.4 10.8.0.1,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Apr 25 23:58:59 2022 us=265320 shatte/109.252.196.160:8420 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Apr 25 23:58:59 2022 us=265365 shatte/109.252.196.160:8420 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Mon Apr 25 23:58:59 2022 us=265468 shatte/109.252.196.160:8420 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr 25 23:58:59 2022 us=265481 shatte/109.252.196.160:8420 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr 25 23:59:00 2022 us=443214 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:00 2022 us=443343 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:00 2022 us=443368 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:00 2022 us=491997 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:00 2022 us=647443 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:00 2022 us=749308 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:00 2022 us=895430 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:01 2022 us=189296 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:01 2022 us=313291 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:02 2022 us=116627 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:02 2022 us=240505 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:03 2022 us=936740 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:04 2022 us=65020 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:07 2022 us=777857 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:07 2022 us=869828 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:08 2022 us=695474 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:15 2022 us=200009 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:15 2022 us=248203 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:29 2022 us=796010 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:29 2022 us=844928 shatte/109.252.196.160:8420 MULTI: bad source address from client [192.168.1.68], packet dropped
Mon Apr 25 23:59:58 2022 us=745035 shatte/109.252.196.160:8420 NOTE: --mute triggered...

Answers (0):
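The two errors quoted in the post come from two checks OpenVPN applies on the server side: a "network netmask" pair given to --route/--iroute is rejected when the address has host bits set under the mask ("Bad network/subnet specification"), and a packet arriving through the tunnel is dropped unless its source IP is the client's assigned VPN address or lies inside a network granted to that client with iroute ("bad source address from client", an anti-spoofing control that stops one client from injecting traffic on behalf of addresses it does not own). The Python model below is an added example written for this page, not OpenVPN's own code or anything the poster ran; the ClientInstance class and the constructed scenario (client shatte, pool address 10.8.0.4, ccd iroute for the single host 10.0.3.57, packets sourced from 192.168.1.68) are assumptions that mirror the post's log, and the check logic is an approximation of OpenVPN's per-client routing table.

```python
"""Model of two OpenVPN server-side checks (added example, not OpenVPN code):
the --route/--iroute subnet sanity check and the per-client source check."""
import ipaddress
from dataclasses import dataclass, field


def check_subnet_spec(network: str, netmask: str) -> tuple[bool, str]:
    """Validate a 'network netmask' pair the way --route/--iroute do.

    strict=True makes ipaddress refuse an address with host bits set under
    the mask, which is the 'Bad network/subnet specification' case.
    """
    try:
        net = ipaddress.IPv4Network((network, netmask), strict=True)
    except ValueError as exc:
        return False, f"Bad network/subnet specification: {network} {netmask} ({exc})"
    return True, str(net)


@dataclass
class ClientInstance:
    """One connected client: its name, assigned VPN IP, and iroute entries.

    Hypothetical helper type for this example; OpenVPN keeps an equivalent
    internal table of which sources each client instance may use.
    """
    name: str
    virtual_ip: str
    iroutes: list[tuple[str, str]] = field(default_factory=list)

    def learned_networks(self) -> list[ipaddress.IPv4Network]:
        """Networks the server accepts as packet source for this client."""
        nets = [ipaddress.IPv4Network(f"{self.virtual_ip}/32")]
        for network, netmask in self.iroutes:
            ok, text = check_subnet_spec(network, netmask)
            if not ok:
                # OpenVPN aborts option parsing here; this model skips the entry.
                continue
            nets.append(ipaddress.IPv4Network(text))
        return nets

    def source_check(self, src_ip: str) -> str:
        """Emulate the MULTI source-address check for one tunnel packet."""
        src = ipaddress.IPv4Address(src_ip)
        for net in self.learned_networks():
            if src in net:
                return "accepted"
        return f"MULTI: bad source address from client [{src_ip}], packet dropped"


# Constructed scenario matching the post: 'shatte' got 10.8.0.4 from the pool,
# its ccd only permits the single host 10.0.3.57, yet it sends packets whose
# source is its home-LAN address 192.168.1.68.
SHATTE = ClientInstance("shatte", "10.8.0.4", iroutes=[("10.0.3.57", "255.255.255.255")])

# Same client with a ccd that admits its whole LAN using a consistent /24 mask.
SHATTE_LAN = ClientInstance("shatte", "10.8.0.4", iroutes=[("192.168.1.0", "255.255.255.0")])


if __name__ == "__main__":
    print(check_subnet_spec("192.168.1.0", "255.255.0.0"))    # rejected, as in the post
    print(check_subnet_spec("192.168.1.0", "255.255.255.0"))  # valid /24
    print(SHATTE.source_check("192.168.1.68"))                # dropped, as in the log
    print(SHATTE.source_check("10.8.0.4"))                    # accepted
    print(SHATTE_LAN.source_check("192.168.1.68"))            # accepted
```

Two caveats for reading the output. Granting a LAN with iroute only makes sense when the client really forwards for that LAN, and the server then also needs a matching route statement so its kernel hands return traffic to the tun device; for a single roaming host on mobile or home Wi-Fi, the dropped packets instead indicate that the client is pushing LAN-sourced traffic into the tunnel, which is what should be fixed on the client. And the first argument of a subnet spec must be the network address itself (192.168.1.0 with 255.255.255.0, or 192.168.0.0 with 255.255.0.0), which is why the combination in the post is refused before any route is installed.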