LINUX.ORG.RU
Server cannot connect to an OpenVPN server

Setup: the first server, hereafter vpn_1; the second server, hereafter vpn_2. All servers run Debian 10 and were configured following this guide: https://www.8host.com/blog/nastrojka-servera-openvpn-v-debian-10/

After bringing up several OpenVPN servers I checked that they worked. A client can connect to each of the VPN servers.

Now I am trying to connect the vpn_1 server to the vpn_2 server, after which the terminal hangs; logs:

Sat Jul 31 18:17:29 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Sat Jul 31 18:17:29 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sat Jul 31 18:17:29 2021 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jul 31 18:17:29 2021 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jul 31 18:17:29 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]server_vpn2:1194
Sat Jul 31 18:17:29 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jul 31 18:17:29 2021 UDP link local: (not bound)
Sat Jul 31 18:17:29 2021 UDP link remote: [AF_INET]server_vpn2:1194
Sat Jul 31 18:17:29 2021 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jul 31 18:17:29 2021 TLS: Initial packet from [AF_INET]server_vpn2:1194, sid=9ddc72fa ddd275ca
Sat Jul 31 18:17:29 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Jul 31 18:17:29 2021 VERIFY KU OK
Sat Jul 31 18:17:29 2021 Validating certificate extended key usage
Sat Jul 31 18:17:29 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 31 18:17:29 2021 VERIFY EKU OK
Sat Jul 31 18:17:29 2021 VERIFY OK: depth=0, CN=server
Sat Jul 31 18:17:30 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Jul 31 18:17:30 2021 [server] Peer Connection Initiated with [AF_INET]server_vpn2:1194
Sat Jul 31 18:17:31 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 31 18:17:31 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Jul 31 18:17:31 2021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: route options modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: peer-id set
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Jul 31 18:17:31 2021 OPTIONS IMPORT: data channel crypto options modified
Sat Jul 31 18:17:31 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Jul 31 18:17:31 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:17:31 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:17:31 2021 ROUTE_GATEWAY server_vpn1/255.255.255.0 IFACE=eth0 HWADDR=22:54:00:fc:3b:b1
Sat Jul 31 18:17:31 2021 TUN/TAP device tun0 opened
Sat Jul 31 18:17:31 2021 TUN/TAP TX queue length set to 100
Sat Jul 31 18:17:31 2021 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul 31 18:17:31 2021 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sat Jul 31 18:17:31 2021 /sbin/ip route add server_vpn2/32 via server_vpn1
Sat Jul 31 18:17:31 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Jul 31 18:17:31 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Jul 31 18:17:31 2021 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sat Jul 31 18:17:31 2021 GID set to nogroup
Sat Jul 31 18:17:31 2021 UID set to nobody
Sat Jul 31 18:17:31 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jul 31 18:17:31 2021 Initialization Sequence Completed
Sat Jul 31 18:21:34 2021 [server] Inactivity timeout (--ping-restart), restarting
Sat Jul 31 18:21:34 2021 SIGUSR1[soft,ping-restart] received, process restarting
Sat Jul 31 18:21:34 2021 Restart pause, 5 second(s)
Sat Jul 31 18:21:39 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]server_vpn2:1194
Sat Jul 31 18:21:39 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jul 31 18:21:39 2021 UDP link local: (not bound)
Sat Jul 31 18:21:39 2021 UDP link remote: [AF_INET]server_vpn2:1194
Sat Jul 31 18:21:39 2021 TLS: Initial packet from [AF_INET]server_vpn2:1194, sid=c839268b 87b99781
Sat Jul 31 18:21:39 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Jul 31 18:21:39 2021 VERIFY KU OK
Sat Jul 31 18:21:39 2021 Validating certificate extended key usage
Sat Jul 31 18:21:39 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 31 18:21:39 2021 VERIFY EKU OK
Sat Jul 31 18:21:39 2021 VERIFY OK: depth=0, CN=server
Sat Jul 31 18:21:39 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Jul 31 18:21:39 2021 [server] Peer Connection Initiated with [AF_INET]server_vpn2:1194
Sat Jul 31 18:21:40 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 31 18:21:40 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Jul 31 18:21:40 2021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: route options modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: peer-id set
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Jul 31 18:21:40 2021 OPTIONS IMPORT: data channel crypto options modified
Sat Jul 31 18:21:40 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Jul 31 18:21:40 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:21:40 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:21:40 2021 Preserving previous TUN/TAP instance: tun0
Sat Jul 31 18:21:40 2021 Initialization Sequence Completed
Sat Jul 31 18:26:02 2021 [server] Inactivity timeout (--ping-restart), restarting
Sat Jul 31 18:26:02 2021 SIGUSR1[soft,ping-restart] received, process restarting
Sat Jul 31 18:26:02 2021 Restart pause, 5 second(s)
Sat Jul 31 18:26:07 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]server_vpn2:1194
Sat Jul 31 18:26:07 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jul 31 18:26:07 2021 UDP link local: (not bound)
Sat Jul 31 18:26:07 2021 UDP link remote: [AF_INET]server_vpn2:1194
Sat Jul 31 18:26:07 2021 TLS: Initial packet from [AF_INET]server_vpn2:1194, sid=a3b0f535 1ec34abd
Sat Jul 31 18:26:07 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Jul 31 18:26:07 2021 VERIFY KU OK
Sat Jul 31 18:26:07 2021 Validating certificate extended key usage
Sat Jul 31 18:26:07 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 31 18:26:07 2021 VERIFY EKU OK
Sat Jul 31 18:26:07 2021 VERIFY OK: depth=0, CN=server
Sat Jul 31 18:26:07 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Jul 31 18:26:07 2021 [server] Peer Connection Initiated with [AF_INET]server_vpn2:1194
Sat Jul 31 18:26:08 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 31 18:26:08 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM'
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: route options modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: peer-id set
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Jul 31 18:26:08 2021 OPTIONS IMPORT: data channel crypto options modified
Sat Jul 31 18:26:08 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Jul 31 18:26:08 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:26:08 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jul 31 18:26:08 2021 Preserving previous TUN/TAP instance: tun0
Sat Jul 31 18:26:08 2021 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sat Jul 31 18:26:08 2021 /sbin/ip route del 10.8.0.1/32
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 /sbin/ip route del server_vpn2/32
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 /sbin/ip route del 0.0.0.0/1
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 /sbin/ip route del 128.0.0.0/1
Sat Jul 31 18:26:08 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 31 18:26:08 2021 Closing TUN/TAP interface
Sat Jul 31 18:26:08 2021 /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
Sat Jul 31 18:26:08 2021 Linux ip addr del failed: external program exited with error status: 2
Sat Jul 31 18:26:09 2021 ROUTE_GATEWAY server_vpn1/255.255.255.0 IFACE=eth0 HWADDR=22:54:00:fc:3b:b1
Sat Jul 31 18:26:09 2021 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Sat Jul 31 18:26:09 2021 Exiting due to fatal error


server.conf for vpn_1 and vpn_2:
port 1194 / 443 (vpn_2)
 
proto udp / tcp (vpn_2)

dev tun

ca ca.crt
cert vpn_1.crt
key vpn_1.key  

dh dh.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "block-outside-dns"

keepalive 10 120

tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256

user nobody
group nogroup

persist-key
persist-tun

verb 0

explicit-exit-notify 1

server_vpn1#: openvpn --client --config ./config.ovpn

config.ovpn

client

dev tun

proto tcp

remote server_vpn1 443

resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

remote-cert-tls server

cipher AES-256-CBC
auth SHA256
key-direction 1


script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

verb 3

<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>

The topology I want: client1->vpn_1->vpn_2->internet

For some reason message markup doesn't work. Only code works.



Last edited by: ecspl01t (5 edits total)

Reply to: deleted comment

Thanks for the reply, very informative.

P.S. Tags don't work; I copy the examples from the markup help and get the same result.

ecspl01t
() topic author
Last edited by: ecspl01t (2 edits total)
Reply to: comment by ecspl01t

See, you're already improving, respect. I didn't read the configs, though they look nice now. My guess: the terminal hangs because server1 receives a default route and starts pushing traffic to the client through server2, which of course breaks the existing connection.

anonymous
()
Reply to: comment by anonymous

Route

Looks like that's it. I checked the logs on server_2 and they show that the client connected; the problem is with the route, I just don't understand how to fix it.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         server_1.1   	0.0.0.0         UG    0      0        0 eth0
server_2  	server_1.1   	255.255.255.255 UGH   0      0        0 eth0
server_1.0   	0.0.0.0         255.255.255.0   U     0      0        0 eth0

After I closed the VPN connection to server_2 and the terminal came back to life, this route remained:

server_2  	server_1.1   	255.255.255.255 UGH   0      0        0 eth0

Logs when connecting to server_2

Wed Aug  4 19:02:24 2021 ROUTE_GATEWAY server_1/255.255.255.0 IFACE=eth0 HWADDR=22:54:00:fc:3b:b1
Wed Aug  4 19:02:24 2021 TUN/TAP device tun0 opened
Wed Aug  4 19:02:24 2021 TUN/TAP TX queue length set to 100
Wed Aug  4 19:02:24 2021 /sbin/ip link set dev tun0 up mtu 1500
Wed Aug  4 19:02:24 2021 /sbin/ip addr add dev tun0 local 10.10.0.6 peer 10.10.0.5
Wed Aug  4 19:02:24 2021 /etc/openvpn/update-resolv-conf tun0 1500 1554 10.10.0.6 10.10.0.5 init
Wed Aug  4 19:02:24 2021 /sbin/ip route add server_2/32 via server_1
RTNETLINK answers: File exists
Wed Aug  4 19:02:24 2021 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Aug  4 19:02:24 2021 /sbin/ip route add 0.0.0.0/1 via 10.10.0.5
Wed Aug  4 19:02:24 2021 /sbin/ip route add 128.0.0.0/1 via 10.10.0.5
Wed Aug  4 19:02:24 2021 /sbin/ip route add 10.10.0.1/32 via 10.10.0.5
Wed Aug  4 19:02:24 2021 GID set to nogroup
Wed Aug  4 19:02:24 2021 UID set to nobody
Wed Aug  4 19:02:24 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug  4 19:02:24 2021 Initialization Sequence Completed
^C <- here I closed the connection Wed Aug  4 19:03:05 2021 event_wait : Interrupted system call (code=4)
Wed Aug  4 19:03:05 2021 /sbin/ip route del 10.10.0.1/32
RTNETLINK answers: Operation not permitted
Wed Aug  4 19:03:05 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Wed Aug  4 19:03:05 2021 /sbin/ip route del server_2/32
RTNETLINK answers: Operation not permitted
Wed Aug  4 19:03:05 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Wed Aug  4 19:03:05 2021 /sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
Wed Aug  4 19:03:05 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Wed Aug  4 19:03:05 2021 /sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
Wed Aug  4 19:03:05 2021 ERROR: Linux route delete command failed: external program exited with error status: 2
Wed Aug  4 19:03:05 2021 Closing TUN/TAP interface
Wed Aug  4 19:03:05 2021 /sbin/ip addr del dev tun0 local 10.10.0.6 peer 10.10.0.5
RTNETLINK answers: Operation not permitted
Wed Aug  4 19:03:05 2021 Linux ip addr del failed: external program exited with error status: 2
Wed Aug  4 19:03:05 2021 /etc/openvpn/update-resolv-conf tun0 1500 1554 10.10.0.6 10.10.0.5 init
Wed Aug  4 19:03:05 2021 SIGINT[hard,] received, process exiting

ecspl01t
() topic author
Reply to: comment by anc

I think I've figured it out

iptables -t mangle -A PREROUTING -i eth0  -m state --state NEW  -j CONNMARK --set-mark 0x200
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
ip rule add fwmark 0x200 table 1100
ip route add default via $YOU_GW_IP table 1100

anc ★★★★★
()
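The CONNMARK/fwmark approach in the comment above, modelled as an added example (not code from the thread): a small Python simulation of server_1's main table as posted later in this thread plus table 1100, showing why a reply to a VPN client that arrived on eth0 leaves via tun1 without the marking rules (so the client sees it coming from server_2) and via eth0 with them, while server_1's own traffic still uses the tunnel. All addresses are constructed documentation addresses, not the thread's real hosts.

```python
"""Model of the return-path problem on server_1 and the CONNMARK/fwmark fix.

Constructed example (not from the thread): server_1 has the route table the
OP posted, with the anonymised hosts replaced by documentation addresses:
  server_1 = 203.0.113.10/24, gateway = 203.0.113.1,
  server_2 = 198.51.100.20,   VPN client = 192.0.2.77.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

GW = "203.0.113.1"
SERVER_1 = "203.0.113.10"
SERVER_2 = "198.51.100.20"
CLIENT = "192.0.2.77"
FWMARK = 0x200


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None


def table(*entries):
    """Build a table from (prefix, dev, via) tuples."""
    return [Route(ipaddress.ip_network(p), dev, via) for p, dev, via in entries]


# Main table as shown by 'ip r s' after server_1 connected to server_2:
# redirect-gateway def1 installed 0.0.0.0/1 and 128.0.0.0/1 via tun1.
MAIN = table(
    ("0.0.0.0/1", "tun1", "10.10.0.5"),
    ("0.0.0.0/0", "eth0", GW),
    ("10.8.0.0/24", "tun0", "10.8.0.2"),
    ("10.10.0.0/24", "tun1", "10.10.0.5"),
    (SERVER_2 + "/32", "eth0", GW),
    ("128.0.0.0/1", "tun1", "10.10.0.5"),
    ("203.0.113.0/24", "eth0", None),
)
# 'ip route add default via $GW table 1100'
TABLE_1100 = table(("0.0.0.0/0", "eth0", GW))


def lookup(tbl, dst):
    """Longest-prefix match, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in tbl:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


class PolicyRouter:
    """Route tables plus an 'ip rule' list; a dict stands in for conntrack marks."""

    def __init__(self, with_fix):
        self.with_fix = with_fix
        # (fwmark, table) in rule-priority order; main is the implicit fallback
        self.rules = [(FWMARK, TABLE_1100)] if with_fix else []
        self.conntrack = {}   # (src, sport, dst, dport) -> CONNMARK value

    def route(self, dst, mark=0):
        for rule_mark, tbl in self.rules:      # 'ip rule add fwmark 0x200 table 1100'
            if mark == rule_mark:
                hit = lookup(tbl, dst)
                if hit:
                    return hit
        return lookup(MAIN, dst)

    def prerouting(self, in_dev, src, sport, dst, dport):
        """mangle PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-mark 0x200"""
        key = (src, sport, dst, dport)
        if key not in self.conntrack:          # --state NEW: first packet only
            self.conntrack[key] = FWMARK if (self.with_fix and in_dev == "eth0") else 0

    def output(self, src, sport, dst, dport):
        """mangle OUTPUT -j CONNMARK --restore-mark, then the routing decision."""
        reply_of = (dst, dport, src, sport)    # conntrack matches the reversed tuple
        mark = self.conntrack.get(reply_of, 0)
        return self.route(dst, mark).dev


def reply_egress(with_fix):
    """Egress interface of server_1's reply to a client handshake that came in on eth0."""
    r = PolicyRouter(with_fix)
    r.prerouting("eth0", CLIENT, 11419, SERVER_1, 1194)
    return r.output(SERVER_1, 1194, CLIENT, 11419)


def own_traffic_egress(with_fix):
    """Egress of traffic server_1 originates itself (should still use the tunnel)."""
    return PolicyRouter(with_fix).output(SERVER_1, 40000, "192.0.2.1", 443)


if __name__ == "__main__":
    print("reply to client, no fix  :", reply_egress(False))        # tun1
    print("reply to client, with fix:", reply_egress(True))         # eth0
    print("server_1 own traffic     :", own_traffic_egress(True))   # tun1
```

Without the rules the reply is routed by the pushed 128.0.0.0/1 entry and leaves through tun1, which matches the "expected peer address" rejections reported further down in the thread.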
Reply to: comment by anc

Managed to connect server_1 -> server_2, and traffic flows correctly server_1 -> server_2 -> internet. But now the client has stopped connecting to server_1:

2021-08-08 17:37:16 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-08-08 17:37:16 TLS Error: TLS handshake failed

When I try to connect to the server, the logs contain information about the client:

# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Jul 31 19:37:00 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
UNDEF,client_ip:11419,108,182,Sat Jul 31 19:36:57 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

When I broke the connection between server_1 and server_2, the client connected automatically:

Sun Aug 08 17:52:18 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Aug 08 17:52:18 2021 TLS Error: TLS handshake failed
Sun Aug 08 17:52:18 2021 SIGUSR1[soft,tls-error] received, process restarting
Sun Aug 08 17:52:18 2021 MANAGEMENT: >STATE:1628437938,RECONNECTING,tls-error,,,,,
Sun Aug 08 17:52:18 2021 Restart pause, 5 second(s)
Sun Aug 08 17:52:23 2021 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Aug 08 17:52:23 2021 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Aug 08 17:52:23 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]server_1:1194
Sun Aug 08 17:52:23 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Aug 08 17:52:23 2021 UDP link local: (not bound)
Sun Aug 08 17:52:23 2021 UDP link remote: [AF_INET]server_1:1194
Sun Aug 08 17:52:23 2021 MANAGEMENT: >STATE:1628437943,WAIT,,,,,,
Sun Aug 08 17:52:53 2021 TLS Error: Unroutable control packet received from [AF_INET]server_1:1194 (si=3 op=P_ACK_V1)
Sun Aug 08 17:52:55 2021 MANAGEMENT: >STATE:1628437975,AUTH,,,,,,
Sun Aug 08 17:52:55 2021 TLS: Initial packet from [AF_INET]server_1:1194, sid=6f9b473f 8a8922d5
Sun Aug 08 17:52:55 2021 VERIFY OK: depth=1, CN=Easy-RSA CA
Sun Aug 08 17:52:55 2021 VERIFY KU OK

P.S. openvpn said I should add float to the configuration; I didn't look into why.

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.0.5       128.0.0.0       UG    0      0        0 tun1
0.0.0.0         server_1.1   	0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.10.0.0       10.10.0.5       255.255.255.0   UG    0      0        0 tun1
10.10.0.1       10.10.0.5       255.255.255.255 UGH   0      0        0 tun1
10.10.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun1
server_2  	server_1.1   	255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.10.0.5       128.0.0.0       UG    0      0        0 tun1
server_1.0   	0.0.0.0         255.255.255.0   U     0      0        0 eth0

It seems to me that after the server_1 -> server_2 connection, the client cannot connect to server_1 because all traffic now goes through server_2.

server_1 openvpn.log

Sat Jul 31 19:54:58 2021 us=298155 MULTI: multi_create_instance called
Sat Jul 31 19:54:58 2021 us=298254 client_1:11409 Re-using SSL/TLS context
Sat Jul 31 19:54:58 2021 us=298422 client_1:11409 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sat Jul 31 19:54:58 2021 us=298443 client_1:11409 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sat Jul 31 19:54:58 2021 us=298500 client_1:11409 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Sat Jul 31 19:54:58 2021 us=298528 client_1:11409 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
RSat Jul 31 19:54:58 2021 us=298575 client_1:11409 TLS: Initial packet from [AF_INET]client_1:11409, sid=7adc1f3c 80e89aef
WRWWRWRWRWWSat Jul 31 19:55:58 2021 us=722524 client_1:11409 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 31 19:55:58 2021 us=722682 client_1:11409 TLS Error: TLS handshake failed
Sat Jul 31 19:55:58 2021 us=722868 client_1:11409 SIGUSR1[soft,tls-error] received, client-instance restarting

ecspl01t
() topic author
Last edited by: ecspl01t (4 edits total)
Reply to: comment by ecspl01t

I thought all traffic was being forwarded to server_2, so I swapped the certificates from server_2's client into the client_server_1.ovpn config, but then I started getting logs like: Authenticate/Decrypt packet error: packet HMAC authentication failed

ecspl01t
() topic author
Reply to: comment by anc

The topology I want: client1->vpn_1->vpn_2->internet

ecspl01t
() topic author
Reply to: comment by anc

# ip ru s

0:	from all lookup local 
32765:	from all fwmark 0x200 lookup 1100 
32766:	from all lookup main 
32767:	from all lookup default 

# ip r s table all

default via server_1.1 dev eth0 table 1100 
0.0.0.0/1 via 10.10.0.5 dev tun1 
default via server_1.1 dev eth0 onlink 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.10.0.0/24 via 10.10.0.5 dev tun1 
10.10.0.1 via 10.10.0.5 dev tun1 
10.10.0.5 dev tun1 proto kernel scope link src 10.10.0.6 
server_2 via server_1.1 dev eth0 
128.0.0.0/1 via 10.10.0.5 dev tun1 
server_1.0/24 dev eth0 proto kernel scope link src server_1 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
local 10.10.0.6 dev tun1 table local proto kernel scope host src 10.10.0.6 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast server_1.0 dev eth0 table local proto kernel scope link src server_1 
local server_1 dev eth0 table local proto kernel scope host src server_1 
broadcast server_1.255 dev eth0 table local proto kernel scope link src server_1 
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun1 table local proto kernel metric 0 pref medium
local fe80::3bf4:223d:f231:2018 dev tun1 table local proto kernel metric 0 pref medium
local fe80::5054:ff:fefc:3bb1 dev eth0 table local proto kernel metric 0 pref medium
local fe80::9c27:db35:4531:1b99 dev tun0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun1 table local proto kernel metric 256 pref medium

ecspl01t
() topic author
Reply to: comment by ecspl01t

Today I switched to Ubuntu on the client machine and tried to connect; it turns out there are more logs here than on Windows:

Mon Aug  9 08:56:56 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:56:57 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:56:59 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:57:01 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:57:04 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:57:10 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:57:12 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:57:26 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:57:28 2021 TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Aug  9 08:57:56 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug  9 08:57:56 2021 TLS Error: TLS handshake failed

After adding --float, the client connected, but without internet.

Logs from server_1:

Sun Aug  1 10:49:06 2021 us=63789 client1VPN/client_ip:11519 MULTI: bad source address from client [192.168.0.129], packet dropped
Sun Aug  1 10:49:06 2021 us=974853 client1VPN/client_ip:11519 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00011111112222333334455555555666677777777778888888>>>>>>>>>>>>] 0:99 0:98 t=1627807746[0] r=[-1,64,15,1,1] sl=[29,64,64,528]
Sun Aug  1 10:49:06 2021 us=974919 client1VPN/client_ip:11519 MULTI: bad source address from client [192.168.0.129], packet dropped
Sun Aug  1 10:49:06 2021 us=977681 client1VPN/client_ip:11519 MULTI: bad source address from client [192.168.0.129], packet dropped
Sun Aug  1 10:49:07 2021 us=34601 client_ip:11466 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Aug  1 10:49:07 2021 us=34641 client_ip:11466 TLS Error: TLS handshake failed
Sun Aug  1 10:49:07 2021 us=34777 client_ip:11466 SIGUSR1[soft,tls-error] received, client-instance restarting
RSun Aug  1 10:49:07 2021 us=113635 client1VPN/client_ip:11519 MULTI: bad source address from client [192.168.0.129], packet dropped
RSun Aug  1 10:49:09 2021 us=40995 client1VPN/client_ip:11519 MULTI: bad source address from client [192.168.0.129], packet dropped
RSun Aug  1 10:49:09 2021 us=549999 client1VPN/client_ip:11519 MULTI: bad source address from client [192.168.0.129], packet dropped

client local ip wlo1: 192.168.0.129

ecspl01t
() topic author
Last edited by: ecspl01t (1 edit total)
Reply to: comment by anc

It got better, internet partially works. Telegram works, Viber doesn't. Same with sites: 2ip.ru - no, google - yes, speedtest.net - no, linux.org.ru - yes

ecspl01t
() topic author
Reply to: comment by ecspl01t

And this connection only works with the float parameter; without it there is an error:

TCP/UDP: Incoming packet rejected from [AF_INET]server_2:1194[2], expected peer address: [AF_INET]server_1:1194 (allow this incoming source address/port by removing --remote or adding --float)

ecspl01t
() topic author
Reply to: comment by anc

Thank you! On Linux everything works great. There are only strange logs on the server (it throws logs like these every second):

RMon Aug  2 16:28:12 2021 us=203036 v1_client1/client_ip:11502 MULTI: bad source address from client [192.168.0.129(client_local_ip)], packet dropped
RMon Aug  2 16:28:12 2021 us=293464 v1_client1/client_ip:11502 MULTI: bad source address from client [192.168.0.129(client_local_ip)], packet dropped

Despite the "packet dropped" logs, everything works on Ubuntu.

I also tried to connect from Windows and Mac to server_1, but the problem is still present. server log:

Mon Aug  2 16:11:22 2021 us=697375 MULTI: multi_create_instance called
Mon Aug  2 16:11:22 2021 us=697528 client_ip:11410 Re-using SSL/TLS context
Mon Aug  2 16:11:22 2021 us=697700 client_ip:11410 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Aug  2 16:11:22 2021 us=697724 client_ip:11410 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Aug  2 16:11:22 2021 us=697788 client_ip:11410 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Mon Aug  2 16:11:22 2021 us=697809 client_ip:11410 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 5000,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Mon Aug  2 16:11:22 2021 us=697856 client_ip:11410 TLS: Initial packet from [AF_INET]client_ip:11410, sid=1a5b3e02 e4a76226
Mon Aug  2 16:12:22 2021 us=923827 client_ip:11410 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug  2 16:12:22 2021 us=923964 client_ip:11410 TLS Error: TLS handshake failed
Mon Aug  2 16:12:22 2021 us=924109 client_ip:11410 SIGUSR1[soft,tls-error] received, client-instance restarting

ecspl01t
() topic author
Reply to: comment by ecspl01t

client windows log part 1:

2021-08-10 14:51:01 NOTE: --user option is not implemented on Windows
2021-08-10 14:51:01 NOTE: --group option is not implemented on Windows
2021-08-10 14:51:01 us=490793 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-08-10 14:51:01 us=491636 Current Parameter Settings:
2021-08-10 14:51:01 us=491636   config = 'client1.ovpn'
2021-08-10 14:51:01 us=491636   mode = 0
2021-08-10 14:51:01 us=491636   show_ciphers = DISABLED
2021-08-10 14:51:01 us=491636   show_digests = DISABLED
2021-08-10 14:51:01 us=491636   show_engines = DISABLED
2021-08-10 14:51:01 us=491636   genkey = DISABLED
2021-08-10 14:51:01 us=491636   genkey_filename = '[UNDEF]'
2021-08-10 14:51:01 us=491636   key_pass_file = '[UNDEF]'
2021-08-10 14:51:01 us=491636   show_tls_ciphers = DISABLED
2021-08-10 14:51:01 us=491636   connect_retry_max = 0
2021-08-10 14:51:01 us=491636 Connection profiles [0]:
2021-08-10 14:51:01 us=491636   proto = udp
2021-08-10 14:51:01 us=491636   local = '[UNDEF]'
2021-08-10 14:51:01 us=491636   local_port = '[UNDEF]'
2021-08-10 14:51:01 us=491636   remote = 'server_1'
2021-08-10 14:51:01 us=491636   remote_port = '1194'
2021-08-10 14:51:01 us=491636   remote_float = ENABLED
2021-08-10 14:51:01 us=491636   bind_defined = DISABLED
2021-08-10 14:51:01 us=491636   bind_local = DISABLED
2021-08-10 14:51:01 us=491636   bind_ipv6_only = DISABLED
2021-08-10 14:51:01 us=491636   connect_retry_seconds = 5
2021-08-10 14:51:01 us=491636   connect_timeout = 120
2021-08-10 14:51:01 us=491636   socks_proxy_server = '[UNDEF]'
2021-08-10 14:51:01 us=491636   socks_proxy_port = '[UNDEF]'
2021-08-10 14:51:01 us=491636   tun_mtu = 1500
2021-08-10 14:51:01 us=491636   tun_mtu_defined = ENABLED
2021-08-10 14:51:01 us=491636   link_mtu = 1500
2021-08-10 14:51:01 us=491636   link_mtu_defined = DISABLED
2021-08-10 14:51:01 us=491636   tun_mtu_extra = 0
2021-08-10 14:51:01 us=491636   tun_mtu_extra_defined = DISABLED
2021-08-10 14:51:01 us=491636   mtu_discover_type = -1
2021-08-10 14:51:01 us=491636   fragment = 0
2021-08-10 14:51:01 us=491636   mssfix = 0
2021-08-10 14:51:01 us=491636   explicit_exit_notification = 0
2021-08-10 14:51:01 us=491636   tls_auth_file = ''
2021-08-10 14:51:01 us=491636   key_direction = 1
2021-08-10 14:51:01 us=491636   tls_crypt_file = '[UNDEF]'
2021-08-10 14:51:01 us=491636   tls_crypt_v2_file = '[UNDEF]'
2021-08-10 14:51:01 us=491636 Connection profiles END
2021-08-10 14:51:01 us=491636   remote_random = DISABLED
2021-08-10 14:51:01 us=491636   ipchange = '[UNDEF]'
2021-08-10 14:51:01 us=491636   dev = 'tun'
2021-08-10 14:51:01 us=491636   dev_type = '[UNDEF]'
2021-08-10 14:51:01 us=491636   dev_node = '[UNDEF]'
2021-08-10 14:51:01 us=491636   lladdr = '[UNDEF]'
2021-08-10 14:51:01 us=491636   topology = 1
2021-08-10 14:51:01 us=491636   ifconfig_local = '[UNDEF]'
2021-08-10 14:51:01 us=491636   ifconfig_remote_netmask = '[UNDEF]'
2021-08-10 14:51:01 us=491636   ifconfig_noexec = DISABLED
2021-08-10 14:51:01 us=491636   ifconfig_nowarn = DISABLED
2021-08-10 14:51:01 us=491636   ifconfig_ipv6_local = '[UNDEF]'
2021-08-10 14:51:01 us=491636   ifconfig_ipv6_netbits = 0
2021-08-10 14:51:01 us=491636   ifconfig_ipv6_remote = '[UNDEF]'
2021-08-10 14:51:01 us=491636   shaper = 0
2021-08-10 14:51:01 us=491636   mtu_test = 0
2021-08-10 14:51:01 us=491636   mlock = DISABLED

ecspl01t
() topic starter
Reply to: comment by ecspl01t

part 2:

2021-08-10 14:51:01 us=491636   keepalive_ping = 0
2021-08-10 14:51:01 us=491636   keepalive_timeout = 0
2021-08-10 14:51:01 us=491636   inactivity_timeout = 0
2021-08-10 14:51:01 us=491636   ping_send_timeout = 0
2021-08-10 14:51:01 us=491636   ping_rec_timeout = 0
2021-08-10 14:51:01 us=491636   ping_rec_timeout_action = 0
2021-08-10 14:51:01 us=491636   ping_timer_remote = DISABLED
2021-08-10 14:51:01 us=491636   remap_sigusr1 = 0
2021-08-10 14:51:01 us=491636   persist_tun = ENABLED
2021-08-10 14:51:01 us=491636   persist_local_ip = DISABLED
2021-08-10 14:51:01 us=491636   persist_remote_ip = DISABLED
2021-08-10 14:51:01 us=491636   persist_key = ENABLED
2021-08-10 14:51:01 us=491636   passtos = DISABLED
2021-08-10 14:51:01 us=491636   resolve_retry_seconds = 1000000000
2021-08-10 14:51:01 us=491636   resolve_in_advance = DISABLED
2021-08-10 14:51:01 us=491636   username = '[UNDEF]'
2021-08-10 14:51:01 us=491636   groupname = '[UNDEF]'
2021-08-10 14:51:01 us=491636   chroot_dir = '[UNDEF]'
2021-08-10 14:51:01 us=491636   cd_dir = '[UNDEF]'
2021-08-10 14:51:01 us=491636   writepid = '[UNDEF]'
2021-08-10 14:51:01 us=491636   up_script = '[UNDEF]'
2021-08-10 14:51:01 us=491636   down_script = '[UNDEF]'
2021-08-10 14:51:01 us=491636   down_pre = DISABLED
2021-08-10 14:51:01 us=491636   up_restart = DISABLED
2021-08-10 14:51:01 us=491636   up_delay = DISABLED
2021-08-10 14:51:01 us=491636   daemon = DISABLED
2021-08-10 14:51:01 us=491636   inetd = 0
2021-08-10 14:51:01 us=491636   log = ENABLED
2021-08-10 14:51:01 us=491636   suppress_timestamps = DISABLED
2021-08-10 14:51:01 us=491636   machine_readable_output = DISABLED
2021-08-10 14:51:01 us=491636   nice = 0
2021-08-10 14:51:01 us=491636   verbosity = 4
2021-08-10 14:51:01 us=491636   mute = 0
2021-08-10 14:51:01 us=491636   gremlin = 0
2021-08-10 14:51:01 us=491636   status_file = '[UNDEF]'
2021-08-10 14:51:01 us=491636   status_file_version = 1
2021-08-10 14:51:01 us=491636   status_file_update_freq = 60
2021-08-10 14:51:01 us=491636   occ = ENABLED
2021-08-10 14:51:01 us=491636   rcvbuf = 0
2021-08-10 14:51:01 us=491636   sndbuf = 0
2021-08-10 14:51:01 us=492633   sockflags = 0
2021-08-10 14:51:01 us=492633   fast_io = DISABLED
2021-08-10 14:51:01 us=492633   comp.alg = 0
2021-08-10 14:51:01 us=492633   comp.flags = 0
2021-08-10 14:51:01 us=492633   route_script = '[UNDEF]'
2021-08-10 14:51:01 us=492633   route_default_gateway = '[UNDEF]'
2021-08-10 14:51:01 us=492633   route_default_metric = 0
2021-08-10 14:51:01 us=492633   route_noexec = DISABLED
2021-08-10 14:51:01 us=492633   route_delay = 2
2021-08-10 14:51:01 us=492633   route_delay_window = 30
2021-08-10 14:51:01 us=492633   route_delay_defined = ENABLED
2021-08-10 14:51:01 us=492633   route_nopull = DISABLED
2021-08-10 14:51:01 us=492633   route_gateway_via_dhcp = DISABLED
2021-08-10 14:51:01 us=492633   allow_pull_fqdn = DISABLED
2021-08-10 14:51:01 us=492633   Pull filters:
2021-08-10 14:51:01 us=492633     ignore "route-method"
2021-08-10 14:51:01 us=492633   management_addr = '127.0.0.1'
2021-08-10 14:51:01 us=492633   management_port = '25340'
2021-08-10 14:51:01 us=492633   management_user_pass = 'stdin'
2021-08-10 14:51:01 us=492633   management_log_history_cache = 250
2021-08-10 14:51:01 us=492633   management_echo_buffer_size = 100
2021-08-10 14:51:01 us=492633   management_write_peer_info_file = '[UNDEF]'
2021-08-10 14:51:01 us=492633   management_client_user = '[UNDEF]'
2021-08-10 14:51:01 us=492633   management_client_group = '[UNDEF]'
2021-08-10 14:51:01 us=492633   management_flags = 6
2021-08-10 14:51:01 us=492633   shared_secret_file = '[UNDEF]'
2021-08-10 14:51:01 us=492633   key_direction = 1
2021-08-10 14:51:01 us=492633   ciphername = 'AES-256-CBC'
2021-08-10 14:51:01 us=492633   ncp_enabled = ENABLED
2021-08-10 14:51:01 us=492633   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2021-08-10 14:51:01 us=492633   authname = 'SHA256'
2021-08-10 14:51:01 us=492633   prng_hash = 'SHA1'
2021-08-10 14:51:01 us=492633   prng_nonce_secret_len = 16
2021-08-10 14:51:01 us=492633   keysize = 0
2021-08-10 14:51:01 us=492633   engine = DISABLED
2021-08-10 14:51:01 us=492633   replay = ENABLED
2021-08-10 14:51:01 us=492633   mute_replay_warnings = DISABLED
2021-08-10 14:51:01 us=492633   replay_window = 64
2021-08-10 14:51:01 us=492633   replay_time = 15
2021-08-10 14:51:01 us=492633   packet_id_file = '[UNDEF]'
2021-08-10 14:51:01 us=492633   test_crypto = DISABLED
2021-08-10 14:51:01 us=492633   tls_server = DISABLED
2021-08-10 14:51:01 us=492633   tls_client = ENABLED
2021-08-10 14:51:01 us=492633   ca_file = ''
2021-08-10 14:51:01 us=492633   ca_path = '[UNDEF]'
2021-08-10 14:51:01 us=492633   dh_file = '[UNDEF]'
2021-08-10 14:51:01 us=492633   cert_file = ''
2021-08-10 14:51:01 us=492633   extra_certs_file = '[UNDEF]'
2021-08-10 14:51:01 us=492633   priv_key_file = ''
2021-08-10 14:51:01 us=492633   pkcs12_file = '[UNDEF]'
2021-08-10 14:51:01 us=492633   cryptoapi_cert = '[UNDEF]'
2021-08-10 14:51:01 us=492633   cipher_list = '[UNDEF]'
2021-08-10 14:51:01 us=492633   cipher_list_tls13 = '[UNDEF]'
2021-08-10 14:51:01 us=492633   tls_cert_profile = '[UNDEF]'
2021-08-10 14:51:01 us=492633   tls_verify = '[UNDEF]'
2021-08-10 14:51:01 us=492633   tls_export_cert = '[UNDEF]'
2021-08-10 14:51:01 us=492633   verify_x509_type = 0
2021-08-10 14:51:01 us=492633   verify_x509_name = '[UNDEF]'
2021-08-10 14:51:01 us=492633   crl_file = '[UNDEF]'
2021-08-10 14:51:01 us=492633   ns_cert_type = 0

ecspl01t
() topic starter
Reply to: comment by ecspl01t

part 3

2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 65535
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_ku[i] = 0
2021-08-10 14:51:01 us=492633   remote_cert_eku = 'TLS Web Server Authentication'
2021-08-10 14:51:01 us=492633   ssl_flags = 0
2021-08-10 14:51:01 us=492633   tls_timeout = 2
2021-08-10 14:51:01 us=492633   renegotiate_bytes = -1
2021-08-10 14:51:01 us=492633   renegotiate_packets = 0
2021-08-10 14:51:01 us=492633   renegotiate_seconds = 3600
2021-08-10 14:51:01 us=492633   handshake_window = 60
2021-08-10 14:51:01 us=492633   transition_window = 3600
2021-08-10 14:51:01 us=492633   single_session = DISABLED
2021-08-10 14:51:01 us=492633   push_peer_info = DISABLED
2021-08-10 14:51:01 us=492633   tls_exit = DISABLED
2021-08-10 14:51:01 us=492633   tls_crypt_v2_metadata = '[UNDEF]'
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_protected_authentication = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_private_mode = 00000000
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_cert_private = DISABLED
2021-08-10 14:51:01 us=492633   pkcs11_pin_cache_period = -1
2021-08-10 14:51:01 us=492633   pkcs11_id = '[UNDEF]'
2021-08-10 14:51:01 us=492633   pkcs11_id_management = DISABLED

ecspl01t
() topic starter
Reply to: comment by ecspl01t

part 4

2021-08-10 14:51:01 us=492633   server_network = 0.0.0.0
2021-08-10 14:51:01 us=492633   server_netmask = 0.0.0.0
2021-08-10 14:51:01 us=492633   server_network_ipv6 = ::
2021-08-10 14:51:01 us=492633   server_netbits_ipv6 = 0
2021-08-10 14:51:01 us=492633   server_bridge_ip = 0.0.0.0
2021-08-10 14:51:01 us=492633   server_bridge_netmask = 0.0.0.0
2021-08-10 14:51:01 us=492633   server_bridge_pool_start = 0.0.0.0
2021-08-10 14:51:01 us=492633   server_bridge_pool_end = 0.0.0.0
2021-08-10 14:51:01 us=492633   ifconfig_pool_defined = DISABLED
2021-08-10 14:51:01 us=492633   ifconfig_pool_start = 0.0.0.0
2021-08-10 14:51:01 us=492633   ifconfig_pool_end = 0.0.0.0
2021-08-10 14:51:01 us=492633   ifconfig_pool_netmask = 0.0.0.0
2021-08-10 14:51:01 us=492633   ifconfig_pool_persist_filename = '[UNDEF]'
2021-08-10 14:51:01 us=492633   ifconfig_pool_persist_refresh_freq = 600
2021-08-10 14:51:01 us=493630   ifconfig_ipv6_pool_defined = DISABLED
2021-08-10 14:51:01 us=493630   ifconfig_ipv6_pool_base = ::
2021-08-10 14:51:01 us=493630   ifconfig_ipv6_pool_netbits = 0
2021-08-10 14:51:01 us=493630   n_bcast_buf = 256
2021-08-10 14:51:01 us=493630   tcp_queue_limit = 64
2021-08-10 14:51:01 us=493630   real_hash_size = 256
2021-08-10 14:51:01 us=493630   virtual_hash_size = 256
2021-08-10 14:51:01 us=493630   client_connect_script = '[UNDEF]'
2021-08-10 14:51:01 us=493630   learn_address_script = '[UNDEF]'
2021-08-10 14:51:01 us=493630   client_disconnect_script = '[UNDEF]'
2021-08-10 14:51:01 us=493630   client_config_dir = '[UNDEF]'
2021-08-10 14:51:01 us=493630   ccd_exclusive = DISABLED
2021-08-10 14:51:01 us=493630   tmp_dir = 'C:\Temp\'
2021-08-10 14:51:01 us=493630   push_ifconfig_defined = DISABLED
2021-08-10 14:51:01 us=493630   push_ifconfig_local = 0.0.0.0
2021-08-10 14:51:01 us=493630   push_ifconfig_remote_netmask = 0.0.0.0
2021-08-10 14:51:01 us=493630   push_ifconfig_ipv6_defined = DISABLED
2021-08-10 14:51:01 us=493630   push_ifconfig_ipv6_local = ::/0
2021-08-10 14:51:01 us=493630   push_ifconfig_ipv6_remote = ::
2021-08-10 14:51:01 us=493630   enable_c2c = DISABLED
2021-08-10 14:51:01 us=493630   duplicate_cn = DISABLED
2021-08-10 14:51:01 us=493630   cf_max = 0
2021-08-10 14:51:01 us=493630   cf_per = 0
2021-08-10 14:51:01 us=493630   max_clients = 1024
2021-08-10 14:51:01 us=493630   max_routes_per_client = 256
2021-08-10 14:51:01 us=493630   auth_user_pass_verify_script = '[UNDEF]'
2021-08-10 14:51:01 us=493630   auth_user_pass_verify_script_via_file = DISABLED
2021-08-10 14:51:01 us=493630   auth_token_generate = DISABLED
2021-08-10 14:51:01 us=493630   auth_token_lifetime = 0
2021-08-10 14:51:01 us=493630   auth_token_secret_file = '[UNDEF]'
2021-08-10 14:51:01 us=493630   vlan_tagging = DISABLED
2021-08-10 14:51:01 us=493630   vlan_accept = all
2021-08-10 14:51:01 us=493630   vlan_pvid = 1
2021-08-10 14:51:01 us=493630   client = ENABLED
2021-08-10 14:51:01 us=493630   pull = ENABLED
2021-08-10 14:51:01 us=493630   auth_user_pass_file = '[UNDEF]'
2021-08-10 14:51:01 us=493630   show_net_up = DISABLED
2021-08-10 14:51:01 us=493630   route_method = 3
2021-08-10 14:51:01 us=493630   block_outside_dns = DISABLED
2021-08-10 14:51:01 us=493630   ip_win32_defined = DISABLED
2021-08-10 14:51:01 us=493630   ip_win32_type = 3
2021-08-10 14:51:01 us=493630   dhcp_masq_offset = 0
2021-08-10 14:51:01 us=493630   dhcp_lease_time = 31536000
2021-08-10 14:51:01 us=493630   tap_sleep = 0
2021-08-10 14:51:01 us=493630   dhcp_options = DISABLED
2021-08-10 14:51:01 us=493630   dhcp_renew = DISABLED
2021-08-10 14:51:01 us=493630   dhcp_pre_release = DISABLED
2021-08-10 14:51:01 us=493630   domain = '[UNDEF]'
2021-08-10 14:51:01 us=493630   netbios_scope = '[UNDEF]'
2021-08-10 14:51:01 us=493630   netbios_node_type = 0
2021-08-10 14:51:01 us=493630   disable_nbt = DISABLED
2021-08-10 14:51:01 us=493630 OpenVPN 2.5.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
2021-08-10 14:51:01 us=493630 Windows version 10.0 (Windows 10 or greater) 64bit
2021-08-10 14:51:01 us=493630 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Management Password:
2021-08-10 14:51:01 us=495034 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-08-10 14:51:01 us=495034 Need hold release from management interface, waiting...
2021-08-10 14:51:01 us=954739 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-08-10 14:51:02 us=56855 MANAGEMENT: CMD 'state on'
2021-08-10 14:51:02 us=57858 MANAGEMENT: CMD 'log all on'
2021-08-10 14:51:02 us=131917 MANAGEMENT: CMD 'echo all on'
2021-08-10 14:51:02 us=131917 MANAGEMENT: CMD 'bytecount 5'
2021-08-10 14:51:02 us=132938 MANAGEMENT: CMD 'hold off'
2021-08-10 14:51:02 us=133942 MANAGEMENT: CMD 'hold release'
2021-08-10 14:51:02 us=137978 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-08-10 14:51:02 us=137978 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-08-10 14:51:02 us=137978 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
2021-08-10 14:51:02 us=137978 Data Channel MTU parms [ L:1621 D:1621 EF:121 EB:406 ET:0 EL:3 ]
2021-08-10 14:51:02 us=137978 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-08-10 14:51:02 us=137978 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-08-10 14:51:02 us=137978 TCP/UDP: Preserving recently used remote address: [AF_INET]server_1:1194
2021-08-10 14:51:02 us=137978 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-08-10 14:51:02 us=137978 UDP link local: (not bound)
2021-08-10 14:51:02 us=137978 UDP link remote: [AF_INET]server_1:1194
2021-08-10 14:51:02 us=137978 MANAGEMENT: >STATE:1628599862,WAIT,,,,,,
2021-08-10 14:52:02 us=460466 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-08-10 14:52:02 us=460466 TLS Error: TLS handshake failed
2021-08-10 14:52:02 us=460466 TCP/UDP: Closing socket
2021-08-10 14:52:02 us=461457 SIGUSR1[soft,tls-error] received, process restarting

ecspl01t
() topic starter
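An added triage helper, not from the thread and not OpenVPN's own code: it reads a client log like the one above and distinguishes a handshake that got no reply at all (the case here: the WAIT state is followed by the 60-second timeout with no "TLS: Initial packet from" line in between) from one where the server did answer but the reply was rejected by tls-auth, or where the handshake started and then stalled. The three sample logs are constructed from the thread's lines, and the verdict names are my own.

```python
"""Triage an OpenVPN client log for a stalled TLS handshake.

Added example (not from the thread): it classifies why a client never
got past the WAIT state by checking which control-channel messages did
or did not appear before the handshake_window (60 s) expired.
"""
import re
from datetime import datetime

# Log lines as OpenVPN 2.5 prints them with --verb 4: timestamp, us=, message.
_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) us=(\d+) (.*)$")

# Constructed sample: the failing Windows client from the thread, trimmed
# to the lines that matter for the diagnosis.
FAILING_LOG = """\
2021-08-10 14:51:02 us=137978 UDP link local: (not bound)
2021-08-10 14:51:02 us=137978 UDP link remote: [AF_INET]server_1:1194
2021-08-10 14:51:02 us=137978 MANAGEMENT: >STATE:1628599862,WAIT,,,,,,
2021-08-10 14:52:02 us=460466 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-08-10 14:52:02 us=460466 TLS Error: TLS handshake failed
2021-08-10 14:52:02 us=460466 TCP/UDP: Closing socket
2021-08-10 14:52:02 us=461457 SIGUSR1[soft,tls-error] received, process restarting
"""

# Constructed sample of a handshake that completes (same shape as the
# successful vpn_1 -> vpn_2 log at the top of the thread).
WORKING_LOG = """\
2021-08-10 14:51:02 us=137978 UDP link remote: [AF_INET]server_1:1194
2021-08-10 14:51:02 us=200000 TLS: Initial packet from [AF_INET]server_1:1194, sid=9ddc72fa ddd275ca
2021-08-10 14:51:02 us=300000 VERIFY OK: depth=1, CN=Easy-RSA CA
2021-08-10 14:51:02 us=400000 VERIFY OK: depth=0, CN=server
2021-08-10 14:51:03 us=100000 [server] Peer Connection Initiated with [AF_INET]server_1:1194
"""

# Constructed sample: the server replies, but with a tls-auth key the
# client does not accept (wrong key or wrong key-direction on one side).
HMAC_LOG = """\
2021-08-10 14:51:02 us=137978 UDP link remote: [AF_INET]server_1:1194
2021-08-10 14:51:02 us=200000 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]server_1:1194
2021-08-10 14:52:02 us=460466 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""


def parse_line(line):
    """Return (timestamp, message) for one verb-4 log line, or None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(microsecond=int(m.group(2)))
    return ts, m.group(3)


def triage(log_text):
    """Classify the outcome of one connection attempt."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    link_up = next((t for t, msg in events if msg.startswith("UDP link remote:")), None)
    initial = any("TLS: Initial packet from" in msg for _, msg in events)
    hmac_bad = any("cannot locate HMAC" in msg or "HMAC authentication failed" in msg
                   for _, msg in events)
    connected = any("Peer Connection Initiated" in msg for _, msg in events)
    timeout = next((t for t, msg in events
                    if "TLS key negotiation failed to occur" in msg), None)
    waited = (timeout - link_up).total_seconds() if link_up and timeout else None

    if connected:
        verdict = "connected"
    elif hmac_bad:
        verdict = "reply_rejected_by_tls_auth"   # server answered, HMAC check failed
    elif timeout and not initial:
        verdict = "no_reply_from_server"         # nothing came back over UDP at all
    elif timeout:
        verdict = "handshake_started_but_stalled"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "initial_packet": initial, "seconds_waited": waited}


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG), ("hmac", HMAC_LOG)):
        print(name, triage(log))
```

On the thread's Windows log the verdict is no_reply_from_server: not a single control packet came back from server_1 in the 60 s window, which is what the "check your network connectivity" hint in the message means, and it rules out certificate and cipher problems as the first thing to look at. The next thing to confirm is therefore whether server_1 receives the client's UDP packets at all and where its replies are routed while its own tunnel to server_2 is up.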
Reply to: comment by anc

The same config works on Ubuntu, but not on the other systems.

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ecspl01t
() topic starter
Reply to: comment by ecspl01t

The same config works on Ubuntu, but not on the other systems.

How are the paths to the certs etc. written in your config, full path or not? For a start, try writing out the full paths.

anc ★★★★★
()
Reply to: comment by ecspl01t

The problem is present only when server_1 is connected to server_2, for Windows

Couldn't parse that. Please explain.

anc ★★★★★
()
Reply to: comment by anc

The problem with the client connecting to server_1 exists only when server_1 is connected to server_2. The Windows client cannot connect to the VPN. As soon as I drop the connection between the servers, the client automatically connects to server_1.

ecspl01t
() topic starter
Reply to: comment by anc

How are the paths to the certs etc. written in your config, full path or not? For a start, try writing out the full paths.

Do you mean the certificates in the config? If so, the certificates are embedded in the config file itself.

ecspl01t
() topic starter
Reply to: comment by ecspl01t

Just to be sure: when you test, are server_1 and the client by any chance on the same LAN?

anc ★★★★★
()
Reply to: comment by anc

No, everything is on different networks. The servers have dedicated IPs on different networks, and the client goes out through a router on an ordinary home ISP.

The client connects to the individual servers without any problems (when there is no connection between server_1 and server_2).

ecspl01t
() topic starter
Last edited: ecspl01t (total edits: 1)
Reply to: comment by ecspl01t

What bothers me is this:
--cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM)
Are your openssl and openvpn versions very different between the offtopic (Windows) and ontopic (Linux) systems?

anc ★★★★★
()
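To make the point about the cipher warning concrete, here is an added example (not from the thread and not OpenVPN's own code) of how OpenVPN 2.5 derives the advertised data-cipher list from --cipher and --data-ciphers, which is the rule behind the warning quoted above, and how a server then picks one cipher from what the client advertises. The server-side list used in the usage section is an assumption: the 2.4 default ncp-ciphers AES-256-GCM:AES-128-GCM, matching the Debian 10 server (OpenVPN 2.4.7) at the top of the thread. The parameter-dump sample is constructed from the client's own dump above.

```python
"""Check OpenVPN 2.5 data-channel cipher negotiation between two peers.

Added example (not from the thread): reproduces the rule behind the
DEPRECATED OPTION warning and tests whether a client and a server still
share at least one data cipher.
"""
import re

# Constructed sample: the relevant lines from the client's
# "Current Parameter Settings" dump in the thread.
PARAMETER_DUMP = """\
2021-08-10 14:51:01 us=492633   ciphername = 'AES-256-CBC'
2021-08-10 14:51:01 us=492633   ncp_enabled = ENABLED
2021-08-10 14:51:01 us=492633   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
"""


def from_parameter_dump(text):
    """Extract (--cipher, effective --data-ciphers) from a verb-4 dump."""
    cipher = re.search(r"ciphername = '([^']*)'", text)
    ncp = re.search(r"ncp_ciphers = '([^']*)'", text)
    return (cipher.group(1) if cipher else None,
            ncp.group(1) if ncp else None)


def effective_data_ciphers(data_ciphers, cipher=None):
    """Return (effective list, warning) the way OpenVPN 2.5 derives it.

    In 2.5 the --cipher value is appended to --data-ciphers when it is
    not already listed, and a deprecation warning is printed.  The
    thread's log shows exactly that: the warning at startup, then
    ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC' in the dump.
    """
    ciphers = [c.strip().upper() for c in data_ciphers.split(":") if c.strip()]
    warning = None
    if cipher:
        cipher = cipher.strip().upper()
        if cipher not in ciphers:
            ciphers.append(cipher)
            warning = (f"--cipher set to '{cipher}' but missing in --data-ciphers "
                       f"({data_ciphers}); add it to --data-ciphers or use "
                       f"--data-ciphers-fallback '{cipher}'")
    return ciphers, warning


def negotiate(client_ciphers, server_ciphers):
    """Pick the first server-preferred cipher the client also advertises.

    The server walks its own list in order and takes the first entry the
    client announced (via IV_CIPHERS); None means no common cipher.
    """
    client = set(client_ciphers)
    for c in server_ciphers:
        if c in client:
            return c
    return None


if __name__ == "__main__":
    # Windows client: OpenVPN 2.5.3 with the config from the thread.
    client, warning = effective_data_ciphers("AES-256-GCM:AES-128-GCM", "AES-256-CBC")
    print("client advertises:", client)
    print("startup warning:", warning)
    # Assumed Debian 10 server (OpenVPN 2.4.7) with the 2.4 default list.
    server = ["AES-256-GCM", "AES-128-GCM"]
    print("negotiated:", negotiate(client, server))
    print("dump says:", from_parameter_dump(PARAMETER_DUMP))
```

The dump in the thread already shows the appended list, so the warning by itself does not explain the failure: the client still shares AES-256-GCM with a 2.4 server. The check only becomes decisive when negotiate() returns None, for instance a server restricted to a cipher the client never advertises.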
Reply to: comment by anc

What bothers me is this

Hello, hello, chubby-faced @anc ;) /joke/
Don't be bothered, it's just an echo …

Vladimir

anonymous
()
Reply to: comment by anc

Everything is the same.

And separately it does work. The Windows client can connect to server_1 or server_2.

Do you have any ideas?

ecspl01t
() topic starter
Last edited: ecspl01t (total edits: 1)
Reply to: comment by ecspl01t

Just in case, let me summarize the current situation:
1. It works on any other system except Windows.
2. The situation occurs only on Windows. A clarifying question here: on any Windows machine, or this specific one?
3. If the tunnel between server1 and server2 is torn down, it starts working on this Windows box too.
4. The Windows box, like the other clients, is "somewhere on the internet".
5. Server1 and Server2 have not been rebooted since 09.08.21 09:54:08.

anc ★★★★★
()
Reply to: comment by anc

I found the manual I need, based on the first manual; maybe I should reset the servers and try again, only following a proper manual this time: https://gist.github.com/gushmazuko/a74debe24bcabb0bbedf5695cb703a12 ?

In that manual you can already see there is a difference between the configs, and in mine there is none. Maybe that's why there are various connection problems and the Bad packet log entries..

ecspl01t
() topic starter
Last edited: ecspl01t (total edits: 1)