OpenVPN Konfiguracia

hurfo

Zdravim potreboval by som vyriesit problem s OpenVPN. Ak mozte poradte niekto kto sa vyzna. Potrebujem sa pripajat na firemnu siet z mobilneho internetu. Spojenie by mal zabezpecovat OpenVPN.
Server je umiestneny za routrom a ma staticku IP 192.192.192.1
vnutorna adresa serveru je 192.168.1.1
Na routri je presmerovany port 5555 na server
certifikat s nazvom skuska je umiestneny v C:\Program Files\OpenVPN\config
Kluc je rovnako v C:\Program Files\OpenVPN\config
ca certifikat neviem aky mam zadat program mi ziadny nevygeneroval resp neviem kde ho mam hladat. A neplanujem ho zadavat nejakej certifikacnej autorite.
Server je nastaveny takto:

Kód: Vybrať všetko

;local a.b.c.d

port 5555

proto tcp

;proto udp

;dev tap

dev tun

dev-node OpenVPN

ca config/skuska.crt

cert config/skuska.crt

key config/skuska.key

dh sample-keys/dh1024.pem # Tomuto nerozumiem co to je?

server 192.168.1.1.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;push "route 192.168.10.0 255.255.255.0"

;push "route 192.168.20.0 255.255.255.0"

;push "redirect-gateway"

;push "dhcp-option DNS 10.8.0.1"

;push "dhcp-option WINS 10.8.0.1"

client-to-client

;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 

cipher BF-CBC # Blowfish (default)

;cipher AES-128-CBC # AES

;cipher DES-EDE3-CBC # Triple-DES

comp-lzo

;max-clients 100

;user nobody

;group nobody

persist-key

persist-tun

status openvpn-status.log

;log openvpn.log

;log-append openvpn.log

verb 4

;mute 20

Klient je nastaveny takto

Kód: Vybrať všetko



dev tun

dev-node OpenVPN

proto tcp

;proto udp

remote 192.192.192.1 5555

;remote my-server-2 1194

;remote-random

resolv-retry infinite

nobind

;user nobody

;group nobody

persist-key

persist-tun

;http-proxy-retry 

;http-proxy [proxy server] [proxy port #]

mute-replay-warnings


ca config/skuska.crt

cert config/skuska.crt

key config/skuska.key

;ns-cert-type server

;tls-auth ta.key 1

;cipher x

comp-lzo

verb 4

;mute 20

deblasco

mas port forward? port 5555 je defaultne blokovany...
ca certifikat musis vygenerovat cez utilitu ktoru vyguglis v suvislosti s openvpn

/edit: postupoval si podla tohoto: http://openvpn.net/INSTALL-win32.html ci mas to na linuxe ? ? ?

hurfo

Len pre doplnenie ip som uviedo vymyslene aby sa to dalo dobre rozlisit.
Port 5555 je presmerovany na vnutornu IP servera.
Ak mas na mysli My Certificate Wizard tak v tom som vytvoril Certifikat.

Sakra sorrac zabudol som . Je to na Woknach , Server je Win 2003 server, klienti budu XP a Vista

deblasco

hurfo napísal:Len pre doplnenie ip som uviedo vymyslene aby sa to dalo dobre rozlisit.
Port 5555 je presmerovany na vnutornu IP servera.
Ak mas na mysli My Certificate Wizard tak v tom som vytvoril Certifikat.

Sakra sorrac zabudol som . Je to na Woknach , Server je Win 2003 server, klienti budu XP a Vista

toto je dobre z toho codu???

Kód: Vybrať všetko

server 192.168.1.1.255.255.0

a tiez na routri musis mat nastavene myslim pass through vpn autentification inak blokuje samotnu autentifikaciu... (alebo nieco obdobne, na linksys-e sa to tak vola)

hurfo

[quote="deblasco"]toto je dobre z toho codu???

Kód: Vybrať všetko

server 192.168.1.1.255.255.0

Tak to je v subore teda je to opisane spravne avsak rozmyslam ze maska je standardne 255.255.255.0. Pokial je to teda maska

pato83

Podla mojho skromneho nazoru je zle zapisane:

Kód: Vybrať všetko

server 192.168.1.1.255.255.0

malo by to byt skor takto:

Kód: Vybrať všetko

server 192.168.1.1 255.255.255.0

Urcite tam bola zle dana ta bodka a chybala ti tam riadne zadana maska. To mal asi na mysli deblasco .

hurfo

Odskusane varianty:
server 192.168.1.1.255.255.255.0
server 192.168.1.1 255.255.255.0
server 192.168.1.1. 255.255.255.0
Nefunguje ani jedna moznost problem je tym padom niekde inde.

deblasco

aky kod chyby ti hadze do logu? (openvpn logu)

hurfo

Kód: Vybrať všetko

Wed Nov 07 14:47:08 2007 us=163197 Current Parameter Settings:
Wed Nov 07 14:47:08 2007 us=163248   config = 'Klient.ovpn'
Wed Nov 07 14:47:08 2007 us=163259   mode = 0
Wed Nov 07 14:47:08 2007 us=163269   show_ciphers = DISABLED
Wed Nov 07 14:47:08 2007 us=163278   show_digests = DISABLED
Wed Nov 07 14:47:08 2007 us=163289   show_engines = DISABLED
Wed Nov 07 14:47:08 2007 us=163299   genkey = DISABLED
Wed Nov 07 14:47:08 2007 us=163309   key_pass_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163319   show_tls_ciphers = DISABLED
Wed Nov 07 14:47:08 2007 us=163329   proto = 0
Wed Nov 07 14:47:08 2007 us=163338   local = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163349   remote_list[0] = {'192.192.192.1', 5555}
Wed Nov 07 14:47:08 2007 us=163359   remote_random = DISABLED
Wed Nov 07 14:47:08 2007 us=163369   local_port = 1194
Wed Nov 07 14:47:08 2007 us=163379   remote_port = 1194
Wed Nov 07 14:47:08 2007 us=163389   remote_float = DISABLED
Wed Nov 07 14:47:08 2007 us=163399   ipchange = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163410   bind_local = DISABLED
Wed Nov 07 14:47:08 2007 us=163420   dev = 'tun'
Wed Nov 07 14:47:08 2007 us=163429   dev_type = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163440   dev_node = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163450   tun_ipv6 = DISABLED
Wed Nov 07 14:47:08 2007 us=163461   ifconfig_local = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163472   ifconfig_remote_netmask = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163482   ifconfig_noexec = DISABLED
Wed Nov 07 14:47:08 2007 us=163493   ifconfig_nowarn = DISABLED
Wed Nov 07 14:47:08 2007 us=163502   shaper = 0
Wed Nov 07 14:47:08 2007 us=163512   tun_mtu = 1500
Wed Nov 07 14:47:08 2007 us=163523   tun_mtu_defined = ENABLED
Wed Nov 07 14:47:08 2007 us=163533   link_mtu = 1500
Wed Nov 07 14:47:08 2007 us=163543   link_mtu_defined = DISABLED
Wed Nov 07 14:47:08 2007 us=163554   tun_mtu_extra = 0
Wed Nov 07 14:47:08 2007 us=163564   tun_mtu_extra_defined = DISABLED
Wed Nov 07 14:47:08 2007 us=163574   fragment = 0
Wed Nov 07 14:47:08 2007 us=163584   mtu_discover_type = -1
Wed Nov 07 14:47:08 2007 us=163594   mtu_test = 0
Wed Nov 07 14:47:08 2007 us=163604   mlock = DISABLED
Wed Nov 07 14:47:08 2007 us=163614   keepalive_ping = 0
Wed Nov 07 14:47:08 2007 us=163624   keepalive_timeout = 0
Wed Nov 07 14:47:08 2007 us=163634   inactivity_timeout = 0
Wed Nov 07 14:47:08 2007 us=163644   ping_send_timeout = 0
Wed Nov 07 14:47:08 2007 us=163655   ping_rec_timeout = 120
Wed Nov 07 14:47:08 2007 us=163665   ping_rec_timeout_action = 2
Wed Nov 07 14:47:08 2007 us=163675   ping_timer_remote = DISABLED
Wed Nov 07 14:47:08 2007 us=163685   remap_sigusr1 = 0
Wed Nov 07 14:47:08 2007 us=163696   explicit_exit_notification = 0
Wed Nov 07 14:47:08 2007 us=163706   persist_tun = ENABLED
Wed Nov 07 14:47:08 2007 us=163716   persist_local_ip = DISABLED
Wed Nov 07 14:47:08 2007 us=163727   persist_remote_ip = DISABLED
Wed Nov 07 14:47:08 2007 us=163737   persist_key = ENABLED
Wed Nov 07 14:47:08 2007 us=163747   mssfix = 1450
Wed Nov 07 14:47:08 2007 us=163758   resolve_retry_seconds = 1000000000
Wed Nov 07 14:47:08 2007 us=163769   connect_retry_seconds = 5
Wed Nov 07 14:47:08 2007 us=163779   username = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163789   groupname = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163799   chroot_dir = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163811   cd_dir = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163821   writepid = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163837   up_script = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163847   down_script = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=163857   down_pre = DISABLED
Wed Nov 07 14:47:08 2007 us=163875   up_restart = DISABLED
Wed Nov 07 14:47:08 2007 us=163886   up_delay = DISABLED
Wed Nov 07 14:47:08 2007 us=163896   daemon = DISABLED
Wed Nov 07 14:47:08 2007 us=163906   inetd = 0
Wed Nov 07 14:47:08 2007 us=163915   log = DISABLED
Wed Nov 07 14:47:08 2007 us=163926   suppress_timestamps = DISABLED
Wed Nov 07 14:47:08 2007 us=163935   nice = 0
Wed Nov 07 14:47:08 2007 us=163945   verbosity = 4
Wed Nov 07 14:47:08 2007 us=362375   mute = 0
Wed Nov 07 14:47:08 2007 us=362394   gremlin = 0
Wed Nov 07 14:47:08 2007 us=362403   status_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=362413   status_file_version = 1
Wed Nov 07 14:47:08 2007 us=362422   status_file_update_freq = 60
Wed Nov 07 14:47:08 2007 us=362431   occ = ENABLED
Wed Nov 07 14:47:08 2007 us=362440   rcvbuf = 0
Wed Nov 07 14:47:08 2007 us=362450   sndbuf = 0
Wed Nov 07 14:47:08 2007 us=362460   socks_proxy_server = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=362475   socks_proxy_port = 0
Wed Nov 07 14:47:08 2007 us=362484   socks_proxy_retry = DISABLED
Wed Nov 07 14:47:08 2007 us=362493   fast_io = DISABLED
Wed Nov 07 14:47:08 2007 us=362502   comp_lzo = ENABLED
Wed Nov 07 14:47:08 2007 us=362511   comp_lzo_adaptive = ENABLED
Wed Nov 07 14:47:08 2007 us=362520   route_script = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=362530   route_default_gateway = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=362539   route_noexec = DISABLED
Wed Nov 07 14:47:08 2007 us=373124   route_delay = 0
Wed Nov 07 14:47:08 2007 us=373142   route_delay_window = 30
Wed Nov 07 14:47:08 2007 us=373152   route_delay_defined = ENABLED
Wed Nov 07 14:47:08 2007 us=373161   management_addr = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=373171   management_port = 0
Wed Nov 07 14:47:08 2007 us=373180   management_user_pass = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=373191   management_log_history_cache = 250
Wed Nov 07 14:47:08 2007 us=373201   management_echo_buffer_size = 100
Wed Nov 07 14:47:08 2007 us=373211   management_query_passwords = DISABLED
Wed Nov 07 14:47:08 2007 us=373222   management_hold = DISABLED
Wed Nov 07 14:47:08 2007 us=373231   shared_secret_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=373241   key_direction = 0
Wed Nov 07 14:47:08 2007 us=373250   ciphername_defined = ENABLED
Wed Nov 07 14:47:08 2007 us=373260   ciphername = 'BF-CBC'
Wed Nov 07 14:47:08 2007 us=373269   authname_defined = ENABLED
Wed Nov 07 14:47:08 2007 us=391605   authname = 'SHA1'
Wed Nov 07 14:47:08 2007 us=391621   keysize = 0
Wed Nov 07 14:47:08 2007 us=391630   engine = DISABLED
Wed Nov 07 14:47:08 2007 us=391639   replay = ENABLED
Wed Nov 07 14:47:08 2007 us=391649   mute_replay_warnings = ENABLED
Wed Nov 07 14:47:08 2007 us=391658   replay_window = 64
Wed Nov 07 14:47:08 2007 us=391668   replay_time = 15
Wed Nov 07 14:47:08 2007 us=391677   packet_id_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=391686   use_iv = ENABLED
Wed Nov 07 14:47:08 2007 us=391695   test_crypto = DISABLED
Wed Nov 07 14:47:08 2007 us=391704   tls_server = DISABLED
Wed Nov 07 14:47:08 2007 us=391713   tls_client = ENABLED
Wed Nov 07 14:47:08 2007 us=391722   key_method = 2
Wed Nov 07 14:47:08 2007 us=391732   ca_file = 'config/skuska.crt'
Wed Nov 07 14:47:08 2007 us=391741   dh_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=391751   cert_file = 'config/skuska.crt'
Wed Nov 07 14:47:08 2007 us=411955   priv_key_file = 'config/skuska.key'
Wed Nov 07 14:47:08 2007 us=411973   pkcs12_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=411983   cryptoapi_cert = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=411992   cipher_list = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=412001   tls_verify = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=412010   tls_remote = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=412019   crl_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=412028   ns_cert_type = 0
Wed Nov 07 14:47:08 2007 us=412037   tls_timeout = 2
Wed Nov 07 14:47:08 2007 us=412045   renegotiate_bytes = 0
Wed Nov 07 14:47:08 2007 us=412054   renegotiate_packets = 0
Wed Nov 07 14:47:08 2007 us=412064   renegotiate_seconds = 3600
Wed Nov 07 14:47:08 2007 us=412073   handshake_window = 60
Wed Nov 07 14:47:08 2007 us=412082   transition_window = 3600
Wed Nov 07 14:47:08 2007 us=412091   single_session = DISABLED
Wed Nov 07 14:47:08 2007 us=435061   tls_exit = DISABLED
Wed Nov 07 14:47:08 2007 us=435079   tls_auth_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=435102   server_network = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435113   server_netmask = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435123   server_bridge_ip = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435133   server_bridge_netmask = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435143   server_bridge_pool_start = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435154   server_bridge_pool_end = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435163   ifconfig_pool_defined = DISABLED
Wed Nov 07 14:47:08 2007 us=435174   ifconfig_pool_start = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435184   ifconfig_pool_end = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435194   ifconfig_pool_netmask = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=435206   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=435217   ifconfig_pool_persist_refresh_freq = 600
Wed Nov 07 14:47:08 2007 us=435226   ifconfig_pool_linear = DISABLED
Wed Nov 07 14:47:08 2007 us=454885   n_bcast_buf = 256
Wed Nov 07 14:47:08 2007 us=454900   tcp_queue_limit = 64
Wed Nov 07 14:47:08 2007 us=454910   real_hash_size = 256
Wed Nov 07 14:47:08 2007 us=454919   virtual_hash_size = 256
Wed Nov 07 14:47:08 2007 us=454929   client_connect_script = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=454938   learn_address_script = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=454948   client_disconnect_script = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=454958   client_config_dir = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=454967   ccd_exclusive = DISABLED
Wed Nov 07 14:47:08 2007 us=454976   tmp_dir = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=454986   push_ifconfig_defined = DISABLED
Wed Nov 07 14:47:08 2007 us=454998   push_ifconfig_local = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=455008   push_ifconfig_remote_netmask = 0.0.0.0
Wed Nov 07 14:47:08 2007 us=455019   enable_c2c = DISABLED
Wed Nov 07 14:47:08 2007 us=455028   duplicate_cn = DISABLED
Wed Nov 07 14:47:08 2007 us=472796   cf_max = 0
Wed Nov 07 14:47:08 2007 us=472811   cf_per = 0
Wed Nov 07 14:47:08 2007 us=472820   max_clients = 1024
Wed Nov 07 14:47:08 2007 us=472830   max_routes_per_client = 256
Wed Nov 07 14:47:08 2007 us=472840   client_cert_not_required = DISABLED
Wed Nov 07 14:47:08 2007 us=472850   username_as_common_name = DISABLED
Wed Nov 07 14:47:08 2007 us=472860   auth_user_pass_verify_script = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=472871   auth_user_pass_verify_script_via_file = DISABLED
Wed Nov 07 14:47:08 2007 us=472881   client = ENABLED
Wed Nov 07 14:47:08 2007 us=472890   pull = ENABLED
Wed Nov 07 14:47:08 2007 us=472899   auth_user_pass_file = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=472912   show_net_up = DISABLED
Wed Nov 07 14:47:08 2007 us=472921   route_method = 0
Wed Nov 07 14:47:08 2007 us=472930   ip_win32_defined = DISABLED
Wed Nov 07 14:47:08 2007 us=472939   ip_win32_type = 3
Wed Nov 07 14:47:08 2007 us=472948   dhcp_masq_offset = 0
Wed Nov 07 14:47:08 2007 us=492633   dhcp_lease_time = 31536000
Wed Nov 07 14:47:08 2007 us=492647   tap_sleep = 0
Wed Nov 07 14:47:08 2007 us=492657   dhcp_options = DISABLED
Wed Nov 07 14:47:08 2007 us=492666   dhcp_renew = DISABLED
Wed Nov 07 14:47:08 2007 us=492675   dhcp_pre_release = DISABLED
Wed Nov 07 14:47:08 2007 us=492684   dhcp_release = DISABLED
Wed Nov 07 14:47:08 2007 us=492693   domain = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=492702   netbios_scope = '[UNDEF]'
Wed Nov 07 14:47:08 2007 us=492711   netbios_node_type = 0
Wed Nov 07 14:47:08 2007 us=492720   disable_nbt = DISABLED
Wed Nov 07 14:47:08 2007 us=492735 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Nov 07 14:47:08 2007 us=492857 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Nov 07 14:47:08 2007 us=492871 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov 07 14:47:08 2007 us=512987 Cannot load certificate file config/skuska.crt: error:02001003:system library:fopen:No such process: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Nov 07 14:47:08 2007 us=513005 Exiting

\\edit: Nerozumiem preco je tam uvedene ze local aj remote port je 1194
Zaroven doplnam ze certifikat aj kluc je umiestneny na oboch stranach rovnaky

\\edit 2: Akurat pozeram do priecinka a je tam subor skuska.req a nie skuska.crt z toho my plynie ze asi to nieje certifikat co som tam dal alebo ma iny format

deblasco

hurfo napísal:
\\edit: Nerozumiem preco je tam uvedene ze local aj remote port je 1194
Zaroven doplnam ze certifikat aj kluc je umiestneny na oboch stranach rovnaky

\\edit 2: Akurat pozeram do priecinka a je tam subor skuska.req a nie skuska.crt z toho my plynie ze asi to nieje certifikat co som tam dal alebo ma iny format

no na tom stroji sa skus telnetnut na port 5555 ak mas odpoved, pocuva to tam ak nie, nepocuva...
subor .req je iba request ktory musis spracovat/skompilovat a vystu dostanes myslim cer alebo dec, nepametam si... to je to co som ti vravel ze si nepametam ale musel som vyguglit command prompt utilitu ktora ten req subor "skompiluje" a vygeneruje ti normalny kluc ktory potom pouzijes...

strasne sa mi nechce to hladat, riesil som to asi tyzden

a teraz idem parit cod4

ale skus sa mi do ss ozvat