keine Verbindung mit OpenVPN

[inschenjoer]

Hallo,

ich bekomme OpenVPN einfach nicht zum Laufen. Meine Vermutung ist die AVM-Firewall, obwohl ich eigentlich die nötige Einstellung gemacht habe:

forwardrules =
    "tcp 0.0.0.0:21 192.168.2.24:21 0 # FTP-Server",
    "tcp 0.0.0.0:25 192.168.2.22:25 0 # SMTP-Server",
    "tcp 0.0.0.0:4662 192.168.2.24:4662 0 # ED2K-Server TCP",
    "udp 0.0.0.0:4662 192.168.2.24:4662 0 # ED2K-Server UDP",
    "tcp 0.0.0.0:22 192.168.2.21:22 0 # SSH-Server",
    "tcp 0.0.0.0:80 192.168.2.27:80 0 # HTTP-Server",
    "udp 0.0.0.0:1194 0.0.0.0:1194 0 # OpenVPN-Server";

ALso in der letzten Zeile wird doch eindeutig der Port 1194 udp freigegeben.

Hier mal die aktuelle OpenVPN.conf:

#  OpenVPN 2.1 Config, Wed Mar  4 07:35:32 CET 2009
proto udp
dev tap
secret /tmp/flash/static.key
port 1194
ifconfig 192.168.2.199 255.255.255.0
push "route-gateway 192.168.2.199"
push "route 192.168.178.0 255.255.255.0"
max-clients 1
tun-mtu 1500
mssfix
log /var/tmp/debug_openvpn.out
verb 3
daemon
cipher BF-CBC
comp-lzo
keepalive 10 120

Der OpenVPN-Server läuft. Ein Portscan vom internen Netz ist wenig aussagekräftig:

scrooge:~# nmap -sU -p 1194 fritz.box

Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-04 07:46 CET
Interesting ports on fritz.fonwlan.box (192.168.2.100):
PORT     STATE         SERVICE
1194/udp open|filtered unknown
MAC Address: 00:1F:3F:40:3E:C1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.488 seconds

Und der Client gibt folgendes aus:

Wed Mar 04 07:44:04 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 04 07:44:04 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 04 07:44:04 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 04 07:44:04 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 04 07:44:04 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 04 07:44:04 2009 TAP-WIN32 device [LAN-Verbindung 3] opened: \\.\Global\{BBF5E19B-A571-4E87-9C3B-97407BA2EA56}.tap
Wed Mar 04 07:44:04 2009 TAP-Win32 Driver Version 8.4 
Wed Mar 04 07:44:04 2009 TAP-Win32 MTU=1500
Wed Mar 04 07:44:04 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.2/255.255.255.252 on interface {BBF5E19B-A571-4E87-9C3B-97407BA2EA56} [DHCP-serv: 192.168.200.1, lease-time: 31536000]
Wed Mar 04 07:44:04 2009 Successful ARP Flush on interface [3] {BBF5E19B-A571-4E87-9C3B-97407BA2EA56}
Wed Mar 04 07:44:05 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Wed Mar 04 07:44:05 2009 Local Options hash (VER=V4): '1db64539'
Wed Mar 04 07:44:05 2009 Expected Remote Options hash (VER=V4): '27d76c6d'
Wed Mar 04 07:44:05 2009 UDPv4 link local: [undef]
Wed Mar 04 07:44:05 2009 UDPv4 link remote: 88.73.201.223:1194
Wed Mar 04 07:46:04 2009 Inactivity timeout (--ping-restart), restarting
Wed Mar 04 07:46:04 2009 TCP/UDP: Closing socket
Wed Mar 04 07:46:04 2009 Closing TUN/TAP interface
Wed Mar 04 07:46:04 2009 SIGUSR1[soft,ping-restart] received, process restarting
Wed Mar 04 07:46:04 2009 Restart pause, 2 second(s)
Wed Mar 04 07:46:06 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 04 07:46:06 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 04 07:46:06 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 04 07:46:06 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 04 07:46:06 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 04 07:46:07 2009 TAP-WIN32 device [LAN-Verbindung 3] opened: \\.\Global\{BBF5E19B-A571-4E87-9C3B-97407BA2EA56}.tap
Wed Mar 04 07:46:07 2009 TAP-Win32 Driver Version 8.4 
Wed Mar 04 07:46:07 2009 TAP-Win32 MTU=1500
Wed Mar 04 07:46:07 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.2/255.255.255.252 on interface {BBF5E19B-A571-4E87-9C3B-97407BA2EA56} [DHCP-serv: 192.168.200.1, lease-time: 31536000]
Wed Mar 04 07:46:07 2009 Successful ARP Flush on interface [3] {BBF5E19B-A571-4E87-9C3B-97407BA2EA56}
Wed Mar 04 07:46:07 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Wed Mar 04 07:46:07 2009 Local Options hash (VER=V4): '1db64539'
Wed Mar 04 07:46:07 2009 Expected Remote Options hash (VER=V4): '27d76c6d'
Wed Mar 04 07:46:07 2009 UDPv4 link local: [undef]
Wed Mar 04 07:46:07 2009 UDPv4 link remote: 88.73.201.223:1194

Es scheint einfach keine Verbindung zustand zu kommen. Wahrscheinlich habe ich Tomaten auf den Augen.

Hat evtl. jemand ne Idee?

Viele Grüße
Sebastian

 

[itsmee]

Hi,

der Portscan auf die externe IP funktioniert auch, d.h. Du hast Port 1194 extern freigegeben? (Portscan auf frti.box - openvpn auf die ext. ip)

ItsMee

 

[MaxMuster]

Hast du, sofern die Einstellungen im Portforwarding über die FW-GUI gemacht wurden, auch "Regeln anwenden" angehakt bzw. die Box danach mal neu gestartet?

Wie sehen denn die Client-Config und das Server-Log aus?
Versuchst du den Zugriff von extern? Klappt es von "intern", also Client-Verbindung auf die LAN-IP?

Jörg

 

[inschenjoer]

Hallo,

also die Fritzbox hab ich neugestartet.

Ich hab es sowohl von intern als auch von extern probiert.

Serverlog:

Wed Mar  4 18:24:45 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar  4 18:24:45 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  4 18:24:45 2009 LZO compression initialized
Wed Mar  4 18:24:45 2009 TUN/TAP device tap0 opened
Wed Mar  4 18:24:45 2009 TUN/TAP TX queue length set to 100
Wed Mar  4 18:24:45 2009 /sbin/ifconfig tap0 192.168.2.199 netmask 255.255.255.0 mtu 1500 broadcast 192.168.2.255
Wed Mar  4 18:24:45 2009 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar  4 18:24:45 2009 Socket Buffers: R=[108544->131072] S=[108544->131072]
Wed Mar  4 18:24:45 2009 UDPv4 link local (bound): [undef]:1194
Wed Mar  4 18:24:45 2009 UDPv4 link remote: [undef]
Wed Mar  4 18:26:45 2009 Inactivity timeout (--ping-restart), restarting
Wed Mar  4 18:26:45 2009 TCP/UDP: Closing socket
Wed Mar  4 18:26:45 2009 Closing TUN/TAP interface
Wed Mar  4 18:26:45 2009 /sbin/ifconfig tap0 0.0.0.0
Wed Mar  4 18:26:45 2009 SIGUSR1[soft,ping-restart] received, process restarting
Wed Mar  4 18:26:45 2009 Restart pause, 2 second(s)
Wed Mar  4 18:26:47 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar  4 18:26:47 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar  4 18:26:47 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  4 18:26:47 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar  4 18:26:47 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  4 18:26:47 2009 LZO compression initialized
Wed Mar  4 18:26:47 2009 TUN/TAP device tap0 opened
Wed Mar  4 18:26:47 2009 TUN/TAP TX queue length set to 100
Wed Mar  4 18:26:47 2009 /sbin/ifconfig tap0 192.168.2.199 netmask 255.255.255.0 mtu 1500 broadcast 192.168.2.255
Wed Mar  4 18:26:47 2009 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar  4 18:26:47 2009 Socket Buffers: R=[108544->131072] S=[108544->131072]
Wed Mar  4 18:26:47 2009 UDPv4 link local (bound): [undef]:1194
Wed Mar  4 18:26:47 2009 UDPv4 link remote: [undef]

Clientconfig:

remote fritz.box
rport 1194
secret duckburg.secret
dev tap
comp-lzo
persist-tun
persist-key
ping-timer-rem
ping-restart 60
proto udp
tun-mtu 1500
fragment 1300
mssfix

Noch ne Idee?

Sebastian

 

[MaxMuster]

Wie war denn das Ergebnis, als du intern getestet hast???

Du musst auch dem Client-Interface noch eine IP geben, die zu der Server-IP passt.

Jörg