Hello,
I recently got a 7390 and built myself a Freetz DEV image (freetz-devel-6864M).
openvpn
> enable_small
> static
> with_lzo
Everything works fine so far except for OpenVPN. I used the same configuration as on my 7170.
Took the same box cert, static key, etc., but my client boxes simply won't connect.
At least I can't ping the gateway, nor the FritzBox on the client side.
In the AVM GUI, however, the gateways are shown as connected ????
I see no errors in the debug log. Comparing it with the debug log of the 7170, I didn't notice any differences either.
Maybe someone can help me find the error? Is the tunnel up? Is something wrong with the routing?
Debug
Code:
Tue Apr 26 12:25:30 2011 OpenVPN 2.1.1 mips-linux [SSL] [LZO2] [EPOLL] built on Apr 15 2010
Tue Apr 26 12:25:30 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 26 12:25:30 2011 Diffie-Hellman initialized with 1024 bit key
Tue Apr 26 12:25:30 2011 WARNING: file '/tmp/flash/openvpn/box.key' is group or others accessible
Tue Apr 26 12:25:30 2011 Control Channel Authentication: using '/tmp/flash/openvpn/static.key' as a OpenVPN static key file
Tue Apr 26 12:25:30 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 26 12:25:30 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 26 12:25:30 2011 TLS-Auth MTU parms [ L:1592 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Apr 26 12:25:30 2011 ROUTE: default_gateway=UNDEF
Tue Apr 26 12:25:30 2011 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Apr 26 12:25:30 2011 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.179.0
Tue Apr 26 12:25:31 2011 TUN/TAP device tap0 opened
Tue Apr 26 12:25:31 2011 TUN/TAP TX queue length set to 100
Tue Apr 26 12:25:31 2011 /sbin/ifconfig tap0 192.168.179.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.179.255
Tue Apr 26 12:25:31 2011 /sbin/route add -net 192.168.177.0 netmask 255.255.255.0 gw 192.168.179.241
route: SIOCADDRT: File exists
Tue Apr 26 12:25:31 2011 ERROR: Linux route add command failed: external program exited with error status: 1
Tue Apr 26 12:25:31 2011 /sbin/route add -net 192.168.178.0 netmask 255.255.255.0 gw 192.168.179.242
route: SIOCADDRT: File exists
Tue Apr 26 12:25:31 2011 ERROR: Linux route add command failed: external program exited with error status: 1
Tue Apr 26 12:25:31 2011 /sbin/route add -net 192.168.168.0 netmask 255.255.255.0 gw 192.168.179.243
route: SIOCADDRT: File exists
Tue Apr 26 12:25:31 2011 ERROR: Linux route add command failed: external program exited with error status: 1
Tue Apr 26 12:25:31 2011 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 26 10:25:31 2011 chroot to '/tmp/openvpn' and cd to '/' succeeded
Tue Apr 26 10:25:31 2011 GID set to openvpn
Tue Apr 26 10:25:31 2011 UID set to openvpn
Tue Apr 26 10:25:31 2011 Listening for incoming TCP connection on [undef]:1195
Tue Apr 26 10:25:31 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Apr 26 10:25:31 2011 TCPv4_SERVER link local (bound): [undef]:1195
Tue Apr 26 10:25:31 2011 TCPv4_SERVER link remote: [undef]
Tue Apr 26 10:25:31 2011 MULTI: multi_init called, r=256 v=256
Tue Apr 26 10:25:31 2011 IFCONFIG POOL: base=192.168.179.230 size=21
Tue Apr 26 10:25:31 2011 MULTI: TCP INIT maxclients=10 maxevents=14
Tue Apr 26 10:25:31 2011 Initialization Sequence Completed
Tue Apr 26 10:25:34 2011 MULTI: multi_create_instance called
Tue Apr 26 10:25:34 2011 Re-using SSL/TLS context
Tue Apr 26 10:25:34 2011 LZO compression initialized
Tue Apr 26 10:25:34 2011 Control Channel MTU parms [ L:1592 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Apr 26 10:25:34 2011 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 26 10:25:34 2011 Local Options hash (VER=V4): '3d4363c6'
Tue Apr 26 10:25:34 2011 Expected Remote Options hash (VER=V4): '29f6c8b2'
Tue Apr 26 10:25:34 2011 TCP connection established with 95.114.99.38:2381
Tue Apr 26 10:25:34 2011 Socket Buffers: R=[131072->131072] S=[131072->131072]
Tue Apr 26 10:25:34 2011 TCPv4_SERVER link local: [undef]
Tue Apr 26 10:25:34 2011 TCPv4_SERVER link remote: 95.114.99.38:2381
Tue Apr 26 10:25:35 2011 95.114.99.38:2381 TLS: Initial packet from 95.114.99.38:2381, sid=f495bdf8 c5179ffe
Tue Apr 26 10:25:35 2011 MULTI: multi_create_instance called
Tue Apr 26 10:25:35 2011 Re-using SSL/TLS context
Tue Apr 26 10:25:35 2011 LZO compression initialized
Tue Apr 26 10:25:35 2011 Control Channel MTU parms [ L:1592 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Apr 26 10:25:35 2011 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 26 10:25:35 2011 Local Options hash (VER=V4): '3d4363c6'
Tue Apr 26 10:25:35 2011 Expected Remote Options hash (VER=V4): '29f6c8b2'
Tue Apr 26 10:25:35 2011 TCP connection established with 87.172.244.229:4373
Tue Apr 26 10:25:35 2011 Socket Buffers: R=[131072->131072] S=[131072->131072]
Tue Apr 26 10:25:35 2011 TCPv4_SERVER link local: [undef]
Tue Apr 26 10:25:35 2011 TCPv4_SERVER link remote: 87.172.244.229:4373
Tue Apr 26 10:25:36 2011 87.172.244.229:4373 TLS: Initial packet from 87.172.244.229:4373, sid=8afcd38c 22aedec2
Tue Apr 26 10:25:38 2011 95.114.99.38:2381 VERIFY OK: depth=1, /C=DE/ST=Hessen/L=Rodgau/O=OpenVPNProject/CN=ca/[email protected]
Tue Apr 26 10:25:38 2011 95.114.99.38:2381 VERIFY OK: depth=0, /C=DE/ST=Hessen/O=OpenVPNProject/CN=client1/[email protected]
Tue Apr 26 10:25:39 2011 95.114.99.38:2381 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr 26 10:25:39 2011 95.114.99.38:2381 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 26 10:25:39 2011 95.114.99.38:2381 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr 26 10:25:39 2011 95.114.99.38:2381 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 26 10:25:39 2011 95.114.99.38:2381 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 26 10:25:39 2011 95.114.99.38:2381 [client1] Peer Connection Initiated with 95.114.99.38:2381
Tue Apr 26 10:25:39 2011 client1/95.114.99.38:2381 OPTIONS IMPORT: reading client specific options from: /clients_openvpn/client1
Tue Apr 26 10:25:39 2011 client1/95.114.99.38:2381 MULTI: --iroute options rejected for client1/95.114.99.38:2381 -- iroute only works with tun-style tunnels
Tue Apr 26 10:25:49 2011 87.172.244.229:4373 VERIFY OK: depth=1, /C=DE/ST=Hessen/L=Rodgau/O=OpenVPNProject/CN=ca/[email protected]
Tue Apr 26 10:25:49 2011 87.172.244.229:4373 VERIFY OK: depth=0, /C=DE/ST=Hessen/O=OpenVPNProject/CN=client2/[email protected]
Tue Apr 26 10:25:53 2011 87.172.244.229:4373 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr 26 10:25:53 2011 87.172.244.229:4373 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 26 10:25:53 2011 87.172.244.229:4373 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr 26 10:25:53 2011 87.172.244.229:4373 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 26 10:25:55 2011 87.172.244.229:4373 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 26 10:25:55 2011 87.172.244.229:4373 [client2] Peer Connection Initiated with 87.172.244.229:4373
openvpn.diff
Code:
export OPENVPN_AUTH_TYPE='static#certs'
export OPENVPN_AUTOSTART='#no'
export OPENVPN_BOX_IP='#192.168.179.1'
export OPENVPN_CIPHER='BF-CBC#AES-128-CBC'
export OPENVPN_CLIENTS_DEFINED='#3'
export OPENVPN_CLIENT_INFO='#yes'
export OPENVPN_CLIENT_IPS='#192.168.179.241:192.168.179.242:192.168.179.243:'
export OPENVPN_CLIENT_NAMES='#client1:client3:client2:'
export OPENVPN_CLIENT_NETS='#192.168.177.0 255.255.255.0:192.168.178.0 255.255.255.0:192.168.168.0 255.255.255.0:'
export OPENVPN_CONFIG_CHANGED='new#yes'
export OPENVPN_DEBUG='#yes'
export OPENVPN_DHCP_RANGE='#192.168.179.230 192.168.179.250'
export OPENVPN_ENABLED='no'
export OPENVPN_EXPERT='yes'
export OPENVPN_FLOAT='#yes'
export OPENVPN_LOCAL_NET='#192.168.179.0 255.255.255.0'
export OPENVPN_MAXCLIENTS='1#10'
export OPENVPN_PORT='#1195'
export OPENVPN_PROTO='udp#tcp'
export OPENVPN_TLS_AUTH='#yes'
export OPENVPN_TYPE='tun#tap'
root@fritz:/var/tmp/flash#
openvpn.conf
Code:
# OpenVPN 2.1 Config, Tue Apr 26 12:25:30 CEST 2011
proto tcp-server
dev tap0
ca /tmp/flash/openvpn/ca.crt
cert /tmp/flash/openvpn/box.crt
key /tmp/flash/openvpn/box.key
dh /tmp/flash/openvpn/dh.pem
tls-server
tls-auth /tmp/flash/openvpn/static.key 0
port 1195
mode server
ifconfig-pool 192.168.179.230 192.168.179.250
push "route 192.168.179.1"
route 192.168.179.0 255.255.255.0
ifconfig 192.168.179.1 255.255.255.0
push "route-gateway 192.168.179.1"
client-config-dir /clients_openvpn
topology subnet
push "topology subnet"
max-clients 10
push "route 192.168.179.0 255.255.255.0 192.168.179.1"
route 192.168.177.0 255.255.255.0 192.168.179.241
route 192.168.178.0 255.255.255.0 192.168.179.242
route 192.168.168.0 255.255.255.0 192.168.179.243
ifconfig 192.168.179.1 255.255.255.0
push "route-gateway 192.168.179.1"
push "route 192.168.179.0 255.255.255.0"
max-clients 10
tun-mtu 1500
mssfix
log /var/tmp/debug_openvpn.out
verb 3
daemon
cipher AES-128-CBC
comp-lzo
float
keepalive 10 120
chroot /tmp/openvpn
user openvpn
group openvpn
persist-tun
persist-key
In the config above, the entry "client-config-dir /clients_openvpn" looks odd to me, though, because the files are located under "/tmp/openvpn/clients_openvpn". But I have already adjusted that manually in the config once, without success.
Routes
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
77.1.220.198 * 255.255.255.255 UH 3 0 0 dsl
192.168.180.1 * 255.255.255.255 UH 2 0 0 dsl
192.168.180.2 * 255.255.255.255 UH 2 0 0 dsl
95.116.28.127 * 255.255.255.255 UH 2 0 0 dsl
192.168.178.0 192.168.179.242 255.255.255.0 UG 0 0 0 lan
10.4.70.0 192.168.179.2 255.255.255.0 UG 0 0 0 lan
192.168.179.0 * 255.255.255.0 U 0 0 0 lan
192.168.179.0 * 255.255.255.0 U 0 0 0 tap0
192.168.177.0 192.168.179.241 255.255.255.0 UG 0 0 0 lan
192.168.1.0 192.168.179.2 255.255.255.0 UG 0 0 0 lan
192.168.181.0 * 255.255.255.0 U 0 0 0 guest
192.168.168.0 192.168.179.243 255.255.255.0 UG 0 0 0 lan
169.254.0.0 * 255.255.0.0 U 0 0 0 lan
default * 0.0.0.0 U 2 0 0 dsl
ar7.cfg
Code:
"tcp 0.0.0.0:1194+6 0.0.0.0:1194 0 # OpenVPN"
Thanks in advance....
Regards
HS
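Added diagnostic example (not from the post, from Freetz or from AVM): a small Python lint that scans an OpenVPN 2.1 server log and config for the conditions visible in the debug log above. The sample log and config are constructed excerpts of the post's own output (timestamps dropped). It flags the world/group-readable key file, the `route` directive that OpenVPN could not resolve (with `dev tap` and no `route-gateway`, the server has no default gateway to attach to a bare `route`; the `push "route-gateway"` line only reaches the clients), the `route add` attempts that failed with `File exists` because the kernel table already holds those prefixes, the `--iroute` lines rejected in tap mode, and the `client-config-dir` path, which the log shows is read after `chroot /tmp/openvpn`, so `/clients_openvpn` inside the chroot is `/tmp/openvpn/clients_openvpn` on the host. The finding codes and helper names are my own.

```python
"""Lint an OpenVPN 2.1 server log and config for the problems seen in the post.
Added example, not OpenVPN or Freetz code; sample inputs are constructed."""
import re

# Constructed excerpt of the post's debug log (timestamps removed).
SAMPLE_LOG = """\
WARNING: file '/tmp/flash/openvpn/box.key' is group or others accessible
ROUTE: default_gateway=UNDEF
OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.179.0
/sbin/route add -net 192.168.177.0 netmask 255.255.255.0 gw 192.168.179.241
route: SIOCADDRT: File exists
ERROR: Linux route add command failed: external program exited with error status: 1
chroot to '/tmp/openvpn' and cd to '/' succeeded
Initialization Sequence Completed
client1/95.114.99.38:2381 OPTIONS IMPORT: reading client specific options from: /clients_openvpn/client1
client1/95.114.99.38:2381 MULTI: --iroute options rejected for client1/95.114.99.38:2381 -- iroute only works with tun-style tunnels
"""

# Constructed excerpt of the post's openvpn.conf (only the directives that matter here).
SAMPLE_CONF = """\
# OpenVPN 2.1 Config
proto tcp-server
dev tap0
key /tmp/flash/openvpn/box.key
route 192.168.179.0 255.255.255.0
ifconfig 192.168.179.1 255.255.255.0
push "route-gateway 192.168.179.1"
client-config-dir /clients_openvpn
route 192.168.177.0 255.255.255.0 192.168.179.241
chroot /tmp/openvpn
"""

# Log messages worth a finding; the named groups become the finding detail.
LOG_PATTERNS = [
    ("key-perms", re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible")),
    ("route-unresolved", re.compile(r"ROUTE: failed to parse/resolve route for host/network: (?P<net>\S+)")),
    ("iroute-rejected", re.compile(r"--iroute options rejected for (?P<client>\S+) -- iroute only works with tun")),
    ("chroot", re.compile(r"chroot to '(?P<dir>[^']+)'")),
]
ROUTE_ADD = re.compile(r"/sbin/route add -net (?P<net>\S+) netmask (?P<mask>\S+) gw (?P<gw>\S+)")


def lint_log(text):
    """Return a list of (code, detail) findings for the given log text."""
    findings = []
    pending_route = None  # last 'route add' seen, waiting for the kernel's answer
    for line in text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            pending_route = m.groupdict()
            continue
        if "SIOCADDRT: File exists" in line and pending_route:
            r = pending_route
            findings.append(("route-exists", f"{r['net']}/{r['mask']} via {r['gw']} is already in the kernel table"))
            pending_route = None
            continue
        for code, pat in LOG_PATTERNS:
            m = pat.search(line)
            if m:
                findings.append((code, ", ".join(f"{k}={v}" for k, v in m.groupdict().items())))
    return findings


def parse_conf(text):
    """Split a config into (directive, [args]) pairs, dropping comments and blanks."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def lint_conf(text):
    """Return (code, detail) findings for a server config; chroot-aware for ccd paths."""
    ds = parse_conf(text)
    findings = []
    dev = next((a[0] for d, a in ds if d == "dev" and a), "")
    is_tap = dev.startswith("tap")
    has_route_gw = any(d == "route-gateway" for d, _ in ds)  # pushed ones do not count
    chroot = next((a[0] for d, a in ds if d == "chroot" and a), None)
    for d, args in ds:
        if d == "route" and len(args) < 3 and is_tap and not has_route_gw:
            findings.append(("route-no-gateway", f"route {args[0]}: no gateway and no route-gateway; with dev tap OpenVPN cannot infer one"))
        if d == "iroute" and is_tap:
            findings.append(("iroute-with-tap", f"iroute {' '.join(args)} is ignored on tap interfaces"))
        if d == "client-config-dir" and args and chroot:
            host_path = chroot.rstrip("/") + "/" + args[0].lstrip("/")
            findings.append(("ccd-in-chroot", f"{args[0]} is opened after chroot, i.e. host path {host_path}"))
    return findings


if __name__ == "__main__":
    for code, detail in lint_log(SAMPLE_LOG) + lint_conf(SAMPLE_CONF):
        print(f"{code:18} {detail}")
```

Run it against the full `/var/tmp/debug_openvpn.out` and `/tmp/openvpn/openvpn.conf` of a box to get the same report; the `key-perms` finding is the one worth fixing first regardless of the routing question, since it is the box's private key.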