An openvpn server is running on Ubuntu Server 11.10. The server has an interface with 5 valid addresses configured on it. On an absolutely identical server, clients can connect to any of the addresses. On this one, only one works.
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:30:48:9e:a7:4a
inet addr:xx.yy.zz.106 Bcast:xx.yy.zz.111 Mask:255.255.255.248
inet6 addr: fe80::230:48ff:fe9e:a74a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:641172 errors:0 dropped:0 overruns:0 frame:0
TX packets:643571 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:51329271 (51.3 MB) TX bytes:53195456 (53.1 MB)
Interrupt:16 Память:dc100000-dc120000
eth0:0 Link encap:Ethernet HWaddr 00:30:48:9e:a7:4a
inet addr:xx.yy.zz.107 Bcast:0.0.0.0 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Память:dc100000-dc120000
eth0:1 Link encap:Ethernet HWaddr 00:30:48:9e:a7:4a
inet addr:xx.yy.zz.108 Bcast:0.0.0.0 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Память:dc100000-dc120000
eth0:2 Link encap:Ethernet HWaddr 00:30:48:9e:a7:4a
inet addr:xx.yy.zz.109 Bcast:0.0.0.0 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Память:dc100000-dc120000
eth0:3 Link encap:Ethernet HWaddr 00:30:48:9e:a7:4a
inet addr:xx.yy.zz.110 Bcast:0.0.0.0 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Память:dc100000-dc120000
lo Link encap:Локальная петля (Loopback)
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:25 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7839 (7.8 KB) TX bytes:7839 (7.8 KB)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.0.1 P-t-P:10.1.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# ip route
10.1.0.2 dev tun1 proto kernel scope link src 10.1.0.1
xx.yy.zz.104/29 dev eth0 proto kernel scope link src xx.yy.zz.106
10.1.0.0/24 via 10.1.0.2 dev tun1
default via xx.yy.zz.105 dev eth0 metric 100
# iptables -L -nv
Chain INPUT (policy ACCEPT 626K packets, 41M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 632K packets, 43M bytes)
pkts bytes target prot opt in out source destination
# cat /etc/openvpn/server1.conf
port 36782
proto udp
dev tun1
ca /etc/openvpn/ca.crt
cert /etc/openvpn/servers/server1/server1.crt
key /etc/openvpn/servers/server1/server1.key # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/servers/server1/ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/servers/server1/openvpn-status.log
log-append /etc/openvpn/servers/server1/openvpn.log
verb 4
mute 20
###
tls-server
tls-auth /etc/openvpn/ta.key 0
tls-timeout 120
auth MD5 #
cipher BF-CBC
###
client-to-client
client-config-dir /etc/openvpn/ccd
management localhost 7505
# cat client.conf
remote xx.yy.zz.107 36782
client
dev tun
proto udp
resolv-retry infinite # this is necessary for DynDNS
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
###
tls-client
tls-auth /etc/openvpn/ta.key 1
auth MD5
cipher BF-CBC
ns-cert-type server
###
comp-lzo
verb 4
mute 20
Connection to the .106 address:
Jan 27 06:48:59 ms-srv001 ovpn-client[32378]: event_wait : Interrupted system call (code=4)
Jan 27 06:48:59 ms-srv001 ovpn-client[32378]: TCP/UDP: Closing socket
Jan 27 06:48:59 ms-srv001 ovpn-client[32378]: SIGTERM[hard,] received, process exiting
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: Current Parameter Settings:
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: config = '/etc/openvpn/client.conf'
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: mode = 0
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: persist_config = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: persist_mode = 1
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: show_ciphers = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: show_digests = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: show_engines = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: genkey = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: key_pass_file = '[UNDEF]'
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: show_tls_ciphers = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: Connection profiles [default]:
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: proto = udp
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: local = '[UNDEF]'
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: local_port = 0
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: remote = 'xx.yy.zz.106'
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: remote_port = 36782
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: remote_float = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: bind_defined = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: bind_local = DISABLED
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: NOTE: --mute triggered...
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: 241 variation(s) on previous 20 message(s) suppressed by --mute
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: WARNING: file '/etc/openvpn/client1.key' is group or others accessible
Jan 27 06:49:01 ms-srv001 ovpn-client[32442]: /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: LZO compression initialized
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Local Options String: 'V4,dev-type tun,link-mtu 1538,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-client'
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1538,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-server'
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Local Options hash (VER=V4): '03fa487d'
Jan 27 06:49:03 ms-srv001 ovpn-client[32442]: Expected Remote Options hash (VER=V4): '1056bce3'
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: UDPv4 link local: [undef]
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: UDPv4 link remote: [AF_INET]xx.yy.zz.106:36782
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: TLS: Initial packet from [AF_INET]xx.yy.zz.106:36782, sid=eb51c724 2e574eff
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: Replay-window backtrack occurred [1]
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=me@myhost.mydomain
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: VERIFY OK: nsCertType=SERVER
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=server1/name=changeme/emailAddress=me@myhost.mydomain
Jan 27 06:49:04 ms-srv001 ovpn-client[32444]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 06:49:04 ms-srv001 ovpn-client[32444]: Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Jan 27 06:49:04 ms-srv001 ovpn-client[32444]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 06:49:04 ms-srv001 ovpn-client[32444]: Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Jan 27 06:49:04 ms-srv001 ovpn-client[32444]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan 27 06:49:04 ms-srv001 ovpn-client[32444]: [server1] Peer Connection Initiated with [AF_INET]xx.yy.zz.106:36782
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: SENT CONTROL [server1]: 'PUSH_REQUEST' (status=1)
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.1.0.6 10.1.0.5'
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: OPTIONS IMPORT: route options modified
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: ROUTE default_gateway=192.168.0.1
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: TUN/TAP device tun0 opened
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: TUN/TAP TX queue length set to 100
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: /sbin/ifconfig tun0 10.1.0.6 pointopoint 10.1.0.5 mtu 1500
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 10.1.0.5
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: GID set to nogroup
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: UID set to nobody
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: Initialization Sequence Completed
Connection to any other address:
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Current Parameter Settings:
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: config = '/etc/openvpn/client.conf'
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: mode = 0
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: persist_config = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: persist_mode = 1
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: show_ciphers = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: show_digests = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: show_engines = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: genkey = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: key_pass_file = '[UNDEF]'
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: show_tls_ciphers = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Connection profiles [default]:
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: proto = udp
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: local = '[UNDEF]'
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: local_port = 0
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: remote = 'xx.yy.zz.107'
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: remote_port = 36782
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: remote_float = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: bind_defined = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: bind_local = DISABLED
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: NOTE: --mute triggered...
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: 241 variation(s) on previous 20 message(s) suppressed by --mute
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: WARNING: file '/etc/openvpn/client1.key' is group or others accessible
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: LZO compression initialized
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Local Options String: 'V4,dev-type tun,link-mtu 1538,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-client'
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1538,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-server'
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Local Options hash (VER=V4): '03fa487d'
Jan 27 10:41:50 ms-srv001 ovpn-client[455]: Expected Remote Options hash (VER=V4): '1056bce3'
Jan 27 10:41:50 ms-srv001 ovpn-client[457]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan 27 10:41:50 ms-srv001 ovpn-client[457]: UDPv4 link local: [undef]
Jan 27 10:41:50 ms-srv001 ovpn-client[457]: UDPv4 link remote: [AF_INET]xx.yy.zz.107:36782
Jan 27 10:42:50 ms-srv001 ovpn-client[457]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 27 10:42:50 ms-srv001 ovpn-client[457]: TLS Error: TLS handshake failed
Jan 27 10:42:50 ms-srv001 ovpn-client[457]: TCP/UDP: Closing socket
Jan 27 10:42:50 ms-srv001 ovpn-client[457]: SIGUSR1[soft,tls-error] received, process restarting
Jan 27 10:42:50 ms-srv001 ovpn-client[457]: Restart pause, 2 second(s)
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Re-using SSL/TLS context
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: LZO compression initialized
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Local Options String: 'V4,dev-type tun,link-mtu 1538,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-client'
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1538,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth MD5,keysize 128,tls-auth,key-method 2,tls-server'
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Local Options hash (VER=V4): '03fa487d'
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: Expected Remote Options hash (VER=V4): '1056bce3'
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: UDPv4 link local: [undef]
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: UDPv4 link remote: [AF_INET]xx.yy.zz.107:36782
I have been racking my brains (and fingers) over this for two days now. Any hints, if anyone has run into this?
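As an added example, not part of the original post: a small Python triage helper that walks OpenVPN 2.1 client log lines like the ones quoted above and reports, per remote address, whether the handshake completed, timed out, or never received a packet the client accepted. It assumes the syslog layout shown in the post (an `ovpn-client[<pid>]:` prefix before each message); the sample log is a constructed excerpt of the lines above.

```python
import re

# Constructed excerpt of the ms-srv001 client log quoted in the post above.
SAMPLE_LOG = """\
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: UDPv4 link remote: [AF_INET]xx.yy.zz.106:36782
Jan 27 06:49:03 ms-srv001 ovpn-client[32444]: TLS: Initial packet from [AF_INET]xx.yy.zz.106:36782, sid=eb51c724 2e574eff
Jan 27 06:49:07 ms-srv001 ovpn-client[32444]: Initialization Sequence Completed
Jan 27 10:41:50 ms-srv001 ovpn-client[457]: UDPv4 link remote: [AF_INET]xx.yy.zz.107:36782
Jan 27 10:42:50 ms-srv001 ovpn-client[457]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 27 10:42:52 ms-srv001 ovpn-client[457]: UDPv4 link remote: [AF_INET]xx.yy.zz.107:36782
"""

# Syslog prefix written by Ubuntu's init script: "ovpn-client[<pid>]: <message>".
LINE_RE = re.compile(r"ovpn-client\[\d+\]: (?P<msg>.*)$")
# The line that opens every connection attempt and names the address being tried.
REMOTE_RE = re.compile(r"UDPv4 link remote: \[AF_INET\](?P<peer>[^:\s]+:\d+)")

def summarize_attempts(log_text):
    """One dict per connection attempt: peer, outcome and reply_seen.

    outcome is 'completed', 'timeout' (60-second TLS negotiation error) or
    'pending' (log ends mid-attempt); reply_seen is True once the client
    logged 'TLS: Initial packet from', i.e. accepted a packet from that peer.
    """
    attempts, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        r = REMOTE_RE.search(msg)
        if r:
            current = {"peer": r.group("peer"), "outcome": "pending", "reply_seen": False}
            attempts.append(current)
        elif current is None:
            continue
        elif msg.startswith("TLS: Initial packet from"):
            current["reply_seen"] = True
        elif msg == "Initialization Sequence Completed":
            current["outcome"] = "completed"
        elif msg.startswith("TLS Error: TLS key negotiation failed"):
            current["outcome"] = "timeout"
    return attempts

def outcomes_by_peer(log_text):
    """Collapse attempts to {peer: set(outcomes)} so each server address can be compared."""
    by_peer = {}
    for a in summarize_attempts(log_text):
        by_peer.setdefault(a["peer"], set()).add(a["outcome"])
    return by_peer
```

A timeout with reply_seen False on one address while another address of the same server completes means the client never accepted a single server packet for that peer; for a UDP server with several addresses and no `local` pinning, that is the situation OpenVPN's `--multihome` option is documented for, so the report helps confirm whether that is the setting to check.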