Добрый день. Прошу вашей помощи в первоначальном запуске OpenVPN.
Система Centos 6.4, OpenVPN 2.3.1
При установке опирался на мануал http://bozza.ru/art-130.html
Все сертификаты сгенерированы и рассованы по нужным папкам.
OpenVPN запускается нормально, ни на что не ругается.
При попытке подключения (OpenVPN client for Windows) в логе подключения не появляется ничего, просто выдаётся сообщение о невожможности подключения к серверу.
Заранее благодарен за помощь. От здравой критики конфигов тоже не откажусь :)
Необходимые конфиги прилагаю.###server.conf
port 1194
proto udp
dev tun
ca "/etc/openvpn/keys/ca.crt"
cert "/etc/openvpn/keys/server.crt"
key "/etc/openvpn/keys/server.key" # Этот файл хранить в секрете!
dh "/etc/openvpn/keys/dh2048.pem"
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist "/etc/openvpn/config/ipp.txt"
push "route 192.168.10.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-server
tls-auth "/etc/openvpn/keys/ta.key" 0
tls-timeout 120
auth MD5
cipher BF-CBC # Blowfish (default)
comp-lzo
max-clients 10
persist-key
persist-tun
status "/etc/openvpn/log/openvpn-status.log"
log "/etc/openvpn/log/openvpn.log"
log-append "/etc/openvpn/log/openvpn.log"
verb 3
###iptables
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p icmp -m comment -j ACCEPT --comment "allow icmp to WAN"
-A FORWARD -i eth0 -o tun0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -p tcp -m multiport -d 195.122.229.16 -j ACCEPT --dports 8088,8089
-A FORWARD -p tcp -m multiport -s 195.122.229.16 -j ACCEPT --dports 8088,8089
-A FORWARD -p udp ! -d 192.168.10.2 --dport 53 -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -s 192.168.10.244/31 -j ACCEPT
-A FORWARD -p tcp -m comment --dport 8005 -j ACCEPT --comment online-radio
-A FORWARD -m state -m comment --state ESTABLISHED,RELATED -j ACCEPT --comment "Allow established connections"
-A FORWARD -p tcp -m state -m comment --dport 21 --sport 1024:65535 --state NEW -j ACCEPT --comment "FTP new connection"
-A FORWARD -p tcp -m state -m comment -s 192.168.10.100 --dport 9443 --state NEW -j ACCEPT --comment "SberBank Client Veronika"
-A FORWARD -p tcp -m tcp -m multiport -m comment -j ACCEPT --dports 25,80,110,143,443,587,993,995,3389:3392,8989 --comment "MAIL, HTTP(DVR), HTTPS, RDP, DVR"
-A FORWARD -p udp -m udp -m comment --dport 8989 -j ACCEPT --comment "DVR"
-A FORWARD -p tcp -m tcp -m multiport -m comment -j ACCEPT --sports 25,80,110,143,443,587,993,995,3389:3392,8989 --comment "MAIL, HTTP(DVR), HTTPS, RDP, DVR"
-A FORWARD -p udp -m udp -m comment --sport 8989 -j ACCEPT --comment "DVR"
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p icmp -m comment -j ACCEPT --comment "Allow icmp to proxy"
-A INPUT -m comment -i lo -j ACCEPT --comment "Allow input from localhost"
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 60000:65000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -m state -m comment --state NEW -j ACCEPT --dports 22,10000 --comment "SSH, Webmin"
-A INPUT -p tcp -m multiport -m comment -s 192.168.10.0/24 -j ACCEPT --dports 80,3128,3306 --comment "Wordpress, Squid, MySQL"
-A INPUT -p udp -m multiport -m comment -s 192.168.10.0/24 -j ACCEPT --dports 53 --comment "BIND"
-A INPUT -p tcp -m multiport -m comment -s 192.168.10.1 -j ACCEPT --dports 53,953 --comment "BIND Sync & Control"
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -m multiport -s 192.168.10.0/24 ! -d 192.168.10.2 --dports 80,8000,8080,8081,8082 -j DNAT --to-destination 192.168.10.2:3128 -m comment --comment "to squid"
-A PREROUTING -p tcp -m tcp -m multiport -i tun0 ! -d 192.168.10.2 --dports 80,8000,8080,8081,8082 -j DNAT --to-destination 192.168.10.2:3128 -m comment --comment "to squid"
-A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to WAN IP -m comment --comment NAT
-A PREROUTING -p tcp -m tcp -d WAN IP --dport 3390 -j DNAT --to-destination 192.168.10.1:3389 -m comment --comment AD
-A PREROUTING -p tcp -m tcp -d WAN IP --dport 3391 -j DNAT --to-destination 192.168.10.4:3389 -m comment --comment 1C
-A PREROUTING -p tcp -m tcp -d WAN IP --dport 3400 -j DNAT --to-destination 192.168.10.82:3389 -m comment --comment MINE
-A PREROUTING -p tcp -m tcp -d WAN IP --dport 3392 -j DNAT --to-destination 192.168.10.234:3389 -m comment --comment TillyPad
-A PREROUTING -p tcp -m tcp -d WAN IP --dport 8989 -j DNAT --to-destination 192.168.10.60:80 -m comment --comment DVR
COMMIT
###ifconfig
eth0 Link encap:Ethernet HWaddr 50:E5:49:C7:9E:60
inet addr:192.168.10.2 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::52e5:49ff:fec7:9e60/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:208324935 errors:0 dropped:0 overruns:0 frame:0
TX packets:255568258 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4074832290 (3.7 GiB) TX bytes:2366163449 (2.2 GiB)
eth1 Link encap:Ethernet HWaddr F8:D1:11:03:12:B8
inet addr:WAN IP Bcast:255.255.255.255 Mask:255.255.255.248
inet6 addr: fe80::fad1:11ff:fe03:12b8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:328727448 errors:0 dropped:0 overruns:0 frame:0
TX packets:219805081 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1644180648 (1.5 GiB) TX bytes:843322414 (804.2 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5731771 errors:0 dropped:0 overruns:0 frame:0
TX packets:5731771 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:716881079 (683.6 MiB) TX bytes:716881079 (683.6 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
###lsof -i udp:1194
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 11906 root 4u IPv4 46562123 0t0 UDP *:openvpn
###client1.ovpn (openvpn for windows)
#client
dev tun
proto udp
remote WAN IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\OpenVPN\\config\\client1.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1.key"
tls-client
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
auth MD5
ns-cert-type server
comp-lzo
verb 3
Вариант для распечатки
