Gentoo Forums
OpenVPN and Bridging
ITFriend
n00b

Joined: 13 May 2010
Posts: 5

Posted: Thu Nov 18, 2010 6:37 pm    Post subject: OpenVPN and Bridging

Hello everyone,
I have a problem setting up OpenVPN.
I don't get any connection through the tunnel (ping etc.).

My network layout looks like this
Code:

+--------+ 
|morpheus| 192.168.178.201/24
+--------+
     |
     | VPN over 172.20.228.0/22 (untrusted network)
     |
+-----------+ 
|datenbunker| 192.168.178.250/24
+-----------+ 
     |
     |
     |
+---------+ 
|fritz.box| 192.168.178.254/24
+---------+ 
     |
     |
/~~~~~~~~\
|Internet|
\~~~~~~~~/


Here are the configs from the server:

Code:
datenbunker ~ # cat /etc/openvpn/openvpn.conf
daemon
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa2/keys/ca.crt
cert /etc/openvpn/easy-rsa2/keys/datenbunker.wh36.de.crt
dh /etc/openvpn/easy-rsa2/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.178.254 255.255.255.0 192.168.178.200 192.168.178.210
push "redirect-gateway def1"
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3

datenbunker ~ # brctl show
bridge name   bridge id      STP enabled   interfaces
br0      8000.00148534197c   no      eth1

datenbunker ~ # ifconfig
br0       Protokoll:Ethernet  Hardware Adresse 00:14:85:34:19:7c 
          inet Adresse:192.168.178.250  Bcast:192.168.178.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1936 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1706 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:347414 (339.2 KiB)  TX bytes:305584 (298.4 KiB)

eth0      Protokoll:Ethernet  Hardware Adresse 00:e0:7d:e5:3b:60 
          inet Adresse:172.20.231.169  Bcast:172.20.231.255  Maske:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:599699 errors:0 dropped:0 overruns:0 frame:0
          TX packets:812339 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:47783179 (45.5 MiB)  TX bytes:1196274074 (1.1 GiB)
          Interrupt:16 Basisadresse:0xa000

eth1      Protokoll:Ethernet  Hardware Adresse 00:14:85:34:19:7c 
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:82112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71976 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:15820642 (15.0 MiB)  TX bytes:14282878 (13.6 MiB)
          Interrupt:21 Basisadresse:0x6000

lo        Protokoll:Lokale Schleife 
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1115 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1115 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:111269 (108.6 KiB)  TX bytes:111269 (108.6 KiB)

# iptables-save
# Generated by iptables-save v1.4.6 on Thu Nov 18 19:07:59 2010
*nat
:PREROUTING ACCEPT [16411:1978350]
:OUTPUT ACCEPT [596:71880]
:POSTROUTING ACCEPT [596:71880]
COMMIT
# Completed on Thu Nov 18 19:07:59 2010
# Generated by iptables-save v1.4.6 on Thu Nov 18 19:07:59 2010
*mangle
:PREROUTING ACCEPT [620807:48287740]
:INPUT ACCEPT [612234:47429467]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [547989:1173676771]
:POSTROUTING ACCEPT [547989:1173676771]
COMMIT
# Completed on Thu Nov 18 19:07:59 2010
# Generated by iptables-save v1.4.6 on Thu Nov 18 19:07:59 2010
*filter
:INPUT ACCEPT [4845:328555]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4202:9864120]
COMMIT
# Completed on Thu Nov 18 19:07:59 2010

datenbunker ~ # netstat -r
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
192.168.178.0   *               255.255.255.0   U         0 0          0 br0
172.20.228.0    *               255.255.252.0   U         0 0          0 eth0
129.13.0.0      172.20.231.254  255.255.0.0     UG        0 0          0 eth0
141.3.0.0       172.20.231.254  255.255.0.0     UG        0 0          0 eth0
172.16.0.0      172.20.231.254  255.240.0.0     UG        0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         192.168.178.254 0.0.0.0         UG        0 0          0 br0

datenbunker ~ # cat /etc/conf.d/net
bridge_br0="eth1"
config_br0=( "192.168.178.250/24" )
config_eth1=( "null" )
config_eth0=( "172.20.231.169/22" )
routes_br0=( "default via 192.168.178.254" )
routes_eth0=( "172.16.0.0/12 via 172.20.231.254" "129.13.0.0/16 via 172.20.231.254" "141.3.0.0/16 via 172.20.231.254" )
dns_domain="wh36.de"
dns_servers=( "172.20.228.10" )

preup() {
  openvpn --mktun --dev tap0
  brctl addif br0 tap0
  return 0
}

predown() {
  brctl delif br0 tap0
  openvpn --rmtun --dev tap0
  return 0
}

datenbunker openvpn # ping -c3 192.168.178.201
PING 192.168.178.201 (192.168.178.201) 56(84) bytes of data.
From 192.168.178.250 icmp_seq=1 Destination Host Unreachable
From 192.168.178.250 icmp_seq=2 Destination Host Unreachable
From 192.168.178.250 icmp_seq=3 Destination Host Unreachable

--- 192.168.178.201 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms

datenbunker ~ # tail /var/log/messages
Nov 18 19:26:01 datenbunker openvpn[21110]: OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on Nov 14 2010
Nov 18 19:26:01 datenbunker openvpn[21110]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Nov 18 19:26:01 datenbunker openvpn[21110]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 18 19:26:01 datenbunker openvpn[21110]: Diffie-Hellman initialized with 1024 bit key
Nov 18 19:26:01 datenbunker openvpn[21110]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 18 19:26:01 datenbunker openvpn[21110]: Socket Buffers: R=[118784->131072] S=[118784->131072]
Nov 18 19:26:01 datenbunker openvpn[21110]: TUN/TAP device tap0 opened
Nov 18 19:26:01 datenbunker openvpn[21110]: TUN/TAP TX queue length set to 100
Nov 18 19:26:01 datenbunker openvpn[21110]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 18 19:26:01 datenbunker openvpn[21111]: GID set to openvpn
Nov 18 19:26:01 datenbunker openvpn[21111]: UID set to openvpn
Nov 18 19:26:01 datenbunker openvpn[21111]: UDPv4 link local (bound): [undef]
Nov 18 19:26:01 datenbunker openvpn[21111]: UDPv4 link remote: [undef]
Nov 18 19:26:01 datenbunker openvpn[21111]: MULTI: multi_init called, r=256 v=256
Nov 18 19:26:01 datenbunker openvpn[21111]: IFCONFIG POOL: base=192.168.178.200 size=11
Nov 18 19:26:01 datenbunker openvpn[21111]: IFCONFIG POOL LIST
Nov 18 19:26:01 datenbunker openvpn[21111]: ares.wh36.de,192.168.178.200
Nov 18 19:26:01 datenbunker openvpn[21111]: morpheus.wh36.de,192.168.178.201
Nov 18 19:26:01 datenbunker openvpn[21111]: Initialization Sequence Completed
Nov 18 19:26:04 datenbunker openvpn[21111]: MULTI: multi_create_instance called
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Re-using SSL/TLS context
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 LZO compression initialized
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Local Options hash (VER=V4): 'f7df56b8'
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Expected Remote Options hash (VER=V4): 'd79ca330'
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 TLS: Initial packet from [AF_INET]172.20.230.168:1194, sid=583cec3d e3802f03
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 VERIFY OK: depth=1, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=VPN-Alice_CA/emailAddress=netz@wh36.de
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 VERIFY OK: depth=0, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=morpheus.wh36.de/emailAddress=netz@wh36.de
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 18 19:26:04 datenbunker openvpn[21111]: 172.20.230.168:1194 [morpheus.wh36.de] Peer Connection Initiated with [AF_INET]172.20.230.168:1194
Nov 18 19:26:07 datenbunker openvpn[21111]: morpheus.wh36.de/172.20.230.168:1194 PUSH: Received control message: 'PUSH_REQUEST'
Nov 18 19:26:07 datenbunker openvpn[21111]: morpheus.wh36.de/172.20.230.168:1194 SENT CONTROL [morpheus.wh36.de]: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.178.254,ping 10,ping-restart 120,ifconfig 192.168.178.201 255.255.255.0' (status=1)
Nov 18 19:26:07 datenbunker openvpn[21111]: morpheus.wh36.de/172.20.230.168:1194 MULTI: Learn: 5e:f1:6a:c8:c1:be -> morpheus.wh36.de/172.20.230.168:1194


Here are the configs from the client:

Code:
morpheus ~ # cat /etc/openvpn/openvpn.conf   
client
dev tap0
proto udp
remote datenbunker.wh36.de 1194
resolv-retry infinite
pull
persist-key
persist-tun
ca ca.crt
cert morpheus.wh36.de.crt
key morpheus.wh36.de.key
ns-cert-type server
comp-lzo
verb 3

morpheus ~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:17:43:b4:4b 
          inet addr:172.20.230.168  Bcast:172.20.231.255  Mask:255.255.252.0
          inet6 addr: fe80::216:17ff:fe43:b44b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11291426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4681976 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7294392096 (6.7 GiB)  TX bytes:6186748379 (5.7 GiB)
          Interrupt:23 Base address:0x6000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:31033 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31033 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:209789297 (200.0 MiB)  TX bytes:209789297 (200.0 MiB)

tap0      Link encap:Ethernet  HWaddr 4a:cb:81:b5:53:10 
          inet addr:192.168.178.201  Bcast:192.168.178.255  Mask:255.255.255.0
          inet6 addr: fe80::48cb:81ff:feb5:5310/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:3278 (3.2 KiB)

morpheus ~ # netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
wh36-e004-2.wh3 172.20.231.254  255.255.255.255 UGH       0 0          0 eth0
192.168.178.0   *               255.255.255.0   U         0 0          0 tap0
172.20.228.0    *               255.255.252.0   U         0 0          0 eth0
129.13.0.0      172.20.231.254  255.255.0.0     UG        0 0          0 eth0
141.3.0.0       172.20.231.254  255.255.0.0     UG        0 0          0 eth0
172.16.0.0      172.20.231.254  255.240.0.0     UG        0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         192.168.178.254 128.0.0.0       UG        0 0          0 tap0
128.0.0.0       192.168.178.254 128.0.0.0       UG        0 0          0 tap0
default         172.20.231.254  0.0.0.0         UG        0 0          0 eth0

morpheus ~ # ping -c3 192.168.178.254
PING 192.168.178.254 (192.168.178.254) 56(84) bytes of data.
From 192.168.178.201 icmp_seq=1 Destination Host Unreachable
From 192.168.178.201 icmp_seq=2 Destination Host Unreachable
From 192.168.178.201 icmp_seq=3 Destination Host Unreachable

--- 192.168.178.254 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms

morpheus ~ # tail /var/log/messages
Nov 18 19:26:08 moprheus openvpn[21319]: OpenVPN 2.1.2 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 19 2010
Nov 18 19:26:08 moprheus openvpn[21319]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 18 19:26:08 moprheus openvpn[21319]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 18 19:26:08 moprheus openvpn[21319]: LZO compression initialized
Nov 18 19:26:08 moprheus openvpn[21319]: Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 18 19:26:08 moprheus openvpn[21319]: Socket Buffers: R=[116736->131072] S=[116736->131072]
Nov 18 19:26:08 moprheus openvpn[21319]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 18 19:26:08 moprheus openvpn[21319]: Local Options hash (VER=V4): 'd79ca330'
Nov 18 19:26:08 moprheus openvpn[21319]: Expected Remote Options hash (VER=V4): 'f7df56b8'
Nov 18 19:26:08 moprheus openvpn[21320]: UDPv4 link local (bound): [undef]:1194
Nov 18 19:26:08 moprheus openvpn[21320]: UDPv4 link remote: 172.20.231.169:1194
Nov 18 19:26:08 moprheus openvpn[21320]: TLS: Initial packet from 172.20.231.169:1194, sid=5e6d83c4 e7b74c95
Nov 18 19:26:08 moprheus openvpn[21320]: VERIFY OK: depth=1, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=VPN-Alice_CA/emailAddress=netz@wh36.de
Nov 18 19:26:08 moprheus openvpn[21320]: VERIFY OK: nsCertType=SERVER
Nov 18 19:26:08 moprheus openvpn[21320]: VERIFY OK: depth=0, /C=DE/ST=BW/L=Karlsruhe/O=VPN-Alice/CN=datenbunker.wh36.de/emailAddress=netz@wh36.de
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 18 19:26:08 moprheus openvpn[21320]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 18 19:26:08 moprheus openvpn[21320]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 18 19:26:08 moprheus openvpn[21320]: [datenbunker.wh36.de] Peer Connection Initiated with 172.20.231.169:1194
Nov 18 19:26:11 moprheus openvpn[21320]: SENT CONTROL [datenbunker.wh36.de]: 'PUSH_REQUEST' (status=1)
Nov 18 19:26:11 moprheus openvpn[21320]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.178.254,ping 10,ping-restart 120,ifconfig 192.168.178.201 255.255.255.0'
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: route options modified
Nov 18 19:26:11 moprheus openvpn[21320]: OPTIONS IMPORT: route-related options modified
Nov 18 19:26:11 moprheus openvpn[21320]: ROUTE default_gateway=172.20.231.254
Nov 18 19:26:11 moprheus openvpn[21320]: TUN/TAP device tap0 opened
Nov 18 19:26:11 moprheus openvpn[21320]: TUN/TAP TX queue length set to 100
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/ifconfig tap0 192.168.178.201 netmask 255.255.255.0 mtu 1500 broadcast 192.168.178.255
Nov 18 19:26:11 moprheus openvpn[21320]: /etc/openvpn/up.sh tap0 1500 1574 192.168.178.201 255.255.255.0 init
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/route add -net 172.20.231.169 netmask 255.255.255.255 gw 172.20.231.254
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.178.254
Nov 18 19:26:11 moprheus openvpn[21320]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.178.254
Nov 18 19:26:11 moprheus openvpn[21320]: Initialization Sequence Completed
Nov 18 19:26:27 moprheus chronyd[17809]: Selected source 85.214.230.247


/etc/openvpn/up.sh on the client is the standard script shipped with Gentoo.

The routes on the client look odd to me.
Unfortunately I don't know why OpenVPN sets them that way.
Does anyone have an idea where my mistake might be?

Thanks a lot for your help!
ITFriend


Last edited by ITFriend on Fri Nov 19, 2010 6:15 pm; edited 1 time in total
ITFriend
n00b

Joined: 13 May 2010
Posts: 5

Posted: Fri Nov 19, 2010 5:58 pm

An ifconfig tap0 up helped...
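The follow-up names the fix, and the first post already shows the symptom: the server's ifconfig output lists br0, eth0, eth1 and lo but no tap0 (ifconfig without -a hides interfaces that are down), and brctl show lists only eth1 as a port of br0, although preup() is supposed to create tap0 and add it to the bridge. The sh script below is an added example written for this thread; it is not code from the poster or from Gentoo's network scripts. It checks a TAP interface for exactly those two conditions, administratively UP and enslaved to the expected bridge, by parsing the one-line-per-interface output of iproute2's "ip -o link show". The listing is passed in as a parameter, so the function can be run against the constructed sample listings embedded below as well as against the live system. The interface names tap0 and br0 come from the thread; the check_tap_bridge function, its exit codes and the sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: check that a TAP interface is
# administratively UP and is a port of the expected bridge.
# Interface names tap0/br0 follow the thread; the sample listings below are
# constructed to look like "ip -o link show" output and are not real captures.

# check_tap_bridge TAP BRIDGE LINK_OUTPUT
# LINK_OUTPUT is the text of "ip -o link show" (one interface per line).
# Exit status: 0 all good, 1 TAP missing, 2 TAP administratively down,
# 3 TAP exists and is up but is not enslaved to BRIDGE.
check_tap_bridge() {
    ctb_tap=$1
    ctb_bridge=$2
    ctb_links=$3

    # Pick the line describing TAP ("4: tap0: <FLAGS> ...").
    ctb_line=$(printf '%s\n' "$ctb_links" | grep -E "^[0-9]+: ${ctb_tap}: " || true)
    if [ -z "$ctb_line" ]; then
        echo "$ctb_tap: interface does not exist (was 'openvpn --mktun --dev $ctb_tap' run?)"
        return 1
    fi

    # The flag list sits between the angle brackets; UP there means
    # administratively up, which is what "ifconfig tap0 up" sets.
    ctb_flags=${ctb_line#*<}
    ctb_flags=${ctb_flags%%>*}
    case ",$ctb_flags," in
        *,UP,*) ;;
        *) echo "$ctb_tap: administratively DOWN, bring it up with 'ip link set $ctb_tap up'"
           return 2 ;;
    esac

    # A bridge port carries "master <bridge>" in its ip link line.
    case "$ctb_line" in
        *" master $ctb_bridge "*) ;;
        *) echo "$ctb_tap: not a port of $ctb_bridge, add it with 'ip link set $ctb_tap master $ctb_bridge'"
           return 3 ;;
    esac

    echo "$ctb_tap: up and bridged into $ctb_bridge"
    return 0
}

# Constructed sample 1: the state the thread's server was in, tap0 present
# but down and not bridged (ifconfig hides it, brctl show lists only eth1).
SAMPLE_DOWN='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT qlen 0\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT qlen 1000\    link/ether 00:14:85:34:19:7c brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT qlen 0\    link/ether 00:14:85:34:19:7c brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 100\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Constructed sample 2: tap0 up but still not a bridge port.
SAMPLE_UNBRIDGED='4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 100\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Constructed sample 3: the working state, tap0 up and enslaved to br0.
SAMPLE_OK='3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT qlen 0\    link/ether 00:14:85:34:19:7c brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN mode DEFAULT qlen 100\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Run the check over the three constructed states; the exit status tells
# which of the two preconditions (up, bridged) is the one still missing.
for s in "$SAMPLE_DOWN" "$SAMPLE_UNBRIDGED" "$SAMPLE_OK"; do
    check_tap_bridge tap0 br0 "$s" || echo "   (exit status $?)"
done
```

On a live server the same function is called as check_tap_bridge tap0 br0 "$(ip -o link show)", which is a reasonable last line for a preup() hook like the one in the thread: it fails loudly when the bridge is incomplete instead of letting OpenVPN start on a TAP device nothing is listening on. The two conditions are checked in the order the fix in the thread applied them, since a port that is down cannot forward frames even when it is correctly enslaved.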