web-dev-qa-db-ja.com

openvpn: after switching to server mode, the client does not create a TUN device

I had a configuration that worked previously, using the configuration files from a previous question.

However, I changed it to the following configuration using server mode. Everything in the logs looks fine, but the client does not create the tun interface, so there is nothing to connect to. I probably need to add or push some route commands, but at this point I do not know what I need to do. I am posting all the relevant configuration files.

server.conf

dev tun
server 10.8.117.0 255.255.255.0
ifconfig-pool-persist ipp.txt
tls-server
dh /home/lurscher/keys/dh1024.pem
ca /home/lurscher/keys/ca.crt
cert /home/lurscher/keys/vpnCh8TestServer.crt
key /home/lurscher/keys/vpnCh8TestServer.key
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

and client.conf

dev tun
remote my.server.com
tls-client
ca /home/chuckq/keys/ca.crt
cert /home/chuckq/keys/vpnCh8TestClient.crt
key /home/chuckq/keys/vpnCh8TestClient.key
ns-cert-type server
; port 1194
; user nobody
; group nogroup
status openvpn-status.log
log         openvpn.log
comp-lzo
verb 3

The server ifconfig shows the tun device:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.117.1  P-t-P:10.8.117.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

However, the client ifconfig does not show the tun interface!

$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The client log says:

Tue May 17 23:27:09 2011 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Tue May 17 23:27:09 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue May 17 23:27:09 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 17 23:27:09 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue May 17 23:27:09 2011 LZO compression initialized
Tue May 17 23:27:09 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 17 23:27:09 2011 TUN/TAP device tun0 opened
Tue May 17 23:27:09 2011 TUN/TAP TX queue length set to 100
Tue May 17 23:27:09 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 17 23:27:09 2011 Local Options hash (VER=V4): '41690919'
Tue May 17 23:27:09 2011 Expected Remote Options hash (VER=V4): '530fdded'
Tue May 17 23:27:09 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Tue May 17 23:27:09 2011 UDPv4 link local (bound): [undef]
Tue May 17 23:27:09 2011 UDPv4 link remote: [AF_INET]192.168.0.101:1194
Tue May 17 23:27:09 2011 TLS: Initial packet from [AF_INET]192.168.0.101:1194, sid=8e8bdc33 f4275407
Tue May 17 23:27:09 2011 VERIFY OK: depth=1, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=Ubuntu_CA/name=lurscher/[email protected]
Tue May 17 23:27:09 2011 VERIFY OK: nsCertType=SERVER
Tue May 17 23:27:09 2011 VERIFY OK: depth=0, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=vpnCh8TestServer/name=lurscher/[email protected]
Tue May 17 23:27:09 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:09 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:09 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:09 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:09 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 17 23:27:09 2011 [vpnCh8TestServer] Peer Connection Initiated with [AF_INET]192.168.0.101:1194
Tue May 17 23:27:10 2011 Initialization Sequence Completed

Client status log:

OpenVPN STATISTICS
Updated,Tue May 17 23:30:09 2011
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,5604
TCP/UDP write bytes,4244
Auth read bytes,0
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END

The server log says:

Tue May 17 23:18:25 2011 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Tue May 17 23:18:25 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue May 17 23:18:25 2011 WARNING: --keepalive option is missing from server config
Tue May 17 23:18:25 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue May 17 23:18:25 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 17 23:18:25 2011 Diffie-Hellman initialized with 1024 bit key
Tue May 17 23:18:25 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue May 17 23:18:25 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 17 23:18:25 2011 ROUTE default_gateway=192.168.0.1
Tue May 17 23:18:25 2011 TUN/TAP device tun0 opened
Tue May 17 23:18:25 2011 TUN/TAP TX queue length set to 100
Tue May 17 23:18:25 2011 /sbin/ifconfig tun0 10.8.117.1 pointopoint 10.8.117.2 mtu 1500
Tue May 17 23:18:25 2011 /sbin/route add -net 10.8.117.0 netmask 255.255.255.0 gw 10.8.117.2
Tue May 17 23:18:25 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 17 23:18:25 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Tue May 17 23:18:25 2011 UDPv4 link local (bound): [undef]
Tue May 17 23:18:25 2011 UDPv4 link remote: [undef]
Tue May 17 23:18:25 2011 MULTI: multi_init called, r=256 v=256
Tue May 17 23:18:25 2011 IFCONFIG POOL: base=10.8.117.4 size=62
Tue May 17 23:18:25 2011 IFCONFIG POOL LIST
Tue May 17 23:18:25 2011 vpnCh8TestClient,10.8.117.4
Tue May 17 23:18:25 2011 Initialization Sequence Completed
Tue May 17 23:27:22 2011 MULTI: multi_create_instance called
Tue May 17 23:27:22 2011 192.168.0.104:1194 Re-using SSL/TLS context
Tue May 17 23:27:22 2011 192.168.0.104:1194 LZO compression initialized
Tue May 17 23:27:22 2011 192.168.0.104:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 17 23:27:22 2011 192.168.0.104:1194 Local Options hash (VER=V4): '530fdded'
Tue May 17 23:27:22 2011 192.168.0.104:1194 Expected Remote Options hash (VER=V4): '41690919'
Tue May 17 23:27:22 2011 192.168.0.104:1194 TLS: Initial packet from [AF_INET]192.168.0.104:1194, sid=8972b565 79323f68
Tue May 17 23:27:22 2011 192.168.0.104:1194 VERIFY OK: depth=1, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=Ubuntu_CA/name=lurscher/[email protected]
Tue May 17 23:27:22 2011 192.168.0.104:1194 VERIFY OK: depth=0, /C=CA/ST=Out/L=There/O=Ubuntu/OU=Home/CN=Ubuntu_CA/name=lurscher/[email protected]
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 17 23:27:22 2011 192.168.0.104:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 17 23:27:22 2011 192.168.0.104:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 17 23:27:22 2011 192.168.0.104:1194 [vpnCh8TestClient] Peer Connection Initiated with [AF_INET]192.168.0.104:1194
Tue May 17 23:27:22 2011 vpnCh8TestClient/192.168.0.104:1194 MULTI: Learn: 10.8.117.6 -> vpnCh8TestClient/192.168.0.104:1194
Tue May 17 23:27:22 2011 vpnCh8TestClient/192.168.0.104:1194 MULTI: primary virtual IP for vpnCh8TestClient/192.168.0.104:1194: 10.8.117.6

Finally, the server status log:

OpenVPN CLIENT LIST
Updated,Tue May 17 23:36:25 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpnCh8TestClient,192.168.0.104:1194,4244,5604,Tue May 17 23:27:22 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.117.6,vpnCh8TestClient,192.168.0.104:1194,Tue May 17 23:27:22 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
2
lurscher

Use this in the client configuration:

client

A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to:

 pull
 tls-client

Server configuration:

server 10.8.117.0 255.255.255.0

expands to

 mode server
 tls-server
 ifconfig 10.8.117.1 10.8.0.2 
 ifconfig-pool 10.8.117.4 10.8.117.251
 route 10.8.117.0 255.255.255.0

A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive sets up an OpenVPN server which allocates addresses to clients from the given network/netmask. The server itself takes the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.

For example, --server 10.8.0.0 255.255.255.0 expands as follows:

 mode server
 tls-server

 if dev tun:
   ifconfig 10.8.0.1 10.8.0.2 
   ifconfig-pool 10.8.0.4 10.8.0.251
   route 10.8.0.0 255.255.255.0
   if client-to-client:
     push "route 10.8.0.0 255.255.255.0"
   else
     push "route 10.8.0.1"

 if dev tap:
   ifconfig 10.8.0.1 255.255.255.0
   ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
   push "route-gateway 10.8.0.1"

So an explicit tls-server is not required.

1
rda
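The answer above boils down to a config mismatch: the `server` helper on the server side implies `mode server` plus a pushed ifconfig/route, while the client side only has `tls-client` and never asks for (or applies) what the server pushes, so tun0 is opened but left without an address. The following Python script is an added example, not code from the original post or from OpenVPN itself. It parses the two configs from the page (embedded here as constructed copies), expands `server network netmask` into the directives the manpage lists for the dev tun /24 case, and reports the findings a reviewer would raise, including the missing `client`/`pull`. The `lint` and `fixed_client` helper names are this example's own.

```python
"""Lint an OpenVPN server/client config pair for the tun-never-configured problem.

Added example: parses the configs shown on the page, expands the `server`
helper directive as the manpage describes, and reports config findings.
"""
import ipaddress

# Constructed copies of the page's server.conf and client.conf (status/log lines dropped,
# one ';' comment kept so the parser's comment handling is exercised).
SERVER_CONF = """\
dev tun
server 10.8.117.0 255.255.255.0
ifconfig-pool-persist ipp.txt
tls-server
dh /home/lurscher/keys/dh1024.pem
ca /home/lurscher/keys/ca.crt
cert /home/lurscher/keys/vpnCh8TestServer.crt
key /home/lurscher/keys/vpnCh8TestServer.key
comp-lzo
verb 3
"""

CLIENT_CONF = """\
dev tun
remote my.server.com
tls-client
ca /home/chuckq/keys/ca.crt
cert /home/chuckq/keys/vpnCh8TestClient.crt
key /home/chuckq/keys/vpnCh8TestClient.key
ns-cert-type server
; port 1194
comp-lzo
verb 3
"""


def parse_conf(text):
    """Parse OpenVPN config text into a list of (directive, [args]) pairs.

    Blank lines and lines starting with '#' or ';' are comments and are skipped.
    """
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def expand_server(network, netmask, client_to_client=False):
    """Expand `server <network> <netmask>` into the dev-tun directives from the manpage.

    Only the /24 case the page shows is handled (.1/.2 endpoint, .4 to .251 pool).
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}")
    if net.prefixlen != 24:
        raise ValueError("only /24 server networks are handled in this example")
    base = net.network_address
    expanded = [
        ("mode", ["server"]),
        ("tls-server", []),
        ("ifconfig", [str(base + 1), str(base + 2)]),
        ("ifconfig-pool", [str(base + 4), str(base + 251)]),
        ("route", [str(base), str(net.netmask)]),
    ]
    if client_to_client:
        expanded.append(("push", [f'"route {base} {net.netmask}"']))
    else:
        expanded.append(("push", [f'"route {base + 1}"']))
    return expanded


def lint(server_directives, client_directives):
    """Return human-readable findings for the server/client pair."""
    names_s = {d for d, _ in server_directives}
    names_c = {d for d, _ in client_directives}
    findings = []
    if "server" in names_s and "tls-server" in names_s:
        findings.append("server: explicit tls-server is redundant, `server` already implies it")
    if "server" in names_s and "keepalive" not in names_s:
        findings.append("server: --keepalive is missing (the server log warns about this)")
    if "server" in names_s and not ({"client", "pull"} & names_c):
        findings.append(
            "client: neither `client` nor `pull` is set, so the ifconfig/route the server "
            "pushes is never applied; tun0 is opened but gets no address and stays down"
        )
    if "client" in names_c and "tls-client" in names_c:
        findings.append("client: explicit tls-client is redundant, `client` already implies it")
    return findings


def fixed_client(client_directives):
    """Apply the answer's fix: replace tls-client with the `client` helper (pull + tls-client)."""
    return [("client", []) if d == "tls-client" else (d, a) for d, a in client_directives]


if __name__ == "__main__":
    for directive, args in expand_server("10.8.117.0", "255.255.255.0"):
        print(directive, *args)
    for finding in lint(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)):
        print("finding:", finding)
```

Running it prints the expansion of the page's `server 10.8.117.0 255.255.255.0` line and three findings; after `fixed_client` is applied to the parsed client config, the `client`/`pull` finding disappears and only the redundancy and keepalive notes remain.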