Debian OpenVPN - additional devices

darkom
Posts: 12
Joined: 03 January 2012, 13:46

Debian OpenVPN - additional devices

Post by darkom »

Hello everyone on the forum,
after various adventures I finally managed to install and start OpenVPN on a VPS server following this tutorial:
https://www.digitalocean.com/community/ ... n-debian-8

Everything works very well; I created a sample client.ovpn, but I can't manage to create more of them for other devices. I tried a few things, but it doesn't work. The one created earlier keeps working correctly.

Please help.
pawkrol
Moderator
Posts: 939
Joined: 03 April 2011, 10:25

Re: Debian OpenVPN - additional devices

Post by pawkrol »

The client files can be identical. You only create different configurations for them on the server.
That's all I can tell you, since you didn't give any more info.
darkom
Posts: 12
Joined: 03 January 2012, 13:46

Re: Debian OpenVPN - additional devices

Post by darkom »

I'll gladly provide whatever is needed; I just followed the tutorial from the link above, which is why I didn't copy the settings here - I only have a different IP and port.

To generate client2 I tried repeating step 8:

Code:

./build-key client1
for the next one, client2, and got this message:

Code:

Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.
So that's what I did

Code:

source ./vars
./clean-all
./build-key client2
........
Continuing with the instructions to the end, I created another client2.ovpn, imported it into the program, and it hangs on authorization to the VPN server :(

In short, I tried various things and probably made quite a mess. The first client.ovpn I created still works without problems, but none of the subsequent ones, although I tried many times :(

I think I'm doing something wrong or skipping some important step. Or maybe I should start everything over from the beginning?
Moderated: code tags added.
pawkrol
Moderator
Posts: 939
Joined: 03 April 2011, 10:25

Re: Debian OpenVPN - additional devices

Post by pawkrol »

Post the server configuration, the client configuration and the network topology.
darkom
Posts: 12
Joined: 03 January 2012, 13:46

Re: Debian OpenVPN - additional devices

Post by darkom »

Thanks for your interest in the topic :)

Server configuration

Code:

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 11194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
Client

Code:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote moje_ip 11194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
<ca>
Network

Code:

debian# ip route
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 
10.8.0.0/24 via 10.8.0.2 dev tun0 
default dev venet0  scope link
pawkrol
Moderator
Posts: 939
Joined: 03 April 2011, 10:25

Re: Debian OpenVPN - additional devices

Post by pawkrol »

1. You have to supply the CA certificate in the client config.
What is that leftover <ca> option at the end of the config (and where is the rest: <ca>....AkGADScsCUEw...</ca>)?
2. On the server I suggest adding the option

Code:

topology subnet
Then a client takes one address rather than 4.
3. Do you want to send all traffic through the VPN?
4. What does the connection log look like (client and server)?
darkom
Posts: 12
Joined: 03 January 2012, 13:46

Re: Debian OpenVPN - additional devices

Post by darkom »

Posting the full configuration again; when it tries to connect it says "authorization".

1.

Code:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote moje_IP 11194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=pp, ST=po1, L=zdr, O=kd, OU=vpn, CN=dd/name=derver/emailAddress=dd@pl.pl
        Validity
            Not Before: Apr  9 21:11:18 2017 GMT
            Not After : Apr  7 21:11:18 2027 GMT
        Subject: C=kk, ST=kk, L=kk, O=kk, OU=kk, CN=kk/name=kk/emailAddress=kk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:83:26:bd:72:d4:11:bf:30:d4:3c:c9:1e:72:
                    57:e0:0d:ee:ea:2d:9e:6a:98:e8:b6:84:d3:62:d8:
                    43:23:59:02:ef:84:0c:f7:cf:75:b0:9e:5b:91:c3:
                    1e:72:ef:8c:91:45:c0:f3:24:18:f3:a2:c4:8f:62:
                    fc:69:7d:3f:22:4f:c7:95:40:75:e8:0f:39:17:48:
                    9f:a5:0f:28:07:57:62:b5:4d:02:50:43:b3:c3:21:
                    5e:ef:e2:c1:c3:57:80:0f:01:dc:af:d1:c0:4b:2b:
                    62:b9:bc:d5:9d:ce:06:2e:07:3b:bb:e0:0f:51:ee:
                    1c:d9:67:68:54:32:fa:12:98:47:26:49:f7:f6:59:
                    be:ee:a9:a4:3e:0a:63:ff:31:33:ad:24:b5:ab:9f:
                    4b:57:42:aa:5f:ca:07:83:6d:98:eb:f0:02:4e:d7:
                    28:83:cc:f9:c5:ce:1a:3e:b6:4c:9e:9d:1b:84:51:
                    1e:b8:6b:28:5b:f7:cd:50:6e:c5:af:d8:f6:b0:4a:
                    46:92:10:81:51:3f:c9:8c:51:10:ff:8d:4c:c7:99:
                    c6:f7:08:96:3d:8f:42:a8:7a:fc:8d:6e:14:fc:35:
                    03:cc:06:4c:ae:0c:c3:d2:7d:ad:a3:50:f0:76:2e:
                    48:04:7c:7f:98:14:f5:6a:6c:e9:4e:78:f3:f2:5c:
                    5b:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                39:89:8B:E0:70:46:49:90:2F:8B:15:5F:B3:57:05:E5:6A:00:13:3B
            X509v3 Authority Key Identifier: 
                keyid:E8:9F:6C:A2:CC:DD:E7:F6:A1:CF:AB:18:7A:29:B7:6B:F2:08:A6:9B
                DirName:/C=pp/ST=po1/L=zdr/O=kd/OU=vpn/CN=dd/name=derver/emailAddress=dd@pl.pl
                serial:F5:7C:44:1D:69:F1:78:5A

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:t1
    Signature Algorithm: sha256WithRSAEncryption
         2d:3a:1d:10:57:8d:23:09:32:4e:14:1f:de:0c:49:86:55:3a:
         55:4c:8a:4f:47:8f:df:51:c3:ea:f1:8e:eb:7e:b3:65:83:2e:
         8e:76:b5:dd:86:bb:e3:a4:20:fd:2b:db:6b:24:14:3b:a1:b1:
         fe:49:8a:78:12:17:fe:e1:a7:fb:53:e6:90:4d:01:8e:ed:78:
         57:a9:ca:30:bb:93:ea:aa:0a:d5:e8:26:1c:07:82:c6:cb:ab:
         0b:6f:b7:15:a9:f6:a1:b0:82:fb:26:d7:fa:8e:a0:8e:1c:cd:
         12:3d:0c:9c:cc:ee:82:9d:79:c7:83:ed:bd:5f:f0:3a:2b:c3:
         22:13:21:08:1f:aa:c6:0a:92:a9:d8:bc:f9:f9:15:11:91:a6:
         ae:6b:4e:71:c1:fe:fa:71:51:44:09:d6:e4:d9:a8:4f:15:74:
         98:8c:13:4d:45:77:80:7c:c7:c6:d2:1e:71:57:e4:de:77:9f:
         13:57:ab:b7:b0:92:64:4f:24:de:d3:42:63:a7:1a:f1:83:cc:
         b8:56:f3:d0:ea:b3:11:69:c5:f4:6c:a3:e3:6e:a0:fb:d7:a1:
         8e:43:3a:42:e2:31:8b:d8:f5:82:46:3c:a1:ee:f3:70:0c:4d:
         2b:3d:36:1d:be:69:f8:b9:83:3f:e1:d8:a3:47:bd:1a:30:d9:
         45:0d:16:2f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
</key>
2. Can I add this anywhere in the server configuration, or in a specific place?

Code:

topology subnet
3. Yes, I wanted to send everything through the VPN; is that a bad idea?
4. Where exactly can I find those logs? The ones I found don't have a recent date and time.
pawkrol
Moderator
Posts: 939
Joined: 03 April 2011, 10:25

Re: Debian OpenVPN - additional devices

Post by pawkrol »

2. You can add the option anywhere in the server config.
3. Is it a bad idea? No. I just wanted to know what you're trying to achieve, that's all.
4. Add this option to the server config:

Code:

log-append /var/log/vpn.log
and post the log from such a failed connection.
darkom
Posts: 12
Joined: 03 January 2012, 13:46

Re: Debian OpenVPN - additional devices

Post by darkom »

I did as you instructed and even made a new test.ovpn and loaded it into the program.
LOG

Code:

Mon Apr 10 13:59:18 2017 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Mon Apr 10 13:59:18 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Mon Apr 10 13:59:18 2017 Diffie-Hellman initialized with 2048 bit key
Mon Apr 10 13:59:18 2017 Socket Buffers: R=[133120->131072] S=[133120->131072]
Mon Apr 10 13:59:18 2017 TUN/TAP device tun0 opened
Mon Apr 10 13:59:18 2017 TUN/TAP TX queue length set to 100
Mon Apr 10 13:59:18 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Apr 10 13:59:18 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Apr 10 13:59:18 2017 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Mon Apr 10 13:59:18 2017 GID set to nogroup
Mon Apr 10 13:59:18 2017 UID set to nobody
Mon Apr 10 13:59:18 2017 UDPv4 link local (bound): [undef]
Mon Apr 10 13:59:18 2017 UDPv4 link remote: [undef]
Mon Apr 10 13:59:18 2017 MULTI: multi_init called, r=256 v=256
Mon Apr 10 13:59:18 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Mon Apr 10 13:59:18 2017 ifconfig_pool_read(), in='client1,10.8.0.4', TODO: IPv6
Mon Apr 10 13:59:18 2017 succeeded -> ifconfig_pool_set()
Mon Apr 10 13:59:18 2017 IFCONFIG POOL LIST
Mon Apr 10 13:59:18 2017 client1,10.8.0.4
Mon Apr 10 13:59:18 2017 Initialization Sequence Completed
Mon Apr 10 13:59:40 2017 83.22.109.239:60897 TLS: Initial packet from [AF_INET]83.22.109.239:60897, sid=e145722b f2b7a510
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PL, ST=POL, L=Rabka, O=DK, OU=MyVPN, CN=test1, name=server, emailAddress=darkom9@gmail.com
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 TLS Error: TLS handshake failed
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Apr 10 14:00:40 2017 83.22.109.239:57605 TLS: Initial packet from [AF_INET]83.22.109.239:57605, sid=b83fc011 b467dd94
Mon Apr 10 14:00:40 2017 83.22.109.239:57605 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PL, ST=POL, L=Rabka, O=DK, OU=MyVPN, CN=test1, name=server, emailAddress=darkom9@gmail.com
Mon Apr 10 14:00:40 2017 83.22.109.239:57605 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Apr 10 14:00:40 2017 83.22.109.239:57605 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 10 14:00:40 2017 83.22.109.239:57605 TLS Error: TLS handshake failed
Mon Apr 10 14:00:40 2017 83.22.109.239:57605 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Apr 10 14:01:40 2017 83.22.109.239:50556 TLS: Initial packet from [AF_INET]83.22.109.239:50556, sid=07dc63d3 1cb0fb72
Mon Apr 10 14:01:41 2017 83.22.109.239:50556 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PL, ST=POL, L=Rabka, O=DK, OU=MyVPN, CN=test1, name=server, emailAddress=darkom9@gmail.com
Mon Apr 10 14:01:41 2017 83.22.109.239:50556 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Apr 10 14:01:41 2017 83.22.109.239:50556 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 10 14:01:41 2017 83.22.109.239:50556 TLS Error: TLS handshake failed
Mon Apr 10 14:01:41 2017 83.22.109.239:50556 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Apr 10 14:02:40 2017 83.22.109.239:62849 TLS: Initial packet from [AF_INET]83.22.109.239:62849, sid=08c67360 71963619
Mon Apr 10 14:02:40 2017 83.22.109.239:62849 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PL, ST=POL, L=Rabka, O=DK, OU=MyVPN, CN=test1, name=server, emailAddress=darkom9@gmail.com
Mon Apr 10 14:02:40 2017 83.22.109.239:62849 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Apr 10 14:02:40 2017 83.22.109.239:62849 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 10 14:02:40 2017 83.22.109.239:62849 TLS Error: TLS handshake failed
Mon Apr 10 14:02:40 2017 83.22.109.239:62849 SIGUSR1[soft,tls-error] received, client-instance restarting
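The log above repeats the same four-line failure once a minute. As an added example that is not part of the thread, the POSIX shell/awk function below condenses an OpenVPN server log in this format (verb 3) into one line per peer address, verification depth, certificate CN and reason, so that a single broken profile retrying forever is easy to tell apart from many different clients failing. The log lines inside the block are constructed to mirror the format of the post; the addresses are documentation ranges and the common names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: condense OpenVPN server-log TLS verification
# failures into one line per (peer address, depth, CN, reason) with a count.
# The log below is constructed to mirror the format of the post above; addresses
# are documentation ranges (RFC 5737) and the common names are placeholders.
OPENVPN_LOG_SAMPLE='Mon Apr 10 13:59:40 2017 203.0.113.10:60897 TLS: Initial packet from [AF_INET]203.0.113.10:60897, sid=e145722b f2b7a510
Mon Apr 10 13:59:41 2017 203.0.113.10:60897 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PL, O=DK, OU=MyVPN, CN=test1
Mon Apr 10 13:59:41 2017 203.0.113.10:60897 TLS Error: TLS handshake failed
Mon Apr 10 14:00:40 2017 203.0.113.10:57605 TLS: Initial packet from [AF_INET]203.0.113.10:57605, sid=b83fc011 b467dd94
Mon Apr 10 14:00:40 2017 203.0.113.10:57605 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PL, O=DK, OU=MyVPN, CN=test1
Mon Apr 10 14:00:40 2017 203.0.113.10:57605 TLS Error: TLS handshake failed
Mon Apr 10 14:05:02 2017 198.51.100.7:41022 TLS: Initial packet from [AF_INET]198.51.100.7:41022, sid=11aa22bb 33cc44dd
Mon Apr 10 14:05:02 2017 198.51.100.7:41022 VERIFY ERROR: depth=0, error=certificate has expired: C=PL, O=DK, OU=MyVPN, CN=old-laptop
Mon Apr 10 14:05:02 2017 198.51.100.7:41022 TLS Error: TLS handshake failed
Mon Apr 10 14:06:10 2017 192.0.2.55:50011 [client1] Peer Connection Initiated with [AF_INET]192.0.2.55:50011'

# Reads log text on stdin, prints tab-separated: peer IP, depth=N, CN, reason, count.
# Retries from the same client use a new source port each time, so the port is
# dropped before counting and one stuck profile collapses into a single line.
summarize_verify_errors() {
    awk '
        / VERIFY ERROR: / {
            split($6, peer, ":")                    # $6 is "ip:port"
            match($0, /depth=[0-9]+/)
            depth = substr($0, RSTART, RLENGTH)     # depth=0: the peer cert itself, depth=1: its issuer
            rest = $0
            sub(/.*error=/, "", rest)               # "reason: subject DN"
            reason = rest
            sub(/: .*/, "", reason)
            cn = rest
            sub(/.*CN=/, "", cn)
            sub("[,/].*", "", cn)                   # CN ends at the next "," or "/"
            count[peer[1] "\t" depth "\t" cn "\t" reason]++
        }
        END { for (k in count) print k "\t" count[k] }
    ' | sort
}

printf '%s\n' "$OPENVPN_LOG_SAMPLE" | summarize_verify_errors
```

depth=0 is the client's own certificate, and "unable to get local issuer certificate" at that depth means that none of the CAs in the server's ca.crt signed it; the server never got as far as looking at the common name. That is consistent with the earlier post in which ./clean-all was run before ./build-key client2. On a live server, feed the function the file set with log-append, e.g. summarize_verify_errors < /var/log/vpn.log.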
pawkrol
Moderator
Posts: 939
Joined: 03 April 2011, 10:25

Re: Debian OpenVPN - additional devices

Post by pawkrol »


Mon Apr 10 13:59:41 2017 83.22.109.239:60897 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PL, ST=POL, L=Rabka, O=DK, OU=MyVPN, CN=test1, name=server, emailAddress=darkom9@gmail.com
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 10 13:59:41 2017 83.22.109.239:60897 TLS Error: TLS handshake failed
You have a certificate negotiation error. How did you generate the certificates? Did you create a sub-CA? Do you have a password on the client's private key? Instead of "stuffing" the certificates into the config, maybe give paths to the ca, cert and key files.

Maybe the certificates don't meet the requirements.

Code:

Client   digitalSignature, TLS Web Client Authentication
Server   digitalSignature, keyEncipherment, TLS Web Server Authentication
Does the OpenVPN server start at all? Does the tun interface come up?

Here is the simplest client config, which I used at one time

Code:

client
proto udp
dev tun
remote vpn.domena.com 11235
ca /etc/openvpn/CA.crt
cert /etc/openvpn/user1.crt
key /etc/openvpn/user1.pem
remote-cert-tls server
comp-lzo
persist-key
persist-tun
nobind
resolv-retry infinite
verb 3
mute 10
Added:
Did you by any chance generate self-signed certificates separately on the server and on the client, or make a separate CA for each of them?
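The symptoms in this thread (the first client keeps working, every later one hangs in authorization, and the server logs VERIFY ERROR: depth=0, unable to get local issuer certificate) are what you get when ./clean-all empties the easy-rsa keys/ directory, ./build-ca then creates a brand-new CA, and the new client is signed by that CA while the running server still uses the original ca.crt. As an added example, not code from the thread, the tutorial or easy-rsa, the script below reproduces that with a throwaway PKI built directly with the openssl CLI and then runs the checks a profile should pass before it is imported: issuer chain against the server's CA, the clientAuth/serverAuth extended key usage from the table in the post above, private key matching the certificate, and the inline <ca> block being the server's CA. Every name in it (ca1, ca2, server, client1..3, vpn.example.invalid, the file names) is a placeholder; ca2 stands in for the CA that ./clean-all followed by ./build-ca produces. It needs only a POSIX sh and the openssl command.

```shell
#!/bin/sh
# Added example; not code from the thread, the tutorial or easy-rsa.
# Rebuilds the thread's situation with a throwaway PKI (openssl CLI only)
# and runs the checks a client profile should pass before it is imported.
# Every name below (ca1, ca2, server, client1..3, vpn.example.invalid) is a
# placeholder; ca2 stands in for the CA that ./clean-all + ./build-ca creates.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so nothing depends on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {      # stand-in for build-ca: self-signed CA named $1
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_cert() {    # stand-in for build-key / build-key-server: cert $2 signed by CA $1, role $3 = client|server
    if [ "$3" = server ]; then eku=serverAuth; ku=digitalSignature,keyEncipherment
    else eku=clientAuth; ku=digitalSignature; fi
    printf 'basicConstraints=CA:FALSE\nkeyUsage=%s\nextendedKeyUsage=%s\n' "$ku" "$eku" > "$2.ext"
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

chain_ok() {     # $1 = the CA file the server runs with, $2 = client cert; 0 iff that CA issued it
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
has_eku() {      # $1 = cert, $2 = 'TLS Web Client Authentication' or 'TLS Web Server Authentication'
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}
key_matches() {  # $1 = cert, $2 = private key; 0 iff the key belongs to the cert
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
ovpn_block() {   # copy the inline <$2>...</$2> block of profile $1 into file $3
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d' > "$3"
}

# Pre-flight for a profile against the CA file the *server* actually uses.
# Prints one verdict line; returns 0 only when every check passes.
check_ovpn() {   # $1 = .ovpn, $2 = server's ca.crt
    ovpn_block "$1" ca "$1.ca"; ovpn_block "$1" cert "$1.cert"; ovpn_block "$1" key "$1.key"
    if ! chain_ok "$2" "$1.cert"; then
        echo "$1: cert not issued by the server's CA (server logs 'unable to get local issuer certificate')"; return 1; fi
    if [ "$(cat "$1.ca")" != "$(cat "$2")" ]; then echo "$1: <ca> is not the server's CA"; return 1; fi
    if ! has_eku "$1.cert" 'TLS Web Client Authentication'; then echo "$1: cert lacks clientAuth EKU"; return 1; fi
    if ! key_matches "$1.cert" "$1.key"; then echo "$1: <key> does not match <cert>"; return 1; fi
    echo "$1: OK"
}

write_ovpn() {   # $1 = output profile, $2 = ca.crt, $3 = cert, $4 = key (what the tutorial's last step assembles)
    {
        printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 11194\nremote-cert-tls server\n'
        printf '<ca>\n'; cat "$2"; printf '</ca>\n<cert>\n'; cat "$3"; printf '</cert>\n<key>\n'; cat "$4"; printf '</key>\n'
    } > "$1"
}

# 1. Original PKI: ca1 issues the server cert and client1; the server is installed with ca1.crt.
make_ca ca1; make_cert ca1 server server; make_cert ca1 client1 client
# 2. ./clean-all empties keys/, so the next ./build-ca creates an unrelated ca2 and
#    ./build-key client2 is signed by it, while the running server still trusts only ca1.
make_ca ca2; make_cert ca2 client2 client
# 3. The right way to add a device: keep the CA, just ./build-key the new name.
make_cert ca1 client3 client

write_ovpn client1.ovpn ca1.crt client1.crt client1.key   # the profile that still works
write_ovpn client2.ovpn ca2.crt client2.crt client2.key   # the thread's broken client2 / test.ovpn
write_ovpn client3.ovpn ca1.crt client3.crt client3.key   # a correctly added device
for p in client1.ovpn client2.ovpn client3.ovpn; do check_ovpn "$p" ca1.crt || true; done
```

On the real system the same check is openssl verify -CAfile with the ca.crt that sits next to the server config and the new client's .crt from the easy-rsa keys/ directory. Adding a device never needs ./clean-all: after source ./vars, ./build-key client2 signs the new certificate with the existing keys/ca.crt, and the server needs no restart. If the CA has already been replaced, either restore the original keys/ directory from a backup or rebuild the server certificate from the new CA and install the new ca.crt, server.crt and server.key on the server, which invalidates the old client1 profile.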