OPENVPN - Brak maskowania IP

[kochmys]

Witam postawiłem sobie server openVPN wersja TUN.
Problem polega na tym, że gdy połącze się z serwerem to po wejsciu na strone np. ip.boo.pl dalej widnieje moje IP a nie serwera.


config server:

1. dev tun
2. proto udp
3. port 1194
4. ca /etc/openvpn/easy-rsa/keys/ca.crt
5. cert /etc/openvpn/easy-rsa/keys/server.crt
6. key /etc/openvpn/easy-rsa/keys/server.key
7. dh /etc/openvpn/easy-rsa/keys/dh1024.pem
8. user nobody
9. group nogroup
10. server 10.8.0.0 255.255.255.0
11. persist-key
12. persist-tun
13. status /var/log/openvpn-status.log
14. verb 3
15. client-to-client
16. push "redirect-gateway def1"
17. push "dhcp-option DNS 8.8.8.8"
18. push "dhcp-option DNS 8.8.4.4"
19. log-append /var/log/openvpn
20. comp-lzo

a tutaj config clienta:

1. dev tun
2. client
3. proto udp
4. remote xxx.xxx.xxx.xxx 1194
5. resolv-retry infinite
6. nobind
7. persist-key
8. persist-tun
9. ca ca.crt
10. cert client1.crt
11. key client1.key
12. comp-lzo
13. verb 3

Czy czegoś w tych configach brakuje żeby maskowało moje IP?

Pozdrawiam

[pawkrol]

Pokaż tablice routingu na kliencie po połączeniu.
Spróbuj w konfiguracji serwera dodać opcje:

Kod: Zaznacz cały

push route 0.0.0.0/0

Oczywiście na serwerze masz włączoną maskarade na interfejsie wan oraz forward pakietów.

[kochmys]

Witam spróbowałem postawić od nowa wg. tego poradnika http://www.e24cloud.com/pl/Dla-dewelope ... nux-Debian

niestety dalej jest ten sam efekt... połączy przydzieli IP, ale dalej po sprawdzeniu pokazywane jest moje IP a nie serwera. (próbuje to postawić na VPS z ovh.)

Pozdrawiam

[pawkrol]

Zrób to co Ci napisałem w poprzednim poście. Ponadto pokaż log z klienta w trakcie połączenia

[kochmys]

Po wpisaniu

push route 0.0.0.0/0

Dalej ten sam efekt.

Tabela trasy routingu

Kod: Zaznacz cały

Tabela tras IPv4
===========================================================================
Aktywne trasy:
Miejsce docelowe w sieci   Maska sieci      Brama          Interfejs Metryka
          0.0.0.0          0.0.0.0        10.10.1.1        10.10.1.4     10
        10.10.1.0    255.255.255.0         On-link         10.10.1.4    266
        10.10.1.4  255.255.255.255         On-link         10.10.1.4    266
      10.10.1.255  255.255.255.255         On-link         10.10.1.4    266
        10.66.0.4  255.255.255.252         On-link         10.66.0.6    276
        10.66.0.6  255.255.255.255         On-link         10.66.0.6    276
        10.66.0.7  255.255.255.255         On-link         10.66.0.6    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.52.0    255.255.255.0         On-link      192.168.52.1    276
     192.168.52.1  255.255.255.255         On-link      192.168.52.1    276
   192.168.52.255  255.255.255.255         On-link      192.168.52.1    276
    192.168.199.0    255.255.255.0         On-link     192.168.199.1    276
    192.168.199.1  255.255.255.255         On-link     192.168.199.1    276
  192.168.199.255  255.255.255.255         On-link     192.168.199.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.10.1.4    266
        224.0.0.0        240.0.0.0         On-link     192.168.199.1    276
        224.0.0.0        240.0.0.0         On-link      192.168.52.1    276
        224.0.0.0        240.0.0.0         On-link         10.66.0.6    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.10.1.4    266
  255.255.255.255  255.255.255.255         On-link     192.168.199.1    276
  255.255.255.255  255.255.255.255         On-link      192.168.52.1    276
  255.255.255.255  255.255.255.255         On-link         10.66.0.6    276
===========================================================================

Log z klienta podczas łączenia:

Kod: Zaznacz cały

Thu Feb 12 10:38:43 2015 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\gowniarz.log: Odmowa dostêpu.   (errno=5)
Thu Feb 12 10:38:43 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Thu Feb 12 10:38:43 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Thu Feb 12 10:38:43 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Thu Feb 12 10:38:43 2015 Need hold release from management interface, waiting...
Thu Feb 12 10:38:44 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Thu Feb 12 10:38:44 2015 MANAGEMENT: CMD 'state on'
Thu Feb 12 10:38:44 2015 MANAGEMENT: CMD 'log all on'
Thu Feb 12 10:38:44 2015 MANAGEMENT: CMD 'hold off'
Thu Feb 12 10:38:44 2015 MANAGEMENT: CMD 'hold release'
Thu Feb 12 10:38:44 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Feb 12 10:38:44 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 12 10:38:44 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 12 10:38:44 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Feb 12 10:38:44 2015 UDPv4 link local (bound): [undef]
Thu Feb 12 10:38:44 2015 UDPv4 link remote: [AF_INET]XX.XXX.XX.XX:1194
Thu Feb 12 10:38:44 2015 MANAGEMENT: >STATE:1423733924,WAIT,,,
Thu Feb 12 10:38:44 2015 MANAGEMENT: >STATE:1423733924,AUTH,,,
Thu Feb 12 10:38:44 2015 TLS: Initial packet from [AF_INET]XX.XXX.XX.XX:1194, sid=29281286 7d465a20
Thu Feb 12 10:38:44 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Thu Feb 12 10:38:44 2015 VERIFY OK: nsCertType=SERVER
Thu Feb 12 10:38:44 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=gowniarz-server, name=changeme, emailAddress=mail@host.domain
Thu Feb 12 10:38:45 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Feb 12 10:38:45 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 12 10:38:45 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Feb 12 10:38:45 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 12 10:38:45 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Feb 12 10:38:45 2015 [gowniarz-server] Peer Connection Initiated with [AF_INET]XX.XXX.XX.XX:1194
Thu Feb 12 10:38:46 2015 MANAGEMENT: >STATE:1423733926,GET_CONFIG,,,
Thu Feb 12 10:38:47 2015 SENT CONTROL [gowniarz-server]: 'PUSH_REQUEST' (status=1)
Thu Feb 12 10:38:47 2015 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0/0,route 10.66.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.66.0.6 10.66.0.5'
Thu Feb 12 10:38:47 2015 Options error: route parameter network/IP '0.0.0.0/0' must be a valid address
Thu Feb 12 10:38:47 2015 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 12 10:38:47 2015 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 12 10:38:47 2015 OPTIONS IMPORT: route options modified
Thu Feb 12 10:38:47 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Feb 12 10:38:47 2015 MANAGEMENT: >STATE:1423733927,ASSIGN_IP,,10.66.0.6,
Thu Feb 12 10:38:47 2015 open_tun, tt->ipv6=0
Thu Feb 12 10:38:47 2015 TAP-WIN32 device [Połączenie lokalne 2] opened: \\.\Global\{C0DF68C6-FFA5-48D8-87E5-F358BC3B207E}.tap
Thu Feb 12 10:38:47 2015 TAP-Windows Driver Version 9.21 
Thu Feb 12 10:38:47 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.66.0.6/255.255.255.252 on interface {C0DF68C6-FFA5-48D8-87E5-F358BC3B207E} [DHCP-serv: 10.66.0.5, lease-time: 31536000]
Thu Feb 12 10:38:47 2015 NOTE: FlushIpNetTable failed on interface [17] {C0DF68C6-FFA5-48D8-87E5-F358BC3B207E} (status=5) : Odmowa dostêpu.  
Thu Feb 12 10:38:53 2015 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Feb 12 10:38:53 2015 MANAGEMENT: >STATE:1423733933,ADD_ROUTES,,,
Thu Feb 12 10:38:53 2015 C:\Windows\system32\route.exe ADD 10.66.0.1 MASK 255.255.255.255 10.66.0.5
Thu Feb 12 10:38:53 2015 ROUTE: route addition failed using CreateIpForwardEntry: Odmowa dostêpu.   [status=5 if_index=17]
Thu Feb 12 10:38:53 2015 Route addition via IPAPI failed [adaptive]
Thu Feb 12 10:38:53 2015 Route addition fallback to route.exe
Thu Feb 12 10:38:53 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Feb 12 10:38:53 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Feb 12 10:38:53 2015 Initialization Sequence Completed
Thu Feb 12 10:38:53 2015 MANAGEMENT: >STATE:1423733933,CONNECTED,SUCCESS,10.66.0.6,37.59.108.64

XX.XXX.XX.XX - zastapiony adres IP serwera

[pawkrol]

Wpisz tak

Kod: Zaznacz cały

push route 0.0.0.0 0.0.0.0

Thu Feb 12 10:38:53 2015 C:\Windows\system32\route.exe ADD 10.66.0.1 MASK 255.255.255.255 10.66.0.5
Thu Feb 12 10:38:53 2015 ROUTE: route addition failed using CreateIpForwardEntry: Odmowa dostêpu. [status=5 if_index=17] Thu Feb 12 10:38:53 2015 Route addition via IPAPI failed [adaptive]
Thu Feb 12 10:38:53 2015 Route addition fallback to route.exe
Thu Feb 12 10:38:53 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Feb 12 10:38:53 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1

Ponadto moim zdaniem zestawienie routingu nie dochodzi do skutku ze wzgledu na brak uprawnień, bądź Windows w wersji Home.

Chociaż zastanwiam się czy to w ogóle będzie działać. Czy wymuszając cały routing na tunel nie zerwiesz połączenia. No nic spróbuj zobaczymy.


Dodane:

Sprawdziłem osobiście, wystarcza poniższa opcja w konfiguracji serwera, maskarada oraz włączony forward pakietów i działa jak należy.

Kod: Zaznacz cały

push redirect-gateway

Więc jeśli tak miałeś, a mimo to nie działoło, to winy należy szukać w Windows o czym już wspomniałem.

[sethiel]

OpenVPN Client musi być uruchomiony z prawami administratora. Inaczej nie dodaje prawidłowo tras do tablicy routingu.