Help me make sense of OpenVPN

What we have: OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012

The client runs the same software (a Debian server with 4 physical interfaces plus a 4G USB modem).

Behind the client:
192.168.5.0/24
192.168.7.0/24
192.168.8.0/24

Behind the server:
192.168.3.0/24

Between them:
10.8.0.0/24

From the client, the network behind the server (192.168.3.0/24) pings, but from the server not one of the subnets behind the client pings. The network behind the server also does not ping from the computers behind the client. Meanwhile the server log keeps filling up with:

MULTI: bad source address from client [192.168.7.19], packet dropped

192.168.7.19 is a computer behind the client.

Below the cut: the configs and the connection logs from the server and the client.

Server.conf:
mode server
tls-server
proto udp
dev tun
port 1194
topology subnet
tls-auth /etc/openvpn/keys/ta.key 0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/debian.crt
key /etc/openvpn/keys/debian.key
dh /etc/openvpn/keys/dh1024.pem
ifconfig 10.8.0.1 255.255.255.0
#ifconfig-pool 10.8.0.2 10.8.0.10
#user openvpn
#group openvpn
verb 4
cipher DES-EDE3-CBC
#duplicate-cn
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
comp-lzo
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
client-to-client
client-config-dir /etc/openvpn/ccd
script-security 2
route 192.168.5.0 255.255.255.0 10.8.0.2
route 192.168.7.0 255.255.255.0 10.8.0.2
route 192.168.8.0 255.255.255.0 10.8.0.2
server 10.8.0.0 255.255.255.0

==============================

ccd/client1:
ifconfig-push 10.8.0.2 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
iroute "192.168.5.0 255.255.255.0 10.8.0.2"
iroute "192.168.7.0 255.255.255.0 10.8.0.2"
iroute "192.168.8.0 255.255.255.0 10.8.0.2"

==============================

Log on the server side:

Mon Feb 11 12:28:10 2013 us=588459 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012
Mon Feb 11 12:28:10 2013 us=589970 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Feb 11 12:28:10 2013 us=681932 Diffie-Hellman initialized with 1024 bit key
Mon Feb 11 12:28:10 2013 us=690077 /usr/bin/openssl-vulnkey -q -b 1024 -m
Mon Feb 11 12:28:12 2013 us=7283 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Mon Feb 11 12:28:12 2013 us=8161 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 12:28:12 2013 us=8641 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 12:28:12 2013 us=9169 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Feb 11 12:28:12 2013 us=9696 Socket Buffers: R=[112640->131072] S=[112640->131072]
Mon Feb 11 12:28:12 2013 us=11163 ROUTE default_gateway=192.168.3.119
Mon Feb 11 12:28:12 2013 us=25831 TUN/TAP device tun0 opened
Mon Feb 11 12:28:12 2013 us=30165 TUN/TAP TX queue length set to 100
Mon Feb 11 12:28:12 2013 us=30960 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mon Feb 11 12:28:12 2013 us=45952 /sbin/route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Feb 11 12:28:12 2013 us=56055 /sbin/route add -net 192.168.7.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Feb 11 12:28:12 2013 us=76858 /sbin/route add -net 192.168.8.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Feb 11 12:28:12 2013 us=82904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 11 12:28:12 2013 us=83303 UDPv4 link local (bound): [undef]
Mon Feb 11 12:28:12 2013 us=83550 UDPv4 link remote: [undef]
Mon Feb 11 12:28:12 2013 us=83710 MULTI: multi_init called, r=256 v=256
Mon Feb 11 12:28:12 2013 us=84090 IFCONFIG POOL: base=10.8.0.2 size=252
Mon Feb 11 12:28:12 2013 us=84352 Initialization Sequence Completed
Mon Feb 11 12:29:01 2013 us=103262 MULTI: multi_create_instance called
Mon Feb 11 12:29:01 2013 us=104073 83.149.2.144:16204 Re-using SSL/TLS context
Mon Feb 11 12:29:01 2013 us=104347 83.149.2.144:16204 LZO compression initialized
Mon Feb 11 12:29:01 2013 us=105296 83.149.2.144:16204 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Feb 11 12:29:01 2013 us=105538 83.149.2.144:16204 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 11 12:29:01 2013 us=105893 83.149.2.144:16204 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher DES-EDE3-CBC,auth SHA1,keysize 192,tls-auth,key-method 2,tls-server'
Mon Feb 11 12:29:01 2013 us=106002 83.149.2.144:16204 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher DES-EDE3-CBC,auth SHA1,keysize 192,tls-auth,key-method 2,tls-client'
Mon Feb 11 12:29:01 2013 us=106269 83.149.2.144:16204 Local Options hash (VER=V4): 'b5edb94e'
Mon Feb 11 12:29:01 2013 us=106466 83.149.2.144:16204 Expected Remote Options hash (VER=V4): '53f7fc82'
Mon Feb 11 12:29:01 2013 us=106825 83.149.2.144:16204 TLS: Initial packet from [AF_INET]83.149.2.144:16204, sid=103e552d 94f9e812
Mon Feb 11 12:29:01 2013 us=561456 83.149.2.144:16204 Replay-window backtrack occurred [1]
Mon Feb 11 12:29:01 2013 us=621247 83.149.2.144:16204 VERIFY OK: depth=1, /C=RU/ST=SPB/L=Sankt-Peterburg/O=Telemip/O
Mon Feb 11 12:29:01 2013 us=624774 83.149.2.144:16204 VERIFY OK: depth=0, /C=RU/ST=SPB/L=Sankt-Peterburg/O=Telemip/O
Mon Feb 11 12:29:01 2013 us=809301 83.149.2.144:16204 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Mon Feb 11 12:29:01 2013 us=810001 83.149.2.144:16204 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 12:29:01 2013 us=810465 83.149.2.144:16204 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Mon Feb 11 12:29:01 2013 us=810895 83.149.2.144:16204 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 12:29:01 2013 us=837578 83.149.2.144:16204 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Feb 11 12:29:01 2013 us=838365 83.149.2.144:16204 [paks1] Peer Connection Initiated with [AF_INET]83.149.2.144:16204
Mon Feb 11 12:29:01 2013 us=839007 paks1/83.149.2.144:16204 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/paks1
Mon Feb 11 12:29:01 2013 us=840423 paks1/83.149.2.144:16204 MULTI: Learn: 10.8.0.2 -> paks1/83.149.2.144:16204
Mon Feb 11 12:29:01 2013 us=840930 paks1/83.149.2.144:16204 MULTI: primary virtual IP for paks1/83.149.2.144:16204: 10.8.0.2
Mon Feb 11 12:29:01 2013 us=841376 paks1/83.149.2.144:16204 MULTI: internal route 192.168.8.0 -> paks1/83.149.2.144:16204
Mon Feb 11 12:29:01 2013 us=841822 paks1/83.149.2.144:16204 MULTI: Learn: 192.168.8.0 -> paks1/83.149.2.144:16204
Mon Feb 11 12:29:01 2013 us=842251 paks1/83.149.2.144:16204 MULTI: internal route 192.168.7.0 -> paks1/83.149.2.144:16204
Mon Feb 11 12:29:01 2013 us=842691 paks1/83.149.2.144:16204 MULTI: Learn: 192.168.7.0 -> paks1/83.149.2.144:16204
Mon Feb 11 12:29:01 2013 us=843119 paks1/83.149.2.144:16204 MULTI: internal route 192.168.5.0 -> paks1/83.149.2.144:16204
Mon Feb 11 12:29:01 2013 us=843615 paks1/83.149.2.144:16204 MULTI: Learn: 192.168.5.0 -> paks1/83.149.2.144:16204
Mon Feb 11 12:29:04 2013 us=319822 paks1/83.149.2.144:16204 PUSH: Received control message: 'PUSH_REQUEST'
Mon Feb 11 12:29:04 2013 us=320697 paks1/83.149.2.144:16204 SENT CONTROL [paks1]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,route 192.168.3.0 255.255.255.0,ifconfig 10.8.0.2 255.255.255.0' (status=1)

==============================

client1.conf:
tls-client
proto udp
remote YYY.YYY.YYY.YYY
client
dev tun
topology subnet
port 1194
cd /etc/openvpn
pull
tls-auth /etc/openvpn/ta.key 1
ca /etc/openvpn/ca.crt
cert /etc/openvpn/paks1.crt
key /etc/openvpn/paks1.key
cipher DES-EDE3-CBC
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#user openvpn
#group openvpn
verb 4
mssfix 1200
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

================================

Log on the client side:

Mon Feb 11 12:28:06 2013 us=60266 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Feb 11 12:28:09 2013 us=119629 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Feb 11 12:28:11 2013 us=125245 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Feb 11 12:28:59 2013 us=89714 [debian] Inactivity timeout (--ping-restart), restarting
Mon Feb 11 12:28:59 2013 us=90349 TCP/UDP: Closing socket
Mon Feb 11 12:28:59 2013 us=90493 SIGUSR1[soft,ping-restart] received, process restarting
Mon Feb 11 12:28:59 2013 us=90603 Restart pause, 2 second(s)
Mon Feb 11 12:29:01 2013 us=90729 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 11 12:29:01 2013 us=90823 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Feb 11 12:29:01 2013 us=90891 Re-using SSL/TLS context
Mon Feb 11 12:29:01 2013 us=90947 LZO compression initialized
Mon Feb 11 12:29:01 2013 us=91109 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Feb 11 12:29:01 2013 us=91194 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Feb 11 12:29:01 2013 us=91266 Data Channel MTU parms [ L:1542 D:1200 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 11 12:29:01 2013 us=91346 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher DES-EDE3-CBC,auth SHA1,keysize 192,tls-auth,key-method 2,tls-client'
Mon Feb 11 12:29:01 2013 us=91392 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher DES-EDE3-CBC,auth SHA1,keysize 192,tls-auth,key-method 2,tls-server'
Mon Feb 11 12:29:01 2013 us=91455 Local Options hash (VER=V4): '53f7fc82'
Mon Feb 11 12:29:01 2013 us=91518 Expected Remote Options hash (VER=V4): 'b5edb94e'
Mon Feb 11 12:29:01 2013 us=91587 UDPv4 link local (bound): [undef]
Mon Feb 11 12:29:01 2013 us=91642 UDPv4 link remote: [AF_INET]94.229.104.146:1194
Mon Feb 11 12:29:01 2013 us=114356 TLS: Initial packet from [AF_INET]94.229.104.146:1194, sid=fdaa1863 17ec2a79
Mon Feb 11 12:29:01 2013 us=386583 VERIFY OK: depth=1, /C=RU/ST=SPB/L=Sankt-Peterburg/O=Telemip/O
Mon Feb 11 12:29:01 2013 us=387563 VERIFY OK: depth=0, /C=RU/ST=SPB/L=Sankt-Peterburg/O=Telemip/O
Mon Feb 11 12:29:01 2013 us=820086 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Mon Feb 11 12:29:01 2013 us=820198 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 12:29:01 2013 us=820266 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Mon Feb 11 12:29:01 2013 us=820501 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 12:29:01 2013 us=820916 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Feb 11 12:29:01 2013 us=821182 [debian] Peer Connection Initiated with [AF_INET]94.229.104.146:1194
Mon Feb 11 12:29:04 2013 us=297928 SENT CONTROL [debian]: 'PUSH_REQUEST' (status=1)
Mon Feb 11 12:29:04 2013 us=327134 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,route 192.168.3.0 255.255.255.0,ifconfig 10.8.0.2 255.255.255.0'
Mon Feb 11 12:29:04 2013 us=327324 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 11 12:29:04 2013 us=327404 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 11 12:29:04 2013 us=327461 OPTIONS IMPORT: route options modified
Mon Feb 11 12:29:04 2013 us=327514 OPTIONS IMPORT: route-related options modified
Mon Feb 11 12:29:04 2013 us=327573 Preserving previous TUN/TAP instance: tun0
Mon Feb 11 12:29:04 2013 us=327628 Initialization Sequence Completed

WTF? What am I doing wrong?
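Editor's note with a corrected client-config-dir file. This is an added example, not the poster's configuration, and it rests on two facts from the OpenVPN 2.1 manual plus what the posted log shows. First, `--iroute network [netmask]` takes no gateway argument (the gateway is always the client whose ccd file the line sits in) and, when the netmask is omitted, it defaults to 255.255.255.255. In the posted ccd file the three fields are wrapped in one pair of quotes, so OpenVPN receives a single argument; the leading address is still accepted (glibc's inet_aton stops parsing at whitespace, which is the likely reason no config error is logged), the netmask is treated as absent, and the server ends up with host routes for 192.168.5.0, 192.168.7.0 and 192.168.8.0 only. That is consistent with the log printing `MULTI: Learn: 192.168.8.0 -> paks1/...` with no prefix length, and it leaves 192.168.7.19 outside every learned internal route, which is exactly the condition behind `MULTI: bad source address from client [192.168.7.19], packet dropped` (and, in the other direction, why the server has nowhere to send packets for those /24s). Second, the ccd file name must equal the client certificate's CN; the log shows the server reading `/etc/openvpn/ccd/paks1`, so that file, not `ccd/client1`, is the one that matters. The client-side lines address the `No server certificate verification method` warning and the 3DES data cipher; `remote-cert-tls server` assumes the server certificate was issued with the TLS Web Server Authentication extended key usage (easy-rsa's `build-key-server` does this; a cert from plain `build-key` will fail the check, in which case `ns-cert-type server` is the older equivalent for certs carrying nsCertType=server).

```conf
# /etc/openvpn/ccd/paks1   (name = CN of the client certificate, as the server log shows)
ifconfig-push 10.8.0.2 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
# iroute takes network [netmask] only: no gateway field, no quotes.
iroute 192.168.5.0 255.255.255.0
iroute 192.168.7.0 255.255.255.0
iroute 192.168.8.0 255.255.255.0

# client1.conf, additions (example; cipher must then match on the server too,
# OpenVPN 2.1 has no cipher negotiation and checks it via the options string)
remote-cert-tls server
cipher AES-256-CBC

# server.conf, matching change for the cipher line
cipher AES-256-CBC
```

Things to check after restarting both ends: the server log should now learn the three networks with their /24 prefix, and the `bad source address` lines should stop. Forwarding must be on at both ends (`net.ipv4.ip_forward=1`); the fact that the server sees packets from 192.168.7.19 already shows the client box is forwarding. On the server side, the log reports `ROUTE default_gateway=192.168.3.119`, so the OpenVPN box is not the default gateway of 192.168.3.0/24; hosts on that LAN, or the router at 192.168.3.119, need routes for 10.8.0.0/24 and the three client LANs pointing at the server's 192.168.3.x address, or replies from them will never reach the tunnel. The explicit `route ... 10.8.0.2` lines in server.conf are fine to keep: the kernel route only gets the packet onto tun0, and it is the iroute that tells the OpenVPN process which client instance owns each network. The 1024-bit DH parameters and 1024-bit RSA reported in the log are weak by current standards and are worth regenerating at 2048 bits when the certificates are next rolled.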