Connection refused - VPN - Urgent!

1. Connection refused - VPN - Urgent!

Renato dos Santos
rensantos

(uses Ubuntu)

Sent on 16/03/2015 - 09:44h

Good morning everyone,

I have an extremely urgent problem.
I changed servers this weekend and ran the tests on Sunday with one IP, but now when I bring the VPN up it is not working: the branches are all down and cannot reach the system here at the head office. Can someone give me a hand, please?

My server's configuration:


## Connection protocol
#proto tcp / proto udp
proto udp
# Service port (openvpn default)
port 51001
# Interface driver
dev tun
# VPN security
script-security 2
# Configures the tunnel IP
ifconfig 172.32.1.1 172.32.1.2
# Pushes routes to the clients, local network information
push "route 192.168.1.0 255.255.255.0"
# LZO compression lib
comp-lzo
# Pings every 10 seconds and drops the connection after 120 seconds
keepalive 10 120
float
#ifconfig-pool-persist ipp.txt
max-clients 1
persist-key
persist-tun
log-append /var/log/openvpn.log
verb 3
# TLS server
tls-server
# Required keys
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/matriz.crt
key /etc/openvpn/keys/matriz.key
# Server secret key
#tls-auth /etc/openvpn/keys/chave.key
status /var/log/openvpn.stats
# Runs scripts
up /etc/openvpn/scripts/filial1.sh


And the branch's:


client
dev tun
proto udp
remote x.x.x.x --> the ip is correct
port 51001
pull
comp-lzo
keepalive 10 120
float
tls-client
persist-tun
persist-key
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/filial1.crt
key /etc/openvpn/keys/filial1.key
tls-auth /etc/openvpn/keys/chave.key
route-method exe
route-delay 2
script-security 2
remote-cert-tls server
ifconfig 172.32.1.2 172.32.1.1
log /etc/openvpn/filial1.log


I left these rules on both firewalls:

/sbin/iptables -A INPUT -p udp --dport 51001 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 51001 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 51001 -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 51001 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --sport 51001 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 51001 -j ACCEPT


And on filial1 the VPN interface (tun0) does not come up.

This is the log at the branch:

Mon Mar 16 09:42:09 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Mon Mar 16 09:42:09 2015 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Mon Mar 16 09:42:09 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 16 09:42:09 2015 Control Channel Authentication: using '/etc/openvpn/keys/chave.key' as a OpenVPN static key file
Mon Mar 16 09:42:09 2015 LZO compression initialized
Mon Mar 16 09:42:09 2015 UDPv4 link local (bound): [undef]
Mon Mar 16 09:42:09 2015 UDPv4 link remote: [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:09 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 16 09:42:11 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 16 09:42:15 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 16 09:42:23 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:25 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:29 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001
Mon Mar 16 09:42:37 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001

Note: x.x.x.x is the head office's IP

And here is the server log:

Tue Jan 1 20:20:05 2002 Socket Buffers: R=[229376->131072] S=[229376->131072]
Tue Jan 1 20:20:05 2002 Preserving previous TUN/TAP instance: tun0
Tue Jan 1 20:20:05 2002 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 1 20:20:05 2002 Local Options hash (VER=V4): '09ead35e'
Tue Jan 1 20:20:05 2002 Expected Remote Options hash (VER=V4): '32ab9cc9'
Tue Jan 1 20:20:05 2002 UDPv4 link local (bound): [undef]
Tue Jan 1 20:20:05 2002 UDPv4 link remote: [undef]
Tue Jan 1 20:20:05 2002 TLS: Initial packet from [AF_INET]y.y.y.y:51001, sid=03acb6bb b6cac87c
Tue Jan 1 20:20:05 2002 TLS Error: reading acknowledgement record from packet
Tue Jan 1 20:20:21 2002 TLS Error: reading acknowledgement record from packet
Tue Jan 1 20:20:53 2002 TLS: new session incoming connection from [AF_INET]y.y.y.y:51001
Tue Jan 1 20:20:53 2002 TLS Error: reading acknowledgement record from packet
Tue Jan 1 20:20:55 2002 TLS Error: reading acknowledgement record from packet
Tue Jan 1 20:20:59 2002 TLS Error: reading acknowledgement record from packet

Note: y.y.y.y is filial1's IP
What am I doing wrong?

2. Re: Connection refused - VPN - Urgent!

Renato dos Santos
rensantos

(uses Ubuntu)

Sent on 16/03/2015 - 10:02h

Look what I have already found wrong (that is what rushing does to a person):
I uncommented the second line below at the head office; it was commented out there but present at the branch:

# Server secret key
tls-auth /etc/openvpn/keys/chave.key


Now the head office log:

Tue Jan 1 20:38:48 2002 Socket Buffers: R=[229376->131072] S=[229376->131072]
Tue Jan 1 20:38:48 2002 Preserving previous TUN/TAP instance: tun0
Tue Jan 1 20:38:48 2002 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 1 20:38:48 2002 Local Options hash (VER=V4): '7b726282'
Tue Jan 1 20:38:48 2002 Expected Remote Options hash (VER=V4): 'ebe38598'
Tue Jan 1 20:38:48 2002 UDPv4 link local (bound): [undef]
Tue Jan 1 20:38:48 2002 UDPv4 link remote: [undef]
Tue Jan 1 20:38:48 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan 1 20:38:49 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan 1 20:38:50 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan 1 20:38:51 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan 1 20:38:52 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan 1 20:38:53 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)
Tue Jan 1 20:38:54 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)



And the branch's:

Mon Mar 16 10:00:25 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Mon Mar 16 10:00:25 2015 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Mon Mar 16 10:00:25 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 16 10:00:25 2015 Control Channel Authentication: using '/etc/openvpn/keys/chave.key' as a OpenVPN static key file
Mon Mar 16 10:00:25 2015 LZO compression initialized
Mon Mar 16 10:00:25 2015 UDPv4 link local (bound): [undef]
Mon Mar 16 10:00:25 2015 UDPv4 link remote: [AF_INET]x.x.x.x:51001
Mon Mar 16 10:00:27 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)


It still does not connect; at the head office tun0 comes up, but at the branch it does not.


3. Re: Connection refused - VPN - Urgent!

Jeferson Coli
jcoli

(uses Debian)

Sent on 16/03/2015 - 10:17h

I had this problem.

I switched the protocol to tcp. That solved it.


Jeferson Coli
---------------------
www.tecnocoli.com.br


4. Re: Connection refused - VPN - Urgent!

Renato dos Santos
rensantos

(uses Ubuntu)

Sent on 16/03/2015 - 10:33h

Hi Jeferson, I switched it as you said; now at the head office the log is updating like this:

Tue Jan 1 21:08:11 2002 TCP connection established with [AF_INET]y.y.y.y:46416
Tue Jan 1 21:08:11 2002 TCPv4_SERVER link local (bound): [undef]
Tue Jan 1 21:08:11 2002 TCPv4_SERVER link remote: [AF_INET]y.y.y.y:46416
Tue Jan 1 21:08:11 2002 TLS: Initial packet from [AF_INET]y.y.y.y:46416, sid=d29d6e59 9204e8a7
Tue Jan 1 21:08:11 2002 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=BR/ST=PR/L=Cidade/O=Empresa/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
Tue Jan 1 21:08:11 2002 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Jan 1 21:08:11 2002 TLS Error: TLS object -> incoming plaintext read error
Tue Jan 1 21:08:11 2002 TLS Error: TLS handshake failed
Tue Jan 1 21:08:11 2002 Fatal TLS error (check_tls_errors_co), restarting
Tue Jan 1 21:08:11 2002 TCP/UDP: Closing socket
Tue Jan 1 21:08:11 2002 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 1 21:08:11 2002 Restart pause, 1 second(s)
Tue Jan 1 21:08:12 2002 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 1 21:08:12 2002 Re-using SSL/TLS context
Tue Jan 1 21:08:12 2002 LZO compression initialized
Tue Jan 1 21:08:12 2002 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Jan 1 21:08:12 2002 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Jan 1 21:08:12 2002 Preserving previous TUN/TAP instance: tun0
Tue Jan 1 21:08:12 2002 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 1 21:08:12 2002 Local Options hash (VER=V4): 'd595669d'
Tue Jan 1 21:08:12 2002 Expected Remote Options hash (VER=V4): 'fa5b43c2'
Tue Jan 1 21:08:12 2002 Listening for incoming TCP connection on [undef]


And at the branch, like this:

Mon Mar 16 10:33:27 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 16 10:33:27 2015 Re-using SSL/TLS context
Mon Mar 16 10:33:27 2015 LZO compression initialized
Mon Mar 16 10:33:27 2015 Attempting to establish TCP connection with [AF_INET]x.x.x.x:51001 [nonblock]
Mon Mar 16 10:33:28 2015 TCP connection established with [AF_INET]x.x.x.x:51001
Mon Mar 16 10:33:28 2015 TCPv4_CLIENT link local: [undef]
Mon Mar 16 10:33:28 2015 TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:51001
Mon Mar 16 10:33:28 2015 Connection reset, restarting [0]
Mon Mar 16 10:33:28 2015 SIGUSR1[soft,connection-reset] received, process restarting


And tun0 still has not come up at the branch.
That certificate error at the head office, what could it be? I checked, and the files are correct too.
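Added example, not part of the thread: a small Python triage script over the OpenVPN 2.2 log lines quoted in posts 1, 2 and 4. It classifies the failure signatures that appear there (ECONNREFUSED, "cannot locate HMAC", "Unroutable control packet", "certificate is not yet valid") and measures the clock offset between the two hosts. The point it makes visible: the head office log lines above are stamped 2002 while the branch's are stamped 2015, and a host whose clock lies before a certificate's notBefore date reports exactly "certificate is not yet valid" when verifying the peer. The regexes, hint texts and function names are this example's own; the sample lines are copied from the thread with the addresses masked as they are there.

```python
"""Triage of OpenVPN log lines: known failure signatures plus clock-skew check."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Failure signatures and the hint an operator wants next to each one.
# Patterns and hints are this example's own (assumptions), not OpenVPN output.
SIGNATURES = [
    (re.compile(r"ECONNREFUSED"),
     "peer answered the UDP datagram with ICMP port unreachable: nothing is "
     "listening on that port or a firewall REJECT rule sits in the path"),
    (re.compile(r"cannot locate HMAC in incoming packet"),
     "tls-auth is active on this side but the peer sends unsigned control "
     "packets: enable tls-auth with the same key file on both ends"),
    (re.compile(r"Unroutable control packet received"),
     "control packet for a session this side does not know: usually a stale "
     "session after one side restarted; let it time out or restart both"),
    (re.compile(r"certificate is not yet valid"),
     "the peer certificate's notBefore lies in this host's future: compare "
     "the host clock (see the log timestamps) with the certificate dates"),
    (re.compile(r"no certificate returned"),
     "follow-on of the failed peer-certificate verification just above"),
]

# OpenVPN 2.x log prefix, e.g. "Mon Mar 16 09:42:09 2015 " or "Tue Jan 1 20:20:05 2002 ".
TIMESTAMP = re.compile(
    r"^([A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) ")

# Sample lines copied from the thread (addresses masked there as x.x.x.x / y.y.y.y).
CLIENT_LOG = [
    "Mon Mar 16 09:42:09 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 1 2014",
    "Mon Mar 16 09:42:09 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
    "Mon Mar 16 09:42:23 2015 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:51001",
]
SERVER_LOG = [
    "Tue Jan 1 20:20:05 2002 Socket Buffers: R=[229376->131072] S=[229376->131072]",
    "Tue Jan 1 20:20:05 2002 TLS Error: reading acknowledgement record from packet",
    "Tue Jan 1 20:38:48 2002 TLS Error: Unroutable control packet received from [AF_INET]y.y.y.y:51001 (si=3 op=P_CONTROL_V1)",
    "Tue Jan 1 21:08:11 2002 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=BR/ST=PR/O=Empresa/CN=changeme",
    "Tue Jan 1 21:08:11 2002 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned",
]


def classify(line: str) -> Optional[str]:
    """Return the operator hint for a known failure line, None for anything else."""
    for pattern, hint in SIGNATURES:
        if pattern.search(line):
            return hint
    return None


def triage(lines: List[str]) -> Dict[str, int]:
    """Count how many lines triggered each distinct hint."""
    counts: Dict[str, int] = {}
    for line in lines:
        hint = classify(line)
        if hint is not None:
            counts[hint] = counts.get(hint, 0) + 1
    return counts


def first_timestamp(lines: List[str]) -> datetime:
    """Parse the first OpenVPN log timestamp found in the lines."""
    for line in lines:
        match = TIMESTAMP.match(line)
        if match:
            return datetime.strptime(match.group(1), "%a %b %d %H:%M:%S %Y")
    raise ValueError("no OpenVPN timestamp found")


def clock_skew(server_lines: List[str], client_lines: List[str]) -> timedelta:
    """Client's first log time minus the server's first log time.

    Both logs were written within the same hour of real time, so a result far
    from zero means one host's clock is wrong, which is what breaks the X.509
    validity check ("certificate is not yet valid" / "has expired").
    """
    return first_timestamp(client_lines) - first_timestamp(server_lines)


if __name__ == "__main__":
    for name, log in (("branch", CLIENT_LOG), ("head office", SERVER_LOG)):
        print(f"== {name} ==")
        for hint, n in triage(log).items():
            print(f"  {n}x {hint}")
    skew = clock_skew(SERVER_LOG, CLIENT_LOG)
    print(f"clock offset between hosts: {skew.days} days")
```

Run against the two logs, the script reports the tls-auth mismatch from post 1 and the certificate verification failure from post 4, and an offset of over thirteen years between the hosts' clocks, which is the first thing to reconcile before touching the certificates.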


5. Re: Connection refused - VPN - Urgent!

Jeferson Coli
jcoli

(uses Debian)

Sent on 16/03/2015 - 11:09h

Now it really looks like a certificate error.


Just to clarify, I set up the VPN for a company using UDP. They moved premises and the internet there was not great.
It was not 100% of the time, but it always had this error.

I changed to tcp and the problem went away. I think that since the internet is bad there is a lot of packet loss.

I use it for users' remote connections, but it hardly changes anything.

my scripts:
server:
port 1194
proto tcp
mssfix 1400
dev tun
tls-server

ca certs/ca.crt
cert certs/server.crt
key keys/server.key
dh keys/dh2048.pem

# Network used by the openvpn tunnel
server 10.254.0.0 255.255.255.0

# defines the file where the ips the clients obtain on connection are stored, so they always get the
# same ips
ifconfig-pool-persist ipp.txt

# Defines the route so the branch network can see the head office network
push "route-delay 2 600"
push "route 192.168.0.0 255.255.255.0"
ping-timer-rem
keepalive 10 120

# Cipher type used
cipher DES-EDE3-CBC

# enables compression on the VPN link
comp-lzo

# Maximum number of clients (branches)
max-clients 10

# user and group under which openvpn will run
#user nobody
#group nogroup

script-security 2
username-as-common-name
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

# Allows a restart without closing the connection and re-reading the keys
persist-key
persist-tun

# Connection status log
status /var/log/openvpn/status.log

# defines a log file, since the default is /var/log/syslog
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

verb 6

# silences repetitive messages, i.e. errors or connections in sequence
# above 20, it drops them.
mute 20

client:

float
port 1194
dev tun
proto tcp
comp-lzo
cipher DES-EDE3-CBC
remote sai-br.no-ip.biz
ping 10
persist-tun
persist-key
ca [inline]
auth-user-pass
client
verb 4
<ca>
-----BEGIN CERTIFICATE-----
MIIEvTCCA6WgAwIBAgIJAMfm8JKaR6XyMA0GCSqGSIb3DQEBBQUAMIGaMQswCQYD
dlaksjhlkashfkashfdjhgj........................................................................................................
-----END CERTIFICATE-----
</ca>

Jeferson Coli
---------------------
www.tecnocoli.com.br


6. Re: Connection refused - VPN - Urgent!

Renato dos Santos
rensantos

(uses Ubuntu)

Sent on 16/03/2015 - 12:02h

Hi Jeferson, I have already copied the same certificate again (the one that was working on Sunday when I tested) and it is still the same. Is there anything else I can do?
Or would the right thing be to redo the whole certificate? In that case, are the settings correct?


7. Re: Connection refused - VPN - Urgent!

Jeferson Coli
jcoli

(uses Debian)

Sent on 22/03/2015 - 05:57h

I have a manual here that I used the first time.
Send me your email and I will send it to you.

Regards


Jeferson Coli
---------------------
www.tecnocoli.com.br

