Openvpn Matriz e Duas Filiais [RESOLVIDO]

1. Openvpn Matriz e Duas Filiais [RESOLVIDO]

asparion
(usa Ubuntu)

Enviado em 28/02/2014 - 15:26h

Ola boa tarde a todos..
Achei que tinha resolvido mas não. Alguém pode ver o que ta errado aqui segue.

MATRIZ = 192.168.0.0/24 IP VALIDO 189.7.20.XX
FILIAL 1 = 192.168.1.0/24 ( VM1 TESTE )
FILIAL 2 = 192.168.1.0/24 ( VM2 TESTE MESMA REDE VM1 )



#filial1.conf    -- na matriz



dev tun0

proto udp

ifconfig 10.0.0.1 10.0.0.2

cd /etc/openvpn

secret filial1.key

port 1194

user root

group root

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/filial1.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log 



#route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.2



#filial1.conf  -- no cliente1 VM1



dev tun0

proto udp

ifconfig 10.0.0.2 10.0.0.1

remote 189.7.20.XX

cd /etc/openvpn

secret filial1.key

port 1194

user nobody

group nobody

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/filial1.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log



#route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.0.0.1



#filial2.conf   -- na matriz



dev tun1

proto udp

ifconfig 20.0.0.1 20.0.0.2

cd /etc/openvpn

secret filial2.key

port 5000

user root

group root

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/filial2.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log 



#route add -net 192.168.1.0 netmask 255.255.255.0 gw 20.0.0.2



#filial2.conf  -- no cliente2 VM2



dev tun1

proto udp

ifconfig 20.0.0.2 20.0.0.1

remote 189.7.20.XX

cd /etc/openvpn

secret filial2.key

port 5000

user nobody

group nobody

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/filial2.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log



#route add -net 192.168.0.0 netmask 255.255.255.0 gw 20.0.0.1

Firewall nas matriz e nas duas filias



Iptables –N PORTAS

Iptables –A INPUT –j PORTAS

Iptables –A FORWARD –j PORTAS

Iptables –A OUPUT –j PORTAS



Iptables –A PORTAS –p udp –dport 1194 –j ACCEPT

Iptables –A PORTAS –p udp –dport 5000 –j ACCEPT

Iptables –A PORTAS –I tun0 –o tun0 –j ACCEPT

Iptables –A PORTAS –I tun1 –o tun1 –j ACCEPT

 

Iptables –A POSTROUTING –o eth0 –j MASQUERADE



Setenforce 0

echo 1 > /proc/sys/net/ipv4_ip_forward

a filial1 conecta certinho com a matriz
ja a filial 2 nao esta pingando mas nao da erro quando sobe a vpn
service openvpn restart ---> ok

as configuraçoes parecem todas ok

alguem sabe de algum macete ai pra esse joça fumegar rsrs

0 0

Quote

2. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

danniel-lara
(usa Fedora)

Enviado em 28/02/2014 - 16:34h

ja chegou a verificar os logs ?

0 0

Quote

3. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

asparion
(usa Ubuntu)

Enviado em 28/02/2014 - 16:44h

Bom ta chegando ou saindo pacotes na filial2 na porta 5000



 2   176 ACCEPT    udp  --  *      *    0.0.0.0/0    0.0.0.0/0    udp dpt:5000

ja na matriz nao



0     0 ACCEPT     udp  --  *      *    0.0.0.0/0    0.0.0.0/0    udp dpt:5000

segue logs na filial que nao sobe.

vim /var/log/openvpn/filial2.log



OpenVPN STATISTICS

Updated,Fri Feb 28 16:40:37 2014

TUN/TAP read bytes,0

TUN/TAP write bytes,0

TCP/UDP read bytes,0

TCP/UDP write bytes,360

Auth read bytes,0

pre-compress bytes,0

post-compress bytes,0

pre-decompress bytes,0

post-decompress bytes,0

END

vim /var/log/openvpn/messages.log

Fri Feb 28 16:42:46 2014 event_wait : Interrupted system call (code=4)

Fri Feb 28 16:42:46 2014 Closing TUN/TAP interface

Fri Feb 28 16:42:46 2014 /sbin/ip addr del dev tun1 local 20.0.0.2 peer 20.0.0.1

RTNETLINK answers: Operation not permitted

Fri Feb 28 16:42:46 2014 Linux ip addr del failed: external program exited with error status: 2

Fri Feb 28 16:42:46 2014 SIGTERM[hard,] received, process exiting

Fri Feb 28 16:42:48 2014 OpenVPN 2.3.2 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013

Fri Feb 28 16:42:48 2014 WARNING: --ping should normally be used with --ping-restart or --ping-exit

Fri Feb 28 16:42:48 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Fri Feb 28 16:42:48 2014 WARNING: file 'filial.key' is group or others accessible

Fri Feb 28 16:42:48 2014 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

Fri Feb 28 16:42:48 2014 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Feb 28 16:42:48 2014 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

Fri Feb 28 16:42:48 2014 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Feb 28 16:42:48 2014 Socket Buffers: R=[188416->131072] S=[188416->131072]

Fri Feb 28 16:42:48 2014 TUN/TAP device tun1 opened

Fri Feb 28 16:42:48 2014 TUN/TAP TX queue length set to 100

Fri Feb 28 16:42:48 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Fri Feb 28 16:42:48 2014 /sbin/ip link set dev tun1 up mtu 1500

Fri Feb 28 16:42:48 2014 /sbin/ip addr add dev tun1 local 20.0.0.2 peer 20.0.0.1

Fri Feb 28 16:42:48 2014 ./filial.up tun1 1500 1545 20.0.0.2 20.0.0.1 init

Fri Feb 28 16:42:48 2014 GID set to nobody

Fri Feb 28 16:42:48 2014 UID set to nobody

Fri Feb 28 16:42:48 2014 UDPv4 link local (bound): [undef]

Fri Feb 28 16:42:48 2014 UDPv4 link remote: [AF_INET]189.103.46.34:5000

sera que isso ajuda.
RTNETLINK answers: Operation not permitted

log na matris da filial2

vim /var/log/openpvn/messages_filial2.log



Fri Feb 28 17:05:50 2014 OpenVPN 2.3.2 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013

Fri Feb 28 17:05:50 2014 WARNING: --ping should normally be used with --ping-restart or --ping-exit

Fri Feb 28 17:05:50 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Fri Feb 28 17:05:50 2014 WARNING: file 'filial.key' is group or others accessible

Fri Feb 28 17:05:50 2014 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

Fri Feb 28 17:05:50 2014 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Feb 28 17:05:50 2014 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

Fri Feb 28 17:05:50 2014 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Feb 28 17:05:50 2014 Socket Buffers: R=[112640->131072] S=[112640->131072]

Fri Feb 28 17:05:50 2014 TUN/TAP device tun1 opened

Fri Feb 28 17:05:50 2014 TUN/TAP TX queue length set to 100

Fri Feb 28 17:05:50 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Fri Feb 28 17:05:50 2014 /sbin/ip link set dev tun1 up mtu 1500

Fri Feb 28 17:05:50 2014 /sbin/ip addr add dev tun1 local 20.0.0.1 peer 20.0.0.2

Fri Feb 28 17:05:50 2014 /etc/openvpn/rotas/filial.up tun1 1500 1545 20.0.0.1 20.0.0.2 init

Fri Feb 28 17:05:50 2014 GID set to nobody

Fri Feb 28 17:05:50 2014 UID set to nobody

Fri Feb 28 17:05:50 2014 UDPv4 link local (bound): [undef]

Fri Feb 28 17:05:50 2014 UDPv4 link remote: [undef]

0 0

Quote

4. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

removido
(usa Nenhuma)

Enviado em 04/03/2014 - 09:04h

BOm dia... use a opção server ao invés de ifconfig para atribuir endereços ao servidor e clientes. por exemplo:

server 10.0.0.0 255.255.255.0

OBS:. use somente esta opção no arquivo de configuração do servidor. portanto o servidor vai ficar com um arquivo só de configuração. e os clientes ficam com a opção pull no lugar de ifconfig.

0 0

Quote

5. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

asparion
(usa Ubuntu)

Enviado em 04/03/2014 - 11:22h

eabreu escreveu:

BOm dia... use a opção server ao invés de ifconfig para atribuir endereços ao servidor e clientes. por exemplo:

server 10.0.0.0 255.255.255.0

Bom dia. Ficaria assim?



# Servidor:

server 10.0.0.0 255.255.255.0



# Cliente1

pull 10.0.0.2 255.255.255.0



# Cliente2

pull 10.0.0.3 255.255.255.0

?????????

0 0

Quote

6. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

removido
(usa Nenhuma)

Enviado em 04/03/2014 - 11:32h

Ficaria assim:

conf do server:



dev tun1

proto udp

server 10.0.0.0 255.255.255.0

cd /etc/openvpn

secret filial1.key

port 1194

user root

group root

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/filial1.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log

conf cliente 1:



dev tun1

proto udp

client

remote 189.7.20.XX

pull

cd /etc/openvpn

secret filial1.key

port 1194

user nobody

group nobody

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/filial1.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log

conf cliente 2:



dev tun1

proto udp

client

pull

remote 189.7.20.XX

cd /etc/openvpn

secret filial1.key

port 1194

user nobody

group nobody

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/filial2.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log

0 0

Quote

7. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

asparion
(usa Ubuntu)

Enviado em 04/03/2014 - 12:57h

boa tarde..

se eu trocar

ifconfig 10.0.0.1 10.0.0.2

no servidor por

server 10.0.0.0 255.255.255.0

ao reiniciar o openvpn da erro.



[root@asparion openvpn]# service openvpn restart

Shutting down openvpn:                                     [  OK  ]

Starting openvpn:                                          [FAILED]

0 0

Quote

8. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

removido
(usa Nenhuma)

Enviado em 04/03/2014 - 16:40h

Além dos logs, inicie o serviço no servidor assim, para ter mais informações para depuração e poste as informações aqui.

openvpn --config nome_do_arquivo.conf

OBS:. o caminho do arquivo deve ser absoluto.

0 0

Quote

9. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

asparion
(usa Ubuntu)

Enviado em 04/03/2014 - 19:13h

opa blz. segue



openvpn --config servidor.conf

vim /var/log/openvpn/messages.log

Options error: --server and --secret cannot be used together (you must use SSL/TLS keys)

Use --help for more information.

so gerou esse log

segue conf:



# Openvpn Servidor

dev tun

proto udp

server 10.0.0.0 255.255.255.0

cd /etc/openvpn

secret chave

port 1194

user nobody

group nobody

comp-lzo

persist-key

persist-tun

ping 15

verb 3

status /var/log/openvpn/servidor.log

log-append /var/log/openvpn/messages.log

log /var/log/openvpn/logsvpn.log

0 0

Quote

10. Re: Openvpn Matriz e Duas Filiais [RESOLVIDO]

removido
(usa Nenhuma)

Enviado em 04/03/2014 - 19:21h

Isso quer dizer que as duas opções secret e server não podem ser usadas juntas. então voltando a sua configuração inicial. onde os arquivos *.conf do openvpn do servidor e dos clientes estão instalados ?

0 0

Quote