OpenVPN + firewall problem

    20 July 2016 at 10:38:31

    Hello,
    I have set up an OpenVPN server.
    I have already connected one client and it works fine (ping in both directions; the client and the server see each other, no problems).

    With a second client, the VPN tunnel comes up fine, but the client cannot ping the server, and vice versa.
    Here are the logs:

    Wed Jul 20 09:25:13 2016 event_wait : Interrupted system call (code=4)
    Wed Jul 20 09:25:13 2016 TCP/UDP: Closing socket
    Wed Jul 20 09:25:13 2016 /sbin/route del -net 10.6.66.0 netmask 255.255.255.0
    Wed Jul 20 09:25:13 2016 /sbin/route del -net 10.10.10.0 netmask 255.255.255.0
    Wed Jul 20 09:25:13 2016 Closing TUN/TAP interface
    Wed Jul 20 09:25:13 2016 /sbin/ifconfig tun0 0.0.0.0
    Wed Jul 20 09:25:13 2016 SIGTERM[hard,] received, process exiting
    Wed Jul 20 09:25:14 2016 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
    Wed Jul 20 09:25:14 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Wed Jul 20 09:25:14 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Wed Jul 20 09:25:14 2016 WARNING: file '/etc/openvpn/***.***' is group or others accessible
    Wed Jul 20 09:25:14 2016 LZO compression initialized
    Wed Jul 20 09:25:14 2016 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Jul 20 09:25:14 2016 Socket Buffers: R=[229376->131072] S=[229376->131072]
    Wed Jul 20 09:25:14 2016 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Jul 20 09:25:14 2016 Local Options hash (VER=V4): '66096c33'
    Wed Jul 20 09:25:14 2016 Expected Remote Options hash (VER=V4): '691e95c7'
    Wed Jul 20 09:25:14 2016 UDPv4 link local (bound): [undef]
    Wed Jul 20 09:25:14 2016 UDPv4 link remote: [AF_INET]195.154.***.***:1194
    Wed Jul 20 09:25:14 2016 TLS: Initial packet from [AF_INET]195.154.***.***:1194, sid=2111b29e 59ff24f2
    Wed Jul 20 09:25:14 2016 VERIFY OK: depth=1, /C=***.***/ST=***.***/L=***.***/O=***.***/OU=***.***/CN=openvpn-ca/name=openvpn-ca/emailAddress=***.***
    Wed Jul 20 09:25:14 2016 VERIFY OK: nsCertType=SERVER
    Wed Jul 20 09:25:14 2016 VERIFY OK: depth=0, /C=***.***/ST=***.***/L=***.***/O=***.***/OU=***.***/CN=dev/name=***.***/emailAddress=***.***
    Wed Jul 20 09:25:14 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jul 20 09:25:14 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 20 09:25:14 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Jul 20 09:25:14 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 20 09:25:14 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Jul 20 09:25:14 2016 [dev] Peer Connection Initiated with [AF_INET]195.154.***.***:1194
    Wed Jul 20 09:25:16 2016 SENT CONTROL [dev]: 'PUSH_REQUEST' (status=1)
    Wed Jul 20 09:25:16 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 10.6.66.0 255.255.255.0,route 10.6.66.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.6.66.118 10.6.66.117'
    Wed Jul 20 09:25:16 2016 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Jul 20 09:25:16 2016 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Jul 20 09:25:16 2016 OPTIONS IMPORT: route options modified
    Wed Jul 20 09:25:16 2016 ROUTE default_gateway=195.154.***.***
    Wed Jul 20 09:25:16 2016 TUN/TAP device tun0 opened
    Wed Jul 20 09:25:16 2016 TUN/TAP TX queue length set to 100
    Wed Jul 20 09:25:16 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Wed Jul 20 09:25:16 2016 /sbin/ifconfig tun0 10.6.66.118 pointopoint 10.6.66.117 mtu 1500
    Wed Jul 20 09:25:16 2016 /sbin/route add -net 10.10.10.0 netmask 255.255.255.0 gw 10.6.66.117
    Wed Jul 20 09:25:16 2016 /sbin/route add -net 10.6.66.0 netmask 255.255.255.0 gw 10.6.66.117
    Wed Jul 20 09:25:16 2016 /sbin/route add -net 10.6.66.0 netmask 255.255.255.0 gw 10.6.66.117
    SIOCADDRT: File exists
    Wed Jul 20 09:25:16 2016 ERROR: Linux route add command failed: external program exited with error status: 7
    Wed Jul 20 09:25:16 2016 Initialization Sequence Completed

    Pinging the VPN server returns this error message:

     ping 10.6.66.1
    PING 10.6.66.1 (10.6.66.1) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    

    From what I have seen, it would be a firewall problem on the client side.

    Here are my current rules:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      64M   35G ACCEPT     all  --  lo     any     anywhere             anywhere
    2    1018K   95M ACCEPT     icmp --  eth0   any     anywhere             anywhere
    3     245M   47G ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
    4    42795 2460K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:ssh
    5     115K 6831K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:http
    6     269K   16M ACCEPT     tcp  --  eth0   any     anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:https
    7     146K 8774K ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:rsync
    8        0     0 ACCEPT     tcp  --  eth0   any     ***.***                  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:rsync
    9        0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:rsync
    10       0     0 ACCEPT     tcp  --  eth0   any     ***.***                 anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:rsync
    11       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:rsync
    12       0     0 ACCEPT     tcp  --  eth0   any     ***.***               anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:rsync
    13   37441 2246K ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    14   1808K  108M ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    15    127K 7640K ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    16       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    17       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    18    123K 7351K ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    19    872K   52M ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    20       0     0 ACCEPT     tcp  --  eth0   any     ***.***                 anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    21       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    22       0     0 ACCEPT     tcp  --  eth0   any     ***.***        anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    23       0     0 ACCEPT     tcp  --  eth0   any     ***.***        anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    24    7283  437K ACCEPT     tcp  --  eth0   any     ***.***                 anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    25   82939 4976K ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    26       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:mysql
    27       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:munin
    28       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    29       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    30       0     0 ACCEPT     tcp  --  eth0   any     ***.***                anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    31       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    32       0     0 ACCEPT     tcp  --  eth0   any     ***.***        anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    33       0     0 ACCEPT     tcp  --  eth0   any     ***.***        anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    34       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    35       0     0 ACCEPT     tcp  --  eth0   any     ***.***  anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    36       0     0 ACCEPT     tcp  --  eth0   any     ***.***                 anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:11211
    37   2716K  214M reject-and-log-it  all  --  any    any     anywhere             anywhere
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    
    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1       17  9792 DROP       icmp --  any    any     anywhere             anywhere             state INVALID
    2      64M   35G ACCEPT     all  --  any    lo      anywhere             anywhere
    3     104M  539G ACCEPT     all  --  any    eth0    ***.***  anywhere
    4    25826   21M ACCEPT     all  --  any    eth0    ***.***       anywhere
    5    33815   45M ACCEPT     all  --  any    eth0    ***.***  anywhere
    6     102K  157M ACCEPT     all  --  any    eth0    ***.***  anywhere
    7    33719   34M ACCEPT     all  --  any    eth0    ***.***  anywhere
    8        0     0 ACCEPT     all  --  any    eth0    ***.***  anywhere
    9     211K  495M ACCEPT     all  --  any    eth0    ***.***  anywhere
    10       0     0 ACCEPT     all  --  any    eth0    ***.***  anywhere
    11   25513   11M ACCEPT     all  --  any    eth0    ***.***  anywhere
    12       0     0 ACCEPT     all  --  any    eth0    ***.***  anywhere
    13    312K  192M ACCEPT     all  --  any    eth0    ***.***  anywhere
    14   39063   33M ACCEPT     all  --  any    eth0    ***.***  anywhere
    15   80914  157M ACCEPT     all  --  any    eth0    ***.***  anywhere
    16   24222   14M ACCEPT     all  --  any    eth0    ***.***  anywhere
    17    6129 1910K ACCEPT     all  --  any    eth0    ***.***  anywhere
    18    502K  127M ACCEPT     all  --  any    eth0    ***.***  anywhere
    19   27940   66M ACCEPT     all  --  any    eth0    ***.***  anywhere
    20   67238  199M ACCEPT     all  --  any    eth0    ***.***  anywhere
    21   2542K 6326M ACCEPT     all  --  any    eth0    ***.***  anywhere
    22      32  2568 reject-and-log-it  all  --  any    any     anywhere             anywhere

    If requested:
    1/ OpenVPN client config:

    client
    dev tun
    proto udp
    remote ***.*** 1194
    resolv-retry infinite
    ;nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/***.***.crt
    key /etc/openvpn/***.***.key
    ns-cert-type server
    cipher AES-128-CBC
    comp-lzo
    verb 3
    log-append /var/log/openvpn.log

    2/ OpenVPN server config:

    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/dev.crt
    key /etc/openvpn/easy-rsa/keys/dev.key  # This file should be kept secret
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    server 10.6.66.0 255.255.255.0
    push "route 10.10.10.0 255.255.255.0"
    push "route 10.6.66.0 255.255.255.0"
    client-config-dir /etc/openvpn/ccd
    #push "route 10.6.66.0 255.255.255.0"
    route 10.10.10.0 255.255.255.0
    #push "dhcp-option DNS 10.10.10.254"
    #push "dhcp-option DNS 8.8.8.8"
    #push "dhcp-option DNS 8.8.4.4"
    client-to-client
    ifconfig-pool-persist ipp.txt
    #duplicate-cn
    keepalive 10 120
    cipher AES-128-CBC   # AES
    user nobody
    group nogroup
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    

    Thank you in advance for your help.
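Added example for this thread (not code from the original post or from the OpenVPN project). The `ping: sendmsg: Operation not permitted` line is the kernel's EPERM, which is what a local sender gets when a netfilter OUTPUT rule refuses its packet before it leaves. The OUTPUT chain above has policy DROP and only accepts traffic leaving on lo and on eth0 from listed sources; nothing mentions tun0, so the echo requests fall through to reject-and-log-it. INPUT has the same gap (only lo and eth0), so replies arriving on tun0 would be dropped as well. The `SIOCADDRT: File exists` line is a separate and harmless matter: the PUSH_REPLY carries `route 10.6.66.0 255.255.255.0` twice, so the second `route add` fails. The script below parses a saved `iptables -L -v --line-numbers` listing (the format shown in the post), reports for each default-DROP chain whether any ACCEPT rule admits a given interface, and returns the rules that would close the gap. The sample listing is a constructed, condensed copy of the post's chains with the masked source replaced by the documentation address 192.0.2.10; the function names and the network arguments are this example's own, and the 10.6.66.0/24 and 10.10.10.0/24 values are the networks the server config pushes.

```python
"""Audit an iptables listing for a VPN interface that no rule admits.

Added example for this thread, not code from the original post or from the
OpenVPN project. It parses the text of `iptables -L -v --line-numbers`
(the format shown in the post), so it runs without root on a saved copy.
"""
import re

WILDCARD = {"any", "*"}  # interface column value meaning "any interface"
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

# Constructed sample: the post's chains condensed to one ACCEPT line per kind,
# with the masked source replaced by the documentation address 192.0.2.10.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      64M   35G ACCEPT     all  --  lo     any     anywhere             anywhere
2    1018K   95M ACCEPT     icmp --  eth0   any     anywhere             anywhere
3     245M   47G ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
4    42795 2460K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:ssh
5    2716K  214M reject-and-log-it  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       17  9792 DROP       icmp --  any    any     anywhere             anywhere             state INVALID
2      64M   35G ACCEPT     all  --  any    lo      anywhere             anywhere
3     104M  539G ACCEPT     all  --  any    eth0    192.0.2.10           anywhere
4       32  2568 reject-and-log-it  all  --  any    any     anywhere             anywhere
"""


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [...]}} (None = user chain)."""
    chains, current = {}, None
    for line in text.splitlines():
        header = CHAIN_HEADER.match(line.strip())
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
            continue
        parts = line.split(None, 10)
        # Rule lines start with their number; the column header and blanks do not.
        if current is None or len(parts) < 10 or not parts[0].isdigit():
            continue
        num, _pkts, _bytes, target, prot, _opt, i_in, i_out, src, dst = parts[:10]
        chains[current]["rules"].append({
            "num": int(num), "target": target, "prot": prot, "in": i_in,
            "out": i_out, "src": src, "dst": dst,
            "extra": parts[10] if len(parts) > 10 else "",  # state/port matches, kept but not evaluated
        })
    return chains


def accept_rules_covering(chains, chain, iface, direction):
    """ACCEPT rules in `chain` whose in/out column admits `iface`."""
    col = "in" if direction == "in" else "out"
    return [r for r in chains[chain]["rules"]
            if r["target"] == "ACCEPT" and r[col] in WILDCARD | {iface}]


def audit_interface(chains, iface):
    """Flag INPUT/OUTPUT chains that drop by default and never ACCEPT `iface`.

    Extra matches on the covering rules are reported for the reader, not simulated.
    """
    report = {}
    for chain, direction in (("INPUT", "in"), ("OUTPUT", "out")):
        if chain in chains:
            rules = accept_rules_covering(chains, chain, iface, direction)
            report[chain] = {
                "policy": chains[chain]["policy"],
                "accept_rules": [(r["num"], r["extra"]) for r in rules],
                "blocked": chains[chain]["policy"] != "ACCEPT" and not rules,
            }
    return report


def suggested_rules(report, iface, vpn_nets):
    """iptables commands for the gaps found, inserted at position 1 so they precede
    the catch-all reject. INPUT is scoped to the tunnel's networks rather than the
    whole interface. The commands are returned as strings, not executed."""
    cmds = []
    if report.get("OUTPUT", {}).get("blocked"):
        cmds.append(f"iptables -I OUTPUT 1 -o {iface} -j ACCEPT")
    if report.get("INPUT", {}).get("blocked"):
        for net in vpn_nets:
            cmds.append(f"iptables -I INPUT 1 -i {iface} -s {net} "
                        "-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT")
    return cmds


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    report = audit_interface(chains, "tun0")
    for chain, info in report.items():
        print(chain, "BLOCKED" if info["blocked"] else "ok", info)
    print("\n".join(suggested_rules(report, "tun0", ["10.6.66.0/24", "10.10.10.0/24"])))
```

On the client, save the listing with `iptables -L -v --line-numbers > rules.txt` and feed it to `parse_listing`. The suggested INPUT rule deliberately names the VPN networks instead of accepting everything on tun0, so the tunnel does not become a broader entry point than the per-source eth0 rules already are; the audit only looks at the interface columns, so rules it lists as covering may still carry state or port conditions that you need to read yourself.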
