Autor Tópico: Cliente Openvpn 2.4.4 não acessa rede interna (Lida 4711 vezes)

Rafael_M · « **Online:** 05 de Dezembro de 2019, 17:12 »

Estou trocando de servidor, do Ubuntu 14.04 para o 18.04, mas o openvpn não está funcionando, consigo conectar e pingar o IP da interface tun0 mas não consigo acessar a rede interna. o Openvpn funcionava corretamente no servidor antigo com o Openvpn 2.3.2. Não sei o que pode ser.
Ps:O ip_forward já esta = 1.

Segue os arquivos de configuração do servidor e cliente e logs.
Server

Código: [Selecionar]

# Arquivo de configuração do OpenVPN.
proto udp		 			
port 1194 					
dev tun 					
server 10.0.0.0 255.255.255.0 			
# comentado devido a msg de erro na versão 2.4.4
;push "route 192.168.0.0 255.255.255.0" 		
;push "dhcp-option DNS 192.168.0.1" 	
;route 10.0.0.0 255.255.255.0 			

comp-lzo 					
keepalive 10 120 			
float 						

ifconfig-pool-persist /etc/openvpn/ipp.txt 	

max-clients 10 					
persist-key 					
persist-tun 					

verb 4
tls-server

dh   /etc/openvpn/keys/dh2048.pem 
ca   /etc/openvpn/keys/ca.crt 
cert /etc/openvpn/keys/site.crt 
key  /etc/openvpn/keys/site.key 
tls-auth /etc/openvpn/keys/chave.key

status     /var/log/openvpn/status.log
log        /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

Cliente

Código: [Selecionar]

dev tun 				
proto udp 				
remote [<editado>]
port 1194 		
pull 			
comp-lzo 		
keepalive 10 120 	
float 			
tls-client 		
persist-tun 		
persist-key 		
remote-cert-tls server 	

		
ca ca.crt 		
cert cliente01.crt 	
key cliente01.key 	
tls-auth chave.key  	
route-method exe 
route-delay 2 

verb 4
log openvpn.log

log cliente

Código: [Selecionar]

Thu Dec 05 14:57:16 2019   pkcs11_protected_authentication = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_pin_cache_period = -1
Thu Dec 05 14:57:16 2019   pkcs11_id = '[UNDEF]'
Thu Dec 05 14:57:16 2019   pkcs11_id_management = DISABLED
Thu Dec 05 14:57:16 2019   server_network = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_network_ipv6 = ::
Thu Dec 05 14:57:16 2019   server_netbits_ipv6 = 0
Thu Dec 05 14:57:16 2019   server_bridge_ip = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_bridge_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_bridge_pool_start = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_bridge_pool_end = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_defined = DISABLED
Thu Dec 05 14:57:16 2019   ifconfig_pool_start = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_end = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Dec 05 14:57:16 2019   ifconfig_pool_persist_refresh_freq = 600
Thu Dec 05 14:57:16 2019   ifconfig_ipv6_pool_defined = DISABLED
Thu Dec 05 14:57:16 2019   ifconfig_ipv6_pool_base = ::
Thu Dec 05 14:57:16 2019   ifconfig_ipv6_pool_netbits = 0
Thu Dec 05 14:57:16 2019   n_bcast_buf = 256
Thu Dec 05 14:57:16 2019   tcp_queue_limit = 64
Thu Dec 05 14:57:16 2019   real_hash_size = 256
Thu Dec 05 14:57:16 2019   virtual_hash_size = 256
Thu Dec 05 14:57:16 2019   client_connect_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   learn_address_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   client_disconnect_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   client_config_dir = '[UNDEF]'
Thu Dec 05 14:57:16 2019   ccd_exclusive = DISABLED
Thu Dec 05 14:57:16 2019   tmp_dir = 'C:\Users\aaa\AppData\Local\Temp\'
Thu Dec 05 14:57:16 2019   push_ifconfig_defined = DISABLED
Thu Dec 05 14:57:16 2019   push_ifconfig_local = 0.0.0.0
Thu Dec 05 14:57:16 2019   push_ifconfig_remote_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   push_ifconfig_ipv6_defined = DISABLED
Thu Dec 05 14:57:16 2019   push_ifconfig_ipv6_local = ::/0
Thu Dec 05 14:57:16 2019   push_ifconfig_ipv6_remote = ::
Thu Dec 05 14:57:16 2019   enable_c2c = DISABLED
Thu Dec 05 14:57:16 2019   duplicate_cn = DISABLED
Thu Dec 05 14:57:16 2019   cf_max = 0
Thu Dec 05 14:57:16 2019   cf_per = 0
Thu Dec 05 14:57:16 2019   max_clients = 1024
Thu Dec 05 14:57:16 2019   max_routes_per_client = 256
Thu Dec 05 14:57:16 2019   auth_user_pass_verify_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   auth_user_pass_verify_script_via_file = DISABLED
Thu Dec 05 14:57:16 2019   auth_token_generate = DISABLED
Thu Dec 05 14:57:16 2019   auth_token_lifetime = 0
Thu Dec 05 14:57:16 2019   client = DISABLED
Thu Dec 05 14:57:16 2019   pull = ENABLED
Thu Dec 05 14:57:16 2019   auth_user_pass_file = '[UNDEF]'
Thu Dec 05 14:57:16 2019   show_net_up = DISABLED
Thu Dec 05 14:57:16 2019   route_method = 3
Thu Dec 05 14:57:16 2019   block_outside_dns = DISABLED
Thu Dec 05 14:57:16 2019   ip_win32_defined = DISABLED
Thu Dec 05 14:57:16 2019   ip_win32_type = 3
Thu Dec 05 14:57:16 2019   dhcp_masq_offset = 0
Thu Dec 05 14:57:16 2019   dhcp_lease_time = 31536000
Thu Dec 05 14:57:16 2019   tap_sleep = 0
Thu Dec 05 14:57:16 2019   dhcp_options = DISABLED
Thu Dec 05 14:57:16 2019   dhcp_renew = DISABLED
Thu Dec 05 14:57:16 2019   dhcp_pre_release = DISABLED
Thu Dec 05 14:57:16 2019   domain = '[UNDEF]'
Thu Dec 05 14:57:16 2019   netbios_scope = '[UNDEF]'
Thu Dec 05 14:57:16 2019   netbios_node_type = 0
Thu Dec 05 14:57:16 2019   disable_nbt = DISABLED
Thu Dec 05 14:57:16 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Thu Dec 05 14:57:16 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Dec 05 14:57:16 2019 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Thu Dec 05 14:57:16 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Dec 05 14:57:16 2019 Need hold release from management interface, waiting...
Thu Dec 05 14:57:16 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'state on'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'log all on'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'echo all on'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'bytecount 5'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'hold off'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'hold release'
Thu Dec 05 14:57:16 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 05 14:57:16 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 05 14:57:16 2019 LZO compression initializing
Thu Dec 05 14:57:16 2019 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Dec 05 14:57:16 2019 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Dec 05 14:57:16 2019 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Dec 05 14:57:16 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Dec 05 14:57:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET][serverip]:1194
Thu Dec 05 14:57:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Dec 05 14:57:16 2019 UDP link local (bound): [AF_INET][undef]:1194
Thu Dec 05 14:57:16 2019 UDP link remote: [AF_INET][serverip]:1194
Thu Dec 05 14:57:16 2019 MANAGEMENT: >STATE:1575568636,WAIT,,,,,,
Thu Dec 05 14:57:17 2019 MANAGEMENT: >STATE:1575568637,AUTH,,,,,,
Thu Dec 05 14:57:17 2019 TLS: Initial packet from [AF_INET][serverip]:1194, sid=f06c8454 8ab4e8f2
Thu Dec 05 14:57:17 2019 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0_00] 1575568636:4 1575568636:3 t=1575568637[0] r=[0,64,15,1,1] sl=[60,4,64,528]
Thu Dec 05 14:57:17 2019 VERIFY OK: depth=1, C=BR, ST=PR, L=cidade, O=aaa, OU=a, CN=aaa CA, name=VPN_aaa, emailAddress=cpd@[<editado>]
Thu Dec 05 14:57:17 2019 VERIFY KU OK
Thu Dec 05 14:57:17 2019 Validating certificate extended key usage
Thu Dec 05 14:57:17 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 05 14:57:17 2019 VERIFY EKU OK
Thu Dec 05 14:57:17 2019 VERIFY OK: depth=0, C=BR, ST=PR, L=cidade, O=aaa, OU=a, CN=[<editado>], name=VPN_aaa, emailAddress=ssss@[<editado>]
Thu Dec 05 14:57:17 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 05 14:57:17 2019 [[<editado>]] Peer Connection Initiated with [AF_INET][serverip]:1194
Thu Dec 05 14:57:18 2019 MANAGEMENT: >STATE:1575568638,GET_CONFIG,,,,,,
Thu Dec 05 14:57:18 2019 SENT CONTROL [[<editado>]]: 'PUSH_REQUEST' (status=1)
Thu Dec 05 14:57:18 2019 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.18 10.0.0.17,peer-id 0,cipher AES-256-GCM'
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: route options modified
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: peer-id set
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: data channel crypto options modified
Thu Dec 05 14:57:18 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 05 14:57:18 2019 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Dec 05 14:57:18 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 05 14:57:18 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 05 14:57:18 2019 interactive service msg_channel=788
Thu Dec 05 14:57:18 2019 ROUTE_GATEWAY 192.168.100.1/255.255.255.0 I=13 HWADDR=78:e4:00:8d:e2:da
Thu Dec 05 14:57:18 2019 open_tun
Thu Dec 05 14:57:18 2019 TAP-WIN32 device [Conexão Local] opened: \\.\Global\{0B0748C8-4C81-45CE-841C-E6BBE95E4FAF}.tap
Thu Dec 05 14:57:18 2019 TAP-Windows Driver Version 9.24 
Thu Dec 05 14:57:18 2019 TAP-Windows MTU=1500
Thu Dec 05 14:57:18 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.18/255.255.255.252 on interface {0B0748C8-4C81-45CE-841C-E6BBE95E4FAF} [DHCP-serv: 10.0.0.17, lease-time: 31536000]
Thu Dec 05 14:57:18 2019 Successful ARP Flush on interface [40] {0B0748C8-4C81-45CE-841C-E6BBE95E4FAF}
Thu Dec 05 14:57:18 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 05 14:57:18 2019 MANAGEMENT: >STATE:1575568638,ASSIGN_IP,,10.0.0.18,,,,
Thu Dec 05 14:57:20 2019 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Dec 05 14:57:20 2019 MANAGEMENT: >STATE:1575568640,ADD_ROUTES,,,,,,
Thu Dec 05 14:57:20 2019 C:\Windows\system32\route.exe ADD 10.0.0.1 MASK 255.255.255.255 10.0.0.17
Thu Dec 05 14:57:20 2019 Route addition via service succeeded
Thu Dec 05 14:57:20 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 05 14:57:20 2019 Initialization Sequence Completed
Thu Dec 05 14:57:20 2019 MANAGEMENT: >STATE:1575568640,CONNECTED,SUCCESS,10.0.0.18,[serverip],1194,,

log do servidor :
http://www.filedropper.com/openvpnlog

zekkerj · « **Resposta #1 Online:** 05 de Dezembro de 2019, 22:29 »

Quais são as faixas de endereço IP local da rede do cliente e do servidor?

Rafael_M · « **Resposta #2 Online:** 06 de Dezembro de 2019, 08:46 »

Citação de: zekkerj em 05 de Dezembro de 2019, 22:29

Quais são as faixas de endereço IP local da rede do cliente e do servidor?

Acabei esquecendo de colocar essa informação.
Cliente 192.168.100.10/24 (DHCP)

Código: [Selecionar]

2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether [<editado>] brd ff:ff:ff:ff:ff:ff
    inet [<editado>]/29 brd [<editado>] scope global enp2s0f0
       valid_lft forever preferred_lft forever
    inet6 fe80::af1:eaff:feeb:a298/64 scope link
       valid_lft forever preferred_lft forever
3: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether [<editado>] brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.35/24 brd 192.168.0.255 scope global enp2s0f1
       valid_lft forever preferred_lft forever
    inet6 fe80::af1:eaff:feeb:a299/64 scope link
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.0.0.1 peer 10.0.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::dae:800c:f34e:c49d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

zekkerj · « **Resposta #3 Online:** 06 de Dezembro de 2019, 11:55 »

Bateu uma dúvida agora: quando vc diz que não acessa a rede interna, vc quer dizer a rede do cliente, ou do servidor?

Rafael_M · « **Resposta #4 Online:** 06 de Dezembro de 2019, 12:12 »

Citação de: zekkerj em 06 de Dezembro de 2019, 11:55

Bateu uma dúvida agora: quando vc diz que não acessa a rede interna, vc quer dizer a rede do cliente, ou do servidor?

Servidor (Matriz)

zekkerj · « **Resposta #5 Online:** 06 de Dezembro de 2019, 13:42 »

Ah. Eu estava entendendo que vc estava parando de enxergar a rede do cliente, quando conectava.

Lá em cima, vc disse que a regra de rota foi desativada pq passou a dar erro. Me parece que é isso que está faltando, uma regra pra ensinar o cliente da rede do servidor. Veja se a sintaxe da regra mudou, ou se há alguma outra forma (de preferência que só ative quando a conexão ativar) de ensinar essa rota pro cliente.

Notícias:

Autor Tópico: Cliente Openvpn 2.4.4 não acessa rede interna (Lida 4711 vezes)

Rafael_M

Cliente Openvpn 2.4.4 não acessa rede interna

zekkerj

Re:Cliente Openvpn 2.4.4 não acessa rede interna

Rafael_M

Re:Cliente Openvpn 2.4.4 não acessa rede interna

zekkerj

Re:Cliente Openvpn 2.4.4 não acessa rede interna

Rafael_M

Re:Cliente Openvpn 2.4.4 não acessa rede interna

zekkerj

Re:Cliente Openvpn 2.4.4 não acessa rede interna