Author Topic: OpenVPN 2.4.4 client cannot reach the internal network (Read 4711 times)

Offline Rafael_M

OpenVPN 2.4.4 client cannot reach the internal network
« On: 05 December 2019, 17:12 »
I am migrating servers, from Ubuntu 14.04 to 18.04, but OpenVPN is not working: I can connect and ping the IP of the tun0 interface, but I cannot reach the internal network. OpenVPN worked correctly on the old server with OpenVPN 2.3.2. I don't know what it could be.
PS: ip_forward is already = 1.

Here are the server and client configuration files and the logs.
Server
Code:
# OpenVPN configuration file.
proto udp
port 1194
dev tun
server 10.0.0.0 255.255.255.0
# commented out because of an error message in version 2.4.4
;push "route 192.168.0.0 255.255.255.0"
;push "dhcp-option DNS 192.168.0.1"
;route 10.0.0.0 255.255.255.0

comp-lzo
keepalive 10 120
float

ifconfig-pool-persist /etc/openvpn/ipp.txt

max-clients 10
persist-key
persist-tun

verb 4
tls-server

dh   /etc/openvpn/keys/dh2048.pem
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/site.crt
key  /etc/openvpn/keys/site.key
tls-auth /etc/openvpn/keys/chave.key

status     /var/log/openvpn/status.log
log        /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
Client
Code:
dev tun
proto udp
remote [<editado>]
port 1194
pull
comp-lzo
keepalive 10 120
float
tls-client
persist-tun
persist-key
remote-cert-tls server


ca ca.crt
cert cliente01.crt
key cliente01.key
tls-auth chave.key
route-method exe
route-delay 2

verb 4
log openvpn.log

Client log
Code:
Thu Dec 05 14:57:16 2019   pkcs11_protected_authentication = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_private_mode = 00000000
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_cert_private = DISABLED
Thu Dec 05 14:57:16 2019   pkcs11_pin_cache_period = -1
Thu Dec 05 14:57:16 2019   pkcs11_id = '[UNDEF]'
Thu Dec 05 14:57:16 2019   pkcs11_id_management = DISABLED
Thu Dec 05 14:57:16 2019   server_network = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_network_ipv6 = ::
Thu Dec 05 14:57:16 2019   server_netbits_ipv6 = 0
Thu Dec 05 14:57:16 2019   server_bridge_ip = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_bridge_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_bridge_pool_start = 0.0.0.0
Thu Dec 05 14:57:16 2019   server_bridge_pool_end = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_defined = DISABLED
Thu Dec 05 14:57:16 2019   ifconfig_pool_start = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_end = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Dec 05 14:57:16 2019   ifconfig_pool_persist_refresh_freq = 600
Thu Dec 05 14:57:16 2019   ifconfig_ipv6_pool_defined = DISABLED
Thu Dec 05 14:57:16 2019   ifconfig_ipv6_pool_base = ::
Thu Dec 05 14:57:16 2019   ifconfig_ipv6_pool_netbits = 0
Thu Dec 05 14:57:16 2019   n_bcast_buf = 256
Thu Dec 05 14:57:16 2019   tcp_queue_limit = 64
Thu Dec 05 14:57:16 2019   real_hash_size = 256
Thu Dec 05 14:57:16 2019   virtual_hash_size = 256
Thu Dec 05 14:57:16 2019   client_connect_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   learn_address_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   client_disconnect_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   client_config_dir = '[UNDEF]'
Thu Dec 05 14:57:16 2019   ccd_exclusive = DISABLED
Thu Dec 05 14:57:16 2019   tmp_dir = 'C:\Users\aaa\AppData\Local\Temp\'
Thu Dec 05 14:57:16 2019   push_ifconfig_defined = DISABLED
Thu Dec 05 14:57:16 2019   push_ifconfig_local = 0.0.0.0
Thu Dec 05 14:57:16 2019   push_ifconfig_remote_netmask = 0.0.0.0
Thu Dec 05 14:57:16 2019   push_ifconfig_ipv6_defined = DISABLED
Thu Dec 05 14:57:16 2019   push_ifconfig_ipv6_local = ::/0
Thu Dec 05 14:57:16 2019   push_ifconfig_ipv6_remote = ::
Thu Dec 05 14:57:16 2019   enable_c2c = DISABLED
Thu Dec 05 14:57:16 2019   duplicate_cn = DISABLED
Thu Dec 05 14:57:16 2019   cf_max = 0
Thu Dec 05 14:57:16 2019   cf_per = 0
Thu Dec 05 14:57:16 2019   max_clients = 1024
Thu Dec 05 14:57:16 2019   max_routes_per_client = 256
Thu Dec 05 14:57:16 2019   auth_user_pass_verify_script = '[UNDEF]'
Thu Dec 05 14:57:16 2019   auth_user_pass_verify_script_via_file = DISABLED
Thu Dec 05 14:57:16 2019   auth_token_generate = DISABLED
Thu Dec 05 14:57:16 2019   auth_token_lifetime = 0
Thu Dec 05 14:57:16 2019   client = DISABLED
Thu Dec 05 14:57:16 2019   pull = ENABLED
Thu Dec 05 14:57:16 2019   auth_user_pass_file = '[UNDEF]'
Thu Dec 05 14:57:16 2019   show_net_up = DISABLED
Thu Dec 05 14:57:16 2019   route_method = 3
Thu Dec 05 14:57:16 2019   block_outside_dns = DISABLED
Thu Dec 05 14:57:16 2019   ip_win32_defined = DISABLED
Thu Dec 05 14:57:16 2019   ip_win32_type = 3
Thu Dec 05 14:57:16 2019   dhcp_masq_offset = 0
Thu Dec 05 14:57:16 2019   dhcp_lease_time = 31536000
Thu Dec 05 14:57:16 2019   tap_sleep = 0
Thu Dec 05 14:57:16 2019   dhcp_options = DISABLED
Thu Dec 05 14:57:16 2019   dhcp_renew = DISABLED
Thu Dec 05 14:57:16 2019   dhcp_pre_release = DISABLED
Thu Dec 05 14:57:16 2019   domain = '[UNDEF]'
Thu Dec 05 14:57:16 2019   netbios_scope = '[UNDEF]'
Thu Dec 05 14:57:16 2019   netbios_node_type = 0
Thu Dec 05 14:57:16 2019   disable_nbt = DISABLED
Thu Dec 05 14:57:16 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Thu Dec 05 14:57:16 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Dec 05 14:57:16 2019 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Thu Dec 05 14:57:16 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Dec 05 14:57:16 2019 Need hold release from management interface, waiting...
Thu Dec 05 14:57:16 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'state on'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'log all on'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'echo all on'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'bytecount 5'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'hold off'
Thu Dec 05 14:57:16 2019 MANAGEMENT: CMD 'hold release'
Thu Dec 05 14:57:16 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 05 14:57:16 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 05 14:57:16 2019 LZO compression initializing
Thu Dec 05 14:57:16 2019 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Dec 05 14:57:16 2019 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Dec 05 14:57:16 2019 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Dec 05 14:57:16 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Dec 05 14:57:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET][serverip]:1194
Thu Dec 05 14:57:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Dec 05 14:57:16 2019 UDP link local (bound): [AF_INET][undef]:1194
Thu Dec 05 14:57:16 2019 UDP link remote: [AF_INET][serverip]:1194
Thu Dec 05 14:57:16 2019 MANAGEMENT: >STATE:1575568636,WAIT,,,,,,
Thu Dec 05 14:57:17 2019 MANAGEMENT: >STATE:1575568637,AUTH,,,,,,
Thu Dec 05 14:57:17 2019 TLS: Initial packet from [AF_INET][serverip]:1194, sid=f06c8454 8ab4e8f2
Thu Dec 05 14:57:17 2019 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0_00] 1575568636:4 1575568636:3 t=1575568637[0] r=[0,64,15,1,1] sl=[60,4,64,528]
Thu Dec 05 14:57:17 2019 VERIFY OK: depth=1, C=BR, ST=PR, L=cidade, O=aaa, OU=a, CN=aaa CA, name=VPN_aaa, emailAddress=cpd@[<editado>]
Thu Dec 05 14:57:17 2019 VERIFY KU OK
Thu Dec 05 14:57:17 2019 Validating certificate extended key usage
Thu Dec 05 14:57:17 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 05 14:57:17 2019 VERIFY EKU OK
Thu Dec 05 14:57:17 2019 VERIFY OK: depth=0, C=BR, ST=PR, L=cidade, O=aaa, OU=a, CN=[<editado>], name=VPN_aaa, emailAddress=ssss@[<editado>]
Thu Dec 05 14:57:17 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Dec 05 14:57:17 2019 [[<editado>]] Peer Connection Initiated with [AF_INET][serverip]:1194
Thu Dec 05 14:57:18 2019 MANAGEMENT: >STATE:1575568638,GET_CONFIG,,,,,,
Thu Dec 05 14:57:18 2019 SENT CONTROL [[<editado>]]: 'PUSH_REQUEST' (status=1)
Thu Dec 05 14:57:18 2019 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.18 10.0.0.17,peer-id 0,cipher AES-256-GCM'
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: route options modified
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: peer-id set
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Dec 05 14:57:18 2019 OPTIONS IMPORT: data channel crypto options modified
Thu Dec 05 14:57:18 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 05 14:57:18 2019 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Dec 05 14:57:18 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 05 14:57:18 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 05 14:57:18 2019 interactive service msg_channel=788
Thu Dec 05 14:57:18 2019 ROUTE_GATEWAY 192.168.100.1/255.255.255.0 I=13 HWADDR=78:e4:00:8d:e2:da
Thu Dec 05 14:57:18 2019 open_tun
Thu Dec 05 14:57:18 2019 TAP-WIN32 device [Conexão Local] opened: \\.\Global\{0B0748C8-4C81-45CE-841C-E6BBE95E4FAF}.tap
Thu Dec 05 14:57:18 2019 TAP-Windows Driver Version 9.24
Thu Dec 05 14:57:18 2019 TAP-Windows MTU=1500
Thu Dec 05 14:57:18 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.18/255.255.255.252 on interface {0B0748C8-4C81-45CE-841C-E6BBE95E4FAF} [DHCP-serv: 10.0.0.17, lease-time: 31536000]
Thu Dec 05 14:57:18 2019 Successful ARP Flush on interface [40] {0B0748C8-4C81-45CE-841C-E6BBE95E4FAF}
Thu Dec 05 14:57:18 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 05 14:57:18 2019 MANAGEMENT: >STATE:1575568638,ASSIGN_IP,,10.0.0.18,,,,
Thu Dec 05 14:57:20 2019 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Dec 05 14:57:20 2019 MANAGEMENT: >STATE:1575568640,ADD_ROUTES,,,,,,
Thu Dec 05 14:57:20 2019 C:\Windows\system32\route.exe ADD 10.0.0.1 MASK 255.255.255.255 10.0.0.17
Thu Dec 05 14:57:20 2019 Route addition via service succeeded
Thu Dec 05 14:57:20 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 05 14:57:20 2019 Initialization Sequence Completed
Thu Dec 05 14:57:20 2019 MANAGEMENT: >STATE:1575568640,CONNECTED,SUCCESS,10.0.0.18,[serverip],1194,,


Server log:
http://www.filedropper.com/openvpnlog
« Last edit: 05 December 2019, 17:29 by Rafael_M »

Offline zekkerj

Re: OpenVPN 2.4.4 client cannot reach the internal network
« Reply #1 on: 05 December 2019, 22:29 »
What are the local IP address ranges of the client's network and of the server's network?
Search before asking; your question may already have been answered.
I don't answer questions by PM; post your question on the forum, where your colleagues can search for it!
Don't come to the forum only to ask. If you know the answer to a problem, why not help your colleague? ;D

Offline Rafael_M

Re: OpenVPN 2.4.4 client cannot reach the internal network
« Reply #2 on: 06 December 2019, 08:46 »
What are the local IP address ranges of the client's network and of the server's network?

I ended up forgetting to include that information.
Client: 192.168.100.10/24 (DHCP)

Code:
2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether [<editado>] brd ff:ff:ff:ff:ff:ff
    inet [<editado>]/29 brd [<editado>] scope global enp2s0f0
       valid_lft forever preferred_lft forever
    inet6 fe80::af1:eaff:feeb:a298/64 scope link
       valid_lft forever preferred_lft forever
3: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether [<editado>] brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.35/24 brd 192.168.0.255 scope global enp2s0f1
       valid_lft forever preferred_lft forever
    inet6 fe80::af1:eaff:feeb:a299/64 scope link
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.0.0.1 peer 10.0.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::dae:800c:f34e:c49d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Offline zekkerj

Re: OpenVPN 2.4.4 client cannot reach the internal network
« Reply #3 on: 06 December 2019, 11:55 »
A question just occurred to me: when you say you cannot reach the internal network, do you mean the client's network or the server's?

Offline Rafael_M

Re: OpenVPN 2.4.4 client cannot reach the internal network
« Reply #4 on: 06 December 2019, 12:12 »
A question just occurred to me: when you say you cannot reach the internal network, do you mean the client's network or the server's?
Server (head office)


Offline zekkerj

Re: OpenVPN 2.4.4 client cannot reach the internal network
« Reply #5 on: 06 December 2019, 13:42 »
Ah. I understood you to mean that you stopped seeing the client's network when you connected.

Up above, you said the route rule was disabled because it started giving an error. It seems to me that is what is missing: a rule to teach the client about the server's network. Check whether the syntax of the rule has changed, or whether there is some other way (preferably one that only activates when the connection comes up) to teach that route to the client.
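The client log posted earlier confirms the diagnosis: the PUSH_REPLY line carries only `route 10.0.0.1` (the tunnel endpoint generated by the `server` directive), so with the `push "route 192.168.0.0 255.255.255.0"` line commented out the client never learns a route to the server's LAN. The following shell script is an added example, not code from the thread or from the OpenVPN project: it pulls the route options out of a PUSH_REPLY line and checks whether a given LAN is among them, which is a quick way to verify a config change without reading the whole verb 4 log. The log lines in it are constructed after the one in the thread; the second one assumes the `push "route"` line has been re-enabled.

```shell
#!/bin/sh
# Added example, not part of the thread: read the PUSH_REPLY line from an
# OpenVPN client log, list the routes the server actually pushed, and check
# whether the server-side LAN is among them.

# Constructed sample in the shape of the client log above: the server pushes
# only the tunnel endpoint 10.0.0.1 (generated by the "server" directive),
# so the client never learns a route to 192.168.0.0/24.
SAMPLE_LOG="Thu Dec 05 14:57:18 2019 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.18 10.0.0.17,peer-id 0,cipher AES-256-GCM'"

# Constructed sample of the same line once the server config again contains
#   push "route 192.168.0.0 255.255.255.0"
FIXED_LOG="Thu Dec 05 14:57:18 2019 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.18 10.0.0.17,peer-id 0,cipher AES-256-GCM'"

# pushed_routes LOGTEXT
# Prints one "network netmask" pair per pushed route option. OpenVPN treats a
# route given without a netmask as a host route, so 255.255.255.255 is filled in.
pushed_routes() {
    printf '%s\n' "$1" \
      | grep -o "PUSH_REPLY,[^']*" \
      | tr ',' '\n' \
      | awk '$1 == "route" { print $2, ($3 == "" ? "255.255.255.255" : $3) }'
}

# lan_route_pushed LOGTEXT NETWORK NETMASK
# Succeeds (exit 0) only when exactly that network/netmask was pushed.
lan_route_pushed() {
    pushed_routes "$1" | grep -qxF "$2 $3"
}

# Against a real client log:  lan_route_pushed "$(cat openvpn.log)" 192.168.0.0 255.255.255.0
if lan_route_pushed "$SAMPLE_LOG" 192.168.0.0 255.255.255.0; then
    echo "LAN route pushed"
else
    echo "LAN route NOT pushed; client only received:"
    pushed_routes "$SAMPLE_LOG"
fi
```

Pushing the route is only half of the path: for replies to come back, the hosts on 192.168.0.0/24 (or their default gateway) also need a route to 10.0.0.0/24 via the VPN server's LAN address, 192.168.0.35 in the `ip addr` output above, unless the server NATs the tunnel traffic onto its LAN interface. That return-route requirement is a general property of routed OpenVPN setups, not something stated in the thread.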