Hello everyone,
First of all, a thank-you to the community: I've read a lot here in the forum and you've already helped me out with one problem or another.....
But now to the actual problem:
The PC in the local network behind the Fritzbox OVPN server is not reachable.
Local network: 192.168.179.0
FritzBox: 192.168.179.1
Computer: 192.168.179.20 (static)
VPN server: 10.0.0.1
VPN client: 10.0.0.2
The tunnel comes up; pinging 192.168.179.1, fritz.box and 10.0.0.1 works.
Logging in to the web interface via browser works.
From the FritzBox, a ping to the VPN client (10.0.0.2) and to 192.168.179.20 also works (of course).
I think it's a routing problem.
The routing tables of client and server are attached.
...I've already tried quite a few things and maybe can't see the forest for the trees...
Here are my configs:
Client.config (Windows 7 Starter)
client.log
Server.conf
Server log /var/tmp/debug_ovpn.out
Client.config (Windows 7 Starter)
Code:
remote xxx.dyndns.org # the public IP / dyndns name of the router on the server side
proto udp
nobind
port 1194 # port must be the same on server and client; open the port in the firewall and set up NAT / port forwarding on the router if needed
dev tap # tap or tun? tun = point-to-point device on the IP level (OSI layer 3), tap = Ethernet device (OSI layer 2)
dev-node openvpn
tls-client # I am the client
ca c:\\openvpn\\easy-rsa\\keys\\ca.crt
key c:\\openvpn\\easy-rsa\\keys\\clientcert.key
cert c:\\openvpn\\easy-rsa\\keys\\clientcert.crt
tls-auth "c:\\openvpn\\easy-rsa\\keys\\static.key" 1
ns-cert-type server # the client checks that the server certificate carries nsCertType=server
comp-lzo # compression
pull # "pull" must be in the client config so that the push options (gateway, routes) are fetched from the server
tun-mtu 1500
tun-mtu-extra 32 # if tun-mtu and tun-mtu-extra are used, put them in both configs (client & server)
verb 5
mute 50
persist-key
persist-tun
cipher AES-256-CBC
route-method exe
route-delay 2
client.log
Code:
Tue Nov 29 12:16:24 2011 us=868000 Current Parameter Settings:
Tue Nov 29 12:16:24 2011 us=884000 config = 'client_FreetzBox.ovpn'
Tue Nov 29 12:16:24 2011 us=884000 mode = 0
Tue Nov 29 12:16:24 2011 us=884000 show_ciphers = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 show_digests = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 show_engines = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 genkey = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 key_pass_file = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 show_tls_ciphers = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 Connection profiles [default]:
Tue Nov 29 12:16:24 2011 us=884000 proto = udp
Tue Nov 29 12:16:24 2011 us=884000 local = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 local_port = 0
Tue Nov 29 12:16:24 2011 us=884000 remote = 'XXX.no-ip.org'
Tue Nov 29 12:16:24 2011 us=884000 remote_port = 1194
Tue Nov 29 12:16:24 2011 us=884000 remote_float = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 bind_defined = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 bind_local = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 connect_retry_seconds = 5
Tue Nov 29 12:16:24 2011 us=884000 connect_timeout = 10
Tue Nov 29 12:16:24 2011 us=884000 connect_retry_max = 0
Tue Nov 29 12:16:24 2011 us=884000 socks_proxy_server = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 socks_proxy_port = 0
Tue Nov 29 12:16:24 2011 us=884000 socks_proxy_retry = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 Connection profiles END
Tue Nov 29 12:16:24 2011 us=884000 remote_random = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 ipchange = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 dev = 'tap'
Tue Nov 29 12:16:24 2011 us=884000 dev_type = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 dev_node = 'openvpn'
Tue Nov 29 12:16:24 2011 us=884000 lladdr = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 topology = 1
Tue Nov 29 12:16:24 2011 us=884000 tun_ipv6 = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 ifconfig_local = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 ifconfig_remote_netmask = '[UNDEF]'
Tue Nov 29 12:16:24 2011 us=884000 ifconfig_noexec = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 ifconfig_nowarn = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 shaper = 0
Tue Nov 29 12:16:24 2011 us=884000 tun_mtu = 1500
Tue Nov 29 12:16:24 2011 us=884000 tun_mtu_defined = ENABLED
Tue Nov 29 12:16:24 2011 us=884000 link_mtu = 1500
Tue Nov 29 12:16:24 2011 us=884000 link_mtu_defined = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 tun_mtu_extra = 32
Tue Nov 29 12:16:24 2011 us=884000 tun_mtu_extra_defined = ENABLED
Tue Nov 29 12:16:24 2011 us=884000 fragment = 0
Tue Nov 29 12:16:24 2011 us=884000 mtu_discover_type = -1
Tue Nov 29 12:16:24 2011 us=884000 mtu_test = 0
Tue Nov 29 12:16:24 2011 us=884000 mlock = DISABLED
Tue Nov 29 12:16:24 2011 us=884000 keepalive_ping = 0
Tue Nov 29 12:16:24 2011 us=884000 keepalive_timeout = 0
Tue Nov 29 12:16:24 2011 us=884000 NOTE: --mute triggered...
Tue Nov 29 12:16:24 2011 us=884000 172 variation(s) on previous 50 message(s) suppressed by --mute
Tue Nov 29 12:16:24 2011 us=884000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Tue Nov 29 12:16:24 2011 us=884000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 29 12:16:25 2011 us=992000 Control Channel Authentication: using 'c:\openvpn\easy-rsa\keys\static.key' as a OpenVPN static key file
Tue Nov 29 12:16:25 2011 us=992000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:16:25 2011 us=992000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:16:25 2011 us=992000 LZO compression initialized
Tue Nov 29 12:16:25 2011 us=992000 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Nov 29 12:16:25 2011 us=992000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Nov 29 12:16:26 2011 us=132000 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Nov 29 12:16:26 2011 us=132000 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Nov 29 12:16:26 2011 us=132000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Nov 29 12:16:26 2011 us=132000 Local Options hash (VER=V4): '48527533'
Tue Nov 29 12:16:26 2011 us=132000 Expected Remote Options hash (VER=V4): '44bd8b5e'
Tue Nov 29 12:16:26 2011 us=132000 UDPv4 link local: [undef]
Tue Nov 29 12:16:26 2011 us=132000 UDPv4 link remote: xx.xxx.xxx.xx:1194
Tue Nov 29 12:16:26 2011 us=257000 TLS: Initial packet from xx.xxx.xxx.xx:1194, sid=84d0a337 80ea1603
Tue Nov 29 12:16:29 2011 us=268000 VERIFY OK: depth=1, /C=DE/ST=NRW/L=Bonn/O=OpenVPN/OU=IT/CN=IT/[email protected]
Tue Nov 29 12:16:29 2011 us=268000 VERIFY OK: nsCertType=SERVER
Tue Nov 29 12:16:29 2011 us=268000 VERIFY OK: depth=0, /C=DE/ST=NRW/O=OpenVPN/OU=IT1/CN=IT1/emailAddress= [email protected]
Tue Nov 29 12:16:32 2011 us=840000 NOTE: Options consistency check may be skewed by version differences
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1590'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1532'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Tue Nov 29 12:16:32 2011 us=840000 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
Tue Nov 29 12:16:32 2011 us=840000 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 29 12:16:32 2011 us=840000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:16:32 2011 us=840000 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 29 12:16:32 2011 us=840000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:16:32 2011 us=840000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Nov 29 12:16:32 2011 us=840000 [IT1] Peer Connection Initiated with xx.xxx.xxx.xx:1194
Tue Nov 29 12:16:35 2011 us=227000 SENT CONTROL [IT1]: 'PUSH_REQUEST' (status=1)
Tue Nov 29 12:16:35 2011 us=336000 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.179.1,dhcp-option WINS 192.168.179.1,redirect-gateway,route 10.0.0.0 255.255.255.0,route-gateway 10.0.0.1,route 192.168.179.0 255.255.255.0,route 192.168.179.0 255.255.255.0,route 192.168.179.20 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 255.255.255.0'
Tue Nov 29 12:16:35 2011 us=336000 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov 29 12:16:35 2011 us=336000 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov 29 12:16:35 2011 us=336000 OPTIONS IMPORT: route options modified
Tue Nov 29 12:16:35 2011 us=336000 OPTIONS IMPORT: route-related options modified
Tue Nov 29 12:16:35 2011 us=336000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Nov 29 12:16:35 2011 us=367000 ROUTE default_gateway=192.168.2.1
Tue Nov 29 12:16:35 2011 us=430000 TAP-WIN32 device [openvpn] opened: \\.\Global\{CCA89BE2-3DA1-418B-A562-A9D4ACAFC1F5}.tap
Tue Nov 29 12:16:35 2011 us=445000 TAP-Win32 Driver Version 9.8
Tue Nov 29 12:16:35 2011 us=445000 TAP-Win32 MTU=1500
Tue Nov 29 12:16:35 2011 us=445000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.2/255.255.255.0 on interface {CCA89BE2-3DA1-418B-A562-A9D4ACAFC1F5} [DHCP-serv: 10.0.0.0, lease-time: 31536000]
Tue Nov 29 12:16:35 2011 us=445000 DHCP option string: 0604c0a8 b3012c04 c0a8b301
Tue Nov 29 12:16:35 2011 us=445000 Successful ARP Flush on interface [19] {CCA89BE2-3DA1-418B-A562-A9D4ACAFC1F5}
Tue Nov 29 12:16:37 2011 us=941000 TEST ROUTES: 5/5 succeeded len=4 ret=1 a=0 u/d=up
Tue Nov 29 12:16:37 2011 us=941000 C:\WINDOWS\system32\route.exe ADD 95.223.249.24 MASK 255.255.255.255 192.168.2.1
OK!
Tue Nov 29 12:16:38 2011 us=82000 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.2.1
OK!
Tue Nov 29 12:16:38 2011 us=191000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.0.0.1
OK!
Tue Nov 29 12:16:38 2011 us=362000 WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.255.255.0] and remote VPN [10.0.0.0/255.255.255.0]
Tue Nov 29 12:16:38 2011 us=362000 C:\WINDOWS\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 10.0.0.1
OK!
Tue Nov 29 12:16:38 2011 us=487000 C:\WINDOWS\system32\route.exe ADD 192.168.179.0 MASK 255.255.255.0 10.0.0.1
OK!
Tue Nov 29 12:16:38 2011 us=628000 C:\WINDOWS\system32\route.exe ADD 192.168.179.0 MASK 255.255.255.0 10.0.0.1
Hinzufügen der Route fehlgeschlagen: Das Objekt ist bereits vorhanden.
Tue Nov 29 12:16:38 2011 us=752000 C:\WINDOWS\system32\route.exe ADD 192.168.179.20 MASK 255.255.255.0 10.0.0.1
Hinzufügen der Route fehlgeschlagen: Falscher Parameter.
Tue Nov 29 12:16:38 2011 us=830000 Initialization Sequence Completed
Server.conf
Code:
# OpenVPN 2.1 Config, Fri Nov 25 20:53:06 CET 2011
proto udp
dev tap1
ca /tmp/flash/ca.crt
cert /tmp/flash/box.crt
key /tmp/flash/box.key
dh /tmp/flash/dh.pem
tls-server
tls-auth /tmp/flash/static.key 0
port 1194
mode server
client-to-client
max-clients 2
tun-mtu 1500
mssfix
verb 3
daemon
cipher AES-256-CBC
comp-lzo
keepalive 10 120
status /var/log/openvpn_Test.log
ifconfig-push 10.0.0.1 10.0.0.2
push "route 10.0.0.1 255.255.255.0"
route 192.168.179.0 255.255.255.0
iroute 192.168.179.0 255.255.255.0
push "route-gateway 10.0.0.1"
Server log /var/tmp/debug_ovpn.out
Code:
Tue Nov 29 12:31:55 2011 OpenVPN 2.1.1 mipsel-linux [SSL] [LZO2] [EPOLL] [MH] built on Nov 7 2011
Tue Nov 29 12:31:55 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 29 12:31:57 2011 Diffie-Hellman initialized with 2048 bit key
Tue Nov 29 12:31:57 2011 WARNING: file '/tmp/flash/box.key' is group or others accessible
Tue Nov 29 12:31:57 2011 Control Channel Authentication: using '/tmp/flash/static.key' as a OpenVPN static key file
Tue Nov 29 12:31:57 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:31:57 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:31:57 2011 TLS-Auth MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Nov 29 12:31:57 2011 TUN/TAP device tap1 opened
Tue Nov 29 12:31:57 2011 TUN/TAP TX queue length set to 100
Tue Nov 29 12:31:57 2011 /sbin/ifconfig tap1 10.0.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255
Tue Nov 29 12:31:57 2011 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Nov 29 12:31:57 2011 Socket Buffers: R=[110592->131072] S=[110592->131072]
Tue Nov 29 12:31:57 2011 UDPv4 link local (bound): [undef]
Tue Nov 29 12:31:57 2011 UDPv4 link remote: [undef]
Tue Nov 29 12:31:57 2011 MULTI: multi_init called, r=256 v=256
Tue Nov 29 12:31:57 2011 IFCONFIG POOL: base=10.0.0.2 size=8
Tue Nov 29 12:31:57 2011 Initialization Sequence Completed
Tue Nov 29 12:32:13 2011 MULTI: multi_create_instance called
Tue Nov 29 12:32:13 2011 80.136.37.93:59905 Re-using SSL/TLS context
Tue Nov 29 12:32:13 2011 80.136.37.93:59905 LZO compression initialized
Tue Nov 29 12:32:13 2011 80.136.37.93:59905 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Nov 29 12:32:13 2011 80.136.37.93:59905 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Nov 29 12:32:13 2011 80.136.37.93:59905 TLS: Initial packet from [AF_INET]80.136.37.93:59905, sid=034fb784 b8b41548
Tue Nov 29 12:32:20 2011 80.136.37.93:59905 VERIFY OK: depth=1, /C=DE/ST=NRW/L=Bonn/O=OpenVPN/OU=IT/CN=IT/[email protected]
Tue Nov 29 12:32:20 2011 80.136.37.93:59905 VERIFY OK: depth=0, /C=DE/ST=NRW/O=OpenVPN/OU=IT2/CN=IT2/emailAddress= [email protected]
Tue Nov 29 12:32:25 2011 80.136.37.93:59905 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 29 12:32:25 2011 80.136.37.93:59905 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:32:25 2011 80.136.37.93:59905 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 29 12:32:25 2011 80.136.37.93:59905 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 12:32:26 2011 80.136.37.93:59905 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Nov 29 12:32:26 2011 80.136.37.93:59905 [IT2] Peer Connection Initiated with [AF_INET]80.136.37.93:59905
Tue Nov 29 12:32:28 2011 IT2/80.136.37.93:59905 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 29 12:32:28 2011 IT2/80.136.37.93:59905 SENT CONTROL [IT2]: 'PUSH_REPLY,dhcp-option DNS 192.168.179.1,dhcp-option WINS 192.168.179.1,redirect-gateway,route 10.0.0.0 255.255.255.0,route-gateway 10.0.0.1,route 192.168.179.0 255.255.255.0,route 192.168.179.0 255.255.255.0,route 192.168.179.20 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 255.255.255.0' (status=1)
Tue Nov 29 12:32:28 2011 IT2/80.136.37.93:59905 MULTI: Learn: 00:ff:cc:a8:9b:e2 -> IT2/80.136.37.93:59905
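Added example, not part of the original post and not Freetz or OpenVPN project code: a small Python checker for what the client log above actually shows going wrong on the Windows side. It parses the PUSH_REPLY line (copied from the post) and the route.exe command/reply pairs that follow it (a constructed excerpt of the same log), and reports the pushed route whose address has host bits set (route.exe answers "Falscher Parameter"), the route pushed twice ("Das Objekt ist bereits vorhanden"), and the route that merely repeats the tunnel subnet (the "potential route subnet conflict" warning). All function names are my own.

```python
"""Check the routes an OpenVPN 2.x server pushes, and the client's route.exe results.

Added example for the forum post; the PUSH_REPLY line is copied from the post,
the route.exe excerpt is constructed from it, all names are the author's own.
"""
import ipaddress
import re

# Copied from the client.log in the post (redacted values left as-is).
SAMPLE_PUSH_REPLY = (
    "Tue Nov 29 12:16:35 2011 us=336000 PUSH: Received control message: "
    "'PUSH_REPLY,dhcp-option DNS 192.168.179.1,dhcp-option WINS 192.168.179.1,"
    "redirect-gateway,route 10.0.0.0 255.255.255.0,route-gateway 10.0.0.1,"
    "route 192.168.179.0 255.255.255.0,route 192.168.179.0 255.255.255.0,"
    "route 192.168.179.20 255.255.255.0,ping 10,ping-restart 120,"
    "ifconfig 10.0.0.2 255.255.255.0'"
)
# Constructed excerpt: each route.exe command line is followed by its reply line.
SAMPLE_ROUTE_LINES = [
    "Tue Nov 29 12:16:38 2011 us=487000 C:\\WINDOWS\\system32\\route.exe ADD 192.168.179.0 MASK 255.255.255.0 10.0.0.1",
    "OK!",
    "Tue Nov 29 12:16:38 2011 us=628000 C:\\WINDOWS\\system32\\route.exe ADD 192.168.179.0 MASK 255.255.255.0 10.0.0.1",
    "Hinzufügen der Route fehlgeschlagen: Das Objekt ist bereits vorhanden.",
    "Tue Nov 29 12:16:38 2011 us=752000 C:\\WINDOWS\\system32\\route.exe ADD 192.168.179.20 MASK 255.255.255.0 10.0.0.1",
    "Hinzufügen der Route fehlgeschlagen: Falscher Parameter.",
]

PUSH_RE = re.compile(r"PUSH_REPLY,(.*?)'")
ROUTE_CMD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")


def parse_push_reply(log_line):
    """Split the option list of a PUSH_REPLY log line; [] if the line is not one."""
    m = PUSH_RE.search(log_line)
    if not m:
        return []
    return [opt.strip() for opt in m.group(1).split(",") if opt.strip()]


def pushed_routes(options):
    """(network, netmask) pairs from 'route <net> <mask>' options, in push order."""
    return [tuple(o.split()[1:3]) for o in options
            if o.split()[0] == "route" and len(o.split()) >= 3]


def tunnel_subnet(options):
    """The tunnel subnet from the pushed 'ifconfig <ip> <mask>' option, or None."""
    for o in options:
        parts = o.split()
        if parts[0] == "ifconfig" and len(parts) == 3:
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return None


def check_routes(options):
    """Return [(route, problem), ...] for pushed routes the client rejects or does not need."""
    problems, seen = [], set()
    tun = tunnel_subnet(options)
    for net, mask in pushed_routes(options):
        try:
            # strict=True refuses a network address with host bits set, the same
            # condition that makes route.exe answer 'Falscher Parameter'.
            network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        except ValueError:
            problems.append(((net, mask), "host bits set in network address"))
            continue
        if (net, mask) in seen:
            problems.append(((net, mask), "pushed twice"))
            continue
        seen.add((net, mask))
        if network == tun:
            problems.append(((net, mask), "is the tunnel subnet itself"))
    return problems


def suggested_routes(options):
    """The minimal route list to push: valid, unique and not the tunnel subnet."""
    keep = []
    tun = tunnel_subnet(options)
    for net, mask in pushed_routes(options):
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        except ValueError:
            continue
        if network != tun and network not in keep:
            keep.append(network)
    return [str(n) for n in keep]


def failed_route_commands(lines):
    """Pair each route.exe ADD line with the reply line after it; return the failures."""
    failures = []
    for i, line in enumerate(lines):
        m = ROUTE_CMD_RE.search(line)
        if m and i + 1 < len(lines) and lines[i + 1].strip() != "OK!":
            failures.append((f"{m.group(1)}/{m.group(2)}", lines[i + 1].strip()))
    return failures


if __name__ == "__main__":
    opts = parse_push_reply(SAMPLE_PUSH_REPLY)
    for route, why in check_routes(opts):
        print(f"pushed route {route[0]} {route[1]}: {why}")
    print("routes worth pushing:", suggested_routes(opts))
    for route, msg in failed_route_commands(SAMPLE_ROUTE_LINES):
        print(f"route.exe failed for {route}: {msg}")
```

Run against the post's log, the checker reduces the pushed list to the single route 192.168.179.0/24, which the client did install successfully, so the two route.exe failures are noise rather than the cause of the unreachable PC. The remaining places to look are the LAN side: whether the box forwards between tap1 and the LAN at all, and whether the PC's own host firewall accepts traffic from 10.0.0.0/24 (Windows 7 by default only answers echo requests from its local subnet). Independently of routing, the server log's warning that /tmp/flash/box.key is group- or world-readable is worth fixing with restrictive file permissions.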