I moved one of the servers to AltLinux 6.0 Centaurus. I copied all the configs over from 4.1. Almost all services, after some dancing around, came up, except for the OpenVPN server. The server starts, clients connect, BUT the clients see the server and the network behind it, while the server does not see the clients and, accordingly, the networks behind them. Meanwhile, on the old server with Alt 4.1 I do not see any such problems. Maybe someone will spot my mistake with a fresh pair of eyes. I will say up front that the firewall, as an experiment, is switched off on both sides, and the external addresses in the configs have been replaced. Forwarding is enabled.
The configs are below.
VPN server config
#server.conf
port 1194
proto udp
dev tun01
dev-type tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.1.0.0 255.255.0.0
push "route 172.21.0.0 255.255.0.0"
route "10.1.0.0 255.255.0.0"
route "192.168.1.0 255.255.255.0"
#ifconfig-pool 10.1.0.10 10.1.0.30 255.255.0.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
auth MD5
keepalive 10 60
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 3
File from ./ccd for the test client
ifconfig-push 10.1.0.10 10.1.0.2
iroute 192.168.1.0 255.255.255.0
OpenVPN config on the client
#client.conf
dev tun01
#dev-type tun
proto udp
remote 123.123.123.123
port 1194
resolv-retry infinite
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn-client.crt
key /etc/openvpn/keys/openvpn-client.key
tls-client
tls-auth /etc/openvpn/keys/ta.key 1
auth MD5
cipher BF-CBC
ns-cert-type server
#script-security 3 system
comp-lzo
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 3
nobind
Log when starting the service on the server
OpenVPN start
Fri Oct 28 09:15:29 2011 OpenVPN 2.1.4 x86_64-alt-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2010
Fri Oct 28 09:15:29 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Oct 28 09:15:29 2011 Diffie-Hellman initialized with 1024 bit key
Fri Oct 28 09:15:29 2011 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Fri Oct 28 09:15:29 2011 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 09:15:29 2011 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 09:15:29 2011 TLS-Auth MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Fri Oct 28 09:15:29 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
Fri Oct 28 09:15:29 2011 ROUTE default_gateway=123.123.123.124
Fri Oct 28 09:15:29 2011 TUN/TAP device tun01 opened
Fri Oct 28 09:15:29 2011 TUN/TAP TX queue length set to 100
Fri Oct 28 09:15:29 2011 /sbin/ip link set dev tun01 up mtu 1500
Fri Oct 28 09:15:29 2011 /sbin/ip addr add dev tun01 local 10.1.0.1 peer 10.1.0.2
Fri Oct 28 09:15:29 2011 /sbin/ip route add 10.1.0.0/32 via 10.1.0.2
Fri Oct 28 09:15:29 2011 /sbin/ip route add 192.168.1.0/32 via 10.1.0.2
Fri Oct 28 09:15:29 2011 /sbin/ip route add 10.1.0.0/16 via 10.1.0.2
Fri Oct 28 09:15:29 2011 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 28 09:15:29 2011 chroot to '/var/lib/openvpn' and cd to '/' succeeded
Fri Oct 28 09:15:29 2011 GID set to openvpn
Fri Oct 28 09:15:29 2011 UID set to openvpn
Fri Oct 28 09:15:29 2011 UDPv4 link local (bound): [undef]:1194
Fri Oct 28 09:15:29 2011 UDPv4 link remote: [undef]
Fri Oct 28 09:15:29 2011 MULTI: multi_init called, r=256 v=256
Fri Oct 28 09:15:29 2011 IFCONFIG POOL: base=10.1.0.4 size=16382
Fri Oct 28 09:15:29 2011 IFCONFIG POOL LIST
Fri Oct 28 09:15:29 2011 client1,10.1.0.4
Fri Oct 28 09:15:29 2011 Initialization Sequence Completed
Client connection attempt
Fri Oct 28 12:03:23 2011 MULTI: multi_create_instance called
Fri Oct 28 12:03:23 2011 78.159.227.22:53413 Re-using SSL/TLS context
Fri Oct 28 12:03:23 2011 78.159.227.22:53413 LZO compression initialized
Fri Oct 28 12:03:23 2011 78.159.227.22:53413 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Fri Oct 28 12:03:23 2011 78.159.227.22:53413 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 28 12:03:23 2011 78.159.227.22:53413 Local Options hash (VER=V4): '1056bce3'
Fri Oct 28 12:03:23 2011 78.159.227.22:53413 Expected Remote Options hash (VER=V4): '03fa487d'
Fri Oct 28 12:03:23 2011 78.159.227.22:53413 TLS: Initial packet from 111.111.111.111:53413, sid=a09470da 68d0725d
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 VERIFY OK: depth=1, /C=RU/ST=sity/L=sity/O=CompanyLtd/CN=company.ru/emailAddress=info@company.ru
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 VERIFY OK: depth=0, /C=RU/ST=sity/O=CompanyLtd/CN=client1/emailAddress=info@company.ru
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Oct 28 12:03:24 2011 78.159.227.22:53413 [client1] Peer Connection Initiated with 111.111.111.111:53413
Fri Oct 28 12:03:24 2011 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Oct 28 12:03:24 2011 MULTI: Learn: 10.1.0.6 -> client1/111.111.111.111:53413
Fri Oct 28 12:03:24 2011 MULTI: primary virtual IP for client1/111.111.111.111: 10.1.0.6
Client connection log
Fri Oct 28 12:06:38 2011 OpenVPN 2.0.8 i586-alt-linux-gnu [SSL] [LZO] [EPOLL] built on Jun 5 2009
Fri Oct 28 12:06:38 2011 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Fri Oct 28 12:06:38 2011 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 12:06:38 2011 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 12:06:38 2011 LZO compression initialized
Fri Oct 28 12:06:38 2011 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Fri Oct 28 12:06:38 2011 TUN/TAP device tun01 opened
Fri Oct 28 12:06:38 2011 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 28 12:06:38 2011 Local Options hash (VER=V4): '03fa487d'
Fri Oct 28 12:06:38 2011 Expected Remote Options hash (VER=V4): '1056bce3'
Fri Oct 28 12:06:38 2011 chroot to '/var/lib/openvpn' and cd to '/' succeeded
Fri Oct 28 12:06:38 2011 GID set to openvpn
Fri Oct 28 12:06:38 2011 UID set to openvpn
Fri Oct 28 12:06:38 2011 UDPv4 link local: [undef]
Fri Oct 28 12:06:38 2011 UDPv4 link remote: 123.123.123.123:1194
Fri Oct 28 12:06:38 2011 TLS: Initial packet from 123.123.123.123:1194, sid=e056ce84 85797b64
Fri Oct 28 12:06:39 2011 VERIFY OK: depth=1, /C=RU/ST=sity_region/L=sity/O=companyLtd/CN=company.ru/emailAddress=info@company.ru
Fri Oct 28 12:06:39 2011 VERIFY OK: nsCertType=SERVER
Fri Oct 28 12:06:39 2011 VERIFY OK: depth=0, /C=RU/ST=sity_region/O=companyLtd/CN=server/emailAddress=info@company.ru
Fri Oct 28 12:06:40 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Oct 28 12:06:40 2011 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 12:06:40 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Oct 28 12:06:40 2011 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Fri Oct 28 12:06:40 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Oct 28 12:06:40 2011 [server] Peer Connection Initiated with 123.123.123.123:1194
Fri Oct 28 12:06:41 2011 Initialization Sequence Completed
ip a on the server
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether b4:99:ba:a9:08:0c brd ff:ff:ff:ff:ff:ff
inet 172.21.21.21/16 brd 172.21.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether b4:99:ba:a9:08:0d brd ff:ff:ff:ff:ff:ff
inet 123.123.123.123/29 brd 123.123.123.124 scope global eth1
23: tun01: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.1.0.1 peer 10.1.0.2/32 scope global tun01
ip a on the client
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:17:31:4b:4f:60 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:19:cb:54:9e:8f brd ff:ff:ff:ff:ff:ff
4: breth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 00:17:31:4b:4f:60 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 scope global breth0
5: breth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 00:19:cb:54:9e:8f brd ff:ff:ff:ff:ff:ff
inet 222.222.222.222/20 scope global breth1
7: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/void
20: tun01: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 100
link/[65534]
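One thing worth checking against the server log above: the two quoted route lines in server.conf were installed as /32 host routes (the log shows "ip route add 10.1.0.0/32" and "ip route add 192.168.1.0/32"), while the /16 comes from the server directive. OpenVPN's config parser treats a double-quoted string as a single argument, and a route without a netmask defaults to 255.255.255.255, so on the server side only the single host 192.168.1.0, not the whole 192.168.1.0/24, is routed into the tunnel. The script below is an added example, not code from the post; it tokenizes route/iroute lines the way OpenVPN does and cross-checks them against the "ip route add" lines of the log, with the samples from the post embedded as constructed input.

```python
import re
import shlex
from ipaddress import IPv4Network

# Constructed sample: the route/iroute lines from the configs in the post.
SAMPLE_CONF = """
server 10.1.0.0 255.255.0.0
route "10.1.0.0 255.255.0.0"
route "192.168.1.0 255.255.255.0"
iroute 192.168.1.0 255.255.255.0
"""

# Constructed sample: the 'ip route add' lines from the server log in the post.
SAMPLE_LOG = """
/sbin/ip route add 10.1.0.0/32 via 10.1.0.2
/sbin/ip route add 192.168.1.0/32 via 10.1.0.2
/sbin/ip route add 10.1.0.0/16 via 10.1.0.2
"""

def parse_routes(conf_text):
    """Yield (directive, network, quoted) for every route/iroute line.

    Tokenizing follows OpenVPN's config rules: a double-quoted string is a
    single argument, and a route without a netmask defaults to
    255.255.255.255 (a host route). A quoted "net mask" pair therefore
    arrives as ONE token; this model keeps its first word as the network,
    which matches the /32 routes the log shows for exactly those lines."""
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 2 or tokens[0] not in ("route", "iroute"):
            continue
        quoted = " " in tokens[1]
        network = tokens[1].split()[0]
        netmask = tokens[2] if len(tokens) > 2 else "255.255.255.255"
        yield tokens[0], IPv4Network(f"{network}/{netmask}", strict=False), quoted

def installed_routes(log_text):
    """Prefixes the server actually installed, taken from 'ip route add' lines."""
    return {m.group(1) for m in re.finditer(r"ip route add (\S+) via", log_text)}

def find_lost_netmasks(conf_text, log_text):
    """Flag route lines whose quoting collapsed the netmask to /32 and confirm
    against the log whether that host route is what really got installed."""
    installed = installed_routes(log_text)
    report = []
    for directive, net, quoted in parse_routes(conf_text):
        if quoted and net.prefixlen == 32:
            status = "installed" if str(net) in installed else "not in log"
            report.append(f"{directive} {net}: quoted argument, netmask lost ({status})")
    return report

if __name__ == "__main__":
    for problem in find_lost_netmasks(SAMPLE_CONF, SAMPLE_LOG):
        print(problem)
```

Run it against the real server.conf and openvpn.log to see which route directives the kernel actually received as host routes.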