Thread starter: wenzk

[vpn] [Original] Building a secure VPN with OpenVPN [OpenVPN + CA]

Posted on 2005-03-03 16:55

Original post by "wheel":
# The key pair generated by easy-rsa/build-key, as mentioned in the key-generation section above. Different clients use different keys: change the following two lines to point at their keys.
cert elm.crt
key elm.key

Are these the files under /etc/openvpn/easy-rsa/keys?


When you run the command ./build-key <name>
it generates <name>.crt and <name>.key under easy-rsa/keys/; these two files replace the ones above.

Posted on 2005-03-03 16:59

Why won't the client start?
My server.conf on the VPN server:
/etc/openvpn/server.conf
# Declares the local IP address to use; may also be left unspecified
;local a.b.c.d
# Declares the port to use; default 1194
port 1194
# Declares the protocol to use; UDP by default. If an HTTP proxy is used, TCP must be used
;proto tcp
proto udp
# Declares the device to use, tap or tun. tap is a layer-2 device and supports link-layer protocols.
# tun is an IP-layer point-to-point device with slightly more restrictions; I am used to using TAP devices
dev tap
;dev tun
# The root CA used by OpenVPN, generated with build-ca, used to verify whether a client's certificate is valid
ca ca.crt
# Certificate file used by the server
cert server.crt
# Key matching the server's certificate; mind the file permissions so it cannot be stolen
key server.key # This file should be kept secret
# CRL file declaration: the list of revoked certificates; these certificates will not be able to log in
crl-verify vpncrl.pem
# The Diffie-Hellman file generated as mentioned above
dh dh1024.pem
# This is a bundle of directives; if you are an old OpenVPN user you know where it comes from
# This directive is equivalent to:
# mode server # OpenVPN works in server mode and supports multiple clients connecting dynamically at the same time
# tls-server # Use TLS-encrypted transport; this end is the server, the client side is tls-client
#
# if dev tun: # if a tun device is used, equivalent to the following configuration
# ifconfig 10.8.0.1 10.8.0.2 # set the local tun device address
# ifconfig-pool 10.8.0.4 10.8.0.251 # the address pool OpenVPN uses (assigned to clients): start address, end address
# route 10.8.0.0 255.255.255.0 # add a static route; the next-hop address is omitted and defaults to the peer address, here 10.8.0.2
# if client-to-client: # if the client-to-client option is used
# push "route 10.8.0.0 255.255.255.0" # push this route to the clients; after connecting they add it to their routing table automatically; the omitted next hop is 10.8.0.1
# else
# push "route 10.8.0.1" # otherwise push this route, a host route; the omitted netmask and next hop are 255.255.255.255 and 10.8.0.1 respectively
#
# if dev tap: # if a tap device is used, equivalent to the following commands
# ifconfig 10.8.0.1 255.255.255.0 # configure the tap device address
# ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 # address pool for clients: start address, end address, netmask
# push "route-gateway 10.8.0.1" # pass the route-gateway environment variable to the client
#
server 10.8.0.0 255.255.255.0 # equivalent to the commands above

# Records the IP address a given client obtained, similar to the dhcpd.leases file,
# so that after an openvpn restart it does not "forget" the IP a client used before
ifconfig-pool-persist ipp.txt
# DHCPD-like configuration in bridge mode that assigns addresses to clients; not used here since we work in routed mode
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes from the VPN server to clients; a client obtains all options pushed by the server via pull and applies them
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# Routes added on the VPN server after the VPN starts; deleted automatically when the VPN stops
;route 10.9.0.0 255.255.255.252
# Run script or shell command cmd to validate client
# virtual addresses or routes. See the manual for details
;learn-address ./script
# Other options that need to be pushed to clients
#
# Make the client's default gateway point to the VPN so that all client traffic goes through the VPN
push "redirect-gateway"
# Some DHCP options; see the manual for details
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# If VPN clients are allowed to reach each other, forward directly inside the openvpn process
# instead of sending to the tun/tap device and forwarding again; optimizes client-to-client access
client-to-client
# If the Common Names of the clients' certificates are duplicated, or all clients use the same certificate
# and keys to connect to the VPN, this option must be enabled, otherwise only one person can connect
;duplicate-cn
# When using the VPN behind NAT, if the VPN is idle for a long time the NAT session may expire
# and the VPN connection is lost. To prevent this, keepalive provides a ping-like mechanism:
# the line below pings the peer every 10 seconds over the VPN control channel; if no ping succeeds
# for 120 consecutive seconds the connection is considered lost, and the VPN restarts and reconnects
# (openvpn in mode server does not reconnect).
keepalive 10 120
# The HMAC firewall mentioned above, against DoS attacks: all control messages carry an HMAC signature,
# and control messages without one are not processed. Note that the number on the server side must be 0, and the client uses 1
tls-auth ta.key 0 # This file is secret
# Compress the data; note that server and client must match
comp-lzo
# Define the maximum number of connections
;max-clients 100
# Define the user openvpn runs as
user nobody
group nobody
# After a keepalive timeout restarts the VPN, do not re-read the keys; keep the keys read the first time
persist-key
# After a keepalive timeout restarts the VPN, keep the tun/tap device link-up throughout,
# otherwise the network connection goes link-down and then link-up
persist-tun
# Periodically write some openvpn status information to a file, so you can write your own billing program or do other things
status openvpn-status.log
# Log; the previous log content is deleted each time openvpn restarts
log /var/log/openvpn.log
# Same as log, but the previous log content is kept on restart and new entries are appended at the end
;log-append openvpn.log
# Equivalent to the debug level; see the manual for details
verb 3

Posted on 2005-03-03 17:02

Original post by "wheel":
On the client:
ls /etc/openvpn/
ca.crt  client.conf  elm.crt  elm.key  ta.key
Right?
Once the client has these files, can I simply run
/etc/rc.d/init.d/openvpn start


Yes. If there are problems, look at the /var/log/openvpn.log file and post it.

Posted on 2005-03-03 17:06

Original post by "wheel": ...alhost ~]#

Posted on 2005-03-03 17:08

Original post by "wangli2000_cn": Where is server.conf?


It is described in the body of the article; alternatively, take the server.conf under sample-config and modify it slightly and you are done.

Posted on 2005-03-03 17:11

Original post by "wheel":
Why won't the client start?
My server.conf on the VPN server:
/etc/openvpn/server.conf
# Declares the local IP address to use; may also be left unspecified
;local a.b.c.d
# Declares the port to use; default 1194
port 1194
# Declares the protocol to use; UDP by default..........


Show me the log, the /var/log/openvpn.log file.

On Windows it is under C:\Program Files\OpenVPN\logs\. What do the messages say?

Posted on 2005-03-03 17:41

The client does not have
/var/log/openvpn.log
The server has:
Thu Mar  3 16:43:42 2005 OpenVPN 2.0_rc16 i686-pc-linux [SSL] [LZO] [EPOLL] built on Mar  3 2005
Thu Mar  3 16:43:42 2005 Diffie-Hellman initialized with 1024 bit key
Thu Mar  3 16:43:42 2005 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Mar  3 16:43:42 2005 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  3 16:43:42 2005 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  3 16:43:42 2005 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar  3 16:43:42 2005 TUN/TAP device tap0 opened
Thu Mar  3 16:43:42 2005 /sbin/ifconfig tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Mar  3 16:43:42 2005 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Thu Mar  3 16:43:42 2005 GID set to nobody
Thu Mar  3 16:43:42 2005 UID set to nobody
Thu Mar  3 16:43:42 2005 UDPv4 link local (bound): [undef]:1194
Thu Mar  3 16:43:42 2005 UDPv4 link remote: [undef]
Thu Mar  3 16:43:42 2005 MULTI: multi_init called, r=256 v=256
Thu Mar  3 16:43:42 2005 IFCONFIG POOL: base=10.8.0.2 size=253
Thu Mar  3 16:43:42 2005 IFCONFIG POOL LIST
Thu Mar  3 16:43:42 2005 Initialization Sequence Completed
Thu Mar  3 17:08:14 2005 event_wait : Interrupted system call (code=4)
Thu Mar  3 17:08:14 2005 TCP/UDP: Closing socket
Thu Mar  3 17:08:14 2005 Closing TUN/TAP interface
Thu Mar  3 17:08:14 2005 SIGTERM[hard,] received, process exiting

Posted on 2005-03-03 18:19

The client is up!!!
cat /etc/openvpn/client.conf
client
dev tap
;dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 192.168.1.72 1194
;remote my-server-2 1194
;remote-random
;resolv-retry infinite
;nobind
user nobody
group nobody
route 200.200.199.0 255.255.0.0
persist-key
;persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
log /var/log/openvpn.log
verb 4

Posted on 2005-03-03 18:53

Original post by "wheel":

;mute-replay-warnings
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
log /var/log/openvpn.log
verb 4


Your 192.168.1.146 probably has a problem with its openssl library files, which causes a TLS verification error.

I also started the client on your machine; there is a small error that I had not spotted just now.

The client startup log should be:
---------------------------------------------------------------------------
Thu Mar  3 18:46:44 2005 us=782366 Current Parameter Settings:
Thu Mar  3 18:46:44 2005 us=782640   config = 'client.conf.bak'
Thu Mar  3 18:46:44 2005 us=782722   mode = 0
Thu Mar  3 18:46:44 2005 us=782766   persist_config = DISABLED
Thu Mar  3 18:46:44 2005 us=782804   persist_mode = 1
Thu Mar  3 18:46:44 2005 us=782838   show_ciphers = DISABLED
Thu Mar  3 18:46:44 2005 us=782874   show_digests = DISABLED
Thu Mar  3 18:46:44 2005 us=782909   show_engines = DISABLED
Thu Mar  3 18:46:44 2005 us=782949   genkey = DISABLED
Thu Mar  3 18:46:44 2005 us=782986   key_pass_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=783021   show_tls_ciphers = DISABLED
Thu Mar  3 18:46:44 2005 us=783057   proto = 0
Thu Mar  3 18:46:44 2005 us=783091   local = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=783129   remote_list[0] = {'192.168.1.72', 1194}
Thu Mar  3 18:46:44 2005 us=783176   remote_random = DISABLED
Thu Mar  3 18:46:44 2005 us=783215   local_port = 1194
Thu Mar  3 18:46:44 2005 us=783249   remote_port = 1194
Thu Mar  3 18:46:44 2005 us=783285   remote_float = DISABLED
Thu Mar  3 18:46:44 2005 us=783320   ipchange = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=783354   bind_local = DISABLED
Thu Mar  3 18:46:44 2005 us=783391   dev = 'tap'
Thu Mar  3 18:46:44 2005 us=783426   dev_type = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=783460   dev_node = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=783495   tun_ipv6 = DISABLED
Thu Mar  3 18:46:44 2005 us=783529   ifconfig_local = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=783562   ifconfig_remote_netmask = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=783596   ifconfig_noexec = DISABLED
Thu Mar  3 18:46:44 2005 us=783630   ifconfig_nowarn = DISABLED
Thu Mar  3 18:46:44 2005 us=783664   shaper = 0
Thu Mar  3 18:46:44 2005 us=783713   tun_mtu = 1500
Thu Mar  3 18:46:44 2005 us=783753   tun_mtu_defined = ENABLED
Thu Mar  3 18:46:44 2005 us=783790   link_mtu = 1500
Thu Mar  3 18:46:44 2005 us=783867   link_mtu_defined = DISABLED
Thu Mar  3 18:46:44 2005 us=783920   tun_mtu_extra = 32
Thu Mar  3 18:46:44 2005 us=783956   tun_mtu_extra_defined = ENABLED
Thu Mar  3 18:46:44 2005 us=783992   fragment = 0
Thu Mar  3 18:46:44 2005 us=784028   mtu_discover_type = -1
Thu Mar  3 18:46:44 2005 us=784062   mtu_test = 0
Thu Mar  3 18:46:44 2005 us=784096   mlock = DISABLED
Thu Mar  3 18:46:44 2005 us=784131   keepalive_ping = 0
Thu Mar  3 18:46:44 2005 us=784169   keepalive_timeout = 0
Thu Mar  3 18:46:44 2005 us=784203   inactivity_timeout = 0
Thu Mar  3 18:46:44 2005 us=784237   ping_send_timeout = 0
Thu Mar  3 18:46:44 2005 us=784271   ping_rec_timeout = 120
Thu Mar  3 18:46:44 2005 us=784304   ping_rec_timeout_action = 2
Thu Mar  3 18:46:44 2005 us=784337   ping_timer_remote = DISABLED
Thu Mar  3 18:46:44 2005 us=784372   remap_sigusr1 = 0
Thu Mar  3 18:46:44 2005 us=784406   explicit_exit_notification = 0
Thu Mar  3 18:46:44 2005 us=784440   persist_tun = DISABLED
Thu Mar  3 18:46:44 2005 us=784473   persist_local_ip = DISABLED
Thu Mar  3 18:46:44 2005 us=784506   persist_remote_ip = DISABLED
Thu Mar  3 18:46:44 2005 us=784542   persist_key = ENABLED
Thu Mar  3 18:46:44 2005 us=784577   mssfix = 1450
Thu Mar  3 18:46:44 2005 us=784611   passtos = DISABLED
Thu Mar  3 18:46:44 2005 us=784648   resolve_retry_seconds = 1000000000
Thu Mar  3 18:46:44 2005 us=784703   connect_retry_seconds = 5
Thu Mar  3 18:46:44 2005 us=784741   username = 'nobody'
Thu Mar  3 18:46:44 2005 us=784777   groupname = 'nobody'
Thu Mar  3 18:46:44 2005 us=784812   chroot_dir = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=784845   cd_dir = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=784878   writepid = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=784912   up_script = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=784946   down_script = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=784980   down_pre = DISABLED
Thu Mar  3 18:46:44 2005 us=785015   up_restart = DISABLED
Thu Mar  3 18:46:44 2005 us=785049   up_delay = DISABLED
Thu Mar  3 18:46:44 2005 us=785081   daemon = DISABLED
Thu Mar  3 18:46:44 2005 us=785115   inetd = 0
Thu Mar  3 18:46:44 2005 us=785148   log = ENABLED
Thu Mar  3 18:46:44 2005 us=785184   suppress_timestamps = DISABLED
Thu Mar  3 18:46:44 2005 us=785259   nice = 0
Thu Mar  3 18:46:44 2005 us=785300   verbosity = 4
Thu Mar  3 18:46:44 2005 us=785337   mute = 0
Thu Mar  3 18:46:44 2005 us=785371   gremlin = 0
Thu Mar  3 18:46:44 2005 us=785403   status_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=785437   status_file_version = 1
Thu Mar  3 18:46:44 2005 us=785471   status_file_update_freq = 60
Thu Mar  3 18:46:44 2005 us=785507   occ = ENABLED
Thu Mar  3 18:46:44 2005 us=785541   rcvbuf = 65536
Thu Mar  3 18:46:44 2005 us=785576   sndbuf = 65536
Thu Mar  3 18:46:44 2005 us=785615   socks_proxy_server = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=785654   socks_proxy_port = 0
Thu Mar  3 18:46:44 2005 us=785709   socks_proxy_retry = DISABLED
Thu Mar  3 18:46:44 2005 us=785749   fast_io = DISABLED
Thu Mar  3 18:46:44 2005 us=785785   comp_lzo = ENABLED
Thu Mar  3 18:46:44 2005 us=785820   comp_lzo_adaptive = ENABLED
Thu Mar  3 18:46:44 2005 us=785856   route_script = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=785889   route_default_gateway = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=785926   route_noexec = DISABLED
Thu Mar  3 18:46:44 2005 us=785961   route_delay = 0
Thu Mar  3 18:46:44 2005 us=785995   route_delay_window = 30
Thu Mar  3 18:46:44 2005 us=786028   route_delay_defined = DISABLED
Thu Mar  3 18:46:44 2005 us=786065   route 200.200.199.0/255.255.0.0/nil/nil
Thu Mar  3 18:46:44 2005 us=786103   management_addr = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=786138   management_port = 0
Thu Mar  3 18:46:44 2005 us=786171   management_user_pass = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=786207   management_log_history_cache = 250
Thu Mar  3 18:46:44 2005 us=786242   management_echo_buffer_size = 100
Thu Mar  3 18:46:44 2005 us=786277   management_query_passwords = DISABLED
Thu Mar  3 18:46:44 2005 us=786313   management_hold = DISABLED
Thu Mar  3 18:46:44 2005 us=786350   shared_secret_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=786387   key_direction = 2
Thu Mar  3 18:46:44 2005 us=786423   ciphername_defined = ENABLED
Thu Mar  3 18:46:44 2005 us=786458   ciphername = 'BF-CBC'
Thu Mar  3 18:46:44 2005 us=786494   authname_defined = ENABLED
Thu Mar  3 18:46:44 2005 us=786531   authname = 'SHA1'
Thu Mar  3 18:46:44 2005 us=786566   keysize = 0
Thu Mar  3 18:46:44 2005 us=786600   engine = DISABLED
Thu Mar  3 18:46:44 2005 us=786635   replay = ENABLED
Thu Mar  3 18:46:44 2005 us=786670   mute_replay_warnings = DISABLED
Thu Mar  3 18:46:44 2005 us=786730   replay_window = 64
Thu Mar  3 18:46:44 2005 us=786771   replay_time = 15
Thu Mar  3 18:46:44 2005 us=786810   packet_id_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=786847   use_iv = ENABLED
Thu Mar  3 18:46:44 2005 us=786882   test_crypto = DISABLED
Thu Mar  3 18:46:44 2005 us=786917   tls_server = DISABLED
Thu Mar  3 18:46:44 2005 us=786952   tls_client = ENABLED
Thu Mar  3 18:46:44 2005 us=786989   key_method = 2
Thu Mar  3 18:46:44 2005 us=787023   ca_file = 'ca.crt'
Thu Mar  3 18:46:44 2005 us=787055   dh_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=787089   cert_file = 'elm.crt'
Thu Mar  3 18:46:44 2005 us=787122   priv_key_file = 'elm.key'
Thu Mar  3 18:46:44 2005 us=787156   pkcs12_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=787192   cipher_list = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=787227   tls_verify = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=787261   tls_remote = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=787295   crl_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=787330   ns_cert_type = 64
Thu Mar  3 18:46:44 2005 us=787363   tls_timeout = 2
Thu Mar  3 18:46:44 2005 us=787398   renegotiate_bytes = 0
Thu Mar  3 18:46:44 2005 us=787432   renegotiate_packets = 0
Thu Mar  3 18:46:44 2005 us=787470   renegotiate_seconds = 3600
Thu Mar  3 18:46:44 2005 us=787507   handshake_window = 60
Thu Mar  3 18:46:44 2005 us=787543   transition_window = 3600
Thu Mar  3 18:46:44 2005 us=787578   single_session = DISABLED
Thu Mar  3 18:46:44 2005 us=787613   tls_exit = DISABLED
Thu Mar  3 18:46:44 2005 us=787650   tls_auth_file = 'ta.key'
Thu Mar  3 18:46:44 2005 us=787742   server_network = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=787834   server_netmask = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=787881   server_bridge_ip = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=787923   server_bridge_netmask = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=787962   server_bridge_pool_start = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=788004   server_bridge_pool_end = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=788040   ifconfig_pool_defined = DISABLED
Thu Mar  3 18:46:44 2005 us=788079   ifconfig_pool_start = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=788117   ifconfig_pool_end = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=788155   ifconfig_pool_netmask = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=788190   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=788226   ifconfig_pool_persist_refresh_freq = 600
Thu Mar  3 18:46:44 2005 us=788261   ifconfig_pool_linear = DISABLED
Thu Mar  3 18:46:44 2005 us=788297   n_bcast_buf = 256
Thu Mar  3 18:46:44 2005 us=788330   tcp_queue_limit = 64
Thu Mar  3 18:46:44 2005 us=788366   real_hash_size = 256
Thu Mar  3 18:46:44 2005 us=788402   virtual_hash_size = 256
Thu Mar  3 18:46:44 2005 us=788437   client_connect_script = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=788473   learn_address_script = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=788508   client_disconnect_script = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=788545   client_config_dir = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=788586   ccd_exclusive = DISABLED
Thu Mar  3 18:46:44 2005 us=788625   tmp_dir = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=788660   push_ifconfig_defined = DISABLED
Thu Mar  3 18:46:44 2005 us=788718   push_ifconfig_local = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=788762   push_ifconfig_remote_netmask = 0.0.0.0
Thu Mar  3 18:46:44 2005 us=788802   enable_c2c = DISABLED
Thu Mar  3 18:46:44 2005 us=788837   duplicate_cn = DISABLED
Thu Mar  3 18:46:44 2005 us=788872   cf_max = 0
Thu Mar  3 18:46:44 2005 us=788905   cf_per = 0
Thu Mar  3 18:46:44 2005 us=788937   max_clients = 1024
Thu Mar  3 18:46:44 2005 us=788969   client_cert_not_required = DISABLED
Thu Mar  3 18:46:44 2005 us=789013   username_as_common_name = DISABLED
Thu Mar  3 18:46:44 2005 us=789056   auth_user_pass_verify_script = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=789091   auth_user_pass_verify_script_via_file = DISABLED
Thu Mar  3 18:46:44 2005 us=789125   client = ENABLED
Thu Mar  3 18:46:44 2005 us=789158   pull = ENABLED
Thu Mar  3 18:46:44 2005 us=789191   auth_user_pass_file = '[UNDEF]'
Thu Mar  3 18:46:44 2005 us=789234 OpenVPN 2.0_rc16 i686-pc-linux [SSL] [LZO] [EPOLL] built on Mar  3 2005
Thu Mar  3 18:46:44 2005 us=789386 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Mar  3 18:46:44 2005 us=789433 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Thu Mar  3 18:46:44 2005 us=792374 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Mar  3 18:46:44 2005 us=792479 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  3 18:46:44 2005 us=792536 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  3 18:46:44 2005 us=792657 LZO compression initialized
Thu Mar  3 18:46:44 2005 us=793050 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar  3 18:46:44 2005 us=793251 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Thu Mar  3 18:46:44 2005 us=793357 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Mar  3 18:46:44 2005 us=793398 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Mar  3 18:46:44 2005 us=793493 Local Options hash (VER=V4): '13a273ba'
Thu Mar  3 18:46:44 2005 us=793558 Expected Remote Options hash (VER=V4): '360696c5'
Thu Mar  3 18:46:44 2005 us=794819 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Mar  3 18:46:44 2005 us=794936 Socket Buffers: R=[110592->131072] S=[110592->131072]
Thu Mar  3 18:46:44 2005 us=795017 UDPv4 link local: [undef]
Thu Mar  3 18:46:44 2005 us=795065 UDPv4 link remote: 192.168.1.72:1194
Thu Mar  3 18:46:44 2005 us=810246 TLS: Initial packet from 192.168.1.72:1194, sid=1de7ebdf dc3c0174
Thu Mar  3 18:46:44 2005 us=865823 VERIFY OK: depth=1, /C=CN/ST=Liaoning/L=Shenyang/O=ELM_OpenVPN_ORG/CN=ROOT_CA/emailAddress=chenqs@clo.com.cn
Thu Mar  3 18:46:44 2005 us=866523 VERIFY OK: nsCertType=SERVER
Thu Mar  3 18:46:44 2005 us=866587 VERIFY OK: depth=0, /C=CN/ST=Liaoning/O=ELM_OpenVPN_ORG/CN=Server/emailAddress=chenqs@clo.com.cn
Thu Mar  3 18:46:44 2005 us=988885 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar  3 18:46:44 2005 us=988975 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  3 18:46:44 2005 us=989102 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar  3 18:46:44 2005 us=989152 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar  3 18:46:44 2005 us=989373 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar  3 18:46:44 2005 us=989480 [Server] Peer Connection Initiated with 192.168.1.72:1194
Thu Mar  3 18:46:46 2005 us=48628 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Thu Mar  3 18:46:46 2005 us=50063 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Thu Mar  3 18:46:46 2005 us=50205 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar  3 18:46:46 2005 us=50251 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar  3 18:46:46 2005 us=50285 OPTIONS IMPORT: route options modified
Thu Mar  3 18:46:46 2005 us=54587 TUN/TAP device tap1 opened
Thu Mar  3 18:46:46 2005 us=54724 TUN/TAP TX queue length set to 100
Thu Mar  3 18:46:46 2005 us=54819 /sbin/ifconfig tap1 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Mar  3 18:46:46 2005 us=61089 /sbin/route add -net 192.168.1.72 netmask 255.255.255.255 gw 192.168.1.1
Thu Mar  3 18:46:46 2005 us=110708 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Thu Mar  3 18:46:46 2005 us=115697 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.8.0.1
Thu Mar  3 18:46:46 2005 us=121058 /sbin/route add -net 200.200.199.0 netmask 255.255.0.0 gw 10.8.0.1
route: netmask doesn't match route address
Usage: route [-nNvee] [-FC] [<AF>]           List kernel routing tables
       route [-v] [-FC] {add|del|flush} ...  Modify routing table for AF.

       route {-h|--help} [<AF>]              Detailed usage syntax for specified AF.
       route {-V|--version}                  Display version/author and exit.

        -v, --verbose            be verbose
        -n, --numeric            don't resolve names
        -e, --extend             display other/more information
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB

  <AF>=Use '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
    x25 (CCITT X.25)
Thu Mar  3 18:46:46 2005 us=126109 ERROR: Linux route add command failed: shell command exited with error status: 4
Thu Mar  3 18:46:46 2005 us=126239 GID set to nobody
Thu Mar  3 18:46:46 2005 us=126318 UID set to nobody
Thu Mar  3 18:46:46 2005 us=126362 Initialization Sequence Completed
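As an added example (not code from this thread or from OpenVPN), the Python checker below reads a server.conf/client.conf pair and reports the mistake the log above ends with, `route 200.200.199.0 255.255.0.0` (the network address has bits set outside the netmask, so `/sbin/route add` refuses it), plus any mismatch in dev, proto, comp-lzo or the tls-auth key direction, which the server.conf comments say must be 0 on the server and 1 on the client. The embedded configs are constructed, trimmed copies of the two posted in the thread.

```python
"""Consistency checks for an OpenVPN server.conf / client.conf pair
(added example; not code from the thread or from OpenVPN)."""
import ipaddress
import shlex
from typing import List, Optional, Tuple

Directive = Tuple[str, List[str]]


def parse_openvpn_conf(text: str) -> List[Directive]:
    """(name, args) per directive; '#'/';' comment lines and trailing
    ' #' comments are dropped, quoted values stay one argument."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line.split(" #", 1)[0])
        out.append((parts[0], parts[1:]))
    return out


def check_route(network: str, netmask: str = "255.255.255.255") -> Optional[str]:
    """Finding when `network` has host bits set under `netmask`, which is
    what route(8) rejects as "netmask doesn't match route address"."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    if net.network_address != ipaddress.ip_address(network):
        return (f"route {network} {netmask}: netmask does not match route "
                f"address (this mask selects {net.with_netmask})")
    return None


def check_pair(server: List[Directive], client: List[Directive]) -> List[str]:
    """Directives that must match on both ends (dev, proto, comp-lzo,
    tls-auth) or be complementary (tls-auth direction: server 0, client 1)."""
    s, c = dict(server), dict(client)          # last occurrence wins
    findings: List[str] = []
    for key in ("dev", "proto"):
        if s.get(key) != c.get(key):
            findings.append(f"{key}: server {s.get(key)} vs client {c.get(key)}")
    for key in ("comp-lzo", "tls-auth"):
        if (key in s) != (key in c):
            findings.append(f"{key} must be set on both ends or on neither")
    if "tls-auth" in s and "tls-auth" in c:
        sdir = s["tls-auth"][1] if len(s["tls-auth"]) > 1 else None
        cdir = c["tls-auth"][1] if len(c["tls-auth"]) > 1 else None
        if (sdir, cdir) not in {("0", "1"), (None, None)}:
            findings.append(f"tls-auth key direction: server {sdir}, client "
                            f"{cdir} (server must use 0, client 1)")
    return findings


def audit(server_text: str, client_text: str) -> List[str]:
    """Run every check over a config pair; an empty list means clean."""
    server, client = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings = check_pair(server, client)
    for side, conf in (("server", server), ("client", client)):
        for name, args in conf:
            if name == "push" and args and args[0].startswith("route "):
                name, args = "route", args[0].split()[1:]   # pushed route
            if name == "route" and args:
                problem = check_route(*args[:2])
                if problem:
                    findings.append(f"{side}: {problem}")
    return findings


# Constructed sample pair, trimmed from the server.conf and client.conf
# posted in this thread (the client route is the one route(8) refused).
SERVER_CONF = """\
proto udp
dev tap
key server.key # This file should be kept secret
server 10.8.0.0 255.255.255.0
push "redirect-gateway"
tls-auth ta.key 0 # This file is secret
comp-lzo
"""
CLIENT_CONF = """\
client
dev tap
proto udp
remote 192.168.1.72 1194
route 200.200.199.0 255.255.0.0
key elm.key
tls-auth ta.key 1
comp-lzo
"""

if __name__ == "__main__":
    for finding in audit(SERVER_CONF, CLIENT_CONF):
        print(finding)
```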

Posted on 2005-03-03 19:14

The client's /var/log/messages file:

Mar  3 19:12:23 localhost openvpn[29339]:   client = ENABLED
Mar  3 19:12:23 localhost openvpn[29339]:   pull = ENABLED
Mar  3 19:12:23 localhost openvpn[29339]:   auth_user_pass_file = '[UNDEF]'
Mar  3 19:12:23 localhost openvpn[29339]: OpenVPN 2.0_rc16 i686-pc-linux [SSL] [LZO] [EPOLL] built on Mar  3 2005
Mar  3 19:12:23 localhost openvpn[29339]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mar  3 19:12:23 localhost openvpn[29339]: WARNING: file 'elm.key' is group or others accessible
Mar  3 19:12:23 localhost openvpn[29339]: WARNING: file 'ta.key' is group or others accessible
Mar  3 19:12:23 localhost openvpn[29339]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mar  3 19:12:23 localhost openvpn[29339]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar  3 19:12:23 localhost openvpn[29339]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar  3 19:12:23 localhost openvpn[29339]: LZO compression initialized
Mar  3 19:12:23 localhost openvpn[29339]: Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mar  3 19:12:23 localhost openvpn[29339]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Mar  3 19:12:23 localhost openvpn[29339]: Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Mar  3 19:12:23 localhost openvpn[29339]: Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Mar  3 19:12:23 localhost openvpn[29339]: Local Options hash (VER=V4): '13a273ba'
Mar  3 19:12:23 localhost openvpn[29339]: Expected Remote Options hash (VER=V4): '360696c5'
Mar  3 19:12:23 localhost openvpn:  succeeded
Mar  3 19:12:23 localhost openvpn[29340]: Socket Buffers: R=[110592->131072] S=[110592->131072]
Mar  3 19:12:23 localhost openvpn[29340]: UDPv4 link local: [undef]
Mar  3 19:12:23 localhost openvpn[29340]: UDPv4 link remote: 192.168.1.72:1194
Mar  3 19:12:23 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_ACK_V1)
Mar  3 19:12:24 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_CONTROL_V1)
Mar  3 19:12:24 localhost last message repeated 7 times
Mar  3 19:12:25 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_ACK_V1)
Mar  3 19:12:27 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_CONTROL_V1)
Mar  3 19:12:27 localhost last message repeated 7 times
Mar  3 19:12:27 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_ACK_V1)
Mar  3 19:12:28 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_CONTROL_V1)
Mar  3 19:12:28 localhost last message repeated 7 times
Mar  3 19:12:29 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_ACK_V1)
Mar  3 19:12:30 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_CONTROL_V1)
Mar  3 19:12:30 localhost last message repeated 7 times
Mar  3 19:12:31 localhost openvpn[29340]: event_wait : Interrupted system call (code=4)
Mar  3 19:12:31 localhost openvpn[29340]: OpenVPN STATISTICS
Mar  3 19:12:31 localhost openvpn[29340]: Updated,Thu Mar  3 19:12:31 2005
Mar  3 19:12:31 localhost openvpn[29340]: TUN/TAP read bytes,0
Mar  3 19:12:31 localhost openvpn[29340]: TUN/TAP write bytes,0
Mar  3 19:12:31 localhost openvpn[29340]: TCP/UDP read bytes,4744
Mar  3 19:12:31 localhost openvpn[29340]: TCP/UDP write bytes,168
Mar  3 19:12:31 localhost openvpn[29340]: Auth read bytes,0
Mar  3 19:12:31 localhost openvpn[29340]: pre-compress bytes,0
Mar  3 19:12:31 localhost openvpn[29340]: post-compress bytes,0
Mar  3 19:12:31 localhost openvpn[29340]: pre-decompress bytes,0
Mar  3 19:12:31 localhost openvpn[29340]: post-decompress bytes,0
Mar  3 19:12:31 localhost openvpn[29340]: END
Mar  3 19:12:31 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_ACK_V1)
Mar  3 19:12:32 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_CONTROL_V1)
Mar  3 19:12:32 localhost last message repeated 7 times
Mar  3 19:12:33 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_ACK_V1)
Mar  3 19:12:34 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_CONTROL_V1)
Mar  3 19:12:34 localhost last message repeated 7 times
Mar  3 19:12:35 localhost openvpn[29340]: TLS Error: Unroutable control packet received from 192.168.1.72:1194 (si=3 op=P_ACK_V1)