[help] OpenVPN+Firewall

Closed
xxx31fr Posts 86 Registered Saturday 25 December 2004 Status Member Last active 6 September 2016 - 20 Jul 2016 at 10:31
cocoche95 Posts 1134 Registered Thursday 29 July 2004 Status Contributor Last active 27 November 2019 - 20 Jul 2016 at 21:41
Hello,
I have set up an OpenVPN server.
I have already connected one client and it works fine (ping in both directions, client and server see each other, no problems).

With a second client, the VPN tunnel comes up fine, but the client cannot ping the server, and vice versa.
Here are the logs:
Wed Jul 20 09:25:13 2016 event_wait : Interrupted system call (code=4)
Wed Jul 20 09:25:13 2016 TCP/UDP: Closing socket
Wed Jul 20 09:25:13 2016 /sbin/route del -net 10.6.66.0 netmask 255.255.255.0
Wed Jul 20 09:25:13 2016 /sbin/route del -net 10.10.10.0 netmask 255.255.255.0
Wed Jul 20 09:25:13 2016 Closing TUN/TAP interface
Wed Jul 20 09:25:13 2016 /sbin/ifconfig tun0 0.0.0.0
Wed Jul 20 09:25:13 2016 SIGTERM[hard,] received, process exiting
Wed Jul 20 09:25:14 2016 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Wed Jul 20 09:25:14 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jul 20 09:25:14 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 20 09:25:14 2016 WARNING: file '/etc/openvpn/***.***' is group or others accessible
Wed Jul 20 09:25:14 2016 LZO compression initialized
Wed Jul 20 09:25:14 2016 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jul 20 09:25:14 2016 Socket Buffers: R=[229376->131072] S=[229376->131072]
Wed Jul 20 09:25:14 2016 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 20 09:25:14 2016 Local Options hash (VER=V4): '66096c33'
Wed Jul 20 09:25:14 2016 Expected Remote Options hash (VER=V4): '691e95c7'
Wed Jul 20 09:25:14 2016 UDPv4 link local (bound): [undef]
Wed Jul 20 09:25:14 2016 UDPv4 link remote: [AF_INET]195.154.***.***:1194
Wed Jul 20 09:25:14 2016 TLS: Initial packet from [AF_INET]195.154.***.***:1194, sid=2111b29e 59ff24f2
Wed Jul 20 09:25:14 2016 VERIFY OK: depth=1, /C=***.***/ST=***.***/L=***.***/O=***.***/OU=***.***/CN=openvpn-ca/name=openvpn-ca/emailAddress=***.***
Wed Jul 20 09:25:14 2016 VERIFY OK: nsCertType=SERVER
Wed Jul 20 09:25:14 2016 VERIFY OK: depth=0, /C=***.***/ST=***.***/L=***.***/O=***.***/OU=***.***/CN=dev/name=***.***/emailAddress=***.***
Wed Jul 20 09:25:14 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 20 09:25:14 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 20 09:25:14 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 20 09:25:14 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 20 09:25:14 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jul 20 09:25:14 2016 [dev] Peer Connection Initiated with [AF_INET]195.154.***.***:1194
Wed Jul 20 09:25:16 2016 SENT CONTROL [dev]: 'PUSH_REQUEST' (status=1)
Wed Jul 20 09:25:16 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 10.6.66.0 255.255.255.0,route 10.6.66.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.6.66.118 10.6.66.117'
Wed Jul 20 09:25:16 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 20 09:25:16 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 20 09:25:16 2016 OPTIONS IMPORT: route options modified
Wed Jul 20 09:25:16 2016 ROUTE default_gateway=195.154.***.***
Wed Jul 20 09:25:16 2016 TUN/TAP device tun0 opened
Wed Jul 20 09:25:16 2016 TUN/TAP TX queue length set to 100
Wed Jul 20 09:25:16 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jul 20 09:25:16 2016 /sbin/ifconfig tun0 10.6.66.118 pointopoint 10.6.66.117 mtu 1500
Wed Jul 20 09:25:16 2016 /sbin/route add -net 10.10.10.0 netmask 255.255.255.0 gw 10.6.66.117
Wed Jul 20 09:25:16 2016 /sbin/route add -net 10.6.66.0 netmask 255.255.255.0 gw 10.6.66.117
Wed Jul 20 09:25:16 2016 /sbin/route add -net 10.6.66.0 netmask 255.255.255.0 gw 10.6.66.117
SIOCADDRT: File exists
Wed Jul 20 09:25:16 2016 ERROR: Linux route add command failed: external program exited with error status: 7
Wed Jul 20 09:25:16 2016 Initialization Sequence Completed


The ping to the VPN server returns this error message:
ping 10.6.66.1
PING 10.6.66.1 (10.6.66.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted


From what I have seen, it would be a firewall problem on the client side.

Here are my current rules:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 64M 35G ACCEPT all -- lo any anywhere anywhere
2 1018K 95M ACCEPT icmp -- eth0 any anywhere anywhere
3 245M 47G ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
4 42795 2460K ACCEPT tcp -- eth0 any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
5 115K 6831K ACCEPT tcp -- eth0 any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
6 269K 16M ACCEPT tcp -- eth0 any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:https
7 146K 8774K ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:rsync
8 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:rsync
9 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:rsync
10 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:rsync
11 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:rsync
12 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:rsync
13 37441 2246K ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
14 1808K 108M ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
15 127K 7640K ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
16 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
17 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
18 123K 7351K ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
19 872K 52M ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
20 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
21 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
22 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
23 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
24 7283 437K ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
25 82939 4976K ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
26 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:mysql
27 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:munin
28 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
29 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
30 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
31 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
32 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
33 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
34 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
35 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
36 0 0 ACCEPT tcp -- eth0 any ***.*** anywhere state NEW,RELATED,ESTABLISHED tcp dpt:11211
37 2716K 214M reject-and-log-it all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination


Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 17 9792 DROP icmp -- any any anywhere anywhere state INVALID
2 64M 35G ACCEPT all -- any lo anywhere anywhere
3 104M 539G ACCEPT all -- any eth0 ***.*** anywhere
4 25826 21M ACCEPT all -- any eth0 ***.*** anywhere
5 33815 45M ACCEPT all -- any eth0 ***.*** anywhere
6 102K 157M ACCEPT all -- any eth0 ***.*** anywhere
7 33719 34M ACCEPT all -- any eth0 ***.*** anywhere
8 0 0 ACCEPT all -- any eth0 ***.*** anywhere
9 211K 495M ACCEPT all -- any eth0 ***.*** anywhere
10 0 0 ACCEPT all -- any eth0 ***.*** anywhere
11 25513 11M ACCEPT all -- any eth0 ***.*** anywhere
12 0 0 ACCEPT all -- any eth0 ***.*** anywhere
13 312K 192M ACCEPT all -- any eth0 ***.*** anywhere
14 39063 33M ACCEPT all -- any eth0 ***.*** anywhere
15 80914 157M ACCEPT all -- any eth0 ***.*** anywhere
16 24222 14M ACCEPT all -- any eth0 ***.*** anywhere
17 6129 1910K ACCEPT all -- any eth0 ***.*** anywhere
18 502K 127M ACCEPT all -- any eth0 ***.*** anywhere
19 27940 66M ACCEPT all -- any eth0 ***.*** anywhere
20 67238 199M ACCEPT all -- any eth0 ***.*** anywhere
21 2542K 6326M ACCEPT all -- any eth0 ***.*** anywhere
22 32 2568 reject-and-log-it all -- any any anywhere anywhere


In case it is needed:
1/ OpenVPN client config:
client
dev tun
proto udp
remote ***.*** 1194
resolv-retry infinite
;nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/***.***.crt
key /etc/openvpn/***.***.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
log-append /var/log/openvpn.log


2/ OpenVPN server config:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/dev.crt
key /etc/openvpn/easy-rsa/keys/dev.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.6.66.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
push "route 10.6.66.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
#push "route 10.6.66.0 255.255.255.0"
route 10.10.10.0 255.255.255.0
#push "dhcp-option DNS 10.10.10.254"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
client-to-client
ifconfig-pool-persist ipp.txt
#duplicate-cn
keepalive 10 120
cipher AES-128-CBC # AES
user nobody
group nogroup
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3


Thanks in advance for your help.
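Added here as an editor's example, not part of the thread: the PUSH_REPLY line in the log above carries `route 10.6.66.0 255.255.255.0` twice. With `client-to-client` set, the `server 10.6.66.0 255.255.255.0` helper directive already pushes a route for the VPN subnet, and the server config pushes the same route again explicitly, so the client's second `route add` for that network fails with `SIOCADDRT: File exists` (the "exited with error status: 7" line). That duplicate does not break connectivity and is not what blocks the ping, but it is easy to pick out of the log. The script below is POSIX sh; the log line it parses is a constructed copy of the one in the question.

```shell
#!/bin/sh
# Editor's example: extract the routes from an OpenVPN PUSH_REPLY log line and
# report any route that was pushed more than once.
#
# PUSH_LINE is a constructed copy of the client log line in the question above.
PUSH_LINE="Wed Jul 20 09:25:16 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 10.6.66.0 255.255.255.0,route 10.6.66.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.6.66.118 10.6.66.117'"

# pushed_options LOGLINE -> the comma-separated options inside the quotes, one per line
pushed_options() {
  printf '%s\n' "$1" | sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# pushed_routes LOGLINE -> "network netmask" for each pushed route, in push order
pushed_routes() {
  pushed_options "$1" | awk '$1 == "route" { print $2, $3 }'
}

# duplicate_routes LOGLINE -> routes that appear more than once (each printed once)
duplicate_routes() {
  pushed_routes "$1" | sort | uniq -d
}

# route_count LOGLINE -> how many route options were pushed, duplicates included
route_count() {
  pushed_routes "$1" | awk 'END { print NR }'
}

# Stand-alone run against the sample line.
echo "routes pushed: $(route_count "$PUSH_LINE")"
dups=$(duplicate_routes "$PUSH_LINE")
if [ -n "$dups" ]; then
  echo "pushed more than once: $dups"
fi
```

Run it against a real client log with `grep PUSH_REPLY /var/log/openvpn.log | tail -n 1` as input; any route listed by `duplicate_routes` corresponds to a `push "route ..."` that the server directive (or a ccd file) already covers and can be removed from the server config.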
2 replies

Hi,


Isn't this what you should be pinging instead?

10.10.10.0


In your INPUT chain I don't see ICMP and echo reply, are you sure about your rules?
" 1 17 9792 DROP icmp -- any any anywhere "

You would need to check the order of the rules, but this one coming first, which DROPs, could prevent pinging.

Did you copy your rules from Ubuntu?
cocoche95 Posts 1134 Registered Thursday 29 July 2004 Status Contributor Last active 27 November 2019 543
20 Jul 2016 at 21:41
Hi,

Luc is right: in your OUTPUT chain you drop ICMP, so you will never be able to ping.
Also, you have no rule allowing traffic passing through your tunnel, the tun0 interface! You only deal with eth0 (the physical interface), so your tunnel comes up but no traffic will be allowed because of the DROP policy and your final reject rule.
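Added here as an editor's example, not part of cocoche95's reply: a POSIX shell check that reads an `iptables -L -v -n --line-numbers` listing in the format shown in the question and reports, per chain, whether the tunnel interface can pass traffic at all. It looks for the gap described above, an ACCEPT rule naming tun0, rather than for ICMP. Note that rule 1 of the OUTPUT chain only matches `state INVALID`, so a fresh echo request is not dropped there; it falls through the lo and eth0 rules to the final reject-and-log-it rule, and for locally generated packets that verdict is what `ping` reports as `sendmsg: Operation not permitted`. The listing embedded in the code is a constructed, shortened copy of the one in the question, and the rules printed by `tunnel_fix` are my own interface-scoped suggestion (narrow them to the VPN subnets if you want tighter rules); nothing in the block is taken from the thread's authors.

```shell
#!/bin/sh
# Editor's example: find chains in an iptables listing that leave a tunnel
# interface with no ACCEPT rule while the packet would fall through to a DROP
# policy or a catch-all reject rule.
#
# SAMPLE_LISTING is a constructed, shortened copy of the listing in the question:
# same chains and policies, the same 'state INVALID' ICMP rule, the same trailing
# catch-all; the rsync/mysql/memcached rules and real addresses are left out.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 64M 35G ACCEPT all -- lo any anywhere anywhere
2 1018K 95M ACCEPT icmp -- eth0 any anywhere anywhere
3 245M 47G ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
4 42795 2460K ACCEPT tcp -- eth0 any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
5 2716K 214M reject-and-log-it all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 17 9792 DROP icmp -- any any anywhere anywhere state INVALID
2 64M 35G ACCEPT all -- any lo anywhere anywhere
3 104M 539G ACCEPT all -- any eth0 192.0.2.10 anywhere
4 32 2568 reject-and-log-it all -- any any anywhere anywhere'

# chain_policy CHAIN LISTING -> the chain's default policy (ACCEPT or DROP)
chain_policy() {
  printf '%s\n' "$2" | awk -v chain="$1" '$1 == "Chain" && $2 == chain { print $4; exit }'
}

# iface_accept_rules CHAIN IFACE LISTING -> number of ACCEPT rules in CHAIN whose
# "in" or "out" column (fields 7 and 8 of the listing) names IFACE
iface_accept_rules() {
  printf '%s\n' "$3" | awk -v chain="$1" -v iface="$2" '
    $1 == "Chain" { current = $2; next }
    $1 == "num"   { next }
    current == chain && $4 == "ACCEPT" && ($7 == iface || $8 == iface) { n++ }
    END { print n + 0 }'
}

# catch_all_rules CHAIN LISTING -> number of non-ACCEPT rules in CHAIN that match
# every packet (any/any interfaces, anywhere/anywhere addresses, no extra match);
# such a rule blocks the tunnel exactly as a DROP policy would
catch_all_rules() {
  printf '%s\n' "$2" | awk -v chain="$1" '
    $1 == "Chain" { current = $2; next }
    $1 == "num"   { next }
    current == chain && $4 != "ACCEPT" && $5 == "all" && $7 == "any" && $8 == "any" &&
      $9 == "anywhere" && $10 == "anywhere" && NF == 10 { n++ }
    END { print n + 0 }'
}

# tunnel_verdict CHAIN IFACE LISTING -> "blocked" when nothing in CHAIN accepts
# IFACE and the packet would hit a DROP policy or a catch-all reject, else "ok"
tunnel_verdict() {
  accepts=$(iface_accept_rules "$1" "$2" "$3")
  if [ "$accepts" -gt 0 ]; then
    echo ok
  elif [ "$(chain_policy "$1" "$3")" = "DROP" ] || [ "$(catch_all_rules "$1" "$3")" -gt 0 ]; then
    echo blocked
  else
    echo ok
  fi
}

# tunnel_fix IFACE -> two rules that open the tunnel interface. -I puts them at the
# top of the chain, ahead of the final reject-and-log-it rule; -A would append them
# after it, where they would never match.
tunnel_fix() {
  printf 'iptables -I INPUT 1 -i %s -j ACCEPT\n' "$1"
  printf 'iptables -I OUTPUT 1 -o %s -j ACCEPT\n' "$1"
}

# Stand-alone run: report both chains for tun0 and print the fix when it is needed.
for chain in INPUT OUTPUT; do
  echo "$chain tun0: $(tunnel_verdict "$chain" tun0 "$SAMPLE_LISTING")"
done
if [ "$(tunnel_verdict OUTPUT tun0 "$SAMPLE_LISTING")" = blocked ]; then
  tunnel_fix tun0
fi
```

On the client itself, feed the live listing in with `tunnel_verdict OUTPUT tun0 "$(iptables -L -v -n --line-numbers)"`; the `-n` output prints `*` and `0.0.0.0/0` where the question's listing shows `any` and `anywhere`, so adjust the `catch_all_rules` literals accordingly. The FORWARD chain is not checked because the client only terminates the tunnel; it would matter on a box that routes between tun0 and another network.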