Я пытаюсь подключиться к VPN-серверу.
Я получил client.ovpn от моего системного администратора.
При беге: sudo openvpn --config client.ovpn
я собираюсь Initialization Sequence Completed
через несколько секунд, но мое соединение не работает. пытаюсь - ping google.com
не дает ответа.
На машине macOSX с установленным Tunnelblick и тем же файлом client.ovpn все работает отлично.
Я что-то упускаю?
Добавление журналов для sudo openvpn --config client.ovpn
:
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Enter Auth Username: *****
Enter Auth Password: ********************
Control Channel Authentication: tls-auth using INLINE static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Socket Buffers: R=[212992->200000] S=[212992->200000]
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]52.204.89.71:1194
Server poll timeout, restarting
SIGUSR1[soft,server_poll] received, process restarting
Control Channel Authentication: tls-auth using INLINE static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Socket Buffers: R=[212992->200000] S=[212992->200000]
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]52.204.89.71:1194
Server poll timeout, restarting
SIGUSR1[soft,server_poll] received, process restarting
Control Channel Authentication: tls-auth using INLINE static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Socket Buffers: R=[87380->200000] S=[16384->200000]
Attempting to establish TCP connection with [AF_INET]52.204.89.71:443 [nonblock]
TCP connection established with [AF_INET]52.204.89.71:443
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]52.204.89.71:443
TLS: Initial packet from [AF_INET]52.204.89.71:443, sid=06674f4e bf6e2a84
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY OK: depth=1, CN=OpenVPN CA
VERIFY OK: nsCertType=SERVER
VERIFY OK: depth=0, CN=OpenVPN Server
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
[OpenVPN Server] Peer Connection Initiated with [AF_INET]52.204.89.71:443
SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,socket-flags TCP_NODELAY,auth-token SESS_ID,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.224.1,dhcp-option DNS 10.0.0.2,register-dns,block-ipv6,ifconfig 172.27.227.61 255.255.248.0'
Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.10)
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.10)
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.10)
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.3.10)
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.3.10)
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
OPTIONS IMPORT: LZO parms modified
OPTIONS IMPORT: --socket-flags option modified
Socket flags: TCP_NODELAY=1 succeeded
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY 192.168.1.99/255.255.255.0 IFACE=wlp4s0 HWADDR=60:f6:77:31:df:9e
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 172.27.227.61/21 broadcast 172.27.231.255
ROUTE remote_host is NOT LOCAL
/sbin/ip route add 52.204.89.71/32 via 192.168.1.99
/sbin/ip route add 0.0.0.0/1 via 172.27.224.1
/sbin/ip route add 128.0.0.0/1 via 172.27.224.1
Initialization Sequence Completed
редактировать:
Мой client.ovpn
выглядит так:
Я снимаю \ меняю детали бирючины
# Automatically generated OpenVPN client config file
# Generated on Mon Jan 22 15:15:18 2018 by openvpnas2
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=My_Name
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=MyName@vpn.server.com
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=vpn.server.com:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote vpn.server.com 1194 udp
remote vpn.server.com 1194 udp
remote vpn.server.com 443 tcp
remote vpn.server.com 1194 udp
remote vpn.server.com 1194 udp
remote vpn.server.com 1194 udp
remote vpn.server.com 1194 udp
remote vpn.server.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
Ubuntu предоставляет сценарий для обновления файла resolv.conf: /etc/openvpn/update-resolv-conf
вы можете добавить его в свой client.ovpn, добавив к нему следующие строки:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
при запуске службы vpn он будет оценивать сторонние параметры, отправленные сервером. они должны содержать информацию о DNS-серверах для удаленной сети, к которой вы только что подключились.
Чтобы разрешить запуск этих сценариев, вам нужно либо изменить конфигурацию, либо добавить
script-security 2
также, или вы можете добавить этот параметр в свою командную строку следующим образом:
sudo openvpn --config client.ovpn --script-security 2