OpenVPN through stunnel does not work when forwarded through the router, but works internally [closed]

I am trying to set up OpenVPN over stunnel on my personal server.

openvpn is using the TCP protocol and connects fine outside of stunnel, even when connecting through the forwarded port on the router.

OpenVPN wrapped in stunnel works fine when not connecting through the port forward on the router, i.e. when stunnel sends to the internal IP address.

stunnel itself seems to work fine when connecting through the forwarded port on the router: I set up stunnel for SSH and it connects fine, and I even left it in a while loop echoing to the console for a couple of minutes to see whether it would fail.

However, when running OpenVPN through stunnel and through the port forward on the router, the connection is established but then drops, and I cannot get any web traffic.

I have been debugging this all day and would be very grateful for any help.

I get the following warnings in the OVPN log:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

stunnel server settings (including the ssh test):

[openvpn]
accept = 44444
connect = 127.0.0.1:1194
ciphers = DHE-RSA-AES256-SHA256

[sslssh]
accept = 55555
connect = 127.0.0.1:22

stunnel client settings:

[openvpn]
client = yes
accept = 127.0.0.1:11194
connect = <my_ip>:44444
;cert = /usr/local/etc/stunnel/cert.pem
;connect = 192.168.255.25:44444
ciphers = DHE-RSA-AES256-SHA256

[sslssh]
client = yes
accept  = 127.0.0.1:2222
connect = <my_IP>:55555

ovpn client config:

remote localhost 11194
proto tcp
remote-cert-tls server


client
dev tun
resolv-retry infinite
keepalive 10 120
nobind
comp-lzo
verb 3

ovpn server config:

port 1194
proto tcp
dev tun

comp-lzo
keepalive 10 120

persist-key
persist-tun
user nobody
group nogroup

chroot /etc/openvpn/easy-rsa/keys/crl.jail
crl-verify crl.pem

ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt

ifconfig-pool-persist /var/lib/openvpn/server.ipp
client-config-dir /etc/openvpn/server.ccd
status /var/log/openvpn/server.log
verb 4

full ovpn client log:

2019-05-27 14:10:53 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.14.6; Tunnelblick 3.7.5a (build 5011); prior version 3.4.0 (build 4007)
2019-05-27 14:10:53 *Tunnelblick: Attempting connection with mikewarde_tcp_stunnel using shadow copy; Set nameserver = 769; monitoring connection
2019-05-27 14:10:53 *Tunnelblick: openvpnstart start mikewarde_tcp_stunnel.tblk 1337 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.4-openssl-1.0.2o
2019-05-27 14:10:54 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2o/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Smikewarde-SLibrary-SApplication Support-STunnelblick-SConfigurations-Smikewarde_tcp_stunnel.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/mikewarde/mikewarde_tcp_stunnel.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          /Library/Application Support/Tunnelblick/fognhooiggkindigaihckcifckpilcfpnmgdikmh.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2019-05-27 14:10:54 *Tunnelblick: Established communication with OpenVPN
2019-05-27 14:10:54 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar 27 2018
2019-05-27 14:10:54 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2019-05-27 14:10:54 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2019-05-27 14:10:54 Need hold release from management interface, waiting...
2019-05-27 14:10:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2019-05-27 14:10:54 MANAGEMENT: CMD 'pid'
2019-05-27 14:10:54 MANAGEMENT: CMD 'state on'
2019-05-27 14:10:54 MANAGEMENT: CMD 'state'
2019-05-27 14:10:54 MANAGEMENT: CMD 'bytecount 1'
2019-05-27 14:10:54 MANAGEMENT: CMD 'hold release'
2019-05-27 14:10:54 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-27 14:10:54 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:10:54 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:10:54 MANAGEMENT: >STATE:1558962654,RESOLVE,,,,,,
2019-05-27 14:10:54 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:11194
2019-05-27 14:10:54 Socket Buffers: R=[131072->131072] S=[131072->131072]
2019-05-27 14:10:54 Attempting to establish TCP connection with [AF_INET]127.0.0.1:11194 [nonblock]
2019-05-27 14:10:54 MANAGEMENT: >STATE:1558962654,TCP_CONNECT,,,,,,
2019-05-27 14:10:55 TCP connection established with [AF_INET]127.0.0.1:11194
2019-05-27 14:10:55 TCP_CLIENT link local: (not bound)
2019-05-27 14:10:55 TCP_CLIENT link remote: [AF_INET]127.0.0.1:11194
2019-05-27 14:10:55 MANAGEMENT: >STATE:1558962655,WAIT,,,,,,
2019-05-27 14:10:55 MANAGEMENT: >STATE:1558962655,AUTH,,,,,,
2019-05-27 14:10:55 TLS: Initial packet from [AF_INET]127.0.0.1:11194, sid=c58c277c 5918dc12
2019-05-27 14:10:55 VERIFY OK: depth=1, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:10:55 VERIFY KU OK
2019-05-27 14:10:55 Validating certificate extended key usage
2019-05-27 14:10:55 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-05-27 14:10:55 VERIFY EKU OK
2019-05-27 14:10:55 VERIFY OK: depth=0, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:10:55 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-27 14:10:55 [server] Peer Connection Initiated with [AF_INET]127.0.0.1:11194
2019-05-27 14:10:57 MANAGEMENT: >STATE:1558962657,GET_CONFIG,,,,,,
2019-05-27 14:10:57 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2019-05-27 14:10:57 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.222.29.1,topology net30,ping 10,ping-restart 120,ifconfig 10.222.29.6 10.222.29.5,peer-id 0,cipher AES-256-GCM'
2019-05-27 14:10:57 OPTIONS IMPORT: timers and/or timeouts modified
2019-05-27 14:10:57 OPTIONS IMPORT: --ifconfig/up options modified
2019-05-27 14:10:57 OPTIONS IMPORT: route options modified
2019-05-27 14:10:57 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-05-27 14:10:57 OPTIONS IMPORT: peer-id set
2019-05-27 14:10:57 OPTIONS IMPORT: adjusting link_mtu to 1627
2019-05-27 14:10:57 OPTIONS IMPORT: data channel crypto options modified
2019-05-27 14:10:57 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-05-27 14:10:57 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-27 14:10:57 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-05-27 14:10:57 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-05-27 14:10:57 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-05-27 14:10:57 Opened utun device utun2
2019-05-27 14:10:57 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-05-27 14:10:57 MANAGEMENT: >STATE:1558962657,ASSIGN_IP,,10.222.29.6,,,,
2019-05-27 14:10:57 /sbin/ifconfig utun2 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2019-05-27 14:10:57 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2019-05-27 14:10:57 /sbin/ifconfig utun2 10.222.29.6 10.222.29.5 mtu 1500 netmask 255.255.255.255 up
2019-05-27 14:10:57 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1555 10.222.29.6 10.222.29.5 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Disabled IPv6 for 'iPhone USB'
                                        Disabled IPv6 for 'Wi-Fi'
                                        Disabled IPv6 for 'Bluetooth PAN'
                                        Disabled IPv6 for 'Thunderbolt Bridge'
                                        Retrieved from OpenVPN: name server(s) [ 208.67.222.222 208.67.220.220 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        WARNING: Ignoring ServerAddresses '208.67.222.222 208.67.220.220' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Did not change DNS ServerAddresses setting of '1.1.1.1 1.0.0.1' (but re-set it)
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from '' to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '1.1.1.1 1.0.0.1' were set manually
                                        DNS servers '1.1.1.1 1.0.0.1' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2019-05-27 14:11:00 *Tunnelblick: No 'connected.sh' script to execute
2019-05-27 14:11:00 /sbin/route add -net 127.0.0.1 192.168.255.1 255.255.255.255
                                        add net 127.0.0.1: gateway 192.168.255.1
2019-05-27 14:11:00 /sbin/route add -net 0.0.0.0 10.222.29.5 128.0.0.0
                                        add net 0.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:00 /sbin/route add -net 128.0.0.0 10.222.29.5 128.0.0.0
                                        add net 128.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:00 MANAGEMENT: >STATE:1558962660,ADD_ROUTES,,,,,,
2019-05-27 14:11:00 /sbin/route add -net 10.222.29.1 10.222.29.5 255.255.255.255
                                        add net 10.222.29.1: gateway 10.222.29.5
2019-05-27 14:11:00 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-05-27 14:11:00 Initialization Sequence Completed
2019-05-27 14:11:00 MANAGEMENT: >STATE:1558962660,CONNECTED,SUCCESS,10.222.29.6,127.0.0.1,11194,127.0.0.1,55166
2019-05-27 14:11:24 Connection reset, restarting [-1]
2019-05-27 14:11:24 /sbin/route delete -net 10.222.29.1 10.222.29.5 255.255.255.255
                                        delete net 10.222.29.1: gateway 10.222.29.5
2019-05-27 14:11:24 /sbin/route delete -net 127.0.0.1 192.168.255.1 255.255.255.255
                                        delete net 127.0.0.1: gateway 192.168.255.1
2019-05-27 14:11:24 /sbin/route delete -net 0.0.0.0 10.222.29.5 128.0.0.0
                                        delete net 0.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:24 /sbin/route delete -net 128.0.0.0 10.222.29.5 128.0.0.0
                                        delete net 128.0.0.0: gateway 10.222.29.5
2019-05-27 14:11:24 Closing TUN/TAP interface
2019-05-27 14:11:24 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1555 10.222.29.6 10.222.29.5 init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        Cancelled monitoring of system configuration changes
                                        Restored the DNS and SMB configurations
                                        Re-enabled IPv6 (automatic) for 'iPhone USB'
                                        Re-enabled IPv6 (automatic) for 'Wi-Fi'
                                        Re-enabled IPv6 (automatic) for 'Bluetooth PAN'
                                        Re-enabled IPv6 (automatic) for 'Thunderbolt Bridge'
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2019-05-27 14:11:25 SIGUSR1[soft,connection-reset] received, process restarting
2019-05-27 14:11:25 MANAGEMENT: >STATE:1558962685,RECONNECTING,connection-reset,,,,,
2019-05-27 14:11:25 *Tunnelblick: No 'reconnecting.sh' script to execute
2019-05-27 14:11:25 MANAGEMENT: CMD 'hold release'
2019-05-27 14:11:25 MANAGEMENT: CMD 'hold release'
2019-05-27 14:11:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-27 14:11:25 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:11:25 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-27 14:11:25 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:11194
2019-05-27 14:11:25 Socket Buffers: R=[131072->131072] S=[131072->131072]
2019-05-27 14:11:25 Attempting to establish TCP connection with [AF_INET]127.0.0.1:11194 [nonblock]
2019-05-27 14:11:25 MANAGEMENT: >STATE:1558962685,TCP_CONNECT,,,,,,
2019-05-27 14:11:26 TCP connection established with [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 TCP_CLIENT link local: (not bound)
2019-05-27 14:11:26 TCP_CLIENT link remote: [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 MANAGEMENT: >STATE:1558962686,WAIT,,,,,,
2019-05-27 14:11:26 MANAGEMENT: >STATE:1558962686,AUTH,,,,,,
2019-05-27 14:11:26 TLS: Initial packet from [AF_INET]127.0.0.1:11194, sid=072914d3 4912c8a0
2019-05-27 14:11:26 VERIFY OK: depth=1, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:11:26 VERIFY KU OK
2019-05-27 14:11:26 Validating certificate extended key usage
2019-05-27 14:11:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-05-27 14:11:26 VERIFY EKU OK
2019-05-27 14:11:26 VERIFY OK: depth=0, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=vpn@radged.com
2019-05-27 14:11:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
2019-05-27 14:11:26 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'
2019-05-27 14:11:26 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2019-05-27 14:11:26 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2019-05-27 14:11:26 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-27 14:11:26 [server] Peer Connection Initiated with [AF_INET]127.0.0.1:11194
2019-05-27 14:11:26 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2019-05-27 14:11:27 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2019-05-27 14:11:27 *Tunnelblick: Disconnecting using 'kill'
2019-05-27 14:11:27 event_wait : Interrupted system call (code=4)
2019-05-27 14:11:27 SIGTERM[hard,] received, process exiting
2019-05-27 14:11:27 MANAGEMENT: >STATE:1558962687,EXITING,SIGTERM,,,,,
2019-05-27 14:11:27 *Tunnelblick: No 'post-disconnect.sh' script to execute
2019-05-27 14:11:27 *Tunnelblick: Expected disconnection occurred.
asked 27 May 2019 at 16:32
1 answer

Hopefully the logs are useful to you: replace "Warning" with "Fatal", since these are fatal errors that prevent the connection.

For openvpn the remote and local settings must match, especially the key-exchange settings.

For the MTU warning, set link-mtu to a well-known useful value such as 1500 on both the remote and the local side, as this will prevent fragmentation.

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
--link-mtu n
     Sets an upper bound on the size of UDP packets which are sent
     between OpenVPN peers. It's best not to set this parameter unless
     you know what you're doing. 

The other warnings come from your Cipher: your local client is trying to use the more secure AES-256-GCM, whereas the remote is using BF-CBC, which is deprecated and obsolete.

WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher BF-CBC'

To fix this, specify the cipher AES-256-GCM in both the remote and the local configuration.

For Keysize, ignore it, as it is a deprecated flag; Cipher now sets the size, which is 256 for AES-256-GCM, so specifying this cipher on both local and remote is the same as specifying 256 on both remote and local.

TLDR: add these lines to both the local and the remote configuration.

auth SHA256
link-mtu 1500
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
answered 4 December 2019 at 15:42
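The script below is an added example, not code from the question or the answer. It does two things a practitioner would want to check before editing by hand: it compares two OpenVPN configs on the options both peers must share (the ones behind the "'X' is used inconsistently" warnings), applying OpenVPN 2.4's defaults for absent options so that a server with no explicit cipher is reported as BF-CBC, exactly the remote= values in the posted warnings; and it flags stunnel client sections that set no verify option, which is the caveat in the posted stunnel client config: with `cert` commented out and no `verifyChain`/`verifyPeer`/`verify` line shown (unless a global section not shown sets one), the stunnel client encrypts to whatever answers on the forwarded port without authenticating it. The list of peer options, the defaults, the hostnames and all config contents are assumptions or constructed samples.

```python
# Added example, not code from the question or answer: compares two OpenVPN
# configs on the options both peers must share (the source of the "'X' is used
# inconsistently" warnings) and flags stunnel client sections that never verify
# the server certificate. Every config below is a constructed sample.

PEER_OPTIONS = ("proto", "dev", "cipher", "auth", "keysize", "link-mtu",
                "tun-mtu", "comp-lzo")
# OpenVPN 2.4 defaults applied when the option is absent; they are exactly the
# remote= values in the posted warnings.
OPENVPN_DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "keysize": "128"}

def parse_openvpn(text):
    """Map option -> argument string ('' for bare flags such as comp-lzo);
    blank lines and '#'/';' comments are skipped, as OpenVPN does."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def peer_mismatches(server_text, client_text):
    """[(option, server_value, client_value)] for PEER_OPTIONS whose effective
    values differ. link-mtu/tun-mtu are compared only when set explicitly;
    OpenVPN derives them otherwise, which this example does not model."""
    srv, cli = parse_openvpn(server_text), parse_openvpn(client_text)
    out = []
    for opt in PEER_OPTIONS:
        s = srv.get(opt, OPENVPN_DEFAULTS.get(opt))
        c = cli.get(opt, OPENVPN_DEFAULTS.get(opt))
        if s != c:
            out.append((opt, s, c))
    return out

def parse_stunnel(text):
    """Map section name -> {option: value}; global options live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def unverified_stunnel_clients(text):
    """Names of 'client = yes' sections with no verifyChain/verifyPeer (stunnel
    5) or verify (older) option, locally or globally: such a client encrypts to
    whatever answers on the port without authenticating it."""
    sections = parse_stunnel(text)
    keys = ("verifyChain", "verifyPeer", "verify")
    return [name for name, opts in sections.items()
            if name and opts.get("client") == "yes"
            and not any(k in opts or k in sections[""] for k in keys)]

# Server with no explicit cipher (BF-CBC default) against a client asking for
# AES-256-GCM; ANSWER_LINES are the four lines the answer says to add to both.
SERVER_CONF = "port 1194\nproto tcp\ndev tun\ncomp-lzo\nkeepalive 10 120\n"
CLIENT_CONF = "client\nproto tcp\ndev tun\ncomp-lzo\ncipher AES-256-GCM\n"
ANSWER_LINES = ("auth SHA256\nlink-mtu 1500\ncipher AES-256-GCM\n"
                "ncp-ciphers AES-256-GCM:AES-128-GCM\n")

# First section mirrors the question's client (cert commented out, no verify
# option); the second pins the CA and checks the name. Host is a placeholder.
STUNNEL_CLIENT_CONF = """\
[openvpn]
client = yes
accept = 127.0.0.1:11194
connect = vpn.example.invalid:44444
;cert = /usr/local/etc/stunnel/cert.pem

[sslssh]
client = yes
accept = 127.0.0.1:2222
connect = vpn.example.invalid:55555
CAfile = /usr/local/etc/stunnel/ca.pem
verifyChain = yes
checkHost = vpn.example.invalid
"""

if __name__ == "__main__":
    print("before:", peer_mismatches(SERVER_CONF, CLIENT_CONF))
    print("after:", peer_mismatches(SERVER_CONF + ANSWER_LINES,
                                    CLIENT_CONF + ANSWER_LINES))
    print("unverified stunnel clients:",
          unverified_stunnel_clients(STUNNEL_CLIENT_CONF))
```

Running it prints the cipher mismatch for the sample pair, an empty list once the answer's lines are appended to both sides, and `['openvpn']` for the stunnel config. Two things worth keeping in mind when reading the output: the `ncp-ciphers` line makes OpenVPN 2.4 negotiate the data-channel cipher at the handshake, which is why the posted log shows "using negotiated cipher 'AES-256-GCM'" despite the cipher warning; and `verifyChain` needs `CAfile` or `CApath` to point at the CA that issued the stunnel server certificate, otherwise every connection fails rather than being silently accepted.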
