OS(Linux Mint 19)を再ロードしてVPN接続を実行しようとしています。以前のOSと同じ.ovpn設定ファイルを使用していますが(うまくいきます)、今はトンネルを正しく設定できないようです(接続されていると表示されますが)。 an はip atun0 の構成を次のように表示します。
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.14 peer 10.8.0.13/32 brd 10.8.0.14 scope global noprefixroute tun0
valid_lft forever preferred_lft forever
inet6 fe80::492b:6fe4:1395:8619/64 scope link stable-privacy
valid_lft forever preferred_lft forever
私のクライアント設定ファイル:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote premprovsol.com 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
key-direction 1
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#certs are below
通常、NFS共有を10.8.0.1サーバーアドレスにマウントしますが、そのアドレスでできる唯一の操作はpingです。私が逃したものはありますか?
ログ制御--
Logs begin at Tue 2018-07-10 21:24:32 EDT, end at Wed 2018-07-11 11:25:24 EDT. --
Jul 10 21:24:43 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 10 21:24:43 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 08:01:12 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 08:04:32 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 08:04:32 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 09:01:18 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 09:02:11 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 09:02:11 Shawn-Home systemd[1]: Started OpenVPN service.
openvpnコマンドログ:
Wed Jul 11 11:54:56 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Wed Jul 11 11:54:56 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:56 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 11 11:54:56 2018 UDP link local: (not bound)
Wed Jul 11 11:54:56 2018 UDP link remote: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jul 11 11:54:57 2018 TLS: Initial packet from [AF_INET]97.76.87.146:1194, sid=87606e28 e67e77b4
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jul 11 11:54:58 2018 VERIFY KU OK
Wed Jul 11 11:54:58 2018 Validating certificate extended key usage
Wed Jul 11 11:54:58 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 11 11:54:58 2018 VERIFY EKU OK
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=0, CN=server
Wed Jul 11 11:54:58 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 11 11:54:58 2018 [server] Peer Connection Initiated with [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:59 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: route options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: peer-id set
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 ROUTE_GATEWAY 10.0.10.1/255.255.255.0 IFACE=enp2s0 HWADDR=48:4d:7e:d2:08:0a
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 TUN/TAP TX queue length set to 100
Wed Jul 11 11:54:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /etc/openvpn/update-resolv-conf tun1 1500 1552 10.8.0.14 10.8.0.13 init
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 GID set to nogroup
Wed Jul 11 11:54:59 2018 UID set to nobody
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed