All times are UTC




Post subject: Clients no longer connect correctly
Posted: 24.11.2016 20:33
Hello everyone,

In my VPN, I accidentally replaced "dev tun" with "dev tap" while making a change. The clients still connected afterwards, but they could no longer be pinged, let alone reached via ssh. Reverting the server configuration made no difference. By trial and error I found out that a client connects normally again after a reboot. However, I cannot get to all of the clients, and some of them not for a few months. Is there a way to get the clients to connect again without a reboot?

Here is the output of /var/log/syslog. First with the incorrect server configuration:

Code:
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: Re-using SSL/TLS context
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: LZO compression initialized
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: Local Options hash (VER=V4): '41690919'
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: Expected Remote Options hash (VER=V4): '530fdded'
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: UDPv4 link local: [undef]
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: UDPv4 link remote: [AF_INET]192.168.2.112:1194
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: TLS: Initial packet from [AF_INET]192.168.2.112:1194, sid=dc32af45 54619572
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: VERIFY OK: depth=1, /C=DE/ST=BY/L=Munich/O=OTTO/OU=qwer/CN=asdf/name=EasyRSA/emailAddress=joman@gmx.de
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: VERIFY OK: nsCertType=SERVER
Nov 23 23:11:51 Raspberry ovpn-rpi[2039]: VERIFY OK: depth=0, /C=DE/ST=BY/L=Munich/O=OTTO/OU=qwer/CN=server/name=EasyRSA/emailAddress=joman@gmx.de
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: [server] Peer Connection Initiated with [AF_INET]192.168.2.112:1194
Nov 23 23:11:53 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:11:53 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.20 10.8.0.21'
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: OPTIONS IMPORT: route-related options modified
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: Preserving previous TUN/TAP instance: tun0
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: Closing TUN/TAP interface
Nov 23 23:11:54 Raspberry ovpn-rpi[2039]: /sbin/ifconfig tun0 0.0.0.0
Nov 23 23:11:55 Raspberry ifplugd(tun0)[2205]: Link beat lost.
Nov 23 23:11:55 Raspberry ifplugd(tun0)[2205]: Exiting.
Nov 23 23:11:56 Raspberry ovpn-rpi[2039]: TUN/TAP device tun0 opened
Nov 23 23:11:56 Raspberry ovpn-rpi[2039]: TUN/TAP TX queue length set to 100
Nov 23 23:11:56 Raspberry ovpn-rpi[2039]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 23 23:11:56 Raspberry ovpn-rpi[2039]: /sbin/ifconfig tun0 10.8.0.20 pointopoint 10.8.0.21 mtu 1500
Nov 23 23:11:56 Raspberry ovpn-rpi[2039]: Initialization Sequence Completed
Nov 23 23:11:56 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:11:56 Raspberry ifplugd(tun0)[3575]: ifplugd 0.28 initializing.
Nov 23 23:11:56 Raspberry ifplugd(tun0)[3575]: Using interface tun0/00:00:00:00:00:00 with driver <tun> (version: 1.6)
Nov 23 23:11:56 Raspberry ifplugd(tun0)[3575]: Using detection mode: SIOCETHTOOL
Nov 23 23:11:56 Raspberry ifplugd(tun0)[3575]: Initialization complete, link beat detected.
Nov 23 23:11:56 Raspberry ifplugd(tun0)[3575]: Executing '/etc/ifplugd/ifplugd.action tun0 up'.
Nov 23 23:11:56 Raspberry ifplugd(tun0)[3575]: client: Ignoring unknown interface tun0=tun0.
Nov 23 23:11:56 Raspberry ifplugd(tun0)[3575]: Program executed successfully.
Nov 23 23:11:56 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:11:57 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:12:00 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:12:15 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:12:16 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)


And then with the corrected server configuration:
Code:
Nov 23 23:15:47 Raspberry ovpn-rpi[2039]: [server] Inactivity timeout (--ping-restart), restarting
Nov 23 23:15:47 Raspberry ovpn-rpi[2039]: TCP/UDP: Closing socket
Nov 23 23:15:47 Raspberry ovpn-rpi[2039]: SIGUSR1[soft,ping-restart] received, process restarting
Nov 23 23:15:47 Raspberry ovpn-rpi[2039]: Restart pause, 2 second(s)
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: Re-using SSL/TLS context
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: LZO compression initialized
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: Local Options hash (VER=V4): '41690919'
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: Expected Remote Options hash (VER=V4): '530fdded'
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: UDPv4 link local: [undef]
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: UDPv4 link remote: [AF_INET]192.168.2.112:1194
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: TLS: Initial packet from [AF_INET]192.168.2.112:1194, sid=271b784f 349fb0b6
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: VERIFY OK: depth=1, /C=DE/ST=BY/L=Munich/O=OTTO/OU=qwer/CN=asdf/name=EasyRSA/emailAddress=joman@gmx.de
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: VERIFY OK: nsCertType=SERVER
Nov 23 23:15:49 Raspberry ovpn-rpi[2039]: VERIFY OK: depth=0, /C=DE/ST=BY/L=Munich/O=OTTO/OU=qwer/CN=server/name=EasyRSA/emailAddress=joman@gmx.de
Nov 23 23:15:50 Raspberry ovpn-rpi[2039]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 23 23:15:50 Raspberry ovpn-rpi[2039]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 23 23:15:50 Raspberry ovpn-rpi[2039]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 23 23:15:50 Raspberry ovpn-rpi[2039]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 23 23:15:50 Raspberry ovpn-rpi[2039]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Nov 23 23:15:50 Raspberry ovpn-rpi[2039]: [server] Peer Connection Initiated with [AF_INET]192.168.2.112:1194
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.20 10.8.0.21'
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: OPTIONS IMPORT: route options modified
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: Preserving previous TUN/TAP instance: tun0
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: Closing TUN/TAP interface
Nov 23 23:15:52 Raspberry ovpn-rpi[2039]: /sbin/ifconfig tun0 0.0.0.0
Nov 23 23:15:52 Raspberry ifplugd(tun0)[3575]: Link beat lost.
Nov 23 23:15:52 Raspberry ifplugd(tun0)[3575]: Exiting.
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: ROUTE default_gateway=192.168.2.1
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: TUN/TAP device tun0 opened
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: TUN/TAP TX queue length set to 100
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: /sbin/ifconfig tun0 10.8.0.20 pointopoint 10.8.0.21 mtu 1500
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: ERROR: Linux route add command failed: external program exited with error status: 7
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: Initialization Sequence Completed
Nov 23 23:15:53 Raspberry ifplugd(tun0)[3699]: ifplugd 0.28 initializing.
Nov 23 23:15:53 Raspberry ifplugd(tun0)[3699]: Using interface tun0/00:00:00:00:00:00 with driver <tun> (version: 1.6)
Nov 23 23:15:53 Raspberry ifplugd(tun0)[3699]: Using detection mode: SIOCETHTOOL
Nov 23 23:15:53 Raspberry ifplugd(tun0)[3699]: Initialization complete, link beat detected.
Nov 23 23:15:53 Raspberry ifplugd(tun0)[3699]: Executing '/etc/ifplugd/ifplugd.action tun0 up'.
Nov 23 23:15:53 Raspberry ifplugd(tun0)[3699]: client: Ignoring unknown interface tun0=tun0.
Nov 23 23:15:53 Raspberry ifplugd(tun0)[3699]: Program executed successfully.
Nov 23 23:17:01 Raspberry /USR/SBIN/CRON[3725]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)


Best regards
Konstantin


Post subject: Re: Clients no longer connect correctly
Posted: 26.11.2016 13:05
... Continued: in the meantime I have found out that the routing table has changed. On the "broken" clients (here, for example, with IP 10.8.0.25) it looks like this:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         easy.box        0.0.0.0         UG    0      0        0 wlan0
10.8.0.26       *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 wlan0


On the working clients (here, for example, with 10.8.0.20) it looks like this:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         easy.box        0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.21       255.255.255.0   UG    0      0        0 tun0
10.8.0.21       *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0


If I manually add the missing route to the gateway, everything works again:
Code:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.26 dev tun0


Does anyone know how I can add this route again on the "broken" clients? As I said, I cannot get to some of the clients because they are located in remote huts up in the mountains. Right now I don't feel like hiking...

Best regards
Konstantin
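
Added example, not part of the original posts: a Python triage of the client log lines quoted in the first post, which also compares the gateway of the failed `route add` with the tunnel peer address that appears in the routing tables of the second post. The function name `triage` and the report keys are assumptions of this example; the sample lines are excerpted from the logs above.

```python
import re

# Sample input: lines excerpted (abridged) from the client syslog quoted in the thread.
SAMPLE_LOG = """\
Nov 23 23:11:52 Raspberry ovpn-rpi[2039]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Nov 23 23:11:53 Raspberry ovpn-rpi[2039]: write to TUN/TAP : Invalid argument (code=22)
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: /sbin/ifconfig tun0 10.8.0.20 pointopoint 10.8.0.21 mtu 1500
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: ERROR: Linux route add command failed: external program exited with error status: 7
Nov 23 23:15:53 Raspberry ovpn-rpi[2039]: Initialization Sequence Completed
"""

MISMATCH = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
IFCONFIG = re.compile(r"/sbin/ifconfig (\S+) (\S+) pointopoint (\S+)")
ROUTE_ADD = re.compile(r"/sbin/route add -net (\S+) netmask (\S+) gw (\S+)")
ROUTE_FAIL = "route add command failed"
TUN_WRITE = "write to TUN/TAP : Invalid argument"

def triage(log_text):
    """Collect option mismatches, TUN/TAP write errors and failed routes from an OpenVPN client log."""
    report = {"mismatches": [], "tun_write_errors": 0, "dev": None,
              "peer": None, "failed_routes": [], "findings": []}
    last_route = None  # most recent route command, matched to a following failure line
    for line in log_text.splitlines():
        if m := MISMATCH.search(line):
            report["mismatches"].append(m.groups())
        elif TUN_WRITE in line:
            report["tun_write_errors"] += 1
        elif m := IFCONFIG.search(line):
            report["dev"], report["peer"] = m.group(1), m.group(3)
        elif m := ROUTE_ADD.search(line):
            last_route = m.groups()
        elif ROUTE_FAIL in line and last_route:
            report["failed_routes"].append(last_route)
            last_route = None
    for opt, local, remote in report["mismatches"]:
        report["findings"].append(f"option '{opt}' differs: local={local!r} remote={remote!r}")
    if report["tun_write_errors"]:
        report["findings"].append(f"{report['tun_write_errors']} failed write(s) to the TUN/TAP device")
    for net, mask, gw in report["failed_routes"]:
        note = "" if gw == report["peer"] else f"; gw is not the tunnel peer {report['peer']}"
        report["findings"].append(f"route {net}/{mask} via {gw} was not installed{note}")
    return report

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```
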

