OpenVPN and a "gateway-redirect" problem

Networks and security - Linux and alternative OSes

Marsh Posted on 31-05-2007 at 15:45:53

Hello everyone.

So, I have set up an OpenVPN server on Linux. Everything was working fine, and as of now everything still works fine... more or less. My setup is very simple for now: I have one client, one server, and in between two or three routers that do nothing but route (so far so good :) ).

The problem I have right now is this. I would like all of my client's traffic to go through the VPN to my VPN server, which will then relay it on to the Internet behind it. So for that, my VPN server must be the client's default route. This is possible thanks to the "gateway-redirect" option in the VPN server's config file. I enabled this option, and the client's default gateway is indeed changed... but not to the VPN server's address!!! The VPN server (whose address is 10.8.0.1) tells the client: "here is your default gateway: 10.8.0.5" (it varies; sometimes it says 10.8.0.9, or .10, or... whatever it feels like). But these addresses do not exist on my network; as a reminder, I basically have one client, one server and a few routers in the middle on 192.168.x.x, and that's it. Before, everything worked fine: the server told the client "I am your gateway, 10.8.0.1", but now it sends it a bogus address... :'( Does anyone have an idea? Just in case, here are my server and client config files:
 
 
Server:

Code:
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert VPNserver.crt
key VPNserver.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.0.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup
user openvpn
group openvpn

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20


 
Client:

Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.100.10 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert Client02.crt
key Client02.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20


 
 
Logs shown on the client:

Code:
Wed May 30 10:01:38 2007 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov  2 2005
Wed May 30 10:01:38 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed May 30 10:01:38 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 30 10:01:38 2007 LZO compression initialized
Wed May 30 10:01:38 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 30 10:01:38 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 30 10:01:38 2007 Local Options hash (VER=V4): '41690919'
Wed May 30 10:01:38 2007 Expected Remote Options hash (VER=V4): '530fdded'
Wed May 30 10:01:38 2007 UDPv4 link local: [undef]
Wed May 30 10:01:38 2007 UDPv4 link remote: 192.168.100.10:1194
Wed May 30 10:01:38 2007 TLS: Initial packet from 192.168.100.10:1194, sid=81ac3d67 05db3950
Wed May 30 10:01:39 2007 VERIFY OK: depth=1, /C=FR/ST=France/L=Issy/O=Aramis/CN=VPNserver/emailAddress=contact@aramis.fr
Wed May 30 10:01:39 2007 VERIFY OK: depth=0, /C=FR/ST=France/O=Aramis/CN=VPNserver/emailAddress=contact@aramis.fr
Wed May 30 10:01:42 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 30 10:01:42 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 30 10:01:42 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 30 10:01:42 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 30 10:01:42 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed May 30 10:01:42 2007 [VPNserver] Peer Connection Initiated with 192.168.100.10:1194
Wed May 30 10:01:43 2007 SENT CONTROL [VPNserver]: 'PUSH_REQUEST' (status=1)
Wed May 30 10:01:43 2007 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed May 30 10:01:43 2007 OPTIONS IMPORT: timers and/or timeouts modified
Wed May 30 10:01:43 2007 OPTIONS IMPORT: --ifconfig/up options modified
Wed May 30 10:01:43 2007 OPTIONS IMPORT: route options modified
Wed May 30 10:01:43 2007 TAP-WIN32 device [Connexion au réseau local 2] opened: \\.\Global\{A020DE63-2556-44B0-91AB-42187758D9DE}.tap
Wed May 30 10:01:43 2007 TAP-Win32 Driver Version 8.1
Wed May 30 10:01:43 2007 TAP-Win32 MTU=1500
Wed May 30 10:01:43 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {A020DE63-2556-44B0-91AB-42187758D9DE} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed May 30 10:01:43 2007 Successful ARP Flush on interface [3] {A020DE63-2556-44B0-91AB-42187758D9DE}
Wed May 30 10:01:43 2007 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed May 30 10:01:43 2007 Route: Waiting for TUN/TAP interface to come up...
Wed May 30 10:01:44 2007 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed May 30 10:01:44 2007 Route: Waiting for TUN/TAP interface to come up...
Wed May 30 10:01:45 2007 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed May 30 10:01:45 2007 Route: Waiting for TUN/TAP interface to come up...
Wed May 30 10:01:47 2007 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed May 30 10:01:47 2007 Route: Waiting for TUN/TAP interface to come up...
Wed May 30 10:01:48 2007 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed May 30 10:01:48 2007 route ADD 192.168.100.10 MASK 255.255.255.255 192.168.102.11
Wed May 30 10:01:48 2007 Route addition via IPAPI succeeded
Wed May 30 10:01:48 2007 route DELETE 0.0.0.0 MASK 0.0.0.0 192.168.102.11
Wed May 30 10:01:48 2007 Route deletion via IPAPI succeeded
Wed May 30 10:01:48 2007 route ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.5
Wed May 30 10:01:48 2007 Route addition via IPAPI succeeded
Wed May 30 10:01:48 2007 route ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed May 30 10:01:48 2007 Route addition via IPAPI succeeded
Wed May 30 10:01:48 2007 Initialization Sequence Completed


 
So, as you can see in the logs, it adds 10.8.0.5 as the default route, and I really don't understand what it is doing there; as I said, my setup is basic and there is no equipment at address 10.8.0.5... I don't get it. If anyone has an idea, thanks in advance!!!
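The example below is added here and is not part of the post or of OpenVPN itself; it works through the PUSH_REPLY and route lines from the client log above to show where 10.8.0.5 comes from. It assumes the default net30 topology of OpenVPN 2.0 (the version in the log), in which `server 10.8.0.0 255.255.255.0` with `dev tun` hands each client its own /30 whose second address is a virtual peer endpoint answered by the server daemon, which is the address the pushed redirect-gateway uses as the next hop; the log excerpt embedded in the code is constructed from the lines shown in the post.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the client log in the post.
CLIENT_LOG = """\
Wed May 30 10:01:38 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 30 10:01:43 2007 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed May 30 10:01:48 2007 route ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.5
Wed May 30 10:01:48 2007 route ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
"""


def net30_client(pool, n):
    """(client address, virtual peer) of the n-th client /30 carved out of
    `pool` in net30 topology (n=1 is the first client; /30 number 0 is the
    server's own 10.8.0.1 / 10.8.0.2 pair). Assumes default net30 mode."""
    sub = list(ipaddress.ip_network(pool).subnets(new_prefix=30))[n]
    addrs = list(sub)            # network, peer endpoint, client, broadcast
    return str(addrs[2]), str(addrs[1])


def parse_push_reply(line):
    """Split a PUSH_REPLY control message into {directive: [args...]}."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        words = item.split()
        opts[words[0]] = words[1:]
    return opts


def check_client_log(text):
    """Explain the routes the client installed and flag the TLS warning."""
    result = {"server_cert_verified": True, "pushed": None,
              "default_gw": None, "gw_is_tunnel_peer": False}
    for line in text.splitlines():
        if "No server certificate verification method" in line:
            # The client accepts any cert signed by ca.crt as 'the server'
            # because ns-cert-type server is commented out in its config.
            result["server_cert_verified"] = False
        elif "PUSH_REPLY" in line:
            result["pushed"] = parse_push_reply(line)
        else:
            m = re.search(r"route ADD 0\.0\.0\.0 MASK 0\.0\.0\.0 (\S+)", line)
            if m:
                result["default_gw"] = m.group(1)
    pushed = result["pushed"]
    if pushed and "ifconfig" in pushed and "redirect-gateway" in pushed:
        local, peer = pushed["ifconfig"]
        # The new default gateway is the far end of the client's own /30,
        # i.e. the tunnel endpoint served by the OpenVPN daemon, not a
        # separate host that has to exist on the LAN.
        result["gw_is_tunnel_peer"] = result["default_gw"] == peer
        result["tunnel_local"], result["tunnel_peer"] = local, peer
    return result


if __name__ == "__main__":
    print(net30_client("10.8.0.0/24", 1))   # ('10.8.0.6', '10.8.0.5')
    print(net30_client("10.8.0.0/24", 2))   # ('10.8.0.10', '10.8.0.9')
    print(check_client_log(CLIENT_LOG))
```

The second and third /30 give 10.8.0.5 and 10.8.0.9 as peers, matching the addresses the poster saw; the same pass also surfaces the "No server certificate verification method" warning, which a reader checking this log should treat as a separate finding.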
