OpenVPN only works in TAP mode

OpenVPN only works in TAP mode - Security - Consumer / SoHo networks

Marsh Posted on 24-12-2012 at 14:40:27

Hello, I'm praying that someone can help me, because I'm a novice in this area :D

I rent a Windows 2007 server with a single network card that has a public IP, netmask 255.255.255.0.
On it I installed OpenVPN to act as the VPN server.

When this server and the clients are in TAP mode, everything works perfectly.

But if I switch everyone over to TUN mode, the clients do connect to the server (they get an IP assigned, green icon), but they cannot ping the server, and the server cannot ping them either.

The problem is that one of my clients can only work in TUN mode (an Android smartphone).


Here are the logs (I've replaced the server's public IP with a dummy IP, 123.123.123.123, and the client's public IP with 124.124.124.124)

TAP client (ok)
 
Client Tap (ok)


Mon Dec 24 13:47:23 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Dec 24 13:47:23 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Dec 24 13:47:24 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Dec 24 13:47:24 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:24 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:24 2012 LZO compression initialized
Mon Dec 24 13:47:24 2012 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 24 13:47:24 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Dec 24 13:47:24 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Dec 24 13:47:24 2012 Local Options hash (VER=V4): '13a273ba'
Mon Dec 24 13:47:24 2012 Expected Remote Options hash (VER=V4): '360696c5'
Mon Dec 24 13:47:24 2012 UDPv4 link local: [undef]
Mon Dec 24 13:47:24 2012 UDPv4 link remote: 123.123.123.123:60444
Mon Dec 24 13:47:24 2012 TLS: Initial packet from 123.123.123.123:60444, sid=73cb9e36 fb11648f
Mon Dec 24 13:47:24 2012 VERIFY OK: depth=1, /C=FR/ST=IDF/L=toto/O=toto/CN=server1VPN.toto.com/emailAddress=toto@toto.fr
Mon Dec 24 13:47:24 2012 VERIFY OK: nsCertType=SERVER
Mon Dec 24 13:47:24 2012 VERIFY OK: depth=0, /C=FR/ST=IDF/O=toto.com/CN=server/emailAddress=toto@toto.fr
Mon Dec 24 13:47:25 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:47:25 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:25 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:47:25 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:25 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Dec 24 13:47:25 2012 [server] Peer Connection Initiated with 123.123.123.123:60444
Mon Dec 24 13:47:27 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Dec 24 13:47:27 2012 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.186.196.1,ping 30,ping-restart 300,ifconfig 10.186.196.4 255.255.255.0'
Mon Dec 24 13:47:27 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 24 13:47:27 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 24 13:47:27 2012 OPTIONS IMPORT: route-related options modified
Mon Dec 24 13:47:27 2012 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{FFA15676-3710-47DA-87F6-35A8869B80BB}.tap
Mon Dec 24 13:47:27 2012 TAP-Win32 Driver Version 9.9  
Mon Dec 24 13:47:27 2012 TAP-Win32 MTU=1500
Mon Dec 24 13:47:27 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.186.196.4/255.255.255.0 on interface {FFA15676-3710-47DA-87F6-35A8869B80BB} [DHCP-serv: 10.186.196.0, lease-time: 31536000]
Mon Dec 24 13:47:27 2012 Successful ARP Flush on interface [26] {FFA15676-3710-47DA-87F6-35A8869B80BB}
Mon Dec 24 13:47:32 2012 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Mon Dec 24 13:47:32 2012 Initialization Sequence Completed


 
TUN client (fail)


Mon Dec 24 13:43:23 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Dec 24 13:43:23 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Dec 24 13:43:24 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Dec 24 13:43:24 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:43:24 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:43:24 2012 LZO compression initialized
Mon Dec 24 13:43:24 2012 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 24 13:43:24 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Dec 24 13:43:24 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Dec 24 13:43:24 2012 Local Options hash (VER=V4): '504e774e'
Mon Dec 24 13:43:24 2012 Expected Remote Options hash (VER=V4): '14168603'
Mon Dec 24 13:43:24 2012 UDPv4 link local: [undef]
Mon Dec 24 13:43:24 2012 UDPv4 link remote: 123.123.123.123:60444
Mon Dec 24 13:43:24 2012 TLS: Initial packet from 123.123.123.123:60444, sid=2aa78faa 36412f7d
Mon Dec 24 13:43:24 2012 VERIFY OK: depth=1, /C=FR/ST=IDF/L=toto/O=toto.com/CN=server1VPN.toto.com/emailAddress=toto@toto.fr
Mon Dec 24 13:43:24 2012 VERIFY OK: nsCertType=SERVER
Mon Dec 24 13:43:24 2012 VERIFY OK: depth=0, /C=FR/ST=IDF/O=toto.com/CN=server/emailAddress=toto@toto.fr
Mon Dec 24 13:43:25 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:43:25 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:43:25 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:43:25 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:43:25 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Dec 24 13:43:25 2012 [server] Peer Connection Initiated with 123.123.123.123:60444
Mon Dec 24 13:43:27 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Dec 24 13:43:27 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.186.196.0 255.255.255.0,ping 30,ping-restart 300,ifconfig 10.186.196.6 10.186.196.5'
Mon Dec 24 13:43:27 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 24 13:43:27 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 24 13:43:27 2012 OPTIONS IMPORT: route options modified
Mon Dec 24 13:43:27 2012 ROUTE default_gateway=192.168.1.1
Mon Dec 24 13:43:27 2012 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{FFA15676-3710-47DA-87F6-35A8869B80BB}.tap
Mon Dec 24 13:43:27 2012 TAP-Win32 Driver Version 9.9  
Mon Dec 24 13:43:27 2012 TAP-Win32 MTU=1500
Mon Dec 24 13:43:27 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.186.196.6/255.255.255.252 on interface {FFE15676-3710-47DA-87F6-35A8869B80BB} [DHCP-serv: 10.186.196.5, lease-time: 31536000]
Mon Dec 24 13:43:27 2012 Successful ARP Flush on interface [26] {FFA15676-3710-47DA-87F6-35A8869B80BB}
Mon Dec 24 13:43:32 2012 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Mon Dec 24 13:43:32 2012 C:\WINDOWS\system32\route.exe ADD 10.186.196.0 MASK 255.255.255.0 10.186.196.5
Mon Dec 24 13:43:32 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Dec 24 13:43:32 2012 Route addition via IPAPI succeeded [adaptive]
Mon Dec 24 13:43:32 2012 Initialization Sequence Completed


 
TAP server (ok)


Mon Dec 24 13:47:14 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Dec 24 13:47:15 2012 Diffie-Hellman initialized with 1024 bit key
Mon Dec 24 13:47:15 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Dec 24 13:47:15 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:15 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:15 2012 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 24 13:47:15 2012 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{45075563-48E6-411F-B252-68B7C35BF10C}.tap
Mon Dec 24 13:47:15 2012 TAP-Win32 Driver Version 8.4  
Mon Dec 24 13:47:15 2012 TAP-Win32 MTU=1500
Mon Dec 24 13:47:15 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.186.196.1/255.255.255.0 on interface {45075563-48E6-411F-B252-68B7C35BF10C} [DHCP-serv: 10.186.196.0, lease-time: 31536000]
Mon Dec 24 13:47:15 2012 Sleeping for 10 seconds...
Mon Dec 24 13:47:25 2012 NOTE: FlushIpNetTable failed on interface [24] {45075563-48E6-411F-B252-68B7C35BF10C} (status=5) : Accès refusé.  
Mon Dec 24 13:47:25 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Dec 24 13:47:25 2012 UDPv4 link local (bound): 123.123.123.123:60444
Mon Dec 24 13:47:25 2012 UDPv4 link remote: [undef]
Mon Dec 24 13:47:25 2012 MULTI: multi_init called, r=256 v=256
Mon Dec 24 13:47:25 2012 IFCONFIG POOL: base=10.186.196.2 size=253
Mon Dec 24 13:47:25 2012 IFCONFIG POOL LIST
Mon Dec 24 13:47:25 2012 giovaportable,10.186.196.4
Mon Dec 24 13:47:25 2012 giovaPDA,10.186.196.8
Mon Dec 24 13:47:25 2012 Initialization Sequence Completed
Mon Dec 24 13:47:25 2012 MULTI: multi_create_instance called
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Re-using SSL/TLS context
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 LZO compression initialized
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Local Options hash (VER=V4): '360696c5'
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Expected Remote Options hash (VER=V4): '13a273ba'
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 TLS: Initial packet from 124.124.124.124:64556, sid=c1b8731e 213a68b6
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 VERIFY OK: depth=1, /C=FR/ST=IDF/L=Boulogne-Billancourt/O=Gamereco.com/CN=server1VPN.gamereco.com/emailAddress=giovareco@yahoo.fr
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 VERIFY OK: depth=0, /C=FR/ST=IDF/O=toto.com/CN=giovaportable/emailAddress=toto@toto.fr
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Dec 24 13:47:25 2012 79.86.144.28:64556 [giovaportable] Peer Connection Initiated with 124.124.124.124:64556
Mon Dec 24 13:47:28 2012 giovaportable/79.86.144.28:64556 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec 24 13:47:28 2012 giovaportable/79.86.144.28:64556 SENT CONTROL [giovaportable]: 'PUSH_REPLY,route-gateway 10.186.196.1,ping 30,ping-restart 300,ifconfig 10.186.196.4 255.255.255.0' (status=1)
Mon Dec 24 13:47:28 2012 giovaportable/79.86.144.28:64556 MULTI: Learn: 00:ff:ff:e1:56:76 -> giovaportable/124.124.124.124:64556


 
TUN server (fail)


Mon Dec 24 13:42:13 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Dec 24 13:42:13 2012 Diffie-Hellman initialized with 1024 bit key
Mon Dec 24 13:42:13 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Dec 24 13:42:13 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:42:13 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:42:13 2012 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 24 13:42:13 2012 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{45075563-48E6-411F-B252-68B7C35BF10C}.tap
Mon Dec 24 13:42:13 2012 TAP-Win32 Driver Version 8.4  
Mon Dec 24 13:42:13 2012 TAP-Win32 MTU=1500
Mon Dec 24 13:42:13 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.186.196.1/255.255.255.252 on interface {45075563-48E6-411F-B252-68B7C35BF10C} [DHCP-serv: 10.186.196.2, lease-time: 31536000]
Mon Dec 24 13:42:13 2012 Sleeping for 10 seconds...
Mon Dec 24 13:42:23 2012 NOTE: FlushIpNetTable failed on interface [24] {45075563-48E6-411F-B252-68B7C35BF10C} (status=5) : Accès refusé.  
Mon Dec 24 13:42:23 2012 route ADD 10.186.196.0 MASK 255.255.255.0 10.186.196.2
Mon Dec 24 13:42:23 2012 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.   [if_index=24]
Mon Dec 24 13:42:23 2012 Route addition via IPAPI failed
Mon Dec 24 13:42:23 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Dec 24 13:42:23 2012 UDPv4 link local (bound): 123.123.123.123:60444
Mon Dec 24 13:42:23 2012 UDPv4 link remote: [undef]
Mon Dec 24 13:42:23 2012 MULTI: multi_init called, r=256 v=256
Mon Dec 24 13:42:23 2012 IFCONFIG POOL: base=10.186.196.4 size=62
Mon Dec 24 13:42:23 2012 IFCONFIG POOL LIST
Mon Dec 24 13:42:23 2012 giovaportable,10.186.196.4
Mon Dec 24 13:42:23 2012 giovaPDA,10.186.196.8
Mon Dec 24 13:42:23 2012 Initialization Sequence Completed
Mon Dec 24 13:43:24 2012 MULTI: multi_create_instance called
Mon Dec 24 13:43:24 2012 124.124.124.124:58646 Re-using SSL/TLS context
Mon Dec 24 13:43:24 2012 124.124.124.124:58646 LZO compression initialized
Mon Dec 24 13:43:24 2012 124.124.124.124:58646 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 24 13:43:24 2012 124.124.124.124:58646 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Dec 24 13:43:24 2012 124.124.124.124:58646 Local Options hash (VER=V4): '14168603'
Mon Dec 24 13:43:24 2012 124.124.124.124:58646 Expected Remote Options hash (VER=V4): '504e774e'
Mon Dec 24 13:43:24 2012 124.124.124.124:58646 TLS: Initial packet from 124.124.124.124:58646, sid=957ae244 080394b7
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 VERIFY OK: depth=1, /C=FR/ST=IDF/L=toto/O=toto.com/CN=server1VPN.toto.com/emailAddress=toto@toto.fr
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 VERIFY OK: depth=0, /C=FR/ST=IDF/O=Gamereco.com/CN=giovaportable/emailAddress=giovareco@yahoo.fr
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Dec 24 13:43:25 2012 124.124.124.124:58646 [giovaportable] Peer Connection Initiated with 124.124.124.124:58646
Mon Dec 24 13:43:25 2012 giovaportable/124.124.124.124:58646 MULTI: Learn: 10.186.196.6 -> giovaportable/124.124.124.124:58646
Mon Dec 24 13:43:25 2012 giovaportable/124.124.124.124:58646 MULTI: primary virtual IP for giovaportable/124.124.124.124:58646: 10.186.196.6
Mon Dec 24 13:43:27 2012 giovaportable/124.124.124.124:58646 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec 24 13:43:27 2012 giovaportable/124.124.124.124:58646 SENT CONTROL [giovaportable]: 'PUSH_REPLY,route 10.186.196.0 255.255.255.0,ping 30,ping-restart 300,ifconfig 10.186.196.6 10.186.196.5' (status=1)


 
I imagine that having only one public IP on the server is related to the problem...
I see that the netmasks differ between TAP (255.255.255.0) and TUN (255.255.255.252).
Probably some routing to set up, but what and how???

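An added log-triage helper (not from the post, and not OpenVPN's own code) that reads OpenVPN log lines like the ones above, splits the PUSH_REPLY options, tells the TAP-style "ifconfig ip netmask" form apart from the TUN net30 "ifconfig ip peer" form (each client sits in its own /30, which is where the 255.255.255.252 mask in the TUN logs comes from), and lists route-install failures such as the "Route addition via IPAPI failed" lines in the server TUN log. The embedded sample is four lines copied from the server TUN log; the function and field names are my own assumptions.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: four lines excerpted from the server TUN log in the post.
SERVER_TUN_LOG = """\
Mon Dec 24 13:42:23 2012 route ADD 10.186.196.0 MASK 255.255.255.0 10.186.196.2
Mon Dec 24 13:42:23 2012 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.   [if_index=24]
Mon Dec 24 13:42:23 2012 Route addition via IPAPI failed
Mon Dec 24 13:43:27 2012 giovaportable/124.124.124.124:58646 SENT CONTROL [giovaportable]: 'PUSH_REPLY,route 10.186.196.0 255.255.255.0,ping 30,ping-restart 300,ifconfig 10.186.196.6 10.186.196.5' (status=1)
"""

TIMESTAMP_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
ROUTE_FAIL_RE = re.compile(r"route addition failed|Route addition via IPAPI failed")

def parse_push_reply(options: str) -> dict:
    """Split 'route 10.0.0.0 255.255.255.0,ping 30,...' into {name: [[args], ...]}."""
    opts = {}
    for item in options.split(","):
        name, _, args = item.strip().partition(" ")
        opts.setdefault(name, []).append(args.split())
    return opts

def classify_ifconfig(args) -> tuple:
    """'ifconfig <ip> <netmask>' = shared subnet (TAP, or TUN with topology subnet).
    'ifconfig <ip> <peer>' = TUN net30: the client sits in its own /30 with the peer."""
    local, second = IPv4Address(args[0]), args[1]
    try:
        IPv4Network(f"0.0.0.0/{second}")  # succeeds only if <second> is a netmask
        return "subnet", IPv4Network(f"{local}/{second}", strict=False)
    except ValueError:
        return "net30", IPv4Network(f"{local}/30", strict=False)

def triage(log: str) -> dict:
    """Summarise pushed tunnel addressing and route-install failures from OpenVPN log text."""
    report = {"route_failures": [], "clients": []}
    for line in log.splitlines():
        msg = TIMESTAMP_RE.sub("", line)
        if ROUTE_FAIL_RE.search(msg):
            report["route_failures"].append(msg)
        m = PUSH_RE.search(msg)
        if not m:
            continue
        opts = parse_push_reply(m.group(1))
        mode, net = classify_ifconfig(opts["ifconfig"][0])
        report["clients"].append({"mode": mode, "client_net": str(net),
                                  "routes": [" ".join(r) for r in opts.get("route", [])],
                                  "route_gateway": opts.get("route-gateway", [[None]])[0][0]})
    return report
```

Run `triage()` over the full server log to see, per client, which /30 the server must be able to route to, next to any route the server failed to install.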

Marsh Posted on 14-01-2013 at 13:43:59

Hello, I'm taking the liberty of bumping this topic, as I still haven't found the slightest explanation anywhere...


Marsh Posted on 26-04-2013 at 16:40:56

Sorry to dig up this topic, but I never managed to solve this problem.

And it's becoming more and more of a blocker for me!

Does anyone have a lead, please????
