Hello,
I migrated my Odroid server from Ubuntu 18.04 to 20.04. Since then, the OpenVPN server it hosts has been giving me a problem:
Clients can still connect to OpenVPN fine, but I now only have access to the server itself and no longer to the other machines on my network (both from an Android client and from a Linux client).
I can ping 10.8.0.1 and 192.168.1.21 (which are the server's IP addresses), but not the machines in 192.168.1.0.
Connected to the OpenVPN server from a client, I don't have Internet access either (less serious).
What should I do?
My OpenVPN server.conf file is as follows:
root@odroid:~# cat /etc/openvpn/server.conf
# OpenVPN server
# Tunnel mode
dev tun
# Protocol udp or tcp
proto tcp
# Port 1194 or 443
port 993
# The CA
ca /etc/openvpn/easy-rsa/keys/ca.crt
# The server certificate
cert /etc/openvpn/easy-rsa/keys/openvpn.crt
# The server certificate key
key /etc/openvpn/easy-rsa/keys/openvpn.key
# Generated Diffie-Hellman key; if 4096, change it
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# The DHCP server, we define the range, default 10.8.0.0/24
server 10.8.0.0 255.255.255.0
# server and remote client.
ifconfig 10.8.0.1 10.8.0.2
# Add the route for the OpenVPN Server client.
push "route 10.8.0.1 255.255.255.255"
# Add the route for the clients of the subnet.
push "route 10.8.0.0 255.255.255.0"
# the local network of the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
# DNS server address; if no domain, use a public DNS.
push "dhcp-option DNS 208.67.222.222"
# The server will be the default gateway and all traffic will be routed through it.
push "redirect-gateway def1"
#push "redirect-gateway def1 bypass-dhcp"
client-to-client
# To duplicate the same certificate
# duplicate-cn
keepalive 10 120
# the shared key
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
#user openvpn
#group openvpn
persist-key
persist-tun
# Logs
status /var/logvpn/openvpn-status.log 20
log /var/logvpn/openvpn.log
verb 3
Here is the log on the server:
Fri Jul 14 16:24:15 2023 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Fri Jul 14 16:24:15 2023 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Fri Jul 14 16:24:15 2023 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Fri Jul 14 16:24:15 2023 Diffie-Hellman initialized with 2048 bit key
Fri Jul 14 16:24:15 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 14 16:24:15 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 14 16:24:15 2023 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=00:1e:06:36:56:3b
Fri Jul 14 16:24:15 2023 TUN/TAP device tun0 opened
Fri Jul 14 16:24:15 2023 TUN/TAP TX queue length set to 100
Fri Jul 14 16:24:15 2023 /sbin/ip link set dev tun0 up mtu 1500
Fri Jul 14 16:24:16 2023 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Fri Jul 14 16:24:16 2023 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Fri Jul 14 16:24:16 2023 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Jul 14 16:24:16 2023 Socket Buffers: R=[131072->131072] S=[16384->16384]
Fri Jul 14 16:24:16 2023 Listening for incoming TCP connection on [AF_INET][undef]:993
Fri Jul 14 16:24:16 2023 TCPv4_SERVER link local (bound): [AF_INET][undef]:993
Fri Jul 14 16:24:16 2023 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Jul 14 16:24:16 2023 GID set to nogroup
Fri Jul 14 16:24:16 2023 UID set to nobody
Fri Jul 14 16:24:16 2023 MULTI: multi_init called, r=256 v=256
Fri Jul 14 16:24:16 2023 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Jul 14 16:24:16 2023 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Jul 14 16:24:16 2023 Initialization Sequence Completed
Fri Jul 14 16:24:27 2023 TCP connection established with [AF_INET]109.208.39.187:55732
Fri Jul 14 16:24:27 2023 109.208.39.187:55732 TLS: Initial packet from [AF_INET]109.208.39.187:55732, sid=55b237dd 7ef75480
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 VERIFY OK: depth=1, C=FR, ST=France, L=Paris, O=., OU=., CN=openvpn, name=EasyRSA, emailAddress=
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 VERIFY OK: depth=0, C=FR, ST=France, L=Paris, O=., OU=., CN=fafar, name=EasyRSA, emailAddress=
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_VER=2.5.5
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_PLAT=linux
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_PROTO=6
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_NCP=2
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-128-CBC
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_LZ4=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_LZ4v2=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_LZO=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_COMP_STUB=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_COMP_STUBv2=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_TCPNL=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 [fafar] Peer Connection Initiated with [AF_INET]109.208.39.187:55732
Fri Jul 14 16:24:28 2023 fafar/109.208.39.187:55732 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Fri Jul 14 16:24:28 2023 fafar/109.208.39.187:55732 MULTI: Learn: 10.8.0.6 -> fafar/109.208.39.187:55732
Fri Jul 14 16:24:28 2023 fafar/109.208.39.187:55732 MULTI: primary virtual IP for fafar/109.208.39.187:55732: 10.8.0.6
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 SENT CONTROL [fafar]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,route 10.8.0.0 255.255.255.0,route 192.168.1.0 255.255.255.0,dhcp-option DNS 208.67.222.222,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jul 14 16:25:03 2023 fafar/109.208.39.187:55732 Connection reset, restarting [0]
Fri Jul 14 16:25:03 2023 fafar/109.208.39.187:55732 SIGUSR1[soft,connection-reset] received, client-instance restarting
I find this:
root@odroid:~# ip route
default via 192.168.1.1 dev eth0 src 192.168.1.21 metric 202
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.21 metric 202
and
root@odroid:~# route
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
default box 0.0.0.0 UG 202 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
in ifconfig, I find:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::b521:662b:fcd:9c66 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100
and on my Linux client:
% route
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
default livebox.home 0.0.0.0 UG 600 0 0 wlo1
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
32.10.88.92.rev livebox.home 255.255.255.255 UGH 0 0 0 wlo1
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 wlo1
192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlo1
and
% ip route
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlo1 proto dhcp metric 600
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
92.88.10.32 via 192.168.1.1 dev wlo1
128.0.0.0/1 via 10.8.0.5 dev tun0
169.254.0.0/16 dev wlo1 scope link metric 1000
192.168.1.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.14 metric 600
and in the client's ifconfig, I have this:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::27d3:b1f0:d338:6f3c prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500
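The post shows the routing tables on both ends, and the client side looks consistent: the 0.0.0.0/1 and 128.0.0.0/1 routes via 10.8.0.5 mean redirect-gateway took effect and the pushed 192.168.1.0/24 route is installed. What the post does not show is the server's forwarding and NAT state, which decides whether a packet arriving on tun0 may continue to 192.168.1.0/24 (or the Internet) and whether LAN hosts can answer it. The script below is an added example, not from the original post or from OpenVPN, that checks the three usual culprits after an OS upgrade: net.ipv4.ip_forward, the FORWARD chain, and a MASQUERADE/SNAT rule for the VPN subnet on the LAN interface. The interface names and subnet are assumptions taken from the server.conf and log above, and the iptables-save dump it runs on by default is constructed sample data.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post): checks the usual reasons a
# VPN client can reach the OpenVPN server itself but nothing behind it.
# Assumptions (taken from server.conf and the log above; adjust if different):
VPN_IF="tun0"          # tunnel interface ("dev tun")
LAN_IF="eth0"          # server's LAN interface (ROUTE_GATEWAY line in the log)
VPN_NET="10.8.0.0/24"  # "server 10.8.0.0 255.255.255.0"

# forwarding_enabled VALUE : succeeds when the kernel forwards IPv4 between interfaces
forwarding_enabled() {
    [ "$1" = "1" ]
}

# has_masquerade IPTABLES_SAVE_TEXT : succeeds when the nat table rewrites the
# VPN clients' source address on the LAN interface (MASQUERADE or SNAT)
has_masquerade() {
    printf '%s\n' "$1" | grep -E -e "^-A POSTROUTING .*-s ${VPN_NET} .*-o ${LAN_IF} .*-j (MASQUERADE|SNAT)" >/dev/null
}

# forward_allowed IPTABLES_SAVE_TEXT : succeeds when the filter table lets packets
# from the tunnel be forwarded (chain policy ACCEPT, or an explicit ACCEPT rule)
forward_allowed() {
    printf '%s\n' "$1" | grep -E -e "^:FORWARD ACCEPT|^-A FORWARD .*-i ${VPN_IF} .*-j ACCEPT" >/dev/null
}

# diagnose IP_FORWARD_VALUE IPTABLES_SAVE_TEXT : prints one line per check and
# succeeds only when everything needed for LAN/Internet access through the VPN is present
diagnose() {
    rc=0
    if forwarding_enabled "$1"; then
        echo "OK   net.ipv4.ip_forward=1"
    else
        echo "FAIL net.ipv4.ip_forward is not 1: the server will not pass packets from ${VPN_IF} to ${LAN_IF}"
        echo "     fix: sysctl -w net.ipv4.ip_forward=1, and set it in /etc/sysctl.conf so it survives reboots"
        rc=1
    fi
    if forward_allowed "$2"; then
        echo "OK   FORWARD chain accepts traffic from ${VPN_IF}"
    else
        echo "FAIL FORWARD chain drops traffic from ${VPN_IF}"
        echo "     fix: iptables -A FORWARD -i ${VPN_IF} -o ${LAN_IF} -j ACCEPT (plus the reverse direction for ESTABLISHED,RELATED)"
        rc=1
    fi
    if has_masquerade "$2"; then
        echo "OK   ${VPN_NET} is NATed on ${LAN_IF}; LAN hosts answer to the server's own address"
    else
        echo "FAIL no NAT for ${VPN_NET} on ${LAN_IF}: unless the LAN router has a static route for ${VPN_NET} via the server, LAN hosts cannot reply to 10.8.0.x"
        echo "     fix: iptables -t nat -A POSTROUTING -s ${VPN_NET} -o ${LAN_IF} -j MASQUERADE"
        rc=1
    fi
    return $rc
}

# Constructed sample of an iptables-save dump (not taken from the post) carrying
# the rules a working setup typically has; used when RUN_LIVE is not set.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# RUN_LIVE=1 sh check-vpn-forwarding.sh   (as root, so iptables-save can read the tables)
# Without RUN_LIVE the checks run on the constructed sample, so the script works anywhere.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"
else
    diagnose 1 "$SAMPLE_RULES"
fi
```

A release upgrade can replace /etc/sysctl.conf and will not preserve an iptables rule that was only ever added by hand and never persisted (for example with iptables-persistent or a systemd unit), so these are the first things to compare between the old and new installation. If the server uses nftables or ufw instead of raw iptables, read the equivalent tables with nft list ruleset or ufw status; the questions are the same: is forwarding on, is forwarding from tun0 allowed, and is there either NAT for 10.8.0.0/24 or a return route on the LAN router.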