[technique] OpenVPN, plouf!

Rémy Carbon remy.carbon at orange.fr
Mon 22 Sep 16:14:43 CEST 2014


Hello,

At 1 pm today I tried to start OpenVPN on the server in question.
And poof! No more network for the users.
Yet nobody made any comment on the config I submitted to you last week
(I assumed it was OK).
Would someone be kind enough to take a look at these files, please?
Every time an operation kills ssh, I have to make a 34 km round trip.
And I'm in a pickle!

Although the server was pingable locally, it no longer responded to ssh
or to any other service.
An ifconfig gave me this:

root at samba:~# ifconfig
br0       Link encap:Ethernet  HWaddr 40:16:7e:2a:3a:38
           inet adr:192.168.67.210  Bcast:192.168.67.255  Masque:255.255.255.0
           adr inet6: fe80::4216:7eff:fe2a:3a38/64 Scope:Lien
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4256 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1056 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:0
           RX bytes:402229 (392.8 KiB)  TX bytes:104219 (101.7 KiB)

eth0      Link encap:Ethernet  HWaddr 40:16:7e:2a:3a:38
           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
           RX packets:281521879 errors:0 dropped:0 overruns:0 frame:0
           TX packets:194252518 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:1000
           RX bytes:314958805003 (293.3 GiB)  TX bytes:117142217605 (109.0 GiB)
           Interruption:103 Adresse de base:0xc000

lo        Link encap:Boucle locale
           inet adr:127.0.0.1  Masque:255.0.0.0
           adr inet6: ::1/128 Scope:Hôte
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:833079 errors:0 dropped:0 overruns:0 frame:0
           TX packets:833079 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:0
           RX bytes:79965979 (76.2 MiB)  TX bytes:79965979 (76.2 MiB)

tap0      Link encap:Ethernet  HWaddr d2:db:a2:dc:a7:05
           adr inet6: fe80::d0db:a2ff:fedc:a705/64 Scope:Lien
           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:3747 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:100
           RX bytes:0 (0.0 B)  TX bytes:408474 (398.9 KiB)

And although openvpn.log says it is OK:

Mon Sep 22 13:00:19 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] 
[EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 
(2.2RC2)] built on Jun 18 2013
Mon Sep 22 13:00:19 2014 NOTE: when bridging your LAN adapter with the 
TAP adapter, note that the new bridge adapter will often take on its own 
IP address that is different from what the LAN adapter was previously set to
Mon Sep 22 13:00:19 2014 NOTE: OpenVPN 2.1 requires '--script-security 
2' or higher to call user-defined scripts or executables
Mon Sep 22 13:00:19 2014 Diffie-Hellman initialized with 1024 bit key
Mon Sep 22 13:00:19 2014 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 
ET:0 EL:0 ]
Mon Sep 22 13:00:19 2014 Socket Buffers: R=[229376->131072] 
S=[229376->131072]
Mon Sep 22 13:00:19 2014 TUN/TAP device tap0 opened
Mon Sep 22 13:00:19 2014 TUN/TAP TX queue length set to 100
Mon Sep 22 13:00:19 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 
EB:135 ET:32 EL:0 AF:3/1 ]
Mon Sep 22 13:00:19 2014 UDPv4 link local (bound): [undef]
Mon Sep 22 13:00:19 2014 UDPv4 link remote: [undef]
Mon Sep 22 13:00:19 2014 MULTI: multi_init called, r=256 v=256
Mon Sep 22 13:00:19 2014 Initialization Sequence Completed
...
^C <- that's me hitting ctrl-C.
...
Mon Sep 22 13:37:23 2014 event_wait : Interrupted system call (code=4)
Mon Sep 22 13:37:23 2014 TCP/UDP: Closing socket
Mon Sep 22 13:37:23 2014 Closing TUN/TAP interface
Mon Sep 22 13:37:23 2014 SIGTERM[hard,] received, process exiting



And daemon.log gives me things like this (is it relevant?):

Sep 22 12:59:09 samba named[17185]: error (network unreachable) 
resolving './NS/IN': 2001:500:1::803f:235#53
Sep 22 12:59:09 samba named[17185]: error (network unreachable) 
resolving './NS/IN': 2001:500:84::b#53
Sep 22 12:59:09 samba named[17185]: error (network unreachable) 
resolving './NS/IN': 2001:500:2f::f#53
Sep 22 12:59:09 samba monit[21607]: 'Bind9' failed protocol test [DNS] 
at INET[127.0.0.1:53] via UDP -- DNS: invalid response code: 0x2#012
Sep 22 12:59:09 samba named[17185]: validating @0x7fd0ab9726c0: . NS: 
got insecure response; parent indicates it should be secure
Sep 22 12:59:09 samba named[17185]: error (insecurity proof failed) 
resolving './NS/IN': 192.168.67.1#53
Sep 22 12:59:09 samba named[17185]: validating @0x7fd09c06c8b0: . NS: no 
valid signature found
Sep 22 12:59:09 samba named[17185]: error (no valid RRSIG) resolving 
'./NS/IN': 80.10.246.2#53
Sep 22 12:59:09 samba named[17185]: validating @0x7fd0ab9726c0: . NS: no 
valid signature found
Sep 22 12:59:09 samba named[17185]: error (no valid RRSIG) resolving 
'./NS/IN': 80.10.246.129#53
Sep 22 12:59:09 samba named[17185]: validating @0x7fd09c06c8b0: . NS: no 
valid signature found
Sep 22 12:59:09 samba named[17185]: error (no valid RRSIG) resolving 
'./NS/IN': 192.58.128.30#53


and auth.log:

Sep 22 12:59:13 samba sshd[2186]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:00:19 samba sshd[21103]: Received signal 15; terminating.
Sep 22 13:00:19 samba sshd[2431]: Server listening on 0.0.0.0 port 22.
Sep 22 13:00:19 samba sshd[2431]: Server listening on :: port 22.
Sep 22 13:00:40 samba sshd[2040]: Received disconnect from 88.161.98.76: 
11: disconnected by user
Sep 22 13:00:40 samba sshd[2035]: pam_unix(sshd:session): session closed 
for user remy
Sep 22 13:00:40 samba su[2123]: pam_unix(su:session): session closed for 
user root
Sep 22 13:01:19 samba sshd[2501]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:01:21 samba smbd[1863]: pam_unix(samba:session): session 
closed for user jmaganto
Sep 22 13:01:21 samba smbd[32188]: pam_unix(samba:session): session 
closed for user ypenhouet
Sep 22 13:01:21 samba smbd[32051]: pam_unix(samba:session): session 
closed for user pfroissard
Sep 22 13:01:21 samba smbd[892]: pam_unix(samba:session): session closed 
for user stagiaire01
Sep 22 13:01:21 samba smbd[892]: pam_unix(samba:session): session closed 
for user stagiaire01
Sep 22 13:01:21 samba smbd[1733]: pam_unix(samba:session): session 
closed for user jmention
Sep 22 13:01:21 samba smbd[32189]: pam_unix(samba:session): session 
closed for user dgehin
Sep 22 13:03:22 samba sshd[2548]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:05:24 samba sshd[2579]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:07:26 samba sshd[2633]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:09:29 samba sshd[2638]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:11:31 samba sshd[2642]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:13:33 samba sshd[2667]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:15:35 samba sshd[2671]: Connection closed by 127.0.0.1 [preauth]


Here is a reminder of the config in question:

root at samba:~# cat /etc/network/interfaces
#************************************************
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

### Bridged interface for OpenVPN
auto br0
     iface br0 inet manual
     bridge-ports eth0
     post-up /etc/openvpn/scripts/ovup && service openvpn start
     pre-down service openvpn stop
     post-down /etc/openvpn/scripts/ovdown


root at samba:~# cat /etc/openvpn/scripts/ovup
#******************************************
#!/bin/sh
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig eth0 promisc up
ifconfig tap0 promisc up

### eth0's MAC address assigned to br0
# ifconfig br0 hw ether xx:xx:xx:xx:xx:xx  ## if you want to force the bridge
# to have a specific MAC address. Normally it takes the physical interface's,
# but I have had it take tap0's, which disturbs my DHCP based on fixed leases
ifconfig br0 hw ether 40:16:7e:2a:3a:38

### br0 gets a static IP address
ifconfig br0 192.168.67.210 netmask 255.255.255.0 broadcast 192.168.67.255
# dhclient -v br0


root at samba:~# cat /etc/openvpn/scripts/ovdown
#********************************************
#!/bin/sh
openvpn --rmtun --dev tap0


root at samba:~# cat /etc/openvpn/sambaVPN.conf
#*******************************************
port 1194
proto udp
dev tap0
ca      /etc/openvpn/easy-rsa/keys/ca.crt
cert    /etc/openvpn/easy-rsa/keys/samba.crt
key     /etc/openvpn/easy-rsa/keys/samba.key  # This file should be kept secret
dh      /etc/openvpn/easy-rsa/keys/dh1024.pem
server-bridge
keepalive 10 120
comp-lzo
persist-key
persist-tun
status  /etc/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem


Thanks!
Rémy.
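An added example, not part of Rémy's message or of any reply on the list: a small wrapper that checks the bridge state before starting OpenVPN and arms a rollback timer, so that a bridge that comes up wrong does not cost a trip to the machine. It assumes Linux with brctl and iproute2, the interface names br0/eth0/tap0 and the ovdown script and "openvpn" service name from the post; the confirmation file path /run/openvpn-bridge.ok and the 300-second grace period are assumptions. The parsing functions read captured text on stdin so they can be exercised without touching a live bridge.

```shell
#!/bin/sh
# Pre-flight check and rollback timer for the bridged OpenVPN setup
# described in the post (added example; not the original ovup script).

CONFIRM=${CONFIRM:-/run/openvpn-bridge.ok}   # assumed path; touch it to confirm

# Read `brctl show` output on stdin; succeed if $2 is a port of bridge $1.
# brctl prints the first port on the bridge's own line and further ports
# on lines of their own, so remember which bridge we are currently under.
bridge_has_port() {
    awk -v b="$1" -v p="$2" '
        NR == 1 { next }                                   # header
        NF >= 3 { cur = $1; if (NF >= 4 && cur == b && $NF == p) found = 1; next }
        NF == 1 { if (cur == b && $1 == p) found = 1 }
        END     { exit found ? 0 : 1 }'
}

# Read `ip -o -4 addr show dev <iface>` on stdin; print the first IPv4/prefix.
# Prints nothing when the interface has no IPv4 address.
iface_ipv4() {
    awk '$3 == "inet" { print $4; exit }'
}

# True when the admin has NOT confirmed (the confirmation file is absent).
rollback_due() {
    [ ! -e "$1" ]
}

# Live checks: refuse to start OpenVPN unless the bridge looks as ovup intends.
preflight() {
    brctl show | bridge_has_port br0 eth0 \
        || { echo "eth0 is not a port of br0" >&2; return 1; }
    brctl show | bridge_has_port br0 tap0 \
        || { echo "tap0 is not a port of br0" >&2; return 1; }
    [ "$(cat /sys/class/net/br0/address)" = "$(cat /sys/class/net/eth0/address)" ] \
        || { echo "br0 MAC differs from eth0; fixed DHCP leases will not match" >&2; return 1; }
    [ -n "$(ip -o -4 addr show dev br0 | iface_ipv4)" ] \
        || { echo "br0 has no IPv4 address" >&2; return 1; }
    [ -z "$(ip -o -4 addr show dev eth0 | iface_ipv4)" ] \
        || { echo "eth0 still carries an IPv4 address; it must live on br0 only" >&2; return 1; }
    ip route show default | grep -q 'dev br0' \
        || { echo "default route is not via br0" >&2; return 1; }
}

# If $CONFIRM has not been created within $1 seconds (i.e. nobody could ssh
# back in), stop OpenVPN and undo what ovup did to the bridge.
arm_rollback() {
    rm -f "$CONFIRM"
    ( sleep "$1"
      if rollback_due "$CONFIRM"; then
          service openvpn stop
          brctl delif br0 tap0
          /etc/openvpn/scripts/ovdown
      fi ) >/dev/null 2>&1 &
}

# Only act on a live system when invoked as: ./bridge-guard.sh run
if [ "${1:-}" = "run" ]; then
    preflight || exit 1
    arm_rollback 300
    service openvpn start
    echo "OpenVPN started; ssh in from another host and run: touch $CONFIRM"
fi
```

The check functions read stdin so they can be tried on pasted output first; the rollback deliberately undoes only the tap side of the bridge, since the static eth0 configuration the host had before bridging is not in the post and cannot be restored blindly.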



More information about the technique mailing list