[technique] OpenVPN plouf !
Rémy Carbon
remy.carbon at orange.fr
Lun 22 Sep 16:14:43 CEST 2014
Hello,
At 1 p.m. today I tried to start OpenVPN on the server in question.
And, poof! No more network for the users.
Yet nobody made any remark about the config I submitted to you last week (I assumed the files were OK).
Would someone be kind enough to look over these files, please?
Every operation that kills ssh costs me a 34 km round trip.
And I'm in a real mess!
Although the server was pingable locally, it no longer answered ssh or any other service.
An ifconfig gave me this:
root@samba:~# ifconfig
br0       Link encap:Ethernet  HWaddr 40:16:7e:2a:3a:38
          inet addr:192.168.67.210  Bcast:192.168.67.255  Mask:255.255.255.0
          inet6 addr: fe80::4216:7eff:fe2a:3a38/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1056 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:402229 (392.8 KiB)  TX bytes:104219 (101.7 KiB)

eth0      Link encap:Ethernet  HWaddr 40:16:7e:2a:3a:38
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:281521879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194252518 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:314958805003 (293.3 GiB)  TX bytes:117142217605 (109.0 GiB)
          Interrupt:103 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:833079 errors:0 dropped:0 overruns:0 frame:0
          TX packets:833079 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:79965979 (76.2 MiB)  TX bytes:79965979 (76.2 MiB)

tap0      Link encap:Ethernet  HWaddr d2:db:a2:dc:a7:05
          inet6 addr: fe80::d0db:a2ff:fedc:a705/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:408474 (398.9 KiB)
And although openvpn.log says everything is OK:
Mon Sep 22 13:00:19 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Mon Sep 22 13:00:19 2014 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Mon Sep 22 13:00:19 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Sep 22 13:00:19 2014 Diffie-Hellman initialized with 1024 bit key
Mon Sep 22 13:00:19 2014 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 22 13:00:19 2014 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Sep 22 13:00:19 2014 TUN/TAP device tap0 opened
Mon Sep 22 13:00:19 2014 TUN/TAP TX queue length set to 100
Mon Sep 22 13:00:19 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Sep 22 13:00:19 2014 UDPv4 link local (bound): [undef]
Mon Sep 22 13:00:19 2014 UDPv4 link remote: [undef]
Mon Sep 22 13:00:19 2014 MULTI: multi_init called, r=256 v=256
Mon Sep 22 13:00:19 2014 Initialization Sequence Completed
...
^C <- that's me hitting Ctrl-C.
...
Mon Sep 22 13:37:23 2014 event_wait : Interrupted system call (code=4)
Mon Sep 22 13:37:23 2014 TCP/UDP: Closing socket
Mon Sep 22 13:37:23 2014 Closing TUN/TAP interface
Mon Sep 22 13:37:23 2014 SIGTERM[hard,] received, process exiting
And daemon.log gives me things like this (is it relevant?):
Sep 22 12:59:09 samba named[17185]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Sep 22 12:59:09 samba named[17185]: error (network unreachable) resolving './NS/IN': 2001:500:84::b#53
Sep 22 12:59:09 samba named[17185]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
Sep 22 12:59:09 samba monit[21607]: 'Bind9' failed protocol test [DNS] at INET[127.0.0.1:53] via UDP -- DNS: invalid response code: 0x2#012
Sep 22 12:59:09 samba named[17185]: validating @0x7fd0ab9726c0: . NS: got insecure response; parent indicates it should be secure
Sep 22 12:59:09 samba named[17185]: error (insecurity proof failed) resolving './NS/IN': 192.168.67.1#53
Sep 22 12:59:09 samba named[17185]: validating @0x7fd09c06c8b0: . NS: no valid signature found
Sep 22 12:59:09 samba named[17185]: error (no valid RRSIG) resolving './NS/IN': 80.10.246.2#53
Sep 22 12:59:09 samba named[17185]: validating @0x7fd0ab9726c0: . NS: no valid signature found
Sep 22 12:59:09 samba named[17185]: error (no valid RRSIG) resolving './NS/IN': 80.10.246.129#53
Sep 22 12:59:09 samba named[17185]: validating @0x7fd09c06c8b0: . NS: no valid signature found
Sep 22 12:59:09 samba named[17185]: error (no valid RRSIG) resolving './NS/IN': 192.58.128.30#53
and auth.log:
Sep 22 12:59:13 samba sshd[2186]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:00:19 samba sshd[21103]: Received signal 15; terminating.
Sep 22 13:00:19 samba sshd[2431]: Server listening on 0.0.0.0 port 22.
Sep 22 13:00:19 samba sshd[2431]: Server listening on :: port 22.
Sep 22 13:00:40 samba sshd[2040]: Received disconnect from 88.161.98.76: 11: disconnected by user
Sep 22 13:00:40 samba sshd[2035]: pam_unix(sshd:session): session closed for user remy
Sep 22 13:00:40 samba su[2123]: pam_unix(su:session): session closed for user root
Sep 22 13:01:19 samba sshd[2501]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:01:21 samba smbd[1863]: pam_unix(samba:session): session closed for user jmaganto
Sep 22 13:01:21 samba smbd[32188]: pam_unix(samba:session): session closed for user ypenhouet
Sep 22 13:01:21 samba smbd[32051]: pam_unix(samba:session): session closed for user pfroissard
Sep 22 13:01:21 samba smbd[892]: pam_unix(samba:session): session closed for user stagiaire01
Sep 22 13:01:21 samba smbd[892]: pam_unix(samba:session): session closed for user stagiaire01
Sep 22 13:01:21 samba smbd[1733]: pam_unix(samba:session): session closed for user jmention
Sep 22 13:01:21 samba smbd[32189]: pam_unix(samba:session): session closed for user dgehin
Sep 22 13:03:22 samba sshd[2548]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:05:24 samba sshd[2579]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:07:26 samba sshd[2633]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:09:29 samba sshd[2638]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:11:31 samba sshd[2642]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:13:33 samba sshd[2667]: Connection closed by 127.0.0.1 [preauth]
Sep 22 13:15:35 samba sshd[2671]: Connection closed by 127.0.0.1 [preauth]
Let me remind you of the config in question:
root@samba:~# cat /etc/network/interfaces
#************************************************
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
### Bridged interface for OpenVPN
auto br0
iface br0 inet manual
    bridge-ports eth0
    post-up /etc/openvpn/scripts/ovup && service openvpn start
    pre-down service openvpn stop
    post-down /etc/openvpn/scripts/ovdown
root@samba:~# cat /etc/openvpn/scripts/ovup
#!/bin/sh
#******************************************
# Create the persistent TAP interface and enslave it to the bridge
openvpn --mktun --dev tap0
brctl addif br0 tap0
# Both bridge ports must be up and in promiscuous mode
ifconfig eth0 promisc up
ifconfig tap0 promisc up
### MAC address of eth0 assigned to br0
# ifconfig br0 hw ether xx:xx:xx:xx:xx:xx ## if you want to force the bridge
# to have a specific MAC address. Normally it takes the one of the physical
# interface, but it has happened to me that it took the tap0 one, which
# disturbs my DHCP based on fixed leases.
ifconfig br0 hw ether 40:16:7e:2a:3a:38
### br0 asks for a fixed IP address
ifconfig br0 192.168.67.210 netmask 255.255.255.0 broadcast 192.168.67.255
# dhclient -v br0
root@samba:~# cat /etc/openvpn/scripts/ovdown
#!/bin/sh
#********************************************
# Remove the persistent TAP interface created by ovup
openvpn --rmtun --dev tap0
root@samba:~# cat /etc/openvpn/sambaVPN.conf
#*******************************************
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/samba.crt
key /etc/openvpn/easy-rsa/keys/samba.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server-bridge
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
Thanks!
Rémy.
More information about the technique mailing list
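An added example, not part of the original post and not the poster's scripts: a small POSIX sh wrapper for applying a bridge/OpenVPN change of the kind described above without risking the remote ssh session. It arms a rollback timer before the change, so that if the bridge takes the LAN down the old configuration comes back on its own, and it checks, from `brctl show` output, that br0 actually holds both eth0 and tap0. The rollback command, the flag file /run/netchange.armed and the backup file /etc/network/interfaces.pre-bridge are assumptions of this example, not anything from the thread; the interface names (br0, eth0, tap0) are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: apply a risky network change with a
# dead-man rollback timer, so that losing ssh does not mean a trip to the server.
# Assumptions (not from the thread): the rollback command used in the guarded
# section restores the pre-bridge configuration from
# /etc/network/interfaces.pre-bridge; adjust it to your own setup.

ROLLBACK_DELAY=${ROLLBACK_DELAY:-180}          # seconds before the rollback fires
ARMED_FLAG=${ARMED_FLAG:-/run/netchange.armed} # exists while the timer is armed
ROLLBACK_LOG=${ROLLBACK_LOG:-/dev/null}        # where the rollback's output goes

# arm_rollback CMD: run CMD after ROLLBACK_DELAY seconds unless the flag file
# has been removed in the meantime. Prints the PID of the timer subshell.
# stdout/stderr are redirected so the timer does not keep a caller's
# command-substitution pipe open.
arm_rollback() {
  : > "$ARMED_FLAG"
  (
    sleep "$ROLLBACK_DELAY"
    if [ -e "$ARMED_FLAG" ]; then
      rm -f "$ARMED_FLAG"
      sh -c "$1"
    fi
  ) >>"$ROLLBACK_LOG" 2>&1 &
  echo $!
}

# disarm_rollback: call once you have confirmed that ssh still answers.
disarm_rollback() {
  rm -f "$ARMED_FLAG"
}

# bridge_has_ports BRIDGE PORT...: read `brctl show` output on stdin and return
# 0 only if every PORT is listed as a member of BRIDGE. brctl prints the first
# port on the bridge's own line (4th field) and further ports on continuation
# lines that carry nothing but the port name.
bridge_has_ports() {
  bridge=$1; shift
  ports=$(awk -v br="$bridge" '
    $1 == br             { cur = br; if (NF >= 4) print $4; next }
    NF == 1 && cur == br { print $1; next }
                         { cur = "" }
  ')
  for p in "$@"; do
    echo "$ports" | grep -qx "$p" || return 1
  done
  return 0
}

# Guarded so that sourcing or testing this file changes nothing.
# Usage on the server (as root, from the ssh session you want to keep):
#   NETCHANGE=apply sh netchange.sh
if [ "${NETCHANGE:-}" = apply ]; then
  timer=$(arm_rollback 'ifdown br0; cp /etc/network/interfaces.pre-bridge /etc/network/interfaces; ifup eth0')
  echo "rollback armed (pid $timer): reconnect over ssh within $ROLLBACK_DELAY s"
  ifup br0    # runs the post-up hook from /etc/network/interfaces (ovup + openvpn)
  if brctl show | bridge_has_ports br0 eth0 tap0; then
    echo "br0 holds eth0 and tap0; if this session still answers, run: rm -f $ARMED_FLAG"
  else
    echo "WARNING: br0 is missing eth0 or tap0; leaving the rollback armed"
  fi
fi
```

The timer deliberately lives in a background subshell rather than in `at`, so it works on a box without atd; the flag file, not the PID, is what disarms it, which means a second ssh session can cancel it with a plain `rm -f`. The membership check parses captured `brctl show` text, so it can be tried against a saved copy of the output before touching a live bridge.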