
Openvpn server


s_kolew

Въпрос

Привет, 

опитвам се да настроя OpenVPN server на Mikrotik RB, но когато се свържа с клиента, получавам следните логове с грешки и не успявам да се свържа:

ovpn,debug,error,63336,61312,61900,62792,31696,63948,62736,61896,l2tp,info,61900,debug,79,65535,critical,360,39064,37776,79,64024,39576,4544,4043,37776,63948,54192,63948,error duplicate packet, dropping 
 

 

Конфигурацията е следната:

[admin@CoreMikrotik] > export 
# sep/25/2017 16:46:42 by RouterOS 6.40.3
# software id = PC33-NERL
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6737052E08AF
# NOTE(review): this export carries identifying and secret values in clear text
# (serial number, admin MAC, and the wireless passphrases under /caps-man security
# and /interface wireless security-profiles). The ppp secret further down was
# masked by hand but these were not; redact them before sharing a config, or
# generate the dump with `export hide-sensitive`.
/caps-man channel
add control-channel-width=20mhz frequency=2432 name=channel_2.4 tx-power=40
add band=5ghz-a control-channel-width=20mhz frequency=5180 name=channel_5G_48
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2447 name=channel_2.4_guest
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5230 name=channel_5G_46_guest
/interface bridge
add admin-mac=E4:8D:8C:6B:F0:73 auto-mac=no name=br1_lan
add name=br2_guest
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireless
# wlan2 references no security-profile, so it uses the default one; the only
# setting the export shows for that profile is supplicant-identity, which
# presumably leaves wlan2 open (mode=none) — confirm this SSID is meant to be open.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto mode=\
    ap-bridge ssid=MikroTik-6BF078 wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/caps-man datapath
add bridge=br1_lan client-to-client-forwarding=yes local-forwarding=yes name=datapath
add bridge=br2_guest name=datapath_guest
/caps-man security
# Wireless PSKs in clear text; "\$" is only the export's escaping of a literal "$".
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security1 passphrase="\$Credit\$"
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=guest passphrase="\$CreditGuest\$"
/caps-man configuration
add channel=channel_2.4 datapath=datapath mode=ap name=cfg_2.4GhZ_lan security=security1 ssid=CRM13
add channel=channel_5G_48 datapath=datapath mode=ap name=cfg_5GhZ_lan security=security1 ssid=CRM13
add channel=channel_2.4_guest datapath=datapath_guest mode=ap name=cfg_2.4GhZ_guest security=guest ssid=Credit_guest
add channel=channel_5G_46_guest datapath=datapath_guest mode=ap name=cfg_5GhZ_guest security=guest ssid=Credit_guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Same PSK as the CAPsMAN "security1" profile above, also exported in clear text.
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name=Credit_core \
    wpa-pre-shared-key="\$Credit\$" wpa2-pre-shared-key="\$Credit\$"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=2442 mode=\
    ap-bridge security-profile=Credit_core ssid=Credit_core wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=office_pool_no_vlan ranges=10.132.1.100-10.132.1.200
add name=office_guest_pool ranges=10.132.2.100-10.132.2.200
# VPN clients are addressed inside the office LAN (10.132.1.0/24), just above the
# DHCP range, so they land in the same subnet as office hosts.
add name=vpn_pool ranges=10.132.1.201-10.132.1.210
/ip dhcp-server
add address-pool=office_pool_no_vlan disabled=no interface=br1_lan name=office_no_vlan
add address-pool=office_guest_pool disabled=no interface=br2_guest name=office_guest
/ppp profile
# *FFFFFFFE is the internal id of a built-in profile (on RouterOS 6 this is
# default-encryption, the profile the OVPN server and the ppp secret below use).
# The OVPN server runs mode=ethernet, yet no bridge= is set on this profile, so
# the dynamic ovpn interface is presumably not bridged into br1_lan — confirm
# whether L2 adjacency to the office LAN is expected for VPN clients.
set *FFFFFFFE local-address=10.132.1.1 remote-address=vpn_pool
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=cfg_2.4GhZ_lan name-format=\
    prefix-identity name-prefix=ofc2g
add action=create-dynamic-enabled hw-supported-modes=an,ac master-configuration=cfg_5GhZ_lan name-format=\
    prefix-identity name-prefix=ofc5g
/interface bridge port
add bridge=br1_lan interface=ether3
add bridge=br1_lan interface=sfp1
add bridge=br1_lan interface=ether4
add bridge=br1_lan interface=ether5
add bridge=br1_lan interface=ether2
/interface list member
add interface=br1_lan list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# The client profile has to mirror these settings: a tap device (mode=ethernet),
# AES-256-CBC with SHA1 auth, TCP (RouterOS 6.x OVPN listens on TCP only — the
# client log in this thread also connects over TCP/1195) and no compression.
# A mismatch in any of them is a plausible cause of the reset the client sees
# right after VERIFY OK — confirm against the client's .ovpn file.
# require-client-certificate=yes together with the ppp secret below means both a
# client certificate and a username/password are required to connect.
set auth=sha1 certificate=MTserver cipher=aes256 default-profile=default-encryption enabled=yes keepalive-timeout=\
    disabled mode=ethernet port=1195 require-client-certificate=yes
/interface wireless cap
set bridge=br1_lan caps-man-addresses=10.132.1.1 discovery-interfaces=br1_lan interfaces=wlan1
/ip address
add address=10.132.1.1/24 interface=br1_lan network=10.132.1.0
add address=10.132.2.1/24 interface=br2_guest network=10.132.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.132.1.0/24 comment=defconf gateway=10.132.1.1 netmask=24
add address=10.132.2.0/24 dns-server=8.8.8.8 gateway=10.132.2.1
/ip dns
# Recursive DNS is answered on every interface; only the input-chain "!LAN" drop
# in /ip firewall filter keeps it off the WAN, so that rule's position matters.
set allow-remote-requests=yes
/ip dns static
# Stale entry: router.lan still resolves to the factory 192.168.88.1, while the
# router's LAN address is 10.132.1.1.
add address=192.168.88.1 name=router.lan
/ip firewall address-list
# Defined but not referenced by any filter rule below, so guest-to-office
# forwarding is not restricted by this export.
add address=10.132.1.0/24 list=office_net
add address=10.132.2.0/24 list=guest_net
/ip firewall filter
# Accepts TCP/1195 on every interface (no in-interface-list=WAN), so the OVPN
# server is reachable from the guest bridge as well; being above the "!LAN" drop
# is what lets remote clients in. Restrict to in-interface-list=WAN if guest
# access to the VPN server is not intended.
add action=accept chain=input comment="Allow OpenVPN" dst-port=1195 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# This UDP rule sits after the "!LAN" drop in the input chain, so it never sees
# WAN traffic; RouterOS 6.x OVPN does not listen on UDP anyway, so the rule is
# inert and can be removed rather than moved.
add action=accept chain=input comment="Allow OpenVPN" dst-port=1195 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Largely redundant with the defconf rule: ether1 is the only WAN list member.
# Unlike that rule it does not exclude ipsec-policy traffic, which would matter
# if IPsec were added later.
add action=masquerade chain=srcnat out-interface=ether1
/ppp secret
# Password masked by the poster. service=ovpn limits this credential to the OVPN
# server; profile=default-encryption matches the server's default-profile.
add name=admin password=XXXXXXX profile=default-encryption service=ovpn
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name=CoreMikrotik
/tool mac-server
# MAC-telnet and MAC-Winbox: the default entry is disabled and access is limited
# to the office bridge, so neither the WAN port nor the guest bridge exposes them.
set [ find default=yes ] disabled=yes
add interface=br1_lan
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=br1_lan
[admin@CoreMikrotik] > 


 

Ето това получавам като output на OpenVPN клиента:

Mon Sep 25 16:45:09 2017 MANAGEMENT: >STATE:1506347109,TCP_CONNECT,,,,,,
Mon Sep 25 16:45:10 2017 TCP connection established with [AF_INET]10.16.131.29:1195
Mon Sep 25 16:45:10 2017 TCP_CLIENT link local: (not bound)
Mon Sep 25 16:45:10 2017 TCP_CLIENT link remote: [AF_INET]10.16.131.29:1195
Mon Sep 25 16:45:10 2017 MANAGEMENT: >STATE:1506347110,WAIT,,,,,,
Mon Sep 25 16:45:10 2017 MANAGEMENT: >STATE:1506347110,AUTH,,,,,,
Mon Sep 25 16:45:10 2017 TLS: Initial packet from [AF_INET]10.16.131.29:1195, sid=a8b8e6e1 f37bb201
Mon Sep 25 16:45:11 2017 VERIFY OK: depth=1, C=BG, ST=BG, L=Sofia, CN=CA
Mon Sep 25 16:45:11 2017 VERIFY KU OK
Mon Sep 25 16:45:11 2017 Validating certificate extended key usage
Mon Sep 25 16:45:11 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 25 16:45:11 2017 VERIFY EKU OK
Mon Sep 25 16:45:11 2017 VERIFY OK: depth=0, C=BG, ST=BG, L=Sofia, CN=MTserver
Mon Sep 25 16:45:11 2017 Connection reset, restarting [0]
Mon Sep 25 16:45:11 2017 SIGUSR1[soft,connection-reset] received, process restarting
Mon Sep 25 16:45:11 2017 MANAGEMENT: >STATE:1506347111,RECONNECTING,connection-reset,,,,,
Mon Sep 25 16:45:11 2017 Restart pause, 20 second(s)

 

 

 



И аз се мъча с един ОВПН + сертификати, ОВПН клиент инсталиран на Уиндоус. След конекция се получава грешката с дублирания пакет, но си работи. Връзка ТЦП има, но ЮДП отсъства. Примерно споделени ресурси в мрежата (уиндоуси), не се достъпват.

Някой ако има опит с подобен сценарий нека сподели.

Преди 9 часа, cna написа:

И аз се мъча с един ОВПН + сертификати, ОВПН клиент инсталиран на Уиндоус. След конекция се получава грешката с дублирания пакет, но си работи. Връзка ТЦП има, но ЮДП отсъства. Примерно споделени ресурси в мрежата (уиндоуси), не се достъпват.

Някой ако има опит с подобен сценарий нека сподели.

Има си в Уин L2TP с IPSec PSK, който работи превъзходно. Споменатите по-горе протоколи работят също превъзходно между бордове!

Преди 9 часа, JohnTRIVOLTA написа:

Има си в Уин L2TP с IPSec PSK, който работи превъзходно. Споменатите по-горе протоколи работят също превъзходно между бордове!

Между бордове знам, че работи. Трябва ми: СЕРВ <==> Уин

 


L2TP върху IPSec между Микротик и Уиндоус си работи перфектно. Ползвам го от години. Ако клиентите трябва сами да си настройват "бузата", по-лесно става с SSTP но с истински сертификат и DNS запис.
