Client connection problem with OpenVPN on Debian 10

Hello, so I'm facing a problem: I set up an OpenVPN server on Debian 10. My OpenVPN server is up, but when I try to connect with my client configuration it doesn't work, even though the ports are open in ufw; I'm out of ideas. I've been trying to find a solution for a week, but so far I haven't found one.

The only thing I found strange in the logs is this:
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'

I have already tried changing some parameters, but it didn't change anything; besides, I'm not sure this is even an error.

ufw config

Status: active

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere
443/tcp                    ALLOW       x.x.x.x
943/tcp                    ALLOW       x.x.x.x
22/tcp                     ALLOW       x.x.x.x
22/tcp                     ALLOW       x.x.x.x
943/tcp                    ALLOW       x.x.x.x
443/tcp                    ALLOW       x.x.x.x
443/tcp                    ALLOW       x.x.x.x
943/tcp                    ALLOW       x.x.x.x
22/tcp                     ALLOW       x.x.x.x
22/tcp                     ALLOW       x.x.x.x
943/tcp                    ALLOW       x.x.x.x
443/tcp                    ALLOW       x.x.x.x
1194/tcp                   ALLOW       Anywhere
1194                       ALLOW       x.x.x.x

before.rules that I added for UFW:

# START OPENVPN RULES
# One nat table: every "*nat ... COMMIT" block is a separate table load, so
# the three original blocks are merged here into a single one.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# These two REDIRECT rules send port 1194 to port 1194, i.e. they change nothing
-A PREROUTING -p udp --dport 1194 -j REDIRECT --to-port 1194
-A PREROUTING -p tcp --dport 1194 -j REDIRECT --to-port 1194
# Allow traffic from OpenVPN clients (10.6.0.0/24) out through ens192
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Server configuration

port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.6.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 212.227.123.16"
push "dhcp-option DNS 212.227.123.17"
ifconfig-pool-persist ipp.txt
client-to-client
#duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 5
user nobody
group nogroup
auth RSA-SHA256
cipher BF-CBC
#cipher AES-256-CTR
explicit-exit-notify 0
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 # This file is secret

Client configuration:

client
dev tun
proto tcp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
comp-lzo
verb 4
auth RSA-SHA256
cipher BF-CBC
tls-auth vpnusa.key 1
ca ca.crt
cert vpnusa.crt
key vpnusa.key

Server logs:

TCP/UDP: Closing socket
/sbin/ip route del 10.6.0.0/24
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.6.0.1 peer 10.6.0.2
RTNETLINK answers: Operation not permitted
Linux ip addr del failed: external program exited with error status: 2
SIGTERM[hard,] received, process exiting
Current Parameter Settings:
  config = 'server.conf'
  mode = 1
  persist_config = DISABLED
  persist_mode = 1
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 0
Connection profiles [0]:
  proto = tcp-server
  local = '[UNDEF]'
  local_port = '1194'
  remote = '[UNDEF]'
  remote_port = '1194'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = ENABLED
  bind_ipv6_only = DISABLED
  connect_retry_seconds = 5
  connect_timeout = 120
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
Connection profiles END
  remote_random = DISABLED
  ipchange = '[UNDEF]'
  dev = 'tun'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 1
  ifconfig_local = '10.6.0.1'
  ifconfig_remote_netmask = '10.6.0.2'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 20
  keepalive_timeout = 60
  inactivity_timeout = 0
  ping_send_timeout = 20
  ping_rec_timeout = 120
  ping_rec_timeout_action = 2
  ping_timer_remote = DISABLED
  remap_sigusr1 = 0
  persist_tun = ENABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = ENABLED
  passtos = DISABLED
  resolve_retry_seconds = 1000000000
  resolve_in_advance = DISABLED
  username = 'nobody'
  groupname = 'nogroup'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '[UNDEF]'
  down_script = '[UNDEF]'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = ENABLED
  suppress_timestamps = ENABLED
  machine_readable_output = DISABLED
  nice = 0
  verbosity = 5
  mute = 0
  gremlin = 0
  status_file = '/var/log/openvpn-status.log'
  status_file_version = 2
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 0
  sndbuf = 0
  mark = 0
  sockflags = 0
  fast_io = DISABLED
  comp.alg = 2
  comp.flags = 1
  route_script = '[UNDEF]'
  route_default_gateway = '[UNDEF]'
  route_default_metric = 0
  route_noexec = DISABLED
  route_delay = 0
  route_delay_window = 30
  route_delay_defined = DISABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  allow_pull_fqdn = DISABLED
  route 10.6.0.0/255.255.255.0/default (not set)/default (not set)
  management_addr = '[UNDEF]'
  management_port = '[UNDEF]'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 0
  shared_secret_file = '[UNDEF]'
  key_direction = 0
  ciphername = 'BF-CBC'
  ncp_enabled = ENABLED
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
  authname = 'RSA-SHA256'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = DISABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  use_iv = ENABLED
  test_crypto = DISABLED
  tls_server = ENABLED
  tls_client = DISABLED
  key_method = 2
  ca_file = '/etc/openvpn/easy-rsa/pki/ca.crt'
  ca_path = '[UNDEF]'
  dh_file = '/etc/openvpn/easy-rsa/pki/dh.pem'
  cert_file = '/etc/openvpn/easy-rsa/pki/issued/server.crt'
  extra_certs_file = '[UNDEF]'
  priv_key_file = '/etc/openvpn/easy-rsa/pki/private/server.key'
  pkcs12_file = '[UNDEF]'
  cipher_list = '[UNDEF]'
  cipher_list_tls13 = '[UNDEF]'
  tls_cert_profile = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = '[UNDEF]'
  ns_cert_type = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = '[UNDEF]'
  ssl_flags = 0
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 3600
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_auth_file = '/etc/openvpn/easy-rsa/pki/ta.key'
  tls_crypt_file = '[UNDEF]'
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = '[UNDEF]'
  pkcs11_id_management = DISABLED
  server_network = 10.6.0.0
  server_netmask = 255.255.255.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  push_entry = 'redirect-gateway def1 bypass-dhcp'
  push_entry = 'dhcp-option DNS 212.227.123.16'
  push_entry = 'dhcp-option DNS 212.227.123.17'
  push_entry = 'route 10.6.0.0 255.255.255.0'
  push_entry = 'topology net30'
  push_entry = 'ping 20'
  push_entry = 'ping-restart 60'
  ifconfig_pool_defined = ENABLED
  ifconfig_pool_start = 10.6.0.4
  ifconfig_pool_end = 10.6.0.251
  ifconfig_pool_netmask = 0.0.0.0
  ifconfig_pool_persist_filename = 'ipp.txt'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '[UNDEF]'
  ccd_exclusive = DISABLED
  tmp_dir = '/tmp'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = ENABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 1024
  max_routes_per_client = 256
  auth_user_pass_verify_script = '[UNDEF]'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  port_share_host = '[UNDEF]'
  port_share_port = '[UNDEF]'
  client = DISABLED
  pull = DISABLED
  auth_user_pass_file = '[UNDEF]'
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Diffie-Hellman initialized with 2048 bit key
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TLS-Auth MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
ROUTE_GATEWAY 10.255.255.1
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.6.0.1 peer 10.6.0.2
/sbin/ip route add 10.6.0.0/24 via 10.6.0.2
Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[131072->131072] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET][undef]:1194
TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
TCPv4_SERVER link remote: [AF_UNSPEC]
GID set to nogroup
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.6.0.4 size=62, ipv6=0
IFCONFIG POOL LIST
MULTI: TCP INIT maxclients=1024 maxevents=1028
Initialization Sequence Completed

Client logs:

Sun Sep 05 01:17:14 2021 us=78199 Current Parameter Settings:
Sun Sep 05 01:17:14 2021 us=78199   config = 'vpnusatest.ovpn'
Sun Sep 05 01:17:14 2021 us=78199   mode = 0
Sun Sep 05 01:17:14 2021 us=78199   show_ciphers = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   show_digests = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   show_engines = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   genkey = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   key_pass_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   show_tls_ciphers = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   connect_retry_max = 0
Sun Sep 05 01:17:14 2021 us=78199 Connection profiles [0]:
Sun Sep 05 01:17:14 2021 us=78199   proto = tcp-client
Sun Sep 05 01:17:14 2021 us=78199   local = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   local_port = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   remote = 'x.x.x.x'
Sun Sep 05 01:17:14 2021 us=78199   remote_port = '1194'
Sun Sep 05 01:17:14 2021 us=78199   remote_float = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   bind_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   bind_local = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   bind_ipv6_only = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   connect_retry_seconds = 5
Sun Sep 05 01:17:14 2021 us=78199   connect_timeout = 120
Sun Sep 05 01:17:14 2021 us=78199   socks_proxy_server = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   socks_proxy_port = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   tun_mtu = 1500
Sun Sep 05 01:17:14 2021 us=78199   tun_mtu_defined = ENABLED
Sun Sep 05 01:17:14 2021 us=78199   link_mtu = 1500
Sun Sep 05 01:17:14 2021 us=78199   link_mtu_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   tun_mtu_extra = 0
Sun Sep 05 01:17:14 2021 us=78199   tun_mtu_extra_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   mtu_discover_type = -1
Sun Sep 05 01:17:14 2021 us=78199   fragment = 0
Sun Sep 05 01:17:14 2021 us=78199   mssfix = 1450
Sun Sep 05 01:17:14 2021 us=78199   explicit_exit_notification = 0
Sun Sep 05 01:17:14 2021 us=78199 Connection profiles END
Sun Sep 05 01:17:14 2021 us=78199   remote_random = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   ipchange = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   dev = 'tun'
Sun Sep 05 01:17:14 2021 us=78199   dev_type = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   dev_node = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   lladdr = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   topology = 1
Sun Sep 05 01:17:14 2021 us=78199   ifconfig_local = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   ifconfig_remote_netmask = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   ifconfig_noexec = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   ifconfig_nowarn = DISABLED
Sun Sep 05 01:17:14 2021 us=78199   ifconfig_ipv6_local = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=78199   ifconfig_ipv6_netbits = 0
Sun Sep 05 01:17:14 2021 us=78199   ifconfig_ipv6_remote = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   shaper = 0
Sun Sep 05 01:17:14 2021 us=79200   mtu_test = 0
Sun Sep 05 01:17:14 2021 us=79200   mlock = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   keepalive_ping = 0
Sun Sep 05 01:17:14 2021 us=79200   keepalive_timeout = 0
Sun Sep 05 01:17:14 2021 us=79200   inactivity_timeout = 0
Sun Sep 05 01:17:14 2021 us=79200   ping_send_timeout = 0
Sun Sep 05 01:17:14 2021 us=79200   ping_rec_timeout = 0
Sun Sep 05 01:17:14 2021 us=79200   ping_rec_timeout_action = 0
Sun Sep 05 01:17:14 2021 us=79200   ping_timer_remote = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   remap_sigusr1 = 0
Sun Sep 05 01:17:14 2021 us=79200   persist_tun = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   persist_local_ip = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   persist_remote_ip = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   persist_key = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   passtos = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   resolve_retry_seconds = 1000000000
Sun Sep 05 01:17:14 2021 us=79200   resolve_in_advance = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   username = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   groupname = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   chroot_dir = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   cd_dir = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   writepid = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   up_script = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   down_script = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   down_pre = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   up_restart = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   up_delay = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   daemon = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   inetd = 0
Sun Sep 05 01:17:14 2021 us=79200   log = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   suppress_timestamps = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   machine_readable_output = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   nice = 0
Sun Sep 05 01:17:14 2021 us=79200   verbosity = 4
Sun Sep 05 01:17:14 2021 us=79200   mute = 0
Sun Sep 05 01:17:14 2021 us=79200   gremlin = 0
Sun Sep 05 01:17:14 2021 us=79200   status_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   status_file_version = 1
Sun Sep 05 01:17:14 2021 us=79200   status_file_update_freq = 60
Sun Sep 05 01:17:14 2021 us=79200   occ = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   rcvbuf = 0
Sun Sep 05 01:17:14 2021 us=79200   sndbuf = 0
Sun Sep 05 01:17:14 2021 us=79200   sockflags = 0
Sun Sep 05 01:17:14 2021 us=79200   fast_io = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   comp.alg = 2
Sun Sep 05 01:17:14 2021 us=79200   comp.flags = 1
Sun Sep 05 01:17:14 2021 us=79200   route_script = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   route_default_gateway = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   route_default_metric = 0
Sun Sep 05 01:17:14 2021 us=79200   route_noexec = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   route_delay = 5
Sun Sep 05 01:17:14 2021 us=79200   route_delay_window = 30
Sun Sep 05 01:17:14 2021 us=79200   route_delay_defined = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   route_nopull = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   route_gateway_via_dhcp = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   allow_pull_fqdn = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   management_addr = '127.0.0.1'
Sun Sep 05 01:17:14 2021 us=79200   management_port = '25343'
Sun Sep 05 01:17:14 2021 us=79200   management_user_pass = 'stdin'
Sun Sep 05 01:17:14 2021 us=79200   management_log_history_cache = 250
Sun Sep 05 01:17:14 2021 us=79200   management_echo_buffer_size = 100
Sun Sep 05 01:17:14 2021 us=79200   management_write_peer_info_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   management_client_user = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   management_client_group = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   management_flags = 6
Sun Sep 05 01:17:14 2021 us=79200   shared_secret_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   key_direction = 1
Sun Sep 05 01:17:14 2021 us=79200   ciphername = 'BF-CBC'
Sun Sep 05 01:17:14 2021 us=79200   ncp_enabled = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sun Sep 05 01:17:14 2021 us=79200   authname = 'RSA-SHA256'
Sun Sep 05 01:17:14 2021 us=79200   prng_hash = 'SHA1'
Sun Sep 05 01:17:14 2021 us=79200   prng_nonce_secret_len = 16
Sun Sep 05 01:17:14 2021 us=79200   keysize = 0
Sun Sep 05 01:17:14 2021 us=79200   engine = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   replay = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   mute_replay_warnings = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   replay_window = 64
Sun Sep 05 01:17:14 2021 us=79200   replay_time = 15
Sun Sep 05 01:17:14 2021 us=79200   packet_id_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   use_iv = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   test_crypto = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   tls_server = DISABLED
Sun Sep 05 01:17:14 2021 us=79200   tls_client = ENABLED
Sun Sep 05 01:17:14 2021 us=79200   key_method = 2
Sun Sep 05 01:17:14 2021 us=79200   ca_file = '[[INLINE]]'
Sun Sep 05 01:17:14 2021 us=79200   ca_path = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   dh_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   cert_file = '[[INLINE]]'
Sun Sep 05 01:17:14 2021 us=79200   extra_certs_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=79200   priv_key_file = '[[INLINE]]'
Sun Sep 05 01:17:14 2021 us=79200   pkcs12_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   cryptoapi_cert = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   cipher_list = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   cipher_list_tls13 = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   tls_cert_profile = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   tls_verify = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   tls_export_cert = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   verify_x509_type = 0
Sun Sep 05 01:17:14 2021 us=80202   verify_x509_name = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   crl_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   ns_cert_type = 0
Sun Sep 05 01:17:14 2021 us=80202   remote_cert_ku[i] = 65535
Sun Sep 05 01:17:14 2021 us=80202   remote_cert_ku[i] = 0
Sun Sep 05 01:17:14 2021 us=80202   remote_cert_eku = 'TLS Web Server Authentication'
Sun Sep 05 01:17:14 2021 us=80202   ssl_flags = 0
Sun Sep 05 01:17:14 2021 us=80202   tls_timeout = 2
Sun Sep 05 01:17:14 2021 us=80202   renegotiate_bytes = -1
Sun Sep 05 01:17:14 2021 us=80202   renegotiate_packets = 0
Sun Sep 05 01:17:14 2021 us=80202   renegotiate_seconds = 3600
Sun Sep 05 01:17:14 2021 us=80202   handshake_window = 60
Sun Sep 05 01:17:14 2021 us=80202   transition_window = 3600
Sun Sep 05 01:17:14 2021 us=80202   single_session = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   push_peer_info = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   tls_exit = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   tls_auth_file = 'vpnusa.key'
Sun Sep 05 01:17:14 2021 us=80202   tls_crypt_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_protected_authentication = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_private_mode = 00000000
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_cert_private = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_pin_cache_period = -1
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_id = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=80202   pkcs11_id_management = DISABLED
Sun Sep 05 01:17:14 2021 us=80202   server_network = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=80202   server_netmask = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=80202   server_network_ipv6 = ::
Sun Sep 05 01:17:14 2021 us=80202   server_netbits_ipv6 = 0
Sun Sep 05 01:17:14 2021 us=80202   server_bridge_ip = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   server_bridge_netmask = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   server_bridge_pool_start = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   server_bridge_pool_end = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_pool_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_pool_start = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_pool_end = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_pool_netmask = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_pool_persist_refresh_freq = 600
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_ipv6_pool_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_ipv6_pool_base = ::
Sun Sep 05 01:17:14 2021 us=81202   ifconfig_ipv6_pool_netbits = 0
Sun Sep 05 01:17:14 2021 us=81202   n_bcast_buf = 256
Sun Sep 05 01:17:14 2021 us=81202   tcp_queue_limit = 64
Sun Sep 05 01:17:14 2021 us=81202   real_hash_size = 256
Sun Sep 05 01:17:14 2021 us=81202   virtual_hash_size = 256
Sun Sep 05 01:17:14 2021 us=81202   client_connect_script = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   learn_address_script = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   client_disconnect_script = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   client_config_dir = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   ccd_exclusive = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   tmp_dir = 'C:\Users\Thimoty\AppData\Local\Temp\'
Sun Sep 05 01:17:14 2021 us=81202   push_ifconfig_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   push_ifconfig_local = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   push_ifconfig_remote_netmask = 0.0.0.0
Sun Sep 05 01:17:14 2021 us=81202   push_ifconfig_ipv6_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   push_ifconfig_ipv6_local = ::/0
Sun Sep 05 01:17:14 2021 us=81202   push_ifconfig_ipv6_remote = ::
Sun Sep 05 01:17:14 2021 us=81202   enable_c2c = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   duplicate_cn = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   cf_max = 0
Sun Sep 05 01:17:14 2021 us=81202   cf_per = 0
Sun Sep 05 01:17:14 2021 us=81202   max_clients = 1024
Sun Sep 05 01:17:14 2021 us=81202   max_routes_per_client = 256
Sun Sep 05 01:17:14 2021 us=81202   auth_user_pass_verify_script = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   auth_user_pass_verify_script_via_file = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   auth_token_generate = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   auth_token_lifetime = 0
Sun Sep 05 01:17:14 2021 us=81202   client = ENABLED
Sun Sep 05 01:17:14 2021 us=81202   pull = ENABLED
Sun Sep 05 01:17:14 2021 us=81202   auth_user_pass_file = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   show_net_up = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   route_method = 0
Sun Sep 05 01:17:14 2021 us=81202   block_outside_dns = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   ip_win32_defined = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   ip_win32_type = 3
Sun Sep 05 01:17:14 2021 us=81202   dhcp_masq_offset = 0
Sun Sep 05 01:17:14 2021 us=81202   dhcp_lease_time = 31536000
Sun Sep 05 01:17:14 2021 us=81202   tap_sleep = 0
Sun Sep 05 01:17:14 2021 us=81202   dhcp_options = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   dhcp_renew = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   dhcp_pre_release = DISABLED
Sun Sep 05 01:17:14 2021 us=81202   domain = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   netbios_scope = '[UNDEF]'
Sun Sep 05 01:17:14 2021 us=81202   netbios_node_type = 0
Sun Sep 05 01:17:14 2021 us=81202   disable_nbt = DISABLED
Sun Sep 05 01:17:14 2021 us=81202 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Sun Sep 05 01:17:14 2021 us=81202 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Sep 05 01:17:14 2021 us=81202 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Enter Management Password:
Sun Sep 05 01:17:14 2021 us=82203 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Sun Sep 05 01:17:14 2021 us=82203 Need hold release from management interface, waiting...
Sun Sep 05 01:17:14 2021 us=557105 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
Sun Sep 05 01:17:14 2021 us=663571 MANAGEMENT: CMD 'state on'
Sun Sep 05 01:17:14 2021 us=663571 MANAGEMENT: CMD 'log all on'
Sun Sep 05 01:17:15 2021 us=94206 MANAGEMENT: CMD 'echo all on'
Sun Sep 05 01:17:15 2021 us=100212 MANAGEMENT: CMD 'bytecount 5'
Sun Sep 05 01:17:15 2021 us=105217 MANAGEMENT: CMD 'hold off'
Sun Sep 05 01:17:15 2021 us=110221 MANAGEMENT: CMD 'hold release'
Sun Sep 05 01:17:15 2021 us=115225 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Sep 05 01:17:15 2021 us=115225 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Sep 05 01:17:15 2021 us=115225 LZO compression initializing
Sun Sep 05 01:17:15 2021 us=115225 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Sun Sep 05 01:17:15 2021 us=115225 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sun Sep 05 01:17:15 2021 us=115225 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 05 01:17:15 2021 us=115225 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 05 01:17:15 2021 us=115225 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Sun Sep 05 01:17:15 2021 us=115225 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Sep 05 01:17:15 2021 us=115225 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Sun Sep 05 01:17:15 2021 us=115225 MANAGEMENT: >STATE:1630797435,TCP_CONNECT,,,,,,

Hello,

Silly question: can you bring the VPN up and give us the client's routing table (ip r and ip -6 r)?
I'm not used to this kind of OVPN setup, but I believe specific options are needed for the routes to be correct.

Otherwise, can you tell us how you know the VPN is actually up, and what kind of connection doesn't work?

Hello,

For the routing tables, that's going to be difficult, because it's the connection as a client that doesn't work, so I can't give you anything on that: the client doesn't start. Basically, it doesn't bring up the tun0 interface; you can see in the logs "Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]" and it stops there.

On the server side, however, it works: the tun0 interface is up, so here is its ip route (I disabled IPv6):

default via 10.255.255.1 dev ens192
10.6.0.0/24 via 10.6.0.2 dev tun0
10.6.0.2 dev tun0 proto kernel scope link src 10.6.0.1
10.255.255.1 dev ens192 scope link

So I know my VPN interface is up on the server side thanks to the routing table, the fact that the interface is up and has an IP in the VPN range I defined, and the service being active.

Nooooooooooooooooo! :sob:

Ah yes, the link doesn't come up. Can you give us the output of the following commands on the server:

  • iptables-save
  • grep '04AA' /proc/net/tcp

Otherwise, I don't really understand what you were trying to do with this, but I think you can get rid of it.

For iptables-save:

# Generated by xtables-save v1.8.2 on Sun Sep  5 06:29:36 2021
*filter
:INPUT DROP [1224:68108]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-input -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-input -s 74.208.94.119/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 74.208.94.119/32 -p tcp -m tcp --dport 943 -j ACCEPT
-A ufw-user-input -s 74.208.94.119/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 212.227.31.58/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 212.227.31.58/32 -p tcp -m tcp --dport 943 -j ACCEPT
-A ufw-user-input -s 172.27.224.0/20 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 172.26.224.0/20 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 172.26.224.0/20 -p tcp -m tcp --dport 943 -j ACCEPT
-A ufw-user-input -s 172.26.224.0/20 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 77.148.135.21/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 77.148.135.21/32 -p tcp -m tcp --dport 943 -j ACCEPT
-A ufw-user-input -s 77.148.135.21/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 1194 -j ACCEPT
-A ufw-user-input -s 77.148.135.21/32 -p tcp -m tcp --dport 1194 -j ACCEPT
-A ufw-user-input -s 77.148.135.21/32 -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sun Sep  5 06:29:36 2021
# Generated by xtables-save v1.8.2 on Sun Sep  5 06:29:36 2021
*nat
:PREROUTING ACCEPT [1760:213392]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [24:2296]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p udp -m udp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p udp -m udp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p udp -m udp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p udp -m udp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
COMMIT
# Completed on Sun Sep  5 06:29:36 2021

For grep '04AA' /proc/net/tcp:

   0: 00000000:04AA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 42090 1 00000000c3f0d024 100 0 0 10 0

As for before.rules, those are the port forwarding settings on the server.

In the future I plan to enable IPv6, but I don't know enough about IPv6 at the moment.
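The check behind `grep '04AA' /proc/net/tcp`, spelled out as an added example (not part of the thread, and not the tool anyone in it used): ports and addresses in that file are hex, 0x04AA is 1194, and the state column value 0A means LISTEN. A bare grep also matches the remote-port column or any other field that happens to contain 04AA, and an ESTABLISHED socket on port 1194 is not a listener, so the parser below reads the state column explicitly. The sample is constructed: line 0 is the server's real output from the thread, lines 1 and 2 are invented for contrast (an SSH listener bound to loopback, and an established VPN session between the thread's two addresses). IPv6 sockets live in /proc/net/tcp6 and are not handled here; `ss -ltn` is the everyday shortcut for the same question.

```python
"""Decode /proc/net/tcp and answer "is anything LISTENing on TCP 1194?".

Added example, not part of the thread. SAMPLE is constructed: entry 0 is
the server's real line from the thread, entries 1 and 2 are invented.
"""
import socket
import struct

# Socket states, numbered as in the kernel's include/net/tcp_states.h
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: header plus three entries
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:04AA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 42090 1 00000000c3f0d024 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000aabbccdd 100 0 0 10 0
   2: 775ED04A:04AA 1587944D:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 00000000deadbeef 20 4 30 10 -1
"""


def port_to_hex(port: int) -> str:
    """1194 -> '04AA', the pattern the thread grepped for."""
    return f"{port:04X}"


def decode_endpoint(field: str):
    """'0100007F:04AA' -> ('127.0.0.1', 1194).

    The address is a 32-bit word printed in the host's byte order, which is
    little-endian on x86 and arm64; the port is big-endian hex.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Return one dict per socket line: local and remote (ip, port) plus a state name."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data lines start with the slot number, e.g. '0:'; the header does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        entries.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return entries


def listeners_on(text: str, port: int):
    """Addresses holding a LISTEN socket on `port`; '0.0.0.0' means every interface."""
    return [e["local"][0] for e in parse_proc_net_tcp(text)
            if e["state"] == "LISTEN" and e["local"][1] == port]


def live_check(port: int = 1194):
    """Same question against the real /proc/net/tcp of this host (Linux only)."""
    with open("/proc/net/tcp") as fh:
        return listeners_on(fh.read(), port)


if __name__ == "__main__":
    print("grep pattern for 1194:", port_to_hex(1194))
    print("listening on 1194 in sample:", listeners_on(SAMPLE, 1194))
    for entry in parse_proc_net_tcp(SAMPLE):
        print(entry)
```

In the thread's line 0 the local address decodes to 0.0.0.0:1194 in state LISTEN, i.e. the OpenVPN daemon is listening on TCP 1194 on all interfaces; the server side was fine and the SYNs were being dropped before they reached it.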

It's useless; it needlessly complicates your configuration. Explanation:

Here you add a rule so that all traffic arriving at your OVPN server on UDP port 1194 is sent to UDP port 1194 of your OVPN server. This particular rule is useless because your OVPN server doesn't listen on UDP.

Same thing.

I don't know whether this one is useful: is your OVPN server the default gateway of the network it sits in? If so, it's useless; otherwise, leave it there.

I don't understand any of this hell, but I see you opened port 1194 to the source IP 77.148.135.21. Does your client actually have that address?

:crazy_face: :gun:
There are too many layers on top of iptables generating rules in loops. That's not very optimal. Also, your OVPN server still doesn't listen on UDP.
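Two things the reply above points at in the posted iptables-save can be checked mechanically: a `REDIRECT` whose target port equals the matched `--dport` changes nothing, and the same rule appended several times (every nat rule appears five times in the thread's dump, typically the result of a `*nat` block being re-applied on each reload without a flush) costs extra evaluations for no extra effect. The helpers below are an added example, not part of the thread and not ufw's or iptables' own tooling; the nat rules in SAMPLE are copied from the thread's dump (trimmed to two copies each), and the `443 -> 1194` rule is invented to show a redirect that is not a no-op. The `--to-ports?` pattern accepts both the `--to-port` spelling from before.rules and the `--to-ports` form iptables-save prints.

```python
"""Find duplicated and no-op rules in iptables-save output.

Added example, not part of the thread. SAMPLE mixes rules copied from the
server's iptables-save in the thread with one invented 443 -> 1194 redirect.
"""
import re
from collections import Counter

SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A ufw-user-input -p tcp -m tcp --dport 1194 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p udp -m udp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 1194 -j REDIRECT --to-ports 1194
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o ens192 -j MASQUERADE
COMMIT
"""


def parse_rules(text: str):
    """Return [(table, '-A ...'), ...], tracking the current '*table' header."""
    table, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, line))
    return rules


def duplicate_rules(text: str):
    """{(table, rule): count} for every rule appended more than once."""
    return {k: n for k, n in Counter(parse_rules(text)).items() if n > 1}


# Matches '--dport 1194 -j REDIRECT --to-ports 1194' (and the '--to-port' spelling).
_REDIRECT = re.compile(r"--dport (\d+) -j REDIRECT --to-ports? (\d+)\b")


def noop_redirects(text: str):
    """nat REDIRECT rules mapping a port onto itself; every occurrence, duplicates included."""
    return [rule for table, rule in parse_rules(text)
            if table == "nat"
            and (m := _REDIRECT.search(rule)) and m.group(1) == m.group(2)]


def dedupe(text: str) -> str:
    """iptables-save text with repeated '-A' lines dropped (first occurrence kept, per table)."""
    seen, table, out = set(), None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            if (table, line) in seen:
                continue
            seen.add((table, line))
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Pipe a real dump in: iptables-save | python3 this_file.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (table, rule), n in duplicate_rules(text).items():
        print(f"{n}x in *{table}: {rule}")
    for rule in noop_redirects(text):
        print("no-op:", rule)
```

`dedupe` only removes literal repeats; it does not decide whether a rule is wanted. Dropping the self-redirects is a separate, deliberate step, and as the reply notes the UDP ones are doubly pointless on a server that only listens on TCP.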

So I removed all the port forwarding rules I had added. Yes, my client is on 77.148.135.21. I tried connecting again and it gives me this in the client logs:

Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: LZO compression initializing
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA256,keysize 128,tls>
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA256,keysi>
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: TCP/UDP: Preserving recently used remote address: [AF_INET]74.208.94.119:1194
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Sep 05 14:27:18 debian-thimoty-laptop ovpn-vpnusatest[1845817]: Attempting to establish TCP connection with [AF_INET]74.208.94.119:1194 [nonblock]

So it still doesn't work, but I don't understand why. I wasn't expecting it to make loops. Note that my server has no private IP, it only has a public IP; it's a VM. However, won't removing these forwarding rules close the ports?

Ah, it's a virtual server at 1&1.
If this server only has a public address, there's no NAT, so there's no forwarding to do; you just need to accept the incoming connections for the VPN.
On the other hand, I have good reason to think the IP address you're allowing is probably not the right one. That IP address is one SFR uses for its mobile customers; it can change without notice.

In my ufw I allowed port 1194 in TCP from any IP, so that shouldn't normally be a problem.

And does it work? I tried connecting from my IPv4 address (82.65.155.50) and it doesn't seem to respond.
Either your client is connected and OVPN therefore isn't answering me, or you didn't make the right change, or you forgot to apply your change.
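A client log that stops at "Attempting to establish TCP connection with ... [nonblock]" is what a silently dropped SYN looks like, and the "doesn't seem to respond" above is the same symptom from a second vantage point. The probe below is an added example, not from the thread: a plain TCP connect with a timeout separates a timeout (filtered, e.g. by a firewall in front of the VM such as a hosting provider's network firewall) from a refused connection (host reachable, nothing listening on that port) and an accepted one. The self-test runs against loopback only, so it needs no network; the host and port for a real check are whatever you pass in (in the thread that would be 74.208.94.119 and 1194, which this block does not contact).

```python
"""Classify a TCP connect failure: open, closed, filtered or unreachable.

Added example, not part of the thread. The self-test only talks to
127.0.0.1; nothing here contacts the addresses from the thread.
"""
import errno
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        # No SYN-ACK and no RST within the timeout: something dropped the SYN
        # (a firewall in the path) or the host is down.
        return "filtered"
    except ConnectionRefusedError:
        # An RST came back: the host is reachable, nothing listens on the port.
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # no route at all from this client
        raise
    finally:
        s.close()


def local_listener(port: int = 0):
    """Bind a throwaway listener on loopback; returns (socket, chosen port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def self_test():
    """Show 'open' while a listener exists on a loopback port and 'closed' once it is gone."""
    srv, port = local_listener()
    try:
        with_listener = probe_tcp("127.0.0.1", port)
    finally:
        srv.close()
    without_listener = probe_tcp("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # e.g. python3 this_file.py <vpn-server-ip> 1194, run from the client
        print(probe_tcp(sys.argv[1], int(sys.argv[2])))
    else:
        print(self_test())
```

Read the result together with the server-side listener check: a LISTEN socket on 0.0.0.0:1194 on the server plus "filtered" from the client means the packets are being dropped between the two, which is exactly where a provider-level firewall sits.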

Hello, I'm getting back to you a bit late, lots to do this week ^^. I found the solution: for people using Ionos servers, there is a firewall layer in addition to the VM, so it has to be configured in the network tab. So I finally got it working; thanks for your help Almtesh.