-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/09/13 17:08, Jan Just Keijser wrote:
> Hi,
>
> Dmitry Melekhov wrote:
>> Hello!
>>
>> I run OpenVPN 2.2.1 server.
>>
>> And there are clients connected by mobile links, so they are not stable. Connections are over udp.
>>
>> On connect route add script is executed, on disconnect - route del. As you see, route del was executed, but no route add.
>>
>> Sep 4 12:45:19 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: tls_process: killed expiring key
>> Sep 4 12:45:22 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: soft reset sec=0 bytes=2696526/0 pkts=25464/0
>> Sep 4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 CRL CHECK OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
>> Sep 4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 VERIFY OK: depth=1, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
>> Sep 4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 CRL CHECK OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
>> Sep 4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 VERIFY OK: depth=0, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
>> Sep 4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
>> Sep 4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Sep 4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
>> Sep 4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Sep 4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
>> Sep 4 12:46:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 12:51:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 12:56:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:01:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:06:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:11:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:14:20 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:16:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:21:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:26:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:31:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:36:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:41:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:45:22 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: tls_process: killed expiring key
>> Sep 4 13:45:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: soft reset sec=-1 bytes=3481446/0 pkts=19745/0
>> Sep 4 13:46:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32768
>> Sep 4 13:46:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
>> Sep 4 13:46:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: TLS handshake failed
>> Sep 4 13:46:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: 94.77.49.2:32770 CRL CHECK OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: 94.77.49.2:32770 VERIFY OK: depth=0, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: 94.77.49.2:32770 [yuski] Peer Connection Initiated with [AF_INET]94.77.49.2:32770 (via [AF_INET]192.168.42.2%vlan2)
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 OPTIONS IMPORT: reading client specific options from: ccd-udp/yuski
>> Sep 4 13:46:39 inetgw1 openvpn: yuski sudo route add -net 192.168.113.0 netmask 255.255.255.0 gw 192.168.205.1
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_3033ceb343f4ebe50459758ab34f550d.tmp
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: Learn: 192.168.205.142 -> yuski/94.77.49.2:32770
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: primary virtual IP for yuski/94.77.49.2:32770: 192.168.205.142
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: internal route 192.168.113.0/24 -> yuski/94.77.49.2:32770
>> Sep 4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: Learn: 192.168.113.0/24 -> yuski/94.77.49.2:32770
>> Sep 4 13:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 PUSH: Received control message: 'PUSH_REQUEST'
>> Sep 4 13:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 send_push_reply(): safe_cap=960
>> Sep 4 13:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 SENT CONTROL [yuski]: 'PUSH_REPLY,explicit-exit-notify 3,route 192.168.205.1,topology net30,ping 10,ping-restart 120,route 10.0.0.0 255.0.0.0,route 192.168.0.0 255.255.0.0,ifconfig 192.168.205.142 192.168.205.141' (status=1)
>> Sep 4 13:47:41 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
>> Sep 4 13:47:41 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: TLS handshake failed
>> Sep 4 13:48:33 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 [UNDEF] Inactivity timeout (--ping-restart), restarting
>> Sep 4 13:48:33 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 SIGUSR1[soft,ping-restart] received, client-instance restarting
>> Sep 4 13:48:33 inetgw1 openvpn: yuski sudo route del -net 192.168.113.0 netmask 255.255.255.0 gw 192.168.205.1
>> Sep 4 14:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 TLS: soft reset sec=0 bytes=1878484/0 pkts=6064/0
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 CRL CHECK OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 VERIFY OK: depth=1, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 CRL CHECK OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 VERIFY OK: depth=0, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>> Sep 4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
>> Sep 4 15:39:12 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> yuski/94.77.49.2:32770
>>
>> What can I do to solve this problem?
>>
>> I have push "explicit-exit-notify 3"
>>
> - post your server config
> - try replacing the 'client-connect' script with something like
>
> #!/bin/bash
> exit 1
>
> clients should no longer be able to connect - if they are, you know the client-connect script is not called properly
That's a good idea. In addition, other things to check:

- Do you have --script-security set at a proper level?
- Do you use chroot? Is the script/binary available inside the chroot, together with all needed dependencies?
- Can the user OpenVPN runs as access the script file? (including at least +x permissions on all parent directories)
- Does the script have execute permission set? (f.ex chmod 755)

> - post your existing client-connect script.

That's usually always a good idea to do.

-- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlInWicACgkQDC186MBRfrrx+gCfaN7aUqLoJTXZRUuxemw8hXZP
TFkAoKb0mhEXFRBy9XSclGJG6IW0AWWS
=g4FR
-----END PGP SIGNATURE-----

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
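The checklist in the reply above (script-security level, chroot, reachability for the user OpenVPN runs as, execute bit) turned into a pre-flight check you can run on the server before swapping the client-connect script for the `exit 1` stub. This is an added example, not code from this thread or from the OpenVPN project. It verifies that the script exists at the path OpenVPN will see after --chroot, that the file and every parent directory are reachable and executable by a non-root user, that the interpreter named in the shebang exists under the chroot, and that the server config sets script-security to at least 2. The script path, chroot directory and config file in the usage comment are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an OpenVPN
# client-connect / client-disconnect hook. Paths and config file names
# used in the usage comment at the bottom are assumptions.

# Character $2 of the mode string printed by "ls -ld $1" (POSIX, no GNU stat).
# Column 10 is the "other" execute/search bit.
mode_char() {
    ls -ld "$1" | cut -c"$2"
}

# Return 0 when every directory above $1 has the "other" search bit, so a
# process running as an unprivileged user (OpenVPN after --user/--group)
# can reach the file. Testing the "other" bits is conservative: if the
# OpenVPN user or group owns the directories, a stricter mode also works.
parents_traversable() {
    dir=$(dirname "$1")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        c=$(mode_char "$dir" 10)
        case "$c" in
            x|t) ;;                         # searchable (t = sticky + x)
            *) echo "parent $dir lacks +x for others"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# check_connect_script SCRIPT JAIL SERVER_CONF
#   SCRIPT      path exactly as written after client-connect in the config
#   JAIL        directory given to --chroot, or "" when chroot is not used
#   SERVER_CONF server configuration file, read for --script-security
# Prints one line per problem found and returns the number of problems.
check_connect_script() {
    script=$1; jail=$2; conf=$3
    problems=0

    # The hook runs after OpenVPN has chrooted, so the path is resolved
    # inside the jail, and the interpreter and its dependencies must be there.
    real="$jail$script"

    if [ ! -f "$real" ]; then
        echo "script $real does not exist (chroot '$jail')"
        return 1
    fi

    if [ "$(mode_char "$real" 10)" != "x" ]; then
        echo "script $real is not executable by others (try chmod 755)"
        problems=$((problems + 1))
    fi

    parents_traversable "$real" || problems=$((problems + 1))

    # "#!/bin/sh" on the first line means /bin/sh must exist under the jail.
    interp=$(head -n 1 "$real" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$interp" ] && [ ! -x "$jail$interp" ]; then
        echo "interpreter $interp not found under chroot '$jail'"
        problems=$((problems + 1))
    fi

    # Level 2 is the minimum that allows user-defined scripts; level 1
    # only permits built-in executables such as ifconfig and route.
    if ! grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]' "$conf"; then
        echo "script-security is missing or below 2 in $conf"
        problems=$((problems + 1))
    fi

    return $problems
}

# Example invocation with assumed paths; the exit status is the problem count:
# check_connect_script /etc/openvpn/connect.sh "" /etc/openvpn/server.conf
# check_connect_script /etc/openvpn/connect.sh /var/lib/openvpn/jail /etc/openvpn/server.conf
```

A clean run (exit status 0) means OpenVPN can at least reach and start the hook, so if the `exit 1` stub still lets clients connect, the problem is in how the script is referenced in the config rather than in the filesystem. The "other" permission bits are a deliberately strict test; a script owned by the OpenVPN user with mode 700 will be flagged even though it works.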