AndreyEver » Fri Mar 22, 2024 8:38 am
Greetings.
I have an OpenVPN server on a Mikrotik and the latest version of WTware with an OpenVPN client configured. I cannot get the latter to work stably when the connection drops (for one reason or another) or goes idle. I often have to restart WTware entirely, because the OpenVPN client on the WTware side simply exits and does not restart.
The client config is simple and has been verified on Debian:
Code:
client
dev tun
proto udp
nobind
resolv-retry infinite
#comp-lzo
auth sha256
cipher aes-256-cbc
persist-key
persist-tun
ping 10
#auth-nocache
auth-retry interact
mute-replay-warnings
replay-window 128
daemon
remote-cert-tls server
script-security 2
up /etc/openvpn/update-resolv-conf
dhcp-option DNS 172.16.72.241
auth-user-pass /bootmedia/configs/pass.txt
remote vpn.lab****.ru
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
WTware log:
Code:
[ initrd] [ 28.061325] +--- Executing "/usr/sbin/openvpn --config /etc/client.conf"
[ KERNEL] [ 28.061300] tun: Universal TUN/TAP device driver, 1.6
[ SYSLOG] [ 28.074100] 8 openvpn[696]: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.
[ SYSLOG] [ 28.074603] 8 openvpn[696]: WARNING: file '/bootmedia/configs/pass.txt' is group or others accessible
[ SYSLOG] [ 28.074630] 8 openvpn[696]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
[ SYSLOG] [ 28.074668] 8 openvpn[696]: library versions: OpenSSL 1.1.1w 11 Sep 2023, LZO 2.10
[ initrd] [ 28.076586] +- Errorlevel: 0, output:
| [No output]
[ SYSLOG] [ 28.076731] 8 openvpn[698]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
[ initrd] [ 28.078854] +------------------------
[ SYSLOG] [ 28.128905] 8 openvpn[698]: TCP/UDP: Preserving recently used remote address: [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 28.128985] 8 openvpn[698]: UDP link local: (not bound)
[ SYSLOG] [ 28.129011] 8 openvpn[698]: UDP link remote: [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 28.294766] 8 openvpn[698]: [vpn.lab****.ru] Peer Connection Initiated with [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 29.433966] 0 openvpn[698]: TUN/TAP device tun0 opened
[ SYSLOG] [ 29.434039] 0 openvpn[698]: net_iface_mtu_set: mtu 1500 for tun0
[ SYSLOG] [ 29.434065] 0 openvpn[698]: net_iface_up: set tun0 up
[ SYSLOG] [ 29.434230] 0 openvpn[698]: net_addr_v4_add: 172.29.72.65/24 dev tun0
[ SYSLOG] [ 29.436699] 0 openvpn[698]: /etc/openvpn/update-resolv-conf tun0 1500 1572 172.29.72.65 255.255.255.0 init
[ SYSLOG] [ 29.444231] 0 openvpn[698]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
[ SYSLOG] [ 29.444313] 0 openvpn[698]: Initialization Sequence Completed
[ pfac] [ 29.486284] Run /sbin/httpd.
[ initrd] [ 29.486318] OpenVPN tun0: my IP 172.29.72.65.
[ initrd] [ 29.486351] Run '/sbin/httpd', log '/tmp/httpd.out', env '', pid ''.
[ pfac] [ 29.486381] Ok, PID 758.
[ initrd] [ 29.486399] Copy /bootmedia/configs/config.wtc to /tmp/config.wtc.
[ initrd] [ 29.486624] /bootmedia/configs/config.wtc -> /tmp/config.wtc, 2 bytes copied.
[ initrd] [ 29.486660] Common local disk config:
/--- FILE "/tmp/config.wtc" -----------------------
| [BOM..
...
[ SYSLOG] [ 89.819111] 0 openvpn[698]: [vpn.lab****.ru] Inactivity timeout (--ping-restart), restarting
[ SYSLOG] [ 89.819192] 0 openvpn[698]: SIGUSR1[soft,ping-restart] received, process restarting
[ SYSLOG] [ 94.820137] 5 openvpn[698]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
[ SYSLOG] [ 94.820225] 5 openvpn[698]: TCP/UDP: Preserving recently used remote address: [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 94.820253] 5 openvpn[698]: UDP link local: (not bound)
[ SYSLOG] [ 94.820278] 5 openvpn[698]: UDP link remote: [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 94.985075] 5 openvpn[698]: [vpn.lab****.ru] Peer Connection Initiated with [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 96.059855] 6 openvpn[698]: AUTH: Received control message: AUTH_FAILED, user PC-04467 is already active
[ SYSLOG] [ 96.060196] 6 openvpn[698]: SIGUSR1[soft,auth-failure] received, process restarting
[ SYSLOG] [ 101.060795] 1 openvpn[698]: Error opening 'Auth' auth file: /bootmedia/configs/pass.txt: No such file or directory (errno=2)
[ SYSLOG] [ 101.060870] 1 openvpn[698]: Exiting due to fatal error
[ SYSLOG] [ 101.060897] 1 openvpn[698]: net_addr_v4_del: 172.29.72.65 dev tun0
[ pfac] [ 101.082084] Process pid 698 terminated, status 00000100.
I assume the problem is this:
Error opening 'Auth' auth file: /bootmedia/configs/pass.txt: No such file or directory (errno=2)
and the cause is that WTware unmounts the boot disk after booting?
I seem to recall that this behaviour (keeping the system in memory vs. accessing the disk) was configurable somehow. I cannot find which parameter controls it.
Or is it something else?
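The restart chain in the log above can be read mechanically, and doing so answers the question the post ends with. The Python below is an added example, not part of the forum post and not WTware or OpenVPN code: it parses WTware-style syslog lines, extracts the OpenVPN restart events, and checks whether the auth-user-pass file was readable when the client started (the "group or others accessible" warning is only printed after the file has been opened) and reported missing after a later restart. The first sample is a constructed excerpt in the shape of the post's log (the masked host, address and user name are the post's own); the second is a constructed run in which the file lives at an assumed path that stays available after boot (`/tmp/pass.txt`), so the same restart chain ends in a successful reconnect.

```python
import re
from dataclasses import dataclass

# Constructed sample: condensed excerpt in the shape of the post's WTware log.
SAMPLE_LOG = """\
[ SYSLOG] [ 28.074603] 8 openvpn[696]: WARNING: file '/bootmedia/configs/pass.txt' is group or others accessible
[ SYSLOG] [ 28.294766] 8 openvpn[698]: [vpn.lab****.ru] Peer Connection Initiated with [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 29.444313] 0 openvpn[698]: Initialization Sequence Completed
[ SYSLOG] [ 89.819192] 0 openvpn[698]: SIGUSR1[soft,ping-restart] received, process restarting
[ SYSLOG] [ 94.985075] 5 openvpn[698]: [vpn.lab****.ru] Peer Connection Initiated with [AF_INET]93.189.*.166:1194
[ SYSLOG] [ 96.059855] 6 openvpn[698]: AUTH: Received control message: AUTH_FAILED, user PC-04467 is already active
[ SYSLOG] [ 96.060196] 6 openvpn[698]: SIGUSR1[soft,auth-failure] received, process restarting
[ SYSLOG] [ 101.060795] 1 openvpn[698]: Error opening 'Auth' auth file: /bootmedia/configs/pass.txt: No such file or directory (errno=2)
[ SYSLOG] [ 101.060870] 1 openvpn[698]: Exiting due to fatal error
"""

# Constructed contrast: same restart chain, but the credentials file is read
# from an assumed path (/tmp/pass.txt) that is still present after boot.
SAMPLE_LOG_RECOVERED = """\
[ SYSLOG] [ 28.074603] 8 openvpn[696]: WARNING: file '/tmp/pass.txt' is group or others accessible
[ SYSLOG] [ 29.444313] 0 openvpn[698]: Initialization Sequence Completed
[ SYSLOG] [ 89.819192] 0 openvpn[698]: SIGUSR1[soft,ping-restart] received, process restarting
[ SYSLOG] [ 96.059855] 6 openvpn[698]: AUTH: Received control message: AUTH_FAILED, user PC-04467 is already active
[ SYSLOG] [ 96.060196] 6 openvpn[698]: SIGUSR1[soft,auth-failure] received, process restarting
[ SYSLOG] [ 140.100000] 0 openvpn[698]: Initialization Sequence Completed
"""

# WTware syslog framing: "[ SYSLOG] [ <seconds>] <n> openvpn[<pid>]: <message>"
LINE_RE = re.compile(
    r"^\[\s*SYSLOG\]\s+\[\s*(?P<ts>\d+\.\d+)\]\s+\d+\s+openvpn\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)

# OpenVPN messages that matter for the restart chain; a named group captures the detail.
PATTERNS = [
    ("auth_file_readable", re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible")),
    ("connected", re.compile(r"Initialization Sequence Completed")),
    ("restart", re.compile(r"SIGUSR1\[soft,(?P<reason>[^\]]+)\] received, process restarting")),
    ("auth_failed", re.compile(r"AUTH: Received control message: AUTH_FAILED")),
    ("auth_file_missing", re.compile(r"Error opening 'Auth' auth file: (?P<path>.+?): No such file or directory")),
    ("fatal", re.compile(r"Exiting due to fatal error")),
]


@dataclass
class Event:
    ts: float
    pid: int
    kind: str
    detail: str  # file path or restart reason; empty when the pattern captures nothing


def parse_events(log: str) -> list[Event]:
    """Classify the log lines we care about, in log order (PIDs 696/698 are the
    pre- and post-daemonize process, so events are not grouped by PID)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in PATTERNS:
            hit = pat.search(m.group("msg"))
            if hit:
                detail = next(iter(hit.groupdict().values()), "")
                events.append(Event(float(m.group("ts")), int(m.group("pid")), kind, detail))
                break
    return events


def diagnose(log: str) -> dict:
    """Reconstruct the restart chain and decide whether the auth file was
    readable at start-up yet missing after a later restart."""
    events = parse_events(log)
    readable = [e for e in events if e.kind == "auth_file_readable"]
    missing = [e for e in events if e.kind == "auth_file_missing"]
    restarts = [e for e in events if e.kind == "restart"]
    first_restart = restarts[0].ts if restarts else None
    auth_failed_after_restart = any(
        e.kind == "auth_failed" and first_restart is not None and e.ts > first_restart
        for e in events
    )
    vanished = bool(
        readable and missing
        and readable[0].detail == missing[0].detail
        and missing[0].ts > readable[0].ts
    )
    return {
        "restart_reasons": [e.detail for e in restarts],
        "auth_file": readable[0].detail if readable else (missing[0].detail if missing else None),
        "auth_file_readable_at": readable[0].ts if readable else None,
        "auth_file_missing_at": missing[0].ts if missing else None,
        "auth_failed_after_restart": auth_failed_after_restart,
        "auth_file_vanished_after_start": vanished,
        "fatal_exit": any(e.kind == "fatal" for e in events),
        "reconnected": sum(1 for e in events if e.kind == "connected") > 1,
    }


if __name__ == "__main__":
    for name, log in (("post log", SAMPLE_LOG), ("recovered", SAMPLE_LOG_RECOVERED)):
        print(name)
        for key, value in diagnose(log).items():
            print(f"  {key}: {value}")
```

On the post's log the verdict is `auth_file_vanished_after_start: True`: the same path was opened at 28 s and returned ENOENT at 101 s, which is the evidence for the unmounted-boot-media hypothesis. The timing also matches the OpenVPN manual's description of `auth-retry interact`: the ping-restart at 89 s reconnects with cached credentials, but after the server's AUTH_FAILED ("user is already active") the client re-queries the username/password, which for a file means re-reading it, so a path that is only valid during boot fails precisely at the second restart and the process exits instead of retrying.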