сталкивается. D общем тоже столкнулся с этим вопросом...
Постановка задачи:
Удаленное подключение к клиентским машинам за сервером + шифрование + аутентификация по сертификатам с парой логин/пароль
был там был здесь.. где моя только не была, а потом вспомнил про Вас.
В общем имею сервер на Freebsd 7.2. установил и настроил все по статье
http://tuxnotes.ru/articles.php?a_id=18
Возникла проблема по которой устал гуглить...
в логах опенвпн показывает:
[spoilerless /var/log/openvpn/openvpn.log]Mon Jun 14 07:56:47 2010 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Jun 13 2010
Mon Jun 14 07:56:47 2010 PLUGIN_INIT: POST /usr/local/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Jun 14 07:56:47 2010 Diffie-Hellman initialized with 1024 bit key
Mon Jun 14 07:56:47 2010 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Mon Jun 14 07:56:47 2010 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Mon Jun 14 07:56:47 2010 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Mon Jun 14 07:56:47 2010 TLS-Auth MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Mon Jun 14 07:56:47 2010 gw 91.205.X.X
Mon Jun 14 07:56:47 2010 TUN/TAP device /dev/tun0 opened
Mon Jun 14 07:56:47 2010 /sbin/ifconfig tun0 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.255 up
Mon Jun 14 07:56:47 2010 /sbin/route add -net 10.0.0.0 10.0.0.2 255.255.255.0
add net 10.0.0.0: gateway 10.0.0.2
Mon Jun 14 07:56:47 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 14 07:56:47 2010 GID set to nobody
Mon Jun 14 07:56:47 2010 UID set to nobody
Mon Jun 14 07:56:47 2010 UDPv4 link local (bound): [undef]:1194
Mon Jun 14 07:56:47 2010 UDPv4 link remote: [undef]
Mon Jun 14 07:56:47 2010 MULTI: multi_init called, r=256 v=256
Mon Jun 14 07:56:47 2010 IFCONFIG POOL: base=10.0.0.4 size=62
Mon Jun 14 07:56:47 2010 Initialization Sequence Completed
Mon Jun 14 08:00:16 2010 MULTI: multi_create_instance called
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 Re-using SSL/TLS context
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 LZO compression initialized
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 Local Options hash (VER=V4): '1056bce3'
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 Expected Remote Options hash (VER=V4): '03fa487d'
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 TLS: Initial packet from 91.205.X.X::1194, sid=8a07e199 502ee84d
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 VERIFY OK: depth=1, /C=KG/ST=Bishkek/L=Bishkek/O=server/OU=server/CN=server/emailAddress=me@myhost.mydomain
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 VERIFY OK: depth=0, /C=KG/ST=Bishkek/O=server/OU=client/CN=client/emailAddress=me@myhost.mydomain
AUTH-PAM: BACKGROUND: user 'client' failed to authenticate: authentication error
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-pam.so
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jun 14 08:00:16 2010 91.205.X.X:1194 [client] Peer Connection Initiated with 91.205.X.X::1194
Mon Jun 14 08:00:19 2010 91.205.X.X:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jun 14 08:00:19 2010 91.205.X.X:1194 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Mon Jun 14 08:00:19 2010 91.205.X.X:1194 Delayed exit in 5 seconds
Mon Jun 14 08:00:24 2010 91.205.X.X:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting[/spoiler]
[spoilerконфиг сервера:]port 1194
proto udp
dev tun0
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 10.10.100.0 255.255.255.252
client-config-dir ccd
tls-server
tls-auth keys/ta.key 0
tls-timeout 120
auth MD5
cipher BF-CBC
keepalive 10 120
comp-lzo
max-clients 2
plugin /usr/local/lib/openvpn-auth-pam.so login
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3[/spoiler]
[spoilerконфиг клиента]dev tun
proto udp
remote 91.205.X.X
port 1194
client
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
tls-client
tls-auth ta.key 1
auth-user-pass
auth MD5
cipher BF-CBC
ns-cert-type server
comp-lzo
persist-key
persist-tun
verb 3[/spoiler]
[spoilerна стороне клиента при подключении пишет]Mon Jun 14 13:51:30 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Mon Jun 14 13:51:36 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jun 14 13:51:36 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Jun 14 13:51:36 2010 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Mon Jun 14 13:51:36 2010 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Mon Jun 14 13:51:36 2010 LZO compression initialized
Mon Jun 14 13:51:36 2010 Control Channel MTU parms [ L:1538 D:162 EF:62 EB:0 ET:0 EL:0 ]
Mon Jun 14 13:51:36 2010 Data Channel MTU parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jun 14 13:51:36 2010 Local Options hash (VER=V4): '03fa487d'
Mon Jun 14 13:51:36 2010 Expected Remote Options hash (VER=V4): '1056bce3'
Mon Jun 14 13:51:36 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jun 14 13:51:36 2010 UDPv4 link local (bound): [undef]:1194
Mon Jun 14 13:51:36 2010 UDPv4 link remote: 91.205.X.X:1194
Mon Jun 14 13:51:36 2010 TLS: Initial packet from 91.205.X.X:1194, sid=9eff6b5e 1165a727
Mon Jun 14 13:51:36 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 14 13:51:36 2010 VERIFY OK: depth=1, /C=KG/ST=Bishkek/L=Bishkek/O=server/OU=server/CN=server/emailAddress=me@myhost.mydomain
Mon Jun 14 13:51:36 2010 VERIFY OK: nsCertType=SERVER
Mon Jun 14 13:51:36 2010 VERIFY OK: depth=0, /C=KG/ST=Bishkek/O=server/OU=server/CN=server/emailAddress=me@myhost.mydomain
Mon Jun 14 13:51:37 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jun 14 13:51:37 2010 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Mon Jun 14 13:51:37 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jun 14 13:51:37 2010 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Mon Jun 14 13:51:37 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jun 14 13:51:37 2010 [server] Peer Connection Initiated with 91.205.X.X:1194
Mon Jun 14 13:51:39 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jun 14 13:51:39 2010 AUTH: Received AUTH_FAILED control message
Mon Jun 14 13:51:39 2010 TCP/UDP: Closing socket
Mon Jun 14 13:51:39 2010 SIGTERM[soft,auth-failure] received, process exiting
Mon Jun 14 13:51:39 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009[/spoiler]
и обратно логин пароль вводить надо, если не вводить то тупо стоит и все... а еще после всего этого потух апач... непонятно по каким причинам ))))) но это потом ) Жду вашей помощи )))))))))))))
