search

pahud / autoddvpn

Automatically exported from code.google.com/p/autoddvpn
0 stars 0 forks source link

ddwrt開機啟動openvpn建立SSL/TLS連線時會檢查CA有效期限的問題 #14

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
通常CA有效期限都是10年,也就是3650 days
但是ddwrt一開機是1970年,如果來不及網路校時,這時候openvpn�
��無法通過SSL/TLS Verify
於是我做一個workaround來解決:

統一一開機直接設定當前日期為20100729紀念今天我找到這個問
題。

之後如果有設定NTP的自然會校時回來,先觀察一下這個做法��
�

Original issue reported on code.google.com by pahud...@gmail.com on 29 Jul 2010 at 6:11

GoogleCodeExporter commented 9 years ago 
looks GREAT!

root@DD-WRT:~# tail -f /tmp/autoddvpn.log 
[INFO#311] 01/Jan/1970:00:00:13 log starts
[INFO#311] 01/Jan/1970:00:00:13 log starts
[INFO#311] 01/Jan/1970:00:00:13 temporarily set date to 20100729 to fix openvpn 
SSL/TLS issue. see http://goo.gl/bb6a
[INFO#311] 10/Aug/1971:07:29:00 modifying /tmp/openvpncl/route-up.sh
[INFO#311] 10/Aug/1971:07:29:00 /tmp/openvpncl/route-up.sh not exists, sleep 
10sec.
[INFO#311] 29/Jul/2010:06:14:24 /tmp/openvpncl/route-up.sh not exists, sleep 
10sec.
[INFO#311] 29/Jul/2010:06:14:34 /tmp/openvpncl/route-up.sh modified
[INFO#311] 29/Jul/2010:06:14:34 modifying /tmp/openvpncl/route-down.sh
[INFO#311] 29/Jul/2010:06:14:34 /tmp/openvpncl/route-down.sh modified
[INFO#311] 29/Jul/2010:06:14:34 ALL DONE. Let's wait for VPN being connected.
[INFO#702] 29/Jul/2010:06:14:47 vpnup.sh started
[INFO#702] 29/Jul/2010:06:15:08 preparing the exceptional routes
[INFO#702] 29/Jul/2010:06:15:08 modifying the exceptional routes
[INFO#702] 29/Jul/2010:06:15:08 fetching exceptional routes for flickr
[INFO#702] 29/Jul/2010:06:15:08 adding 68.142.214.43 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:08 adding 69.147.90.159 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:08 adding 69.147.90.215 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:08 adding 67.195.19.66 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:08 adding 67.195.19.74 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:08 adding 68.142.214.24 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:08 fetching exceptional routes for dropbox
[INFO#702] 29/Jul/2010:06:15:09 adding 174.129.27.0/24 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:09 adding 184.73.211.0/24 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:09 adding 204.236.220.0/24 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:09 fetching exceptional routes for vimeo
[INFO#702] 29/Jul/2010:06:15:09 adding 66.235.126.128 via wan_gateway
[INFO#702] 29/Jul/2010:06:15:09 modifying custom exceptional routes if available
[INFO#702] 29/Jul/2010:06:15:11 vpnup.sh ended

Original comment by pahud...@gmail.com on 29 Jul 2010 at 6:15

GoogleCodeExporter commented 9 years ago 
不知为何我的是这样的

[INFO#261] 01/Jan/1970:00:00:12 log starts
[INFO#261] 01/Jan/1970:00:00:12 openvpn+jffs mode
[INFO#261] 01/Jan/1970:00:00:12 temporarily set date to 20100729 to fix openvpn
SSL/TLS issue. see http://goo.gl/bb6a
[INFO#261] 10/Aug/1971:07:29:00 modifying /tmp/openvpncl/route-up.sh
[INFO#261] 10/Aug/1971:07:29:00 /tmp/openvpncl/route-up.sh not exists, sleep 10s
ec.
[INFO#261] 10/Aug/1971:07:29:10 /tmp/openvpncl/route-up.sh not exists, sleep 10s
ec.
[INFO#261] 10/Aug/1971:07:29:20 /tmp/openvpncl/route-up.sh modified
[INFO#261] 10/Aug/1971:07:29:20 modifying /tmp/openvpncl/route-down.sh
[INFO#261] 10/Aug/1971:07:29:20 /tmp/openvpncl/route-down.sh modified
[INFO#261] 10/Aug/1971:07:29:20 ALL DONE. Let's wait for VPN being connected.

接下去就运行不下去了

Original comment by yellowho...@gmail.com on 1 Sep 2010 at 6:03

GoogleCodeExporter commented 9 years ago 
OK 你是openvpn+jffs 
模式,看到這個信息表示autoddvpn正在等待openvpn撥號上去,如�
��都沒有反應表示沒有播上openvpn,有可能是設置錯誤問題,��
�是防火牆阻擋了。

你可以ssh進去ddwrt然後下這個指令手動測試一下

先關閉當前運行的oepnvpn process
# stopservice openvpn  
手動執行看看
# openvpn --config /tmp/openvpncl/openvpn.conf --verb 5

然後看output才能知道原因。

如果還是不能解決問題,請另外開一個新的issue來討論。

Original comment by pahud...@gmail.com on 1 Sep 2010 at 6:08

GoogleCodeExporter commented 9 years ago 
WTue Aug 10 07:41:48 1971 us=83554 read UDPv4 [ECONNREFUSED]: Connection refused
 (code=146)
RWTue Aug 10 07:41:49 1971 us=525501 read UDPv4 [ECONNREFUSED]: Connection refus
ed (code=146)
RWTue Aug 10 07:41:52 1971 us=194621 read UDPv4 [ECONNREFUSED]: Connection refus
ed (code=146)
RWTue Aug 10 07:41:53 1971 us=635683 read UDPv4 [ECONNREFUSED]: Connection refus
ed (code=146)
RWTue Aug 10 07:41:56 1971 us=304846 read UDPv4 [ECONNREFUSED]: Connection refus
ed (code=146)
RWTue Aug 10 07:41:58 1971 us=964760 read UDPv4 [ECONNREFUSED]: Connection refus
ed (code=146)
RWTue Aug 10 07:42:00 1971 us=394785 read UDPv4 [ECONNREFUSED]: Connection refus
ed (code=146)
RWTue Aug 10 07:42:03 1971 us=48791 read UDPv4 [ECONNREFUSED]: Connection refuse
d (code=146)

我查了之后显示这些
是表示防火墙不通过吗

Original comment by yellowho...@gmail.com on 4 Sep 2010 at 10:13

GoogleCodeExporter commented 9 years ago 
連線被拒絕 檢查你的openvpn服務器設置吧

Original comment by pahud...@gmail.com on 4 Sep 2010 at 10:18

GoogleCodeExporter commented 9 years ago 
我也是openvpn+jffs模式,同样的问题
引用:
//OK 你是openvpn+jffs 
模式,看到這個信息表示autoddvpn正在等待openvpn撥號上去,如�
��都沒有反應表示沒有播上openvpn,有可能是設置錯誤問題,��
�是防火牆阻擋了。

你可以ssh進去ddwrt然後下這個指令手動測試一下

先關閉當前運行的oepnvpn process
# stopservice openvpn  
手動執行看看
# openvpn --config /tmp/openvpncl/openvpn.conf --verb 5
//
执行后,有大量Wr操作。如下:
Fri Feb 25 11:27:36 2011 us=944039 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Fri Feb 25 11:27:36 2011 us=956466 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0
gw 10.2.8.9
Fri Feb 25 11:27:36 2011 us=969437 WARNING: potential route subnet conflict betw
een local LAN [10.2.8.0/255.255.255.0] and remote VPN [10.2.8.1/255.255.255.255]
Fri Feb 25 11:27:36 2011 us=969850 /sbin/route add -net 10.2.8.1 netmask 255.255
.255.255 gw 10.2.8.9
Fri Feb 25 11:27:36 2011 us=982343 Initialization Sequence Completed
rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr
WrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr
rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr
WrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr

ctrl+c终止后

WrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRrWrWFri Feb 25 11:29:27 2011 us=
665465 event_wait : Interrupted system call (code=4)
Fri Feb 25 11:29:27 2011 us=667853 TCP/UDP: Closing socket
Fri Feb 25 11:29:27 2011 us=668451 /sbin/route del -net 10.2.8.1 netmask 255.255
.255.255

可以肯定openvpn是拨入的,外网IP已经是vpn服务器的ip,但是aut
oddvpn没有成功生效修改设备的主路由表

Original comment by squallg...@gmail.com on 25 Feb 2011 at 3:31

GoogleCodeExporter commented 9 years ago 
补充
root@WRT610Ng:/tmp# cat autoddvpn.lock
[INFO#1831] 25/Feb/2011:11:21:33 vpnup
[INFO#1831] 25/Feb/2011:11:21:33 unknown vpnup.sh parameter,quit.

Original comment by squallg...@gmail.com on 25 Feb 2011 at 3:45

GoogleCodeExporter commented 9 years ago 
cat /tmp/autoddvpn.log
.....
[INFO#1092] 25/Feb/2011:11:11:37 /tmp/openvpncl/route-up.sh modified
[INFO#1092] 25/Feb/2011:11:11:37 modifying /tmp/openvpncl/route-down.sh
[INFO#1092] 25/Feb/2011:11:11:37 /tmp/openvpncl/route-down.sh modified
[INFO#1092] 25/Feb/2011:11:11:37 ALL DONE. Let's wait for VPN being connected.
[INFO#1831] 25/Feb/2011:11:21:33 vpnup.sh started
[INFO#1876] 25/Feb/2011:11:22:24 vpndown.sh started
[INFO#1876] 25/Feb/2011:11:22:24 got /tmp/autoddvpn.lock , sleep 10 secs. #1/6
[INFO#1876] 25/Feb/2011:11:22:34 got /tmp/autoddvpn.lock , sleep 10 secs. #2/6
[INFO#1876] 25/Feb/2011:11:22:44 got /tmp/autoddvpn.lock , sleep 10 secs. #3/6
[INFO#1876] 25/Feb/2011:11:22:54 got /tmp/autoddvpn.lock , sleep 10 secs. #4/6
[INFO#1876] 25/Feb/2011:11:23:04 got /tmp/autoddvpn.lock , sleep 10 secs. #5/6
[INFO#1876] 25/Feb/2011:11:23:14 got /tmp/autoddvpn.lock , sleep 10 secs. #6/6
[ERROR#1876] 25/Feb/2011:11:23:24 still got /tmp/autoddvpn.lock , I'm aborted. F
ix me.

Original comment by squallg...@gmail.com on 25 Feb 2011 at 3:45

GoogleCodeExporter commented 9 years ago 
[INFO#1831] 25/Feb/2011:11:21:33 unknown vpnup.sh parameter,quit.

你是用classicMode+JFFS+OpenVPN嗎?確定一下你的run.sh 
vpnup.sh是否抓的位置正確

http://autoddvpn.googlecode.com/svn/trunk/openvpn/jffs/run.sh
http://autoddvpn.googlecode.com/svn/trunk/vpnup.sh

Original comment by pahud...@gmail.com on 25 Feb 2011 at 7:02

GoogleCodeExporter commented 9 years ago 
我的错,弄了一下午,设置为手动openvpn连接方式,不适用webg
ui配置,搞定连接问题。现在,在路由器上能开机自动连接VPN
,路由修改也正常。
包括“Issue 
7:  自定義直連網段或網站”中提到的方式,我添加的几个网��
�也能正常traceroute。
但现在的问题是路由器上的网络选择无误,却无法正常为下��
�的计算机进行地址转化。我参照自定义openvpn.conf中up事件的��
�一条命令。每次在内部无法通过vpn隧道访问其下IP段时,手��
�在cli中执行iptables -A POSTROUTING -t nat -o tun0 -j 
MASQUERADE,下面的计算机就能恢复正常访问。
不知道如何解决?或者更换一下
up 'iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE; 
/jffs/openvpn/vpnup.sh openvpn'
的顺序,为
up '/jffs/openvpn/vpnup.sh openvpn; iptables -A POSTROUTING -t nat -o tun0 -j 
MASQUERADE'
稍后测试。

Original comment by squallg...@gmail.com on 25 Feb 2011 at 10:36

GoogleCodeExporter commented 9 years ago 
补充:
我使用graceMode,参考
http://code.google.com/p/autoddvpn/wiki/graceMode
http://code.google.com/p/autoddvpn/wiki/OpenVPNManualStartUP

设备为WRT610N,DD-WRT v24-sp2 (08/07/10) mega (SVN revision 14896)

Original comment by squallg...@gmail.com on 25 Feb 2011 at 10:39

GoogleCodeExporter commented 9 years ago 
感謝,我也是用SVN 14xxx的最新版本。

Original comment by pahud...@gmail.com on 25 Feb 2011 at 10:43

GoogleCodeExporter commented 9 years ago 
不行。现在启动完毕后。主路由表变成
64.233.160.0    10.2.8.5        255.255.224.0   UG    0      0        0 tun0
208.117.224.0   10.2.8.5        255.255.224.0   UG    0      0        0 tun0
72.14.192.0     10.2.8.5        255.255.192.0   UG    0      0        0 tun0
173.194.0.0     10.2.8.5        255.255.0.0     UG    0      0        0 tun0
69.63.0.0       10.2.8.5        255.255.0.0     UG    0      0        0 tun0
66.220.0.0      10.2.8.5        255.255.0.0     UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
74.125.0.0      10.2.8.5        255.255.0.0     UG    0      0        0 tun0
116.214.0.0     10.2.8.5        255.255.0.0     UG    0      0        0 tun0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.2.8.5        0.0.0.0         UG    0      0        0 tun0

而autoddvpn的日志显示则正常
root@WRT610N_BigPig:~# cat /tmp/autoddvpn.log
[INFO#1649] 25/Feb/2011:19:03:51 vpnup.sh started
[INFO#1649] 25/Feb/2011:19:03:51 loading vpnup_custom if available
[INFO#1649] 25/Feb/2011:19:03:51 adding the static routes, this may take a while

.
[INFO#1649] 25/Feb/2011:19:03:59 preparing the exceptional routes
[INFO#1649] 25/Feb/2011:19:03:59 modifying the exceptional routes
[INFO#1649] 25/Feb/2011:19:03:59 modifying custom exceptional routes if availabl

e
[INFO#1649] 25/Feb/2011:19:03:59 adding custom host/subnet 204.13.248.0/24 via w

an_gateway
[INFO#1649] 25/Feb/2011:19:03:59 adding custom host/subnet 208.78.69.0/24 via wa

n_gateway
[INFO#1649] 25/Feb/2011:19:03:59 adding custom host/subnet 208.79.69.0/24 via wa

n_gateway
[INFO#1649] 25/Feb/2011:19:03:59 adding custom host/subnet 91.198.22.0/24 via wa

n_gateway
[INFO#1649] 25/Feb/2011:19:04:00 vpnup.sh ended
root@WRT610N_BigPig:~#

最后openvpn.log有点异样,不知道为何在最后几句删掉了正确的
默认路由,把vpn出口改为了默认路由?(我修改了一下里面��
�IP地址做文字描述)

+ route add -net 91.198.22.0/24 gw ISP分配正确网关IP
+ echo [INFO#1649] final check the default gw
[INFO#1649] final check the default gw
+ true
+ route -n
+ grep ^0.0.0.0
+ awk {print $2}
+ GW=ISP分配正确网关IP
+ echo [DEBUG#1649] my current gw is ISP分配正确网关IP
[DEBUG#1649] my current gw is ISP分配正确网关IP
+ [ ISP分配正确网关IP == ISP分配正确网关IP ]
+ echo [DEBUG#1649] GOOD
[DEBUG#1649] GOOD
+ break
+ echo [INFO#1649] static routes added
[INFO#1649] static routes added
+ date +%d/%b/%Y:%H:%M:%S
+ echo [INFO#1649] 25/Feb/2011:19:04:00 vpnup.sh ended
+ rm -f /tmp/autoddvpn.lock
Fri Feb 25 19:04:00 2011 /sbin/route add -net VPN服务器公网IP netmask 
255.255.25

5.255 gw ISP分配正确网关IP
Fri Feb 25 19:04:00 2011 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Fri Feb 25 19:04:00 2011 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.2.8.

5
Fri Feb 25 19:04:00 2011 WARNING: potential route subnet conflict between local

LAN [10.2.8.0/255.255.255.0] and remote VPN [10.2.8.1/255.255.255.255]
Fri Feb 25 19:04:00 2011 /sbin/route add -net 10.2.8.1 netmask 255.255.255.255 g

w 10.2.8.5
Fri Feb 25 19:04:00 2011 Initialization Sequence Completed
root@WRT610N_BigPig:~#

10.2.8.1是vpn的内网网关地址。现在我到哪儿都是从vpn出去了…
…

Original comment by squallg...@gmail.com on 25 Feb 2011 at 11:46

GoogleCodeExporter commented 9 years ago 
我想问题解决了。在openvpn.conf增加了一句
route-nopull
拒绝了服务端push过来的路由信息,由自己维护路由表。目前�
��本正常,就是qq2011不时的掉线后上线。

Original comment by squallg...@gmail.com on 25 Feb 2011 at 1:39

GoogleCodeExporter commented 9 years ago 
不好意思沒幫到你,不過你這個經驗很好,我更新一下教學��
�幫助更多的人吧!

Original comment by pahud...@gmail.com on 25 Feb 2011 at 1:57

GoogleCodeExporter commented 9 years ago 
不用客气。我确定qq2011掉线是我这边网线问题。换了网线和��
�线都正常。目前一切正常。

Original comment by squallg...@gmail.com on 25 Feb 2011 at 3:10

GoogleCodeExporter commented 9 years ago 
开机时间硬设成 20100729 还是会出现 TLS 
握手错误信息,并导致 openvpn 自己内部的 
restart。可以用脚本方式等待时间同步完成之后再启动openvpn,
在我的机器上相当于休眠了 8s 之后开始启动,查看 openvpn 
的日志再没有任何出错信息。我写的 rc_startup 
启动脚本如下,供参考

while test "`date +%Y`" == "1970" ; do
        sleep 1
        echo "sleep 1s" >> /tmp/autoddvpn.log
done
echo "INFO $(date "+%d/%b/%Y:%H:%M:%S") openvpn start" >> /tmp/autoddvpn.log
openvpn --config /jffs/openvpn/openvpn.conf --daemon

Original comment by lee...@gmail.com on 7 Nov 2012 at 3:13