Good day!
I have two ASUS RT-N10U routers running the DD-WRT v24-sp2 (03/25/13) vpn firmware.
One is configured as a server, the other as a client. This is all part of a course assignment, so everything stays within the local network.
Server IP: 192.168.2.1/24
Client IP: 192.168.2.2/24
The VPN hands out IPs from the 10.8.0.0/24 subnet
Server settings: OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: WAN Up
Config as: Daemon
Additional Config:
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.2.1 255.255.255.255"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
comp-lzo
management localhost 16
Administration - Commands - Firewall:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
The client configuration looks like this:
client
dev tun
proto tcp
remote 192.168.2.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
ns-cert-type server
comp-lzo
verb 4
When the client is started, it disappears (it cannot be reached at either 192.168.2.2 or 10.8.0.6).
On the client I manage to see the following in Status - OpenVPN:
StateServer: : Local Address: Remote Address: Client: AUTH: Local Address: Remote Address:
Log (Client log):
20180419 19:02:36 Current Parameter Settings:
20180419 19:02:36 config = '/tmp/openvpncl/openvpn.conf'
20180419 19:02:36 mode = 0
20180419 19:02:36 NOTE: --mute triggered...
20180419 19:02:36 270 variation(s) on previous 3 message(s) suppressed by --mute
20180419 19:02:36 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20180419 19:02:36 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20180419 19:02:36 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180419 19:02:37 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20180419 19:02:37 LZO compression initialized
20180419 19:02:37 Control Channel MTU parms [ L:1540 D:140 EF:40 EB:0 ET:0 EL:0 ]
20180419 19:02:37 Socket Buffers: R=[87380->131072] S=[16384->131072]
20180419 19:02:37 Data Channel MTU parms [ L:1540 D:1450 EF:40 EB:135 ET:0 EL:0 AF:3/1 ]
20180419 19:02:37 Local Options String: 'V4 dev-type tun link-mtu 1540 tun-mtu 1500 proto TCPv4_CLIENT comp-lzo cipher BF-CBC auth MD5 keysize 128 key-method 2 tls-client'
20180419 19:02:37 Expected Remote Options String: 'V4 dev-type tun link-mtu 1540 tun-mtu 1500 proto TCPv4_SERVER comp-lzo cipher BF-CBC auth MD5 keysize 128 key-method 2 tls-server'
20180419 19:02:37 Local Options hash (VER=V4): 'a4a8100a'
20180419 19:02:37 Expected Remote Options hash (VER=V4): 'f457ea0a'
20180419 19:02:37 I Attempting to establish TCP connection with [AF_INET]192.168.2.1:1194 [nonblock]
20180419 19:02:38 I TCP connection established with [AF_INET]192.168.2.1:1194
20180419 19:02:38 I TCPv4_CLIENT link local: [undef]
20180419 19:02:38 I TCPv4_CLIENT link remote: [AF_INET]192.168.2.1:1194
20180419 19:02:38 TLS: Initial packet from [AF_INET]192.168.2.1:1194 sid=a8835141 01ca3bb0
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180419 19:02:39 D MANAGEMENT: CMD 'state'
20180419 19:02:39 MANAGEMENT: Client disconnected
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180419 19:02:39 D MANAGEMENT: CMD 'state'
20180419 19:02:39 MANAGEMENT: Client disconnected
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180419 19:02:39 D MANAGEMENT: CMD 'state'
20180419 19:02:39 MANAGEMENT: Client disconnected
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180419 19:02:39 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
after this, access is lost
On the server:
StateServer: : Local Address: Remote Address: Client: CONNECTED: SUCCESS Local Address: 10.8.0.1 Remote Address:
Log (Server log):
20180419 19:01:47 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20180419 19:01:47 W NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
20180419 19:01:51 I TUN/TAP device tun0 opened
20180419 19:01:51 I do_ifconfig tt->ipv6=0 tt->did_ifconfig_ipv6_setup=0
20180419 19:01:51 I /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
20180419 19:01:51 W WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.
20180419 19:01:51 W WARNING: Failed running command (--route-up): external program fork failed
20180419 19:01:51 I Listening for incoming TCP connection on [undef]
20180419 19:01:51 I TCPv4_SERVER link local (bound): [undef]
20180419 19:01:51 I TCPv4_SERVER link remote: [undef]
20180419 19:01:51 I Initialization Sequence Completed
20180419 19:02:46 I TCP connection established with [AF_INET]192.168.2.2:32835
20180419 19:02:59 W 192.168.2.2:32835 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1544' remote='link-mtu 1540'
20180419 19:02:59 W 192.168.2.2:32835 WARNING: 'auth' is used inconsistently local='auth SHA1' remote='auth MD5'
20180419 19:02:59 I 192.168.2.2:32835 [client1] Peer Connection Initiated with [AF_INET]192.168.2.2:32835
20180419 19:02:59 I client1/192.168.2.2:32835 MULTI_sva: pool returned IPv4=10.8.0.6 IPv6=(Not enabled)
20180419 19:03:01 I client1/192.168.2.2:32835 send_push_reply(): safe_cap=940
19700101 00:00:00
cat /tmp/var/log/messages
on the server:
Apr 19 19:01:10 DD-WRT user.debug syslog: ttraff: data collection started
Apr 19 19:01:43 DD-WRT user.info syslog: klogd : kernel log daemon successfully stopped
Apr 19 19:01:43 DD-WRT user.info syslog: ttraff : traffic counter daemon successfully stopped
Apr 19 19:01:43 DD-WRT user.info syslog: dnsmasq : dnsmasq daemon successfully stopped
Apr 19 19:01:43 DD-WRT user.info syslog: telnetd : telnet daemon successfully stopped
Apr 19 19:01:43 DD-WRT kern.notice kernel: klogd: exiting
Apr 19 19:01:45 DD-WRT user.info syslog: klogd : kernel log daemon successfully stopped
Apr 19 19:01:45 DD-WRT user.info syslog: syslogd : syslog daemon successfully stopped
Apr 19 19:01:45 DD-WRT user.info syslog: ttraff : traffic counter daemon successfully started
Apr 19 19:01:45 DD-WRT user.info syslog: telnetd : telnet daemon successfully started
Apr 19 19:01:45 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Apr 19 19:01:45 DD-WRT syslog.info syslogd exiting
Apr 19 19:01:45 DD-WRT syslog.info syslogd started: BusyBox v1.21.0
Apr 19 19:01:45 DD-WRT syslog.info syslogd started: BusyBox v1.21.0
Apr 19 19:01:45 DD-WRT kern.notice kernel: klogd started: BusyBox v1.21.0 (2013-03-25 02:54:18 CET)
Apr 19 19:01:45 DD-WRT user.info syslog: klogd : klog daemon successfully started
Apr 19 19:01:45 DD-WRT kern.notice kernel: klogd started: BusyBox v1.21.0 (2013-03-25 02:54:18 CET)
Apr 19 19:01:45 DD-WRT user.info syslog: klogd : klog daemon successfully started
Apr 19 19:01:47 DD-WRT daemon.notice openvpn[1339]: OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
Apr 19 19:01:47 DD-WRT daemon.warn openvpn[1339]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1339]: TUN/TAP device tun0 opened
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1339]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1339]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Apr 19 19:01:51 DD-WRT daemon.warn openvpn[1339]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.
Apr 19 19:01:51 DD-WRT daemon.warn openvpn[1339]: WARNING: Failed running command (--route-up): external program fork failed
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: Listening for incoming TCP connection on [undef]
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: TCPv4_SERVER link local (bound): [undef]
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: TCPv4_SERVER link remote: [undef]
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: Initialization Sequence Completed
Apr 19 19:02:46 DD-WRT daemon.notice openvpn[1575]: TCP connection established with [AF_INET]192.168.2.2:32835
Apr 19 19:02:59 DD-WRT daemon.warn openvpn[1575]: 192.168.2.2:32835 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1540'
Apr 19 19:02:59 DD-WRT daemon.warn openvpn[1575]: 192.168.2.2:32835 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth MD5'
Apr 19 19:02:59 DD-WRT daemon.notice openvpn[1575]: 192.168.2.2:32835 [client1] Peer Connection Initiated with [AF_INET]192.168.2.2:32835
Apr 19 19:02:59 DD-WRT daemon.notice openvpn[1575]: client1/192.168.2.2:32835 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Apr 19 19:03:01 DD-WRT daemon.notice openvpn[1575]: client1/192.168.2.2:32835 send_push_reply(): safe_cap=940
I tried setting both SHA1 and MD5 on the client
a client with the same certificates and the same configuration successfully obtains an IP and pings the router (10.8.0.1)
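As an added example, not part of the original post and not DD-WRT or OpenVPN code: a small Python check that reads the server's Additional Config and the firewall rules exactly as posted above and flags the two things a reviewer would look at first, namely a listener protocol that no INPUT rule accepts, and a pushed route that covers the client's own VPN endpoint or its LAN, which on a client that is itself a router on 192.168.2.0/24 sends the tunnel's transport (or the LAN side) into the tunnel. The CLIENT_REMOTE and CLIENT_LAN values come from the post; the finding names and the check logic are my own.

```python
"""Consistency checks over the server config and firewall rules posted above.

Added example: the embedded configs are copied from the post, the checks are
the editor's own and are not DD-WRT or OpenVPN code.
"""
import ipaddress
import re

# Server "Additional Config" as posted (certificate/key paths omitted).
SERVER_CONFIG = """\
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.2.1 255.255.255.255"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
comp-lzo
"""

# Firewall rules as posted (with the --dport/--source spelling corrected).
FIREWALL_RULES = """\
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
"""

# The client router's side, from the post: its 'remote' line and its LAN address.
CLIENT_REMOTE = "192.168.2.1"
CLIENT_LAN = "192.168.2.2/24"


def parse_server(text):
    """Return (proto, port, [pushed route networks]) from an OpenVPN server config."""
    proto, port, pushed = "udp", 1194, []  # OpenVPN defaults when unset
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "proto":
            # 'tcp', 'tcp-server', 'udp6', ... all reduce to the transport name
            proto = parts[1].split("-")[0].rstrip("46")
        elif parts[0] == "port":
            port = int(parts[1])
        elif parts[0] == "push":
            option = " ".join(parts[1:]).strip('"').split()
            if len(option) >= 3 and option[0] == "route":
                pushed.append(ipaddress.ip_network(f"{option[1]}/{option[2]}", strict=False))
    return proto, port, pushed


def parse_input_accepts(text):
    """Return the (proto, port) pairs accepted by the posted INPUT rules."""
    accepts = []
    for line in text.splitlines():
        if "INPUT" not in line or "-j ACCEPT" not in line:
            continue
        m_proto = re.search(r"(?:^|\s)-p\s+(\w+)", line)
        m_port = re.search(r"--dport\s+(\d+)", line)
        if m_proto and m_port:
            accepts.append((m_proto.group(1), int(m_port.group(1))))
    return accepts


def check(server_text, fw_text, client_remote, client_lan):
    """Return a list of (finding, detail) tuples; an empty list means nothing was flagged."""
    findings = []
    proto, port, pushed = parse_server(server_text)
    if (proto, port) not in parse_input_accepts(fw_text):
        findings.append(("firewall-no-accept", f"{proto}/{port}"))
    remote = ipaddress.ip_address(client_remote)
    lan = ipaddress.ip_interface(client_lan).network
    for net in pushed:
        if remote in net:
            # The client would route packets for its own VPN endpoint into the
            # tunnel, so the tunnel's transport loops back into the tunnel.
            findings.append(("route-covers-endpoint", str(net)))
        elif net.overlaps(lan):
            # A pushed route on top of the client's own LAN competes with its
            # directly connected route and can make the LAN side unreachable.
            findings.append(("route-overlaps-client-lan", str(net)))
    return findings


if __name__ == "__main__":
    for finding, detail in check(SERVER_CONFIG, FIREWALL_RULES, CLIENT_REMOTE, CLIENT_LAN):
        print(f"{finding}: {detail}")
```

Run against the posted configuration it reports the udp INPUT rule next to a tcp listener and both pushed routes as covering the client's endpoint 192.168.2.1; a server that pushes only subnets behind it (not the subnet the client already sits on) comes back clean.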