proto udp
remote хх.хх.хх.хх # public (white) IP goes here
port 1194
client
resolv-retry infinite
ca ca.crt
cert filial.crt
key filial.key
tun-mtu 48000
fragment 0
mssfix 0
tls-client
tls-auth ta.key 1
auth MD5
cipher BF-CBC
remote-cert-tls server
comp-lzo
persist-key
persist-tun
verb 3
Tue May 07 17:37:35 2019 Restart pause, 5 second(s)
Tue May 07 17:37:40 2019 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue May 07 17:37:40 2019 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Tue May 07 17:37:40 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]БЕЛЫЙИПАДРЕС:1194
Tue May 07 17:37:40 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue May 07 17:37:40 2019 UDP link local (bound): [AF_INET][undef]:1194
Tue May 07 17:37:40 2019 UDP link remote: [AF_INET]БЕЛЫЙИПАДРЕС:1194
Tue May 07 17:37:40 2019 MANAGEMENT: >STATE:1557229060,WAIT,,,,,,
Tue May 07 17:37:40 2019 MANAGEMENT: >STATE:1557229060,AUTH,,,,,,
Tue May 07 17:37:40 2019 TLS: Initial packet from [AF_INET]БЕЛЫЙИПАДРЕС:1194, sid=d969c8e9 cf71aa95
Tue May 07 17:37:40 2019 VERIFY OK: depth=1, C=KG, ST=CHUI, L=City, O=server, OU=server, CN=server, name=server, emailAddress=mymail@mail.ru
Tue May 07 17:37:40 2019 VERIFY KU OK
Tue May 07 17:37:40 2019 Validating certificate extended key usage
Tue May 07 17:37:40 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue May 07 17:37:40 2019 VERIFY EKU OK
Tue May 07 17:37:40 2019 VERIFY OK: depth=0, C=KG, ST=CHUI, L=City, O=server, OU=server, CN=server, name=server, emailAddress=mymail@mail.ru
Tue May 07 17:38:40 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue May 07 17:38:40 2019 TLS Error: TLS handshake failed
Tue May 07 17:38:40 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue May 07 17:38:40 2019 MANAGEMENT: >STATE:1557229120,RECONNECTING,tls-error,,,,,
Tue May 07 17:38:40 2019 Restart pause, 5 second(s)
Tue May 07 17:38:45 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]БЕЛЫЙИПАДРЕС:1194
Tue May 07 17:38:45 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue May 07 17:38:45 2019 UDP link local (bound): [AF_INET][undef]:1194
Tue May 07 17:38:45 2019 UDP link remote: [AF_INET]БЕЛЫЙИПАДРЕС:1194
Tue May 07 17:38:45 2019 MANAGEMENT: >STATE:1557229125,WAIT,,,,,,
Tue May 07 17:38:45 2019 MANAGEMENT: >STATE:1557229125,AUTH,,,,,,
Tue May 07 17:38:45 2019 TLS: Initial packet from [AF_INET]БЕЛЫЙИПАДРЕС:1194, sid=7213c96d 1953b8de
Tue May 07 17:38:45 2019 VERIFY OK: depth=1, C=KG, ST=CHUI, L=City, O=server, OU=server, CN=server, name=server, emailAddress=mymail@mail.ru
Tue May 07 17:38:45 2019 VERIFY KU OK
Tue May 07 17:38:45 2019 Validating certificate extended key usage
Tue May 07 17:38:45 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue May 07 17:38:45 2019 VERIFY EKU OK
Tue May 07 17:38:45 2019 VERIFY OK: depth=0, C=KG, ST=CHUI, L=City, O=server, OU=server, CN=server, name=server, emailAddress=mymail@mail.ru
Tue May 07 17:39:45 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue May 07 17:39:45 2019 TLS Error: TLS handshake failed
Tue May 07 17:39:45 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue May 07 17:39:45 2019 MANAGEMENT: >STATE:1557229185,RECONNECTING,tls-error,,,,,
Tue May 07 17:39:45 2019 Restart pause, 5 second(s)
What needs to be done so that ipset keeps its sets after a server reboot?
Following the instructions here, I do:
apt install iptables-persistent (Ubuntu in my case)
Next, edit the startup script /etc/init.d/iptables-persistent
Find the save_rules() section and add this line at the beginning of it:
ipset save > /etc/ipset.rules
This will save the IPSET sets every time the iptables rules are saved with iptables-persistent.
After that, find the load_rules() section and add this line at the beginning:
ipset restore < /etc/ipset.rules
This will load the IPSET sets every time the iptables rules are loaded with iptables-persistent.
In my opinion this option is the most convenient. A single console command saves both the iptables rules and the ipset sets. After a reboot the rules are preserved.
service iptables-persistent save
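An added example, not part of the original post: the two lines the post puts into save_rules() and load_rules(), written as helpers that survive a missing rules file and a failed save. The function names ipset_save_sets and ipset_load_sets and the IPSET_RULES variable are assumptions made for this example; the path is the one used in the post.

```shell
#!/bin/sh
# Hypothetical helpers to call as the first line of save_rules() and
# load_rules() in the init script (names are assumptions, not the package's).

# Path from the post; overridable for testing.
IPSET_RULES="${IPSET_RULES:-/etc/ipset.rules}"

# Save all sets. Write to a temp file and rename it into place, so an
# interrupted or failed "ipset save" never truncates the last good copy.
ipset_save_sets() {
    tmp="${IPSET_RULES}.tmp.$$"
    if ipset save > "$tmp"; then
        chmod 600 "$tmp"            # set contents can reveal filtering policy
        mv -f "$tmp" "$IPSET_RULES"
    else
        rm -f "$tmp"
        echo "ipset save failed; keeping existing $IPSET_RULES" >&2
        return 1
    fi
}

# Load sets. This has to run before the iptables rules are loaded: a rule
# that uses "-m set --match-set NAME" is rejected if set NAME does not exist.
ipset_load_sets() {
    # First boot after installation: nothing has been saved yet. Not an error.
    [ -r "$IPSET_RULES" ] || return 0
    # -exist: do not fail on sets or entries that are already present,
    # e.g. when load_rules() is run by hand on a live system.
    ipset -exist restore < "$IPSET_RULES"
}
```
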