Squid as the way in to the VPN server

H8Ball
Posts: 52
Registered: 14.12.2010 16:00:33

Squid as the way in to the VPN server

Post by H8Ball » 05.07.2016 12:33:34

Hi all, I'm facing a really stupid problem here. I want to get out of my company network and into my VPN, but that only works over port 443. Sure, I could run the VPN server on that port, but there are so many clients scattered all over the place that nothing can be changed on the VPN server any more. So I thought I'd set up a proxy server for myself. With the corresponding options in OpenVPN I can then connect through it.

The client does establish the connection to Squid over port 443, but then it fails to authenticate.

Here are the configs
Squid:

Code:

debug_options ALL,1 33,2 28,9
http_port 3128
http_port 443

acl offen src 0.0.0.0
acl connect_vpn dst 8.2.9.1
http_access allow offen
http_access allow connect_vpn
client.conf

Code:

client
float
dev tun
proto tcp
remote 8.2.9.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert WASSERMANN_USER.crt
key WASSERMANN_USER.key
ns-cert-type server
verb 5
auth-user-pass
http-proxy 8.2.9.1 443
http-proxy-retry
http-proxy-option VERSION 1.1
Here are the logs:
Squid cache.log:

Code:

2016/07/05 11:38:27.333 kid1| Eui48.cc(204) lookup: id=0x7f2978ce2db4 query ARP table
2016/07/05 11:38:27.333 kid1| Eui48.cc(247) lookup: id=0x7f2978ce2db4 query ARP on each interface (160 found)
2016/07/05 11:38:27.333 kid1| Eui48.cc(253) lookup: id=0x7f2978ce2db4 found interface lo
2016/07/05 11:38:27.333 kid1| Eui48.cc(253) lookup: id=0x7f2978ce2db4 found interface venet0
2016/07/05 11:38:27.333 kid1| Eui48.cc(262) lookup: id=0x7f2978ce2db4 looking up ARP address for 1.6.2.6 on venet0
2016/07/05 11:38:27.333 kid1| Eui48.cc(253) lookup: id=0x7f2978ce2db4 found interface venet0:0
2016/07/05 11:38:27.333 kid1| Eui48.cc(253) lookup: id=0x7f2978ce2db4 found interface tun1
2016/07/05 11:38:27.333 kid1| Eui48.cc(262) lookup: id=0x7f2978ce2db4 looking up ARP address for 1.6.2.6 on tun1
2016/07/05 11:38:27.334 kid1| Eui48.cc(541) lookup: id=0x7f2978ce2db4 1.6.2.6 NOT found
2016/07/05 11:38:27.334 kid1| FilledChecklist.cc(58) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff2092dd90
2016/07/05 11:38:27.334 kid1| Checklist.cc(189) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff2092dd90
2016/07/05 11:38:27.587 kid1| Checklist.cc(62) preCheck: 0x7f2978ce9508 checking slow rules
2016/07/05 11:38:27.587 kid1| Acl.cc(157) matches: checking http_access
2016/07/05 11:38:27.587 kid1| Acl.cc(157) matches: checking http_access#1
2016/07/05 11:38:27.587 kid1| Acl.cc(157) matches: checking offen
2016/07/05 11:38:27.587 kid1| Ip.cc(134) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 1.6.2.6:51241/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (1.6.2.6:51241)  vs 0.0.0.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/07/05 11:38:27.587 kid1| Ip.cc(560) match: aclIpMatchIp: '1.6.2.6:51241' NOT found
2016/07/05 11:38:27.587 kid1| Acl.cc(177) matches: checked: offen = 0
2016/07/05 11:38:27.587 kid1| Acl.cc(177) matches: checked: http_access#1 = 0
2016/07/05 11:38:27.588 kid1| Acl.cc(157) matches: checking http_access#2
2016/07/05 11:38:27.588 kid1| Acl.cc(157) matches: checking connect_vpn
2016/07/05 11:38:27.588 kid1| DestinationIp.cc(88) match: aclMatchAcl: Can't yet compare 'connect_vpn' ACL for 'dhg.pisz.pl'
2016/07/05 11:38:27.588 kid1| Acl.cc(177) matches: checked: connect_vpn = -1 async
2016/07/05 11:38:27.588 kid1| Acl.cc(177) matches: checked: http_access#2 = -1 async
2016/07/05 11:38:27.588 kid1| Acl.cc(177) matches: checked: http_access = -1 async
2016/07/05 11:38:27.641 kid1| InnerNode.cc(87) resumeMatchingAt: checking http_access at 1
2016/07/05 11:38:27.641 kid1| InnerNode.cc(87) resumeMatchingAt: checking http_access#2 at 0
2016/07/05 11:38:27.641 kid1| Acl.cc(157) matches: checking connect_vpn
2016/07/05 11:38:27.641 kid1| Ip.cc(134) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 1.6.2.6/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (1.6.2.6)  vs 8.2.9.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2016/07/05 11:38:27.641 kid1| Ip.cc(560) match: aclIpMatchIp: '1.6.2.6' NOT found
2016/07/05 11:38:27.641 kid1| Acl.cc(177) matches: checked: connect_vpn = 0
2016/07/05 11:38:27.641 kid1| InnerNode.cc(90) resumeMatchingAt: checked: http_access#2 = 0
2016/07/05 11:38:27.641 kid1| InnerNode.cc(90) resumeMatchingAt: checked: http_access = 0
2016/07/05 11:38:27.641 kid1| Checklist.cc(378) calcImplicitAnswer: 0x7f2978ce9508 NO match found, last action ALLOWED so returning DENIED
2016/07/05 11:38:27.641 kid1| Checklist.cc(55) markFinished: 0x7f2978ce9508 answer DENIED for implicit rule won
2016/07/05 11:38:27.641 kid1| Checklist.cc(155) checkCallback: ACLChecklist::checkCallback: 0x7f2978ce9508 answer=DENIED
2016/07/05 11:38:27.641 kid1| Gadgets.cc(103) aclIsProxyAuth: aclIsProxyAuth: called for connect_vpn
2016/07/05 11:38:27.641 kid1| Acl.cc(118) FindByName: ACL::FindByName 'connect_vpn'
2016/07/05 11:38:27.642 kid1| Gadgets.cc(108) aclIsProxyAuth: aclIsProxyAuth: returning 0
2016/07/05 11:38:27.668 kid1| Gadgets.cc(71) aclGetDenyInfoPage: got called for connect_vpn
2016/07/05 11:38:27.669 kid1| Gadgets.cc(90) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
2016/07/05 11:38:27.669 kid1| FilledChecklist.cc(58) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff2092d7f0
2016/07/05 11:38:27.669 kid1| Checklist.cc(189) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff2092d7f0
2016/07/05 11:38:27.669 kid1| FilledChecklist.cc(58) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff2092d7f0
2016/07/05 11:38:27.669 kid1| Checklist.cc(189) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff2092d7f0
2016/07/05 11:38:27.669 kid1| FilledChecklist.cc(58) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7f2978ce9508
2016/07/05 11:38:27.669 kid1| Checklist.cc(189) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7f2978ce9508
2016/07/05 11:38:27.669 kid1| Checklist.cc(62) preCheck: 0x7fff2092d9e0 checking fast ACLs
2016/07/05 11:38:27.669 kid1| Acl.cc(157) matches: checking access_log daemon:/var/log/squid3/access.log
2016/07/05 11:38:27.669 kid1| Acl.cc(157) matches: checking (access_log daemon:/var/log/squid3/access.log line)
2016/07/05 11:38:27.669 kid1| Acl.cc(177) matches: checked: (access_log daemon:/var/log/squid3/access.log line) = 1
2016/07/05 11:38:27.669 kid1| Acl.cc(177) matches: checked: access_log daemon:/var/log/squid3/access.log = 1
2016/07/05 11:38:27.669 kid1| Checklist.cc(55) markFinished: 0x7fff2092d9e0 answer ALLOWED for match
2016/07/05 11:38:27.669 kid1| FilledChecklist.cc(58) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff2092d9e0
2016/07/05 11:38:27.669 kid1| Checklist.cc(189) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff2092d9e0
2016/07/05 11:38:37.433 kid1| client_side.cc(864) swanSong: local=8.2.9.1:3128 remote=1.6.2.6:51241 flags=1
OpenVPN log:

Code:

Tue Jul  5 12:22:19 2016 us=765202 Current Parameter Settings:
Tue Jul  5 12:22:19 2016 us=765297   config = 'test.conf'
Tue Jul  5 12:22:19 2016 us=765329   mode = 0
Tue Jul  5 12:22:19 2016 us=765358   persist_config = DISABLED
Tue Jul  5 12:22:19 2016 us=765387   persist_mode = 1
Tue Jul  5 12:22:19 2016 us=765416   show_ciphers = DISABLED
Tue Jul  5 12:22:19 2016 us=765445   show_digests = DISABLED
Tue Jul  5 12:22:19 2016 us=765474   show_engines = DISABLED
Tue Jul  5 12:22:19 2016 us=765503   genkey = DISABLED
Tue Jul  5 12:22:19 2016 us=765532   key_pass_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=765560   show_tls_ciphers = DISABLED
Tue Jul  5 12:22:19 2016 us=765588 Connection profiles [default]:
Tue Jul  5 12:22:19 2016 us=765617   proto = tcp-client
Tue Jul  5 12:22:19 2016 us=765645   local = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=765673   local_port = 0
Tue Jul  5 12:22:19 2016 us=765701   remote = '8.2.9.1'
Tue Jul  5 12:22:19 2016 us=765748   remote_port = 1194
Tue Jul  5 12:22:19 2016 us=765778   remote_float = ENABLED
Tue Jul  5 12:22:19 2016 us=765806   bind_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=765834   bind_local = DISABLED
Tue Jul  5 12:22:19 2016 us=765863   connect_retry_seconds = 5
Tue Jul  5 12:22:19 2016 us=765891   connect_timeout = 10
Tue Jul  5 12:22:19 2016 us=765919   connect_retry_max = 0
Tue Jul  5 12:22:19 2016 us=765948 BEGIN http_proxy
Tue Jul  5 12:22:19 2016 us=765976   server = '8.2.9.1'
Tue Jul  5 12:22:19 2016 us=766004   port = 443
Tue Jul  5 12:22:19 2016 us=766033   auth_method_string = 'none'
Tue Jul  5 12:22:19 2016 us=766060   auth_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766088   retry = ENABLED
Tue Jul  5 12:22:19 2016 us=766151   timeout = 5
Tue Jul  5 12:22:19 2016 us=766181   http_version = '1.1'
Tue Jul  5 12:22:19 2016 us=766221   user_agent = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766253 END http_proxy
Tue Jul  5 12:22:19 2016 us=766281   socks_proxy_server = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766309   socks_proxy_port = 0
Tue Jul  5 12:22:19 2016 us=766337   socks_proxy_retry = DISABLED
Tue Jul  5 12:22:19 2016 us=766365   tun_mtu = 1500
Tue Jul  5 12:22:19 2016 us=766393   tun_mtu_defined = ENABLED
Tue Jul  5 12:22:19 2016 us=766420   link_mtu = 1500
Tue Jul  5 12:22:19 2016 us=766448   link_mtu_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=766476   tun_mtu_extra = 0
Tue Jul  5 12:22:19 2016 us=766503   tun_mtu_extra_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=766531   mtu_discover_type = -1
Tue Jul  5 12:22:19 2016 us=766559   fragment = 0
Tue Jul  5 12:22:19 2016 us=766629   mssfix = 1450
Tue Jul  5 12:22:19 2016 us=766658   explicit_exit_notification = 0
Tue Jul  5 12:22:19 2016 us=766686 Connection profiles END
Tue Jul  5 12:22:19 2016 us=766728   remote_random = DISABLED
Tue Jul  5 12:22:19 2016 us=766758   ipchange = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766786   dev = 'tun'
Tue Jul  5 12:22:19 2016 us=766814   dev_type = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766841   dev_node = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766869   lladdr = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766897   topology = 1
Tue Jul  5 12:22:19 2016 us=766924   tun_ipv6 = DISABLED
Tue Jul  5 12:22:19 2016 us=766952   ifconfig_local = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=766980   ifconfig_remote_netmask = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767008   ifconfig_noexec = DISABLED
Tue Jul  5 12:22:19 2016 us=767036   ifconfig_nowarn = DISABLED
Tue Jul  5 12:22:19 2016 us=767063   ifconfig_ipv6_local = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767091   ifconfig_ipv6_netbits = 0
Tue Jul  5 12:22:19 2016 us=767119   ifconfig_ipv6_remote = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767147   shaper = 0
Tue Jul  5 12:22:19 2016 us=767174   mtu_test = 0
Tue Jul  5 12:22:19 2016 us=767202   mlock = DISABLED
Tue Jul  5 12:22:19 2016 us=767243   keepalive_ping = 0
Tue Jul  5 12:22:19 2016 us=767272   keepalive_timeout = 0
Tue Jul  5 12:22:19 2016 us=767299   inactivity_timeout = 0
Tue Jul  5 12:22:19 2016 us=767327   ping_send_timeout = 0
Tue Jul  5 12:22:19 2016 us=767355   ping_rec_timeout = 0
Tue Jul  5 12:22:19 2016 us=767383   ping_rec_timeout_action = 0
Tue Jul  5 12:22:19 2016 us=767411   ping_timer_remote = DISABLED
Tue Jul  5 12:22:19 2016 us=767438   remap_sigusr1 = 0
Tue Jul  5 12:22:19 2016 us=767466   persist_tun = ENABLED
Tue Jul  5 12:22:19 2016 us=767494   persist_local_ip = DISABLED
Tue Jul  5 12:22:19 2016 us=767521   persist_remote_ip = DISABLED
Tue Jul  5 12:22:19 2016 us=767549   persist_key = ENABLED
Tue Jul  5 12:22:19 2016 us=767576   passtos = DISABLED
Tue Jul  5 12:22:19 2016 us=767604   resolve_retry_seconds = 1000000000
Tue Jul  5 12:22:19 2016 us=767632   username = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767659   groupname = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767687   chroot_dir = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767733   cd_dir = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767764   writepid = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767792   up_script = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767819   down_script = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=767847   down_pre = DISABLED
Tue Jul  5 12:22:19 2016 us=767875   up_restart = DISABLED
Tue Jul  5 12:22:19 2016 us=767904   up_delay = DISABLED
Tue Jul  5 12:22:19 2016 us=767933   daemon = DISABLED
Tue Jul  5 12:22:19 2016 us=767960   inetd = 0
Tue Jul  5 12:22:19 2016 us=767988   log = DISABLED
Tue Jul  5 12:22:19 2016 us=768016   suppress_timestamps = DISABLED
Tue Jul  5 12:22:19 2016 us=768043   nice = 0
Tue Jul  5 12:22:19 2016 us=768071   verbosity = 5
Tue Jul  5 12:22:19 2016 us=768099   mute = 0
Tue Jul  5 12:22:19 2016 us=768126   gremlin = 0
Tue Jul  5 12:22:19 2016 us=768154   status_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=768182   status_file_version = 1
Tue Jul  5 12:22:19 2016 us=768210   status_file_update_freq = 60
Tue Jul  5 12:22:19 2016 us=768278   occ = ENABLED
Tue Jul  5 12:22:19 2016 us=768308   rcvbuf = 65536
Tue Jul  5 12:22:19 2016 us=768336   sndbuf = 65536
Tue Jul  5 12:22:19 2016 us=768364   mark = 0
Tue Jul  5 12:22:19 2016 us=768392   sockflags = 0
Tue Jul  5 12:22:19 2016 us=768420   fast_io = DISABLED
Tue Jul  5 12:22:19 2016 us=768448   lzo = 0
Tue Jul  5 12:22:19 2016 us=768475   route_script = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=768503   route_default_gateway = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=768531   route_default_metric = 0
Tue Jul  5 12:22:19 2016 us=768559   route_noexec = DISABLED
Tue Jul  5 12:22:19 2016 us=768587   route_delay = 0
Tue Jul  5 12:22:19 2016 us=768614   route_delay_window = 30
Tue Jul  5 12:22:19 2016 us=768642   route_delay_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=768670   route_nopull = DISABLED
Tue Jul  5 12:22:19 2016 us=768698   route_gateway_via_dhcp = DISABLED
Tue Jul  5 12:22:19 2016 us=768741   max_routes = 100
Tue Jul  5 12:22:19 2016 us=768771   allow_pull_fqdn = DISABLED
Tue Jul  5 12:22:19 2016 us=768799   management_addr = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=768827   management_port = 0
Tue Jul  5 12:22:19 2016 us=768855   management_user_pass = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=768883   management_log_history_cache = 250
Tue Jul  5 12:22:19 2016 us=768911   management_echo_buffer_size = 100
Tue Jul  5 12:22:19 2016 us=768939   management_write_peer_info_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=768966   management_client_user = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=768994   management_client_group = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769022   management_flags = 0
Tue Jul  5 12:22:19 2016 us=769050   shared_secret_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769078   key_direction = 0
Tue Jul  5 12:22:19 2016 us=769106   ciphername_defined = ENABLED
Tue Jul  5 12:22:19 2016 us=769133   ciphername = 'BF-CBC'
Tue Jul  5 12:22:19 2016 us=769161   authname_defined = ENABLED
Tue Jul  5 12:22:19 2016 us=769188   authname = 'SHA1'
Tue Jul  5 12:22:19 2016 us=769226   prng_hash = 'SHA1'
Tue Jul  5 12:22:19 2016 us=769258   prng_nonce_secret_len = 16
Tue Jul  5 12:22:19 2016 us=769286   keysize = 0
Tue Jul  5 12:22:19 2016 us=769314   engine = DISABLED
Tue Jul  5 12:22:19 2016 us=769342   replay = ENABLED
Tue Jul  5 12:22:19 2016 us=769370   mute_replay_warnings = DISABLED
Tue Jul  5 12:22:19 2016 us=769398   replay_window = 64
Tue Jul  5 12:22:19 2016 us=769426   replay_time = 15
Tue Jul  5 12:22:19 2016 us=769453   packet_id_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769481   use_iv = ENABLED
Tue Jul  5 12:22:19 2016 us=769509   test_crypto = DISABLED
Tue Jul  5 12:22:19 2016 us=769537   tls_server = DISABLED
Tue Jul  5 12:22:19 2016 us=769565   tls_client = ENABLED
Tue Jul  5 12:22:19 2016 us=769592   key_method = 2
Tue Jul  5 12:22:19 2016 us=769620   ca_file = 'ca.crt'
Tue Jul  5 12:22:19 2016 us=769648   ca_path = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769675   dh_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769703   cert_file = 'WASSERMANN_USER.crt'
Tue Jul  5 12:22:19 2016 us=769745   priv_key_file = 'WASSERMANN_USER.key'
Tue Jul  5 12:22:19 2016 us=769774   pkcs12_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769802   cipher_list = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769829   tls_verify = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769857   tls_export_cert = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769885   verify_x509_type = 0
Tue Jul  5 12:22:19 2016 us=769913   verify_x509_name = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769941   crl_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=769968   ns_cert_type = 1
Tue Jul  5 12:22:19 2016 us=769996   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770024   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770051   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770079   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770107   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770134   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770162   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770189   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770217   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770258   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770286   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770314   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770342   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770369   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770397   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770424   remote_cert_ku[i] = 0
Tue Jul  5 12:22:19 2016 us=770452   remote_cert_eku = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=770480   ssl_flags = 0
Tue Jul  5 12:22:19 2016 us=770507   tls_timeout = 2
Tue Jul  5 12:22:19 2016 us=770535   renegotiate_bytes = 0
Tue Jul  5 12:22:19 2016 us=770563   renegotiate_packets = 0
Tue Jul  5 12:22:19 2016 us=770591   renegotiate_seconds = 3600
Tue Jul  5 12:22:19 2016 us=770618   handshake_window = 60
Tue Jul  5 12:22:19 2016 us=770646   transition_window = 3600
Tue Jul  5 12:22:19 2016 us=770674   single_session = DISABLED
Tue Jul  5 12:22:19 2016 us=770701   push_peer_info = DISABLED
Tue Jul  5 12:22:19 2016 us=770744   tls_exit = DISABLED
Tue Jul  5 12:22:19 2016 us=770773   tls_auth_file = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=770802   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=770830   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=770858   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=770886   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=770914   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=770942   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=770969   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=770997   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771025   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771052   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771080   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771108   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771135   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771156   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771162   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771167   pkcs11_protected_authentication = DISABLED
Tue Jul  5 12:22:19 2016 us=771173   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771178   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771183   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771188   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771192   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771197   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771202   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771207   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771212   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771217   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771233   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771240   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771245   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771250   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771255   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771260   pkcs11_private_mode = 00000000
Tue Jul  5 12:22:19 2016 us=771265   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771270   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771275   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771280   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771285   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771290   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771295   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771300   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771304   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771309   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771314   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771319   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771324   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771329   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771334   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771339   pkcs11_cert_private = DISABLED
Tue Jul  5 12:22:19 2016 us=771344   pkcs11_pin_cache_period = -1
Tue Jul  5 12:22:19 2016 us=771349   pkcs11_id = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771354   pkcs11_id_management = DISABLED
Tue Jul  5 12:22:19 2016 us=771366   server_network = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771372   server_netmask = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771379   server_network_ipv6 = ::
Tue Jul  5 12:22:19 2016 us=771384   server_netbits_ipv6 = 0
Tue Jul  5 12:22:19 2016 us=771389   server_bridge_ip = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771395   server_bridge_netmask = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771400   server_bridge_pool_start = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771405   server_bridge_pool_end = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771411   ifconfig_pool_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=771416   ifconfig_pool_start = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771421   ifconfig_pool_end = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771427   ifconfig_pool_netmask = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771432   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771437   ifconfig_pool_persist_refresh_freq = 600
Tue Jul  5 12:22:19 2016 us=771442   ifconfig_ipv6_pool_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=771447   ifconfig_ipv6_pool_base = ::
Tue Jul  5 12:22:19 2016 us=771453   ifconfig_ipv6_pool_netbits = 0
Tue Jul  5 12:22:19 2016 us=771458   n_bcast_buf = 256
Tue Jul  5 12:22:19 2016 us=771462   tcp_queue_limit = 64
Tue Jul  5 12:22:19 2016 us=771467   real_hash_size = 256
Tue Jul  5 12:22:19 2016 us=771472   virtual_hash_size = 256
Tue Jul  5 12:22:19 2016 us=771477   client_connect_script = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771483   learn_address_script = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771488   client_disconnect_script = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771493   client_config_dir = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771497   ccd_exclusive = DISABLED
Tue Jul  5 12:22:19 2016 us=771502   tmp_dir = '/tmp'
Tue Jul  5 12:22:19 2016 us=771507   push_ifconfig_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=771512   push_ifconfig_local = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771517   push_ifconfig_remote_netmask = 0.0.0.0
Tue Jul  5 12:22:19 2016 us=771522   push_ifconfig_ipv6_defined = DISABLED
Tue Jul  5 12:22:19 2016 us=771528   push_ifconfig_ipv6_local = ::/0
Tue Jul  5 12:22:19 2016 us=771533   push_ifconfig_ipv6_remote = ::
Tue Jul  5 12:22:19 2016 us=771538   enable_c2c = DISABLED
Tue Jul  5 12:22:19 2016 us=771542   duplicate_cn = DISABLED
Tue Jul  5 12:22:19 2016 us=771547   cf_max = 0
Tue Jul  5 12:22:19 2016 us=771552   cf_per = 0
Tue Jul  5 12:22:19 2016 us=771557   max_clients = 1024
Tue Jul  5 12:22:19 2016 us=771562   max_routes_per_client = 256
Tue Jul  5 12:22:19 2016 us=771567   auth_user_pass_verify_script = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771572   auth_user_pass_verify_script_via_file = DISABLED
Tue Jul  5 12:22:19 2016 us=771577   port_share_host = '[UNDEF]'
Tue Jul  5 12:22:19 2016 us=771581   port_share_port = 0
Tue Jul  5 12:22:19 2016 us=771586   client = ENABLED
Tue Jul  5 12:22:19 2016 us=771591   pull = ENABLED
Tue Jul  5 12:22:19 2016 us=771596   auth_user_pass_file = 'stdin'
Tue Jul  5 12:22:19 2016 us=771602 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Tue Jul  5 12:22:19 2016 us=771611 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Enter Auth Username: *********
Enter Auth Password: ********
Tue Jul  5 12:22:26 2016 us=715624 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jul  5 12:22:26 2016 us=715650 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Jul  5 12:22:26 2016 us=715662 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Jul  5 12:22:26 2016 us=715670 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul  5 12:22:26 2016 us=715674 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul  5 12:22:26 2016 us=715683 Local Options hash (VER=V4): 'db02a8f8'
Tue Jul  5 12:22:26 2016 us=715689 Expected Remote Options hash (VER=V4): '7e068940'
Tue Jul  5 12:22:26 2016 us=715697 Attempting to establish TCP connection with [AF_INET]8.2.9.1:443 [nonblock]
Tue Jul  5 12:22:27 2016 us=716797 TCP connection established with [AF_INET]8.2.9.1:443
Tue Jul  5 12:22:27 2016 us=716825 Send to HTTP proxy: 'CONNECT 8.2.9.6:1194 HTTP/1.1'
Tue Jul  5 12:22:27 2016 us=754055 HTTP proxy returned: 'HTTP/1.1 503 Service Unavailable'
Tue Jul  5 12:22:27 2016 us=754101 HTTP proxy returned bad status
Tue Jul  5 12:22:27 2016 us=754140 TCP/UDP: Closing socket
Tue Jul  5 12:22:27 2016 us=754214 SIGUSR1[soft,init_instance] received, process restarting
Tue Jul  5 12:22:27 2016 us=754220 Restart pause, 5 second(s)
Tue Jul  5 12:22:32 2016 us=754582 Re-using SSL/TLS context
Tue Jul  5 12:22:32 2016 us=754659 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jul  5 12:22:32 2016 us=754686 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Jul  5 12:22:32 2016 us=754697 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Jul  5 12:22:32 2016 us=754712 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul  5 12:22:32 2016 us=754717 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul  5 12:22:32 2016 us=754730 Local Options hash (VER=V4): 'db02a8f8'
Tue Jul  5 12:22:32 2016 us=754739 Expected Remote Options hash (VER=V4): '7e068940'
Tue Jul  5 12:22:32 2016 us=754756 Attempting to establish TCP connection with [AF_INET]8.2.9.1:443 [nonblock]
Tue Jul  5 12:22:33 2016 us=755211 TCP connection established with [AF_INET]8.2.9.1:443
Tue Jul  5 12:22:33 2016 us=755279 Send to HTTP proxy: 'CONNECT 8.2.9.6:1194 HTTP/1.1'
Tue Jul  5 12:22:33 2016 us=793551 HTTP proxy returned: 'HTTP/1.1 503 Service Unavailable'
Tue Jul  5 12:22:33 2016 us=793580 HTTP proxy returned bad status
Tue Jul  5 12:22:33 2016 us=793665 TCP/UDP: Closing socket
Tue Jul  5 12:22:33 2016 us=793731 SIGUSR1[soft,init_instance] received, process restarting
Tue Jul  5 12:22:33 2016 us=793738 Restart pause, 5 second(s)
I have changed the IP addresses everywhere.

Unfortunately I can't really find a guide on configuring Squid so that you can connect through it to the VPN on the same server; there is only ever the other way round, where the proxy is used after the VPN. That may be why my ACLs look odd.

Many thanks

Daniel

misterunknown
Posts: 1
Registered: 03.05.2016 17:14:22

Re: Squid as the way in to the VPN server

Post by misterunknown » 05.07.2016 13:58:13

H8Ball wrote: The client does establish the connection to Squid over port 443, but then it fails to authenticate.
I don't understand what you mean by that. Who is supposed to authenticate, how and where?
H8Ball wrote: Unfortunately I can't really find a guide on configuring Squid so that you can connect through it to the VPN on the same server; there is only ever the other way round, where the proxy is used after the VPN. That may be why my ACLs look odd.
If I understand you correctly, you want to use Squid to carry your traffic through the VPN, with the proxy and OpenVPN on the same machine. In my view that is simply a routing matter. I have written a blog post about it (https://misterunknown.de/blog/2016/01/s ... envpn.html) that will probably help you. It explains how to make Squid use a specific outgoing IP and route the traffic to the VPN gateway based on that address.

H8Ball
Posts: 52
Registered: 14.12.2010 16:00:33

Re: Squid as the way in to the VPN server

Post by H8Ball » 05.07.2016 14:14:53

By authenticating I mean the key exchange for a successful VPN connection.
From the company network I can only get out over port 443.

Dimejo
Posts: 503
Registered: 21.07.2014 13:37:23

Re: Squid as the way in to the VPN server

Post by Dimejo » 05.07.2016 14:15:16

H8Ball wrote: Hi all, I'm facing a really stupid problem here. I want to get out of my company network and into my VPN, but that only works over port 443. Sure, I could run the VPN server on that port, but there are so many clients scattered all over the place that nothing can be changed on the VPN server any more. So I thought I'd set up a proxy server for myself. With the corresponding options in OpenVPN I can then connect through it.
Wouldn't it be simpler to start two OpenVPN instances on different ports?

H8Ball
Posts: 52
Registered: 14.12.2010 16:00:33

Re: Squid as the way in to the VPN server

Post by H8Ball » 05.07.2016 14:22:04

If OpenVPN offers the option of connecting via an HTTP proxy, there must be a reason for it, so it must be solvable.

MSfree
Posts: 10776
Registered: 25.09.2007 19:59:30

Re: Squid as the way in to the VPN server

Post by MSfree » 05.07.2016 14:47:41

H8Ball wrote: Hi all, I'm facing a really stupid problem here. I want to get out of my company network and into my VPN, but that only works over port 443. Sure, I could run the VPN server on that port, but there are so many clients scattered all over the place that nothing can be changed on the VPN server any more. So I thought I'd set up a proxy server for myself.
Why do it the easy way when it can be done the complicated way? I would skip the Squid fun.

Why don't you simply redirect port 443 on your VPN server to the actual VPN port with iptables?


iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port DeinOpenVPNPort

H8Ball
Posts: 52
Registered: 14.12.2010 16:00:33

Re: Squid as the way in to the VPN server

Post by H8Ball » 05.07.2016 16:44:00

Because more VPN servers may end up on the same system. So I need forwarding to different ports, which can no longer be done with iptables.

H8Ball
Posts: 52
Registered: 14.12.2010 16:00:33

Re: Squid as the way in to the VPN server

Post by H8Ball » 07.07.2016 08:53:50

Well, I can get the connection working now, but unfortunately the proxy is currently open like a barn door.
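Added example, not part of the thread: a small Python model of Squid's http_access evaluation. Fed the request from the posted cache.log (CONNECT from 1.6.2.6 to 8.2.9.6:1194) and the posted ACLs, it reproduces the implicit DENIED that OpenVPN saw as HTTP 503 (`src 0.0.0.0` is a single host, not "any", and `dst 8.2.9.1` does not match the CONNECT target), and a constructed restricted config shows how to close the "barn door" from the last post. Addresses and ports come from the posted configs and logs; only the ACL types src/dst/port/method/all are modelled, and the `office_client` range is an assumed placeholder for the company's egress address.

```python
"""Minimal model of Squid http_access semantics (added example, not from the thread).

Rules are evaluated top to bottom; all ACLs on one line must match (AND);
the first matching line decides.  If no line matches, Squid applies the
opposite of the LAST line's action, which is exactly what the poster's
cache.log reports: "NO match found, last action ALLOWED so returning DENIED".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    client_ip: str   # source address of the proxy client
    method: str      # e.g. CONNECT, GET
    dst_ip: str      # resolved destination address named in the request
    port: int        # destination port


def _network(value: str) -> ipaddress.IPv4Network:
    # Squid treats a bare address such as 0.0.0.0 as one host (/32, mask all
    # ones in the log), which is why `acl offen src 0.0.0.0` never matched.
    return ipaddress.ip_network(value, strict=False)


def parse_config(text: str):
    """Return (acls, rules) from squid.conf-style `acl` and `http_access` lines."""
    acls = {"all": ("all", [])}          # built-in ACL matching every request
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, req: Request) -> bool:
    acl_type, values = acl
    if acl_type == "all":
        return True
    if acl_type == "src":
        return any(ipaddress.ip_address(req.client_ip) in _network(v) for v in values)
    if acl_type == "dst":
        return any(ipaddress.ip_address(req.dst_ip) in _network(v) for v in values)
    if acl_type == "port":
        return any(req.port == int(v) for v in values)
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"ACL type not modelled: {acl_type}")


def http_access(config: str, req: Request) -> str:
    """Return 'ALLOWED' or 'DENIED' the way Squid's http_access would decide."""
    acls, rules = parse_config(config)
    for action, names in rules:
        line_matches = True
        for name in names:
            negate = name.startswith("!")          # leading '!' negates an ACL
            hit = acl_matches(acls[name.lstrip("!")], req)
            if hit == negate:
                line_matches = False
                break
        if line_matches:
            return "ALLOWED" if action == "allow" else "DENIED"
    # no line matched: the default is the opposite of the last rule's action
    last_action = rules[-1][0] if rules else "deny"
    return "DENIED" if last_action == "allow" else "ALLOWED"


# ACL lines exactly as posted (http_port/debug_options omitted, they are not ACLs).
POSTED_CONFIG = """
acl offen src 0.0.0.0
acl connect_vpn dst 8.2.9.1
http_access allow offen
http_access allow connect_vpn
"""

# Constructed replacement: only the assumed office egress address may CONNECT to
# the VPN port; everything else is denied explicitly.  The dst must be the
# address the client actually names in CONNECT (8.2.9.6 in the posted log).
RESTRICTED_CONFIG = """
acl office_client src 1.6.2.6/32
acl vpn_host dst 8.2.9.6/32
acl vpn_port port 1194
acl CONNECT method CONNECT
http_access allow CONNECT office_client vpn_host vpn_port
http_access deny all
"""

# The CONNECT OpenVPN sent through the proxy, per the posted logs.
VPN_CONNECT = Request("1.6.2.6", "CONNECT", "8.2.9.6", 1194)
# Constructed requests an open proxy would also accept (RFC 5737 test addresses).
WEB_GET = Request("1.6.2.6", "GET", "198.51.100.80", 80)
OTHER_CLIENT = Request("203.0.113.9", "CONNECT", "8.2.9.6", 1194)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        for req in (VPN_CONNECT, WEB_GET, OTHER_CLIENT):
            print(f"{label:10} {req.method:7} {req.dst_ip}:{req.port} "
                  f"from {req.client_ip}: {http_access(cfg, req)}")
```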
