Hello experts,
I urgently need your help. I have installed OpenVPN on my QNAP 239 Pro, exactly following the instructions. Everything works fine: a ping from my laptop over the internet to the local IP address of the NAS, 192.168.0.200 (behind a Netgear router, 192.168.0.1), works. But when I enter \\192.168.0.200\Freigabe in Windows Explorer on my laptop, nothing happens. The logs from the server and the client side are below.
What am I doing wrong?
Thank you very much.
Client Conf
Code
# connect to QNAP OpenVPN Server
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
tls-client
remote meine.dns.org 1194 # <--- enter your DynDNS account here
pull
# Set the MTU value if necessary
; tun-mtu xyz
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients
# Certificates and keys
# Note the doubled \\ in the path for a Windows config
ca C:\\Programme\\OpenVPN\\easy-rsa\\keys\\ca.crt
cert C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.crt
key C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
Server Conf
Code
# OpenVPN server configuration QNAP NAS
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# MTU values
# Determine the MTU value if the transfer is very slow.
; mtu-test
# Set the MTU value if necessary
; tun-mtu xyz
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.0.0 255.255.255.0" # <--- enter the IP of the home network here!
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /opt/etc/openvpn/keys/dh1024.pem
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
#
# Console messages (1-9 possible; enable for troubleshooting)
; verb 5
mute 30 # stop logging after 30 identical entries until something changes
#
# Log
; status /opt/etc/openvpn/log/status.log
; log-append /opt/etc/openvpn/log/openvpn.log
#
# Run as daemon (enable only once everything is set up and running)
;daemon
#
# Management interface reachable via "telnet localhost 7505"
Client log
Code
Wed Apr 07 18:22:23 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Apr 07 18:22:23 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Apr 07 18:22:23 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Apr 07 18:22:23 2010 LZO compression initialized
Wed Apr 07 18:22:23 2010 UDPv4 link local: [undef]
Wed Apr 07 18:22:23 2010 UDPv4 link remote: 87.2.180.80:1194
Wed Apr 07 18:22:27 2010 [server] Peer Connection Initiated with 87.2.180.80:1194
Wed Apr 07 18:22:28 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9)
Wed Apr 07 18:22:28 2010 TAP-WIN32 device [LAN-Verbindung 6] opened: \\.\Global\{9A560C6A-1E83-4558-8BE3-01773BC081E1}.tap
Wed Apr 07 18:22:28 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {9A560C6A-1E83-4558-8BE3-01773BC081E1} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Apr 07 18:22:28 2010 Successful ARP Flush on interface [4] {9A560C6A-1E83-4558-8BE3-01773BC081E1}
Wed Apr 07 18:22:32 2010 Initialization Sequence Completed
Server log
Code
Wed Apr 7 18:22:12 2010 OpenVPN 2.1.1 i686-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 21 2010
Wed Apr 7 18:22:12 2010 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Apr 7 18:22:12 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Apr 7 18:22:12 2010 TUN/TAP device tun0 opened
Wed Apr 7 18:22:12 2010 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Apr 7 18:22:12 2010 UDPv4 link local (bound): [undef]:1194
Wed Apr 7 18:22:12 2010 UDPv4 link remote: [undef]
Wed Apr 7 18:22:12 2010 Initialization Sequence Completed
Wed Apr 7 18:22:49 2010 83.175.82.219:1561 Re-using SSL/TLS context
Wed Apr 7 18:22:49 2010 83.175.82.219:1561 LZO compression initialized
Wed Apr 7 18:22:53 2010 83.175.82.219:1561 [client1] Peer Connection Initiated with 83.175.82.219:1561
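The client log above warns that no server certificate verification method is enabled, and the client config has `;ns-cert-type server` commented out. The following is an added example, not part of the original post: a small checker that parses an OpenVPN client config and reports whether any server-certificate check is active. The comment handling is a simplification and the sample input is constructed from lines shown in the post.

```python
import re

# Client directives that check the peer presents a *server* certificate,
# not merely any certificate signed by the shared CA.
SERVER_VERIFY = {"ns-cert-type", "remote-cert-tls", "remote-cert-eku",
                 "remote-cert-ku", "tls-remote", "verify-x509-name"}

def parse(config_text):
    """Split a config into (active, disabled) maps of directive -> args.

    Simplification (assumption): a line starting with '#' or ';' is a
    comment, and whitespace followed by '#' or ';' starts an inline comment.
    """
    active, disabled = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line[0] in "#;":
            target, line = disabled, line[1:].strip()
        parts = re.split(r"\s[#;]", line, maxsplit=1)[0].split()
        if parts:
            target.setdefault(parts[0], parts[1:])
    return active, disabled

def audit_client(config_text, log_text=""):
    """Return a list of findings about server-certificate verification."""
    active, disabled = parse(config_text)
    findings = []
    if not SERVER_VERIFY & active.keys():
        off = sorted(SERVER_VERIFY & disabled.keys())
        note = f" ({', '.join(off)} is commented out)" if off else ""
        findings.append("no server certificate check is active" + note)
    if "No server certificate verification method has been enabled" in log_text:
        findings.append("client log confirms the missing check")
    return findings

# Constructed sample: the relevant lines of the client config and log above.
SAMPLE_CONF = """\
client
dev tun
tls-client
remote meine.dns.org 1194 # <--- DynDNS name
;ns-cert-type server
comp-lzo
"""
SAMPLE_LOG = ("Wed Apr 07 18:22:23 2010 WARNING: No server certificate "
              "verification method has been enabled.")

if __name__ == "__main__":
    for finding in audit_client(SAMPLE_CONF, SAMPLE_LOG):
        print("finding:", finding)
```
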