
Debian-facile


#1 15-01-2019 14:45:35

Henry26
Member
Distro: Debian on Raspberry
Kernel: linux 4.9.35-v7+
(G)UI: none
Registered: 14-01-2019

connection server + OpenVPN (NordVPN) + OpenPNY + IpTables...

Hi everyone,

I decided to take out a subscription to a VPN (NordVPN) and I'm trying to integrate OpenVPN into my 4G server (Raspberry). I installed OpenVPN on the Raspi but I can't manage to finish the NordVPN tutorial... After the command:

sudo openvpn [Nom_de_Serveur]



It tells me:

Fri Nov 23 11:08:23 2018 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Nov 23 11:08:23 2018 NOTE: --fast-io is disabled since we are not using UDP
Fri Nov 23 11:08:23 2018 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Nov 23 11:08:23 2018 Attempting to establish TCP connection with [AF_INET]185.236.201.131:443 [nonblock]
Fri Nov 23 11:08:24 2018 TCP connection established with [AF_INET]185.236.201.131:443
Fri Nov 23 11:08:24 2018 TCPv4_CLIENT link local: [undef]
Fri Nov 23 11:08:24 2018 TCPv4_CLIENT link remote: [AF_INET]185.236.201.131:443
Fri Nov 23 11:08:24 2018 TLS: Initial packet from [AF_INET]185.236.201.131:443, sid=7185365a 707118ab
Fri Nov 23 11:08:25 2018 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Fri Nov 23 11:08:25 2018 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Fri Nov 23 11:08:25 2018 VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=ch76.nordvpn.com
Fri Nov 23 11:08:25 2018 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Nov 23 11:08:25 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 23 11:08:25 2018 TLS Error: TLS handshake failed
Fri Nov 23 11:08:25 2018 Fatal TLS error (check_tls_errors_co), restarting
Fri Nov 23 11:08:25 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 23 11:08:25 2018 Restart pause, 5 second(s)



I understand that there is a certificate problem but I can't find how to solve it... HELP!?


The IpTables filtering rules:

sudo iptables-save


# Generated by iptables-save v1.4.21 on Fri Nov 23 11:25:08 2018
*filter
:INPUT DROP [376624:11119058]
:FORWARD DROP [1513:225499]
:OUTPUT DROP [19356:5363595]
:icmp_error - [0:0]
:in - [0:0]
:in_priv - [0:0]
:in_pub - [0:0]
:out - [0:0]
:out_priv - [0:0]
:out_pub - [0:0]
:ping - [0:0]
:ssh - [0:0]
-A INPUT -i eth0 -j in_priv
-A INPUT -i wlan0 -j in_priv
-A INPUT -i eth1 -j in_pub
-A INPUT -i wlan1 -j in_pub
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 192.168.200.0/24 -i eth0 -o eth1 -j out
-A FORWARD -d 192.168.200.0/24 -i eth1 -o eth0 -j in
-A FORWARD -s 192.168.200.0/24 -i eth0 -o wlan1 -j out
-A FORWARD -d 192.168.200.0/24 -i wlan1 -o eth0 -j in
-A FORWARD -s 192.168.201.0/24 -i wlan0 -o eth1 -j out
-A FORWARD -d 192.168.201.0/24 -i eth1 -o wlan0 -j in
-A FORWARD -s 192.168.201.0/24 -i wlan0 -o wlan1 -j out
-A FORWARD -d 192.168.201.0/24 -i wlan1 -o wlan0 -j in
-A OUTPUT -o eth0 -j out_priv
-A OUTPUT -o wlan0 -j out_priv
-A OUTPUT -o eth1 -j out_pub
-A OUTPUT -o wlan1 -j out_pub
-A OUTPUT -o lo -j ACCEPT
-A icmp_error -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
-A icmp_error -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate RELATED -j ACCEPT
-A icmp_error -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate RELATED -j ACCEPT
-A in -j icmp_error
-A in -m state ! --state NEW -j ping
-A in -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in -p tcp -m tcp --sport 110 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A in -p tcp -m tcp --sport 465 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A in_priv -j ssh
-A in_priv -j icmp_error
-A in_priv -j ping
-A in_priv -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_priv -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_priv -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A in_pub -j in
-A in_pub -p tcp -m tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in_pub -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A in_pub -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A out -j icmp_error
-A out -j ping
-A out -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out -p tcp -m tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out -p tcp -m tcp --dport 465 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_priv -j ssh
-A out_priv -j icmp_error
-A out_priv -j ping
-A out_priv -p tcp -m tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_priv -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A out_priv -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A out_pub -j out
-A out_pub -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_pub -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_pub -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ping -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A ping -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A ssh -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A ssh -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Nov 23 11:25:08 2018
# Generated by iptables-save v1.4.21 on Fri Nov 23 11:25:08 2018
*nat
:PREROUTING ACCEPT [541965:84254262]
:INPUT ACCEPT [220:20628]
:OUTPUT ACCEPT [24931:5748116]
:POSTROUTING ACCEPT [39:6218]
-A POSTROUTING -o wlan1 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Nov 23 11:25:08 2018



Next, I'll have questions about DNS and OpenPNY, but maybe I'll figure it out on my own once NordVPN is configured correctly.

Thanks for your help!!!

Edit for toto: Change made - Separated the command from its output, it's more readable for everyone.

Offline
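
Added example, not part of the original thread: a Python triage of the log in post #1 that extracts the failing certificate from the `VERIFY ERROR` line and compares the log's own timestamp with a trusted time, since `certificate is not yet valid` is a check OpenSSL makes against the local clock. The function `triage`, its field names, and the use of the forum timestamp of post #1 as the trusted time are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log in post #1 (subset).
SAMPLE_LOG = """\
Fri Nov 23 11:08:25 2018 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Fri Nov 23 11:08:25 2018 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Fri Nov 23 11:08:25 2018 VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=ch76.nordvpn.com
Fri Nov 23 11:08:25 2018 TLS Error: TLS handshake failed
"""

# Assumption: the forum timestamp of post #1 stands in for a trusted clock.
TRUSTED_NOW = datetime(2019, 1, 15, 14, 45, 35)

VERIFY_ERROR = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>.*?): (?P<subject>.*)$"
)

# OpenSSL verification errors whose outcome depends on the local clock,
# mapped to the direction of clock error that would produce them.
CLOCK_ERRORS = {
    "certificate is not yet valid": "behind",
    "certificate has expired": "ahead",
}

def triage(log_text, trusted_now, tolerance=timedelta(minutes=5)):
    """Return one finding per VERIFY ERROR line, with a clock-skew verdict."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_ERROR.match(line)
        if not m:
            continue
        logged = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        skew = trusted_now - logged  # positive: the local clock is behind
        direction = CLOCK_ERRORS.get(m["error"])
        suspect = (direction == "behind" and skew > tolerance) or (
            direction == "ahead" and -skew > tolerance)
        findings.append({"depth": int(m["depth"]), "subject": m["subject"],
                         "error": m["error"], "skew": skew,
                         "clock_suspect": suspect})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, TRUSTED_NOW):
        print(f)
```

If the log was captured around the time of posting, the Pi's clock is the first thing to check rather than the certificate. The ruleset shown in the post has no rule for UDP port 123, so NTP requests from the Pi itself would hit the `OUTPUT DROP` policy.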

#2 18-01-2019 07:16:19

NorrisFramboise
Member
Registered: 18-01-2019

Re: connection server + OpenVPN (NordVPN) + OpenPNY + IpTables...

Contact their support, I think.

Offline
