Sicheres CS über ano VPN ???

Fri Jun 24 11:55:11 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun 24 11:55:11 2011 WARNING: file '/etc/openvpn/ivacy-client.key' is group or others accessible
Fri Jun 24 11:55:11 2011 WARNING: file '/etc/openvpn/ivacy-tls.key' is group or others accessible
Fri Jun 24 11:55:11 2011 Control Channel Authentication: using '/etc/openvpn/ivacy-tls.key' as a OpenVPN static key file
Fri Jun 24 11:55:11 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 24 11:55:11 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 24 11:55:11 2011 LZO compression initialized
Fri Jun 24 11:55:11 2011 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 24 11:55:11 2011 Socket Buffers: R=[112640->131072] S=[112640->131072]
Fri Jun 24 11:55:11 2011 RESOLVE: NOTE: openvpn.ivacy.com resolves to 3 addresses
Fri Jun 24 11:55:11 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jun 24 11:55:11 2011 Local Options hash (VER=V4): '504e774e'
Fri Jun 24 11:55:11 2011 Expected Remote Options hash (VER=V4): '14168603'
Fri Jun 24 11:55:11 2011 UDPv4 link local: [undef]
Fri Jun 24 11:55:11 2011 UDPv4 link remote: [AF_INET]213.232.200.170:1194
Fri Jun 24 11:55:11 2011 TLS: Initial packet from [AF_INET]213.232.200.170:1194, sid=8f4449d4 6dc824a1
Fri Jun 24 11:55:11 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 24 11:55:12 2011 VERIFY OK: depth=1, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=ivacy.com_CA/emailAddress=admin@ivacy.com
Fri Jun 24 11:55:12 2011 VERIFY OK: nsCertType=SERVER
Fri Jun 24 11:55:12 2011 VERIFY OK: depth=0, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=openvpn.ivacy.com/emailAddress=admin@ivacy.com
Fri Jun 24 11:55:12 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 24 11:55:12 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 24 11:55:12 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 24 11:55:12 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 24 11:55:12 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Jun 24 11:55:12 2011 [openvpn.ivacy.com] Peer Connection Initiated with [AF_INET]213.232.200.170:1194
Fri Jun 24 11:55:14 2011 SENT CONTROL [openvpn.ivacy.com]: 'PUSH_REQUEST' (status=1)
Fri Jun 24 11:55:15 2011 PUSH: Received control message: 'PUSH_REPLY,route 1.0.0.0 255.0.0.0,dhcp-option DNS 1.254.2.2,dhcp-option DNS 1.254.2.3,dhcp-option DOMAIN vpn,explicit-exit-notify 2,route-gateway 1.2.124.1,topology subnet,ping 10,ping-restart 60,ifconfig 1.2.124.11 255.255.255.0'
Fri Jun 24 11:55:15 2011 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 24 11:55:15 2011 OPTIONS IMPORT: explicit notify parm(s) modified
Fri Jun 24 11:55:15 2011 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 24 11:55:15 2011 OPTIONS IMPORT: route options modified
Fri Jun 24 11:55:15 2011 OPTIONS IMPORT: route-related options modified
Fri Jun 24 11:55:15 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jun 24 11:55:15 2011 ROUTE default_gateway=192.168.1.1
Fri Jun 24 11:55:15 2011 TUN/TAP device tun0 opened
Fri Jun 24 11:55:15 2011 TUN/TAP TX queue length set to 100
Fri Jun 24 11:55:15 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jun 24 11:55:15 2011 /sbin/ifconfig tun0 1.2.124.11 netmask 255.255.255.0 mtu 1500 broadcast 1.2.124.255
Fri Jun 24 11:55:15 2011 /sbin/route add -net 213.232.200.170 netmask 255.255.255.255 gw 192.168.1.1
Fri Jun 24 11:55:15 2011 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Fri Jun 24 11:55:15 2011 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 1.2.124.1
Fri Jun 24 11:55:15 2011 WARNING: potential route subnet conflict between local LAN [1.2.124.0/255.255.255.0] and remote VPN [1.0.0.0/255.0.0.0]
Fri Jun 24 11:55:15 2011 /sbin/route add -net 1.0.0.0 netmask 255.0.0.0 gw 1.2.124.1
Fri Jun 24 11:55:15 2011 Initialization Sequence Completed
###########
FIREVALL
-A PREROUTING -i tun0 -p tcp -m tcp --dport 36417 -j REDIRECT --to-ports 12000
#################

ifconfig vor ohne opevpn

debian:~# ifconfig
eth0 Link encap:Ethernet Hardware Adresse 00:21:27:c9:4b:4c
inet Adresse:192.168.1.136 Bcast:192.168.1.255 Maske:255.255.255.0
inet6-Adresse: fd00::221:27ff:fec9:4b4c/64 Gültigkeitsbereich:Global
inet6-Adresse: fe80::221:27ff:fec9:4b4c/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:642070151 errors:0 dropped:0 overruns:0 frame:0
TX packets:746785187 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:536129953 (511.2 MiB) TX bytes:3402886760 (3.1 GiB)
Interrupt:21 Basisadresse:0xe000
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metrik:1
RX packets:80899397 errors:0 dropped:0 overruns:0 frame:0
TX packets:80899397 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:2496000991 (2.3 GiB) TX bytes:2496000991 (2.3 GiB)
debian:~#
##################

mit openvpn

debian:~# ifconfig
eth0 Link encap:Ethernet Hardware Adresse 00:21:27:c9:4b:4c
inet Adresse:192.168.1.136 Bcast:192.168.1.255 Maske:255.255.255.0
inet6-Adresse: fd00::221:27ff:fec9:4b4c/64 Gültigkeitsbereich:Global
inet6-Adresse: fe80::221:27ff:fec9:4b4c/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:642100404 errors:0 dropped:0 overruns:0 frame:0
TX packets:746820050 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:538684088 (513.7 MiB) TX bytes:3414333617 (3.1 GiB)
Interrupt:21 Basisadresse:0xe000
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metrik:1
RX packets:80902019 errors:0 dropped:0 overruns:0 frame:0
TX packets:80902019 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:2496370242 (2.3 GiB) TX bytes:2496370242 (2.3 GiB)
tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:1.2.124.111 P-z-P:1.2.124.111 Maske:255.255.255.0
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metrik:1
RX packets:42 errors:0 dropped:0 overruns:0 frame:0
TX packets:2076 errors:0 dropped:18 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:3065 (2.9 KiB) TX bytes:184106 (179.7 KiB)
##############################