Gentoo Forums
OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp)
tdb
Apprentice
Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Fri Nov 12, 2004 7:08 am

FYI OpenVPN was assigned an official port number by IANA recently. It now officially uses port 1194 for both TCP and UDP communications. All versions of OpenVPN starting with 2.0 beta 17 will now default to port 1194 instead of 5000. You can, of course, continue to use port 5000, or any port you want, by using the --port option.
_________________
Do you know what a usufruct is?
mariourk
l33t
Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

PostPosted: Wed Nov 17, 2004 10:27 am

Quote:

# Send the /root/openvpn/gateway.csr to your CA authority

I have no idea who my CA authority is... :?
Can someone explain this to me? Does someone know a good page
that explains this whole encryption thing in detail?? I really don't understand this :(
cchee
Apprentice
Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Wed Nov 17, 2004 5:45 pm

mariourk wrote:
Quote:

# Send the /root/openvpn/gateway.csr to your CA authority

I have no idea who my CA authority is... :?
Can someone explain this to me? Does someone know a good page
that explains this whole encryption thing in detail?? I really don't understand this :(
Here is the educational info: http://en.wikipedia.org/wiki/Certificate_authority
You can be your own CA if you choose to do so. There is a section in this topic (page 1) that provides information on how to sign your own certificate. If you are in a corporate setting, check with your system administrator; he can tell you if you have a CA server on your corporate LAN. Hope this helps.
tdb
Apprentice
Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Wed Nov 17, 2004 6:02 pm

One thing to keep in mind is that Verisign and Thawte and the like are also CAs, but you don't want to use them for your certificate. The reason why is that by default, OpenVPN will let any two peers connect to each other if both their certificates are signed by the same CA. So, if you used a certificate from Verisign or Thawte, then anyone else whose certificate was signed by Verisign or Thawte would be allowed to connect too. OpenVPN has several methods to prevent this from happening, including HMAC authentication, scripting to check the "common name" and fingerprints of certificates, and even support for accepting a username and password (in 2.0 beta 12 and later) along with (or in lieu of) a certificate.

Bottom line, once you figure out what a CA is, you're going to want to use your own internal CA and not an outside one.
_________________
Do you know what a usufruct is?
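The "scripting to check the common name" that tdb mentions above is OpenVPN's tls-verify hook. The following is an added example written for this thread (it is not OpenVPN's code and not from the HOWTO): a small Python hook that accepts a peer only if the Common Name of its leaf certificate is on an allowlist. It assumes the OpenVPN 2.0 calling convention for tls-verify (argument 1 is the certificate depth, argument 2 is the X.509 subject in the same one-line form that appears in the "VERIFY OK" log lines on this page), that an exit status of 0 accepts and non-zero rejects, and that OpenVPN only calls the hook for certificates that have already chained to the configured ca file. The file path /etc/openvpn/verify-cn.py and the names in the allowlist are made up for the example.

```python
#!/usr/bin/env python3
"""tls-verify hook: admit only peers whose certificate CN is on an allowlist.

Added example for this forum thread, not OpenVPN's own code.
Assumed calling convention (OpenVPN 2.0 tls-verify):
    argv[1] = certificate depth (0 = the peer's own certificate)
    argv[2] = X.509 subject, e.g. /C=US/ST=CO/O=Java_Zen/CN=client/emailAddress=...
Exit 0 accepts the certificate, any other status rejects it.
Hypothetical server config line:  tls-verify /etc/openvpn/verify-cn.py
"""
import sys

# Constructed allowlist: the CNs this server is willing to talk to.
ALLOWED_CNS = {"client", "laptop-alice"}


def subject_fields(subject):
    """Turn '/C=US/ST=CO/O=Java_Zen/CN=client/emailAddress=x' into a dict."""
    fields = {}
    for part in subject.strip("/").split("/"):
        if "=" in part:
            key, _, value = part.partition("=")
            fields[key] = value
    return fields


def verify_peer(depth, subject, allowed=ALLOWED_CNS):
    """Return True if the certificate at this depth should be accepted.

    Only the leaf (depth 0) carries the peer's identity.  Certificates at
    depth >= 1 are the CA chain, which OpenVPN has already validated against
    the ca file before calling the hook, so they are passed through.
    """
    if depth != 0:
        return True
    cn = subject_fields(subject).get("CN")
    return cn is not None and cn in allowed


def main(argv):
    """Map the hook's command line onto an exit status for OpenVPN."""
    if len(argv) != 3:
        return 1            # malformed invocation: fail closed
    try:
        depth = int(argv[1])
    except ValueError:
        return 1
    return 0 if verify_peer(depth, argv[2]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this in place a certificate from the same CA but with an unexpected CN is rejected before the data channel is ever keyed, which closes the "anyone signed by the same CA may connect" hole tdb describes; the tls-auth HMAC he also mentions is independent of this and should be kept as well.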
gpeangel
Tux's lil' helper
Joined: 02 Jan 2003
Posts: 132
Location: Colorado, USA

PostPosted: Wed Dec 01, 2004 8:44 pm

It seems I'm really close to having openvpn working by following this excellent HOW-TO. I can start openvpn on the server and client and the logs indicate they are connecting properly. However, I cannot ping anything. I believe it's a routing issue that I don't understand enough to sort out. Is there a route command I need to run on the server and/or client which I've missed? The one suggested in the HOW-TO troubleshooting section hasn't made a difference.

The details:

Server Config (Linux, static 10.10.10.80 IP address):

Code:

ca keys/ca.crt
cert keys/server.crt
chroot /usr/local/openvpn
comp-lzo
dev tap
dh keys/dh2048.pem
duplicate-cn
group nobody
ifconfig 10.1.0.1 255.255.255.0 # openvpn gateway   
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
key keys/server.key  # This file should be kept secret
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
mode server
mssfix 1450
mtu-test
mute 20
persist-key
persist-tun
ping 10
ping-restart 120
port 5000
push "dhcp-option DNS m.n.o.p"
push "dhcp-option DNS m.n.o.q" # push DNS entries to openvpn client
push "ping 10"
push "ping-restart 60"
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
push "route 10.10.10.0 255.255.255.0 10.1.0.1" # add route to to protected network
push "route-gateway 10.1.0.1" # push default gateway
status /var/log/openvpn/openvpn-status.log
tls-auth keys/ta.key 0
tls-server
tun-mtu 1500
tun-mtu-extra 32
user nobody
verb 6


Client Config (Win2K Pro):

Code:

ca ca.crt
cert client.crt
comp-lzo
dev tap
key client.key
mssfix 1450
mtu-test
mute 10
port 5000
pull
remote w.x.y.z (actual IP removed)
tls-auth ta.key 1
tls-client
tun-mtu 1500
tun-mtu-extra 32
verb 6



Before Connecting

On Client

Code:

C:\>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.5.42.1     10.5.42.141       1
        10.5.42.0    255.255.255.0      10.5.42.141     10.5.42.141       1
      10.5.42.141  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255      10.5.42.141     10.5.42.141       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.5.42.141     10.5.42.141       1
  255.255.255.255  255.255.255.255      10.5.42.141               2       1
Default Gateway:         10.5.42.1
===========================================================================
Persistent Routes:
  None

C:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : computer-name
        Primary DNS Suffix  . . . . . . . : my.company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : my.company.com
                                            company.com

Ethernet adapter Local Area Connection 9:

        Media State . . . . . . . . . . . : Cable Disconnected
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-89-33-DC-B6

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : company.com
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-08-74-AA-9C-9C
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.5.42.141
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.5.42.1
        DHCP Server . . . . . . . . . . . : 10.5.10.13
        DNS Servers . . . . . . . . . . . : 10.5.10.10
                                            10.10.10.10
        Primary WINS Server . . . . . . . : 10.5.10.13
        Secondary WINS Server . . . . . . : 10.10.9.13


Starting, OpenVPN log on server:

Code:

...[0] Current Parameter Settings:
...[0]   config = 'myserver.conf'
...[0]   mode = 1
...[0]   persist_config = DISABLED
...[0]   persist_mode = 1
...[0]   show_ciphers = DISABLED
...[0]   show_digests = DISABLED
...[0]   show_engines = DISABLED
...[0]   genkey = DISABLED
...[0]   key_pass_file = '[UNDEF]'
...[0]   show_tls_ciphers = DISABLED
...[0]   proto = 0
...[0]   local = '[UNDEF]'
...[0]   remote_list = NULL
...[0]   remote_random = DISABLED
...[0]   local_port = 5000
...[0]   remote_port = 5000
...[0]   remote_float = DISABLED
...[0]   ipchange = '[UNDEF]'
...[0]   bind_local = ENABLED
...[0] NOTE: --mute triggered...
...[0] 152 variation(s) on previous 20 message(s) suppressed by --mute
...[0] OpenVPN 2.0_beta15 i686-pc-linux-gnu [SSL] [LZO] [PTHREAD] built on Nov 23 2004
...[0] Diffie-Hellman initialized with 2048 bit key
...[0] Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
...[0] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] TUN/TAP device tap0 opened
...[0] TUN/TAP TX queue length set to 100
...[0] /sbin/ifconfig tap0 10.1.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.0.255
...[0] Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] chroot to '/usr/local/openvpn' and cd to '/' succeeded
...[0] GID set to nobody
...[0] UID set to nobody
...[0] Socket Buffers: R=[109568->131072] S=[109568->131072]
...[0] UDPv4 link local (bound): [undef]:5000
...[0] UDPv4 link remote: [undef]
...[0] MULTI: multi_init called, r=256 v=256
...[0] IFCONFIG POOL: base=10.1.0.2 size=10
...[0] Initialization Sequence Completed


After Connecting:

On Server

Code:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.10.10.1      0.0.0.0         UG    0      0        0 eth0

Server log:

Code:

...[0] MULTI: multi_create_instance called
...[0] a.b.c.d:30964 Re-using SSL/TLS context
...[0] a.b.c.d:30964 LZO compression initialized
...[0] a.b.c.d:30964 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] a.b.c.d:30964 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] a.b.c.d:30964 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
...[0] a.b.c.d:30964 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
...[0] a.b.c.d:30964 Local Options hash (VER=V4): '360696c5'
...[0] a.b.c.d:30964 Expected Remote Options hash (VER=V4): '13a273ba'
...[0] a.b.c.d:30964 UDPv4 READ [42] from a.b.c.d:30964: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
...[0] a.b.c.d:30964 TLS: Initial packet from a.b.c.d:30964, sid=4076e6c5 a8061fd2
...[0] a.b.c.d:30964 UDPv4 WRITE [54] to a.b.c.d:30964: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #3 ] [ 0 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=1 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
...[0] a.b.c.d:30964 UDPv4 READ [44] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=2
...[0] a.b.c.d:30964 UDPv4 WRITE [154] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #6 ] [ ] pid=4 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #7 ] [ ] pid=5 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #8 ] [ ] pid=6 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #8 ] [ 3 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #9 ] [ ] pid=7 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #9 ] [ 4 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=8 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #10 ] [ 5 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=9 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #11 ] [ 6 ]
...[0] a.b.c.d:30964 NOTE: --mute triggered...
...[0] a.b.c.d:30964 95 variation(s) on previous 20 message(s) suppressed by --mute
...[0] a.b.c.d:30964 VERIFY OK: depth=1, /C=US/ST=CO/L=Centennial/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com
...[0] a.b.c.d:30964 VERIFY OK: depth=0, /C=US/ST=CO/O=Java_Zen/CN=client/emailAddress=webmaster@myserver.com
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #58 ] [ 25 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #61 ] [ ] pid=26 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #59 ] [ 26 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #62 ] [ ] pid=27 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #60 ] [ 27 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #63 ] [ ] pid=28 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #61 ] [ 28 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #64 ] [ ] pid=29 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #62 ] [ 29 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #65 ] [ ] pid=30 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #63 ] [ 30 ]
...[0] a.b.c.d:30964 UDPv4 READ [123] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #66 ] [ ] pid=31 DATA len=81
...[0] a.b.c.d:30964 UDPv4 WRITE [113] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #64 ] [ 31 ] pid=34 DATA len=59
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #68 ] [ ] pid=33 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #65 ] [ 33 ]
...[0] a.b.c.d:30964 UDPv4 READ [154] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #67 ] [ 34 ] pid=32 DATA len=100
...[0] a.b.c.d:30964 Replay-window backtrack occurred [1]
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #66 ] [ 32 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #69 ] [ ] pid=34 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #67 ] [ 34 ]
...[0] a.b.c.d:30964 UDPv4 READ [72] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #70 ] [ ] pid=35 DATA len=30
...[0] a.b.c.d:30964 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
...[0] a.b.c.d:30964 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] a.b.c.d:30964 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
...[0] a.b.c.d:30964 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] a.b.c.d:30964 UDPv4 WRITE [154] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #68 ] [ 35 ] pid=35 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #69 ] [ ] pid=36 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [124] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #70 ] [ ] pid=37 DATA len=82
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #71 ] [ 35 ]
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #72 ] [ 36 ]
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #73 ] [ 37 ]
...[0] a.b.c.d:30964 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
...[0] a.b.c.d:30964 [client] Peer Connection Initiated with a.b.c.d:30964
...[0] client/a.b.c.d:30964 UDPv4 READ [132] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=36 DATA len=90
...[0] client/a.b.c.d:30964 PUSH: Received control message: 'PUSH_REQUEST'
...[0] client/a.b.c.d:30964 SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS m.n.o.q,dhcp-option DNS m.n.o.p,route-gateway 10.1.0.1,ping 10,ping-restart 60,route 10.10.10.0 255.255.255.0 10.1.0.1,route 10.1.0.0 255.255.255.0 10.1.0.1,ifconfig 10.1.0.2 255.255.255.0' (status=1)
...[0] client/a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #71 ] [ 36 ]
...[0] client/a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #72 ] [ ] pid=38 DATA len=100
...[0] client/a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=39 DATA len=100
...[0] client/a.b.c.d:30964 UDPv4 WRITE [140] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=40 DATA len=98
...[0] client/a.b.c.d:30964 UDPv4 READ [61] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #75 ] [ 38 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #76 ] [ 39 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #77 ] [ 40 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 MULTI: Learn: 00:ff:89:33:dc:b6 -> client/a.b.c.d:30964
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
...[0] client/a.b.c.d:30964 UDPv4 WRITE [61] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [61] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 WRITE [61] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 NOTE: --mute triggered...
...[0] client/a.b.c.d:30964 210 variation(s) on previous 20 message(s) suppressed by --mute
...[0] client/a.b.c.d:30964 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1573] remote->local=[1573,1469]
...[0] client/a.b.c.d:30964 NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [253] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=252
...[0] client/a.b.c.d:30964 UDPv4 WRITE [245] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=244
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 NOTE: --mute triggered...

On Client

Code:

C:\>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.5.42.1     10.5.42.141       1
         10.1.0.0    255.255.255.0         10.1.0.2        10.1.0.2       1
         10.1.0.0    255.255.255.0         10.1.0.1        10.1.0.2       1
         10.1.0.2  255.255.255.255        127.0.0.1       127.0.0.1       1
        10.5.42.0    255.255.255.0      10.5.42.141     10.5.42.141       1
      10.5.42.141  255.255.255.255        127.0.0.1       127.0.0.1       1
       10.10.10.0    255.255.255.0         10.1.0.1        10.1.0.2       1
   10.255.255.255  255.255.255.255         10.1.0.2        10.1.0.2       1
   10.255.255.255  255.255.255.255      10.5.42.141     10.5.42.141       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0         10.1.0.2        10.1.0.2       1
        224.0.0.0        224.0.0.0      10.5.42.141     10.5.42.141       1
  255.255.255.255  255.255.255.255         10.1.0.2               2       1
Default Gateway:         10.5.42.1
===========================================================================
Persistent Routes:
  None

C:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : computer-name
        Primary DNS Suffix  . . . . . . . : my.company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : my.company.com
                                            company.com

Ethernet adapter Local Area Connection 9:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-89-33-DC-B6
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.1.0.0
        DNS Servers . . . . . . . . . . . : m.n.o.q
                                            m.n.o.p

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : company.com
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-08-74-AA-9C-9C
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.5.42.141
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.5.42.1
        DHCP Server . . . . . . . . . . . : 10.5.10.13
        DNS Servers . . . . . . . . . . . : 10.5.10.10
                                            10.10.10.10
        Primary WINS Server . . . . . . . : 10.5.10.13
        Secondary WINS Server . . . . . . : 10.10.9.13

Client Log:

Code:

...Current Parameter Settings:
...  config = 'myclient.ovpn'
...  mode = 0
...  show_ciphers = DISABLED
...  show_digests = DISABLED
...  show_engines = DISABLED
...  genkey = DISABLED
...  key_pass_file = '[UNDEF]'
...  show_tls_ciphers = DISABLED
...  proto = 0
...NOTE: --mute triggered...
...173 variation(s) on previous 10 message(s) suppressed by --mute
...OpenVPN 2.0_beta15 Win32-MinGW [SSL] [LZO] built on Oct 28 2004
...Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
...Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...LZO compression initialized
...Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
...Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
...Local Options hash (VER=V4): '13a273ba'
...Expected Remote Options hash (VER=V4): '360696c5'
...Socket Buffers: R=[8192->8192] S=[8192->8192]
...UDPv4 link local (bound): [undef]:5000
...UDPv4 link remote: w.x.y.z:5000
...UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
...UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
...UDPv4 READ [54] from w.x.y.z:5000: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
...TLS: Initial packet from w.x.y.z:5000, sid=9a467e55 cbdd7f50
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #3 ] [ 0 ]
...UDPv4 WRITE [142] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=1 DATA len=100
...UDPv4 WRITE [44] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=2
...UDPv4 READ [50] from w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
...UDPv4 READ [154] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #8 ] [ 3 ]
...NOTE: --mute triggered...
...41 variation(s) on previous 10 message(s) suppressed by --mute
...VERIFY OK: depth=1, /C=US/ST=CO/L=Centennial/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com
...VERIFY OK: depth=0, /C=US/ST=CO/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #29 ] [ 24 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #27 ] [ ] pid=25 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #30 ] [ 25 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #28 ] [ ] pid=26 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #31 ] [ 26 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #29 ] [ ] pid=27 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #32 ] [ 27 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #30 ] [ ] pid=28 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #33 ] [ 28 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #31 ] [ ] pid=29 DATA len=100
...NOTE: --mute triggered...
...78 variation(s) on previous 10 message(s) suppressed by --mute
...Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
...Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
...Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #73 ] [ 37 ]
...Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
...[www.myserver.com] Peer Connection Initiated with w.x.y.z:5000
...SENT CONTROL [www.myserver.com]: 'PUSH_REQUEST' (status=1)
...NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
...UDPv4 WRITE [132] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=36 DATA len=90
...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 READ [50] from w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #71 ] [ 36 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #72 ] [ ] pid=38 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #75 ] [ 38 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=39 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #76 ] [ 39 ]
...UDPv4 READ [140] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=40 DATA len=98
...PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS m.n.o.q,dhcp-option DNS m.n.o.p,route-gateway 10.1.0.1,ping 10,ping-restart 60,route 10.10.10.0 255.255.255.0 10.1.0.1,route 10.1.0.0 255.255.255.0 10.1.0.1,ifconfig 10.1.0.2 255.255.255.0'
...OPTIONS IMPORT: timers and/or timeouts modified
...OPTIONS IMPORT: --ifconfig/up options modified
...OPTIONS IMPORT: route options modified
...OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
...TAP-WIN32 device [Local Area Connection 9] opened: \\.\Global\{8933DCB6-A436-4A37-853C-D1D87ADDC5C6}.tap
...TAP-Win32 Driver Version 8.1
...TAP-Win32 MTU=1500
...Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.2/255.255.255.0 on interface {8933DCB6-A436-4A37-853C-D1D87ADDC5C6} [DHCP-serv: 10.1.0.0, lease-time: 31536000]
...DHCP option string: 0608cdab 0341cdab 0241
...Successful ARP Flush on interface [3] {8933DCB6-A436-4A37-853C-D1D87ADDC5C6}
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #77 ] [ 40 ]
...TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
...Route: Waiting for TUN/TAP interface to come up...
...UDPv4 READ [573] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572
...TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
...Route: Waiting for TUN/TAP interface to come up...
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
...route ADD 10.10.10.0 MASK 255.255.255.0 10.1.0.1
...Route addition via IPAPI succeeded
...route ADD 10.1.0.0 MASK 255.255.255.0 10.1.0.1
...Route addition via IPAPI succeeded
...Initialization Sequence Completed
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [573] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572
...UDPv4 READ [61] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 WRITE [573] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...NOTE: --mute triggered...
...232 variation(s) on previous 10 message(s) suppressed by --mute
...NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1469] remote->local=[1573,1573]
...NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.
...UDPv4 READ [1573] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=1572
...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 WRITE [53] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 WRITE [53] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...NOTE: --mute triggered...

_________________
Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb
Apprentice

Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Wed Dec 01, 2004 9:08 pm

I don't mess around enough with windows to offer you specific answers, but I will say this: don't try to add a bunch of features all at once. Start with the bare basics (no push/pull, no routing instructions, no hmac, no nothing); just get a tunnel up and running between the two machines. Manually assign the ip addresses and routing. Once you get that working, add the other features in one at a time and verify that the connection still works each time. That makes it immensely easier to figure out what in the hundreds of options available is causing the problem. Begin by adding the routing and push/pull commands before adding extra security and encryption.
_________________
Do you know what a usufruct is?
tdb
Apprentice

Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Wed Dec 01, 2004 9:09 pm

One other thing I did notice; did you change iptables to allow traffic on the new tap0 interface?
_________________
Do you know what a usufruct is?
gpeangel
Tux's lil' helper

Joined: 02 Jan 2003
Posts: 132
Location: Colorado, USA

PostPosted: Wed Dec 01, 2004 9:44 pm

tdb wrote:
One other thing I did notice; did you change iptables to allow traffic on the new tap0 interface?


That was it! I figured it was something simple since I was so close. Enabling tap0 and restarting the firewall resulted in vpn connectivity.

Many thanks!
_________________
Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb
Apprentice

Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Wed Dec 01, 2004 10:35 pm

gpeangel wrote:

Many thanks!

N.P.
_________________
Do you know what a usufruct is?
gpeangel
Tux's lil' helper

Joined: 02 Jan 2003
Posts: 132
Location: Colorado, USA

PostPosted: Fri Dec 03, 2004 8:45 pm

I had to reboot the server (kernel upgrade) and now I cannot connect via OpenVPN. I went through my notes thinking I missed something in the config that was lost on reboot, but all is as expected. Both the client and server certs check out with a status of "OK". I've made sure the tap0 interface is enabled on the firewall:

Code:

# /etc/init.d/fw-jay start
Starting Jay's Firewall v1.0.3 :
Check of configuration's file : OK
Trying to load iptables modules ...
found internal eth0 on ip:'10.10.10.6', sub:'10.10.10.6/255.255.255.0'
found internal tap0 on ip:'10.1.0.1', sub:'10.1.0.1/255.255.255.0'
found external eth0 on ip:'10.10.10.6'
Check of iptables : OK
...


Yet even with the firewall down, I cannot connect. I think I am missing something, again, in how communications should be routed.

Server:

Code:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.10.10.1      0.0.0.0         UG    0      0        0 eth0


# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:2C:A5:B9:70
          inet addr:10.10.10.6  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18609 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:224 txqueuelen:1000
          RX bytes:2363343 (2.2 Mb)  TX bytes:5087477 (4.8 Mb)
          Interrupt:23 Base address:0x2000

tap0      Link encap:Ethernet  HWaddr 00:FF:8B:A7:0A:B8
          inet addr:10.1.0.1  Bcast:10.1.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:1557 (1.5 Kb)


Server Log:

Code:

...[0] Current Parameter Settings:
...[0]   config = 'server.conf'
...[0]   mode = 1
...[0]   persist_config = DISABLED
...[0]   persist_mode = 1
...[0]   show_ciphers = DISABLED
...[0]   show_digests = DISABLED
...[0]   show_engines = DISABLED
...[0]   genkey = DISABLED
...[0]   key_pass_file = '[UNDEF]'
...[0]   show_tls_ciphers = DISABLED
...[0]   proto = 0
...[0]   local = '[UNDEF]'
...[0]   remote_list = NULL
...[0]   remote_random = DISABLED
...[0]   local_port = 5000
...[0]   remote_port = 5000
...[0]   remote_float = DISABLED
...[0]   ipchange = '[UNDEF]'
...[0]   bind_local = ENABLED
...[0] NOTE: --mute triggered...
...[0] 152 variation(s) on previous 20 message(s) suppressed by --mute
...[0] OpenVPN 2.0_beta15 i686-pc-linux-gnu [SSL] [LZO] [PTHREAD] built on Nov 23 2004
...[0] Diffie-Hellman initialized with 2048 bit key
...[0] Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
...[0] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] TUN/TAP device tap0 opened
...[0] TUN/TAP TX queue length set to 100
...[0] /sbin/ifconfig tap0 10.1.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.0.255
...[0] Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] chroot to '/usr/local/openvpn' and cd to '/' succeeded
...[0] GID set to nobody
...[0] UID set to nobody
...[0] Socket Buffers: R=[109568->131072] S=[109568->131072]
...[0] UDPv4 link local (bound): [undef]:5000
...[0] UDPv4 link remote: [undef]
...[0] MULTI: multi_init called, r=256 v=256
...[0] IFCONFIG POOL: base=10.1.0.2 size=10
...[0] Initialization Sequence Completed


Client Log:

Code:

... Current Parameter Settings:
...   config = 'client.ovpn'
...   mode = 0
...   show_ciphers = DISABLED
...   show_digests = DISABLED
...   show_engines = DISABLED
...   genkey = DISABLED
...   key_pass_file = '[UNDEF]'
...   show_tls_ciphers = DISABLED
...   proto = 0
... NOTE: --mute triggered...
... 173 variation(s) on previous 10 message(s) suppressed by --mute
... OpenVPN 2.0_beta15 Win32-MinGW [SSL] [LZO] built on Oct 28 2004
... Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
... Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
... Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
... LZO compression initialized
... Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
... Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
... Local Options hash (VER=V4): '13a273ba'
... Expected Remote Options hash (VER=V4): '360696c5'
... Socket Buffers: R=[8192->8192] S=[8192->8192]
... UDPv4 link local (bound): [undef]:5000
... UDPv4 link remote: w.x.y.z:5000
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #6 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #7 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #8 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #9 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #10 ] [ ] pid=0 DATA len=0
... NOTE: --mute triggered...
... 18 variation(s) on previous 10 message(s) suppressed by --mute
... TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
... TLS Error: TLS handshake failed
... TCP/UDP: Closing socket
... SIGUSR1[soft,tls-error] received, process restarting
... Restart pause, 2 second(s)


With verb set to 9...

Code:

...
... LZO compression initialized
... MTU DYNAMIC mtu=0, flags=1, 0 -> 166
... TLS: tls_session_init: entry
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... TLS: tls_session_init: new session object, sid=0d9d1e3f 4f16f390
... TLS: tls_session_init: entry
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... TLS: tls_session_init: new session object, sid=b9d0ffd2 65f6f591
... Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
... MTU DYNAMIC mtu=1450, flags=2, 1574 -> 1450
... REMOTE_LIST len=1 current=0
... [0] w.x.y.z:5000
... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
... Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
... Local Options hash (VER=V4): '13a273ba'
... Expected Remote Options hash (VER=V4): '360696c5'
... Socket Buffers: R=[8192->8192] S=[8192->8192]
... UDPv4 link local (bound): [undef]:5000
... UDPv4 link remote: w.x.y.z:5000
... TIMER: coarse timer wakeup 1 seconds
... TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=0d9d1e3f 4f16f390, stored-sid=00000000 00000000, stored-ip=w.x.y.z:5000
... TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800
... ACK mark active outgoing ID 0
... TLS: Initial Handshake, sid=0d9d1e3f 4f16f390
... ACK reliable_can_send active=1 current=1 : [1] 0
... ACK reliable_send ID 0 (size=4 to=2)
... Reliable -> TCP/UDP
... ACK reliable_send_timeout 2 [1] 0
... TLS: tls_process: timeout set to 2
... NOTE: --mute triggered...
... 14 variation(s) on previous 10 message(s) suppressed by --mute
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0d9d1e3f 4f16f390 tls_hmac=099c54b8 b0a440a8 c3127cae b5aa1501 374760ce pid=[ #1 / time = (1102104700) Fri Dec 03 13:11:40 2004 ] [ ] pid=0 DATA
... WIN32 I/O: Socket Send immediate return [42,42]
... UDPv4 write returned 42
... TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=0d9d1e3f 4f16f390, stored-sid=00000000 00000000, stored-ip=w.x.y.z:5000
... TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
... ACK reliable_can_send active=1 current=0 : [1] 0
... SSL state (connect): before/connect initialization
... SSL state (connect): SSLv3 write client hello A
... ACK reliable_send_timeout 2 [1] 0
... TLS: tls_process: timeout set to 2
... TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=b9d0ffd2 65f6f591, stored-sid=00000000 00000000, stored-ip=[undef]
... NOTE: --mute triggered...
... 45 variation(s) on previous 10 message(s) suppressed by --mute
...

This continues until it times out.


The server log never shows any additional entries while the client is attempting to connect.
_________________
Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb
Apprentice

Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Fri Dec 03, 2004 9:03 pm

Try stripping your config files down to the bare minimum. Take out all the extra stuff (like key direction, cipher, compression, etc.) and add them back one by one and test until it stops working. One place to start is your tun-mtu setting; the max mtu for any connection is 1500, any bigger than that and it starts splitting the too-big packets into fragments. Lower tun-mtu to 1450 or so, to allow for the overhead that OpenVPN puts into each packet. I'm not a networking expert, and I'm not saying that will fix it, but it is a good place to start. OpenVPN (especially the later 2.0 betas) has very good default settings, especially when it comes to mtu stuff; let OpenVPN take care of that and only add the settings that you really need. An example of this is that you don't need to specify udp, OpenVPN uses it by default.

One other thing, you did add tap0 to your firewall script and make sure to open up udp 5000 on the other interfaces right? Also, keep in mind that 2.0 beta 17 and later use udp port 1194 by default. (it is the new IANA assigned port.)
_________________
Do you know what a usufruct is?
gpeangel
Tux's lil' helper

Joined: 02 Jan 2003
Posts: 132
Location: Colorado, USA

PostPosted: Fri Dec 03, 2004 10:17 pm

tdb wrote:
Try stripping your config files down to the bare minimum. Take out all the extra stuff (like key direction, cipher, compression, etc.) and add them back one by one and test until it stops working. One place to start is your tun-mtu setting; the max mtu for any connection is 1500, any bigger than that and it starts splitting the too-big packets into fragments. Lower tun-mtu to 1450 or so, to allow for the overhead that OpenVPN puts into each packet. I'm not a networking expert, and I'm not saying that will fix it, but it is a good place to start. OpenVPN (especially the later 2.0 betas) has very good default settings, especially when it comes to mtu stuff; let OpenVPN take care of that and only add the settings that you really need. An example of this is that you don't need to specify udp, OpenVPN uses it by default.

One other thing, you did add tap0 to your firewall script and make sure to open up udp 5000 on the other interfaces right? Also, keep in mind that 2.0 beta 17 and later use udp port 1194 by default. (it is the new IANA assigned port.)


Good advice, so I followed it.

First I upgraded to 2.0-beta19 and reconfigured the firewall for port 1194. With a stripped down config on both client and server, I built up what was needed based on log error messages and warnings. Leaving out all the mtu adjustments in the config files seemed to be the hitch.

I've now been able to restore full connectivity.

Thanks again for the good pointers...
_________________
Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb
Apprentice

Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Sat Dec 04, 2004 7:13 am

Glad I could help.
_________________
Do you know what a usufruct is?
mariourk
l33t

Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

PostPosted: Tue Dec 07, 2004 11:16 am

First of all, thanks for the howto. It really saved me a lot of work to figure this thing out
myself :D I have OpenVPN running fine now. However, there is still one problem. I hope you can help.
This is my situation:

I have a Gentoo-server at my company. This is the OpenVPN-server.
This Server has 2 network-cards. One is connected to an ADSL-modem and has
10.0.0.150 as IP-address. The other card has 192.168.1.1 as IP-address and connects
the OpenVPN-server to the local network of my company (192.168.1.xxx) so:
Code:

* 192.168.1.1 --> LAN
* 10.0.0.150  --> ADSL-Modem/internet/WAN (whatever you like to call it :wink: )
* 10.1.0.1    --> Tap0 (OpenVPN server)


I have my own Gentoo-server at home, this is the OpenVPN-client. It also has 2
network-cards. One is for internet/ADSL and has 10.0.0.150 as IP-address.
The other one connects the server to my own LAN (192.168.0.xxx) and has
192.168.0.1 as IP-address. so:
Code:

* 192.168.0.1 --> LAN
* 10.0.0.150  --> WAN
* 10.1.0.xxx  --> Tap0 (OpenVPN client with DHCP assigned IP-address)


The problem
I need to access my company's LAN (192.168.1.xxx) from my server.
When I do:
Code:

ssh 10.1.0.1

it works fine. But when I do:
Code:

ssh 192.168.1.1

I get no response.
What's the real goal here? I need to access one of the windows servers in my
company's LAN from an OpenVPN client. When I have this working, some people
here can access the company's LAN from their homes.
So if anyone can tell me what to do?? :?
The tap-devices are in the FORWARD-chain and set to accept.
Code:

Chain FORWARD (policy DROP 1583 packets, 76965 bytes)
 pkts bytes target     prot opt in     out     source
311 39800 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0

This is the FORWARD-chain on the OpenVPN-server, of course :wink:
Any help is most welcome :)
tdb
Apprentice

Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Tue Dec 07, 2004 2:37 pm

First, make sure the gentoo server at your company has firewall rules and routing set up to allow packets on the vpn interface. (I'm assuming it does since you said other people can get to it just fine.)

Second, you need to set up a route telling your home computer where to find the 192.168.x.x network. Your computer doesn't know that 192.168.x.x is on the other side of the vpn tunnel. Try this:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1

If that works, then you need to find a way to set that route every time OpenVPN starts. You can do this by a networking init script, or in the OpenVPN config file itself. Check the OpenVPN manpage for details.
_________________
Do you know what a usufruct is?
mariourk
l33t

Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

PostPosted: Tue Dec 07, 2004 2:53 pm

I tried to add a route. When I check it, it seems to be there and should work
fine.
Code:

Chimaera root # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     10.1.0.1        255.255.255.0   UG    0      0        0 tap0 #<-- here it is
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.0.0.2        0.0.0.0         UG    1      0        0 eth1

But I can't connect to 192.168.1.xxx :(
I really don't understand why :?
tdb
Apprentice

Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Tue Dec 07, 2004 3:28 pm

Check your netmask on the work machine. 10.x.x.x defaults to 255.0.0.0, and 192.168.x.x defaults to 255.255.255.0. Last time I had issues with routing it was because I had several 10.x.x.x networks with different netmasks. If 10.1.0.x has a 255.255.255.0 on one end, and 255.0.0.0 on the other, it might not work.

Short of that, I'm not sure.
_________________
Do you know what a usufruct is?
cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Wed Dec 08, 2004 2:14 am

FYI, OpenVPN 2.0 RC is out! I will update the mini-howto once the official 2.0 is released.
Meaulnes
n00b

Joined: 15 Mar 2004
Posts: 49

PostPosted: Thu Dec 16, 2004 4:04 am

Thank you very much for this how-to. So far it has been amazing. However, I am stuck on a certain point that I am unable to figure out. My situation is this: I am trying to set up a VPN for a PITA client that needs terminal services access to a Win2k server machine. I need the Win2k machine protected by a firewall. After a lot of head pounding, I found this how-to and am so close I can taste it. Here is how this thing is set up:

Client --> Internet --> Linux (OpenVPN / IPTables / NAT) -> Win2k
The linux box has a public IP address on eth0 and a 10.10.10.1 / 255.255.255.0 on eth1. The win2k machine is at 10.10.10.13 and is the only machine on the subnet. The only purpose of the linux box is A. to protect that win2k machine and B. act as a VPN server.

I have the client connecting and I am seeing no errors in either the client or the server log. However, I am unable to ping the vpn gateway by its private ip, nor can I ping the client machine from the vpn gateway, and I cannot ping the win2k machine (inside the lan) from the client machine. I am not sure what is wrong. I have checked and port forwarding is on:

Code:
# /etc/sysctl.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/sysctl.conf,v 1.3 2002/11/18 19:39:22 azarah Exp $

# Disables packet forwarding
net.ipv4.ip_forward = 1


So, to continue, here is my openvpn server config:

Code:
port 5000
dev tap
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
mode server
duplicate-cn
ifconfig 10.10.10.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.10.10.100 10.10.10.200 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS xxx.xxx.xxx.xxx" # push to client
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "route-gateway 10.10.10.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.10.10.0 255.255.255.0 10.10.10.1" # add route to to protected network
comp-lzo
status openvpn-status.log
verb 4



and here is the client config in linux:

Code:
port 5000
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server

tls-client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4



I am currently testing from a windows machine, so for the sake of clarity, here is the windows client config:

Code:
port 5000
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server

tls-client
ca ca.crt
cert gateway.crt
key gateway.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4


Lastly, here is my iptables startup script:

Code:
        # Assumed: the posted excerpt starts after $IPTABLES is set; it is
        # the path to the iptables binary.
        IPTABLES=/sbin/iptables
        PRIVATE=10.10.10.0/24

        # Loopback address
        LOOP=127.0.0.1

        # Delete old iptables rules
        # and temporarily block all traffic.
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -F

        # Set default policies
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP

        # Prevent external packets from using loopback addr
        $IPTABLES -A INPUT -i eth0 -s $LOOP -j DROP
        $IPTABLES -A FORWARD -i eth0 -s $LOOP -j DROP
        $IPTABLES -A INPUT -i eth0 -d $LOOP -j DROP
        $IPTABLES -A FORWARD -i eth0 -d $LOOP -j DROP

        $IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
        $IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
        $IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
        $IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP

        # Block outgoing NetBios
        $IPTABLES -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
        $IPTABLES -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
        $IPTABLES -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
        $IPTABLES -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

        # Check source address validity on packets going out to internet
        $IPTABLES -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

        # Allow local loopback
        $IPTABLES -A INPUT -s $LOOP -j ACCEPT
        $IPTABLES -A INPUT -d $LOOP -j ACCEPT

        # Allow incoming pings (can be disabled)
        $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

        # Allow ssh (can be disabled)
        $IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT

        # Allow incoming OpenVPN packets
        $IPTABLES -A INPUT -p udp --dport 5000 -j ACCEPT

        # Allow packets from TUN/TAP devices.
        $IPTABLES -A INPUT -i tun+ -j ACCEPT
        $IPTABLES -A FORWARD -i tun+ -j ACCEPT
        $IPTABLES -A INPUT -i tap+ -j ACCEPT
        $IPTABLES -A FORWARD -i tap+ -j ACCEPT
        # Allow packets from private subnets
        $IPTABLES -A INPUT -i eth1 -j ACCEPT
        $IPTABLES -A FORWARD -i eth1 -j ACCEPT

        # Keep state of connections from local machine and private subnets
        $IPTABLES -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
        $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Masquerade local subnet
        $IPTABLES -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE


Any help will be appreciated. And thanks again for this how-to
Meaulnes
n00b

Joined: 15 Mar 2004
Posts: 49

PostPosted: Thu Dec 16, 2004 1:42 pm

Well I got in to work this morning and figured it out. I was trying to use the same subnet for both the physical and the virtual. B/c of this, my tap0 and eth1 both had the same IP. I moved the virtual network over to a different subnet, and now all seems to be working swimmingly.
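Added here as an illustration (my own Python, not from Meaulnes' post or the howto): a small address-plan check that catches the two pitfalls discussed in this thread, tdb's mismatched netmask between the two tunnel ends and Meaulnes' tap subnet overlapping the physical LAN, plus a check that an ifconfig-pool range fits inside the tap subnet. The interface data is constructed from the addresses quoted in the posts; the public IP is a placeholder.

```python
import ipaddress

# Added example, not from the thread. Interface data below is constructed
# from the addresses quoted in the posts; the public IP is a placeholder.


def iface_network(ip, mask):
    """Return the on-link subnet an interface derives from its IP and netmask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def peers_agree(local_ip, local_mask, remote_ip, remote_mask):
    """True when both tunnel endpoints derive the same subnet for the tap link.

    tdb's case: 10.1.0.x with 255.255.255.0 on one end and 255.0.0.0 on
    the other.  The /8 side treats every 10.x.x.x host as directly
    reachable on tap0 and never consults routes that point elsewhere.
    """
    return iface_network(local_ip, local_mask) == iface_network(remote_ip, remote_mask)


def overlapping_interfaces(interfaces):
    """Return (name_a, name_b) pairs of interfaces on one host whose subnets overlap.

    `interfaces` is a list of (name, ip, netmask).  Meaulnes' case: eth1 and
    tap0 both configured in 10.10.10.0/24, so the kernel has two on-link
    routes for the same destinations and traffic leaves the wrong device.
    """
    nets = [(name, iface_network(ip, mask)) for name, ip, mask in interfaces]
    clashes = []
    for i, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                clashes.append((a_name, b_name))
    return clashes


def pool_inside_tap(tap_ip, tap_mask, pool_start, pool_end):
    """True when an ifconfig-pool range lies in the tap subnet and excludes the gateway."""
    net = iface_network(tap_ip, tap_mask)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    gateway = ipaddress.ip_address(tap_ip)
    return start in net and end in net and start <= end and not (start <= gateway <= end)


if __name__ == "__main__":
    # Meaulnes' original plan: physical LAN and tap share one subnet.
    broken = [
        ("eth0", "203.0.113.10", "255.255.255.0"),  # placeholder for the public IP
        ("eth1", "10.10.10.1", "255.255.255.0"),
        ("tap0", "10.10.10.1", "255.255.255.0"),
    ]
    print("overlaps before the fix:", overlapping_interfaces(broken))  # [('eth1', 'tap0')]
    # After moving the virtual network to its own subnet.
    fixed = broken[:2] + [("tap0", "10.1.0.1", "255.255.255.0")]
    print("overlaps after the fix:", overlapping_interfaces(fixed))  # []
    print("pool fits:", pool_inside_tap("10.1.0.1", "255.255.255.0", "10.1.0.100", "10.1.0.200"))  # True
    # tdb's mismatch: one end /24, the other /8.
    print("masks agree:", peers_agree("10.1.0.1", "255.255.255.0", "10.1.0.2", "255.0.0.0"))  # False
```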
AppleMasher
n00b

Joined: 09 Jul 2004
Posts: 11
Location: Chattanooga, TN

PostPosted: Sat Jan 01, 2005 8:33 pm    Post subject: Routing

First, this is a great howto; it's definitely put me on the right track.

Routing Issue (This is the part I am having trouble with)

Quote:
Q:VPN client connected to the VPN server ok, but it can't access any other nodes in the protected network. What do I do?

A: There are two options.
1) In your default gateway, you need to add the route to your protected lan with VPN server as the gateway. Using the sample environment above, you will need to add the following route.
Code:
route add -net 10.1.0.0 netmask 255.255.255.240 gw 10.2.0.3
Note: Why is the netmask 255.255.255.240? Because our VPN client IP range is 0 - 10, the netmask is given as 255.255.255.240 (which gives us 16 entries [0-15]). A power of 2 is always more efficient for a router.
2) Use ethernet bridge.


Remote Private Network: 10.0.0.0/24
Remote Private VPN Server: 10.0.0.98
Remote Public VPN Server IP: 66.*.*.*

Local Private Network: 10.65.42.0/24
Local Private VPN Client: 10.65.42.22

OpenVPN Network: 10.5.0.0/24
OpenVPN Gateway: 10.5.0.1

So it's a fairly typical, basic setup to start out with. Right now the only issue I have is I can't seem to get routing working correctly to route 10.0.0.0 traffic to my local network; 10.0.0.98 (vpn server) works fine, but 10.0.0.1 (dns server) fails.

Code:
current client routing table (route -n)
10.0.0.0        10.5.0.1        255.255.255.0   UG    0      0        0 tap0
10.65.42.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        10.5.0.1        255.255.255.0   UG    0      0        0 tap0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.65.42.1      0.0.0.0         UG    0      0        0 eth0

Code:
current server routing table (route -n)
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

I realize I need an additional route command to map 10.0.0.0 to the local network, just not sure exactly what I should use, and do I need this route command on the local client or the server?

If someone who has this working could just post me their route -n's on both the client and server I believe it would help me a ton.

thanks.
cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Mon Jan 03, 2005 1:18 am

You need to add the route at your default gateway/firewall for your 10.0.0.0 network using your VPN server 10.0.0.98 as the "gateway" for 10.5.0.0 traffic.
In your case, your add route command is:

Code:
route add -net 10.5.0.0 netmask 255.255.255.0 gw 10.0.0.98
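To show why the extra route has to live on the default gateway, here is an added Python simulation (mine, not cchee's or AppleMasher's) that does longest-prefix lookups over the two `route -n` tables posted above plus an assumed table for the gateway 10.0.0.1 (its interface names and the ISP next hop 198.51.100.1 are placeholders). Replies from 10.0.0.98 already go into tap0, while replies from 10.0.0.1 to a 10.5.0.x client follow its default route until the route via 10.0.0.98 is added.

```python
import ipaddress

# Added example, not from the thread. The client and server tables are copied
# from AppleMasher's `route -n` output; the gateway table for 10.0.0.1 is
# assumed (interface names and the ISP next hop 198.51.100.1 are placeholders).

CLIENT_ROUTES = """
10.0.0.0        10.5.0.1        255.255.255.0   UG    0      0        0 tap0
10.65.42.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        10.5.0.1        255.255.255.0   UG    0      0        0 tap0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.65.42.1      0.0.0.0         UG    0      0        0 eth0
"""

SERVER_ROUTES = """
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
"""

# Assumed table for the LAN default gateway 10.0.0.1 before cchee's route is added.
GATEWAY_ROUTES_BEFORE = """
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth0
"""

# The same table after `route add -net 10.5.0.0 netmask 255.255.255.0 gw 10.0.0.98`.
GATEWAY_ROUTES_AFTER = GATEWAY_ROUTES_BEFORE + (
    "10.5.0.0        10.0.0.98       255.255.255.0   UG    0      0        0 eth1\n"
)

ALIASES = {"default": "0.0.0.0", "*": "0.0.0.0"}  # spellings used by plain `route`


def parse_routes(table):
    """Parse `route`/`route -n` lines into (network, gateway, iface) tuples.

    A gateway of 0.0.0.0 means the destination is on-link.  Lines that do
    not parse as a route (headers, the loopback/localhost names) are skipped.
    """
    routes = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        try:
            net = ipaddress.ip_network(f"{ALIASES.get(dest, dest)}/{mask}")
            gw = ALIASES.get(gw, gw)
            ipaddress.ip_address(gw)
        except ValueError:
            continue
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: return (gateway, iface) for dst, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def reply_reaches_tunnel(routes, client_ip, vpn_server_lan_ip, tap_iface="tap0"):
    """True if a host's reply to a VPN client is sent into the tap device or to the VPN server."""
    hop = lookup(routes, client_ip)
    if hop is None:
        return False
    gw, iface = hop
    return iface == tap_iface or gw == vpn_server_lan_ip


if __name__ == "__main__":
    client = "10.5.0.22"  # placeholder address from the 10.5.0.0/24 pool
    print("client -> 10.0.0.1:", lookup(parse_routes(CLIENT_ROUTES), "10.0.0.1"))
    print("10.0.0.98 reply ok:", reply_reaches_tunnel(parse_routes(SERVER_ROUTES), client, "10.0.0.98"))
    print("10.0.0.1 reply ok (before):", reply_reaches_tunnel(parse_routes(GATEWAY_ROUTES_BEFORE), client, "10.0.0.98"))
    print("10.0.0.1 reply ok (after): ", reply_reaches_tunnel(parse_routes(GATEWAY_ROUTES_AFTER), client, "10.0.0.98"))
```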
AppleMasher
n00b

Joined: 09 Jul 2004
Posts: 11
Location: Chattanooga, TN

PostPosted: Mon Jan 03, 2005 8:08 pm

Thanks it all makes sense now. I just misinterpreted what you said the first time.
cchee
Apprentice

Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Sat Jan 08, 2005 7:13 pm

mini HOWTO updated to include support for openvpn 2.0 rc6.
whit
Tux's lil' helper

Joined: 26 Oct 2002
Posts: 121
Location: VT

PostPosted: Thu Jan 20, 2005 5:19 pm    Post subject: Bridging?

Has anyone basically followed this recipe but added bridging?
All times are GMT
Page 2 of 5