cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Fri Jan 21, 2005 1:14 pm
I believe you can find information about bridging in the INSTALL from OpenVPN or on their website, and in other posts on the Gentoo forum.

whit Tux's lil' helper
Joined: 26 Oct 2002 Posts: 121 Location: VT
Posted: Fri Jan 21, 2005 5:46 pm
cchee wrote: | I believe you can find information about bridging in the INSTALL from openvpn or their website and other post in gentoo forum. |
Thanks. There's info about bridging out there. What I'm wondering is if anyone has started with this HOWTO, and then added bridging, or whether this HOWTO isn't compatible with a bridged setup - whether it would be best to start elsewhere or from scratch.
The OpenVPN project has lots of healthy activity around it, but that activity has so far produced a bunch of fragmentary documentation rather than - well - the sort of concise-yet-complete instructions that the best of Gentoo's own core documentation has achieved. Sorting through all the different OpenVPN docs and third-party HOWTOs, then figuring out how to combine details from different approaches to get where I need to go (bridged VPN for a dozen remote users mostly on cable modems on different services, mostly on Windows, but also on OS X and Linux) is puzzling - as you know.

Teardrop Apprentice
Joined: 21 Oct 2002 Posts: 176
Posted: Mon Jan 24, 2005 4:15 pm
hi guys
I've got a little problem; perhaps someone could help me out:
1) If I start openvpn with /etc/init.d/openvpn start I get a file open error with the dh1024.pem. It is something about the path, because when I start openvpn in the path where the dh.pem is, it works.
2) After the initialization of the openvpn server I get the following error when my client tries to log on:
Quote:
Mon Jan 24 17:08:30 2005 us=962955 Initialization Sequence Completed
Mon Jan 24 17:08:40 2005 us=813012 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jan 24 17:08:40 2005 us=813049 TLS Error: incoming packet authentication failed from 213.3.188.32:13741
Mon Jan 24 17:08:43 2005 us=252936 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jan 24 17:08:43 2005 us=252983 TLS Error: incoming packet authentication failed from 213.3.188.32:13741
I checked the tls-auth - that should be okay. Any idea what I could do?
thx a lot guys
cu Teardrop

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Jan 25, 2005 3:37 am
You can either use an absolute path, or there is another directive in the config file you can use to specify the base directory for config files.

Teardrop Apprentice
Joined: 21 Oct 2002 Posts: 176
Posted: Tue Jan 25, 2005 6:59 am
thx, gonna try that.
Still going after problem #2, because that is what bothers me most atm! Is it perhaps that I didn't specify the purpose (server, client) with my certs? If yes, where can I do that?
Any help appreciated.
thx Teardrop
UPDATE
1) solved
2) I narrowed the problem down. If I don't use the ta.key/ta-key.txt, openvpn works fine. But I would like to use that security option too. Any ideas?
Finally working. Don't know what it really was. Made the keys about 1000 times in different ways; now it's working.

dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Wed Mar 02, 2005 5:31 pm
I am testing this with a very minimal setup. I have gone through your how-to only to end up with a few issues. I have got my server up and running ok with no errors.
Code:
port 5000
dev tap
tls-server
ca iwfinancial/ca.crt
cert keys/myl.crt
key keys/my.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS 10.2.0.1" # push DNS entries to openvpn client
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1" # add route to protected network
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4
I created and signed all my keys and also checked them with the openssl verify commands. All checks out so I think this is a client side issue.
my client is also a gentoo box.
Code:
port 5000
dev tap
remote 192.168.1.251
tls-client
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
As you can see, I am testing this internally. When I start openvpn on the client I get this in the logs...
Code:
Mar 2 12:26:08 laptop openvpn-local[25593]: TLS Error: Unroutable control packet received from 192.168.1.251:5000 (si=3 op=P_CONTROL_V1)
and on the server i get the following.
Code:
Mar 2 12:24:50 dulcinea openvpn-local[7003]: 192.168.1.83:5000 Expected Remote Options hash (VER=V4): '13a273ba'
Mar 2 12:24:50 dulcinea openvpn-local[7003]: 192.168.1.83:5000 TLS: Initial packet from 192.168.1.83:5000, sid=acecdcab ac83e158
Mar 2 12:24:52 dulcinea openvpn-local[7003]: 192.168.1.83:5000 write UDPv4 [ECONNREFUSED|ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)
I created a ta.key and have the same ta.key on each machine. Is this correct? And I am really confused as to what keys I need to create on the client. So I created the same keys that I did on the server.
Any help would be great.
write quit bang

Teardrop Apprentice
Joined: 21 Oct 2002 Posts: 176
Posted: Wed Mar 02, 2005 5:57 pm
hi
As you wrote in the config file of your client, you need:
- ca.crt
- ta.key
- client.crt
and
- dh2048.pem (or dh1024.pem)
- client.key
Hope that helps, but I am not sure if you have some routing problems...
cu Teardrop

dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Wed Mar 02, 2005 6:43 pm
OK. To get this working I tarred up my /etc/openvpn/ and all the keys and scp'd it to the client machine. I can now connect. Not sure if this is what I should be doing, but ehhhh... I can now ping 10.1.0.1 but I cannot resolve any names or anything...

dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Wed Mar 02, 2005 7:52 pm
This is my network.
Internet --> Firewall --> switch --> VPN Server
                                --> 6 other machines on the local net, 192.168.1.x ip range
My firewall box also serves as my internal DNS / DHCP / gateway server (I know, bad idea). I want to allow name resolution. I want to be able to ping the IPs of the local net.
What do I need to do?
I tried to add
Code:
push "route 192.168.1.0 255.255.255.0"
Code:
push "dhcp-option DNS 192.168.1.1" # push DNS entries to openvpn client
push "dhcp-option DNS 192.168.1.1"
push "route-gateway 192.168.1.1" # push default gateway
192.168.1.1 is my DNS / DHCP server.
I am reading up on openvpn as I type; I am a master of multitasking :p This is all brand new to me, sorry for the lame questions.

Teardrop Apprentice
Joined: 21 Oct 2002 Posts: 176
Posted: Wed Mar 02, 2005 9:17 pm
You still have to let the firewall on your server route the 10.1.0.2-11 IPs. A good firewall doesn't allow IP forwarding or NAT on different IPs than your internal network. Add that rule and you will be good to go.
cu Teardrop

dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Thu Mar 03, 2005 3:55 pm
Has anyone had any experience with Mac for the client side of this? Is it a pain in the arse? Will it be easy for my users to use? What about Windows? I do not have any test machines other than my local Linux laptop. Is this a good full VPN solution, or should I look into something more common? The more I look into this, the more difficult it seems to administer.

Teardrop Apprentice
Joined: 21 Oct 2002 Posts: 176
Posted: Thu Mar 03, 2005 4:03 pm
If you take openvpn 2.0, Windows is no problem at all. I admin 5 laptops like that. Mac I don't know; I find Macs themselves a pain in the a.s
cu Teardrop

nepto n00b
Joined: 04 Sep 2003 Posts: 16 Location: Slovakia
Posted: Wed Mar 16, 2005 11:56 pm
Will Cisco VPN client work with this solution?
Ondrej Jombik

petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Fri Mar 18, 2005 9:32 am
This howto was a great help to make openvpn work on my Gentoo server! Thanks a lot!
I was wondering one thing: it seems like a good idea to me to generate one certificate for each user and put it into the user's homedir. Is there any way to generate one certificate for all users in a usergroup? (I was thinking of using the username as common_name.)

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Thu Mar 24, 2005 9:04 pm
Troubleshooting section updated to include minor change to access control for 2.0_rc17.

eschoeller n00b
Joined: 03 May 2004 Posts: 35
Posted: Wed Apr 27, 2005 5:38 pm Post subject: Problems starting openvpn
I set everything up according to this how-to (or at least I'm pretty confident that I have).
Anyway, when I try to run the Gentoo init script to bring the VPN connection up, it doesn't start.
I see this in the log files:
Apr 27 11:32:04 [openvpn] Options error: --pull cannot be used with --mode server
Apr 27 11:32:04 [openvpn] Use --help for more information.
I take it there is something wrong with my config file, but I have copied it exactly as it was posted in this how-to.
Any ideas would be greatly appreciated.

eschoeller n00b
Joined: 03 May 2004 Posts: 35
Posted: Wed Apr 27, 2005 7:08 pm Post subject: Problems starting openvpn
BTW, I am running the latest 2.0 ebuild provided at the bugzilla link in this how-to.
thx

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Fri Apr 29, 2005 4:32 am Post subject: Re: Problems starting openvpn
eschoeller wrote:
    I set everything up according to this how-to (or at least I'm pretty confident that I have).
    Anyway, when I try to run the Gentoo init script to bring the VPN connection up, it doesn't start.
    I see this in the log files:
    Apr 27 11:32:04 [openvpn] Options error: --pull cannot be used with --mode server
    Apr 27 11:32:04 [openvpn] Use --help for more information.
    I take it there is something wrong with my config file, but I have copied it exactly as it was posted in this how-to.
    Any ideas would be greatly appreciated.
When you use mode server, you can't pull in your dhcp-option.
The server pushes dhcp-option to the client.
The client pulls dhcp-option from the server.
Hope this helps.
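The rule cchee gives here (the server pushes, the client pulls) and the two earlier snags in this thread (key files not found when openvpn is started from the init script, and "packet HMAC authentication failed" with tls-auth) can all be caught before the daemon is started. The following is an added example, not code from this HOWTO or from the OpenVPN project: a small Python checker that reads two constructed configs, flags pull together with mode server, resolves key paths the way a cd directive (or its absence) does, and compares the tls-auth key direction and the ta.key bytes on both sides. The sample configs, the /home/alice/openvpn client location and the in-memory stand-in filesystem are assumptions; the directives it reads are real OpenVPN 2.x options.

```python
"""Offline sanity checks for an OpenVPN 2.x server/client config pair.
Added example for this thread, not OpenVPN project code. The directives it
reads (cd, mode, tls-server, pull, tls-auth, ca, cert, key, dh) are real
OpenVPN 2.x options; the configs and the "filesystem" below are constructed."""
import hashlib
import posixpath
import shlex

FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "secret")

# Constructed stand-in filesystem (path -> bytes); _TA is a placeholder, not a real key.
_TA = b"<constructed placeholder for the shared ta.key>"
FAKE_FS = {"/etc/openvpn/keys/ta.key": _TA, "/home/alice/openvpn/keys/ta.key": _TA}
for _name in ("ca.crt", "server.crt", "server.key", "dh1024.pem"):
    FAKE_FS["/etc/openvpn/keys/" + _name] = b"<constructed " + _name.encode() + b">"
for _name in ("ca.crt", "client.crt", "client.key"):
    FAKE_FS["/home/alice/openvpn/keys/" + _name] = b"<constructed " + _name.encode() + b">"

# Constructed server config, including the 'pull' line behind the
# "--pull cannot be used with --mode server" error reported in the thread.
SERVER_CONF = """\
cd /etc/openvpn
port 5000
dev tap
mode server
tls-server
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
push "dhcp-option DNS 10.2.0.1"   # pushed to clients
pull
"""

# Constructed client config; /home/alice/openvpn is an assumed location.
CLIENT_CONF = """\
cd /home/alice/openvpn
remote 192.168.1.251
tls-client
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
pull
"""


def parse(text):
    """[(directive, [args])]; blank/comment lines skipped, trailing '# ...' dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def directive(entries, name):
    """Args of the first `name` directive ([] for a bare flag), None if absent."""
    return next((args for d, args in entries if d == name), None)


def resolve_paths(entries, start_dir="/"):
    """Absolute path OpenVPN opens per file directive: relative paths resolve
    against 'cd', else against the daemon's working directory (an init script
    rarely starts in the config directory; '/' here is an assumption)."""
    cd = directive(entries, "cd")
    base = cd[0] if cd else start_dir
    return {d: posixpath.join(base, args[0])
            for d, args in entries if d in FILE_DIRECTIVES and args}


def check_config(text, start_dir="/", fs=FAKE_FS):
    """Problems in one config: pull with mode server, unreadable files,
    wrong tls-auth key direction (server uses 0, client uses 1)."""
    entries, problems = parse(text), []
    mode = directive(entries, "mode")
    is_server = (mode or [None])[0] == "server" or directive(entries, "tls-server") is not None
    if is_server and directive(entries, "pull") is not None:
        problems.append("pull cannot be used with mode server (server pushes, client pulls)")
    missing = [(d, p) for d, p in resolve_paths(entries, start_dir).items() if p not in fs]
    problems += [f"{d}: cannot open {p}" for d, p in missing]
    if missing and directive(entries, "cd") is None:
        problems.append("relative paths resolve against the daemon's working "
                        "directory; use absolute paths or a cd directive")
    ta, role = directive(entries, "tls-auth"), "server" if is_server else "client"
    if ta and len(ta) > 1 and ta[1] != ("0" if is_server else "1"):
        problems.append(f"tls-auth direction {ta[1]} is wrong for a {role} (server 0, client 1)")
    return problems


def check_pair(server_text, client_text, server_dir="/", client_dir="/", fs=FAKE_FS):
    """Per-config problems plus cross checks: tls-auth on both sides or neither,
    and byte-identical ta.key (the usual cause of 'packet HMAC authentication
    failed' when the rest of the TLS setup is fine)."""
    problems = check_config(server_text, server_dir, fs) + check_config(client_text, client_dir, fs)
    s, c = parse(server_text), parse(client_text)
    s_ta, c_ta = directive(s, "tls-auth"), directive(c, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth configured on one side only; HMAC checks will fail")
    elif s_ta and c_ta:
        keys = [fs.get(resolve_paths(e, d).get("tls-auth")) for e, d in ((s, server_dir), (c, client_dir))]
        if None not in keys and len({hashlib.sha256(k).hexdigest() for k in keys}) != 1:
            problems.append("ta.key differs between server and client (compare sha256sum on both hosts)")
    return problems
```

Running check_pair(SERVER_CONF, CLIENT_CONF) reports only the pull/mode server conflict; dropping the cd line from the server config and checking with the default start directory reproduces the "cannot open" failures Teardrop hit from the init script. On real hosts, compare the sha256 of ta.key on both sides the same way rather than trusting that the copy went through unchanged.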

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Wed May 04, 2005 1:20 pm
Good news! openvpn 2.0 is in portage ~x86

dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Wed May 04, 2005 1:37 pm
Do you plan to update this doc for 2.x?
*edit: nm, I guess the configs will be the same... for the most part.

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Wed May 04, 2005 2:06 pm
I did some incremental updates, but I do plan to update the doc a bit to reflect 2.0 official next week. Too busy this week.

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Thu May 19, 2005 7:12 pm
Updated HOWTO to reflect official 2.0 release.
Added an additional Q&A in the Troubleshooting section related to the new /etc/init.d/openvpn script.

ponzio n00b
Joined: 09 Mar 2005 Posts: 41
Posted: Tue May 31, 2005 12:41 pm
Hi, I get the "unroutable" error:
Code:
Tue May 31 14:39:57 2005 us=849037 TLS Error: Unroutable control packet received from x.x.x.x:1024 (si=3 op=P_CONTROL_V1)
but the certificate seems OK:
Code:
myhost client # openssl verify -purpose sslclient -CAfile ca.crt client.crt
client.crt: OK
What does it mean?
thanks,
marco

cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Mon Jun 06, 2005 2:55 pm
Check your server-side certificate also. In addition, it is possible you have a problem with networking (packet drop), which also causes this type of problem. Last time I had a similar problem, it was resolved after I replaced a bad cable.