Gentoo Forums
OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp)

cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Fri Jan 21, 2005 1:14 pm

I believe you can find information about bridging in the INSTALL from openvpn or their website, and in other posts in the Gentoo forum.
whit
Tux's lil' helper


Joined: 26 Oct 2002
Posts: 121
Location: VT

Posted: Fri Jan 21, 2005 5:46 pm

cchee wrote:
I believe you can find information about bridging in the INSTALL from openvpn or their website, and in other posts in the Gentoo forum.


Thanks. There's info about bridging out there. What I'm wondering is if anyone has started with this HOWTO, and then added bridging, or whether this HOWTO isn't compatible with a bridged setup - whether it would be best to start elsewhere or from scratch.

The OpenVPN project has lots of healthy activity around it, but that activity has so far produced a bunch of fragmentary documentation rather than - well - the sort of concise-yet-complete instructions that the best of Gentoo's own core documentation has achieved. Sorting through all the different OpenVPN docs and third-party HOWTOs, then figuring out how to combine details from different approaches to get where I need to go (bridged vpn for a dozen remote users mostly on cable modems on different services, mostly on Windows, but also on OS/X and Linux) is puzzling - as you know.
Teardrop
Apprentice


Joined: 21 Oct 2002
Posts: 176

Posted: Mon Jan 24, 2005 4:15 pm

Hi guys,

I got a little problem; perhaps someone could help me out:

1) If I start openvpn with /etc/init.d/openvpn start I get a file open error with the dh1024.pem. It is something about the path, bc when I start openvpn in the path where the dh.pem is, it works.

2) after the initialization of the openvpn server i get the following error when my client tries to log on:

Quote:
Mon Jan 24 17:08:30 2005 us=962955 Initialization Sequence Completed
Mon Jan 24 17:08:40 2005 us=813012 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jan 24 17:08:40 2005 us=813049 TLS Error: incoming packet authentication failed from 213.3.188.32:13741
Mon Jan 24 17:08:43 2005 us=252936 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jan 24 17:08:43 2005 us=252983 TLS Error: incoming packet authentication failed from 213.3.188.32:13741


I checked the tls-auth - that should be okay. Any idea what I could do?

thx a lot guys

cu Teardrop
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Tue Jan 25, 2005 3:37 am

You can either use an absolute path, or there is another directive in the config file you can use to specify the base directory for config files.
Teardrop
Apprentice


Joined: 21 Oct 2002
Posts: 176

Posted: Tue Jan 25, 2005 6:59 am

Thx, gonna try that.

Still going after problem #2 bc that is what bothers me atm most! Is it perhaps that I didn't specify the purpose (server, client) with my certs? If yes, where can I do that?


Any help appreciated.

thx Teardrop

UPDATE
1) Solved ;)
2) I narrowed the problem. If I don't use the ta.key/ta-key.txt, openvpn works fine. But I would like to use that security option too. Any ideas?

Finally working. Don't know what it really was. Made the keys about 1000 times in different ways, now it's working.
dashnu
l33t


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

Posted: Wed Mar 02, 2005 5:31 pm

I am testing this with a very minimal setup. I have gone through your how-to only to end up with a few issues. I have got my server up and running ok with no errors.
Code:
port 5000
dev tap
tls-server
ca iwfinancial/ca.crt
cert keys/myl.crt
key keys/my.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS 10.2.0.1" # push DNS entries to openvpn client
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1" # add route to protected network
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4

I created and signed all my keys and also checked them with the openssl verify commands. All checks out so I think this is a client side issue.

My client is also a Gentoo box.

Code:
port 5000
dev tap
remote 192.168.1.251

tls-client
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4


As you can see, I am testing this internally. When I start openvpn on the client I get this in the logs...

Code:
Mar  2 12:26:08 laptop openvpn-local[25593]: TLS Error: Unroutable control packet received from 192.168.1.251:5000 (si=3 op=P_CONTROL_V1)

And on the server I get the following.
Code:
Mar  2 12:24:50 dulcinea openvpn-local[7003]: 192.168.1.83:5000 Expected Remote Options hash (VER=V4): '13a273ba'
Mar  2 12:24:50 dulcinea openvpn-local[7003]: 192.168.1.83:5000 TLS: Initial packet from 192.168.1.83:5000, sid=acecdcab ac83e158
Mar  2 12:24:52 dulcinea openvpn-local[7003]: 192.168.1.83:5000 write UDPv4 [ECONNREFUSED|ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)

I created a ta.key and have the same ta.key on each machine. Is this correct? And I am really confused as to what keys I need to create on the client. So I created the same keys that I did on the server.

Any help would be great.
_________________
write quit bang
Teardrop
Apprentice


Joined: 21 Oct 2002
Posts: 176

Posted: Wed Mar 02, 2005 5:57 pm

Hi,

As you wrote in the config file of your client, you need:

- ca.crt
- ta.key
- client.crt

and

- dh2048.pem (or dh1024.pem)
- client.key

Hope that helps, but I am not sure if you have some routing problems...

cu Teardrop
dashnu
l33t


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

Posted: Wed Mar 02, 2005 6:43 pm

OK, to get this working I tar-ed up my /etc/openvpn/ and all the keys and scp'ed it to the client machine. I can now connect. :P Not sure if this is what I should be doing, but ehhhh... I can now ping 10.1.0.1 but I cannot resolve any names or anything...
_________________
write quit bang
dashnu
l33t


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

Posted: Wed Mar 02, 2005 7:52 pm

This is my network.

Internet --> Firewall --> switch --> VPN Server
--> 6 other machines on the local net. 192.168.1.x ip range

My firewall box also serves as my internal DNS / DHCP / gateway server (I know, bad idea). I want to allow name resolution? I want to be able to ping the IPs of the local net?

What do I need to do?

I tried to add
Code:
push "route 192.168.1.0 255.255.255.0"

Code:
push "dhcp-option DNS 192.168.1.1" # push DNS entries to openvpn client
push "dhcp-option DNS 192.168.1.1"
push "route-gateway 192.168.1.1" # push default gateway


192.168.1.1 is my DNS / DHCP server.

I am reading up on openvpn as I type; I am a master of multitasking :p This is all brand new to me, sorry for the lame questions.
_________________
write quit bang
Teardrop
Apprentice


Joined: 21 Oct 2002
Posts: 176

Posted: Wed Mar 02, 2005 9:17 pm

You still have to let the firewall on your server route the 10.1.0.2-11 IPs. A good firewall doesn't allow IP forwarding or NAT on different IPs than your internal network. Add that rule and you will be good to go.

cu Teardrop
dashnu
l33t


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

Posted: Thu Mar 03, 2005 3:55 pm

Has anyone had any experience with Mac for the client side of this? Is it a pain in the arse? Will it be easy for my users to use? What about Windows? I do not have any test machines other than my local Linux laptop :( Is this a good full VPN solution, or should I look into something more common? The more I look into this, the more difficult it seems to administer.
_________________
write quit bang
Teardrop
Apprentice


Joined: 21 Oct 2002
Posts: 176

Posted: Thu Mar 03, 2005 4:03 pm

If you take openvpn 2.0, Windows is no problem at all. I admin 5 laptops like that. Mac I don't know. I find Macs themselves a pain in the a.s ;)

cu Teardrop
nepto
n00b


Joined: 04 Sep 2003
Posts: 16
Location: Slovakia

Posted: Wed Mar 16, 2005 11:56 pm

Will Cisco VPN client work with this solution?
_________________
Ondrej Jombik
Visit my homepage, review my recent CV or projects and give me some feedback.
petterg
Guru


Joined: 25 Mar 2004
Posts: 465
Location: Oslo, Norway

Posted: Fri Mar 18, 2005 9:32 am

This howto was a great help to make openvpn work on my Gentoo server! Thanks a lot!

I was wondering one thing: it seems like a good idea to me to generate one certificate for each user and put it into the user's homedir. Is there any way to generate one certificate for each user in a usergroup? (I was thinking of using the username as common_name.)
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Thu Mar 24, 2005 9:04 pm

Troubleshooting section updated to include minor change to access control for 2.0_rc17.
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Fri Apr 08, 2005 11:13 pm

Stumbled upon this page, thought Linux users may be interested in this one.
http://www.skynet.ie/~jonathan/blog/index.php?cat=8
eschoeller
n00b


Joined: 03 May 2004
Posts: 35

Posted: Wed Apr 27, 2005 5:38 pm    Post subject: Problems starting openvpn

I set everything up according to this how-to (or at least I'm pretty confident that I have).
Anyway, when I try to run the Gentoo init script to bring the VPN connection up, it doesn't start.
I see this in the log files:

Apr 27 11:32:04 [openvpn] Options error: --pull cannot be used with --mode server
Apr 27 11:32:04 [openvpn] Use --help for more information.

I take it there is something wrong with my config file, but I have copied it exactly as it was posted in this how-to.

Any ideas would be greatly appreciated.
eschoeller
n00b


Joined: 03 May 2004
Posts: 35

Posted: Wed Apr 27, 2005 7:08 pm    Post subject: Problems starting openvpn

BTW, I am running the latest 2.0 ebuild provided at the bugzilla link in this how-to.

thx
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Fri Apr 29, 2005 4:32 am    Post subject: Re: Problems starting openvpn

eschoeller wrote:
I set everything up according to this how-to (or at least I'm pretty confident that I have).
Anyway, when I try to run the Gentoo init script to bring the VPN connection up, it doesn't start.
I see this in the log files:

Apr 27 11:32:04 [openvpn] Options error: --pull cannot be used with --mode server
Apr 27 11:32:04 [openvpn] Use --help for more information.

I take it there is something wrong with my config file, but I have copied it exactly as it was posted in this how-to.

Any ideas would be greatly appreciated.


When you use mode server, you can't pull in your dhcp-option.

The server pushes dhcp-option to the client.
The client pulls dhcp-option from the server.

Hope this helps.
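A small config sanity check, added here as an example (it is not code from the HOWTO or from the OpenVPN project), covering cchee's two answers above (an absolute path or the base-directory directive `cd` for key files; `pull` cannot be combined with `mode server`) and Teardrop's "packet HMAC authentication failed" errors, for which one common cause is a `tls-auth` key direction that is the same on both ends instead of 0 on the server and 1 on the client. The option names are OpenVPN's; the two configs embedded below are constructed for the demonstration.

```python
# Added example (not the HOWTO's or OpenVPN's own code): sanity-check a server
# and client config for the three problems raised in this thread: `pull` combined
# with `mode server` (openvpn refuses to start); tls-auth key directions that are
# not complementary 0/1, seen as "packet HMAC authentication failed"; and relative
# key/cert paths with no `cd` directive, which only work from that directory.
from typing import Dict, List, Optional

Config = Dict[str, List[List[str]]]          # option -> list of argument lists
FILE_OPTIONS = ("ca", "cert", "key", "dh", "tls-auth")

def parse_config(text: str) -> Config:
    """Collect each option's argument lists; '#'/';' comments are skipped."""
    opts: Config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing '#' comments
        if line and not line.startswith(";"):
            parts = line.split()
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def tls_auth_direction(opts: Config) -> Optional[str]:
    """Key-direction argument of tls-auth (the 0/1 after ta.key), or None."""
    args = opts.get("tls-auth", [[]])[0]
    return args[1] if len(args) > 1 else None

def check_side(opts: Config, label: str) -> List[str]:
    problems = []
    if "pull" in opts and ["server"] in opts.get("mode", []):
        problems.append(f"{label}: --pull cannot be used with --mode server")
    if "cd" not in opts:   # without cd, relative paths resolve against the cwd
        for name in FILE_OPTIONS:
            for args in opts.get(name, []):
                if args and not args[0].startswith("/"):
                    problems.append(f"{label}: '{name} {args[0]}' is relative; "
                                    "use an absolute path or add a 'cd' directive")
    return problems

def check_pair(server_text: str, client_text: str) -> List[str]:
    server, client = parse_config(server_text), parse_config(client_text)
    problems = check_side(server, "server") + check_side(client, "client")
    s, c = tls_auth_direction(server), tls_auth_direction(client)
    if (s is None) != (c is None) or (s is not None and {s, c} != {"0", "1"}):
        problems.append(f"tls-auth: directions must be 0/1, got server={s} client={c}")
    return problems

# Constructed configs modelled on the thread: direction 0 on both ends, stray `pull`.
SERVER_CONF = "mode server\ntls-server\ndev tap\ncd /etc/openvpn\nca keys/ca.crt\ntls-auth keys/ta.key 0\npull\n"
CLIENT_CONF = "tls-client\ndev tap\nremote 192.168.1.251\nca keys/ca.crt\ntls-auth keys/ta.key 0\npull\n"
if __name__ == "__main__":
    for problem in check_pair(SERVER_CONF, CLIENT_CONF):
        print(problem)
```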
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Wed May 04, 2005 1:20 pm

Good news! openvpn 2.0 is in portage ~x86.
dashnu
l33t


Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

Posted: Wed May 04, 2005 1:37 pm

Do you plan to update this doc for 2.x?

*edit: nm, I guess the configs will be the same... for the most part.
_________________
write quit bang
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Wed May 04, 2005 2:06 pm

I did some incremental updates, but I do plan to update the doc a bit to reflect 2.0 official next week. Too busy this week. :)
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Thu May 19, 2005 7:12 pm

Updated HOWTO to reflect the official 2.0 release.
Added an additional Q&A in the Troubleshooting section related to the new /etc/init.d/openvpn script.
ponzio
n00b


Joined: 09 Mar 2005
Posts: 41

Posted: Tue May 31, 2005 12:41 pm

Hi, I get the "unroutable" error:
Code:
Tue May 31 14:39:57 2005 us=849037 TLS Error: Unroutable control packet received from x.x.x.x:1024 (si=3 op=P_CONTROL_V1)

But the certificate seems OK:
Code:
myhost client # openssl verify -purpose sslclient -CAfile ca.crt client.crt
    client.crt: OK

What does it mean?
Thanks,
Marco
cchee
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

Posted: Mon Jun 06, 2005 2:55 pm

Check your server-side certificate also. In addition, it is possible you have a problem with networking (packet drops), which also causes this type of problem. Last time I had a similar problem, it was resolved after I replaced a bad cable.
All times are GMT
Page 3 of 5