tdb (Apprentice)
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Fri Nov 12, 2004 7:08 am
FYI OpenVPN was assigned an official port number by IANA recently. It now officially uses port 1194 for both TCP and UDP communications. All versions of OpenVPN starting with 2.0 beta 17 will now default to port 1194 instead of 5000. You can, of course, continue to use port 5000, or any port you want, by using the --port option.
_________________
Do you know what a usufruct is?
mariourk (l33t)
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Nov 17, 2004 10:27 am
Quote:
    # Send the /root/openvpn/gateway.csr to your CA authority

I have no idea who my CA authority is...
Can someone explain this to me? Does someone know a good page
that explains this whole encryption-thing in detail?? I really don't understand this
cchee (Apprentice)
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Wed Nov 17, 2004 5:45 pm
mariourk wrote:
    Quote:
        # Send the /root/openvpn/gateway.csr to your CA authority

    I have no idea who my CA authority is...
    Can someone explain this to me? Does someone know a good page
    that explains this whole encryption-thing in detail?? I really don't understand this

Here is the educational info: http://en.wikipedia.org/wiki/Certificate_authority
You can be your own CA if you choose to do so. There is a section in this topic (page 1) that provides information on how to sign your own certificate. If you are in a corporate setting, check with your system administrator and he can tell you if you have a CA server on your corporate LAN. Hope this helps.
tdb (Apprentice)
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Wed Nov 17, 2004 6:02 pm
One thing to keep in mind is that Verisign and Thawte and the like are also CAs, but you don't want to use them for your certificate. The reason why is that by default, OpenVPN will let any two peers connect to each other if both their certificates are signed by the same CA. So, if you used a certificate from Verisign or Thawte, then anyone else whose certificate was signed by Verisign or Thawte would be allowed to connect too. OpenVPN has several methods to prevent this from happening, including HMAC authentication, scripting to check the "common name" and fingerprints of certificates, and even support for accepting a username and password (in 2.0 beta 12 and later) along with (or in lieu of) a certificate.
Bottom line, once you figure out what a CA is, you're going to want to use your own internal CA and not an outside one.
_________________
Do you know what a usufruct is?
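The "scripting to check the common name" that tdb mentions is the check a defender wants even with a private CA: a valid signature only proves the CA issued the certificate, not that this particular holder is welcome on this VPN. The script below is an added example written for this thread, not code from the forum posts or from the OpenVPN project. It is shaped like an OpenVPN --tls-verify command, which OpenVPN 2.0 runs once per certificate in the chain with two arguments, the depth (0 for the peer's own certificate) and the X.509 subject string in the same slash-separated form as the VERIFY OK lines in the logs later in this thread. The allow-list names, the file name tls-verify-cn.py and the sample subjects are constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not from the forum thread): a --tls-verify style check that
accepts only peers whose certificate Common Name is on an allow-list.

OpenVPN 2.0 calls the --tls-verify command with two arguments: the depth
(0 = the peer's own certificate, 1+ = the issuing chain) and the X.509
subject, e.g.  /C=US/ST=CO/O=Java_Zen/CN=client/emailAddress=webmaster@myserver.com
Exit status 0 accepts the certificate; anything else rejects the connection.
"""
import sys

# Constructed allow-list (hypothetical names): the only client CNs this
# server should accept, even though the CA could sign many more.
ALLOWED_CN = {"client", "laptop-gpeangel"}


def parse_subject(subject):
    """Turn '/C=US/ST=CO/CN=client/emailAddress=x' into a dict of RDN -> value."""
    fields = {}
    for part in subject.strip("/").split("/"):
        if "=" not in part:
            continue  # not a 'name=value' component; ignore it
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def verify(depth, subject, allowed=ALLOWED_CN):
    """Return True if this certificate should be accepted.

    Depth > 0 certificates are the CA chain, which OpenVPN has already
    checked against --ca, so only the leaf (depth 0) is matched against the
    allow-list. An unknown CN, or a subject with no CN at all, is rejected.
    """
    if depth != 0:
        return True
    cn = parse_subject(subject).get("CN")
    return cn is not None and cn in allowed


def main(argv):
    """Command-line entry point with the argument order OpenVPN uses."""
    if len(argv) != 3:
        print("usage: tls-verify-cn.py <depth> <x509-subject>", file=sys.stderr)
        return 2
    try:
        depth = int(argv[1])
    except ValueError:
        return 2
    ok = verify(depth, argv[2])
    # Log the decision so rejected peers show up in the OpenVPN log.
    print(f"{'ACCEPT' if ok else 'REJECT'} depth={depth} subject={argv[2]}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Hook it in with `tls-verify /path/to/tls-verify-cn.py` in the server config; the script must also be reachable inside the chroot if one is configured, and OpenVPN 2.0's `--tls-remote` covers the simpler case of a single fixed name. The HMAC (`tls-auth`) layer tdb lists is complementary: it stops peers without the static key before any TLS handshake, while this check decides among peers who already hold a valid certificate.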
gpeangel (Tux's lil' helper)
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Wed Dec 01, 2004 8:44 pm
It seems I'm really close to having openvpn working by following this excellent HOW-TO. I can start openvpn on the server and client and the logs indicate they are connecting properly. However, I cannot ping anything. I believe it's a routing issue that I don't understand enough to sort out. Is there a route command I need to run on the server and/or client which I've missed? The one suggested in the HOW-TO troubleshooting section hasn't made a difference.
The details:
Server Config (Linux, static 10.10.10.80 IP address):
Code:
ca keys/ca.crt
cert keys/server.crt
chroot /usr/local/openvpn
comp-lzo
dev tap
dh keys/dh2048.pem
duplicate-cn
group nobody
ifconfig 10.1.0.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
key keys/server.key # This file should be kept secret
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
mode server
mssfix 1450
mtu-test
mute 20
persist-key
persist-tun
ping 10
ping-restart 120
port 5000
push "dhcp-option DNS m.n.o.p"
push "dhcp-option DNS m.n.o.q" # push DNS entries to openvpn client
push "ping 10"
push "ping-restart 60"
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
push "route 10.10.10.0 255.255.255.0 10.1.0.1" # add route to to protected network
push "route-gateway 10.1.0.1" # push default gateway
status /var/log/openvpn/openvpn-status.log
tls-auth keys/ta.key 0
tls-server
tun-mtu 1500
tun-mtu-extra 32
user nobody
verb 6
Client Config (Win2K Pro):
Code:
ca ca.crt
cert client.crt
comp-lzo
dev tap
key client.key
mssfix 1450
mtu-test
mute 10
port 5000
pull
remote w.x.y.z (actual IP removed)
tls-auth ta.key 1
tls-client
tun-mtu 1500
tun-mtu-extra 32
verb 6
Before connecting, on the client:
Code:
C:\>route print
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.5.42.1 10.5.42.141 1
10.5.42.0 255.255.255.0 10.5.42.141 10.5.42.141 1
10.5.42.141 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.5.42.141 10.5.42.141 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 224.0.0.0 10.5.42.141 10.5.42.141 1
255.255.255.255 255.255.255.255 10.5.42.141 2 1
Default Gateway: 10.5.42.1
===========================================================================
Persistent Routes:
None
C:\>ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : computer-name
Primary DNS Suffix . . . . . . . : my.company.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : my.company.com
company.com
Ethernet adapter Local Area Connection 9:
Media State . . . . . . . . . . . : Cable Disconnected
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-89-33-DC-B6
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : company.com
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-08-74-AA-9C-9C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.5.42.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.5.42.1
DHCP Server . . . . . . . . . . . : 10.5.10.13
DNS Servers . . . . . . . . . . . : 10.5.10.10
10.10.10.10
Primary WINS Server . . . . . . . : 10.5.10.13
Secondary WINS Server . . . . . . : 10.10.9.13
Starting, OpenVPN log on server:
Code:
...[0] Current Parameter Settings:
...[0] config = 'myserver.conf'
...[0] mode = 1
...[0] persist_config = DISABLED
...[0] persist_mode = 1
...[0] show_ciphers = DISABLED
...[0] show_digests = DISABLED
...[0] show_engines = DISABLED
...[0] genkey = DISABLED
...[0] key_pass_file = '[UNDEF]'
...[0] show_tls_ciphers = DISABLED
...[0] proto = 0
...[0] local = '[UNDEF]'
...[0] remote_list = NULL
...[0] remote_random = DISABLED
...[0] local_port = 5000
...[0] remote_port = 5000
...[0] remote_float = DISABLED
...[0] ipchange = '[UNDEF]'
...[0] bind_local = ENABLED
...[0] NOTE: --mute triggered...
...[0] 152 variation(s) on previous 20 message(s) suppressed by --mute
...[0] OpenVPN 2.0_beta15 i686-pc-linux-gnu [SSL] [LZO] [PTHREAD] built on Nov 23 2004
...[0] Diffie-Hellman initialized with 2048 bit key
...[0] Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
...[0] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] TUN/TAP device tap0 opened
...[0] TUN/TAP TX queue length set to 100
...[0] /sbin/ifconfig tap0 10.1.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.0.255
...[0] Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] chroot to '/usr/local/openvpn' and cd to '/' succeeded
...[0] GID set to nobody
...[0] UID set to nobody
...[0] Socket Buffers: R=[109568->131072] S=[109568->131072]
...[0] UDPv4 link local (bound): [undef]:5000
...[0] UDPv4 link remote: [undef]
...[0] MULTI: multi_init called, r=256 v=256
...[0] IFCONFIG POOL: base=10.1.0.2 size=10
...[0] Initialization Sequence Completed
After connecting, on the server:
Code:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.0.0 * 255.255.255.0 U 0 0 0 tap0
10.10.10.0 * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 10.10.10.1 0.0.0.0 UG 0 0 0 eth0
Server log:
Code:
...[0] MULTI: multi_create_instance called
...[0] a.b.c.d:30964 Re-using SSL/TLS context
...[0] a.b.c.d:30964 LZO compression initialized
...[0] a.b.c.d:30964 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] a.b.c.d:30964 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] a.b.c.d:30964 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
...[0] a.b.c.d:30964 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
...[0] a.b.c.d:30964 Local Options hash (VER=V4): '360696c5'
...[0] a.b.c.d:30964 Expected Remote Options hash (VER=V4): '13a273ba'
...[0] a.b.c.d:30964 UDPv4 READ [42] from a.b.c.d:30964: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
...[0] a.b.c.d:30964 TLS: Initial packet from a.b.c.d:30964, sid=4076e6c5 a8061fd2
...[0] a.b.c.d:30964 UDPv4 WRITE [54] to a.b.c.d:30964: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #3 ] [ 0 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=1 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
...[0] a.b.c.d:30964 UDPv4 READ [44] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=2
...[0] a.b.c.d:30964 UDPv4 WRITE [154] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #6 ] [ ] pid=4 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #7 ] [ ] pid=5 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #8 ] [ ] pid=6 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #8 ] [ 3 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #9 ] [ ] pid=7 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #9 ] [ 4 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=8 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #10 ] [ 5 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=9 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #11 ] [ 6 ]
...[0] a.b.c.d:30964 NOTE: --mute triggered...
...[0] a.b.c.d:30964 95 variation(s) on previous 20 message(s) suppressed by --mute
...[0] a.b.c.d:30964 VERIFY OK: depth=1, /C=US/ST=CO/L=Centennial/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com
...[0] a.b.c.d:30964 VERIFY OK: depth=0, /C=US/ST=CO/O=Java_Zen/CN=client/emailAddress=webmaster@myserver.com
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #58 ] [ 25 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #61 ] [ ] pid=26 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #59 ] [ 26 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #62 ] [ ] pid=27 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #60 ] [ 27 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #63 ] [ ] pid=28 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #61 ] [ 28 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #64 ] [ ] pid=29 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #62 ] [ 29 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #65 ] [ ] pid=30 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #63 ] [ 30 ]
...[0] a.b.c.d:30964 UDPv4 READ [123] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #66 ] [ ] pid=31 DATA len=81
...[0] a.b.c.d:30964 UDPv4 WRITE [113] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #64 ] [ 31 ] pid=34 DATA len=59
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #68 ] [ ] pid=33 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #65 ] [ 33 ]
...[0] a.b.c.d:30964 UDPv4 READ [154] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #67 ] [ 34 ] pid=32 DATA len=100
...[0] a.b.c.d:30964 Replay-window backtrack occurred [1]
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #66 ] [ 32 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #69 ] [ ] pid=34 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #67 ] [ 34 ]
...[0] a.b.c.d:30964 UDPv4 READ [72] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #70 ] [ ] pid=35 DATA len=30
...[0] a.b.c.d:30964 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
...[0] a.b.c.d:30964 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] a.b.c.d:30964 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
...[0] a.b.c.d:30964 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] a.b.c.d:30964 UDPv4 WRITE [154] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #68 ] [ 35 ] pid=35 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #69 ] [ ] pid=36 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [124] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #70 ] [ ] pid=37 DATA len=82
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #71 ] [ 35 ]
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #72 ] [ 36 ]
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #73 ] [ 37 ]
...[0] a.b.c.d:30964 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
...[0] a.b.c.d:30964 [client] Peer Connection Initiated with a.b.c.d:30964
...[0] client/a.b.c.d:30964 UDPv4 READ [132] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=36 DATA len=90
...[0] client/a.b.c.d:30964 PUSH: Received control message: 'PUSH_REQUEST'
...[0] client/a.b.c.d:30964 SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS m.n.o.q,dhcp-option DNS m.n.o.p,route-gateway 10.1.0.1,ping 10,ping-restart 60,route 10.10.10.0 255.255.255.0 10.1.0.1,route 10.1.0.0 255.255.255.0 10.1.0.1,ifconfig 10.1.0.2 255.255.255.0' (status=1)
...[0] client/a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #71 ] [ 36 ]
...[0] client/a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #72 ] [ ] pid=38 DATA len=100
...[0] client/a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=39 DATA len=100
...[0] client/a.b.c.d:30964 UDPv4 WRITE [140] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=40 DATA len=98
...[0] client/a.b.c.d:30964 UDPv4 READ [61] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #75 ] [ 38 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #76 ] [ 39 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #77 ] [ 40 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 MULTI: Learn: 00:ff:89:33:dc:b6 -> client/a.b.c.d:30964
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
...[0] client/a.b.c.d:30964 UDPv4 WRITE [61] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [61] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 WRITE [61] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 NOTE: --mute triggered...
...[0] client/a.b.c.d:30964 210 variation(s) on previous 20 message(s) suppressed by --mute
...[0] client/a.b.c.d:30964 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1573] remote->local=[1573,1469]
...[0] client/a.b.c.d:30964 NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [253] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=252
...[0] client/a.b.c.d:30964 UDPv4 WRITE [245] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=244
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 NOTE: --mute triggered...
On the client:
Code:
C:\>route print
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.5.42.1 10.5.42.141 1
10.1.0.0 255.255.255.0 10.1.0.2 10.1.0.2 1
10.1.0.0 255.255.255.0 10.1.0.1 10.1.0.2 1
10.1.0.2 255.255.255.255 127.0.0.1 127.0.0.1 1
10.5.42.0 255.255.255.0 10.5.42.141 10.5.42.141 1
10.5.42.141 255.255.255.255 127.0.0.1 127.0.0.1 1
10.10.10.0 255.255.255.0 10.1.0.1 10.1.0.2 1
10.255.255.255 255.255.255.255 10.1.0.2 10.1.0.2 1
10.255.255.255 255.255.255.255 10.5.42.141 10.5.42.141 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 224.0.0.0 10.1.0.2 10.1.0.2 1
224.0.0.0 224.0.0.0 10.5.42.141 10.5.42.141 1
255.255.255.255 255.255.255.255 10.1.0.2 2 1
Default Gateway: 10.5.42.1
===========================================================================
Persistent Routes:
None
C:\>ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : computer-name
Primary DNS Suffix . . . . . . . : my.company.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : my.company.com
company.com
Ethernet adapter Local Area Connection 9:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-89-33-DC-B6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.1.0.0
DNS Servers . . . . . . . . . . . : m.n.o.q
m.n.o.p
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : company.com
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-08-74-AA-9C-9C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.5.42.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.5.42.1
DHCP Server . . . . . . . . . . . : 10.5.10.13
DNS Servers . . . . . . . . . . . : 10.5.10.10
10.10.10.10
Primary WINS Server . . . . . . . : 10.5.10.13
Secondary WINS Server . . . . . . : 10.10.9.13
Client Log:
Code:
...Current Parameter Settings:
... config = 'myclient.ovpn'
... mode = 0
... show_ciphers = DISABLED
... show_digests = DISABLED
... show_engines = DISABLED
... genkey = DISABLED
... key_pass_file = '[UNDEF]'
... show_tls_ciphers = DISABLED
... proto = 0
...NOTE: --mute triggered...
...173 variation(s) on previous 10 message(s) suppressed by --mute
...OpenVPN 2.0_beta15 Win32-MinGW [SSL] [LZO] built on Oct 28 2004
...Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
...Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...LZO compression initialized
...Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
...Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
...Local Options hash (VER=V4): '13a273ba'
...Expected Remote Options hash (VER=V4): '360696c5'
...Socket Buffers: R=[8192->8192] S=[8192->8192]
...UDPv4 link local (bound): [undef]:5000
...UDPv4 link remote: w.x.y.z:5000
...UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
...UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
...UDPv4 READ [54] from w.x.y.z:5000: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
...TLS: Initial packet from w.x.y.z:5000, sid=9a467e55 cbdd7f50
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #3 ] [ 0 ]
...UDPv4 WRITE [142] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=1 DATA len=100
...UDPv4 WRITE [44] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=2
...UDPv4 READ [50] from w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
...UDPv4 READ [154] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #8 ] [ 3 ]
...NOTE: --mute triggered...
...41 variation(s) on previous 10 message(s) suppressed by --mute
...VERIFY OK: depth=1, /C=US/ST=CO/L=Centennial/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com
...VERIFY OK: depth=0, /C=US/ST=CO/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #29 ] [ 24 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #27 ] [ ] pid=25 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #30 ] [ 25 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #28 ] [ ] pid=26 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #31 ] [ 26 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #29 ] [ ] pid=27 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #32 ] [ 27 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #30 ] [ ] pid=28 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #33 ] [ 28 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #31 ] [ ] pid=29 DATA len=100
...NOTE: --mute triggered...
...78 variation(s) on previous 10 message(s) suppressed by --mute
...Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
...Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
...Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #73 ] [ 37 ]
...Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
...[www.myserver.com] Peer Connection Initiated with w.x.y.z:5000
...SENT CONTROL [www.myserver.com]: 'PUSH_REQUEST' (status=1)
...NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
...UDPv4 WRITE [132] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=36 DATA len=90
...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 READ [50] from w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #71 ] [ 36 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #72 ] [ ] pid=38 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #75 ] [ 38 ]
...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=39 DATA len=100
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #76 ] [ 39 ]
...UDPv4 READ [140] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=40 DATA len=98
...PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS m.n.o.q,dhcp-option DNS m.n.o.p,route-gateway 10.1.0.1,ping 10,ping-restart 60,route 10.10.10.0 255.255.255.0 10.1.0.1,route 10.1.0.0 255.255.255.0 10.1.0.1,ifconfig 10.1.0.2 255.255.255.0'
...OPTIONS IMPORT: timers and/or timeouts modified
...OPTIONS IMPORT: --ifconfig/up options modified
...OPTIONS IMPORT: route options modified
...OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
...TAP-WIN32 device [Local Area Connection 9] opened: \\.\Global\{8933DCB6-A436-4A37-853C-D1D87ADDC5C6}.tap
...TAP-Win32 Driver Version 8.1
...TAP-Win32 MTU=1500
...Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.2/255.255.255.0 on interface {8933DCB6-A436-4A37-853C-D1D87ADDC5C6} [DHCP-serv: 10.1.0.0, lease-time: 31536000]
...DHCP option string: 0608cdab 0341cdab 0241
...Successful ARP Flush on interface [3] {8933DCB6-A436-4A37-853C-D1D87ADDC5C6}
...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #77 ] [ 40 ]
...TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
...Route: Waiting for TUN/TAP interface to come up...
...UDPv4 READ [573] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572
...TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
...Route: Waiting for TUN/TAP interface to come up...
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
...route ADD 10.10.10.0 MASK 255.255.255.0 10.1.0.1
...Route addition via IPAPI succeeded
...route ADD 10.1.0.0 MASK 255.255.255.0 10.1.0.1
...Route addition via IPAPI succeeded
...Initialization Sequence Completed
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [573] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572
...UDPv4 READ [61] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 WRITE [573] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148
...NOTE: --mute triggered...
...232 variation(s) on previous 10 message(s) suppressed by --mute
...NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1469] remote->local=[1573,1573]
...NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.
...UDPv4 READ [1573] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=1572
...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60
...UDPv4 WRITE [53] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 WRITE [53] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76
...NOTE: --mute triggered...
|
_________________ Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Wed Dec 01, 2004 9:08 pm Post subject:
I don't mess around enough with windows to offer you specific answers, but I will say this: don't try to add a bunch of features all at once. Start with the bare basics (no push/pull, no routing instructions, no hmac, no nothing); just get a tunnel up and running between the two machines. Manually assign the ip addresses and routing. Once you get that working, add the other features in one at a time and verify that the connection still works each time. That makes it immensely easier to figure out what in the hundreds of options available is causing the problem. Begin by adding the routing and push/pull commands before adding extra security and encryption. _________________ Do you know what a usufruct is?
tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Wed Dec 01, 2004 9:09 pm Post subject:
|
One other thing I did notice; did you change iptables to allow traffic on the new tap0 interface? _________________ Do you know what a usufruct is?
gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Wed Dec 01, 2004 9:44 pm Post subject:
tdb wrote: | One other thing I did notice; did you change iptables to allow traffic on the new tap0 interface? |
That was it! I figured it was something simple since I was so close. Enabling tap0 and restarting the firewall resulted in vpn connectivity.
Many thanks! _________________ Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Wed Dec 01, 2004 10:35 pm Post subject:
gpeangel wrote: |
Many thanks! |
N.P. _________________ Do you know what a usufruct is?
gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Fri Dec 03, 2004 8:45 pm Post subject:
I had to reboot the server (kernel upgrade) and now I cannot connect via OpenVPN. I went through my notes thinking I missed something in the config that was lost on reboot, but all is as expected. Both the client and server certs check out with a status of "OK". I've made sure the tap0 interface is enabled on the firewall:
Code: |
# /etc/init.d/fw-jay start
Starting Jay's Firewall v1.0.3 :
Check of configuration's file : OK
Trying to load iptables modules ...
found internal eth0 on ip:'10.10.10.6', sub:'10.10.10.6/255.255.255.0'
found internal tap0 on ip:'10.1.0.1', sub:'10.1.0.1/255.255.255.0'
found external eth0 on ip:'10.10.10.6'
Check of iptables : OK
...
|
Yet even with the firewall down, I cannot connect. I think I am missing something, again, in how communications should be routed.
Server:
Code: |
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.0.0 * 255.255.255.0 U 0 0 0 tap0
10.10.10.0 * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 10.10.10.1 0.0.0.0 UG 0 0 0 eth0
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:2C:A5:B9:70
inet addr:10.10.10.6 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18609 errors:0 dropped:0 overruns:0 frame:0
TX packets:23821 errors:0 dropped:0 overruns:0 carrier:0
collisions:224 txqueuelen:1000
RX bytes:2363343 (2.2 Mb) TX bytes:5087477 (4.8 Mb)
Interrupt:23 Base address:0x2000
tap0 Link encap:Ethernet HWaddr 00:FF:8B:A7:0A:B8
inet addr:10.1.0.1 Bcast:10.1.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:1557 (1.5 Kb)
|
Server Log:
Code: |
...[0] Current Parameter Settings:
...[0] config = 'server.conf'
...[0] mode = 1
...[0] persist_config = DISABLED
...[0] persist_mode = 1
...[0] show_ciphers = DISABLED
...[0] show_digests = DISABLED
...[0] show_engines = DISABLED
...[0] genkey = DISABLED
...[0] key_pass_file = '[UNDEF]'
...[0] show_tls_ciphers = DISABLED
...[0] proto = 0
...[0] local = '[UNDEF]'
...[0] remote_list = NULL
...[0] remote_random = DISABLED
...[0] local_port = 5000
...[0] remote_port = 5000
...[0] remote_float = DISABLED
...[0] ipchange = '[UNDEF]'
...[0] bind_local = ENABLED
...[0] NOTE: --mute triggered...
...[0] 152 variation(s) on previous 20 message(s) suppressed by --mute
...[0] OpenVPN 2.0_beta15 i686-pc-linux-gnu [SSL] [LZO] [PTHREAD] built on Nov 23 2004
...[0] Diffie-Hellman initialized with 2048 bit key
...[0] Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
...[0] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] TUN/TAP device tap0 opened
...[0] TUN/TAP TX queue length set to 100
...[0] /sbin/ifconfig tap0 10.1.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.0.255
...[0] Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] chroot to '/usr/local/openvpn' and cd to '/' succeeded
...[0] GID set to nobody
...[0] UID set to nobody
...[0] Socket Buffers: R=[109568->131072] S=[109568->131072]
...[0] UDPv4 link local (bound): [undef]:5000
...[0] UDPv4 link remote: [undef]
...[0] MULTI: multi_init called, r=256 v=256
...[0] IFCONFIG POOL: base=10.1.0.2 size=10
...[0] Initialization Sequence Completed
|
Client Log:
Code: |
... Current Parameter Settings:
... config = 'client.ovpn'
... mode = 0
... show_ciphers = DISABLED
... show_digests = DISABLED
... show_engines = DISABLED
... genkey = DISABLED
... key_pass_file = '[UNDEF]'
... show_tls_ciphers = DISABLED
... proto = 0
... NOTE: --mute triggered...
... 173 variation(s) on previous 10 message(s) suppressed by --mute
... OpenVPN 2.0_beta15 Win32-MinGW [SSL] [LZO] built on Oct 28 2004
... Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
... Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
... Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
... LZO compression initialized
... Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
... Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
... Local Options hash (VER=V4): '13a273ba'
... Expected Remote Options hash (VER=V4): '360696c5'
... Socket Buffers: R=[8192->8192] S=[8192->8192]
... UDPv4 link local (bound): [undef]:5000
... UDPv4 link remote: w.x.y.z:5000
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #6 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #7 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #8 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #9 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #10 ] [ ] pid=0 DATA len=0
... NOTE: --mute triggered...
... 18 variation(s) on previous 10 message(s) suppressed by --mute
... TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
... TLS Error: TLS handshake failed
... TCP/UDP: Closing socket
... SIGUSR1[soft,tls-error] received, process restarting
... Restart pause, 2 second(s)
|
With verb set to 9...
Code: |
...
... LZO compression initialized
... MTU DYNAMIC mtu=0, flags=1, 0 -> 166
... TLS: tls_session_init: entry
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... TLS: tls_session_init: new session object, sid=0d9d1e3f 4f16f390
... TLS: tls_session_init: entry
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... PID packet_id_init seq_backtrack=64 time_backtrack=15
... TLS: tls_session_init: new session object, sid=b9d0ffd2 65f6f591
... Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
... MTU DYNAMIC mtu=1450, flags=2, 1574 -> 1450
... REMOTE_LIST len=1 current=0
... [0] w.x.y.z:5000
... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
... Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
... Local Options hash (VER=V4): '13a273ba'
... Expected Remote Options hash (VER=V4): '360696c5'
... Socket Buffers: R=[8192->8192] S=[8192->8192]
... UDPv4 link local (bound): [undef]:5000
... UDPv4 link remote: w.x.y.z:5000
... TIMER: coarse timer wakeup 1 seconds
... TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=0d9d1e3f 4f16f390, stored-sid=00000000 00000000, stored-ip=w.x.y.z:5000
... TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800
... ACK mark active outgoing ID 0
... TLS: Initial Handshake, sid=0d9d1e3f 4f16f390
... ACK reliable_can_send active=1 current=1 : [1] 0
... ACK reliable_send ID 0 (size=4 to=2)
... Reliable -> TCP/UDP
... ACK reliable_send_timeout 2 [1] 0
... TLS: tls_process: timeout set to 2
... NOTE: --mute triggered...
... 14 variation(s) on previous 10 message(s) suppressed by --mute
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0d9d1e3f 4f16f390 tls_hmac=099c54b8 b0a440a8 c3127cae b5aa1501 374760ce pid=[ #1 / time = (1102104700) Fri Dec 03 13:11:40 2004 ] [ ] pid=0 DATA
... WIN32 I/O: Socket Send immediate return [42,42]
... UDPv4 write returned 42
... TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=0d9d1e3f 4f16f390, stored-sid=00000000 00000000, stored-ip=w.x.y.z:5000
... TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
... ACK reliable_can_send active=1 current=0 : [1] 0
... SSL state (connect): before/connect initialization
... SSL state (connect): SSLv3 write client hello A
... ACK reliable_send_timeout 2 [1] 0
... TLS: tls_process: timeout set to 2
... TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=b9d0ffd2 65f6f591, stored-sid=00000000 00000000, stored-ip=[undef]
... NOTE: --mute triggered...
... 45 variation(s) on previous 10 message(s) suppressed by --mute
...
This continues until it times out.
|
The server log never shows any additional entries while the client is attempting to connect. _________________ Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Fri Dec 03, 2004 9:03 pm Post subject:
Try stripping your config files down to the bare minimum. Take out all the extra stuff (like key direction, cipher, compression, etc.) and add them back one by one and test until it stops working. One place to start is your tun-mtu setting: the max mtu for any connection is 1500, any bigger than that and it starts splitting the too-big packets into fragments. Lower tun-mtu to 1450 or so, to allow for the overhead that OpenVPN puts into each packet. I'm not a networking expert, and I'm not saying that will fix it, but it is a good place to start. OpenVPN (especially the later 2.0 betas) has very good default settings, especially when it comes to mtu stuff; let OpenVPN take care of that and only add the settings that you really need. An example of this is that you don't need to specify udp, OpenVPN uses it by default.
One other thing, you did add tap0 to your firewall script and make sure to open up udp 5000 on the other interfaces, right? Also, keep in mind that 2.0 beta 17 and later use udp port 1194 by default (it is the new IANA-assigned port). _________________ Do you know what a usufruct is?
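Added example (editor's, not code from the thread or from OpenVPN): a small triage script that reads client log lines like the ones gpeangel posted above and separates the two failure modes the last few posts are circling. It counts P_CONTROL_HARD_RESET_CLIENT_V2 writes against packets actually received (ten resets and nothing back means the server never saw the traffic, which is a port and firewall question, not a crypto one), and it pulls link-mtu and tun-mtu out of the Local Options String together with the EF value from the MTU parms line: in the posted log 1574 - 1532 = 42 matches EF, and a 1574-byte link-mtu is 74 bytes over the 1500 tdb mentions, which is what the earlier "unable to accomodate a UDP packet size of 1573" note was complaining about. The sample lines are constructed copies of the posted ones, and ETHERNET_MTU is an assumption about the path, not something OpenVPN reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

ETHERNET_MTU = 1500  # assumed path MTU (Ethernet/DSL); OpenVPN does not report this

# Constructed sample lines modelled on the client logs posted in this thread
# (timestamps replaced by "..."); they are not the original log files.
SAMPLE_NO_REPLY = """\
... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
... UDPv4 link remote: w.x.y.z:5000
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
... TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
... TLS Error: TLS handshake failed
"""

SAMPLE_HANDSHAKE = """\
... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
... UDPv4 READ [573] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572
... NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1469] remote->local=[1573,1573]
... TLS Error: TLS handshake failed
"""

PKT_RE = re.compile(r"UDPv4 (READ|WRITE) \[(\d+)\] (?:from|to) (\S+): (\w+)")
OPTS_RE = re.compile(r"Local Options String: '.*?link-mtu (\d+),tun-mtu (\d+)")
MTU_RE = re.compile(r"Data Channel MTU parms \[ L:(\d+) D:(\d+) EF:(\d+)")
EMPIRICAL_RE = re.compile(r"Empirical MTU test completed \[Tried,Actual\] local->remote=\[(\d+),(\d+)\]")


@dataclass
class ClientLogStats:
    hard_resets_sent: int = 0      # P_CONTROL_HARD_RESET_CLIENT_V2 packets we wrote
    packets_received: int = 0      # anything at all read from the peer
    tls_errors: int = 0
    link_mtu: Optional[int] = None
    tun_mtu: Optional[int] = None
    overhead: Optional[int] = None          # EF: OpenVPN's per-packet framing overhead
    path_mtu_tried: Optional[int] = None
    path_mtu_actual: Optional[int] = None


def parse_client_log(text: str) -> ClientLogStats:
    s = ClientLogStats()
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            direction, _size, _peer, ptype = m.groups()
            if direction == "READ":
                s.packets_received += 1
            elif ptype == "P_CONTROL_HARD_RESET_CLIENT_V2":
                s.hard_resets_sent += 1
            continue
        if "TLS Error:" in line:
            s.tls_errors += 1
            continue
        m = OPTS_RE.search(line)
        if m:
            s.link_mtu, s.tun_mtu = int(m.group(1)), int(m.group(2))
            continue
        m = MTU_RE.search(line)
        if m:
            s.overhead = int(m.group(3))
            continue
        m = EMPIRICAL_RE.search(line)
        if m:
            s.path_mtu_tried, s.path_mtu_actual = int(m.group(1)), int(m.group(2))
    return s


def diagnose(s: ClientLogStats) -> Dict[str, str]:
    """Map the counters to the question worth asking first."""
    f: Dict[str, str] = {}
    if s.hard_resets_sent and s.packets_received == 0:
        f["no-reply"] = (f"{s.hard_resets_sent} HARD_RESET sent, nothing received: the server never "
                         "saw the traffic, so check the UDP port, the server firewall and that "
                         "openvpn is listening before touching crypto settings")
    elif s.tls_errors:
        f["handshake-failed"] = ("packets flow both ways but TLS never completes: compare the "
                                 "Options Strings on both ends, tls-auth key direction and certs")
    if s.link_mtu and s.link_mtu > ETHERNET_MTU:
        f["link-mtu-oversized"] = (f"link-mtu {s.link_mtu} is {s.link_mtu - ETHERNET_MTU} bytes over "
                                   f"{ETHERNET_MTU}; lower tun-mtu by at least that much, or drop the "
                                   "mtu directives and let OpenVPN choose")
    if s.path_mtu_tried and s.path_mtu_actual and s.path_mtu_actual < s.path_mtu_tried:
        f["path-mtu-smaller"] = (f"mtu-test found the path carries {s.path_mtu_actual} of "
                                 f"{s.path_mtu_tried} bytes; larger datagrams fragment or are dropped")
    return f


if __name__ == "__main__":
    for name, text in (("no reply", SAMPLE_NO_REPLY), ("handshake", SAMPLE_HANDSHAKE)):
        for code, msg in diagnose(parse_client_log(text)).items():
            print(f"[{name}] {code}: {msg}")
```

Run it against a real client log with `verb 4` or higher; at lower verbosity the per-packet READ/WRITE lines are not printed and the reset counter stays at zero.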
gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Fri Dec 03, 2004 10:17 pm Post subject:
tdb wrote: | Try stripping your config files down to the bare minimum. Take out all the extra stuff (like key direction, cipher, compression, etc.) and add them back one by one and test until it stops working. One place to start is your tun-mtu setting: the max mtu for any connection is 1500, any bigger than that and it starts splitting the too-big packets into fragments. Lower tun-mtu to 1450 or so, to allow for the overhead that OpenVPN puts into each packet. I'm not a networking expert, and I'm not saying that will fix it, but it is a good place to start. OpenVPN (especially the later 2.0 betas) has very good default settings, especially when it comes to mtu stuff; let OpenVPN take care of that and only add the settings that you really need. An example of this is that you don't need to specify udp, OpenVPN uses it by default.
One other thing, you did add tap0 to your firewall script and make sure to open up udp 5000 on the other interfaces, right? Also, keep in mind that 2.0 beta 17 and later use udp port 1194 by default (it is the new IANA-assigned port). |
Good advice, so I followed it.
First I upgraded to 2.0-beta19 and reconfigured the firewall for port 1194. With a stripped down config on both client and server, I built up what was needed based on log error messages and warnings. Leaving out all the mtu adjustments in the config files seemed to be the hitch.
I've now been able to restore full connectivity.
Thanks again for the good pointers... _________________ Gregory Engel
Web Master
www.javazen.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
My other computer is spongy gray matter.
tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Sat Dec 04, 2004 7:13 am Post subject:
Glad I could help. _________________ Do you know what a usufruct is?
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Tue Dec 07, 2004 11:16 am Post subject:
First of all, thanks for the howto. It really saved me a lot of work to figure this thing out
myself. I have OpenVPN running fine now. However, there is still one problem. I hope you can help.
This is my situation:
I have a Gentoo-server at my company. This is the OpenVPN-server.
This Server has 2 network-cards. One is connected to an ADSL-modem and has
10.0.0.150 as IP-address. The other card has 192.168.1.1 as IP-address and connects
the OpenVPN-server to the local network of my company (192.168.1.xxx) so:
Code: |
* 192.168.1.1 --> LAN
* 10.0.0.150 --> ADSL-Modem/internet/WAN (whatever you like to call it :wink: )
* 10.1.0.1 --> Tap0 (OpenVPN server)
|
I have my own Gentoo-server at home, this is the OpenVPN-client. It also has 2
network-cards. One is for internet/ADSL and has 10.0.0.150 as IP-address.
The other one connects the server to my own LAN (192.168.0.xxx) and has
192.168.0.1 as IP-address. so:
Code: |
* 192.168.0.1 --> LAN
* 10.0.0.150 --> WAN
* 10.1.0.xxx --> Tap0 (OpenVPN client with DHCP assigned IP-address)
|
The problem
I need to access my company's LAN (192.168.1.xxx) from my server.
When I do:
it works fine. But when I do:
I get no response.
What's the real goal here? I need to access one of the windows servers in my
company's LAN from an OpenVPN client. When I have this working, some people
here can access the company's LAN from their homes.
So if anyone can tell me what to do?
The tap-devices are in the FORWARD-chain and set to accept.
Code: |
Chain FORWARD (policy DROP 1583 packets, 76965 bytes)
pkts bytes target prot opt in out source
311 39800 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
|
This is the FORWARD-chain on the OpenVPN-server, of course.
Any help is most welcome.
tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Tue Dec 07, 2004 2:37 pm Post subject:
First, make sure the gentoo server at your company has firewall rules and routing set up to allow packets on the vpn interface. (I'm assuming it does since you said other people can get to it just fine.)
Second, you need to set up a route telling your home computer where to find the 192.168.x.x network. Your computer doesn't know that 192.168.x.x is on the other side of the vpn tunnel. Try this:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1
If that works, then you need to find a way to set that route every time OpenVPN starts. You can do this by a networking init script, or in the OpenVPN config file itself. Check the OpenVPN manpage for details. _________________ Do you know what a usufruct is?
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Tue Dec 07, 2004 2:53 pm Post subject:
I tried to add a route. When I check it, it seems to be there and should work
fine.
Code: |
Chimaera root # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.0 * 255.255.255.0 U 0 0 0 eth2
192.168.1.0 10.1.0.1 255.255.255.0 UG 0 0 0 tap0 #<-- here it is
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
10.1.0.0 * 255.255.255.0 U 0 0 0 tap0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 10.0.0.2 0.0.0.0 UG 1 0 0 eth1
|
But I can't connect to 192.168.1.xxx
I really don't understand why.
tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Tue Dec 07, 2004 3:28 pm Post subject:
Check your netmask on the work machine. 10.x.x.x defaults to 255.0.0.0, and 192.168.x.x defaults to 255.255.255.0. Last time I had issues with routing it was because I had several 10.x.x.x networks with different netmasks. If 10.1.0.x has a 255.255.255.0 on one end, and 255.0.0.0 on the other, it might not work.
Short of that, I'm not sure. _________________ Do you know what a usufruct is?
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Wed Dec 08, 2004 2:14 am Post subject:
FYI, OpenVPN 2.0 RC is out! I will update the mini-howto once the official 2.0 is released.
Meaulnes n00b
Joined: 15 Mar 2004 Posts: 49
Posted: Thu Dec 16, 2004 4:04 am Post subject:
Thank you very much for this how-to. So far it has been amazing. However, I am stuck on a certain point that I am unable to figure out. My situation is this: I am trying to set up a VPN for a PITA client that needs terminal services access to a Win2k server machine. I need the Win2k machine protected by a firewall. After a lot of head pounding, I found this how-to and am so close I can taste it. Here is how this thing is set up:
Client --> Internet --> Linux (OpenVPN / IPTables / NAT) -> Win2k
The linux box has a public IP address on eth0 and a 10.10.10.1 / 255.255.255.0 on eth1. The win2k machine is at 10.10.10.13 and is the only machine on the subnet. The only purpose of the linux box is A. to protect that win2k machine and B. act as a VPN server.
I have the client connecting and I am seeing no errors in either the client or the server log. However, I am unable to ping the vpn gateway by its private ip, nor can I ping the client machine from the vpn gateway, and I cannot ping the win2k machine (inside the lan) from the client machine. I am not sure what is wrong. I have checked and port forwarding is on:
Code: | # /etc/sysctl.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/sysctl.conf,v 1.3 2002/11/18 19:39:22 azarah Exp $
# Disables packet forwarding
net.ipv4.ip_forward = 1
|
So, to continue, here is my openvpn server config:
Code: | port 5000
dev tap
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
mode server
duplicate-cn
ifconfig 10.10.10.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.10.10.100 10.10.10.200 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS xxx.xxx.xxx.xxx" # push to client
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "route-gateway 10.10.10.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.10.10.0 255.255.255.0 10.10.10.1" # add route to protected network
comp-lzo
status openvpn-status.log
verb 4
|
and here is the client config in linux:
Code: | port 5000
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
|
I am currently testing from a windows machine, so for the sake of clarity, here is the windows client config:
Code: | port 5000
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
ca ca.crt
cert gateway.crt
key gateway.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
|
Lastly, here is my iptables startup script:
Code: | PRIVATE=10.10.10.0/24
# Loopback address
LOOP=127.0.0.1
# Delete old iptables rules
# and temporarily block all traffic.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F
# Set default policies
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Prevent external packets from using loopback addr
$IPTABLES -A INPUT -i eth0 -s $LOOP -j DROP
$IPTABLES -A FORWARD -i eth0 -s $LOOP -j DROP
$IPTABLES -A INPUT -i eth0 -d $LOOP -j DROP
$IPTABLES -A FORWARD -i eth0 -d $LOOP -j DROP
$IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
# Block outgoing NetBios
$IPTABLES -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
$IPTABLES -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
$IPTABLES -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
$IPTABLES -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Check source address validity on packets going out to internet
$IPTABLES -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
# Allow local loopback
$IPTABLES -A INPUT -s $LOOP -j ACCEPT
$IPTABLES -A INPUT -d $LOOP -j ACCEPT
# Allow incoming pings (can be disabled)
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow ssh (can be disabled)
$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow incoming OpenVPN packets
$IPTABLES -A INPUT -p udp --dport 5000 -j ACCEPT
# Allow packets from TUN/TAP devices.
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A INPUT -i tap+ -j ACCEPT
$IPTABLES -A FORWARD -i tap+ -j ACCEPT
# Allow packets from private subnets
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
# Keep state of connections from local machine and private subnets
$IPTABLES -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade local subnet
$IPTABLES -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
|
Any help will be appreciated. And thanks again for this how-to.
Meaulnes n00b
Joined: 15 Mar 2004 Posts: 49
Posted: Thu Dec 16, 2004 1:42 pm Post subject:
Well I got in to work this morning and figured it out. I was trying to use the same subnet for both the physical and the virtual. Because of this, my tap0 and eth1 both had the same IP. I moved the virtual network over to a different subnet, and now all seems to be working swimmingly.
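Added example (editor's, not from the thread or from OpenVPN): a check for exactly the mistake diagnosed above. It pulls `ifconfig` and `ifconfig-pool` out of a tap-mode server config and compares them with the box's physical interfaces, flagging a duplicated address, an overlapping subnet and a client pool that lands inside a physical network. The sample config is a cut-down copy of the one posted; the public address 203.0.113.10 on eth0 is a documentation-range placeholder, and 10.10.11.0/24 as the relocated virtual subnet is an assumed value, since the post only says "a different subnet".

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Cut down from the server config posted above: only the address-bearing lines.
POSTED_CONFIG = """\
port 5000
dev tap
mode server
ifconfig 10.10.10.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.10.10.100 10.10.10.200 255.255.255.0 # ip range for openvpn client
push "route 10.10.10.0 255.255.255.0 10.10.10.1"
"""

# The poster moved the virtual network "to a different subnet"; 10.10.11.0/24 is
# an assumed choice. The pushed route still points at the protected LAN, now via
# the new tap gateway address.
FIXED_CONFIG = """\
port 5000
dev tap
mode server
ifconfig 10.10.11.1 255.255.255.0
ifconfig-pool 10.10.11.100 10.10.11.200 255.255.255.0
push "route 10.10.10.0 255.255.255.0 10.10.11.1"
"""

# Physical interfaces as described in the post; the eth0 address is a placeholder.
PHYSICAL: List[Tuple[str, str]] = [("eth0", "203.0.113.10/24"), ("eth1", "10.10.10.1/24")]


def parse_server_config(text: str) -> Dict[str, Optional[object]]:
    """Extract 'ifconfig <addr> <netmask>' (the server's own tap address) and
    'ifconfig-pool <start> <end> [netmask]' (the client pool) from a tap-mode
    OpenVPN 2.0 server config. Everything else is ignored."""
    tap = None
    pool = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ifconfig" and len(parts) >= 3:
            tap = ipaddress.ip_interface(f"{parts[1]}/{parts[2]}")   # dotted netmask accepted
        elif parts[0] == "ifconfig-pool" and len(parts) >= 3:
            pool = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
    return {"tap": tap, "pool": pool}


def find_conflicts(cfg: Dict[str, Optional[object]],
                   physical: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Compare the virtual addressing with each physical interface."""
    issues: List[Tuple[str, str]] = []
    tap = cfg["tap"]
    pool = cfg["pool"]
    if tap is None:
        return issues
    for name, cidr in physical:
        phys = ipaddress.ip_interface(cidr)
        if phys.ip == tap.ip:
            issues.append(("duplicate-address", f"{name} and the tap device both carry {tap.ip}"))
        if phys.network.overlaps(tap.network):
            issues.append(("subnet-overlap", f"{name} {phys.network} overlaps tap {tap.network}"))
        # Checking the two ends of the pool is enough for a contiguous range.
        if pool is not None and (pool[0] in phys.network or pool[1] in phys.network):
            issues.append(("pool-in-physical",
                           f"client pool {pool[0]}-{pool[1]} lies inside {name} {phys.network}"))
    return issues


def conflict_kinds(config_text: str, physical: List[Tuple[str, str]]) -> List[str]:
    return [kind for kind, _ in find_conflicts(parse_server_config(config_text), physical)]


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        for kind, detail in find_conflicts(parse_server_config(text), PHYSICAL):
            print(f"{label}: {kind}: {detail}")
```

The same overlap test is worth running against the `server` directive in 2.0 configs (which sets the tun subnet), and against every LAN a road-warrior client might connect from: a client whose home LAN is also 10.10.10.0/24 hits the same ambiguity from the other side.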
AppleMasher n00b
Joined: 09 Jul 2004 Posts: 11 Location: Chattanooga, TN
Posted: Sat Jan 01, 2005 8:33 pm Post subject: Routing
First, this is a great howto; it's definitely put me on the right track.
Routing Issue (This is the part I am having trouble with)
Quote: | Q:VPN client connected to the VPN server ok, but it can't access any other nodes in the protected network. What do I do?
A: There are two options.
1) In your default gateway, you need to add the route to your protected lan with VPN server as the gateway. Using the sample environment above, you will need to add the following route.
Code:
route add -net 10.1.0.0 netmask 255.255.255.240 gw 10.2.0.3
Note: Why is the netmask 255.255.255.240? Because our VPN client IP range is 0 - 10, the netmask is given as 255.255.255.240 (which gives us 16 entries [0-15]). A power of 2 is always more efficient for a router.
2) Use ethernet bridge.
|
Remote Private Network: 10.0.0.0/24
Remote Private VPN Server: 10.0.0.98
Remote Public VPN Server IP: 66.*.*.*
Local Private Network: 10.65.42.0/24
Local Private VPN Client: 10.65.42.22
OpenVPN Network: 10.5.0.0/24
OpenVPN Gateway: 10.5.0.1
So it's a fairly typical basic setup to start out with. Right now the only issue I have is that I can't seem to get the routing right to route 10.0.0.0 traffic to my local network: 10.0.0.98 (vpn server) works fine, but 10.0.0.1 (dns server) fails.
Code: | current client routing table (route -n)
10.0.0.0 10.5.0.1 255.255.255.0 UG 0 0 0 tap0
10.65.42.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.5.0.0 10.5.0.1 255.255.255.0 UG 0 0 0 tap0
10.5.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 10.65.42.1 0.0.0.0 UG 0 0 0 eth0
|
Code: | current server routing table (route -n)
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.5.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
|
I realize I need an additional route command to map the 10.0.0.0 to the local network, just not sure exactly what I should use, and do I need this route command on the local client or the server?
If someone who has this working could just post me their route -n's on both the client and server I believe it would help me a ton.
thanks.
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Mon Jan 03, 2005 1:18 am Post subject:
You need to add the route at your default gateway/firewall for your 10.0.0.0 network using your VPN server 10.0.0.98 as the "gateway" for 10.5.0.0 traffic.
In your case, your add route command is:
Code: | route add -net 10.5.0.0 netmask 255.255.255.0 gw 10.0.0.98 |
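Added example (editor's, not code from the thread): a small routing-table model that follows a packet host by host through AppleMasher's setup and makes cchee's answer concrete. The request from the VPN client reaches 10.0.0.1 fine; it is the reply that matters, because 10.0.0.1 has no idea where 10.5.0.0/24 lives and sends its answer out the default route. Adding cchee's route on the gateway turns that into a hop to 10.0.0.98 and then into the tunnel. The same lookup covers tdb's two earlier points in the mariourk exchange: without an explicit route the home box hands 192.168.1.x to its default gateway, and two 10.x interfaces left on classful 255.0.0.0 masks tie on prefix length, so interface order or metric, not intent, decides. Addresses come from the posts; the client's tap address 10.5.0.2, the home box's tap address 10.1.0.6 and the gateway's WAN side in the documentation range 198.51.100.0/24 are assumed placeholders.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Host model: interfaces as {name: "addr/prefix"} and static routes as
# ("net/prefix", gateway-or-None, iface); gateway None means on-link.
Route = Tuple[str, Optional[str], str]
Host = Dict[str, object]


def make_host(ifaces: Dict[str, str], routes: List[Route]) -> Host:
    return {"ifaces": ifaces, "routes": routes}


def lookup(host: Host, dest: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Longest-prefix match over connected networks and static routes, the
    decision the kernel makes for every outgoing packet. Returns
    (next_hop, iface, ambiguous); next_hop is dest itself when on-link.
    'ambiguous' is set when two different interfaces match at the same prefix
    length, the situation tdb's netmask warning describes."""
    d = ipaddress.ip_address(dest)
    cands: List[Tuple[int, str, str]] = []
    for name, cidr in host["ifaces"].items():
        net = ipaddress.ip_interface(cidr).network
        if d in net:
            cands.append((net.prefixlen, dest, name))
    for cidr, gw, name in host["routes"]:
        net = ipaddress.ip_network(cidr)
        if d in net:
            cands.append((net.prefixlen, gw or dest, name))
    if not cands:
        return (None, None, False)
    cands.sort(key=lambda c: c[0], reverse=True)   # stable: equal prefixes keep config order
    best = cands[0]
    ambiguous = any(c[0] == best[0] and c[2] != best[2] for c in cands[1:])
    return (best[1], best[2], ambiguous)


def owner(hosts: Dict[str, Host], addr: str) -> Optional[str]:
    """Which modelled host holds this address? None means 'outside the model'."""
    a = ipaddress.ip_address(addr)
    for name, h in hosts.items():
        if any(ipaddress.ip_interface(c).ip == a for c in h["ifaces"].values()):
            return name
    return None


def trace(hosts: Dict[str, Host], src: str, dest: str, max_hops: int = 8) -> List[str]:
    """Hand a packet from host to host until it reaches dest's owner, or until a
    host forwards it to a next hop nobody in the model owns (the ISP side of a
    default route, which is where the reply in this thread disappears)."""
    path, cur = [src], src
    for _ in range(max_hops):
        if owner(hosts, dest) == cur:
            return path
        nh, iface, _ = lookup(hosts[cur], dest)
        if nh is None:
            return path + ["no-route"]
        nxt = owner(hosts, nh)
        if nxt is None:
            return path + [f"lost({nh} via {iface})"]
        path.append(nxt)
        cur = nxt
    return path + ["loop"]


# AppleMasher's topology as posted: office LAN 10.0.0.0/24, VPN server 10.0.0.98,
# OpenVPN net 10.5.0.0/24, gateway (and DNS) 10.0.0.1. Assumed, not in the post:
# the client's tap address 10.5.0.2 and the gateway's WAN side (198.51.100.0/24
# is a documentation range used as a placeholder).
def topology(gateway_has_vpn_route: bool) -> Dict[str, Host]:
    gw_routes: List[Route] = [("0.0.0.0/0", "198.51.100.1", "wan")]
    if gateway_has_vpn_route:
        gw_routes.append(("10.5.0.0/24", "10.0.0.98", "eth0"))   # the route cchee gives
    return {
        "client": make_host({"eth0": "10.65.42.22/24", "tap0": "10.5.0.2/24"},
                            [("10.0.0.0/24", "10.5.0.1", "tap0"),
                             ("0.0.0.0/0", "10.65.42.1", "eth0")]),
        "vpnserver": make_host({"eth0": "10.0.0.98/24", "tap0": "10.5.0.1/24"},
                               [("0.0.0.0/0", "10.0.0.1", "eth0")]),
        "gateway": make_host({"eth0": "10.0.0.1/24", "wan": "198.51.100.5/24"}, gw_routes),
    }


def reply_path(gateway_has_vpn_route: bool) -> List[str]:
    """Where does the gateway send its answer to the VPN client?"""
    return trace(topology(gateway_has_vpn_route), "gateway", "10.5.0.2")


def home_box(with_vpn_route: bool) -> Tuple[Optional[str], Optional[str], bool]:
    """mariourk's home server (tap address assumed): where does 192.168.1.10 go?"""
    routes: List[Route] = [("0.0.0.0/0", "10.0.0.2", "eth1")]
    if with_vpn_route:
        routes.append(("192.168.1.0/24", "10.1.0.1", "tap0"))   # tdb's route add line
    return lookup(make_host({"eth1": "10.0.0.150/24", "tap0": "10.1.0.6/24"}, routes), "192.168.1.10")


# Classful masks on both 10.x interfaces, the case tdb warns about.
CLASSFUL_HOME = make_host({"eth1": "10.0.0.150/8", "tap0": "10.1.0.6/8"}, [])

if __name__ == "__main__":
    print("request :", trace(topology(False), "client", "10.0.0.1"))
    print("reply, no route on gateway :", reply_path(False))
    print("reply, with route on gateway :", reply_path(True))
    print("home box, no vpn route :", home_box(False))
    print("classful masks, 10.1.0.1 goes via :", lookup(CLASSFUL_HOME, "10.1.0.1"))
```

The model ignores metrics and NAT, which is deliberate: it shows the one thing `route -n` on the client and server alone cannot show, namely that the box answering the packet needs a route back.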
AppleMasher n00b
Joined: 09 Jul 2004 Posts: 11 Location: Chattanooga, TN
Posted: Mon Jan 03, 2005 8:08 pm Post subject:
|
Thanks, it all makes sense now. I just misinterpreted what you said the first time.
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Sat Jan 08, 2005 7:13 pm Post subject:
mini HOWTO updated to include support for openvpn 2.0 rc6.
whit Tux's lil' helper
Joined: 26 Oct 2002 Posts: 121 Location: VT
Posted: Thu Jan 20, 2005 5:19 pm Post subject: Bridging?
Has anyone basically followed this recipe but added bridging?