ponzio n00b
Joined: 09 Mar 2005 Posts: 41
Posted: Fri Jun 10, 2005 10:40 am
Now the client seems to be connected:
Code:
Jun 10 12:44:02 ponzio openvpn-client[31114]: TLS: Initial packet from x.x.x.x:5000, sid=ae79a4ab 8cae93bd
Jun 10 12:44:03 ponzio openvpn-client[31114]: VERIFY OK: depth=1, /C=IT/ST=Italia/L=Milano/O=OpenVPN-test
but ifconfig does not show any tun/tap device.
On the server there is an error:
Code:
Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=IT/ST=Italia/O=OpenVPN-test
Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Mon Aug 29, 2005 8:25 pm
Just noticed version 2.0.1 is in portage; the configuration should be the same as for official 2.0.
evol262 n00b
Joined: 10 May 2004 Posts: 25
Posted: Mon Sep 19, 2005 9:19 pm
Any way to allow multiple connections from the same IP? My OpenVPN server's behind a router (DMZed), and it works fine if I only have one external client. Any more than that and it chokes, forbidding new clients from connecting...
Edit: It seems to classify every connection coming from the same IP as the same client, regardless of how the keys and certs are set up. duplicate-cn does not solve this. Do I just need to have only one client key? I don't like that... Doesn't seem to work either >.<. Any suggestions? From what I've seen, ccd can't do this, but I really need a way around it. It seems that all packets appear to be coming from my router, forbidding extra connections:
Code:
Sep 19 16:28:28 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #36 / time = (1127165452) Mon Sep 19 16:30:52 2005 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: incoming packet authentication failed from 192.168.1.1:1194
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)
when client 1 is also connected. If I connect client1 through the local network, I can connect client2 fine. I cannot get client2 and client3 to connect simultaneously (both external).
Sorry, that should read "client1/192.blah.blah" when client 1 is connected and client 2 is trying to connect through the same IP.
evol262 n00b
Joined: 10 May 2004 Posts: 25
Posted: Fri Sep 30, 2005 12:44 pm
-bump-
Any suggestions? Is there a way to make OpenVPN look up NAT traversal?
|
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Sat Oct 15, 2005 1:12 pm
Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections set up. The --cd option should be left to the configuration file instead.
|
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
Posted: Sun Oct 16, 2005 6:16 pm
cchee wrote:
Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections set up. The --cd option should be left to the configuration file instead.
You mean that the init script should not define the --cd option?
AFAIK (and I may be wrong) the --cd option changes the relative directory. This means that
relies on cert.pem existing in the /etc/openvpn directory; however
Code:
ca /etc/ssl/certs/cert.pem
always works regardless of the --cd option.
Could you explain how the init script setting the option makes it more restrictive for multiple connections?
|
l0ner n00b
Joined: 10 Jul 2004 Posts: 37 Location: Germany
Posted: Tue Oct 18, 2005 9:52 am
evol262 wrote:
-bump-
Any suggestions? Is there a way to make OpenVPN look up NAT traversal?
Why would you want to do that?
I use both site-to-site and client/server versions and have never seen a need.
The beautiful thing about OpenVPN is that you need no NAT traversal support, unlike IPsec.
Perhaps there is a different way to solve whatever problem you are having.
-l0ner
|
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Oct 18, 2005 5:12 pm
UberLord wrote:
cchee wrote:
Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections set up. The --cd option should be left to the configuration file instead.
You mean that the init script should not define the --cd option?
AFAIK (and I may be wrong) the --cd option changes the relative directory. This means that
relies on cert.pem existing in the /etc/openvpn directory; however
Code:
ca /etc/ssl/certs/cert.pem
always works regardless of the --cd option.
Could you explain how the init script setting the option makes it more restrictive for multiple connections?
It makes the script only work with one VPN connection setup, i.e. the config file has to be openvpn.conf and it must be under /etc/openvpn. If I want to have multiple VPN connections to different "sites", the init script needs to be modded to fit that need. Or, as some of the developers already suggested in https://bugs.gentoo.org/show_bug.cgi?id=109363, duplicate /etc/init.d/openvpn to /etc/init.d/openvpn.foo, /etc/init.d/openvpn.bar, etc. My personal preference is not multiple copies of /etc/init.d/openvpn and certificates all over the place in different directories (for the sake of keeping things tidy, I prefer to keep them in a single directory for each "set" of files [anyway this is just personal preference]), but having multiple copies of /etc/init.d/openvpn gives us the ability to selectively start and stop specific VPN connections. In the bug note, there is a latest attachment for the modded openvpn init.d script. It looks into /etc/openvpn for *.conf and for each *.conf it will start and stop the openvpn connection. It relies on the individual config file to specify the "directory" for files relative to the corresponding VPN connection (i.e. the cd option). IMHO, my preference may not fit your need, so it is really up to individual work habit.
|
spunki n00b
Joined: 02 Nov 2005 Posts: 2
Posted: Wed Nov 02, 2005 8:50 pm Post subject: OpenVPN
How can I add push "ip route add default via 213.157.224.193 dev tap0" in config file local.conf?
|
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Mon Nov 28, 2005 5:14 pm Post subject: Re: OpenVPN
spunki wrote:
How can I add push "ip route add default via 213.157.224.193 dev tap0" in config file local.conf?
Best source, as usual, is to read the latest manual that matches the version you have installed.
Code:
ifconfig-pool 10.254.254.156 10.254.254.199 255.255.255.128
push "dhcp-renew"
push "dhcp-option DOMAIN domain.tld"
push "dhcp-option DNS 10.10.10.5"
push "dhcp-option DNS 10.10.10.9"
push "route-gateway 10.254.254.155"
The first line tells openvpn the range of IP addresses to be used for DHCP within the VPN segment.
The second line tells openvpn to have the "client" renew its DHCP.
The last line tells openvpn to have the "client" assign 10.254.254.155 as default gateway for all VPN traffic. Mind you, you still need to have a rule in your default gateway/firewall on your remote network (server side) to tell other machines in the remote network (server side) which gateway to use for VPN traffic, in case you want the ability to remotely access other machines **directly** on the remote network via the VPN.
Hope this helps.
|
LL0rd l33t
Joined: 24 May 2004 Posts: 652 Location: Schlundcity
Posted: Mon Dec 05, 2005 2:05 pm
Hi,
I had set up an openvpn server to secure my wlan network. Now I want to use the server to dial in to the LAN (Windows XP notebook). That works already, but: I'm a student at a German university. There we have two ways to use the wlan:
1)
NIC ==> (Webauth) ==> Internet
2)
NIC ==> Cisco VPN client ==> VPN NIC ==> Internet
When I go the first way, I can connect to PCs that are in the VPN. But the whole Internet traffic is unencrypted. When I go the second way, I can connect to the VPN network. I also get the IP address by DHCP, but I can't connect to the PCs of the VPN network.
My idea is that there is a wrong routing table. Can anybody help me?
|
d4h0od Tux's lil' helper
Joined: 27 Jun 2002 Posts: 80 Location: Europe => Sweden => Blekinge => Karlskrona => h0odet
Posted: Sat Mar 25, 2006 9:35 pm Post subject: confused OpenVPN beginner
First off, thanks for a very good howto. Although it hasn't solved all my problems, it still guided me very far and I managed to set up a vpn-server & vpn-client and can ping both ways.
I want to do the following:
I have a gentoo server back home with full access to the internet (no firewalls etc.) and I want to route all traffic from my client laptop (that's located behind a hotel firewall that I have no control over) through my gentoo-server and use that as a "proxy" for all my traffic, so I can freely connect to any service on any port.
And no, it's not to download warez/porn.
I'm just a poker addict playing at several different sites, but now that I'm away on a trip for several months I'm forced to sit behind a firewall that blocks most (if not all) ports that I need open to be able to continue playing.
First of all, is it possible for me to route all internet traffic from my hotel computer to my vpn-server and then out on the internet? And will the fact that I'm receiving my client IP address from the hotel FW via DHCP cause any problems?
Do I need 1 or 2 NICs on the server, and what configuration would I need to perform on the server?
So far I have managed to set up a vpn-server on the gentoo-server and connect to it with my laptop (WinXP) using SSL certificates, so those parts work ok.
This is my lame attempt to try and illustrate my idea:
Code:
---------------            ---------------            ------------            -----------------
|    Client   |  <<RESP<<  |   Hotel FW  |  <<RESP<<  |  Internet |  <<RESP<<  | Gentoo server |
|             |            |             |            |           |            |               |
| 192.168.3.x |  >>REQ>>   | 192.168.3.x |  >>REQ>>   |           |  >>REQ>>   | 194.10.180.x  |
---------------            ---------------            ------------            -----------------
  |v ^^                         v| ^^
  Rv R^                         vR ^|
  Ev E^                         vE ^R
  Sv Q^                         vQ ^E
  Pv |^<<<<<<<<<<<<<<<<<|       ^S
  |v \------------------/       ^P
  |v                            ^|
  |v>>>>>>>>>>>>>>>>>>>>>>>>>>>>^|
  \--------------RESP------------/
|
ethzural n00b
Joined: 11 May 2006 Posts: 1
Posted: Thu May 18, 2006 7:12 am Post subject: bridging
Hi guys, before I start on my openvpn, I suppose I need to set up the bridge between eth0 and tap0 first?
However, I had included the bridge (built-in) and tun/tap (module) in the kernel, yet /dev/net/tun keeps disappearing each time I reboot the server. So, how am I going to create tap0?
|
b1f30 Apprentice
Joined: 16 Nov 2005 Posts: 262 Location: USA
Posted: Fri Jun 16, 2006 1:09 am Post subject: Re: DNS lookup for OpenVPN client (Linux only)
cchee wrote:
For those who have Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following into their Linux client configuration (using the above example environment):
Code:
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down
where client.up is a shell script with the following content:
Code:
#!/bin/sh
# prepend the VPN resolver entries to resolv.conf
sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
and client.down is another shell script with the following content:
Code:
#!/bin/sh
# remove the entries again; note the line continuation after the first -e,
# without it sed never sees the second expression or the file name
sed -i \
-e '/nameserver 10.2.0/d' \
-e '/search homenetwork.local/d' /etc/resolv.conf
Make sure you have
Code:
chmod 755 client.up client.down
and have these scripts under the same directory as the configuration file. Note: an absolute path is needed for client.up in the OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.
I'm trying to get the 'up' and 'down' scripts to work, and I've placed the following two lines in my /etc/openvpn/openvpn.conf:
Code:
up /etc/openvpn/client.up
down /etc/openvpn/client.down
chmod'ed the scripts with 755, and openvpn starts up just fine. It adds the nameserver info to /etc/resolv.conf, but when I bring openvpn down, the two new entries still remain in /etc/resolv.conf, leaving me to manually edit every time I bring it down. Absolute paths are fine, permissions are set - what the heck am I doing wrong here?
:evil:
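The quoted client.down deletes lines by pattern, so any slip in that script (a missing line continuation, a pattern that no longer matches the pushed addresses) leaves the VPN entries in /etc/resolv.conf, which is the symptom reported above. As an added example, not the howto's scripts and not posted by anyone in the thread, here is one file that serves as both up and down: it saves a copy of resolv.conf before touching it and restores that copy on the way down, so nothing depends on matching the right lines later. The file path, backup name, nameserver list and search domain are variables whose defaults are the values from the quoted scripts; the script selects its action from the script_type environment variable OpenVPN exports to up/down scripts, or from its own name when invoked through client.up / client.down symlinks.

```shell
#!/bin/sh
# Added example (not from the howto): backup-and-restore resolv.conf handling
# for OpenVPN up/down. Assumed variable names and defaults:
RESOLV="${RESOLV:-/etc/resolv.conf}"
BACKUP="${BACKUP:-${RESOLV}.openvpn-saved}"
VPN_DNS="${VPN_DNS:-10.2.0.1 10.2.0.2}"          # space-separated nameservers
VPN_SEARCH="${VPN_SEARCH:-homenetwork.local.}"

resolv_up() {
    # A second "up" without a "down" must not overwrite the saved copy,
    # otherwise the backup would already contain the VPN entries and a
    # later restore would leave them in place.
    if [ -e "$BACKUP" ]; then
        echo "resolv_up: $BACKUP exists, refusing to overwrite it" >&2
        return 1
    fi
    cp "$RESOLV" "$BACKUP" || return 1
    # Write the new file in one go and move it into place, so a crash
    # mid-write cannot leave a half-written resolv.conf behind.
    {
        printf 'search %s\n' "$VPN_SEARCH"
        for ns in $VPN_DNS; do
            printf 'nameserver %s\n' "$ns"
        done
        cat "$BACKUP"
    } > "${RESOLV}.tmp" && mv "${RESOLV}.tmp" "$RESOLV"
}

resolv_down() {
    # Restoring the saved copy removes exactly what "up" added, whatever
    # the pushed addresses were, and leaves no stray entries behind.
    if [ ! -e "$BACKUP" ]; then
        echo "resolv_down: no $BACKUP to restore" >&2
        return 1
    fi
    mv "$BACKUP" "$RESOLV"
}

# OpenVPN sets script_type to "up" or "down" for its scripts; fall back to
# the script's own name so client.up / client.down symlinks also work.
case "${script_type:-$(basename "$0")}" in
    up|client.up)     resolv_up ;;
    down|client.down) resolv_down ;;
esac
```

Install it once with mode 755, point both `up` and `down` in the client config at it by absolute path (the quoted note about absolute paths still applies), and a failed restore is reported on stderr instead of silently leaving the VPN resolvers in place after the tunnel is gone.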
|
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
julmust n00b
Joined: 13 Oct 2002 Posts: 57 Location: Landskrona, Sweden
Posted: Mon Jul 03, 2006 11:39 pm Post subject: Can't reach remote subnet
I can't figure out how to enable the clients to reach the entire remote subnet. My setup is this:
OpenVPN running on a server (192.168.0.200) behind firewall.
Client is WinXP.
192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet
serverconf (basically set up as in this howto):
Code:
port 1194
dev tap
tls-server
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh1024.pem
tls-auth /etc/openvpn/server/static.key 0
duplicate-cn
mode server
ifconfig 192.168.100.100 255.255.255.0
ifconfig-pool 192.168.100.101 192.168.100.105 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route-gateway 192.168.100.100"
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 192.168.0.0 255.255.255.0 192.168.100.100"
push "route 192.168.100.0 255.255.255.0 192.168.100.100"
comp-lzo
client config:
Code:
port 1194 # or any other port you want to use
dev tap
remote remote-address # external IP of the OpenVPN server
tls-client
ca ca.crt
cert client.crt
key client-key.txt
tls-auth static-key.txt 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
After starting the server the client gets an IP (192.168.100.101), so that seems to be fine. The client can ping the virtual VPN server address 192.168.100.100 and vice versa. From the client I can also reach 192.168.0.200, which is eth0 on the VPN server. Now I want to be able to reach the other clients in the subnet. Been scratching my head all day long about this issue. I guess I need to somehow route traffic from tap0 to eth0 or similar. This is where I need some help..
Output on server side:
Code:
PC01_server ~ # route -N
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
PC01_server ~ # cat /proc/sys/net/ipv4/ip_forward
1
On client side:
Code:
c:\>route PRINT
....
192.168.0.0 255.255.255.0 192.168.100.100 192.168.100.101
This would mean all traffic to 192.168.0.0/24 would go to gateway 192.168.100.100 via the 192.168.100.101 adapter, right?
As I read in the troubleshooting section of this howto, the other option would be to use an ethernet bridge; this I have not tried, and it seems as if that wouldn't be necessary?
I'm probably overlooking something vital, so it would be really great if someone could point me in the right direction!
|
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
julmust n00b
Joined: 13 Oct 2002 Posts: 57 Location: Landskrona, Sweden
Posted: Tue Jul 04, 2006 8:57 am
I have, and it's enabled in the kernel; I've loaded the ip_tables module as well. Do I have to do anything with iptables?
I've tried various combinations without success.
|
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
Posted: Tue Jul 04, 2006 10:17 am
I've had this problem before, but I cannot remember what exactly I did to fix it.
As you can ping the remote server IP on the remote subnet but not anything else on the subnet, it's simply a routing/forwarding/iptables issue on the server.
One thing I could suggest is that you try the firewall init script I have here
http://dev.gentoo.org/~uberlord/firewall
and configure /etc/conf.d/firewall to read
Code:
LOCAL_IPV4="192.168.0.0/24 192.168.100.0/24"
FORWARD_INTERFACES=( "tap0 eth0" )
If it works, then configure it for the ports you want to open and close, and you're set to go. Otherwise, post your problem in a new thread as it's no longer an openvpn issue.
|
julmust n00b
Joined: 13 Oct 2002 Posts: 57 Location: Landskrona, Sweden
Posted: Tue Jul 04, 2006 3:45 pm
What is the recommended way to set the open ports in your firewall script? Since for the moment I only have ssh access, I want to make sure that ssh and other ports are open before I try it..
|
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Fri Jul 28, 2006 3:18 pm
julmust,
Your gateway/router on your server subnet needs to add a rule to tell the rest of the machines (on the same subnet as your server) which "vpn gateway" to use for VPN traffic.
In your case:
Code:
192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet
You will need the router on your remote subnet (192.168.0.0/24) to add a rule to tell the rest of the machines on your remote subnet how to route the VPN traffic from/to your virtual subnet (192.168.100.0/24) via your VPN server (192.168.0.200) to your client (192.168.100.101).
And as UberLord mentioned, you need to make sure you have ip_forwarding enabled on your VPN server to make it work.
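As an added example, not posted by anyone in the thread and not UberLord's firewall script, here is how the two pieces of advice above combine for julmust's topology: the forwarding rules on the VPN server, the ip_forward check, and the return route the LAN router needs so that replies from 192.168.0.x hosts do not get sent to the router's default route. Interface names, subnets and the server address are variables whose defaults are the values from the thread; DRY_RUN=1 prints the iptables commands instead of running them, which is also how to review them before applying. The FORWARD rules are deliberately narrower than accepting everything arriving on tap0: only the two subnets are forwarded, and the LAN side may only answer connections the VPN side opened.

```shell
#!/bin/sh
# Added example (not from the thread): server-side forwarding for a routed
# tap setup plus the route the LAN router must carry. Assumed names/defaults:
VPN_IF="${VPN_IF:-tap0}"                    # OpenVPN interface on the server
LAN_IF="${LAN_IF:-eth0}"                    # server's LAN-facing interface
VIRT_NET="${VIRT_NET:-192.168.100.0/24}"    # virtual subnet handed to clients
LAN_NET="${LAN_NET:-192.168.0.0/24}"        # remote subnet clients want to reach
SERVER_LAN_IP="${SERVER_LAN_IP:-192.168.0.200}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. The kernel must forward at all (the thread checks this via /proc).
forwarding_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = 1 ]
}

# 2. Forward only between the two subnets.  VPN -> LAN may open connections;
#    LAN -> VPN may only carry replies to them (stateful match), so a host on
#    the LAN cannot reach into VPN clients on its own.
vpn_forward_rules() {
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -s "$VIRT_NET" -d "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" \
        -s "$LAN_NET" -d "$VIRT_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# 3. Hosts on the LAN send replies for 192.168.100.x to their default gateway,
#    which knows nothing about the virtual subnet.  This is the route that
#    gateway needs; it is only printed because it belongs on another box.
lan_router_route() {
    printf 'ip route add %s via %s\n' "$VIRT_NET" "$SERVER_LAN_IP"
}

main() {
    forwarding_enabled || echo "warning: ip_forward is 0 on this host" >&2
    vpn_forward_rules
    echo "# run this on the LAN router (the 192.168.0.1 box):"
    lan_router_route
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as `DRY_RUN=1 sh forward.sh apply` first to see the three commands; the alternative to the route on the LAN router is to MASQUERADE VPN traffic leaving the server's LAN interface, which hides the client addresses from the LAN and so also hides them from the LAN's own logs and firewall rules.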
|
mmx87 n00b
Joined: 30 Mar 2006 Posts: 7
Posted: Thu Sep 21, 2006 6:36 pm
Great tutorial... although you forgot to note where easyrsa is located when you use the official portage ebuild of openvpn. Easyrsa is located in /usr/share/openvpn/easyrsa. Also, the openvpn init script from the ebuild has changed as well, and the configuration file is expected to be found at /etc/openvpn/openvpn.conf. Just letting everyone know of a few hurdles I had to overcome to get openvpn working.
|
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Oct 03, 2006 3:44 am
Just an FYI, there is a port to PocketPC underway for OpenVPN. I will update the mini-howto to include PocketPC setup later once I give it a try... For those who can't wait, you can check it out here:
http://www.ziggurat29.com/OVPNPPCAlpha/OVPNPPCAlpha.htm
|
hanj Veteran
Joined: 19 Aug 2003 Posts: 1496
Posted: Sat Oct 07, 2006 6:08 am
Hello,
I'm having trouble with my OpenVPN configuration, but only when trying to connect from the WAN to the local network. I also have a DMZ network (wireless) that I'm able to connect to just fine with VPN. I keep receiving the following error on the server when trying to connect on the WAN:
Code:
Oct 6 23:50:52 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: new session incoming connection from xxx.xxx.xxx.xxx:50264
Oct 6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS handshake failed
Oct 6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct 6 23:51:05 comp openvpn[8844]: MULTI: multi_create_instance called
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Re-using SSL/TLS context
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 LZO compression initialized
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options hash (VER=V4): '360696c5'
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options hash (VER=V4): '13a273ba'
Oct 6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: Initial packet from xxx.xxx.xxx.xxx:50264, sid=dcb36b41 f3607908
This is the error on the client (Windows XP using OpenVPN GUI):
Code:
Fri Oct 06 23:50:58 2006 us=685483 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 06 23:50:58 2006 us=685538 TLS Error: TLS handshake failed
Fri Oct 06 23:50:58 2006 us=686068 TCP/UDP: Closing socket
Fri Oct 06 23:50:58 2006 us=686483 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 06 23:50:58 2006 us=686515 Restart pause, 2 second(s)
Fri Oct 06 23:51:00 2006 us=686483 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 06 23:51:00 2006 us=690118 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Fri Oct 06 23:51:00 2006 us=690177 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690260 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690410 LZO compression initialized
Fri Oct 06 23:51:00 2006 us=690567 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Oct 06 23:51:00 2006 us=693216 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Oct 06 23:51:00 2006 us=693299 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Oct 06 23:51:00 2006 us=693329 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Oct 06 23:51:00 2006 us=693390 Local Options hash (VER=V4): '13a273ba'
Fri Oct 06 23:51:00 2006 us=693426 Expected Remote Options hash (VER=V4): '360696c5'
Fri Oct 06 23:51:00 2006 us=693481 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Oct 06 23:51:00 2006 us=693535 UDPv4 link local (bound): [undef]:800
Fri Oct 06 23:51:00 2006 us=693568 UDPv4 link remote: xxx.xxx.xxx.xxx:800
Now, as I said, when I connect while on the DMZ (172.16.0.0/24) network, everything works fine. My internal network is 10.0.0.0/26. It seems like this might be a NAT or routing issue.. possibly the client is not receiving a response. There are no blocks showing in /var/log/messages, and there should be if it's not allowed. That's why I keep thinking it's a route problem.
Here is my route table on the firewall/vpn server:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.192 U     0      0        0 eth0
172.16.0.0      *               255.255.255.0   U     0      0        0 eth2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
eth1 is connected directly to a Cisco 800 series DSL modem, eth0 is my internal network and eth2 is my DMZ network.
I'm running my OpenVPN on a non-standard port, UDP/800. Here are some interesting pieces of my iptables script:
Code:
$IPT -A INPUT -p udp --dport 800 -d $NATIP -j ACCEPT
$IPT -A OUTPUT -p udp --dport 800 -o eth1 -s 192.168.0.3 -j ACCEPT
$IPT -A OUTPUT -p udp -s 192.168.0.3 --sport 800 -j ACCEPT
$IPT -A INPUT -i tap0 -j ACCEPT
$IPT -A FORWARD -i tap0 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
Any help to get this working is greatly appreciated!
thanks
hanji