OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp)

Post by ponzio » Fri Jun 10, 2005 10:40 am

Now the client seems to be connected:

Code:

Jun 10 12:44:02 ponzio openvpn-client[31114]: TLS: Initial packet from x.x.x.x:5000, sid=ae79a4ab 8cae93bd
Jun 10 12:44:03 ponzio openvpn-client[31114]: VERIFY OK: depth=1, /C=IT/ST=Italia/L=Milano/O=OpenVPN-test
But ifconfig does not show any tun/tap device.
On the server there is an error:

Code:

Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=IT/ST=Italia/O=OpenVPN-test
Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Post by cchee » Mon Aug 29, 2005 8:25 pm

Just noticed version 2.0.1 is in Portage; the configuration should be the same as for the official 2.0.
Post by evol262 » Mon Sep 19, 2005 9:19 pm

Any way to allow multiple connections from the same IP? My OpenVPN server's behind a router (DMZed), and it works fine if I only have one external client. Any more than that and it chokes, forbidding new clients from connecting...

Edit: It seems to classify every connection coming from the same IP as the same client, regardless of how the keys and certs are set up. Duplicate-cn does not solve this. Do I just need to have only one client key? I don't like that... Doesn't seem to work either >.<. Any suggestions? From what I've seen, ccd can't do this, but I really need a way around it. It seems that all packets appear to be coming from my router, forbidding extra connections.

Code:

Sep 19 16:28:28 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #36 / time = (1127165452) Mon Sep 19 16:30:52 2005 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: incoming packet authentication failed from 192.168.1.1:1194
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)
When client 1 is also connected. If I connect client1 through the local network, I can connect client2 fine. I cannot get client2 and client3 to connect simultaneously (both external).

Sorry, that should read "client1/192.blah.blah" when client 1 is connected and client 2 is trying to connect through the same IP.
Post by evol262 » Fri Sep 30, 2005 12:44 pm

-bump-

Any suggestions? Is there a way to make OpenVPN look up NAT traversal?
Post by cchee » Sat Oct 15, 2005 1:12 pm

Updated troubleshooting section to include a workaround for the openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple VPN connections set up. The --cd option should be left to the configuration file instead.
Post by UberLord » Sun Oct 16, 2005 6:16 pm

cchee wrote:Updated troubleshooting section to include a workaround for the openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple VPN connections set up. The --cd option should be left to the configuration file instead.
You mean that the init script should not define the --cd option?

AFAIK (and I may be wrong) the --cd option changes the relative directory. This means that

Code:

ca cert.pem
relies on cert.pem existing in the /etc/openvpn directory,
however

Code:

ca /etc/ssl/certs/cert.pem
always works regardless of the --cd option.

Could you explain how the init script setting the option makes it more restrictive for multiple connections?
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Post by l0ner » Tue Oct 18, 2005 9:52 am

evol262 wrote:-bump-

Any suggestions? Is there a way to make OpenVPN look up NAT traversal?
Why would you want to do that :?:
I use both site to site, and client/server versions and have never seen a need.
The beautiful thing about OpenVPN is that you need no NAT traversal support, not like IPSEC.
Perhaps there is a different way to solve whatever problem you are having.

-l0ner
Post by cchee » Tue Oct 18, 2005 5:12 pm

UberLord wrote:
cchee wrote:Updated troubleshooting section to include a workaround for the openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple VPN connections set up. The --cd option should be left to the configuration file instead.
You mean that the init script should not define the --cd option?

AFAIK (and I may be wrong) the --cd option changes the relative directory. This means that

Code:

ca cert.pem
relies on cert.pem existing in the /etc/openvpn directory,
however

Code:

ca /etc/ssl/certs/cert.pem
always works regardless of the --cd option.

Could you explain how the init script setting the option makes it more restrictive for multiple connections?
It makes the script only work with one VPN connection setup, i.e. the config file has to be openvpn.conf and it must be under /etc/openvpn. If I want to have multiple VPN connections to different "sites", the init script needs to be modded to fit that need. Or, as some of the developers already suggested in http://bugs.gentoo.org/show_bug.cgi?id=109363, duplicate /etc/init.d/openvpn to /etc/init.d/openvpn.foo, /etc/init.d/openvpn.bar, etc.

My personal preference is not to have multiple copies of /etc/init.d/openvpn and certificates all over the place in different directories (for the sake of keeping things tidy, I prefer to keep them in a single directory for each "set" of files; anyway, this is just personal preference), but having multiple copies of /etc/init.d/openvpn gives us the ability to selectively start and stop specific VPN connections.

In the bug note, there is a latest attachment for the modded openvpn init.d script. It looks into /etc/openvpn for *.conf and for each *.conf it will start and stop the openvpn connection. It relies on the individual config file to specify the "directory" for the set of files relative to the corresponding VPN connection (i.e. the cd option). IMHO, my preference may not fit your need, so it is really up to individual work habit.
OpenVPN


Post by spunki » Wed Nov 02, 2005 8:50 pm

How can I add push "ip route add default via 213.157.224.193 dev tap0" to the config file local.conf?
Re: OpenVPN


Post by cchee » Mon Nov 28, 2005 5:14 pm

spunki wrote:How can I add push "ip route add default via 213.157.224.193 dev tap0" to the config file local.conf?
The best source, as usual, is to read the latest manual that matches the version you have installed.

Code:

ifconfig-pool 10.254.254.156 10.254.254.199 255.255.255.128
push "dhcp-renew"
push "dhcp-option DOMAIN domain.tld"
push "dhcp-option DNS 10.10.10.5"
push "dhcp-option DNS 10.10.10.9"
push "route-gateway 10.254.254.155"
The first line tells openvpn the range of IP addresses to be used for DHCP within the VPN segment.
The second line tells openvpn to have the "client" renew its DHCP lease.
The last line tells openvpn to have the "client" assign 10.254.254.155 as the default gateway for all VPN traffic. Mind you, you still need to have a rule in your default gateway/firewall on your remote network (server side) to tell other machines in the remote network (server side) which gateway to use for VPN traffic, in case you want to have the ability to remotely access other machines **directly** on the remote network via the VPN.

Hope this helps.
Post by LL0rd » Mon Dec 05, 2005 2:05 pm

Hi,

I had set up a openvpn server to secure my wlan network. Now I want to use the server to dialin into the LAN (windows xp notebook). That works allready, but: I'm student on a german university. There we have two ways to use the wlan:

1)
NIC ==> (Webauth) ==> Internet

2)
NIC ==> Cisco VPN client ==> VPN NIC ==> Internet

When i go the first way, I can connect to PCs that are in the VPN. But the whole Internet traffic is unencryped. When I go the second way, I can connect to the VPN Network. I also get the IP adress by the dhcp, but I can't connect to the PCs of the VPN network.

My idea is, that there is a wrong routing table. Can anybody help me?
Alte Mathematiker sterben nicht - sie verlieren nur einige ihrer Funktionen.
confused OpenVPN beginner


Post by d4h0od » Sat Mar 25, 2006 9:35 pm

First off, thanks for a very good HOWTO. Although it hasn't solved all my problems, it still guided me very far and I managed to set up a VPN server & VPN client and can ping both ways :)

I want to do the following:

I have a Gentoo server back home with full access to the Internet (no firewalls etc.) and I want to route all traffic from my client laptop (that's located behind a hotel firewall that I have no control over) through my Gentoo server and use that as a "proxy" for all my traffic, so I can freely connect to any service on any port.

And no, it's not to download warez/porn ;)
I'm just a poker addict playing at several different sites, but now that I'm away on a trip for several months I'm forced to sit behind a firewall that blocks most (if not all) of the ports I need open to be able to continue playing :(

First of all, is it possible for me to route all Internet traffic from my hotel computer to my VPN server and then out onto the Internet? And will the fact that I'm receiving my client IP address from the hotel FW via DHCP cause any problems?

Do I need 1 or 2 NICs on the server, and what configuration would I need to perform on the server?

So far I have managed to set up a VPN server on the Gentoo server and connect to it with my laptop (WinXP) using SSL certificates, so those parts work OK.

This is my lame attempt to try and illustrate my idea

Code:

---------------           ---------------          ------------          -----------------
| Client      | <<RESP<<  | Hotel FW    | <<RESP<< | Internet | <<RESP<< | Gentoo server |
|             |           |             |          |          |          |               |
| 192.168.3.x | >>REQ>>   | 192.168.3.x | >>REQ>>  |          | >>REQ>>  | 194.10.180.x  |
---------------           ---------------          ------------          -----------------
                                                     |v    ^^                v|    ^^
                                                     Rv    R^                vR    ^|
                                                     Ev    E^                vE    ^R
                                                     Sv    Q^                vQ    ^E
                                                     Pv    |^<<<<<<<<<<<<<<<<<|    ^S
                                                     |v    \------------------/    ^P
                                                     |v                            ^|
                                                     |v>>>>>>>>>>>>>>>>>>>>>>>>>>>>^|
                                                     \--------------RESP------------/

// d4h0od
bridging


Post by ethzural » Thu May 18, 2006 7:12 am

Hi guys, before I start on my OpenVPN, I suppose I need to set up the bridge between eth0 and tap0 first?
However, I had included the bridge (built-in) and tun/tap (module) in the kernel, yet /dev/net/tun keeps on disappearing each time I reboot the server. So, how am I going to create tap0?
Re: DNS lookup for OpenVPN client (Linux only)


Post by b1f30 » Fri Jun 16, 2006 1:09 am

cchee wrote:For those who have Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following to their Linux client configuration (using the above example environment):

Code:

up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down
where client.up is a shell script with the following content:

Code:

sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
and client.down is another shell script with the following content:

Code:

sed -i \
-e '/nameserver 10.2.0/d' \
-e '/search homenetwork.local/d' /etc/resolv.conf
Make sure you have

Code:

chmod 755 client.up client.down
And have these scripts under the same directory as the configuration file. Note: Absolute path is needed for client.up in OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.
I'm trying to get the 'up' and 'down' scripts to work, and I've placed the following two lines in my /etc/openvpn/openvpn.conf:

up /etc/openvpn/client.up
down /etc/openvpn/client.down

chmod'ed the scripts with 755, and openvpn starts up just fine. It adds the nameserver info to /etc/resolv.conf, but when I bring openvpn down, the two new entries still remain in /etc/resolv.conf leaving me to manually edit every time I bring it down. Absolute paths are fine, permissions are set - what the heck am I doing wrong here?

:evil:
H T T P : / / W W W . B I N A R Y F R E E D O M . I N F O /
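The client.up/client.down pair quoted above edits /etc/resolv.conf in place with hard-coded addresses. As an added example that is not part of the HOWTO and not one of OpenVPN's own scripts, here is a single POSIX sh script that instead builds the file from what the server actually pushed: on Linux, OpenVPN hands every pushed dhcp-option to the up/down script as environment variables foreign_option_1, foreign_option_2, and so on. It saves the original file once and restores it on the way down, and it refuses values that do not look like an IPv4 address or a domain name, because the pushed options are chosen by the server and the script runs as root, so they should not be able to write arbitrary lines into resolv.conf. The script path, the backup file name and the RESOLV_CONF override are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not the HOWTO's client.up/client.down): build resolv.conf
# from the dhcp-option values OpenVPN exports to up/down scripts as
# foreign_option_1, foreign_option_2, ... and restore the original on down.
# Hook it up with (the path is this example's assumption):
#   up   "/etc/openvpn/client/resolv.sh up"
#   down "/etc/openvpn/client/resolv.sh down"
# RESOLV_CONF can be overridden so the logic can be exercised on a scratch file.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="$RESOLV_CONF.openvpn-saved"

# Print the resolv.conf lines implied by foreign_option_*: DNS becomes a
# nameserver line, DOMAIN a search line.  Values are validated because they
# originate from the server push; anything unexpected is skipped, not written.
build_resolv_conf() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)
                v=${opt#dhcp-option DNS }
                case "$v" in
                    ""|*[!0-9.]*) ;;                  # not a dotted quad: skip
                    *) echo "nameserver $v" ;;
                esac ;;
            "dhcp-option DOMAIN "*)
                v=${opt#dhcp-option DOMAIN }
                case "$v" in
                    ""|*[!A-Za-z0-9.-]*) ;;           # not hostname characters: skip
                    *) echo "search $v" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
}

# up: save the current file once, then replace it with the pushed settings.
apply_up() {
    new=$(build_resolv_conf)
    [ -n "$new" ] || return 0               # nothing usable pushed: leave it alone
    [ -f "$BACKUP" ] || cp "$RESOLV_CONF" "$BACKUP"
    printf '%s\n' "$new" > "$RESOLV_CONF"
}

# down: put the saved file back (a no-op if up never changed anything).
apply_down() {
    if [ -f "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

case "${1:-}" in
    up)   apply_up ;;
    down) apply_down ;;
esac
```

Unlike the sed version this replaces the file rather than prepending to it, which is what makes the down side reliable: there is nothing to pattern-match, only a saved copy to move back. If resolvconf is in use on the client (UberLord's suggestion below), feed the output of build_resolv_conf to resolvconf instead of writing the file directly.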

Post by UberLord » Fri Jun 16, 2006 8:27 am

You could always use the p.masked openvpn beta and use its supplied up and down scripts.
You may also want to emerge resolvconf-gentoo and baselayout-1.12.1 for really good support too :)
Can't reach remote subnet


Post by julmust » Mon Jul 03, 2006 11:39 pm

I can't figure out how to enable the clients to reach the entire remote subnet, my setup is this:

OpenVPN running on a server (192.168.0.200) behind firewall.
Client is WinXP.

192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet

Server conf (basically set up as in this HOWTO):

Code:

port 1194
dev tap

tls-server

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh1024.pem
tls-auth /etc/openvpn/server/static.key  0

duplicate-cn
mode server

ifconfig 192.168.100.100 255.255.255.0
ifconfig-pool 192.168.100.101 192.168.100.105 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route-gateway 192.168.100.100"

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"

push "route 192.168.0.0 255.255.255.0 192.168.100.100"
push "route 192.168.100.0 255.255.255.0 192.168.100.100"

comp-lzo
Client config:

Code:

port 1194 # or any other port you want to use
dev tap
remote remote-address #is external IP of the OpenVPN server

tls-client
ca ca.crt
cert client.crt
key client-key.txt
tls-auth static-key.txt 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4
After starting the server the client gets an IP (192.168.100.101), so that seems to be fine. The client can ping the virtual VPN server address 192.168.100.100 and vice versa. From the client I can also reach 192.168.0.200, which is eth0 on the VPN server. Now I want to be able to reach the other clients in the subnet. Been scratching my head all day long about this issue. I guess I need to somehow route traffic from tap0 to eth0 or similar. This is where I need some help..

Output on server side:

Code:

PC01_server ~ # route -N
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
PC01_server ~ # cat /proc/sys/net/ipv4/ip_forward
1
On client side:

Code:

c:\>route PRINT
....
192.168.0.0   255.255.255.0  192.168.100.100  192.168.100.101
This would mean all traffic to 192.168.0.0/24 would go to gateway 192.168.100.100 via the 192.168.100.101-adapter, right?
As I read in the troubleshooting section of this howto the other option would be to use an ethernet bridge, this i have not tried, and it seems as if that wouldn't be necessary?

I'm probably overlooking something vital so it would be really great if someone could point me in the right direction!
hm.. help me.

Post by UberLord » Tue Jul 04, 2006 8:42 am

Have you enabled ip forwarding on the server?

Post by julmust » Tue Jul 04, 2006 8:57 am

I have, and it's enabled in the kernel; I've loaded the ip_tables module as well. Do I have to do anything with iptables?
I've tried various combinations without success.

Post by UberLord » Tue Jul 04, 2006 10:17 am

I've had this problem before, but I cannot remember what exactly I did to fix it.
As you can ping the remote server ip on the remote subnet but not anything else on the subnet then it's simply a routing/forwarding/iptables issue on the server.

One thing I could suggest is that you try the firewall init script I have here
http://dev.gentoo.org/~uberlord/firewall

and configure /etc/conf.d/firewall to read

Code:

LOCAL_IPV4="192.168.0.0/24 192.168.100.0/24"
FORWARD_INTERFACES=( "tap0 eth0" )
If it works, then configure it for the ports you want to open, close and you're set to go. Otherwise, post your problem in a new thread as it's no longer an openvpn issue.

Post by julmust » Tue Jul 04, 2006 3:45 pm

What is the recommended way to set the open ports in your firewall script? Since for the moment I only have SSH access, I want to make sure that SSH and other ports are open before I try it..

Post by UberLord » Tue Jul 04, 2006 4:33 pm

PORTS_IN="ssh"

or just on the defined local IP's

LOCAL_PORTS_IN="ssh"

Add either numerics, numeric ranges (100:110) or names in /etc/services

Post by cchee » Fri Jul 28, 2006 3:18 pm

julmust,

Your gateway/router on your server subnet need to add a rule to tell the rest of the machines (on the same subnet as your server) which "vpn gateway" to use for VPN traffic.

In your case:

Code: Select all

192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet 
You will need to have the router on your remote subnet (192.168.0.0/24) to add a rule to tell the rest of the machines on your remote subnet how to route the VPN traffic from/to your virtual subnet (192.168.100.0/24) via your VPN server (192.168.0.200) to your client (192.168.100.101).

And as UberLord mentioned, you need to make sure you have ip_forwarding enabled in your VPN server to make it works.
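To make concrete what cchee and UberLord are describing (ip_forward on the server is necessary but not sufficient; the other hosts on 192.168.0.0/24 also need a route back to 192.168.100.0/24), here is an added example that is not from the thread: a small POSIX sh longest-prefix-match lookup run over routing tables modelled on julmust's post. It walks a packet from the VPN client to a LAN host and the reply back, first with the LAN router knowing nothing about 192.168.100.0/24 and then after a route for that subnet via 192.168.0.200 has been added to it. The LAN host 192.168.0.50, the router's interface names and the client's default route are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread: longest-prefix-match over routing tables
# of the kind shown in julmust's post, used to trace the forward and return
# paths of a VPN packet.  Table lines are "destination netmask gateway iface";
# a gateway of 0.0.0.0 means "directly attached", as in route -N output.

# Dotted quad -> integer, so netmasks can be applied with shell arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Number of set bits in an integer netmask (the prefix length).
mask_len() {
    n=$1 c=0
    while [ "$n" -ne 0 ]; do c=$((c + (n & 1))); n=$((n >> 1)); done
    echo "$c"
}

# route_lookup TABLE DESTINATION -> "gateway iface" of the most specific
# matching entry, or nothing if the table has no match at all.
route_lookup() {
    dst=$(ip2int "$2")
    printf '%s\n' "$1" | {
        best_len=-1 best=""
        while read -r dest mask gw iface; do
            [ -n "$dest" ] || continue
            m=$(ip2int "$mask")
            if [ $(( dst & m )) -eq "$(ip2int "$dest")" ]; then
                len=$(mask_len "$m")
                if [ "$len" -gt "$best_len" ]; then best_len=$len; best="$gw $iface"; fi
            fi
        done
        echo "$best"
    }
}

# VPN server (192.168.0.200 on eth0, 192.168.100.100 on tap0), as in the post.
SERVER='192.168.100.0 255.255.255.0 0.0.0.0 tap0
192.168.0.0 255.255.255.0 0.0.0.0 eth0
0.0.0.0 0.0.0.0 192.168.0.1 eth0'
# WinXP client after the pushed "route 192.168.0.0 255.255.255.0 192.168.100.100".
CLIENT='192.168.0.0 255.255.255.0 192.168.100.100 tap
192.168.100.0 255.255.255.0 0.0.0.0 tap
0.0.0.0 0.0.0.0 192.168.1.1 lan'
# An ordinary host on the remote LAN (assumed 192.168.0.50): only its own
# subnet plus a default route to the router 192.168.0.1.
LANHOST='192.168.0.0 255.255.255.0 0.0.0.0 eth0
0.0.0.0 0.0.0.0 192.168.0.1 eth0'
# The router as julmust has it: it knows nothing about the VPN subnet ...
ROUTER_BEFORE='192.168.0.0 255.255.255.0 0.0.0.0 lan
0.0.0.0 0.0.0.0 0.0.0.0 wan'
# ... and after "192.168.100.0/24 via 192.168.0.200" has been added to it.
ROUTER_AFTER="192.168.100.0 255.255.255.0 192.168.0.200 lan
$ROUTER_BEFORE"

# Request: client -> server -> LAN host.  This already works once the server
# has ip_forward=1, which is why julmust can reach 192.168.0.200 itself.
echo "client  -> 192.168.0.50:     $(route_lookup "$CLIENT" 192.168.0.50)"
echo "server  -> 192.168.0.50:     $(route_lookup "$SERVER" 192.168.0.50)"
# Reply: the LAN host hands it to its default gateway, and that router has no
# entry for 192.168.100.101, so the reply leaves on the WAN side (or is dropped).
echo "lanhost -> 192.168.100.101:  $(route_lookup "$LANHOST" 192.168.100.101)"
echo "router  -> 192.168.100.101:  $(route_lookup "$ROUTER_BEFORE" 192.168.100.101)   (before)"
# With the static route on the router the reply reaches the VPN server, whose
# own table delivers it into tap0.
echo "router  -> 192.168.100.101:  $(route_lookup "$ROUTER_AFTER" 192.168.100.101)   (after)"
echo "server  -> 192.168.100.101:  $(route_lookup "$SERVER" 192.168.100.101)"
```

The alternative to the static route is to hide the VPN subnet behind the server's LAN address with a POSTROUTING MASQUERADE rule on eth0 (the approach hanj's iptables script takes further down this page). LAN hosts then reply to 192.168.0.200, which they can already reach, at the cost of every VPN client appearing in LAN logs and access controls as the VPN server rather than as its own 192.168.100.x address.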

Post by mmx87 » Thu Sep 21, 2006 6:36 pm

Great tutorial... although you forgot to note where easyrsa is located when you use the official Portage ebuild of OpenVPN. Easyrsa is located in /usr/share/openvpn/easyrsa. Also, the openvpn init script from the ebuild has changed as well and the configuration file is expected to be found at /etc/openvpn/openvpn.conf. Just letting everyone know of a few hurdles I had to overcome to get OpenVPN working.

Post by cchee » Tue Oct 03, 2006 3:44 am

Just an FYI: there is a port of OpenVPN to PocketPC underway. I will update the mini-HOWTO to include PocketPC setup later once I give it a try... :) For those who can't wait, you can check it out here:

http://www.ziggurat29.com/OVPNPPCAlpha/OVPNPPCAlpha.htm

Post by hanj » Sat Oct 07, 2006 6:08 am

Hello

I'm having trouble with my OpenVPN configuration, but only when trying to connect from WAN to local network. I also have a DMZ network (wireless) that I'm able to connect to just fine with VPN. I keep receiving the following error on the server when trying to connect on the WAN:

Code:

Oct  6 23:50:52 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: new session incoming connection from xxx.xxx.xxx.xxx:50264
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS handshake failed
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct  6 23:51:05 comp openvpn[8844]: MULTI: multi_create_instance called
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Re-using SSL/TLS context
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 LZO compression initialized
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options hash (VER=V4): '360696c5'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options hash (VER=V4): '13a273ba'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: Initial packet from xxx.xxx.xxx.xxx:50264, sid=dcb36b41 f3607908

This is the error on the client (Windows XP using OpenVPNGUI)

Code:

Fri Oct 06 23:50:58 2006 us=685483 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 06 23:50:58 2006 us=685538 TLS Error: TLS handshake failed
Fri Oct 06 23:50:58 2006 us=686068 TCP/UDP: Closing socket
Fri Oct 06 23:50:58 2006 us=686483 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 06 23:50:58 2006 us=686515 Restart pause, 2 second(s)
Fri Oct 06 23:51:00 2006 us=686483 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 06 23:51:00 2006 us=690118 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Fri Oct 06 23:51:00 2006 us=690177 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690260 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690410 LZO compression initialized
Fri Oct 06 23:51:00 2006 us=690567 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Oct 06 23:51:00 2006 us=693216 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Oct 06 23:51:00 2006 us=693299 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Oct 06 23:51:00 2006 us=693329 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Oct 06 23:51:00 2006 us=693390 Local Options hash (VER=V4): '13a273ba'
Fri Oct 06 23:51:00 2006 us=693426 Expected Remote Options hash (VER=V4): '360696c5'
Fri Oct 06 23:51:00 2006 us=693481 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Oct 06 23:51:00 2006 us=693535 UDPv4 link local (bound): [undef]:800
Fri Oct 06 23:51:00 2006 us=693568 UDPv4 link remote: xxx.xxx.xxx.xxx:800
Now, as I said, when I connect while on the DMZ (172.16.0.0/24) network, everything works fine. My internal network is 10.0.0.0/26. It seems like this might be a NAT or routing issue.. possibly the client is not receiving a response. There are no blocks showing in /var/log/messages, and there should be if it's not allowed. That's why I keep thinking it's a route problem.

Here is my route table on the firewall/vpn server

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.192 U     0      0        0 eth0
172.16.0.0      *               255.255.255.0   U     0      0        0 eth2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
eth1 is connected directly to Cisco 800 series DSL modem, eth0 is my internal network and eth2 is my DMZ network.

I'm running my OpenVPN on a non-standard port UDP/800. Here are some interesting pieces of my iptables script

Code:

$IPT -A INPUT -p udp --dport 800 -d $NATIP -j ACCEPT
$IPT -A OUTPUT -p udp --dport 800 -o eth1 -s 192.168.0.3 -j ACCEPT
$IPT -A OUTPUT -p udp -s 192.168.0.3 --sport 800 -j ACCEPT
$IPT -A INPUT -i tap0 -j ACCEPT
$IPT -A FORWARD -i tap0 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
Any help to get this working is greatly appreciated!

thanks
hanji
Server Admin Blog - Uno-Code.com
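Two log lines on this page come from the same place, the X.509 checks each side runs during the TLS handshake. ponzio's server-side `VERIFY ERROR: depth=0, error=unable to get local issuer certificate` means the client presented a certificate that does not chain to the CA in the server's `ca` file (typically a client cert issued by a different CA than the one the server was told about). The `WARNING: No server certificate verification method has been enabled` in hanj's client log above means the client will accept any certificate the CA ever signed as the server, including another client's; the OpenVPN 2.0 remedy (the howto.html#mitm link in that log line) is `ns-cert-type server` on the client together with a server certificate that carries nsCertType=server, which easy-rsa's build-key-server sets. As an added example that is not from the thread, the script below builds a throw-away CA, a second unrelated CA, and client and server certificates with openssl, then runs the equivalent of both checks with `openssl verify` and `openssl x509 -text`, so both failure modes can be reproduced offline. All file names and the temporary directory are assumptions made for the example; the subject fields merely mirror ponzio's log.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce with openssl the two
# certificate checks behind the log lines discussed on this page.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=IT/ST=Italia/O=OpenVPN-test"    # mirrors ponzio's subjects; illustrative only

# make_ca PREFIX CN: a self-signed CA (PREFIX.key / PREFIX.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -keyout "$1.key" -out "$1.crt" -subj "$SUBJ/CN=$2" >/dev/null 2>&1
}

# issue_cert CA PREFIX CN [EXTFILE]: a leaf certificate signed by CA.  The
# optional extension file is how nsCertType=server gets onto the server cert.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "$SUBJ/CN=$3" >/dev/null 2>&1
    if [ -n "${4:-}" ]; then ext="-extfile $4"; else ext=""; fi
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 1 -sha256 $ext -out "$2.crt" >/dev/null 2>&1
}

# chain_ok CA CERT: does CERT chain to CA?  This is the check behind the
# server's `ca` directive (and the client's, for the server certificate).
chain_ok() {
    openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# verify_reason CA CERT: openssl's own wording of why the chain failed, one line.
verify_reason() {
    openssl verify -CAfile "$1.crt" "$2.crt" 2>&1 | tr '\n' ' '
}

# is_server_cert CERT: the extension that `ns-cert-type server` on the
# client insists on before it will talk to a peer as its server.
is_server_cert() {
    openssl x509 -in "$1.crt" -noout -text | grep -q 'SSL Server'
}

CA="$WORK/ca"; OTHER_CA="$WORK/other-ca"
CLIENT="$WORK/client1"; SERVER="$WORK/server"; ROGUE="$WORK/rogue"
printf 'nsCertType = server\n' > "$WORK/server.ext"

make_ca "$CA" "OpenVPN-test CA"
make_ca "$OTHER_CA" "Some other CA"
issue_cert "$CA" "$SERVER" server "$WORK/server.ext"
issue_cert "$CA" "$CLIENT" client1
issue_cert "$OTHER_CA" "$ROGUE" client1     # same CN, wrong CA: ponzio's case

if chain_ok "$CA" "$CLIENT"; then echo "client1: chains to ca.crt"; fi
if ! chain_ok "$CA" "$ROGUE"; then echo "rogue:   $(verify_reason "$CA" "$ROGUE")"; fi
if is_server_cert "$SERVER"; then echo "server:  carries nsCertType=server"; fi
if ! is_server_cert "$CLIENT"; then echo "client1: would be refused as a server by ns-cert-type"; fi
```

The same two commands are the quickest way to check a real deployment: `openssl verify -CAfile ca.crt client.crt` on the server's CA file and the client's certificate answers ponzio's error directly, and `openssl x509 -in server.crt -noout -text | grep -A1 'Netscape Cert Type'` shows whether the server certificate will pass `ns-cert-type server`.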