[lug] Wanted: Help with openvpn
siegfried
siegfried at heintze.com
Mon Aug 7 10:41:10 MDT 2006
Normally I would post this on the openvpn mailing list, but since I
previously had a discussion on the hacking society chat channel about getting
openvpn to work in routing mode I am posting it here.
When I am at Café Sole:
1. I cannot ping my home desktop machine (10.169.1.8) in routing mode. Why not?
2. I can ping my home desktop machine when in bridge mode. In fact, everything works great in bridge mode.
3. I can ping my home router in either mode.
4. When I am in route mode, my home router appears as both 10.169.1.2 and 10.169.6.1 and I can ping both of these addresses successfully.
Can anyone suggest what is wrong? Can anyone suggest a fix?
Thank you much!
Siegfried
Here is what netstat -rn looks like in bridge mode:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
192.168.89.0    0.0.0.0         255.255.255.0   U       0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0          0 eth0
10.169.0.0      0.0.0.0         255.255.0.0     U       0 0          0 tap0
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0          0 lo
0.0.0.0         192.168.89.1    0.0.0.0         UG      0 0          0 eth0
Here is what netstat -rn looks like in route mode (where ping 10.169.1.8 does not work):
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
10.169.6.5      0.0.0.0         255.255.255.255 UH      0 0          0 tun0
10.169.6.1      10.169.6.5      255.255.255.255 UGH     0 0          0 tun0
10.169.1.0      10.169.6.5      255.255.255.0   UG      0 0          0 tun0
192.168.89.0    0.0.0.0         255.255.255.0   U       0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0          0 lo
0.0.0.0         192.168.89.1    0.0.0.0         UG      0 0          0 eth0
Here is what traceroute looks like when I specify my router in route mode:
traceroute to 10.169.1.2 (10.169.1.2), 30 hops max, 40 byte packets
1 10.169.1.2 140.147 ms 129.418 ms 130.816 ms
Here is the log from the client in route mode:
Sat Aug 5 21:35:19 2006 OpenVPN 2.0.5 i686-suse-linux [SSL] [LZO] [EPOLL] built on Nov 3 2005
Sat Aug 5 21:35:19 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Aug 5 21:35:19 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Aug 5 21:35:19 2006 WARNING: file 'angel-client.key' is group or others accessible
Sat Aug 5 21:35:19 2006 LZO compression initialized
Sat Aug 5 21:35:19 2006 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Aug 5 21:35:19 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Aug 5 21:35:19 2006 Local Options hash (VER=V4): '41690919'
Sat Aug 5 21:35:19 2006 Expected Remote Options hash (VER=V4): '530fdded'
Sat Aug 5 21:35:19 2006 UDPv4 link local: [undef]
Sat Aug 5 21:35:19 2006 UDPv4 link remote: 209.97.230.250:1195
Sat Aug 5 21:35:19 2006 TLS: Initial packet from 209.97.230.250:1195, sid=cb785401 61e89f28
Sat Aug 5 21:35:20 2006 VERIFY OK: depth=1, /C=US/ST=CO/L=Boulder/O=SIGNITEK/OU=Development/CN=KING-MARK/emailAddress=siegfried at heintze.com
Sat Aug 5 21:35:20 2006 VERIFY OK: depth=0, /C=US/ST=CO/O=SIGNITEK/OU=Development/CN=KING-MARK/emailAddress=siegfried at heintze.com
Sat Aug 5 21:35:22 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 5 21:35:22 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 5 21:35:22 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 5 21:35:22 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 5 21:35:22 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Aug 5 21:35:22 2006 [KING-MARK] Peer Connection Initiated with 209.97.230.250:1195
Sat Aug 5 21:35:23 2006 SENT CONTROL [KING-MARK]: 'PUSH_REQUEST' (status=1)
Sat Aug 5 21:35:23 2006 PUSH: Received control message: 'PUSH_REPLY,route 10.169.1.0 255.255.255.0,route 10.169.6.1,ifconfig 10.169.6.6 10.169.6.5'
Sat Aug 5 21:35:23 2006 OPTIONS IMPORT: --ifconfig/up options modified
Sat Aug 5 21:35:23 2006 OPTIONS IMPORT: route options modified
Sat Aug 5 21:35:23 2006 TUN/TAP device tun0 opened
Sat Aug 5 21:35:23 2006 /sbin/ifconfig tun0 10.169.6.6 pointopoint 10.169.6.5 mtu 1500
Sat Aug 5 21:35:23 2006 /sbin/route add -net 10.169.1.0 netmask 255.255.255.0 gw 10.169.6.5
Sat Aug 5 21:35:23 2006 /sbin/route add -net 10.169.6.1 netmask 255.255.255.255 gw 10.169.6.5
Sat Aug 5 21:35:23 2006 Initialization Sequence Completed
Sat Aug 5 21:36:56 2006 event_wait : Interrupted system call (code=4)
Sat Aug 5 21:36:56 2006 TCP/UDP: Closing socket
Sat Aug 5 21:36:56 2006 /sbin/route del -net 10.169.6.1 netmask 255.255.255.255
Sat Aug 5 21:36:56 2006 /sbin/route del -net 10.169.1.0 netmask 255.255.255.0
Sat Aug 5 21:36:56 2006 Closing TUN/TAP interface
Sat Aug 5 21:36:56 2006 SIGINT[hard,] received, process exiting
Here is my server side configuration file:
# tap0 replaces tun0 for bridging instead of routing
dev tun0
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
##server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
#server-bridge 10.169.1.2 255.255.0.0 10.169.5.1 10.169.5.254
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.169.6.0 255.255.255.0
#secret /etc/openvpn/wlan_home.key
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
push "route 10.169.1.0 255.255.255.0"
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/dh1024.pem
comp-lzo
port 1195
#ping 15
#ping-restart 45
#ping-timer-rem
persist-key
persist-tun
verb 2
Here is my client side configuration file:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote 209.97.230.250 1194
remote 209.97.230.250 1195
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert angel-client.crt
key angel-client.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
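The route-mode table in the post lends itself to a lookup check. The Python below is an added example, not part of Siegfried's post: it parses netstat -rn output, does a longest-prefix match the way the kernel would, and reports whether a home desktop would hand replies for the VPN client (10.169.6.6) back to the OpenVPN server at 10.169.1.2, which is what the "route the OpenVPN client address pool back to the OpenVPN server" comment in the server config asks for. The two desktop tables are constructed assumptions; the real desktop's table is not in the post.

```python
import ipaddress

# Client routing table in route mode, as printed by netstat -rn in the post
# (columns: Destination Gateway Genmask Flags MSS Window irtt Iface).
CLIENT_ROUTE_MODE = """\
10.169.6.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.169.6.1 10.169.6.5 255.255.255.255 UGH 0 0 0 tun0
10.169.1.0 10.169.6.5 255.255.255.0 UG 0 0 0 tun0
192.168.89.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.89.1 0.0.0.0 UG 0 0 0 eth0
"""

# Constructed (hypothetical) home-desktop tables; the real one is not in the post.
# Case A: a flat /16 LAN route that also covers the 10.169.6.0/24 VPN pool.
DESKTOP_FLAT_16 = """\
10.169.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.169.1.2 0.0.0.0 UG 0 0 0 eth0
"""
# Case B: case A plus an explicit route for the pool via the OpenVPN server.
DESKTOP_WITH_RETURN = "10.169.6.0 10.169.1.2 255.255.255.0 UG 0 0 0 eth0\n" + DESKTOP_FLAT_16


def parse_netstat_rn(text):
    """Parse netstat -rn rows into (network, gateway, iface); header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
        routes.append((net, parts[1], parts[7]))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match. Returns (gateway, iface); gateway 0.0.0.0 means on-link (ARP)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return gw, iface


def return_path_ok(desktop_routes, vpn_client_ip, openvpn_server_lan_ip):
    """True only if the desktop forwards replies for the VPN client to the OpenVPN server."""
    hop = next_hop(desktop_routes, vpn_client_ip)
    return hop is not None and hop[0] == openvpn_server_lan_ip
```

With a /16 LAN route like the one seen on tap0 in bridge mode, 10.169.6.6 looks on-link to the desktop and the reply is never forwarded to the server; IP forwarding on the server host is the other thing to confirm in routing mode.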