
#1 2007-02-14 20:43:56

efossvold
Member
From: Kamloops, Canada
Registered: 2006-07-23
Posts: 59

tunnel does not come up using openVPN

I've just installed openvpn, I've defined a profile, but the tunnel device doesn't seem to work properly.

This is my configuration:

############################################# 
# Sample client-side OpenVPN 2.0 config file # 
# for connecting to multi-client server.     # 
#                                            # 
# This configuration can be used by multiple # 
# clients, however each client should have   # 
# its own cert and key files.                # 
#                                            # 
# On Windows, you might want to rename this  # 
# file so it has a .ovpn extension           # 
############################################## 
 
# Specify that we are a client and that we 
# will be pulling certain config file directives 
# from the server. 
client 
 
# Use the same setting as you are using on 
# the server. 
# On most systems, the VPN will not function 
# unless you partially or fully disable 
# the firewall for the TUN/TAP interface. 
;dev tap0 
dev tun 
 
# Windows needs the TAP-Win32 adapter name 
# from the Network Connections panel 
# if you have more than one.  On XP SP2, 
# you may need to disable the firewall 
# for the TAP adapter. 
;dev-node MyTap 
 
# Are we connecting to a TCP or 
# UDP server?  Use the same setting as 
# on the server. 
;proto tcp 
 
proto udp 
 
# The hostname/IP and port of the server. 
# You can have multiple remote entries 
# to load balance between the servers. 
 
remote ##.##.##.## 1194 
 
 
# Choose a random host from the remote 
# list for load-balancing.  Otherwise 
# try hosts in the order specified. 
;remote-random 
 
# Keep trying indefinitely to resolve the 
# host name of the OpenVPN server.  Very useful 
# on machines which are not permanently connected 
# to the internet such as laptops. 
 
resolv-retry infinite 
 
# Most clients don't need to bind to 
# a specific local port number. 
 
nobind 
 
# Downgrade privileges after initialization (non-Windows only) 
;user nobody 
;group nobody 
 
# Try to preserve some state across restarts. 
 
persist-key 
persist-tun 
 
# If you are connecting through an 
# HTTP proxy to reach the actual OpenVPN 
# server, put the proxy server/IP and 
# port number here.  See the man page 
# if your proxy server requires 
# authentication. 
;http-proxy-retry # retry on connection failures 
;http-proxy [proxy server] [proxy port #] 
 
# Wireless networks often produce a lot 
# of duplicate packets.  Set this flag 
# to silence duplicate packet warnings. 
;mute-replay-warnings 
 
# SSL/TLS parms. 
# See the server config file for more 
# description.  It's best to use 
# a separate .crt/.key file pair 
# for each client.  A single ca 
# file can be used for all clients. 
 
ca cacert.pem 
cert erikCert.pem 
key erikKey.pem 
 
# Verify server certificate by checking 
# that the certificate has the nsCertType 
# field set to "server".  This is an 
# important precaution to protect against 
# a potential attack discussed here: 
#  http://openvpn.net/howto.html#mitm 
# 
# To use this feature, you will need to generate 
# your server certificates with the nsCertType 
# field set to "server".  The build-key-server 
# script in the easy-rsa folder will do this. 
;ns-cert-type server 
 
# If a tls-auth key is used on the server 
# then every client must also have the key. 
;tls-auth ta.key 1 
 
# Select a cryptographic cipher. 
# If the cipher option is used on the server 
# then you must also specify it here. 
;cipher x 
 
# Enable compression on the VPN link. 
# Don't enable this unless it is also 
# enabled in the server config file. 
comp-lzo 
 
# Set log file verbosity. 
verb 3 
 
# Silence repeating messages 
mute 20

I start openVPN

modprobe tun
sudo openvpn --config erikvpn.conf

I get the following output:

Wed Feb 14 12:29:08 2007 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Oct 24 2006
Wed Feb 14 12:29:08 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Feb 14 12:29:08 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password:
Wed Feb 14 12:29:13 2007 WARNING: file 'erikKey.pem' is group or others accessible
Wed Feb 14 12:29:13 2007 LZO compression initialized
Wed Feb 14 12:29:13 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 14 12:29:13 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 14 12:29:13 2007 Local Options hash (VER=V4): '41690919'
Wed Feb 14 12:29:13 2007 Expected Remote Options hash (VER=V4): '530fdded'
Wed Feb 14 12:29:13 2007 UDPv4 link local: [undef]
Wed Feb 14 12:29:13 2007 UDPv4 link remote: ##.##.##.##:1194
Wed Feb 14 12:29:13 2007 TLS Error: Unroutable control packet received from ##.##.##.##:1194 (si=3 op=P_CONTROL_V1)
Wed Feb 14 12:29:13 2007 TLS: Initial packet from##.##.##.##:1194, sid=0fd2b57a eda656a9
Wed Feb 14 12:29:13 2007 TLS Error: local/remote TLS keys are out of sync: ##.##.##.##:1194 [0]
Wed Feb 14 12:29:14 2007 VERIFY OK: depth=1, ######
Wed Feb 14 12:29:14 2007 VERIFY OK: depth=0, ######
Wed Feb 14 12:29:14 2007 TLS Error: local/remote TLS keys are out of sync: ##.##.##.##:1194 [0]
Wed Feb 14 12:29:15 2007 TLS Error: Unroutable control packet received from ##.##.##.##:1194 (si=3 op=P_CONTROL_V1)
Wed Feb 14 12:29:15 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 14 12:29:15 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 14 12:29:15 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 14 12:29:15 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 14 12:29:15 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb 14 12:29:15 2007 [VPN] Peer Connection Initiated with ##.##.##.##:1194
Wed Feb 14 12:29:16 2007 SENT CONTROL [VPN]: 'PUSH_REQUEST' (status=1)
Wed Feb 14 12:29:16 2007 PUSH: Received control message: 'PUSH_REPLY,route 192.168.100.3 255.255.255.255,route 192.168.1.0 255.255.255.0,route 192.168.3.0 255.255.255.0,route 172.16.0.0 255.255.0.0,route 10.123.123.0 255.255.255.0,redirect-gateway,dhcp-option DNS 172.16.70.12,dhcp-option WINS 172.16.70.2,dhcp-option DOMAIN timberline.int,route-gateway 172.16.70.254,ping 10,ping-restart 120,ifconfig 172.16.70.216 255.255.255.0'
Wed Feb 14 12:29:16 2007 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 14 12:29:16 2007 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 14 12:29:16 2007 OPTIONS IMPORT: route options modified
Wed Feb 14 12:29:16 2007 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb 14 12:29:16 2007 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Wed Feb 14 12:29:16 2007 TUN/TAP device tun1 opened
Wed Feb 14 12:29:16 2007 /sbin/ifconfig tun1 172.16.70.216 pointopoint 255.255.255.0 mtu 1500
SIOCSIFDSTADDR: Invalid argument
Wed Feb 14 12:29:16 2007 Linux ifconfig failed: shell command exited with error status: 1
Wed Feb 14 12:29:16 2007 Exiting

Seems as though ifconfig is not able to configure the tunnel device, what could be wrong?

Last edited by efossvold (2007-02-14 21:16:24)

Offline

#2 2007-02-14 21:03:56

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: tunnel does not come up using openVPN

comment out the dev tap0 line in your config.
either tun or tap..not both.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#3 2007-02-14 21:15:49

efossvold
Member
From: Kamloops, Canada
Registered: 2006-07-23
Posts: 59

Re: tunnel does not come up using openVPN

Done. Didn't help though... :(

Offline

#4 2007-02-14 21:29:57

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: tunnel does not come up using openVPN

aha!

Wed Feb 14 12:29:16 2007 
PUSH: 
  Received control message: 
    'PUSH_REPLY,
    route 192.168.100.3 255.255.255.255,
    route 192.168.1.0 255.255.255.0,
    route 192.168.3.0 255.255.255.0,
    route 172.16.0.0 255.255.0.0,
    route 10.123.123.0 255.255.255.0,
    redirect-gateway,
    dhcp-option DNS 172.16.70.12,
    dhcp-option WINS 172.16.70.2,
    dhcp-option DOMAIN timberline.int,
    route-gateway 172.16.70.254,
    ping 10,ping-restart 120,
    ifconfig 172.16.70.216 255.255.255.0'

The ifconfig line the server is pushing is not right. That is meant for a point to point connection. That is why the local client is puking on it...it is not correct. At least for a tun type device. If it was a tap, then it would be fine.

http://openvpn.net/man.html
(look for "--ifconfig l rn" )


so.... change the line to dev tap, and then do this stuff..
http://wiki.archlinux.org/index.php/OpenVPN_Bridge


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline
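
Added example (not part of the thread and not OpenVPN's own code): a Python check for the mismatch described in post #4, run over lines abridged from the client log in post #1, which also collects the WARNING lines that log printed. It assumes the OpenVPN 2.0 behaviour seen in the thread, where a tun device takes a peer address as the second ifconfig argument and a tap device takes a netmask; the function names are hypothetical.

```python
import ipaddress
import re

# Lines abridged from the client log in post #1 (timestamps dropped).
SAMPLE_LOG = """\
WARNING: No server certificate verification method has been enabled.
WARNING: file 'erikKey.pem' is group or others accessible
PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,redirect-gateway,route-gateway 172.16.70.254,ping 10,ifconfig 172.16.70.216 255.255.255.0'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")


def is_netmask(addr):
    """True if addr is a run of 1-bits followed only by 0-bits."""
    inv = ~int(ipaddress.IPv4Address(addr)) & 0xFFFFFFFF
    return inv != 0xFFFFFFFF and (inv & (inv + 1)) == 0


def parse_push_reply(log):
    """Return {option: [argument lists]} for the first PUSH_REPLY, or {}."""
    m = PUSH_RE.search(log)
    opts = {}
    for item in (m.group(1).split(",")[1:] if m else []):
        name, *args = item.split() or [""]
        if name:
            opts.setdefault(name, []).append(args)
    return opts


def audit(log, dev):
    """Findings for a client whose config says `dev tun` or `dev tap`."""
    findings = [l.split("WARNING: ", 1)[1] for l in log.splitlines() if "WARNING: " in l]
    for args in parse_push_reply(log).get("ifconfig", []):
        if len(args) != 2:
            findings.append("ifconfig needs two arguments: %r" % args)
            continue
        mask = is_netmask(args[1])
        # Assumption: OpenVPN 2.0 semantics, as in the thread.
        if dev.startswith("tun") and mask:
            findings.append("tun expects a peer address, server pushed netmask " + args[1])
        elif dev.startswith("tap") and not mask:
            findings.append("tap expects a netmask, server pushed address " + args[1])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "tun"):
        print(finding)
```

With `dev tun` the audit reports the two warnings plus the ifconfig mismatch; with `dev tap` only the certificate-verification and key-permission warnings remain.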

#5 2007-02-15 04:05:07

efossvold
Member
From: Kamloops, Canada
Registered: 2006-07-23
Posts: 59

Re: tunnel does not come up using openVPN

Thanks! Got it working now. Sort of, that is... I can now connect to the hosts on the remote network, but I'm not able to ping any of the hosts inside the network, nor am I able to reach the Internet through my browser (gmail, slashdot.org etc..).

Offline
