You are not logged in.

Pages: 1

#1 2009-11-30 13:38:44

3nd3r
Member
From: /dev/null
Registered: 2002-12-08
Posts: 301
Website

[SOLVED] openvpn issue

Hello,

I am having a bit of an issue with openvpn, it starts to connect to my server but crashes out. Ill paste the output and my config

root @ /etc/openvpn # openvpn --config vpn0.conf 
Mon Nov 30 07:37:59 2009 OpenVPN 2.1_rc20 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 18 2009
Mon Nov 30 07:37:59 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Nov 30 07:37:59 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 30 07:37:59 2009 WARNING: file 'test02.key' is group or others accessible
Mon Nov 30 07:37:59 2009 LZO compression initialized
Mon Nov 30 07:37:59 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Nov 30 07:38:00 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 30 07:38:00 2009 Local Options hash (VER=V4): '41690919'
Mon Nov 30 07:38:00 2009 Expected Remote Options hash (VER=V4): '530fdded'
Mon Nov 30 07:38:00 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Nov 30 07:38:00 2009 Socket Buffers: R=[114688->131072] S=[114688->131072]
Mon Nov 30 07:38:00 2009 UDPv4 link local (bound): [undef]:1194
Mon Nov 30 07:38:00 2009 UDPv4 link remote: 94.23.24.141:1194
Mon Nov 30 07:38:00 2009 TLS: Initial packet from 94.23.24.141:1194, sid=ab0ba9fd 92569497
Mon Nov 30 07:38:00 2009 TLS Error: Unroutable control packet received from 94.23.24.141:1194 (si=3 op=P_CONTROL_V1)
Mon Nov 30 07:38:00 2009 VERIFY OK: depth=1, /C=US/ST=FL/L=NA/O=OpenVPN-TEST/OU=na/CN=voodeedoo.org/emailAddress=lord3nd3r@gmail.com
Mon Nov 30 07:38:00 2009 VERIFY OK: nsCertType=SERVER
Mon Nov 30 07:38:00 2009 VERIFY OK: depth=0, /C=US/ST=FL/O=OpenVPN-TEST/CN=voodeedoo.org/emailAddress=lord3nd3r@gmail.com
Mon Nov 30 07:38:02 2009 TLS Error: Unroutable control packet received from 94.23.24.141:1194 (si=3 op=P_CONTROL_V1)
Mon Nov 30 07:38:02 2009 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Mon Nov 30 07:38:02 2009 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Mon Nov 30 07:38:02 2009 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Mon Nov 30 07:38:02 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 30 07:38:02 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 30 07:38:02 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 30 07:38:02 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 30 07:38:02 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Nov 30 07:38:02 2009 [voodeedoo.org] Peer Connection Initiated with 94.23.24.141:1194
Mon Nov 30 07:38:04 2009 SENT CONTROL [voodeedoo.org]: 'PUSH_REQUEST' (status=1)
Mon Nov 30 07:38:04 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.5 255.255.255.0'
Mon Nov 30 07:38:04 2009 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 30 07:38:04 2009 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 30 07:38:04 2009 OPTIONS IMPORT: route-related options modified
Mon Nov 30 07:38:04 2009 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Mon Nov 30 07:38:04 2009 ROUTE default_gateway=192.168.0.1
Mon Nov 30 07:38:04 2009 TUN/TAP device tun0 opened
Mon Nov 30 07:38:04 2009 TUN/TAP TX queue length set to 100
Mon Nov 30 07:38:04 2009 /sbin/ifconfig tun0 10.8.0.5 pointopoint 255.255.255.0 mtu 1500
SIOCSIFDSTADDR: Invalid argument
Mon Nov 30 07:38:04 2009 Linux ifconfig failed: external program exited with error status: 1
Mon Nov 30 07:38:04 2009 Exiting
Mon Nov 30 07:38 AM

Here is my config


ca ca.crt
cert test02.crt
key test02.key
client
dev tun
proto udp
remote voodeedoo.org 1194
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
mute 20
#auth-user-pass /etc/openvpn/openvpn_password
redirect-gateway

if it helps, I am used to using openvpn clients on windows, not linux.
I will post the windows config if it will help

##############################################

# Sample client-side OpenVPN 2.0 config file #

# for connecting to multi-client server.     #

#                                            #

# This configuration can be used by multiple #

# clients, however each client should have   #

# its own cert and key files.                #

#                                            #

# On Windows, you might want to rename this  #

# file so it has a .ovpn extension           #

##############################################



# Specify that we are a client and that we

# will be pulling certain config file directives

# from the server.

client



# Use the same setting as you are using on

# the server.

# On most systems, the VPN will not function

# unless you partially or fully disable

# the firewall for the TUN/TAP interface.

dev tap

;dev tun



# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel

# if you have more than one.  On XP SP2,

# you may need to disable the firewall

# for the TAP adapter.

;dev-node MyTap

dev-node OpenVPN_Tap



# Are we connecting to a TCP or

# UDP server?  Use the same setting as

# on the server.

;proto tcp

proto udp



# The hostname/IP and port of the server.

# You can have multiple remote entries

# to load balance between the servers.

remote voodeedoo.org 1194

;remote my-server-2 1194



# Choose a random host from the remote

# list for load-balancing.  Otherwise

# try hosts in the order specified.

;remote-random



# Keep trying indefinitely to resolve the

# host name of the OpenVPN server.  Very useful

# on machines which are not permanently connected

# to the internet such as laptops.

resolv-retry infinite



# Most clients don't need to bind to

# a specific local port number.

nobind



# Downgrade privileges after initialization (non-Windows only)

;user nobody

;group nobody



# Try to preserve some state across restarts.

persist-key

persist-tun



# If you are connecting through an

# HTTP proxy to reach the actual OpenVPN

# server, put the proxy server/IP and

# port number here.  See the man page

# if your proxy server requires

# authentication.

;http-proxy-retry # retry on connection failures

;http-proxy [proxy server] [proxy port #]



# Wireless networks often produce a lot

# of duplicate packets.  Set this flag

# to silence duplicate packet warnings.

;mute-replay-warnings



# SSL/TLS parms.

# See the server config file for more

# description.  It's best to use

# a separate .crt/.key file pair

# for each client.  A single ca

# file can be used for all clients.

;ca ca.crt

;cert client.crt

;key client.key



ca ca.crt

cert test02.crt

key test02.key

ns-cert-type server



# Verify server certificate by checking

# that the certicate has the nsCertType

# field set to "server".  This is an

# important precaution to protect against

# a potential attack discussed here:

#  http://openvpn.net/howto.html#mitm

#

# To use this feature, you will need to generate

# your server certificates with the nsCertType

# field set to "server".  The build-key-server

# script in the easy-rsa folder will do this.

ns-cert-type server



# If a tls-auth key is used on the server

# then every client must also have the key.

;tls-auth ta.key 1



# Select a cryptographic cipher.

# If the cipher option is used on the server

# then you must also specify it here.

;cipher x



# Enable compression on the VPN link.

# Don't enable this unless it is also

# enabled in the server config file.

comp-lzo



# Set log file verbosity.

verb 3



# Silence repeating messages

;mute 20

Last edited by 3nd3r (2009-12-01 01:58:29)

Proud Arch i686 & x86_64 User
Share your knowledge!
Arch Linux Forum Etiquette

Offline

#2 2009-11-30 14:44:35

Andrwe
Member
From: Leipzig/Germany
Registered: 2009-06-17
Posts: 322
Website

Re: [SOLVED] openvpn issue

pointopoint 255.255.255.0

The client tries to initiate a point-to-point connection with a wrong subnet address.
If you want to use point-to-point it has to be 255.255.255.255 otherwise it would be a point-to-net connection.
see:

WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)

It seems your sites are using different devices, your win use tap and your linux tun.

Website: andrwe.org

Offline

#3 2009-11-30 19:13:18

3nd3r
Member
From: /dev/null
Registered: 2002-12-08
Posts: 301
Website

Re: [SOLVED] openvpn issue

ok
got the ip,
however, when it is active, DNS does not work and I cant connect to anything outside of the vpn, example, I cant ping google or go to any IP outside of the network.

root @ /etc/openvpn # openvpn vpn0.conf
Mon Nov 30 13:08:20 2009 OpenVPN 2.1_rc20 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 18 2009
Mon Nov 30 13:08:20 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Nov 30 13:08:20 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 30 13:08:20 2009 WARNING: file 'test02.key' is group or others accessible
Mon Nov 30 13:08:20 2009 LZO compression initialized
Mon Nov 30 13:08:20 2009 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Nov 30 13:08:20 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Nov 30 13:08:20 2009 Local Options hash (VER=V4): 'd79ca330'
Mon Nov 30 13:08:20 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
Mon Nov 30 13:08:20 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Nov 30 13:08:20 2009 Socket Buffers: R=[114688->131072] S=[114688->131072]
Mon Nov 30 13:08:20 2009 UDPv4 link local (bound): [undef]:1194
Mon Nov 30 13:08:20 2009 UDPv4 link remote: 94.23.24.141:1194
Mon Nov 30 13:08:20 2009 TLS: Initial packet from 94.23.24.141:1194, sid=6f6bf2a7 338693b3
Mon Nov 30 13:08:21 2009 VERIFY OK: depth=1, /C=US/ST=FL/L=NA/O=OpenVPN-TEST/OU=na/CN=voodeedoo.org/emailAddress=lord3nd3r@gmail.com
Mon Nov 30 13:08:21 2009 VERIFY OK: nsCertType=SERVER
Mon Nov 30 13:08:21 2009 VERIFY OK: depth=0, /C=US/ST=FL/O=OpenVPN-TEST/CN=voodeedoo.org/emailAddress=lord3nd3r@gmail.com
Mon Nov 30 13:08:27 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 30 13:08:27 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 30 13:08:27 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 30 13:08:27 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 30 13:08:27 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Nov 30 13:08:27 2009 [voodeedoo.org] Peer Connection Initiated with 94.23.24.141:1194
Mon Nov 30 13:08:29 2009 SENT CONTROL [voodeedoo.org]: 'PUSH_REQUEST' (status=1)
Mon Nov 30 13:08:29 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.5 255.255.255.0'
Mon Nov 30 13:08:29 2009 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 30 13:08:29 2009 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 30 13:08:29 2009 OPTIONS IMPORT: route-related options modified
Mon Nov 30 13:08:29 2009 ROUTE default_gateway=192.168.0.1
Mon Nov 30 13:08:29 2009 TUN/TAP device tap0 opened
Mon Nov 30 13:08:29 2009 TUN/TAP TX queue length set to 100
Mon Nov 30 13:08:29 2009 /sbin/ifconfig tap0 10.8.0.5 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mon Nov 30 13:08:29 2009 /sbin/route add -net 94.23.24.141 netmask 255.255.255.255 gw 192.168.0.1
Mon Nov 30 13:08:29 2009 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Mon Nov 30 13:08:29 2009 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.8.0.1
Mon Nov 30 13:08:29 2009 GID set to nobody
Mon Nov 30 13:08:29 2009 UID set to nobody
Mon Nov 30 13:08:29 2009 Initialization Sequence Completed

new conf

ca ca.crt
cert test02.crt
key test02.key
client
dev tap
proto udp
remote 94.23.24.141 1194
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
mute 20
#auth-user-pass /etc/openvpn/openvpn_password
redirect-gateway

Last edited by 3nd3r (2009-11-30 19:13:42)

Proud Arch i686 & x86_64 User
Share your knowledge!
Arch Linux Forum Etiquette

Offline

#4 2009-11-30 22:54:39

Andrwe
Member
From: Leipzig/Germany
Registered: 2009-06-17
Posts: 322
Website

Re: [SOLVED] openvpn issue

You can't reach anything because of this option:

redirect-gateway

This tells the client to use the server for all requests and all traffic.

Website: andrwe.org

Offline

#5 2009-12-01 01:57:27

3nd3r
Member
From: /dev/null
Registered: 2002-12-08
Posts: 301
Website

Re: [SOLVED] openvpn issue

thank you so much, that solved my issue smile

Proud Arch i686 & x86_64 User
Share your knowledge!
Arch Linux Forum Etiquette

Offline

Pages: 1

Board footer

Powered by FluxBB