#1 2009-12-06 02:11:25

deconstrained
Member
Registered: 2008-03-31
Posts: 49

Having major OpenVPN difficulties [Self-solved]

EDIT: the problem was caused by this, in my /etc/openvpn/server.conf:

log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

ONLY ONE of those two lines is necessary; they are two different ways of logging to openvpn.log.

Now that it's finally done and I have a working OpenVPN server, I almost feel like writing about some of my discoveries and the things I learned along the way in the Wiki article.

Original post:
**********************************
The openvpn daemon script is reporting failure, and when I try openvpn from the command line (as "/usr/sbin/openvpn --verb 9 --conf /etc/openvpn/server.conf") I get no output, no messages, nothing; it's as if I hit enter on an empty line. Is there any way to monitor what the program is doing when it attempts to start up (i.e. get information about what's going on), so that I can finally diagnose the problem properly and be finished with this time-hungry pet project?

For at least a week I have been trying and trying and trying to get an OpenVPN server successfully running on my Arch Linux machine, and now I'm at my wits' end. I decided to post after having spent the past seven hours reading the OpenVPN FAQs and HOWTOs, the manual page, and the partially obsolete wiki pages about configuring OpenVPN.

As for my setup, here's a rough chronology of what I have accomplished so far. I'm pretty sure I took all the necessary steps:

1. I set up a bridge; my Arch box was previously acting as a gateway with a class A subnet. To continue having this functionality while adding a bridge so that OpenVPN could run in bridged mode, I configured a bridge, br0, to serve the same essential purpose as eth1 initially did in controlling the subnet. Essentially, I made the following changes (taking advice from http://www.openvpn.net/index.php/open-s … ging.html):
/etc/rc.conf, FROM:

eth0="dhcp"
eth1="10.1.1.1 netmask 255.255.255.224 broadcast 10.1.1.31"

TO:

eth0="dhcp"
eth1="eth1 0.0.0.0 promisc up"
br0="br0 10.1.1.1 netmask 255.255.255.224 broadcast 10.1.1.31"
INTERFACES=(eth0 eth1 br0)

Also, I added "tun" and "bridge" to the MODULES list in rc.conf, and added to /etc/conf.d/bridges:

bridge_br0="eth1"
BRIDGE_INTERFACES=(br0)

After adding the following firewall rules, everything was working as it was previously (machines could connect to the bridge-controlled subnet through eth1 and hence to the WAN):

iptables -N fw-interfaces
iptables -A FORWARD -j fw-interfaces
iptables -A fw-interfaces -i br0 -j ACCEPT
iptables -A fw-interfaces -i eth1 -j ACCEPT
iptables -A fw-interfaces -i tap0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.42.144.0/16 -d 10.42.144.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.42.144.0/16 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.42.144.0/16 -o eth0 -j MASQUERADE

Furthermore, the following is written in /etc/dnsmasq.conf:

listen-address=10.1.1.1
dhcp-range=10.1.1.2,10.1.1.5,24h

2. I wrote init scripts for adding a virtual interface (tap0) to be used by OpenVPN. Since I want to be able to use the bridge/gateway when OpenVPN isn't running (since my desktop computer uses the gateway!), and most of the openvpn init scripts out there (on the community wiki / OpenVPN website) create and destroy bridges as needed by the OVPN daemon, I decided to keep my bridge configuration as it is and put the necessary commands for adding a virtual tap device, configuring it and attaching it to the existing bridge (and finally attempting to start OpenVPN) in /etc/rc.local. To write these commands I referred to http://www.openvpn.net/index.php/open-s … dging.html :

/usr/sbin/openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
/etc/rc.d/openvpn start

3. I took the necessary steps to configure openvpn; I generated the client/server keys, copied them to /etc/openvpn/ and wrote my server configuration file as follows:

mode server
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 10.1.1.1 255.255.255.224 10.1.1.6 10.1.1.30 # I set this option using the instructions at http://openvpn.net/index.php/open-source/faq.html#bridge-addressing, since I already use dnsmasq on the first 4 available client addresses on the subnet
client-to-client
comp-lzo
user nobody # I have tried leaving this line commented out
group nobody # I have tried leaving this line commented out
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 9

Also, for the daemon script I'm using the one supplied in the Arch package, and I verified that the command it uses for starting the daemon isn't broken; I put "echo" before the command to see what it was, and it put out:

/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn --config /etc/openvpn/server.conf

Is there something I'm missing? Should I change permissions on any of the key files or directories that the daemon will be using?

Last edited by deconstrained (2009-12-06 04:43:55)
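
The mistake the author found by hand (both "log" and "log-append" in server.conf) is easy to catch mechanically, and it also explains the "no output at all" symptom: either directive makes OpenVPN redirect its own stdout and stderr into the named file, so a foreground run prints nothing to the terminal. Below is an added example, not code from the original post or from the OpenVPN project, of a small POSIX sh linter for that configuration. It rebuilds the posted server.conf (constructed here for the demo, with the same directives) as bad.conf, derives a corrected good.conf from it, and checks both. The persist-key/persist-tun warning is an extra check of my own: once "user nobody"/"group nobody" drop privileges, a SIGUSR1 restart cannot re-read the key file or re-create the tap device without those two options. The comment-stripping rule is an approximation of OpenVPN's parser.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN server
# configuration for duplicate/conflicting logging directives and for a
# privilege-drop pitfall. The two config files are constructed for the demo.

# Effective directives only: drop ';'/'#' comment lines, trailing
# "# comment" text, blank lines and leading whitespace (approximation of
# OpenVPN's own comment handling).
ovpn_directives() {
    sed -e 's/^[[:space:]]*[#;].*$//' -e 's/[[:space:]]#.*$//' \
        -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# Number of lines in CONF whose first word is the given directive.
ovpn_count() {
    ovpn_directives "$1" | awk -v d="$2" '$1 == d { n++ } END { print n + 0 }'
}

# Report problems in CONF on stderr. Exit status: 0 = clean, 1 = at least
# one error. Warnings and notes do not affect the exit status.
check_openvpn_conf() {
    conf=$1
    errors=0
    n_log=$(ovpn_count "$conf" log)
    n_app=$(ovpn_count "$conf" log-append)

    # 'log' and 'log-append' are two ways of redirecting output to a file;
    # OpenVPN performs only the first redirection. Keep exactly one of them.
    if [ "$n_log" -gt 0 ] && [ "$n_app" -gt 0 ]; then
        echo "ERROR: $conf: both 'log' and 'log-append' present; keep exactly one" >&2
        errors=$((errors + 1))
    fi
    for d in log log-append; do
        n=$(ovpn_count "$conf" "$d")
        if [ "$n" -gt 1 ]; then
            echo "ERROR: $conf: '$d' given $n times" >&2
            errors=$((errors + 1))
        fi
    done

    # With either directive present, a foreground debugging run shows
    # nothing on the terminal: everything went into the file.
    if [ "$n_log" -gt 0 ] || [ "$n_app" -gt 0 ]; then
        echo "NOTE: $conf: console output is redirected; tail the file named by log/log-append" >&2
    fi

    # user/group drop privileges after startup; without persist-key and
    # persist-tun a SIGUSR1 restart cannot reopen the key or recreate the tap.
    if { [ "$(ovpn_count "$conf" user)" -gt 0 ] || [ "$(ovpn_count "$conf" group)" -gt 0 ]; } \
       && { [ "$(ovpn_count "$conf" persist-key)" -eq 0 ] || [ "$(ovpn_count "$conf" persist-tun)" -eq 0 ]; }; then
        echo "WARN: $conf: user/group set without persist-key and persist-tun" >&2
    fi

    [ "$errors" -eq 0 ]
}

DEMO_DIR=$(mktemp -d)

# Constructed: the configuration as posted, with both logging lines.
cat > "$DEMO_DIR/bad.conf" <<'EOF'
mode server
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 10.1.1.1 255.255.255.224 10.1.1.6 10.1.1.30 # pool after the dnsmasq range
client-to-client
comp-lzo
user nobody
group nobody
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 9
EOF

# Constructed: the same config with the duplicate 'log' line removed and
# the two persist-* options added (directive order does not matter).
{ grep -v '^log ' "$DEMO_DIR/bad.conf"; printf 'persist-key\npersist-tun\n'; } \
    > "$DEMO_DIR/good.conf"

for f in bad good; do
    if check_openvpn_conf "$DEMO_DIR/$f.conf"; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: FAILED"
    fi
done
```

Run it against a real /etc/openvpn/server.conf with `check_openvpn_conf /etc/openvpn/server.conf`. To actually watch the daemon start up after the config is clean, run it in the foreground (no `--daemon`) with the log directive temporarily removed, so its messages reach the terminal instead of the file.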
