Koozali.org: home of the SME Server

openvpn on 6.01

Knuddi
openvpn on 6.01
« Reply #60 on: January 01, 2005, 10:40:11 PM »
aha then I wasn't so wrong about the client conf file :-D Happy to hear that it's resolved.

p-jones
openvpn on 6.01
« Reply #61 on: January 01, 2005, 10:59:31 PM »
I hadn't swapped them as you suggested ...I just had both !! Coming from a Windoze / M$ background, that was a delightful little trap...

The client set up in about 30 seconds on an XP Pro box and works a treat..

Now to get it doing real work.

Thanks SO MUCH for your time and guidance.

P
...

p-jones
clients.
« Reply #62 on: January 02, 2005, 10:20:01 AM »
OK - Firstly, Knuddi's Howto is absolutely spot-on. It all works EXACTLY as he has described and if followed precisely, no more, no less it works. After resolving my own dip-stick errors, I have since set up two more in a very short time.

I have heaps of questions but I will come back to most of them if I cannot find answers.

My most pressing question, and I cannot find the answer, relates to client certificates in a one-server, many-client relationship. The docs on the openvpn site state that each client should have their own certs. OK, rather tedious but not impossible.

How does one configure the server to handle a different cert from each client ? Multiple conf files ? If yes, then what about the ports, a different port for each conf (client) ? Or does one just rely on the duplicate-cn setting and box on with the same certs for all clients ?

Also do overlapping subnets cause problems when joining two networks or is it just overlapping IP's that cause problems ?

Peter
...

Appesteijn
openvpn on 6.01
« Reply #63 on: January 02, 2005, 10:33:14 AM »
You can use just 1 certificate. I guess the duplicate-cn takes care of that. I had multiple users login on the same port, with the same certificate. The VPN-device was in the same ip-range as my internal network. But I think that that doesn't matter, you still have to tell your clients how to reach your internal network, so setting the VPN-clients on a different subnet is more of a personal choice.
............

p-jones
openvpn on 6.01
« Reply #64 on: January 04, 2005, 12:45:41 AM »
I am still struggling a bit and please forgive me if this is a dumb question...I have tried to find answers and reason it out first..

I have a functional vpn on my (SME) server (in the north pole) and now want all my clients (in the south pole) to get their mail, preferably pop'd, through the tunnel.

I figure I need to do some port mapping and maybe have the vpn operating in a TUN mode rather than a TAP mode ?

Peter
...

kevins

openvpn on 6.01
« Reply #65 on: January 05, 2005, 11:49:37 PM »
Hello, I had a similar problem, but none of the solutions mentioned so far has fixed it.  The latest portion of the log file ( I've been mistyping things all day) says:

Jan  5 14:31:24 server openvpn[1155]: OpenVPN 2.0_rc6 i386-redhat-linux [SSL] [LZO] built on Dec 30 2004
Jan  5 14:31:24 server openvpn[1155]: Diffie-Hellman initialized with 1024 bit key
Jan  5 14:31:24 server openvpn[1155]: WARNING: file 'server.key' is group or others accessible
Jan  5 14:31:24 server openvpn[1155]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan  5 14:31:24 server openvpn[1155]: TUN/TAP device tap0 opened
Jan  5 14:31:24 server openvpn[1155]: /sbin/ifconfig tap0 10.0.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255
Jan  5 14:31:24 server openvpn[1155]: /etc/openvpn/openvpn.up tap0 1500 1574 10.0.0.1 255.255.255.0 init
Jan  5 14:31:24 server openvpn[1155]: script failed: shell command exited with error status: 126
Jan  5 14:31:24 server openvpn[1155]: Exiting

Anyone have any ideas?  I reviewed all of the config files, but I'm either being a total starfish or the problem is something else.  Given that nobody else has had problems, I think it's the former rather than the latter.  Since my server.conf file is now working, I'm not going to attach it.

#!/bin/sh
# /etc/openvpn/openvpn.up: OpenVPN runs this after tap0 is configured
# (the "openvpn.up tap0 1500 1574 ..." line in the log above).
# "route del" on a route that is not in the table prints
# "SIOCDELRT: No such process" and exits non-zero.
route del -net 10.0.100.0 netmask 255.255.255.0 gw 10.0.1.1
route del -net 10.0.100.0 netmask 255.255.255.0 dev tap0
route add -net 10.0.100.0 netmask 255.255.255.0 gw 10.0.100.1

My LAN IP for the server is 10.0.0.1; my WAN IP for the server is apparently irrelevant for this somehow.

kevins

openvpn on 6.01
« Reply #66 on: January 06, 2005, 12:31:04 AM »
One change, I didn't notice, had no effect on the problem:  One of the IPs should read "10.0.0.1", not "10.0.1.1".  Would have caused problems down the line, but isn't today's issue.

kevins

openvpn on 6.01
« Reply #67 on: January 06, 2005, 12:42:12 AM »
OK...  someone at http://www.techjamaica.com/forums/showthread.php?t=1990 had a solution to that issue.  Apparently the script file isn't set as an executable; using
# chmod +x openvpn.up
makes that part work.

Now it's giving me error 7, network unavailable.  I must have goofed someplace earlier.

kevins

openvpn on 6.01
« Reply #68 on: January 06, 2005, 01:09:09 AM »
And now it mostly works.  It will claim that it starts, but it says "SIOCDELRT:  No such process" before it does so.  The current startup log is below.

Jan  5 16:11:30 server openvpn[3841]: OpenVPN 2.0_rc6 i386-redhat-linux [SSL] [LZO] built on Dec 30 2004
Jan  5 16:11:30 server openvpn[3841]: Diffie-Hellman initialized with 1024 bit key
Jan  5 16:11:30 server openvpn[3841]: WARNING: file 'server.key' is group or others accessible
Jan  5 16:11:30 server openvpn[3841]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan  5 16:11:30 server openvpn[3841]: TUN/TAP device tap0 opened
Jan  5 16:11:30 server openvpn[3841]: /sbin/ifconfig tap0 10.0.100.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.100.255
Jan  5 16:11:30 server openvpn[3841]: /etc/openvpn/openvpn.up tap0 1500 1574 10.0.100.1 255.255.255.0 init
Jan  5 16:11:30 server openvpn[3841]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Jan  5 16:11:30 server openvpn[3856]: UDPv4 link local (bound): [undef]:1194
Jan  5 16:11:30 server openvpn[3856]: UDPv4 link remote: [undef]
Jan  5 16:11:30 server openvpn[3856]: MULTI: multi_init called, r=256 v=256
Jan  5 16:11:30 server openvpn[3856]: IFCONFIG POOL: base=10.0.100.100 size=101
Jan  5 16:11:30 server openvpn[3856]: Initialization Sequence Completed


2 questions:

First, I'm assuming that it shouldn't be complaining about the process.  Second, should server.key be set to chmod 755 as well, or should I ignore that complaint?
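The two start-up messages quoted in the last few posts, "script failed: shell command exited with error status: 126" (the shell found openvpn.up but it is not executable) and "WARNING: file 'server.key' is group or others accessible" (the private key is readable by more than its owner), can both be caught before "service openvpn start". The pre-flight script below is an added example written for this thread; it is not code from the posts, from SME Server or from the OpenVPN contrib. The script name openvpn-preflight.sh, the function names, and the file names server.key and openvpn.up under /etc/openvpn are assumptions taken from the log lines above. It answers the permissions question from a defender's point of view: a private key wants 600 (owner read/write only), not 755, and the up script wants the execute bit, nothing more.

```shell
#!/bin/sh
# openvpn-preflight.sh (added example, assumed name): check the two files that
# produced the start-up messages discussed in the thread, and optionally fix them.
# Requires root to read the key, like OpenVPN itself.

OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# Permission bits of a file in octal, GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when the key is readable/writable by its owner only (e.g. 600 or 400).
# This is the condition OpenVPN checks before printing the "group or others
# accessible" warning: any group or other bit set makes it complain.
key_is_private() {
  mode=$(file_mode "$1") || return 1
  mode=${mode#"${mode%???}"}        # keep the last three digits (drop setuid/sticky)
  case "$mode" in
    ?00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Exit 0 when the up script exists and carries the execute bit. Without it the
# shell returns status 126 ("found but not executable"), exactly the log line above.
up_script_runnable() {
  [ -f "$1" ] && [ -x "$1" ]
}

# Print one line per finding; exit non-zero if anything needs attention.
check_openvpn_files() {
  dir="$1"; rc=0
  if ! key_is_private "$dir/server.key"; then
    echo "server.key: mode $(file_mode "$dir/server.key"), should be 600 (chmod 600, not 755)"
    rc=1
  fi
  if ! up_script_runnable "$dir/openvpn.up"; then
    echo "openvpn.up: not executable, OpenVPN will log exit status 126 (chmod +x)"
    rc=1
  fi
  return $rc
}

# Tighten both files in place; idempotent, safe to run more than once.
fix_openvpn_files() {
  dir="$1"
  chmod 600 "$dir/server.key" && chmod 700 "$dir/openvpn.up"
}

# When run as a script (sh openvpn-preflight.sh), check the live directory.
if [ "${0##*/}" = "openvpn-preflight.sh" ]; then
  check_openvpn_files "$OPENVPN_DIR"
fi
```

Run it as root before starting the service; a clean run prints nothing and exits 0. The fix function sets the up script to 700 rather than 755 because only root ever needs to run or read it, and the key is tightened to 600 rather than 755, since widening a private key's permissions would silence the warning by making the problem it warns about worse.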

cydonia

openvpn on 6.01
« Reply #69 on: January 06, 2005, 04:59:20 AM »
I am unable to connect to my server through OpenVPN from a remote office, only because it is on a different subnet and ip address type.  I'm not sure what parts of the config i have to change, and i don't want to wreck it, since it works, but i get messages alerting me that the path is not routeable.

Remote Details
Ip = 192.100.10.123
Subnet = 255.255.0.0
Gateway = 192.100.10.254

Server Details
Gateway = 192.168.1.1
Subnet = 255.255.255.0


As i said, it all works, i just need to add this network somehow.


Thanks
Tristan
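Two of the questions in this thread come down to the same check: Peter asked whether overlapping subnets (as opposed to overlapping single addresses) cause trouble when joining two networks, and Tristan's post lists a remote side on a 255.255.0.0 network and a server side on a 255.255.255.0 network. Two networks are a problem for a joined-network tunnel when they share any address, because a host then cannot tell from the destination which side of the tunnel it is on. The script below is an added example, not code from the thread; it computes that overlap from dotted-quad addresses and masks written the way the posts write them. The function names are assumptions of this example; the addresses in the loop are the ones quoted in the posts plus one constructed pair that does clash.

```shell
#!/bin/sh
# Added example (not from the thread): do two IPv4 networks overlap?
# Masks are dotted quads, as in the posts above. Function names are assumed.

# Dotted quad -> 32-bit integer. Runs inside $(...) so "set --" stays local.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad, for readable output.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address of ip/mask as a dotted quad.
net_of() {
  int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Exit 0 when ip1/mask1 and ip2/mask2 share at least one address.
# Two networks overlap exactly when they agree under the shorter
# (numerically smaller) of the two masks; nothing else needs comparing.
nets_overlap() {
  m1=$(ip_to_int "$2"); m2=$(ip_to_int "$4")
  if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$3") & m )) ]
}

# One-phrase verdict for scripts and for the report below.
overlap_report() {
  if nets_overlap "$1" "$2" "$3" "$4"; then echo "overlap"; else echo "no overlap"; fi
}

# Pairs from the posts (remote office vs server LAN; kevins' LAN vs his tap0
# network) plus one constructed pair where both ends use 192.168.1.0/24.
for pair in \
  "192.100.10.123 255.255.0.0 192.168.1.1 255.255.255.0" \
  "10.0.0.1 255.255.255.0 10.0.100.1 255.255.255.0" \
  "192.168.1.5 255.255.255.0 192.168.1.200 255.255.255.0"
do
  set -- $pair
  printf '%s/%s vs %s/%s: %s\n' "$(net_of "$1" "$2")" "$2" "$(net_of "$3" "$4")" "$4" \
    "$(overlap_report "$1" "$2" "$3" "$4")"
done
```

The check is about networks, not individual hosts: two hosts with the same address on different, non-overlapping networks are no problem, while two ends that both use 192.168.1.0/24 are, whether or not any single address is duplicated. That is why the usual advice when both sites were set up with a default 192.168.1.x range is to renumber one side before joining them.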

kevins

New Information
« Reply #70 on: January 06, 2005, 10:15:15 PM »
The VPN sort-of works.  I can access the local network from a remote machine (which was the #1 reason to do this), but no local machines can see the remote ones (which would be nice both for security and functionality reasons).  It looked to me like this should be possible fairly easily; do I need to do anything special to gain access that way?  Would I need to set up another server on the other end (theoretically possible, but preferably not necessary)?

I still have not gotten that errors that popped up to go away.  Not that I have had the time to try, really.

Thanks for your help.

jgreen2173

openvpn on 6.01
« Reply #71 on: January 07, 2005, 01:11:45 AM »
Hi,
 All i seem to get is the following errors...

 rpm -Uvh *.rpm
Preparing...                ########################################### [100%]
package perl-DateManip-5.40-15 is already installed
file /usr/sbin/openvpn conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/man/man8/openvpn.8.gz conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/openvpn/easy-rsa/README conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/openvpn/sample-config-files/client.conf conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
[root@jassserver01 OpenVPN]# /sbin/e-smith/db configuration setprop openvpn status enabled
[root@jassserver01 OpenVPN]# cd /etc/openvpn/easy-rsa
bash: cd: /etc/openvpn/easy-rsa: No such file or directory


Any help would be appreciated...

kevins

openvpn on 6.01
« Reply #72 on: January 07, 2005, 01:51:34 AM »
Well, the VPN works fine now.  I can access my home machine.  Haven't actually figured out what was causing the problem, since I haven't touched the config files on either machine.  Maybe it was a bandwidth issue; my wife had a few files downloading today.

Knuddi
openvpn on 6.01
« Reply #73 on: January 07, 2005, 09:17:55 AM »
jgreen2173,

Start by not installing the perl-DateManip-5.40-15 package (simply remove the file before you run the rpm -Uvh *.rpm command).

Also make sure that the directory from where you install ONLY contains the files you just downloaded - I suspect that the old beta18 files are located in the same dir.

kevins

openvpn on 6.01
« Reply #74 on: January 07, 2005, 07:49:50 PM »
Well, it was a bandwidth issue.  My wife's downloads had all finished by the time I got home.

So at this point:

I have 2-way communication between one office and a single client set up elsewhere.

I am still having a "SIOCDELRT: No such process" error when I run "service openvpn start".  It appears to be choking on one of the commands in the openvpn.up file.

It is still giving me the following error:  "WARNING: file 'server.key' is group or others accessible".

Can I get help fixing these please?

Also, I want to connect it to another network, and I just found out that one of my coworkers sometimes brings in his home machine - and it runs '98.  Is there any way to connect it to the network (I know it can't run as a client, I'm thinking maybe by running a piece of client software on their firewall/router/nat system (which is currently a hardware router, but that needs to be changed anyway) ...  that way if they try to go to a VPN IP the router will forward them to the other network, in theory.)

Thoughts?  Questions?  Comments?