Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

gerd
« Reply #255 on: April 30, 2007, 05:39:54 PM »
...last but not least I discovered a strange message (red characters) in the following file:

usr/share/doc: can't open: stunnel-tls-3.22

This message is dated the 28th of April, the day when I installed the openvpn contrib....

Can anyone enlighten me more about this message (tls key negotiation failed...)?

regards

gerd

AndrewR
« Reply #256 on: April 30, 2007, 05:48:44 PM »
Quote from: "gerd"
I have forgotten to mention that there is no port forwarding. The SME server is configured in server-gateway mode: therefore ETH1 is connected directly to the DSL modem. The local network of the SME server is in DHCP mode. The client which should be connected via OVPN to the SME is connected via a modem to the DSL network.

The IP of the remote client is 192.168.20.xxx; the IP range of the local network of the SME server is DHCP mode from 192.168.1.40 (start) to 192.168.1.80 (end). The DHCP range for OVPN is from 192.168.1.90 (start) to 192.168.1.99 (end). So to my guess this should be ok.

Sometimes I wonder whether TCP instead of UDP could be a solution to my problems - however I like to know the root cause....

regards

gerd



Even though the SME box is the first point to your DSL.. you still need to create a firewall rule for the port, allowing traffic, and direct it to your SME server (which should have a static internal IP address on the 192.X.X.X range) in order for the traffic to work.. because that internal address is still behind the firewall that SME provides.

gerd
« Reply #257 on: April 30, 2007, 06:46:00 PM »
Andrew,

if so, then a lot of things have changed in comparison to SME7.0 and the openvpn software which I installed in January '07 (the most recent version of openvpn at the time; unfortunately I do not remember the exact version): at that time I installed SME7.0, installed the openvpn contrib, configured openvpn on my XP client (certificates & keys) and everything worked fine from scratch.

Do you really mean that "today" I have to create firewall rules for the UDP port 1194??? I haven't found any hints in this context in the "HowTo's install smeserver-openvpn-bridge" as of the 28th of February 07 from http://sme.firewall-services.com !!!!

Any comments are highly appreciated... :oops:

gerd

AndrewR
« Reply #258 on: April 30, 2007, 07:13:53 PM »
Quote from: "gerd"
Andrew,

if so, then a lot of things have changed in comparison to SME7.0 and the openvpn software which I installed in January '07 (the most recent version of openvpn at the time; unfortunately I do not remember the exact version): at that time I installed SME7.0, installed the openvpn contrib, configured openvpn on my XP client (certificates & keys) and everything worked fine from scratch.

Do you really mean that "today" I have to create firewall rules for the UDP port 1194??? I haven't found any hints in this context in the "HowTo's install smeserver-openvpn-bridge" as of the 28th of February 07 from http://sme.firewall-services.com !!!!

Any comments are highly appreciated... :oops:

gerd



Hmm. I can't really find anything in the how-to on that per se.. but it's just basic networking. More and more, firewalls are starting to take the approach that BSD did years ago: close everything, and only open what you're specifically told to. In the various security updates to SME, it wouldn't surprise me if that was the case. It never hurts to try and see if that is the case.

As for the TLS case.. one thing to look at, that I've discovered in my workings... check the file size of the certificates. A couple of times, I've run into it where the certs are generated... but they're just not big enough. They should be in the neighbourhood of about 4k per... if they're not.. delete all keys, generate a new DH key, and start over. Safest way, and then try again.

Your subnetting is ok.. now.. your remote client... does it share the same DSL connection? So it's a subnet within a subnet? Multiple NATs can always be somewhat tricky. Not impossible mind you, but tricky.

Finally.. in my own case, in order to get it working in the office here, I had to roll back to 7.1 and disable updates with OVPN 1.1...as the updates would break my OVPN connection. My server is in server-only mode, partly because I prefer to separate server roles, and also because I didn't need another firewall to administer in the office. (I'm the network admin).

One last thing to check: on your SME server.. check the logs to see if the connection traffic is even hitting the SME box or not. See if there is a request coming from anywhere.. the client logs won't tell you that information, but your openvpn logs will. If you can, try connecting from an external network, not just a different subnet. When I was testing mine... I used RDP to connect to my home network, and would try and connect from there. Made for a field test without the hassle of leaving my desk.

Hope this helps.
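The certificate check AndrewR suggests above, as an added example written for this thread (not code from the contrib or from the poster): a PEM file that was written but cut short has a BEGIN line with no matching END line, and that is what the script flags. The size is printed only so it can be compared with his rule of thumb; the hard failure is a missing END line. KEY_DIR, the function names and the two sample files are my own constructions; the sample bodies are dummy text, not key material.

```shell
#!/bin/sh
# Added example for the thread above; not the contrib's own code.
# Flags OpenVPN PEM files whose BEGIN block has no matching END line
# (a file that was generated but truncated), and prints each file's size.
# With no KEY_DIR set it runs on two constructed samples in a temp dir
# (one complete, one truncated); set KEY_DIR to the directory where the
# contrib keeps its keys to check the real files.

make_sample_keys() {
    # Constructed stand-ins: dummy base64-looking bodies, not real keys.
    cat > "$KEY_DIR/server.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBdummyCertificateBodyConstructedForTheExample00000000000000000
-----END CERTIFICATE-----
EOF
    # Truncated on purpose: the END line never made it to disk.
    cat > "$KEY_DIR/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIICdummyKeyBodyCutShortBeforeTheEndMarker000000000000000000000000
EOF
}

# Returns 0 if the file is non-empty and every BEGIN line has a matching
# END line, 1 otherwise.
pem_complete() {
    f="$1"
    [ -s "$f" ] || return 1
    begins=$(grep -c '^-----BEGIN ' "$f")
    ends=$(grep -c '^-----END ' "$f")
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Checks every .crt, .key and .pem file in KEY_DIR, prints one line per
# file and returns the number of bad files (0 means everything passed).
check_keydir() {
    bad=0
    for f in "$KEY_DIR"/*.crt "$KEY_DIR"/*.key "$KEY_DIR"/*.pem; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if pem_complete "$f"; then
            echo "OK   $size bytes  $f"
        else
            echo "BAD  $size bytes  $f  (empty or missing END line)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Dry run on constructed samples unless KEY_DIR points at real files.
if [ -z "${KEY_DIR:-}" ]; then
    KEY_DIR=$(mktemp -d)
    make_sample_keys
fi
check_keydir
echo "bad files: $?"
```

On the samples the run reports server.crt as OK and server.key as BAD, and exits with the bad-file count (1). A file that passes this check can still be the wrong certificate for the CA in use, so it only rules out the truncation case AndrewR describes.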

gerd
« Reply #259 on: April 30, 2007, 07:59:26 PM »
Andrew,

thanks for your reply. In the meantime I have reinstalled the SME7.1.3 server again (SME7.1 updated via "yum update" to 7.1.3).

Then I installed OpenVPN again, this time with wget http://sme.firewall-services.com......etc, to make a final yum localinstall ./*.rpm followed by a signal-event post-upgrade and a signal-event reboot.

And again, no way to get OpenVPN to work; still the same error messages:

- connection reset by peer (WSAECONNRESET)(Code=10054)
- TLS key negotiation failed to occur within 60 sec (check your network connectivity)
- TLS handshake failed
- TCP/UDP: closing socket

Having another look at the file usr/share/doc I find the same message: can't open stunnel-tls-3.22. Believe it or not: with exactly the same time (and date) as for the installation of the OpenVPN. Coincidence or chance??
(I have translated the message from German to English, so in fact this error message could be slightly different.)

Is my understanding correct that you are running openvpn with SME7.1 instead of 7.1.3??? I will test it tomorrow - today I am really too tired now...

best regards (from Germany/Hannover)

gerd

AndrewR
« Reply #260 on: April 30, 2007, 08:42:12 PM »
Quote from: "gerd"
Andrew,

thanks for your reply. In the meantime I have reinstalled the SME7.1.3 server again (SME7.1 updated via "yum update" to 7.1.3).

Then I installed OpenVPN again, this time with wget http://sme.firewall-services.com......etc, to make a final yum localinstall ./*.rpm followed by a signal-event post-upgrade and a signal-event reboot.

And again, no way to get OpenVPN to work; still the same error messages:

- connection reset by peer (WSAECONNRESET)(Code=10054)
- TLS key negotiation failed to occur within 60 sec (check your network connectivity)
- TLS handshake failed
- TCP/UDP: closing socket

Having another look at the file usr/share/doc I find the same message: can't open stunnel-tls-3.22. Believe it or not: with exactly the same time (and date) as for the installation of the OpenVPN. Coincidence or chance??
(I have translated the message from German to English, so in fact this error message could be slightly different.)

Is my understanding correct that you are running openvpn with SME7.1 instead of 7.1.3??? I will test it tomorrow - today I am really too tired now...

best regards (from Germany/Hannover)

gerd


Gerd,

You are correct. I am running 7.1...not 7.1.3. I have disabled all yum updates.

gerd
« Reply #261 on: May 01, 2007, 06:32:50 PM »
Meanwhile I have set up a new SME7.1 - next Friday I will give OpenVPN (1.0.3) a try again - the combination of this OpenVPN worked perfectly with SME7.0.

But please allow me a question: the SME version 7.1.3, configured as a server-gateway in combination with smeserver-openvpn-bridge (release 1.1-1): who has successfully installed this OpenVPN without fumbling in the firewall rules of the SME server? And if yes, how did you manage?
It is definitely not my intention to blame someone for something, and on top of that I am a Linux novice. It is just to learn where my mistakes during the installation are....

By the way, the message I mentioned yesterday:
Having another look at the file usr/share/doc I find the same message: can't open stunnel-tls-3.22. Believe it or not: with exactly the same time (and date) as for the installation of the OpenVPN. Coincidence or chance??
has nothing to do with OpenVPN - this message is shown on my freshly installed SME Server 7.1 as well, without any contribs....

best regards

gerd

crazybob
« Reply #262 on: May 01, 2007, 06:59:47 PM »
gerd,
I have installed this on 2 SME 7.1.3 server/gateway systems without any problems, and no need to adjust iptables.

Bob
If you think you know what's going on, you obviously have no idea what's going on!

Franco
« Reply #263 on: May 02, 2007, 05:23:02 AM »
Quote from: "nenonano"
Quote from: "stuntshell"
Code:
unregister_netdevice: waiting for br0 to become free. Usage count = 1

I get this message every time I need to reboot; it stays there for about 30 lines and then the system reboots.


me too..

is this something to worry about?

Ciao
stefano


I guess so; today my system became stuck on this message for over an hour and I had to reboot by hand  :cry:

Also there seems to be a problem with DHCP after I installed the openvpn:
Quote
May  2 00:10:19 sme7 dhcpd: No subnet declaration for eth0 (0.0.0.0).
May  2 00:10:19 sme7 dhcpd: ** Ignoring requests on eth0.  If this is not what
May  2 00:10:19 sme7 dhcpd:    you want, please write a subnet declaration
May  2 00:10:19 sme7 dhcpd:    in your dhcpd.conf file for the network segment
May  2 00:10:19 sme7 dhcpd:    to which interface eth0 is attached. **


This happens every time I enter a new host under 'Hostnames and Addresses' and my DHCPD becomes unresponsive.
Unfortunately there's no entry for this contrib on the bugtracker.

gerd
« Reply #264 on: May 02, 2007, 01:42:20 PM »
Bingo!!

This morning I disabled the OVPN service, deleted all certificates, recreated all certificates, enabled the OpenVPN service again and rebooted the SME server 7.1.3 - and it works....

My problem is now - I don't know what happened yesterday and the days before. Might be I created the certificates when the OpenVPN was still running (can this be the reason for my OVPN problems??).

Anyway, thanks to all who supported me...

best regards

Daniel B.
« Reply #265 on: May 02, 2007, 05:27:30 PM »
Quote from: "stuntshell"
Quote from: "nenonano"
Quote from: "stuntshell"
Code:
unregister_netdevice: waiting for br0 to become free. Usage count = 1

I get this message every time I need to reboot; it stays there for about 30 lines and then the system reboots.


me too..

is this something to worry about?

Ciao
stefano


I guess so; today my system became stuck on this message for over an hour and I had to reboot by hand  :cry:

Also there seems to be a problem with DHCP after I installed the openvpn:
Quote
May  2 00:10:19 sme7 dhcpd: No subnet declaration for eth0 (0.0.0.0).
May  2 00:10:19 sme7 dhcpd: ** Ignoring requests on eth0.  If this is not what
May  2 00:10:19 sme7 dhcpd:    you want, please write a subnet declaration
May  2 00:10:19 sme7 dhcpd:    in your dhcpd.conf file for the network segment
May  2 00:10:19 sme7 dhcpd:    to which interface eth0 is attached. **


This happens every time I enter a new host under 'Hostnames and Addresses' and my DHCPD becomes unresponsive.
Unfortunately there's no entry for this contrib on the bugtracker.


The problem of DHCPD after adding a hostname should be fixed quickly; I think I've found a solution, I'll just test it on several servers to be sure. The other problem (unregister_netdevice: waiting for br0 to become free. Usage count = 1), I must admit I don't know where it comes from. There's the bug 1780 for this contrib if you want to report it.

Gerd, the certificates can be generated when the server is running; it shouldn't be a problem, so your error is not here.
It's the end of the world!!! :lol:

Franco
« Reply #266 on: May 02, 2007, 05:46:15 PM »
How are you fixing the DHCP problem?
This has worked so far, but I'm unsure if it's proper:
Code:
Edit /etc/init.d/rc.d/dhcpd
#daemon /usr/sbin/dhcpd ${DHCPDARGS} 2>/dev/null
daemon /usr/sbin/dhcpd br0 2>/dev/null

Daniel B.
« Reply #267 on: May 02, 2007, 05:57:26 PM »
Well, I've just modified two lines in /etc/openvpn/server-bridge-startup and /etc/openvpn/server-bridge-shutdown.

You can replace each instance of

Code:

/sbin/service dhcpd start


with this:
Code:

/usr/local/bin/svc -u /service/dhcpd/


and each instance of this:
Code:

/sbin/service dhcpd stop


with this:
Code:

/usr/local/bin/svc -d /service/dhcpd/


In fact the problem comes from a conflict between dhcpd started directly with /etc/init.d/dhcpd, and the one run with the supervisor in /service/dhcpd.

Everyone who wants to test could do that; it shouldn't be risky for the server. If this modification is validated as a fix for this problem, I'll include it in the next release with some other minor changes.
It's the end of the world!!! :lol:
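The substitution Daniel B. describes above, as an added example written for this thread (not the contrib's own code): it swaps the init-script calls in the two bridge scripts for supervisor (svc) calls, so the two ways of starting dhcpd stop fighting over the same daemon. The paths and commands come from the post; OVPN_DIR, the function names and the two sample scripts are my own constructions. Without OVPN_DIR set it runs on constructed copies in a temp dir, so it never touches /etc/openvpn unless you point it there.

```shell
#!/bin/sh
# Added example for the thread above; not the contrib's own code.
# Replaces "/sbin/service dhcpd start|stop" with
# "/usr/local/bin/svc -u|-d /service/dhcpd/" in server-bridge-startup
# and server-bridge-shutdown, keeping a .orig copy of each script.
# Set OVPN_DIR=/etc/openvpn to apply it to the real files; with OVPN_DIR
# unset it runs on constructed copies in a temp dir.
set -u

make_sample_scripts() {
    # Constructed stand-ins for the real bridge scripts (dry run only).
    cat > "$OVPN_DIR/server-bridge-startup" <<'EOF'
#!/bin/sh
/sbin/ifconfig br0 up
/sbin/service dhcpd stop
/sbin/service dhcpd start
EOF
    cat > "$OVPN_DIR/server-bridge-shutdown" <<'EOF'
#!/bin/sh
/sbin/service dhcpd stop
/sbin/ifconfig br0 down
/sbin/service dhcpd start
EOF
}

# Returns 0 if the script still controls dhcpd through the init script.
uses_init_script() {
    grep -Eq '^[[:space:]]*/sbin/service dhcpd (start|stop)[[:space:]]*$' "$1"
}

# Number of supervisor (svc) control lines in a script.
count_svc_lines() {
    grep -Ec '^[[:space:]]*/usr/local/bin/svc -[ud] /service/dhcpd/' "$1"
}

# Rewrites one script: back it up the first time, then swap the commands.
# Running it twice is harmless, since svc lines do not match the patterns.
convert_script() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig"
    sed -e 's#^\([[:space:]]*\)/sbin/service dhcpd start[[:space:]]*$#\1/usr/local/bin/svc -u /service/dhcpd/#' \
        -e 's#^\([[:space:]]*\)/sbin/service dhcpd stop[[:space:]]*$#\1/usr/local/bin/svc -d /service/dhcpd/#' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Converts both bridge scripts and fails if any init-script call is left.
convert_all() {
    for s in server-bridge-startup server-bridge-shutdown; do
        convert_script "$OVPN_DIR/$s" || return 1
        if uses_init_script "$OVPN_DIR/$s"; then
            echo "still uses init script: $OVPN_DIR/$s" >&2
            return 1
        fi
        echo "$s: $(count_svc_lines "$OVPN_DIR/$s") svc line(s)"
    done
}

# Dry run on constructed copies unless OVPN_DIR points at the real scripts.
if [ -z "${OVPN_DIR:-}" ]; then
    OVPN_DIR=$(mktemp -d)
    make_sample_scripts
fi
convert_all
```

The pattern is anchored to the whole line so a commented-out or differently spelled call is left alone for a human to look at, and the .orig copies make it easy to diff or revert once the fix has been validated.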

Franco
« Reply #268 on: May 02, 2007, 07:03:53 PM »
Great!
I'm trying that!

Thanks,

gerd
« Reply #269 on: May 07, 2007, 10:31:28 AM »
Daniel,

I am not sure whether your contrib has a "view record" with 38782 views, but at least your contrib seems to belong to the interesting ones. Might be the time has come now to consider an integration of your contrib into the SME distribution - provided the consent of all concerned parties. It is just an idea - not more please.

But personally I would just like to say a "simple thank you" for your contribution. And I am keen to see your ovpn version "du sud-ouest".

salutations

gerd