Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

AndrewR
[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #195 on: February 16, 2007, 09:49:22 PM »
Quote from: "Shevaresh"
OK, I'm starting to go a little nuts trying to figure this out on my own, so I'm sharing the pain    :twisted:

I installed the OpenVPN bridge yesterday, and when it is enabled the other computers lose some internet access.

Here's my setup:

                         T1
                          |
           SME/VPN--------*
                 |
            Network

The * is a router owned by a company sharing our building and T1 connection.

The SME server is running a fully updated SME7.1 server, with the OpenVPN software installed per the instructions here: http://sme.firewall-services.com/spip.php?article4

Basically, what's happening is that when the computers on the network attempt to access some (not all) sites, the connection gets reset (and continues to get reset no matter how many times I try to refresh).

A sample of sites that work:
http://www.eve-online.com
http://www.google.com

A sample of sites that do not work:
http://www.yahoo.com
http://www.cnn.com

The sites are still pingable, so it is not the DNS or a general outage; also, as soon as I disable the VPN the network functionality returns to normal.

Any questions or suggestions?  (I'm not currently in front of the machine)


Well... for troubleshooting, try using the option "redirect gateway". This will force all traffic through the VPN interface. See if that exhibits the same symptoms or not. If not... then there's something fishy in your network.

imcintyre
« Reply #196 on: February 16, 2007, 11:03:18 PM »
When you say "computers on the network", do you mean both companies or just the one on the "network" side? Not sure about your symptoms, but I had a bit of an issue when I installed OpenVPN. Hopefully you're not as much of a noob as I am, but here goes.

When I assigned addresses for people to VPN into, I forgot to exclude those addresses from the range that the SME box could assign. Even though I had nowhere near enough computers on the network to cause a problem (I thought) it caused a problem.

Hope this helps

del
« Reply #197 on: February 17, 2007, 01:11:31 AM »
Hi VIP-ire,

Thanks for your help and this contrib. I did this:
Quote
cd /tmp && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/panel-openvpn-patch-1.1-0 && \
mv panel-openvpn-patch-1.1-0 /etc/e-smith/web/functions/openvpn-bridge && \
chown root:admin /etc/e-smith/web/functions/openvpn-bridge && \
chmod 4750 /etc/e-smith/web/functions/openvpn-bridge && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/fr-openvpn-patch-1.1-0 && \
mv fr-openvpn-patch-1.1-0 /usr/share/locale/fr/LC_MESSAGES/openvpn-bridge.mo
then this:
Quote
Then, just replace protocol with proto on the client you have already installed, and everything will be OK.
Hey presto, it works OK now. Thanks for your patience :D

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

Shevaresh
« Reply #198 on: February 17, 2007, 01:51:41 AM »
Quote from: "imcintyre" (quoted in full in Reply #196 above)

Actually, I didn't worry about it - DHCP is disabled.

Only my company's computers are behind the SME server (the other system forwards the port directly).  Only the computers behind the SME server lost access; anything on the other side was fine.

Daniel B.
« Reply #199 on: February 17, 2007, 03:50:06 PM »
Quote from: "Shevaresh" (quoted in full in Reply #195 above)

That's a strange problem; I never saw something like that. Can you look at the logs (in the panel, you can see the last 100 lines)? You should also
- look at the 'messages' log with tail -f /var/log/messages
- check that you have those three interfaces: br0, which is configured with the internal address; eth0, which has address 0.0.0.0 and promiscuous mode; and tap0, which also has address 0.0.0.0 and is promiscuous
- try to restart the VPN from the command line: /etc/init.d/openvpn-bridge restart, and see if there's an error message

It seems that your problem only affects the web, so maybe you should check squid's log.

What other contribs are you running?

Please report here, or send me an email (daniel at firewall-services dot com) if you see anything strange in the logs.
It's the end of the world!!! :lol:
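The interface check in the reply above (br0 carries the LAN address; eth0 and tap0 have no address, run promiscuous and are bridge members) is easy to get wrong by eye. The script below is an added example, not part of the contrib or of any post in this thread: it parses the text of the classic net-tools `ifconfig` and `brctl show` output and reports every deviation from that layout. The sample output embedded in it is constructed to match a healthy setup; on a real box you would feed it the output of those two commands.

```python
import re

# Constructed sample: what `ifconfig` prints on a correctly bridged box.
IFCONFIG_OK = """\
br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr 00:ff:aa:bb:cc:dd
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
"""

# Constructed sample: `brctl show` for the same box (tab separated).
BRCTL_OK = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
br0\t\t8000.001122334455\tno\t\teth0
\t\t\t\t\t\t\ttap0
"""

def parse_ifconfig(text):
    """Return {ifname: {'inet': address or None, 'flags': set of flag words}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap", line)
        if m:                                   # start of a new interface block
            cur = m.group(1)
            ifaces[cur] = {"inet": None, "flags": set()}
            continue
        if cur is None or not line.strip():
            continue
        m = re.search(r"inet addr:(\S+)", line)
        if m:
            ifaces[cur]["inet"] = m.group(1)
        m = re.match(r"^\s+((?:[A-Z]+\s+)+)MTU:", line)   # the UP BROADCAST ... line
        if m:
            ifaces[cur]["flags"] = set(m.group(1).split())
    return ifaces

def parse_brctl(text):
    """Return {bridge: set of member interfaces} from `brctl show` output."""
    bridges, cur = {}, None
    for line in text.splitlines()[1:]:          # skip the header line
        cols = line.split()
        if not cols:
            continue
        if not line.startswith(("\t", " ")):    # bridge line: name id stp [iface]
            cur = cols[0]
            bridges[cur] = set(cols[3:])
        elif cur:                               # continuation line: one more member
            bridges[cur].update(cols)
    return bridges

def check_bridge(ifconfig_text, brctl_text, br="br0", members=("eth0", "tap0")):
    """Return a list of problems; an empty list means the state is as expected."""
    ifs, brs = parse_ifconfig(ifconfig_text), parse_brctl(brctl_text)
    problems = []
    if br not in ifs:
        return [f"{br} does not exist"]
    if ifs[br]["inet"] is None:
        problems.append(f"{br} has no IPv4 address (it should carry the LAN address)")
    if "UP" not in ifs[br]["flags"]:
        problems.append(f"{br} is not UP")
    for name in members:
        if name not in ifs:
            problems.append(f"{name} does not exist")
            continue
        st = ifs[name]
        if st["inet"] is not None:
            problems.append(f"{name} still has address {st['inet']}; only {br} should")
        if "PROMISC" not in st["flags"]:
            problems.append(f"{name} is not promiscuous")
        if name not in brs.get(br, set()):
            problems.append(f"{name} is not a member of {br}")
    return problems

if __name__ == "__main__":
    print(check_bridge(IFCONFIG_OK, BRCTL_OK) or "bridge state OK")
```

An interface that keeps its LAN address after being enslaved, or a tap0 that never joined the bridge, both show up here as a named problem rather than as the vague "some sites reset" symptom described earlier in the thread.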

freak_DK
« Reply #200 on: February 23, 2007, 11:57:03 AM »
I have used this excellent contrib, and it works great. However, one small problem: after I have logged in with my domain username and password in the OpenVPN GUI, I still have to enter the same username and password when I try to access the server (7.1 in server-only mode)?

Any idea ?

Daniel B.
« Reply #201 on: February 23, 2007, 12:12:20 PM »
Well, to be honest, I mainly use it with Linux clients. I've tested it quickly with Windows clients; it was connecting without problem, so I didn't search further. I'll try to do more tests on that issue. Is anyone else having the same problem? Are you using 1.1-0 or 1.0-3?
It's the end of the world!!! :lol:

freak_DK
« Reply #202 on: February 23, 2007, 04:20:39 PM »
Thanks for a quick reply. It is version 1.1-0.

When I use the built-in PPTP function, I have no problem getting access to the domain shares, but this is very unstable; often it is impossible to connect.

freak_DK
« Reply #203 on: February 23, 2007, 04:34:36 PM »
    2007 us=509497   route_method = 0
    Fri Feb 23 16:19:19 2007 us=509519   ip_win32_defined = DISABLED
    Fri Feb 23 16:19:19 2007 us=509542   ip_win32_type = 3
    Fri Feb 23 16:19:19 2007 us=509565   dhcp_masq_offset = 0
    Fri Feb 23 16:19:19 2007 us=509588   dhcp_lease_time = 31536000
    Fri Feb 23 16:19:19 2007 us=509610   tap_sleep = 0
    Fri Feb 23 16:19:19 2007 us=509632   dhcp_options = DISABLED
    Fri Feb 23 16:19:19 2007 us=537778   dhcp_renew = DISABLED
    Fri Feb 23 16:19:19 2007 us=537817   dhcp_pre_release = DISABLED
    Fri Feb 23 16:19:19 2007 us=537840   dhcp_release = DISABLED
    Fri Feb 23 16:19:19 2007 us=537861   domain = '[UNDEF]'
    Fri Feb 23 16:19:19 2007 us=537882   netbios_scope = '[UNDEF]'
    Fri Feb 23 16:19:19 2007 us=537905   netbios_node_type = 0
    Fri Feb 23 16:19:19 2007 us=537931   disable_nbt = DISABLED
    Fri Feb 23 16:19:19 2007 us=538235 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2006
    Fri Feb 23 16:19:38 2007 us=396567 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Fri Feb 23 16:19:38 2007 us=396627 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Feb 23 16:19:38 2007 us=396662 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Feb 23 16:19:38 2007 us=396717 LZO compression initialized
    Fri Feb 23 16:19:38 2007 us=396945 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Fri Feb 23 16:19:38 2007 us=408455 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Fri Feb 23 16:19:38 2007 us=408547 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Fri Feb 23 16:19:38 2007 us=408585 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Fri Feb 23 16:19:38 2007 us=408786 Local Options hash (VER=V4): '13a273ba'
    Fri Feb 23 16:19:38 2007 us=408830 Expected Remote Options hash (VER=V4): '360696c5'
    Fri Feb 23 16:19:38 2007 us=408899 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Fri Feb 23 16:19:38 2007 us=408939 UDPv4 link local: [undef]
    Fri Feb 23 16:19:38 2007 us=408964 UDPv4 link remote: x.x.x.x:1194
    Fri Feb 23 16:19:38 2007 us=448509 TLS: Initial packet from x.x.x.x:1194, sid=46f570e6 9ac28549
    Fri Feb 23 16:19:38 2007 us=634954 VERIFY OK: depth=1, /C=DK/ST=Denmark/L=Kar/O=karup/OU=VPN/CN=myserver.mydomain.dk/emailAddress=myemail
    Fri Feb 23 16:19:38 2007 us=636127 VERIFY OK: nsCertType=SERVER
    Fri Feb 23 16:19:38 2007 us=636167 VERIFY X509NAME OK: /C=DK/ST=Denmark/O=karup/OU=VPN/CN=server/emailAddress=Myemail
    Fri Feb 23 16:19:38 2007 us=636194 VERIFY OK: depth=0, /C=DK/ST=Denmark/O=karup/OU=VPN/CN=server/emailAddress=Myemail
    Fri Feb 23 16:19:38 2007 us=851674 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Feb 23 16:19:38 2007 us=851717 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Feb 23 16:19:38 2007 us=851817 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Feb 23 16:19:38 2007 us=851857 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Feb 23 16:19:38 2007 us=852050 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Fri Feb 23 16:19:38 2007 us=852107 [server] Peer Connection Initiated with x.x.x.x:1194
    Fri Feb 23 16:19:39 2007 us=506433 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Fri Feb 23 16:19:39 2007 us=545287 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,dhcp-option DOMAIN mydomain.dk,dhcp-option DNS 192.168.1.4,dhcp-option WINS 192.168.1.4,route-gateway 192.168.1.4,ping 10,ping-restart 120,ifconfig 192.168.1.241 255.255.255.0'
    Fri Feb 23 16:19:39 2007 us=545438 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Feb 23 16:19:39 2007 us=545467 OPTIONS IMPORT: --ifconfig/up options modified
    Fri Feb 23 16:19:39 2007 us=545489 OPTIONS IMPORT: route options modified
    Fri Feb 23 16:19:39 2007 us=545509 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Fri Feb 23 16:19:39 2007 us=549906 TAP-WIN32 device [LAN-forbindelse 4] opened: \\.\Global\{71ED9F8D-FE0E-4AB2-BAE1-05B72ACE88CA}.tap
    Fri Feb 23 16:19:39 2007 us=549960 TAP-Win32 Driver Version 8.1
    Fri Feb 23 16:19:39 2007 us=549985 TAP-Win32 MTU=1500
    Fri Feb 23 16:19:39 2007 us=550025 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.241/255.255.255.0 on interface {71ED9F8D-FE0E-4AB2-BAE1-05B72ACE88CA} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
    Fri Feb 23 16:19:39 2007 us=550070 DHCP option string: 0f087664 6b61722e 646b0604 c0a80104 2c04c0a8 0104
    Fri Feb 23 16:19:39 2007 us=561772 Successful ARP Flush on interface [3] {71ED9F8D-FE0E-4AB2-BAE1-05B72ACE88CA}
    Fri Feb 23 16:19:39 2007 us=565159 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Fri Feb 23 16:19:39 2007 us=565289 Route: Waiting for TUN/TAP interface to come up...
    Fri Feb 23 16:19:40 2007 us=596082 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Fri Feb 23 16:19:40 2007 us=596117 Route: Waiting for TUN/TAP interface to come up...
    Fri Feb 23 16:19:41 2007 us=509680 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Fri Feb 23 16:19:41 2007 us=509719 Route: Waiting for TUN/TAP interface to come up...
    Fri Feb 23 16:19:41 2007 us=516119 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
    Fri Feb 23 16:19:42 2007 us=248757 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
    Fri Feb 23 16:19:42 2007 us=248799 Initialization Sequence Completed

Here is something from my connection log; maybe it helps.
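The client log above contains everything needed to confirm the tunnel came up the way the server intended: the local and expected-remote option strings, the negotiated cipher and certificate strength, and the PUSH_REPLY that sets the client's bridge address, DNS and WINS. The parser below is an added example (not part of the contrib or of any post here); it pulls those facts out of the log text, re-applies the mirror rule OpenVPN uses to derive the expected remote options (keydir flipped, tls-client and tls-server swapped) and flags the two parameters in this log that no longer meet current practice. The embedded sample lines are copied from the post above, with the server address already masked as x.x.x.x in the original.

```python
import re

# Constructed sample: excerpts of the client log posted above.
SAMPLE_LOG = """\
Fri Feb 23 16:19:38 2007 us=408547 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Feb 23 16:19:38 2007 us=408585 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Feb 23 16:19:38 2007 us=852050 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 23 16:19:39 2007 us=545287 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,dhcp-option DOMAIN mydomain.dk,dhcp-option DNS 192.168.1.4,dhcp-option WINS 192.168.1.4,route-gateway 192.168.1.4,ping 10,ping-restart 120,ifconfig 192.168.1.241 255.255.255.0'
Fri Feb 23 16:19:42 2007 us=248799 Initialization Sequence Completed
"""

TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} us=\d+ (.*)$")

def messages(log):
    """Yield each log line with the 'Fri Feb 23 16:19:38 2007 us=NNN ' prefix removed."""
    for line in log.splitlines():
        m = TIMESTAMP.match(line)
        if m:
            yield m.group(1)

def parse_options(option_string):
    """'V4,dev-type tap,keydir 1,tls-auth,...' -> {'V4': '', 'dev-type': 'tap', ...}"""
    result = {}
    for item in option_string.split(","):
        key, _, value = item.partition(" ")
        result[key] = value
    return result

def expected_peer(local):
    """Mirror rule for the 'Expected Remote Options String': same options,
    tls-auth key direction flipped, tls-client <-> tls-server."""
    peer = dict(local)
    if "keydir" in peer:
        peer["keydir"] = "0" if peer["keydir"] == "1" else "1"
    if "tls-client" in peer:
        del peer["tls-client"]
        peer["tls-server"] = ""
    elif "tls-server" in peer:
        del peer["tls-server"]
        peer["tls-client"] = ""
    return peer

def analyse(log):
    """Summarise the handshake: negotiated parameters, pushed options,
    whether the option strings mirror each other, and crypto warnings."""
    info = {"pushed": {}, "warnings": [], "completed": False}
    for msg in messages(log):
        if msg.startswith("Local Options String: "):
            info["local"] = parse_options(msg.split("'")[1])
        elif msg.startswith("Expected Remote Options String: "):
            info["remote"] = parse_options(msg.split("'")[1])
        elif msg.startswith("Control Channel: "):
            m = re.search(r"(\d+) bit RSA", msg)
            if m:
                info["rsa_bits"] = int(m.group(1))
        elif msg.startswith("PUSH: Received control message: "):
            # Everything after the leading PUSH_REPLY token, one option per item.
            for item in msg.split("'")[1].split(",")[1:]:
                key, _, value = item.partition(" ")
                info["pushed"].setdefault(key, []).append(value)
        elif msg == "Initialization Sequence Completed":
            info["completed"] = True
    if "local" in info and "remote" in info:
        # A mismatch here (for example both ends using the same tls-auth key
        # direction) is what a silently failing or flapping tunnel looks like.
        info["options_match"] = expected_peer(info["local"]) == info["remote"]
        cipher = info["local"].get("cipher", "")
        if cipher.startswith("BF-"):
            info["warnings"].append(
                f"cipher {cipher}: Blowfish is a 64-bit block cipher and is "
                "no longer in OpenVPN's default cipher list")
    if info.get("rsa_bits", 2048) < 2048:
        info["warnings"].append(
            f"{info['rsa_bits']}-bit RSA certificate: below the 2048-bit "
            "minimum current TLS stacks accept")
    return info

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this log the option strings mirror correctly and the client was handed 192.168.1.241/24 with DNS and WINS at 192.168.1.4, so the share-access prompt freak_DK describes is not a tunnel problem. The `ping 10` / `ping-restart 120` pair appears twice in the PUSH_REPLY because, in the server config posted later in this thread, `keepalive 10 120` already pushes both and the explicit `push "ping 10"` / `push "ping-restart 120"` lines repeat them; that is harmless.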

Toppi
« Reply #204 on: February 26, 2007, 07:43:49 PM »
Hi, I have a problem starting the openvpn daemon.

I get this error message:

    Feb 26 19:11:18 server e-smith-bg: Starting dhcpd:[  OK  ]
    Feb 26 19:11:18 server openvpn[11252]: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/server-bridge.conf:46: server-bridge (2.0.7)
    Feb 26 19:11:18 server openvpn[11252]: Use --help for more information.
    Feb 26 19:11:18 server openvpn-bridge:  failed
    Feb 26 19:11:18 server e-smith-bg: [FAILED]

and this is my server-bridge.conf:

    #------------------------------------------------------------
    #              !!DO NOT MODIFY THIS FILE!!
    #
    # Manual changes will be lost when this file is regenerated.
    #
    # Please read the developer's guide, which is available
    # at http://wiki.contribs.org/development/
    #
    # Copyright (C) 1999-2006 Mitel Networks Corporation
    #------------------------------------------------------------
    # Virtual Interface Configuration
    lport   1194
    proto udp
    dev tap0

    # Drop down privileges
    user nobody
    group nobody
    chroot /etc/openvpn

    persist-key
    persist-tun

    # Certificates config
    dh easy-rsa/keys/bridge/dh.pem
    ca easy-rsa/keys/bridge/ca.crt
    cert easy-rsa/keys/bridge/server.crt
    key easy-rsa/keys/bridge/server.key


    tls-server
    tls-auth easy-rsa/keys/bridge/ta.key 0

    # CRL file for certificates verification
    crl-verify easy-rsa/keys/bridge/crl.pem

    # Auth method options
    client-cert-not-required
    username-as-common-name

    # Plugin for user-auth as replacement of the script
    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login


    # Server mode
    server-bridge   192.168.1.2     255.255.255.0

    # Options
    keepalive 10 120
    push "ping 10"
    push "ping-restart 120"
    push "dhcp-option DOMAIN home.ralf"
    push "dhcp-option DNS 192.168.1.2"
    push "dhcp-option WINS 192.168.1.2"
    fragment 1400
    mssfix

    # Clients options
    client-config-dir ccd-bridge
    ccd-exclusive
    max-clients 1


    # Log
    status-version 2
    log-append /var/log/openvpn/server-bridge.log
    status server-bridge.log
    verb 1

My SME 7.1 runs in Server/Gateway mode
smeserver-openvpn-bridge-fws-1.1-0.noarch.rpm is installed

maybe someone can help me...

greetings, ralf

Daniel B.
« Reply #205 on: February 27, 2007, 09:51:41 AM »
Toppi, the solution is very simple: the log tells you that you have an error on line 46, which is

    server-bridge 192.168.1.2 255.255.255.0

That means you haven't entered the IP range in the main page. This line should be

    server-bridge serverIP serverMask firstAddr lastAddr

for example

    server-bridge 192.168.1.2 255.255.255.0 192.168.1.20 192.168.1.30

Just enter the address range in the panel and restart the service.
It's the end of the world!!! :lol:

Toppi
« Reply #206 on: February 27, 2007, 09:58:05 AM »
Your answer is really very simple, but I entered the address range in the panel!

I will edit the config file in the evening and give you feedback if it's OK.

thanks and have a good day...

Daniel B.
« Reply #207 on: February 27, 2007, 10:16:31 AM »
Well, it's strange if you have entered the address range. Can you please post the range you have entered, and tell me whether you get an error running this command:

    expand-template /etc/openvpn/server-bridge.conf

and what this returns:

    config show openvpn-bridge

You should have startPool and endPool set to the values of the range.
It's the end of the world!!! :lol:

Toppi
« Reply #208 on: February 27, 2007, 10:30:41 AM »
The range is 192.168.1.220 - 192.168.1.230

    expand-template /etc/openvpn/server-bridge.conf
    WARNING in /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode line 8.
    WARNING in /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode line 8.
    WARNING in /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/80clients: Use of uninitialized value in string eq at /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/80clients line 20.
    WARNING: Template processing succeeded for //etc/openvpn/server-bridge.conf: 3 fragments generated warnings
     at /sbin/e-smith/expand-template line 45



and the config:

    config show openvpn-bridge
    openvpn-bridge=service
        UDPPort=1194
        access=public
        brIf=br0
        cipher=auto
        clientToClient=disabled
        compLzo=enabled
        endPool=192.168.1.230
        fragment=1400
        localCN=server
        localIf=eth0
        maxClients=20
        mtuTest=enabled
        nice=0
        ping=10
        pingRestart=120
        protocol=udp
        redirectGW=0
        renegociation=3600
        startPool=192.168.1.220
        status=enabled
        tapIf=tap0
        tunMtu=1400
        userAuth=1
        verbose=1

Daniel B.
« Reply #209 on: February 27, 2007, 10:38:15 AM »
OK, it seems that you had a problem while upgrading from 1.0-3 to 1.1-0: the templates in templates-custom should have been removed; they are now in /etc/e-smith/templates. You get this error because I changed the names of the keys in the DB between the two releases. What I don't understand is that upgrading should have removed these old templates. Anyway, just verify that you have the new templates:

ll /etc/e-smith/templates/etc/openvpn/server-bridge.conf/

should return

-rw-r--r--  1 root root  452 jan 29 15:07 10dev
-rw-r--r--  1 root root   94 jan 29 15:07 20daemon
-rw-r--r--  1 root root  612 jan 29 15:07 30cert
-rw-r--r--  1 root root  290 jan 29 15:07 40scripts
-rw-r--r--  1 root root  217 jan 29 15:07 50server_mode
-rw-r--r--  1 root root 1322 jan 29 15:07 60options
-rw-r--r--  1 root root  495 jan 29 15:07 80clients
-rw-r--r--  1 root root  187 jan 29 15:07 90log

If it's OK, you can safely remove the old ones:

rm -Rf /etc/e-smith/templates-custom/etc/openvpn

then

expand-template /etc/openvpn/server-bridge.conf
/etc/init.d/openvpn-bridge restart
It's the end of the world!!! :lol:
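Three things in this thread are worth checking mechanically before restarting the service: the `server-bridge` line must carry the four arguments OpenVPN 2.0.7 insists on (Reply #205), the pool must not collide with what the LAN DHCP server hands out (imcintyre's point in Reply #196), and a db record that lacks the keys a template fragment reads is exactly what produces the "uninitialized value" warnings in Reply #208. The script below is an added example, not part of the contrib: it parses the rendered config text and the `config show` output and reports each of those problems. The DHCP range is an assumption supplied by the caller (the script does not read SME's own dhcpd settings), and it also flags `client-cert-not-required`, which is present in the posted config and means the tls-auth key plus PAM credentials are all that gate access. The sample inputs are constructed from the lines posted above.

```python
import ipaddress

# Constructed sample: the line Toppi's stale template rendered (2 args, no pool).
BROKEN_CONF = """\
proto udp
dev tap0
server-bridge   192.168.1.2     255.255.255.0
client-cert-not-required
username-as-common-name
"""

# Constructed sample: the same line once the pool from the panel is rendered.
GOOD_CONF = """\
proto udp
dev tap0
server-bridge 192.168.1.2 255.255.255.0 192.168.1.220 192.168.1.230
"""

# Constructed sample: trimmed `config show openvpn-bridge` output from above.
DB_SHOW = """\
openvpn-bridge=service
    UDPPort=1194
    endPool=192.168.1.230
    startPool=192.168.1.220
    status=enabled
"""

def directives(conf):
    """Yield (name, [args]) for each non-comment, non-blank config line."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        yield name, args

def check_server_bridge(conf, dhcp_range=None):
    """Return a list of problems; empty means the server-bridge line is sane.
    dhcp_range: optional (first, last) of the LAN DHCP lease range (assumption:
    supplied by the caller)."""
    problems, found = [], None
    for name, args in directives(conf):
        if name == "server-bridge":
            found = args
        elif name == "client-cert-not-required":
            problems.append("client-cert-not-required: no client certificate is "
                            "checked; the tls-auth key and PAM login are the only gates")
    if found is None:
        return ["no server-bridge directive found"] + problems
    if len(found) != 4:
        problems.append("server-bridge needs 4 arguments (server IP, netmask, pool "
                        f"start, pool end); got {len(found)}: {' '.join(found)}")
        return problems
    server_ip, mask, first, last = found
    try:
        net = ipaddress.ip_network(f"{server_ip}/{mask}", strict=False)
        server = ipaddress.ip_address(server_ip)
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    except ValueError as e:
        return problems + [f"unparsable address in server-bridge: {e}"]
    if lo > hi:
        problems.append(f"pool start {lo} is after pool end {hi}")
    for addr in (lo, hi):
        if addr not in net:
            problems.append(f"pool address {addr} is outside {net}")
    if lo <= server <= hi:
        problems.append(f"server address {server} lies inside the pool")
    if dhcp_range:
        dlo, dhi = map(ipaddress.ip_address, dhcp_range)
        if lo <= dhi and dlo <= hi:       # closed intervals intersect
            problems.append(f"pool {lo}-{hi} overlaps DHCP range {dlo}-{dhi}; the "
                            "LAN DHCP server can hand a VPN client's address to a local host")
    return problems

def db_props(show_output):
    """Parse `config show <record>` output into {property: value}."""
    props = {}
    for line in show_output.splitlines()[1:]:      # first line is record=type
        key, _, value = line.strip().partition("=")
        if key:
            props[key] = value
    return props

def missing_props(show_output, required=("startPool", "endPool")):
    """Property names a template fragment reads that the db record lacks;
    a non-empty result is what yields 'Use of uninitialized value' warnings."""
    return [p for p in required if p not in db_props(show_output)]

if __name__ == "__main__":
    print("broken:", check_server_bridge(BROKEN_CONF))
    print("good:  ", check_server_bridge(GOOD_CONF, dhcp_range=("192.168.1.100", "192.168.1.200")))
    print("db:    ", missing_props(DB_SHOW) or "all pool keys present")
```

Run it against `/etc/openvpn/server-bridge.conf` and the output of `config show openvpn-bridge` after `expand-template`; an empty problem list from both checks is the state Reply #209 is steering towards.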