Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Toppi

« Reply #210 on: February 27, 2007, 10:59:07 AM »
it runs!

you're the best!!!

many thanks and have a good day, mine will be :D

wispaway

« Reply #211 on: March 07, 2007, 09:45:29 PM »
I would like to be able to configure custom options for each client connection, specifically, gateway and DNS options.
I am connecting multiple routers to a central network that does not use SME as its gateway, and using the gateway-redirect function and default "push" options is not going to do it.

How might I go about changing these values without losing them all on restart?

Network looks like:

client router<-->VPN(thru internet)<-->SME<-->AAA server<-->internet

Or at least that's what I want the network to look like.

I've looked at the PERL and though I only have the vaguest idea of what I'm looking at, it seems as though the "push" params are fetched from SME's configuration database.

imcintyre

« Reply #212 on: March 07, 2007, 10:49:08 PM »
Freak_Dk/Vip-ire;

FYI
I only run this on xp and w2k laptops and pc's. I have not upgraded to the latest and greatest, I guess I have the earliest stable release.

Quote
i still have to enter the same username and password when i try to access the server (7.1 in server only mode)?


I also have to enter the username/password to access the server after I "vpn" onto the network. It never occurred to me that I shouldn't have to.
Other facilities that I vpn into where file server is separate from gateway appliance always work this way (don't they?).

AndrewR

« Reply #213 on: March 07, 2007, 11:56:50 PM »
UGH. I knew I shouldn't have updated..

I just updated all of SME's updates through Software installer. After the reconfiguration reboot... OpenVPN no longer works. Fails on the TLS handshake. Thinking it was an update gone wrong, I wiped the server and started over.

No luck. Damn thing is still broken. OpenVPN will not complete the TLS Handshake. Times out every time.

The Log on the server tells me nothing... help?

This is what the client log says:

Wed Mar 07 15:43:36 2007 us=567114 Current Parameter Settings:
Wed Mar 07 15:43:36 2007 us=567867   config = 'andrewr.ovpn'
Wed Mar 07 15:43:36 2007 us=567880   mode = 0
Wed Mar 07 15:43:36 2007 us=567892   show_ciphers = DISABLED
Wed Mar 07 15:43:36 2007 us=567902   show_digests = DISABLED
Wed Mar 07 15:43:36 2007 us=567913   show_engines = DISABLED
Wed Mar 07 15:43:36 2007 us=567924   genkey = DISABLED
Wed Mar 07 15:43:36 2007 us=567935   key_pass_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=567947   show_tls_ciphers = DISABLED
Wed Mar 07 15:43:36 2007 us=567957   proto = 0
Wed Mar 07 15:43:36 2007 us=567967   local = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=567979   remote_list[0] = {'209.89.132.81', 1194}
Wed Mar 07 15:43:36 2007 us=567990   remote_random = DISABLED
Wed Mar 07 15:43:36 2007 us=568000   local_port = 1194
Wed Mar 07 15:43:36 2007 us=568011   remote_port = 1194
Wed Mar 07 15:43:36 2007 us=568154   remote_float = DISABLED
Wed Mar 07 15:43:36 2007 us=568178   ipchange = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568189   bind_local = DISABLED
Wed Mar 07 15:43:36 2007 us=568638   dev = 'tap'
Wed Mar 07 15:43:36 2007 us=568652   dev_type = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568662   dev_node = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568672   tun_ipv6 = DISABLED
Wed Mar 07 15:43:36 2007 us=568683   ifconfig_local = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568693   ifconfig_remote_netmask = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568704   ifconfig_noexec = DISABLED
Wed Mar 07 15:43:36 2007 us=568715   ifconfig_nowarn = DISABLED
Wed Mar 07 15:43:36 2007 us=568724   shaper = 0
Wed Mar 07 15:43:36 2007 us=568737   tun_mtu = 1500
Wed Mar 07 15:43:36 2007 us=568748   tun_mtu_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=568758   link_mtu = 1500
Wed Mar 07 15:43:36 2007 us=568769   link_mtu_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=568779   tun_mtu_extra = 32
Wed Mar 07 15:43:36 2007 us=568813   tun_mtu_extra_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=568825   fragment = 1450
Wed Mar 07 15:43:36 2007 us=568837   mtu_discover_type = -1
Wed Mar 07 15:43:36 2007 us=568847   mtu_test = 0
Wed Mar 07 15:43:36 2007 us=568858   mlock = DISABLED
Wed Mar 07 15:43:36 2007 us=568868   keepalive_ping = 0
Wed Mar 07 15:43:36 2007 us=568879   keepalive_timeout = 0
Wed Mar 07 15:43:36 2007 us=568891   inactivity_timeout = 0
Wed Mar 07 15:43:36 2007 us=568902   ping_send_timeout = 0
Wed Mar 07 15:43:36 2007 us=569243   ping_rec_timeout = 120
Wed Mar 07 15:43:36 2007 us=569262   ping_rec_timeout_action = 2
Wed Mar 07 15:43:36 2007 us=569274   ping_timer_remote = DISABLED
Wed Mar 07 15:43:36 2007 us=569284   remap_sigusr1 = 0
Wed Mar 07 15:43:36 2007 us=569297   explicit_exit_notification = 0
Wed Mar 07 15:43:36 2007 us=569307   persist_tun = DISABLED
Wed Mar 07 15:43:36 2007 us=569318   persist_local_ip = DISABLED
Wed Mar 07 15:43:36 2007 us=569329   persist_remote_ip = DISABLED
Wed Mar 07 15:43:36 2007 us=569339   persist_key = DISABLED
Wed Mar 07 15:43:36 2007 us=569349   mssfix = 1450
Wed Mar 07 15:43:36 2007 us=569360   resolve_retry_seconds = 1000000000
Wed Mar 07 15:43:36 2007 us=569371   connect_retry_seconds = 5
Wed Mar 07 15:43:36 2007 us=569382   username = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569391   groupname = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569403   chroot_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569413   cd_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569423   writepid = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569433   up_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569443   down_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569454   down_pre = DISABLED
Wed Mar 07 15:43:36 2007 us=569463   up_restart = DISABLED
Wed Mar 07 15:43:36 2007 us=569474   up_delay = DISABLED
Wed Mar 07 15:43:36 2007 us=569484   daemon = DISABLED
Wed Mar 07 15:43:36 2007 us=569493   inetd = 0
Wed Mar 07 15:43:36 2007 us=569503   log = DISABLED
Wed Mar 07 15:43:36 2007 us=569513   suppress_timestamps = DISABLED
Wed Mar 07 15:43:36 2007 us=569828   nice = 0
Wed Mar 07 15:43:36 2007 us=569838   verbosity = 4
Wed Mar 07 15:43:36 2007 us=569847   mute = 0
Wed Mar 07 15:43:36 2007 us=569857   gremlin = 0
Wed Mar 07 15:43:36 2007 us=569867   status_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569878   status_file_version = 1
Wed Mar 07 15:43:36 2007 us=569889   status_file_update_freq = 60
Wed Mar 07 15:43:36 2007 us=569899   occ = ENABLED
Wed Mar 07 15:43:36 2007 us=569910   rcvbuf = 0
Wed Mar 07 15:43:36 2007 us=569920   sndbuf = 0
Wed Mar 07 15:43:36 2007 us=569931   socks_proxy_server = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569950   socks_proxy_port = 0
Wed Mar 07 15:43:36 2007 us=569961   socks_proxy_retry = DISABLED
Wed Mar 07 15:43:36 2007 us=569971   fast_io = DISABLED
Wed Mar 07 15:43:36 2007 us=569981   comp_lzo = ENABLED
Wed Mar 07 15:43:36 2007 us=569991   comp_lzo_adaptive = ENABLED
Wed Mar 07 15:43:36 2007 us=570001   route_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=570012   route_default_gateway = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=570022   route_noexec = DISABLED
Wed Mar 07 15:43:36 2007 us=570032   route_delay = 0
Wed Mar 07 15:43:36 2007 us=576135   route_delay_window = 30
Wed Mar 07 15:43:36 2007 us=576147   route_delay_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=576158   management_addr = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=576167   management_port = 0
Wed Mar 07 15:43:36 2007 us=576177   management_user_pass = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=576188   management_log_history_cache = 250
Wed Mar 07 15:43:36 2007 us=576198   management_echo_buffer_size = 100
Wed Mar 07 15:43:36 2007 us=576208   management_query_passwords = DISABLED
Wed Mar 07 15:43:36 2007 us=576218   management_hold = DISABLED
Wed Mar 07 15:43:36 2007 us=576228   shared_secret_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=576238   key_direction = 2
Wed Mar 07 15:43:36 2007 us=576247   ciphername_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=576257   ciphername = 'AES-128-CBC'
Wed Mar 07 15:43:36 2007 us=576267   authname_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=576277   authname = 'SHA1'
Wed Mar 07 15:43:36 2007 us=576424   keysize = 0
Wed Mar 07 15:43:36 2007 us=594669   engine = DISABLED
Wed Mar 07 15:43:36 2007 us=594726   replay = ENABLED
Wed Mar 07 15:43:36 2007 us=594739   mute_replay_warnings = DISABLED
Wed Mar 07 15:43:36 2007 us=594751   replay_window = 64
Wed Mar 07 15:43:36 2007 us=594762   replay_time = 15
Wed Mar 07 15:43:36 2007 us=594774   packet_id_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=594785   use_iv = ENABLED
Wed Mar 07 15:43:36 2007 us=594796   test_crypto = DISABLED
Wed Mar 07 15:43:36 2007 us=594809   tls_server = DISABLED
Wed Mar 07 15:43:36 2007 us=594820   tls_client = ENABLED
Wed Mar 07 15:43:36 2007 us=594830   key_method = 2
Wed Mar 07 15:43:36 2007 us=594841   ca_file = 'ca.crt'
Wed Mar 07 15:43:36 2007 us=594851   dh_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=594861   cert_file = 'andrewr.crt'
Wed Mar 07 15:43:36 2007 us=594873   priv_key_file = 'andrewr.key'
Wed Mar 07 15:43:36 2007 us=594883   pkcs12_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=594894   cryptoapi_cert = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612681   cipher_list = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612707   tls_verify = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612718   tls_remote = 'server'
Wed Mar 07 15:43:36 2007 us=612728   crl_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612737   ns_cert_type = 64
Wed Mar 07 15:43:36 2007 us=612747   tls_timeout = 2
Wed Mar 07 15:43:36 2007 us=612757   renegotiate_bytes = 0
Wed Mar 07 15:43:36 2007 us=612767   renegotiate_packets = 0
Wed Mar 07 15:43:36 2007 us=612777   renegotiate_seconds = 3600
Wed Mar 07 15:43:36 2007 us=612787   handshake_window = 60
Wed Mar 07 15:43:36 2007 us=612797   transition_window = 3600
Wed Mar 07 15:43:36 2007 us=612807   single_session = DISABLED
Wed Mar 07 15:43:36 2007 us=612816   tls_exit = DISABLED
Wed Mar 07 15:43:36 2007 us=612826   tls_auth_file = 'ta.key'
Wed Mar 07 15:43:36 2007 us=612840   server_network = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=612851   server_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626276   server_bridge_ip = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626315   server_bridge_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626329   server_bridge_pool_start = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626343   server_bridge_pool_end = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=628656   ifconfig_pool_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=629042   ifconfig_pool_start = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=629054   ifconfig_pool_end = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=629065   ifconfig_pool_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=629076   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=629087   ifconfig_pool_persist_refresh_freq = 600
Wed Mar 07 15:43:36 2007 us=629097   ifconfig_pool_linear = DISABLED
Wed Mar 07 15:43:36 2007 us=629107   n_bcast_buf = 256
Wed Mar 07 15:43:36 2007 us=629117   tcp_queue_limit = 64
Wed Mar 07 15:43:36 2007 us=629127   real_hash_size = 256
Wed Mar 07 15:43:36 2007 us=629136   virtual_hash_size = 256
Wed Mar 07 15:43:36 2007 us=640659   client_connect_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640702   learn_address_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640739   client_disconnect_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640754   client_config_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640766   ccd_exclusive = DISABLED
Wed Mar 07 15:43:36 2007 us=640777   tmp_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640788   push_ifconfig_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=640803   push_ifconfig_local = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=640816   push_ifconfig_remote_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=640827   enable_c2c = DISABLED
Wed Mar 07 15:43:36 2007 us=640837   duplicate_cn = DISABLED
Wed Mar 07 15:43:36 2007 us=640847   cf_max = 0
Wed Mar 07 15:43:36 2007 us=640858   cf_per = 0
Wed Mar 07 15:43:36 2007 us=640869   max_clients = 1024
Wed Mar 07 15:43:36 2007 us=640879   max_routes_per_client = 256
Wed Mar 07 15:43:36 2007 us=781426   client_cert_not_required = DISABLED
Wed Mar 07 15:43:36 2007 us=781458   username_as_common_name = DISABLED
Wed Mar 07 15:43:36 2007 us=781471   auth_user_pass_verify_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=781483   auth_user_pass_verify_script_via_file = DISABLED
Wed Mar 07 15:43:36 2007 us=781494   client = DISABLED
Wed Mar 07 15:43:36 2007 us=781505   pull = ENABLED
Wed Mar 07 15:43:36 2007 us=781547   auth_user_pass_file = 'stdin'
Wed Mar 07 15:43:36 2007 us=781563   show_net_up = DISABLED
Wed Mar 07 15:43:36 2007 us=781573   route_method = 0
Wed Mar 07 15:43:36 2007 us=781583   ip_win32_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=781607   ip_win32_type = 3
Wed Mar 07 15:43:36 2007 us=781618   dhcp_masq_offset = 0
Wed Mar 07 15:43:36 2007 us=781629   dhcp_lease_time = 31536000
Wed Mar 07 15:43:36 2007 us=781639   tap_sleep = 0
Wed Mar 07 15:43:36 2007 us=781650   dhcp_options = DISABLED
Wed Mar 07 15:43:36 2007 us=781660   dhcp_renew = DISABLED
Wed Mar 07 15:43:36 2007 us=793333   dhcp_pre_release = DISABLED
Wed Mar 07 15:43:36 2007 us=793365   dhcp_release = DISABLED
Wed Mar 07 15:43:36 2007 us=793378   domain = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=793389   netbios_scope = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=793400   netbios_node_type = 0
Wed Mar 07 15:43:36 2007 us=793410   disable_nbt = DISABLED
Wed Mar 07 15:43:36 2007 us=793435 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Mar 07 15:43:44 2007 us=594979 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Mar 07 15:43:44 2007 us=595101 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 07 15:43:44 2007 us=595118 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 07 15:43:44 2007 us=595151 LZO compression initialized
Wed Mar 07 15:43:44 2007 us=596088 Control Channel MTU parms [ L:1594 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Mar 07 15:43:44 2007 us=599271 Data Channel MTU parms [ L:1594 D:1450 EF:62 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 07 15:43:44 2007 us=599321 Fragmentation MTU parms [ L:1594 D:1450 EF:61 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Mar 07 15:43:44 2007 us=599386 Local Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Mar 07 15:43:44 2007 us=599427 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Mar 07 15:43:44 2007 us=599457 Local Options hash (VER=V4): '29f2fd82'
Wed Mar 07 15:43:44 2007 us=599476 Expected Remote Options hash (VER=V4): 'b35f3855'
Wed Mar 07 15:43:44 2007 us=599511 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Mar 07 15:43:44 2007 us=599533 UDPv4 link local: [undef]
Wed Mar 07 15:43:44 2007 us=599546 UDPv4 link remote: XXXXXXXXX:1194
Wed Mar 07 15:44:45 2007 us=222207 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 07 15:44:45 2007 us=222238 TLS Error: TLS handshake failed
Wed Mar 07 15:44:45 2007 us=222469 TCP/UDP: Closing socket
Wed Mar 07 15:44:45 2007 us=222587 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 07 15:44:45 2007 us=222602 Restart pause, 2 second(s)

I know the traffic is getting through our firewall.. as I am getting a message from my Firewall saying it is going through ok.

Any suggestions as to where I should be looking?
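
The failure pattern in the client log above can be triaged mechanically. The following is an added example, not part of the original post and not code from the contrib: it strips the OpenVPN timestamp prefix, reports whether any `TLS: Initial packet from` reply was logged before the 60-second timeout, and diffs the client's expected remote options against a server options string. The function names and `CONSTRUCTED_SERVER_OPTIONS` are assumptions made for illustration; the log lines are copied from the post.

```python
import re

# Timestamp prefix written by OpenVPN, e.g. "Wed Mar 07 15:43:44 2007 us=599386 ".
PREFIX = re.compile(r"^\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} (?:us=\d+ )?")
OPTS = re.compile(r"^(Local|Expected Remote) Options String: '([^']*)'")

# Lines copied from the client log in the post above (remote address redacted there).
SAMPLE_LOG = """\
Wed Mar 07 15:43:44 2007 us=599386 Local Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Mar 07 15:43:44 2007 us=599427 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Mar 07 15:43:44 2007 us=599546 UDPv4 link remote: XXXXXXXXX:1194
Wed Mar 07 15:44:45 2007 us=222207 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 07 15:44:45 2007 us=222238 TLS Error: TLS handshake failed
Wed Mar 07 15:44:45 2007 us=222587 SIGUSR1[soft,tls-error] received, process restarting
"""

# Constructed for illustration: the Local Options String of a hypothetical server
# that uses another cipher and link MTU and has no mtu-dynamic entry.
CONSTRUCTED_SERVER_OPTIONS = (
    "V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,"
    "keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server"
)


def messages(log_text):
    """Return the log messages with the timestamp prefix removed."""
    return [PREFIX.sub("", ln) for ln in log_text.splitlines() if ln.strip()]


def parse_options(opt_string):
    """'V4,dev-type tap,comp-lzo' -> {'V4': '', 'dev-type': 'tap', 'comp-lzo': ''}"""
    parsed = {}
    for item in opt_string.split(","):
        key, _, value = item.strip().partition(" ")
        parsed[key] = value
    return parsed


def option_strings(log_text):
    """Collect the 'Local' and 'Expected Remote' option strings from a log."""
    found = {}
    for msg in messages(log_text):
        match = OPTS.match(msg)
        if match:
            found[match.group(1)] = parse_options(match.group(2))
    return found


def diff_options(expected, actual):
    """Map each differing option to (expected, actual); None means absent."""
    keys = set(expected) | set(actual)
    return {k: (expected.get(k), actual.get(k))
            for k in keys if expected.get(k) != actual.get(k)}


def triage(log_text):
    """Classify a client log by how far the TLS handshake got."""
    msgs = messages(log_text)
    if any("Initialization Sequence Completed" in m for m in msgs):
        return "connected"
    got_reply = any(m.startswith("TLS: Initial packet from") for m in msgs)
    failed = any("TLS key negotiation failed to occur" in m
                 or "TLS handshake failed" in m for m in msgs)
    if failed and not got_reply:
        return "no-server-reply"      # client never logged a packet from the server
    if failed:
        return "handshake-started-then-failed"
    return "inconclusive"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    expected = option_strings(SAMPLE_LOG)["Expected Remote"]
    for key, pair in sorted(diff_options(expected, parse_options(CONSTRUCTED_SERVER_OPTIONS)).items()):
        print(key, pair)
```

For this log the result is `no-server-reply`: the client never logged a packet from the server on port 1194 before the timeout. To use the options diff on a real case, replace the constructed string with the `Local Options String` line from the server's own log.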

imcintyre

« Reply #214 on: March 08, 2007, 12:30:42 AM »
I have updated to 7.1.2 and have no problems with first stable version of this contrib. I know that's perhaps NOT overly helpful but maybe informative as to where problem may lie.

I am currently logged on through vpn. I compared your log and mine. They appear largely identical; however, close to the end of yours I found:
Quote
Wed Mar 07 15:43:44 2007 us=599546 UDPv4 link remote: XXXXXXXXX:1194


(Edit) On further review I noticed the line at the beginning:

Quote
us=567979 remote_list[0] = {'209.89.132.81', 1194}


In my log, where you have a numeric address, I have the domain name of the server I am logged into. If I take either my numeric address or domain name and plug into I.E. it resolves to the same place. If I plug your numeric address into IE, it does not resolve. (times out)

Hope I am not stating the obvious but your XXXXXXX needs to be the address of the site you are connecting to. Maybe you have edited your log for security reasons. Hope this helps.

Daniel B.

« Reply #215 on: March 08, 2007, 10:14:05 AM »
Hi everyone. I know some people have problems with this contrib and SME 7.1.2, I'm looking where this could come from but for now I don't know. I've just updated my own server to 7.1.2 and the latest openvpn, everything is working like before. Please, if you have any problem, send me an email with as much detail as possible (server mode, other contribs, version of the contrib, error messages etc...) or open a bug in the bug tracker and send me the bug num, because I can't provide help like this in the forum.

daniel AT firewall-services DOT com
It's the end of the world !!! :lol:

AndrewR

« Reply #216 on: March 08, 2007, 03:27:36 PM »
Quote from: imcintyre
I have updated to 7.1.2 and have no problems with first stable version of this contrib. I know that's perhaps NOT overly helpful but maybe informative as to where problem may lie.

I am currently logged on through vpn. I compared your log and mine. They appear largely identical; however, close to the end of yours I found:
Quote
Wed Mar 07 15:43:44 2007 us=599546 UDPv4 link remote: XXXXXXXXX:1194


(Edit) On further review I noticed the line at the beginning:

Quote
us=567979 remote_list[0] = {'209.89.132.81', 1194}


heh that was me just not blanking out my address. I've been using a numeric address since the very beginning, before updating to 7.1.2. Numeric addresses work well enough... saves the DNS having to do a resolution.  :)

AndrewR

« Reply #217 on: March 08, 2007, 05:11:18 PM »
Well, I'm still unsure as to which part of the update was the problem.. but after a reinstall back to 7.1, OpenVPN works fine. It's something to do with the updates to 7.1.2 which are causing the problems, so for now I've disabled the updates.

I'm running SME in server-only mode, and its only function on the network is the OpenVPN service. No other contribs present.

AndrewR

« Reply #218 on: March 09, 2007, 04:04:44 PM »
Anyone aware of any issues with upgrading to OpenVPN 2.09? There's an RPM for it at Dag's site:

http://dag.wieers.com/rpm/packages/openvpn/openvpn-2.0.9-1.el4.rf.i386.rpm


if I disable the service, do a wget, and then install the rpm... is that the correct procedure? Or should I be doing additional steps? Also.. VIP.. will that break your contrib?

stefan24

« Reply #219 on: March 09, 2007, 05:25:34 PM »
OpenVPN 2.0.9 simply does not work on the SME 7 server (cannot be installed due to dependency errors).
It asks for a liblzo2, which does not exist on the SME 7 Server and I cannot find it anywhere else.

AndrewR

« Reply #220 on: March 09, 2007, 06:47:33 PM »
Hmm.. ya, I see what you mean Stefan.

I was able to find an RPM for the lzo.. but it's a Mandrake only. No good for SME.

liblzo2_2-2.01-1mdk.i586.rpm

Can't even find the source for that... ah well. It'll pop up eventually. The good news is... a server running 2.07 will work with clients running 2.09 (I know because one of my clients is running Vista32 bit... and 2.07 won't install).

jonic

« Reply #221 on: March 13, 2007, 07:55:27 PM »
I don't know if this is related, but I'm guessing it is.
I am using the latest openvpn rpm on one server, and beta4 on another. Both servers are updated to 7.1.2. I'm getting a lot of errors in /var/log/messages, like this:
Code:

No subnet declaration for eth0 (0.0.0.0).
** Ignoring requests on eth0.  If this is not what
     you want, please write a subnet declaration
     in your dhcpd.conf file for the network segment
     to which interface eth0 is attached. **


This is caused, I think, by the fact that the local network is now br0.
I noticed this because I have some problems with dhcp not granting new leases, though it is still running. On reboot everything is back to normal.

Has anyone experienced this?
Should I open a bug?

AndrewR

« Reply #222 on: March 14, 2007, 02:40:08 PM »
Quote from: "jonic"
I don't know if this is related, but I'm guessing it is.
I am using the latest openvpn rpm on one server, and beta4 on another. Both servers are updated to 7.1.2. I'm getting a lot of errors in /var/log/messages, like this:
Code:

No subnet declaration for eth0 (0.0.0.0).
** Ignoring requests on eth0.  If this is not what
     you want, please write a subnet declaration
     in your dhcpd.conf file for the network segment
     to which interface eth0 is attached. **


This is caused, I think, by the fact that the local network is now br0.
I noticed this because I have some problems with dhcp not granting new leases, though it is still running. On reboot everything is back to normal.

Has anyone experienced this?
Should I open a bug?


Don't know if you should open a bug or not... but your supposition that br0 is the local network is incorrect. br0 is merely a virtual adapter that is created by OpenVPN. The local network should still be eth0. Check your eth0 configuration to ensure that you do have a subnet specified. Since the problem was fixed by a reboot, it may simply be that, before the reboot, the configuration file wasn't read.

Daniel B.

« Reply #223 on: March 15, 2007, 12:14:38 PM »
No, jonic is right, when the VPN is started, the internal interface becomes br0 instead of eth0. This is because to bridge the interface, we must set eth0 and tap in promiscuous mode, with IP 0.0.0.0, and br0 takes the internal IP. For iptables, we cannot have an internal interface with IP 0.0.0.0, so we set it to be br0; like this, tap0 and eth0 are 'the internal interface'.

I know we can have problems with the DHCP server when the VPN is started, I've just noticed that the problem was still here. It occurs for example when you add a host name (DNS) through the server-manager, the DHCP server restarts and enters a loop, always restarting. The solution for now is then to restart openvpn with /etc/init.d/openvpn-bridge restart.
It's the end of the world !!! :lol:

sits

« Reply #224 on: March 28, 2007, 01:53:33 AM »
I have had this working great running on SME 7.1, since doing the upgrade to SME 7.1.3 it has stopped.
I also upgraded to smeserver-openvpn-bridge-fws-1.1-1.noarch.rpm from smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm

The strange part is I did this to 2 different servers, one works and the other doesn't.

Last few lines of the log

Quote
Wed Mar 28 09:07:27 2007 us=897776 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2006
Wed Mar 28 09:07:35 2007 us=38990 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Mar 28 09:07:35 2007 us=39031 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 28 09:07:35 2007 us=39046 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 28 09:07:35 2007 us=39072 LZO compression initialized
Wed Mar 28 09:07:35 2007 us=39166 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Mar 28 09:07:35 2007 us=46043 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 28 09:07:35 2007 us=46101 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Mar 28 09:07:35 2007 us=46115 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Mar 28 09:07:35 2007 us=46146 Local Options hash (VER=V4): '13a273ba'
Wed Mar 28 09:07:35 2007 us=46165 Expected Remote Options hash (VER=V4): '360696c5'
Wed Mar 28 09:07:35 2007 us=46195 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Mar 28 09:07:35 2007 us=50827 UDPv4 link local: [undef]
Wed Mar 28 09:07:35 2007 us=50853 UDPv4 link remote: 150.101.103.143:1194


it then restarts again
any ideas please
...