Koozali.org: home of the SME Server

Noobie needs some help.

Offline AndrewR

Noobie needs some help.
« on: November 02, 2006, 10:21:52 PM »
Ok, so I managed to install SME Server 7.0 onto a machine. Fabulous. I have it as part of my network as a server only... fabulous. Here's where it gets fun.

1) I want to install an RPM or two onto the server. How do I do that? Can this be done from the web interface, or do I have to be logged onto the machine directly?

2) This is a silly question... but when downloading RPMs... um.. which ones should I be choosing for SME? I know that SME is a stripped down version of RH.. but which redhat? If I download say.. a fedora core 3 RPM, will that work?

For the record, I am planning on installing OpenVPN from  http://openvpn.net/ onto this machine to use as our VPN server. I'm following some of the guidelines outlined here:

http://www.linuxjournal.com/article/7949

The RPMs in question will be OpenVPN and LZO... since it is required and stuff.

I did this once.. like 9 years ago..  and haven't done anything since. So some help would be appreciated. Thanks a Bundle!

Offline byte

Re: Noobie needs some help.
« Reply #1 on: November 02, 2006, 10:35:28 PM »
Quote from: "AndrewR"
Ok, so I managed to install SME Server 7.0 onto a machine. Fabulous. I have it as part of my network as a server only... fabulous. Here's where it gets fun.


First thing I would say is have a good read of the manual; it's an excellent starting point to learn what you are using with SME Server.

Quote

1) I want to install an RPM or two onto the server. How do I do that? Can this be done from the web interface, or do I have to be logged onto the machine directly?


To install RPMs we use...

rpm -Uvh <rpmname-1.3.0.rpm>

Do "man rpm" for what the Uvh does and for more switches.

You can do this via the command line, which you can also do via SSH using PuTTY, or directly; it depends where you are.

Quote

2) This is a silly question... but when downloading RPMs... um.. which ones should I be choosing for SME?


Take a look in the contribs forum for rpms and the archived wiki up the top of this forum.

Quote

I know that SME is a stripped down version of RH.. but which redhat? If I download say.. a fedora core 3 RPM, will that work?


SME Server 7 is based on CentOS 4.3, which itself is based on Red Hat Enterprise Linux 4.x, so installing Fedora Core RPMs will not work. I tend to look at Dag Wieers' RPMs.

Quote

For the record, I am planning on installing OpenVPN from  http://openvpn.net/ onto this machine to use as our VPN server. I'm following some of the guidelines outlined here:

http://www.linuxjournal.com/article/7949

The RPMs in question will be OpenVPN and LZO... since it is required and stuff.

I did this once.. like 9 years ago..  and haven't done anything since. So some help would be appreciated. Thanks a Bundle!


Again, take a look in the contribs forum; someone there has already done a contrib/how-to to get OpenVPN working with SME.

Hope this gives you a good starting point  :D
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline AndrewR

Noobie needs some help.
« Reply #2 on: November 03, 2006, 04:21:12 PM »
Thanks for the help so far. I followed the setup on Swerts-Knudsen.. it was exactly what I needed. But I'm having a problem creating the keys.. I can create the Server key just fine... but the client key is being problematic. When I go through the checklist to create the key, I get the following error:

Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

I don't know what to do from here.. help?
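Added example (not part of the thread): what "failed to update database / TXT_DB error number 2" actually means, and a pre-flight check for it. The CA's index.txt keeps one line per issued certificate, and with OpenSSL's default unique_subject = yes, "openssl ca" refuses to sign a request whose subject DN matches an entry that is still valid (status V). Reusing the same Common Name for the client as for the server, or for a second client, triggers it; a distinct CN (as the next post does), revoking the earlier certificate, or unique_subject = no all avoid it. The index.txt contents and the organisation/CN values below are constructed for the example.

```python
"""Pre-flight check for OpenSSL's "failed to update database / TXT_DB error number 2".

index.txt is a tab-separated database: status, expiry, revocation date,
serial, filename, subject DN. With the default unique_subject = yes,
"openssl ca" rejects a subject DN identical to an entry whose status is
still V. Revoked (R) and expired (E) entries are not in that uniqueness index.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample index.txt: the server cert, a revoked client cert, and a
# re-issued client cert carrying the same subject as the revoked one.
SAMPLE_INDEX = (
    "V\t161101120000Z\t\t01\tunknown\t/C=CA/ST=ON/O=Example/CN=vpn.example.org\n"
    "R\t161101120000Z\t061103150000Z\t02\tunknown\t/C=CA/ST=ON/O=Example/CN=client\n"
    "V\t161103120000Z\t\t03\tunknown\t/C=CA/ST=ON/O=Example/CN=client\n"
)


@dataclass
class IndexEntry:
    status: str     # V = valid, R = revoked, E = expired
    expiry: str     # YYMMDDHHMMSSZ
    revoked: str    # revocation date, empty unless status is R
    serial: str     # hex serial number
    filename: str   # usually "unknown"
    subject: str    # subject DN in OpenSSL's /C=../CN=.. form


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt; raise on malformed lines rather than guessing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries


def find_subject_clash(entries: List[IndexEntry], subject: str,
                       unique_subject: bool = True) -> Optional[IndexEntry]:
    """Return the still-valid entry that would make signing `subject` fail, if any."""
    if not unique_subject:          # unique_subject = no in openssl.cnf disables the index
        return None
    for entry in entries:
        if entry.status == "V" and entry.subject == subject:
            return entry
    return None


def check_before_sign(index_text: str, subject: str, unique_subject: bool = True) -> str:
    """Human-readable verdict mirroring what 'openssl ca' would do with this subject."""
    clash = find_subject_clash(parse_index(index_text), subject, unique_subject)
    if clash is None:
        return "ok"
    return (f"TXT_DB error number 2: subject {subject} already issued as serial "
            f"{clash.serial} (status V); use a distinct CN, revoke serial {clash.serial} "
            f"first, or set unique_subject = no")


if __name__ == "__main__":
    print(check_before_sign(SAMPLE_INDEX, "/C=CA/ST=ON/O=Example/CN=client"))
    print(check_before_sign(SAMPLE_INDEX, "/C=CA/ST=ON/O=Example/CN=client2"))
```

Run it against a real CA by reading index.txt from the directory named in openssl.cnf; the subject must be written exactly as OpenSSL prints it (field order and spacing matter, since the index compares the string as-is).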

Offline AndrewR

Noobie needs some help.
« Reply #3 on: November 03, 2006, 06:41:14 PM »
Ok, so I managed to fix the DB error. Didn't have an FQDN on the Common Name. But that is now done. Problem is now I can't seem to connect.

When I try, here's what happens according to the Log:

Fri Nov 03 10:35:25 2006 us=805688 Current Parameter Settings:
Fri Nov 03 10:35:25 2006 us=805744   config = 'VPN.ovpn'
Fri Nov 03 10:35:25 2006 us=805753   mode = 0
Fri Nov 03 10:35:25 2006 us=805761   show_ciphers = DISABLED
Fri Nov 03 10:35:25 2006 us=805768   show_digests = DISABLED
Fri Nov 03 10:35:25 2006 us=805775   show_engines = DISABLED
Fri Nov 03 10:35:25 2006 us=805784   genkey = DISABLED
Fri Nov 03 10:35:25 2006 us=805791   key_pass_file = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=805799   show_tls_ciphers = DISABLED
Fri Nov 03 10:35:25 2006 us=805807   proto = 0
Fri Nov 03 10:35:25 2006 us=805814   local = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=805822   remote_list[0] = {'<IPADDRESSREMOVEDBYANDREWR>', 1194}
Fri Nov 03 10:35:25 2006 us=805830   remote_random = DISABLED
Fri Nov 03 10:35:25 2006 us=805839   local_port = 1194
Fri Nov 03 10:35:25 2006 us=805846   remote_port = 1194
Fri Nov 03 10:35:25 2006 us=805853   remote_float = DISABLED
Fri Nov 03 10:35:25 2006 us=805861   ipchange = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=805869   bind_local = ENABLED
Fri Nov 03 10:35:25 2006 us=805876   dev = 'tap'
Fri Nov 03 10:35:25 2006 us=805883   dev_type = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=805890   dev_node = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=805898   tun_ipv6 = DISABLED
Fri Nov 03 10:35:25 2006 us=805905   ifconfig_local = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=805913   ifconfig_remote_netmask = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=805926   ifconfig_noexec = DISABLED
Fri Nov 03 10:35:25 2006 us=805933   ifconfig_nowarn = DISABLED
Fri Nov 03 10:35:25 2006 us=805941   shaper = 0
Fri Nov 03 10:35:25 2006 us=805947   tun_mtu = 1500
Fri Nov 03 10:35:25 2006 us=805955   tun_mtu_defined = ENABLED
Fri Nov 03 10:35:25 2006 us=805962   link_mtu = 1500
Fri Nov 03 10:35:25 2006 us=805970   link_mtu_defined = DISABLED
Fri Nov 03 10:35:25 2006 us=805977   tun_mtu_extra = 32
Fri Nov 03 10:35:25 2006 us=805984   tun_mtu_extra_defined = ENABLED
Fri Nov 03 10:35:25 2006 us=805992   fragment = 0
Fri Nov 03 10:35:25 2006 us=805999   mtu_discover_type = -1
Fri Nov 03 10:35:25 2006 us=806007   mtu_test = 1
Fri Nov 03 10:35:25 2006 us=806014   mlock = DISABLED
Fri Nov 03 10:35:25 2006 us=806022   keepalive_ping = 0
Fri Nov 03 10:35:25 2006 us=806029   keepalive_timeout = 0
Fri Nov 03 10:35:25 2006 us=806037   inactivity_timeout = 0
Fri Nov 03 10:35:25 2006 us=806044   ping_send_timeout = 0
Fri Nov 03 10:35:25 2006 us=806052   ping_rec_timeout = 120
Fri Nov 03 10:35:25 2006 us=806060   ping_rec_timeout_action = 2
Fri Nov 03 10:35:25 2006 us=806067   ping_timer_remote = DISABLED
Fri Nov 03 10:35:25 2006 us=806075   remap_sigusr1 = 0
Fri Nov 03 10:35:25 2006 us=806089   explicit_exit_notification = 0
Fri Nov 03 10:35:25 2006 us=806097   persist_tun = DISABLED
Fri Nov 03 10:35:25 2006 us=806105   persist_local_ip = DISABLED
Fri Nov 03 10:35:25 2006 us=806112   persist_remote_ip = DISABLED
Fri Nov 03 10:35:25 2006 us=806120   persist_key = DISABLED
Fri Nov 03 10:35:25 2006 us=806127   mssfix = 1450
Fri Nov 03 10:35:25 2006 us=806136   resolve_retry_seconds = 1000000000
Fri Nov 03 10:35:25 2006 us=806143   connect_retry_seconds = 5
Fri Nov 03 10:35:25 2006 us=806151   username = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=806158   groupname = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=806166   chroot_dir = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=806174   cd_dir = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=806181   writepid = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=806189   up_script = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=806197   down_script = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=806205   down_pre = DISABLED
Fri Nov 03 10:35:25 2006 us=806212   up_restart = DISABLED
Fri Nov 03 10:35:25 2006 us=806220   up_delay = DISABLED
Fri Nov 03 10:35:25 2006 us=806227   daemon = DISABLED
Fri Nov 03 10:35:25 2006 us=806234   inetd = 0
Fri Nov 03 10:35:25 2006 us=806241   log = DISABLED
Fri Nov 03 10:35:25 2006 us=806249   suppress_timestamps = DISABLED
Fri Nov 03 10:35:25 2006 us=806256   nice = 0
Fri Nov 03 10:35:25 2006 us=806264   verbosity = 4
Fri Nov 03 10:35:25 2006 us=971911   mute = 0
Fri Nov 03 10:35:25 2006 us=975520   gremlin = 0
Fri Nov 03 10:35:25 2006 us=975584   status_file = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=975690   status_file_version = 1
Fri Nov 03 10:35:25 2006 us=975702   status_file_update_freq = 60
Fri Nov 03 10:35:25 2006 us=975709   occ = ENABLED
Fri Nov 03 10:35:25 2006 us=975716   rcvbuf = 0
Fri Nov 03 10:35:25 2006 us=975722   sndbuf = 0
Fri Nov 03 10:35:25 2006 us=975731   socks_proxy_server = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=975745   socks_proxy_port = 0
Fri Nov 03 10:35:25 2006 us=975752   socks_proxy_retry = DISABLED
Fri Nov 03 10:35:25 2006 us=975759   fast_io = DISABLED
Fri Nov 03 10:35:25 2006 us=975766   comp_lzo = ENABLED
Fri Nov 03 10:35:25 2006 us=975773   comp_lzo_adaptive = ENABLED
Fri Nov 03 10:35:25 2006 us=975780   route_script = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=975787   route_default_gateway = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=975795   route_noexec = DISABLED
Fri Nov 03 10:35:25 2006 us=987008   route_delay = 0
Fri Nov 03 10:35:25 2006 us=987024   route_delay_window = 30
Fri Nov 03 10:35:25 2006 us=987032   route_delay_defined = ENABLED
Fri Nov 03 10:35:25 2006 us=987039   management_addr = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=987046   management_port = 0
Fri Nov 03 10:35:25 2006 us=987055   management_user_pass = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=987063   management_log_history_cache = 250
Fri Nov 03 10:35:25 2006 us=987071   management_echo_buffer_size = 100
Fri Nov 03 10:35:25 2006 us=987079   management_query_passwords = DISABLED
Fri Nov 03 10:35:25 2006 us=987088   management_hold = DISABLED
Fri Nov 03 10:35:25 2006 us=987095   shared_secret_file = '[UNDEF]'
Fri Nov 03 10:35:25 2006 us=987103   key_direction = 0
Fri Nov 03 10:35:25 2006 us=987139   ciphername_defined = ENABLED
Fri Nov 03 10:35:25 2006 us=987147   ciphername = 'BF-CBC'
Fri Nov 03 10:35:25 2006 us=987155   authname_defined = ENABLED
Fri Nov 03 10:35:25 2006 us=987162   authname = 'SHA1'
Fri Nov 03 10:35:26 2006 us=75131   keysize = 0
Fri Nov 03 10:35:26 2006 us=75161   engine = DISABLED
Fri Nov 03 10:35:26 2006 us=75198   replay = ENABLED
Fri Nov 03 10:35:26 2006 us=75206   mute_replay_warnings = DISABLED
Fri Nov 03 10:35:26 2006 us=75214   replay_window = 64
Fri Nov 03 10:35:26 2006 us=75244   replay_time = 15
Fri Nov 03 10:35:26 2006 us=75255   packet_id_file = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=75263   use_iv = ENABLED
Fri Nov 03 10:35:26 2006 us=75270   test_crypto = DISABLED
Fri Nov 03 10:35:26 2006 us=75278   tls_server = DISABLED
Fri Nov 03 10:35:26 2006 us=75286   tls_client = ENABLED
Fri Nov 03 10:35:26 2006 us=75294   key_method = 2
Fri Nov 03 10:35:26 2006 us=75301   ca_file = 'ca.crt'
Fri Nov 03 10:35:26 2006 us=75309   dh_file = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=75318   cert_file = 'client.crt'
Fri Nov 03 10:35:26 2006 us=75325   priv_key_file = 'client.key'
Fri Nov 03 10:35:26 2006 us=75333   pkcs12_file = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=113149   cryptoapi_cert = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=113180   cipher_list = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=113211   tls_verify = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=113220   tls_remote = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=113228   crl_file = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=113235   ns_cert_type = 0
Fri Nov 03 10:35:26 2006 us=113243   tls_timeout = 2
Fri Nov 03 10:35:26 2006 us=113251   renegotiate_bytes = 0
Fri Nov 03 10:35:26 2006 us=113258   renegotiate_packets = 0
Fri Nov 03 10:35:26 2006 us=113266   renegotiate_seconds = 3600
Fri Nov 03 10:35:26 2006 us=113274   handshake_window = 60
Fri Nov 03 10:35:26 2006 us=113281   transition_window = 3600
Fri Nov 03 10:35:26 2006 us=113289   single_session = DISABLED
Fri Nov 03 10:35:26 2006 us=113296   tls_exit = DISABLED
Fri Nov 03 10:35:26 2006 us=113305   tls_auth_file = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=132829   server_network = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132848   server_netmask = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132856   server_bridge_ip = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132864   server_bridge_netmask = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132872   server_bridge_pool_start = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132880   server_bridge_pool_end = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132888   ifconfig_pool_defined = DISABLED
Fri Nov 03 10:35:26 2006 us=132896   ifconfig_pool_start = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132904   ifconfig_pool_end = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132912   ifconfig_pool_netmask = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=132919   ifconfig_pool_persist_filename = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=132928   ifconfig_pool_persist_refresh_freq = 600
Fri Nov 03 10:35:26 2006 us=132935   ifconfig_pool_linear = DISABLED
Fri Nov 03 10:35:26 2006 us=132943   n_bcast_buf = 256
Fri Nov 03 10:35:26 2006 us=132950   tcp_queue_limit = 64
Fri Nov 03 10:35:26 2006 us=132958   real_hash_size = 256
Fri Nov 03 10:35:26 2006 us=152346   virtual_hash_size = 256
Fri Nov 03 10:35:26 2006 us=152398   client_connect_script = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=152410   learn_address_script = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=152420   client_disconnect_script = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=152428   client_config_dir = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=152436   ccd_exclusive = DISABLED
Fri Nov 03 10:35:26 2006 us=152443   tmp_dir = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=152456   push_ifconfig_defined = DISABLED
Fri Nov 03 10:35:26 2006 us=152468   push_ifconfig_local = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=152477   push_ifconfig_remote_netmask = 0.0.0.0
Fri Nov 03 10:35:26 2006 us=152485   enable_c2c = DISABLED
Fri Nov 03 10:35:26 2006 us=152493   duplicate_cn = DISABLED
Fri Nov 03 10:35:26 2006 us=152501   cf_max = 0
Fri Nov 03 10:35:26 2006 us=152508   cf_per = 0
Fri Nov 03 10:35:26 2006 us=152516   max_clients = 1024
Fri Nov 03 10:35:26 2006 us=152524   max_routes_per_client = 256
Fri Nov 03 10:35:26 2006 us=163178   client_cert_not_required = DISABLED
Fri Nov 03 10:35:26 2006 us=163237   username_as_common_name = DISABLED
Fri Nov 03 10:35:26 2006 us=163253   auth_user_pass_verify_script = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=163263   auth_user_pass_verify_script_via_file = DISABLED
Fri Nov 03 10:35:26 2006 us=163271   client = DISABLED
Fri Nov 03 10:35:26 2006 us=163278   pull = ENABLED
Fri Nov 03 10:35:26 2006 us=163286   auth_user_pass_file = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=163300   show_net_up = DISABLED
Fri Nov 03 10:35:26 2006 us=163308   route_method = 0
Fri Nov 03 10:35:26 2006 us=163316   ip_win32_defined = DISABLED
Fri Nov 03 10:35:26 2006 us=163324   ip_win32_type = 3
Fri Nov 03 10:35:26 2006 us=163332   dhcp_masq_offset = 0
Fri Nov 03 10:35:26 2006 us=163340   dhcp_lease_time = 31536000
Fri Nov 03 10:35:26 2006 us=163348   tap_sleep = 0
Fri Nov 03 10:35:26 2006 us=163355   dhcp_options = DISABLED
Fri Nov 03 10:35:26 2006 us=205987   dhcp_renew = DISABLED
Fri Nov 03 10:35:26 2006 us=206017   dhcp_pre_release = DISABLED
Fri Nov 03 10:35:26 2006 us=206053   dhcp_release = DISABLED
Fri Nov 03 10:35:26 2006 us=206061   domain = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=206069   netbios_scope = '[UNDEF]'
Fri Nov 03 10:35:26 2006 us=206076   netbios_node_type = 0
Fri Nov 03 10:35:26 2006 us=206084   disable_nbt = DISABLED
Fri Nov 03 10:35:26 2006 us=206107 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Fri Nov 03 10:35:26 2006 us=206435 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 03 10:35:26 2006 us=260643 LZO compression initialized
Fri Nov 03 10:35:26 2006 us=260739 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 03 10:35:26 2006 us=260408 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 03 10:35:26 2006 us=260459 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Nov 03 10:35:26 2006 us=260470 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Nov 03 10:35:26 2006 us=272841 Local Options hash (VER=V4): 'd79ca330'
Fri Nov 03 10:35:26 2006 us=272892 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Nov 03 10:35:26 2006 us=272947 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 03 10:35:26 2006 us=272971 UDPv4 link local (bound): [undef]:1194
Fri Nov 03 10:35:26 2006 us=272981 UDPv4 link remote: <IPADDRESSREMOVEDBYANDREWR>:1194
Fri Nov 03 10:36:27 2006 us=321911 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 03 10:36:27 2006 us=321942 TLS Error: TLS handshake failed
Fri Nov 03 10:36:27 2006 us=318777 TCP/UDP: Closing socket
Fri Nov 03 10:36:27 2006 us=322458 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 03 10:36:27 2006 us=318975 Restart pause, 2 second(s)
Fri Nov 03 10:36:29 2006 us=321940 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 03 10:36:29 2006 us=323042 LZO compression initialized
Fri Nov 03 10:36:29 2006 us=319610 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 03 10:36:29 2006 us=320899 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 03 10:36:29 2006 us=320937 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Nov 03 10:36:29 2006 us=320947 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Nov 03 10:36:29 2006 us=320968 Local Options hash (VER=V4): 'd79ca330'
Fri Nov 03 10:36:29 2006 us=320983 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Nov 03 10:36:29 2006 us=321016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 03 10:36:29 2006 us=321032 UDPv4 link local (bound): [undef]:1194
Fri Nov 03 10:36:29 2006 us=321042 UDPv4 link remote: <IPADDRESSREMOVEDBYANDREWR>:1194
Fri Nov 03 10:37:29 2006 us=979980 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 03 10:37:29 2006 us=980012 TLS Error: TLS handshake failed
Fri Nov 03 10:37:29 2006 us=980497 TCP/UDP: Closing socket
Fri Nov 03 10:37:29 2006 us=980624 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 03 10:37:29 2006 us=980643 Restart pause, 2 second(s)
Fri Nov 03 10:37:31 2006 us=980012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 03 10:37:31 2006 us=981086 LZO compression initialized
Fri Nov 03 10:37:31 2006 us=977667 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 03 10:37:31 2006 us=978994 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 03 10:37:31 2006 us=982593 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Nov 03 10:37:31 2006 us=982610 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Nov 03 10:37:31 2006 us=982632 Local Options hash (VER=V4): 'd79ca330'
Fri Nov 03 10:37:31 2006 us=982647 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Nov 03 10:37:31 2006 us=979160 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 03 10:37:31 2006 us=979193 UDPv4 link local (bound): [undef]:1194
Fri Nov 03 10:37:31 2006 us=979207 UDPv4 link remote: <IPADDRESSREMOVEDBYANDREWR>:1194
Fri Nov 03 10:38:31 2006 us=544247 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 03 10:38:31 2006 us=544277 TLS Error: TLS handshake failed
Fri Nov 03 10:38:31 2006 us=541145 TCP/UDP: Closing socket
Fri Nov 03 10:38:31 2006 us=541263 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 03 10:38:31 2006 us=544832 Restart pause, 2 second(s)
Fri Nov 03 10:38:33 2006 us=544302 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 03 10:38:33 2006 us=545257 LZO compression initialized
Fri Nov 03 10:38:33 2006 us=545315 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 03 10:38:33 2006 us=546451 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 03 10:38:33 2006 us=542968 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Nov 03 10:38:33 2006 us=542988 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Nov 03 10:38:33 2006 us=543010 Local Options hash (VER=V4): 'd79ca330'
Fri Nov 03 10:38:33 2006 us=543025 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Nov 03 10:38:33 2006 us=543080 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 03 10:38:33 2006 us=543096 UDPv4 link local (bound): [undef]:1194
Fri Nov 03 10:38:33 2006 us=543106 UDPv4 link remote: <IPADDRESSREMOVEDBYANDREWR>:1194
Fri Nov 03 10:39:33 2006 us=374194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 03 10:39:33 2006 us=374225 TLS Error: TLS handshake failed
Fri Nov 03 10:39:33 2006 us=370988 TCP/UDP: Closing socket
Fri Nov 03 10:39:33 2006 us=371116 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 03 10:39:33 2006 us=371128 Restart pause, 2 second(s)
Fri Nov 03 10:39:35 2006 us=374226 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 03 10:39:35 2006 us=375275 LZO compression initialized
Fri Nov 03 10:39:35 2006 us=371864 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 03 10:39:35 2006 us=372988 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 03 10:39:35 2006 us=376592 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Nov 03 10:39:35 2006 us=376604 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Nov 03 10:39:35 2006 us=373100 Local Options hash (VER=V4): 'd79ca330'
Fri Nov 03 10:39:35 2006 us=373125 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Nov 03 10:39:35 2006 us=373171 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 03 10:39:35 2006 us=373186 UDPv4 link local (bound): [undef]:1194
Fri Nov 03 10:39:35 2006 us=373195 UDPv4 link remote: <IPADDRESSREMOVEDBYANDREWR>:1194



And it just hangs there, attempting to connect. I feel like I am missing a step... what should I be looking at?

Offline AndrewR

Noobie needs some help.
« Reply #4 on: November 03, 2006, 07:00:17 PM »
Ok, so I am starting to get the hang of all this.. but I still need some help. The "problem" seems to lie in the strings for the following (the bolded parts):

Client config:

port 1194
dev tap

remote XXXXXXXX

tls-client
auth-user-pass

ca ca.crt
cert client.crt
key client.key

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4

Server Conf:

port 1194
dev tap

tls-server

dh dh1024.pem
ca ca.crt
cert server.crt
key server.key

auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh

up ./openvpn.up

mode server
duplicate-cn
ifconfig 192.168.100.1 255.255.255.0

ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for openvpn client

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120

push "ping 10"
push "ping-restart 60"

push "dhcp-option DOMAIN ecl.ca"             # push the DNS domain suffix
push "dhcp-option DNS 10.10.1.50"                   # push DNS entries to openvpn client
push "route 10.10.1.0 255.255.255.0 192.168.100.1" # add route to to protected network

comp-lzo
status-version 2
status openvpn-status.log
verb 3



Now.. um.. I haven't made any users yet. So, for fun, I tried the root user. No luck. Where and how should I be creating the users? Should they be LDAP user accounts already existing in our domain (AD with a Windows 2003 DC) or should they be user accounts on the SME? And what's the best way to create the damn things?

The firewall is letting the traffic through.. I just need to know what I am doing wrong.

Offline AndrewR

Noobie needs some help.
« Reply #5 on: November 03, 2006, 07:11:48 PM »
Ok, so I seem to be answering a lot of my own questions in this thread so far, but I figured I'd just keep posting in case someone else runs into these headaches. The answer to the user question is I create them in SME Server manager. That does the trick, getting me past the UserName and PW hurdle.

Problem now is that I get stuck during connecting.. still giving me grief. Here's the log file:

Fri Nov 03 11:09:22 2006 us=814257 LZO compression initialized
Fri Nov 03 11:09:22 2006 us=817895 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 03 11:09:22 2006 us=819395 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 03 11:09:22 2006 us=819440 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Nov 03 11:09:22 2006 us=819464 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Nov 03 11:09:22 2006 us=819485 Local Options hash (VER=V4): 'd79ca330'
Fri Nov 03 11:09:22 2006 us=819501 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Nov 03 11:09:22 2006 us=819537 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 03 11:09:22 2006 us=819554 UDPv4 link local (bound): [undef]:1194
Fri Nov 03 11:09:22 2006 us=819563 UDPv4 link remote: <IPREMOVEDBYANDREWR>:1194
Fri Nov 03 11:16:48 2006 us=470543 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 03 11:16:48 2006 us=470581 TLS Error: TLS handshake failed
Fri Nov 03 11:16:48 2006 us=470901 TCP/UDP: Closing socket
Fri Nov 03 11:16:48 2006 us=471044 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 03 11:16:48 2006 us=471056 Restart pause, 2 second(s)


Now it's giving me a headache.. it will hang at this point, and then restart, posting the same lines over and over again. So... what's going wrong? Where should I start looking?

Offline AndrewR

Noobie needs some help.
« Reply #6 on: November 03, 2006, 09:46:24 PM »
Well.. I seem to be making some headway. After installing the OpenVPN server manager add-on, I've rebuilt my certs, and here are the details on my config files:

Server:

#------------------------------------------------------------
#          !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
port   1194
proto udp
dev tap0
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
up ./openvpn.up
duplicate-cn



server-bridge   10.10.1.58   255.255.255.0   192.168.100.100   192.168.100.150
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 120"
push "dhcp-option DOMAIN ecl.ca"
push "dhcp-option DNS 10.10.1.58"
push "dhcp-option WINS 10.10.1.58"
fragment 1400
mssfix
cipher AES-128-CBC


max-clients 20
comp-lzo



status-version 2
log-append /var/log/openvpn/openvpn.log
status openvpn-status.log
verb 7


Client:
port 1194
proto udp
dev tap

remote ######## (server address blocked out)
ns-cert-type server
tls-client
auth-user-pass

ca ca.crt
cert client.crt
key client.key


mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

cipher AES-128-CBC
comp-lzo
verb 7

But when I try and connect from my remote host:

Client information:
Fri Nov 03 13:42:59 2006 us=700865 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Nov 03 13:42:59 2006 us=700895 UDPv4 READ [-1] from [undef]: DATA UNDEF len=-1
Fri Nov 03 13:43:01 2006 us=726366 UDPv4 WRITE [14] to XXXXXXXX:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Nov 03 13:43:01 2006 us=765634 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Nov 03 13:43:01 2006 us=765665 UDPv4 READ [-1] from [undef]: DATA UNDEF len=-1


And the info in the Log from the server says:

--server-bridge IP addresses 10.10.1.58 and 192.168.100.100 are not in the same 255.255.255.0 subnet
Use --help for more information.

Ok, my first reaction to this is "like duh". Of course they're not part of the same subnet. The traffic is getting through my router ok.. but WTF? Should I be adding routes to my firewall?

Offline AndrewR

Noobie needs some help.
« Reply #7 on: November 03, 2006, 11:23:46 PM »
*sigh*

OK, so I am still having some troubles. Here's what I WANT to ultimately be accomplished:

1) Have remote clients connect to OpenVPN using ethernet bridging. Bridged IP range should be 10.10.2.0 255.255.255.0, with an IP range of 10.10.2.100-10.10.2.125.

2) Have the Tap interface use internal DNS servers 10.10.1.50 and 10.10.1.51. GW should be 10.10.1.1

3) Once I get one key pair working... make additional keys so that I use the 1 key pair per user scenario.

Please help, and offer suggestions where ye may.
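Added example (not from the thread or the contrib): a small static checker for the two config problems that appear in the last few posts. The server log's "--server-bridge IP addresses ... are not in the same ... subnet" is OpenVPN refusing to start, because the bridge gateway, the netmask and both pool addresses must describe one subnet; the client log's "No server certificate verification method has been enabled" means the client will accept any certificate signed by the CA as the server, which is what ns-cert-type server (added in the Reply #6 client config) or, on OpenVPN 2.1 and later, remote-cert-tls server prevents. The broken server-bridge line is the one posted above; the corrected line, the client configs and the hostname are constructed.

```python
"""Static checks for two OpenVPN config problems: a --server-bridge pool
outside the gateway's subnet (fatal at server start) and a client config with
no server certificate verification (the MITM warning). Standard library only."""
import ipaddress
import shlex
from typing import List, Tuple

Directive = Tuple[str, List[str]]

# The server-bridge line is the one posted in the thread; the rest is trimmed.
SERVER_CONF_BROKEN = """
port 1194
proto udp
dev tap0
server-bridge   10.10.1.58   255.255.255.0   192.168.100.100   192.168.100.150
push "dhcp-option DNS 10.10.1.58"
comp-lzo
"""

# Constructed corrected variant: the pool is carved out of the gateway's own /24.
SERVER_CONF_FIXED = SERVER_CONF_BROKEN.replace(
    "server-bridge   10.10.1.58   255.255.255.0   192.168.100.100   192.168.100.150",
    "server-bridge 10.10.1.58 255.255.255.0 10.10.1.100 10.10.1.150")

# Constructed client config (placeholder hostname) without, then with, a server check.
CLIENT_CONF_NOVERIFY = """
dev tap
proto udp
remote vpn.example.org 1194   # placeholder hostname
tls-client
ca ca.crt
cert client.crt
key client.key
pull
"""
CLIENT_CONF_VERIFY = CLIENT_CONF_NOVERIFY + "ns-cert-type server\n"


def parse_config(text: str) -> List[Directive]:
    """Split a config into (directive, args); '#' and ';' start comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)        # keeps push "..." arguments intact
            directives.append((parts[0], parts[1:]))
    return directives


def check_server_bridge(directives: List[Directive]) -> List[str]:
    """Reproduce OpenVPN's own sanity check on server-bridge arguments."""
    problems = []
    for name, args in directives:
        if name != "server-bridge":
            continue
        if len(args) != 4:
            problems.append(f"server-bridge: expected gateway netmask pool-start pool-end, got {args}")
            continue
        gw, mask, start, end = args
        net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
        for addr in (start, end):
            if ipaddress.IPv4Address(addr) not in net:
                problems.append(f"--server-bridge IP addresses {gw} and {addr} "
                                f"are not in the same {mask} subnet")
        if ipaddress.IPv4Address(start) > ipaddress.IPv4Address(end):
            problems.append(f"server-bridge: pool start {start} is above pool end {end}")
    return problems


def check_client_verification(directives: List[Directive]) -> List[str]:
    """Flag a client config that would log 'No server certificate verification method'."""
    verified = any(
        (name in ("ns-cert-type", "remote-cert-tls") and args == ["server"])
        or (name == "tls-remote" and len(args) == 1)
        for name, args in directives)
    if verified:
        return []
    return ["client: no server certificate verification; add 'ns-cert-type server' "
            "(OpenVPN 2.0, server cert must carry nsCertType=server) "
            "or 'remote-cert-tls server' (OpenVPN 2.1 and later)"]


if __name__ == "__main__":
    for label, conf in (("broken", SERVER_CONF_BROKEN), ("fixed", SERVER_CONF_FIXED)):
        print(label, check_server_bridge(parse_config(conf)) or "ok")
    print("client", check_client_verification(parse_config(CLIENT_CONF_NOVERIFY)) or "ok")
    print("client", check_client_verification(parse_config(CLIENT_CONF_VERIFY)) or "ok")
```

For the layout asked for in this post (bridge range 10.10.2.0/24 with a pool of 10.10.2.100-10.10.2.125), the same check says the gateway address handed to server-bridge must itself be in 10.10.2.0/24; a gateway of 10.10.1.1 would fail exactly as the 10.10.1.58/192.168.100.x pairing did.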

Offline mmccarn

Noobie needs some help.
« Reply #8 on: November 04, 2006, 04:24:20 PM »
Have you looked at OpenVPN for Sme 7.0, which includes a contrib with a server-manager panel to configure OpenVPN?

Offline AndrewR

Noobie needs some help.
« Reply #9 on: November 06, 2006, 04:06:43 PM »
Quote from: "mmccarn"
Have you looked at OpenVPN for Sme 7.0, which includes a contrib with a server-manager panel to configure OpenVPN?


Not until you mentioned it. So, I uninstalled OpenVPN and followed his how-to. Mucho easier, Batman. Problem is, I still am having an issue:

When connecting, I now get the following error:

Mon Nov 06 08:01:37 2006 us=173779 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Nov 06 08:01:46 2006 us=183040 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 06 08:01:46 2006 us=183372 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Mon Nov 06 08:01:46 2006 us=183382 Exiting

I'm almost at the point where I want to blow out the whole server and start again.. which I suppose I could do, seeing as it's only a test server, and no big deal to kill. I've tried deleting and regenerating the keys... with no luck. Help?
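Added example (not from the thread): a triage script for the OpenVPN 2.0 client logs pasted across this thread. It parses the "Fri Nov 03 10:35:26 2006 us=... message" format, counts each recognisable failure with a defender's next step, and measures how long each attempt waited between "UDPv4 link remote" and the handshake failure (the 60-second TLS timeout seen in Replies #3 and #5). The excerpt below is assembled from lines of the thread; the removed server address is replaced by the documentation address 203.0.113.10, and the hints are this example's own.

```python
"""Triage an OpenVPN 2.0 client log into named findings, each with a
defender's next step, and measure how long each handshake attempt waited
before giving up. Standard library only."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ (.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Message substring -> (finding, what to check). Hints are this example's own.
SIGNATURES = [
    ("No server certificate verification method has been enabled",
     "server-not-verified",
     "client accepts any CA-signed cert as the server; add ns-cert-type server / remote-cert-tls server"),
    ("TLS key negotiation failed to occur within",
     "tls-handshake-timeout",
     "no reply from the server: check it is running, listening on the port, and reachable through the firewall"),
    ("Connection reset by peer",
     "connection-reset",
     "the server host reports nothing listening on that port: read the server log for a startup error"),
    ("Cannot load certificate file",
     "cert-load-failed",
     "the file is not a PEM certificate (empty, wrong file, or no BEGIN CERTIFICATE line)"),
    ("are not in the same",
     "server-bridge-subnet",
     "server-bridge gateway and pool must share the netmask's subnet"),
    ("process restarting", "restart", "count of reconnect cycles"),
]

# Constructed excerpt assembled from lines of the thread; 203.0.113.10 stands in
# for the address the poster removed.
SAMPLE_LOG = """\
Fri Nov 03 10:35:26 2006 us=206435 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 03 10:35:26 2006 us=272981 UDPv4 link remote: 203.0.113.10:1194
Fri Nov 03 10:36:27 2006 us=321911 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 03 10:36:27 2006 us=321942 TLS Error: TLS handshake failed
Fri Nov 03 10:36:27 2006 us=322458 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 03 13:42:59 2006 us=700865 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Nov 06 08:01:46 2006 us=183372 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line
Mon Nov 06 08:01:46 2006 us=183382 Exiting
"""


def parse_line(line: str) -> Tuple[Optional[datetime], str]:
    """Return (timestamp, message); timestamp is None for untimestamped lines
    such as the server's startup errors."""
    m = LINE_RE.match(line)
    if not m:
        return None, line.strip()
    return datetime.strptime(m.group(1), TS_FORMAT), m.group(2)


def triage(text: str) -> Dict[str, int]:
    """Count each finding seen in the log."""
    counts: Counter = Counter()
    for line in text.splitlines():
        _, msg = parse_line(line)
        for needle, finding, _hint in SIGNATURES:
            if needle in msg:
                counts[finding] += 1
    return dict(counts)


def handshake_waits(text: str) -> List[float]:
    """Seconds between each 'UDPv4 link remote' and the next 'TLS handshake failed'."""
    waits, started = [], None
    for line in text.splitlines():
        ts, msg = parse_line(line)
        if ts is None:
            continue
        if msg.startswith("UDPv4 link remote"):
            started = ts
        elif "TLS handshake failed" in msg and started is not None:
            waits.append((ts - started).total_seconds())
            started = None
    return waits


def hint_for(finding: str) -> str:
    return next(h for _, f, h in SIGNATURES if f == finding)


if __name__ == "__main__":
    for finding, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {finding:24s} {hint_for(finding)}")
    print("handshake waits (s):", handshake_waits(SAMPLE_LOG))
```

The ordering of findings is the useful part: a handshake timeout with no reply at all points at the server or the path to it, a connection reset points at the server process having exited (as the server-bridge error in Reply #6 shows), and a cert-load failure is purely local to the client's files.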

Offline mmccarn

Noobie needs some help.
« Reply #10 on: November 06, 2006, 04:16:21 PM »
You should re-post this same info in the OpenVPN post that I referenced above - that way the contrib author will get a notification and can give you an informed answer...

Offline AndrewR

Noobie needs some help.
« Reply #11 on: November 07, 2006, 07:43:17 PM »
Quote from: "mmccarn"
You should re-post this same info in the OpenVPN post that I referenced above - that way the contrib author will get a notification and can give you an informed answer...


I reposted.. and finally, I admit, I just got lucky. I installed Beta4, and now it is working wonderfully. The Panel applet does make things easier too I must admit.

For all those having similar problems, I would recommend the thread OpenVPN for Sme 7.0; it's been really helpful.