Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: hanscees on November 15, 2004, 11:56:36 PM
-
Hi,
Has anybody installed the OpenVPN server on SME 6.01? The new version 2.0 seems very powerful indeed. The client now works on recent Windows hosts using IP routing with tun devices.
Any help would be appreciated.
Hans-Cees
-
Yes, works great!!!!
regards
Michael
-
I am finalizing a Howto for Win2k/XP GUI client access to the SME Server.
If you have the balls :-) then try it out from:
http://sme.swerts-knudsen.dk/howtos/howto_30.htm
Let me know whether it works as expected.
-
I will try this tonight. Having a howto on demand is truly wonderful!
Only I want to use a tun setup with routing.
I will try to change your configs to the tun scenario. But if you already know what things I have to change to do that please let me know.
I take it the tls-scenario still works the same?
hc
-
Hi,
I have trouble getting the udp port 1194 in.
I installed
[root@sme home]# rpm -Uvh http://sme.swerts-knudsen.dk/downloads/dmc-mitel-portopening-0.0.1-4.noarch.rpm
I see the following:
Nov 16 14:34:53 vmw kernel: denylog:IN=eth1 OUT= MAC=00:50:56:40:00:b8:00:40:95:30:11:d4:08:00 SRC=192.168.0.2 DST=192.168.0.114 LEN=42 TOS=0x00 PREC=0x00 TTL=128 ID=17833 PROTO=UDP SPT=1194 DPT=1194 LEN=22
The outside for me in this test is 192.168.0.114.
I see no iptables rule with port 1194. So I guess the rpm to let in this traffic has a problem.
Hans-Cees
-
I've no problem with the port-opening rpm. (SME5.6) But I get the following error:
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 17 20:58:42 server-one openvpn[3565]: 194.109.xxx.xxx:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 17 20:58:42 server-one openvpn[3565]: 194.109.xxx.xxx:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Nov 17 20:58:42 server-one openvpn[3565]: 194.109.xxx.xxx:1194 [Client] Peer Connection Initiated with 194.109.xxx.xxx:1194
Nov 17 20:58:43 server-one openvpn[3565]: 194.109.xxx.xxx:1194 PUSH: Received control message: 'PUSH_REQUEST'
Nov 17 20:58:43 server-one openvpn[3565]: 194.109.xxx.xxx:1194 SENT CONTROL [Client]: 'AUTH_FAILED' (status=1)
And then read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Is this because the 'connector' is behind a NAT and also has to forward port 1194 ?
-
I got it working at last.
The howto is very good. The only thing that really got me stuck is that on my windows 2000 box the tap interface did not get an ip address.
I could see with "ipconfig /all" that it had a DHCP server address but no IP.
This was solved by reading the man page and finding the option:
ip-win32 ipapi
in my client xx.ovpn config file.
I also deleted the lines in the server conf about auth and logoff.sh.
My whole setup, using routing, and not bridging, is like below:
server:
================================
#TUN setup (routing not bridging)
mode server
duplicate-cn
port 1194
dev tun # instead of dev tap
tls-server
dh dh1024.pem
ca ca.crt
cert SERVER.crt
key SERVER.key
#here authentication. Without it this
#setup is not safe: your laptop might
#be stolen.
#you could put the client keys on i-keys
#with pincode, or use a passphrase in the
#client ssl keys.
#the two lines below use password authentication.
#not perfect but better than nothing any time.
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
ifconfig 192.168.100.1 192.168.100.2
# IP range for openvpn clients
ifconfig-pool 192.168.100.5 192.168.100.200
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
#route to be established on the server
route-up "route delete -net 192.168.100.0/24"
route-up "route add -net 192.168.100.0/24 tun0"
#route to push to the other side
push "route 172.16.1.0 255.255.255.0"
push "ping 10"
push "ping-restart 60"
push "dhcp-option DOMAIN hansceess.net" # push the DNS domain suffix
push "dhcp-option DNS 172.16.1.1" # push DNS entries to openvpn client
push "route 192.168.100.1"
comp-lzo
status-version 2
status openvpn-status.log
verb 5
===========================================
config on the windows 2000 client:
=======================================
port 1194
dev tun
remote 192.168.0.114
tls-client
auth-user-pass
ca ca.crt
cert CLIENT.crt
key CLIENT.key
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
#ifconfig 192.168.100.2 192.168.100.1
#ip-win32 ipapi|manual|dynamic|netsh (see
#man page, use when ip address on interface
#does not appear, but dhcp server
#is visible in ipconfig /all)
ip-win32 ipapi
comp-lzo
verb 5
=====================================
This works for me. In iptables on the server you need rules like these:
/sbin/iptables --append FORWARD -i tun0 -j ACCEPT
To let traffic pass through the VPN box to networks behind it.
Hans-Cees
-
=====================================
This works for me. In iptables on the server you need rules like these:
/sbin/iptables --append FORWARD -i tun0 -j ACCEPT
To let traffic pass through the VPN box to networks behind it.
Hans-Cees
Hi,
There is no requirement for this. This is achieved by adding the remote network (in the case of Lan - Lan vpns) as well as the p-t-p network in "local networks".
Regards Duncan
-
=====================================
This works for me. In iptables on the server you need rules like these:
/sbin/iptables --append FORWARD -i tun0 -j ACCEPT
To let traffic pass through the VPN box to networks behind it.
Hans-Cees
Hi,
There is no requirement for this. This is achieved by adding the remote network (in the case of Lan - Lan vpns) as well as the p-t-p network in "local networks".
Regards Duncan
I was talking generally. I do not use the sme-iptables rules, but a set of my own. Iptables-wise such rules are needed. Also rules to let in port 1194 (I think it was 1194).
What astonished me was that if you use "iptables-input-accept -i tun0", you let the tunnel-clients into the open-vpn-server, at eth0 (intranet interface), even if you block forward. That is counter-intuitive. You would expect traffic from tun0 to go through a forward chain to eth0, and then the input chain of your internal interface, eth0. Not so! So just block input -i tun0 and no traffic will get into your openvpn server.
I find the sme iptables rules too unclear to depend on (personally).
Hans-Cees
-
With the updated HowTo made by Knuddi, it also worked on my SME5.6. I'm still trying to get the Network Neighbourhood and multi-player games working. Anyway, thanks a lot!
-
Does a connecting client have to be assigned an IP address in another IP range than the existing LAN IP range?
I'm trying to get some LAN games running and would like to try whether it would make any difference if the client is in my same IP range. Or would it give complications with regard to routing?
Also the client doesn't see my computers in his network-neighbourhood. I'm seeing his computer in my neighbourhood. But that would be a Netbios thing I guess.
-
I got this error when I tried to start openvpn:
Starting openvpn: sh: ./openvpn.up: /bin/sh: bad interpreter: Permission denied
What have I left out...?
-
Make sure that you've done 'chmod 700 openvpn.up'
-
Make sure that you've done 'chmod 700 openvpn.up'
:P thanks, thought i had done that. Working fine now.
Another question though, what is the difference/advantage/disadvantage between OpenVPN & Freeswan?
On my previous SME box I used Freeswan and it seemed to work fine, using the built-in WinXP VPN configuration settings.
I am trying this to try something different, but curious to know how they differ.
-
If you want to play games over your VPN, you have to bridge your VPN (tap0) with your LAN (eth0). OpenVPN includes a bridge startup script that worked for me (/usr/share/openvpn/sample-scripts). You only have to install bridge-utils-0.9.6-46.i586.rpm (www.rpmfind.net). If anybody wants it I can post my config files.
-
Another question though, what is the difference/advantage/disadvantage between OpenVPN & Freeswan?
On my previous SME box I used Freeswan and it seemed to work fine, using the built-in WinXP VPN configuration settings.
I am trying this to try something different, but curious to know how they differ.
What did you do with the winxp VPN configuration then?
Windows cannot do IPsec in tunneling mode, except with L2TP, which is immature on Linux so they say.
So with IPsec you cannot route entire networks. With OpenVPN you can.
Also you can traverse NAT.
Hans-Cees
-
What did you do with the winxp VPN configuration then?
Windows cannot do IPsec in tunneling mode, except with L2TP, which is immature on Linux so they say.
So with IPsec you cannot route entire networks. With OpenVPN you can.
Also you can traverse NAT.
Hans-Cees
I'm not sure, it's that long ago, perhaps a registry mod... Nothing that isn't available on here.
It was only PPTP though, not ipsec.
I hope OpenVPN can do PPTP also...
-
It was only PPTP though, not ipsec.
I hope OpenVPN can do PPTP also...
The question is weird. PPTP is a way to make a tunnel. OpenVPN is also. They both use similar "virtual" devices. They both use something like DHCP to give out IP addresses and so on.
Differences are huge though in other respects. PPTP is not as safe cryptographically speaking: only when you use very long passwords. OpenVPN is much safer.
PPTP is mainly a Windows thing, where other OSes implemented it because Windows has it. PPTP has a lot of packet overhead as well, more than OpenVPN I think.
PPTP is not adjustable whereas you can tinker a lot with OpenVPN.
hc
-
I am getting the following error after entering username/password in the OpenVPN gui:
Tue Nov 30 00:40:58 2004 us=93392 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Nov 30 00:40:58 2004 us=93461 Exiting
I don't know if this is the problem, but my client.crt is 0 KB in size; it has nothing in it at all.
I have followed the howto, and actually did it all again to make sure I didn't miss anything.
Any ideas why this file is empty?
-
Does the client.crt have anything in it when you've made it on your server? Maybe you could try to remove all certificates on your server and then rebuild them.
-
Oops... what a noob..:P
I used "Server" as the common name to generate Client.key instead of "Client".
All working now.
One question though, what is the difference between port forwarding and port opening? And why do we use port opening for this?
Thanks for the how to.
-
With port forwarding you can 'redirect' ports from your server to a client. In this way the outside world can contact your client PC. The port-opening module only opens a port in your firewall so that traffic can come past your firewall and thus reach your server (e.g. the OpenVPN daemon).
-
With port forwarding you can 'redirect' ports from your server to a client. In this way the outside world can contact your client PC. The port-opening module only opens a port in your firewall so that traffic can come past your firewall and thus reach your server (e.g. the OpenVPN daemon).
Oh, ok. In the past I used redirection (to the local address of the server) to open ports on the server. But in fact, I always had problems when trying to use VoIP remotely.
I will open the VoIP port rather than forward it and see what happens...
-
Hi, I installed OpenVPN with this HowTo:
http://sme.swerts-knudsen.com/howtos/howto_30.htm
Now I got an "auth-failure"; I also tried to log on as admin, same error.
---------------------
Tue Nov 30 08:17:29 2004 us=265854 [Server] Peer Connection Initiated with xxx.x.xxx.xx:1194
Tue Nov 30 08:17:30 2004 us=308847 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Tue Nov 30 08:17:30 2004 us=351133 AUTH: Received AUTH_FAILED control message
Tue Nov 30 08:17:30 2004 us=352683 TCP/UDP: Closing socket
Tue Nov 30 08:17:30 2004 us=354120 SIGTERM[soft,auth-failure] received, process exiting
Tue Nov 30 08:17:31 2004 us=746251 Current Parameter Settings:
Tue Nov 30 08:17:31 2004 us=746339 config = 'VPN.ovpn'
---------------
Any suggestions ??
-
What SME version do you run? The only way I could get it to run was to comment the line 'use Data::Manip;' in the 'validate_user.pl' file. For some reason 5.6 didn't have that function onboard. As far as I understand it this only removes some logging information.
But maybe the maker of this HowTo could confirm this.
-
Thats it, after comment out the 'use Data::Manip;', the logon works.
I use SME 6.01 with all updates.
Thanks
-
I'm having a problem with OpenVPN and just wanted to confirm a basic setup question.
I get the following message after I log in. I'm not sure that I actually log in though, since I can use any combo of user/pass and it still says it.
Fri Dec 10 17:37:22 2004 us=775475 TLS Error: Unroutable control packet received from 220.245.132.171:1194 (si=3 op=P_CONTROL_V1)
Fri Dec 10 17:37:22 2004 us=783189 TLS Error: Unroutable control packet received from 220.245.132.171:1194 (si=3 op=P_CONTROL_V1)
The network i am trying to access my server from is on:
192.100.10.xxx
Now, where do I have to add this in my config files?
Also, do I have to allow this network in the server-manager?
Thanks
Tristan
-
Try reading through the Howto and see whether you have done everything as specified.
http://sme.swerts-knudsen.com/howtos/howto_30.htm
-
Thanks again Jesper...
I have set this up on 4 of my boxes - it works great.
I now need to bridge to the local network behind the SME - I guess I'll try the bridge rpm mentioned here.
Kevin
-
I have the bridging working, that wasn't the hard part. But now my dhcp-server can't find the eth0 because it is bridged with tap0 to br0. I must find where I could alter the network interface at which the dhcpd is listening. I found /usr/sysconfig/dhcpd and edited that file, DHCPDARGS=br0, but that doesn't seem to work. Service dhcpd start still fails:
Starting dhcpd: SIOCADDRT: File exists
Internet Software Consortium DHCP Server 2.0pl5
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.
Multiple interfaces match the same subnet: br0 tap0
Multiple interfaces match the same shared network: br0 tap0
eth0: not found
exiting.
Any suggestions?
-
Hi, I have followed your howto but get a failed message when starting openvpn service.
I am running sme 6.0.1-01
Here are the logs:
Dec 20 17:57:51 sm-e-smith openvpn[3676]: OpenVPN 2.0_rc1 i386-redhat-linux [SSL] [LZO] built on Dec 9 2004
Dec 20 17:57:51 sm-e-smith openvpn[3676]: Diffie-Hellman initialized with 1024 bit key
Dec 20 17:57:51 sm-e-smith openvpn[3676]: Cannot load certificate file server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
Dec 20 17:57:51 sm-e-smith openvpn[3676]: Exiting
Dec 20 17:57:51 sm-e-smith openvpn: failed
Thanks
-
Cannot load certificate file server.crt
Is the server.crt in the 'keys' directory? And are the security settings ok? Try chmod 700 server.crt
-
I found the problem ... did not fully follow the howto (forgot name Server and client ...
Thanks
Gaetan
-
Hi,
I am now trying to install openvpn onto another machine - this time running sme 5.5.
I know that the howto mentions Version 6.01 ... but maybe someone can help.
I follow the HowTo without any issues until I try to start the service, which fails.
Here is the log:
Dec 20 20:52:01 QCK-MAIL openvpn[2520]: OpenVPN 2.0_rc1 i386-redhat-linux [SSL] [LZO] built on Dec 9 2004
Dec 20 20:52:02 QCK-MAIL openvpn[2520]: Diffie-Hellman initialized with 1024 bit key
Dec 20 20:52:02 QCK-MAIL openvpn[2520]: WARNING: file 'server.key' is group or others accessible
Dec 20 20:52:02 QCK-MAIL openvpn[2520]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec 20 20:52:02 QCK-MAIL modprobe: modprobe: Can't locate module char-major-90
Dec 20 20:52:02 QCK-MAIL openvpn[2520]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Dec 20 20:52:02 QCK-MAIL openvpn[2520]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Dec 20 20:52:02 QCK-MAIL openvpn[2520]: Cannot allocate TUN/TAP dev dynamically
Dec 20 20:52:02 QCK-MAIL openvpn[2520]: Exiting
Dec 20 20:52:02 QCK-MAIL openvpn: failed
I don't want to re-install the sme ...
Can something be done (i.e. manual updates) to clear the problem?
Thanks
Gaëtan
-
It's been a while, but I'm pretty sure the 5.5 kernel does not support tun/tap devices.
The original howto (which seems to have disappeared) had a tun/tap howto. Basically compile it as you would a driver.
Regards Duncan
-
Hi,
Thanks for the reply.
I have found a howto for tun on Google (http://www.google.fr/search?q=cache:RcYxT2fpMboJ:www.e-smith.org/docs/howto/contrib/OpenVPN_HOWTO.html+sme+tun+tap+howto&hl=fr&start=1) ...
After installing the various packages, I get the following error:
[root@QCK-MAIL tun-1.1]# make install
cd linux; make all
make[1]: Entering directory `/opt/tun-1.1/linux'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/opt/tun-1.1/linux'
cd linux; make inst
make[1]: Entering directory `/opt/tun-1.1/linux'
/usr/bin/install -c -d -m 755 -o root -g root /lib/modules/2.2.19-7.0.8/net
/usr/bin/install -c -m 644 -o root -g root tun.o /lib/modules/2.2.19-7.0.8/net
/sbin/depmod -a
depmod: *** Unresolved symbols in /lib/modules/2.2.19-7.0.8/net/tun.o
make[1]: *** [kernel] Error 1
make[1]: Leaving directory `/opt/tun-1.1/linux'
make: *** [install] Error 2
[root@QCK-MAIL tun-1.1]#
The same applies if I try to directly install the following rpm (http://vtun.sourceforge.net/tun/tun-1.1-6.rh72.i386.rpm)
Any idea?
Thanks
Gaetan
-
Rather than building all this you might get away with a simpler solution.
mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 750 /dev/net
chmod 660 /dev/net/tun
-
Hi,
I have tried this ...
Still cannot start the service.
Here is the log:
Dec 21 15:00:29 QCK-MAIL openvpn[7037]: OpenVPN 2.0_rc1 i386-redhat-linux [SSL] [LZO] built on Dec 9 2004
Dec 21 15:00:29 QCK-MAIL openvpn[7037]: Diffie-Hellman initialized with 1024 bit key
Dec 21 15:00:29 QCK-MAIL openvpn[7037]: WARNING: file 'server.key' is group or others accessible
Dec 21 15:00:29 QCK-MAIL openvpn[7037]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec 21 15:00:29 QCK-MAIL insmod: /lib/modules/2.2.19-7.0.8/net/tun.o: insmod char-major-10-200 failed
Dec 21 15:00:29 QCK-MAIL openvpn[7037]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Dec 21 15:00:29 QCK-MAIL openvpn[7037]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Dec 21 15:00:30 QCK-MAIL openvpn[7037]: Cannot allocate TUN/TAP dev dynamically
Dec 21 15:00:30 QCK-MAIL openvpn[7037]: Exiting
Dec 21 15:00:30 QCK-MAIL openvpn: failed
Cheers
Gaetan
-
Did you install smeserver-openvpn-0.0.1-2.noarch.rpm?
-
Yes I did.
Gaëtan
-
Hi, I am a newbie here. I have a SME 6.0 server-only setup on my LAN and installed OpenVPN on it following this how-to step by step, http://sme.swerts-knudsen.dk/howtos/howto_30.htm (great instructions indeed). Now I can VPN to the server but cannot see the rest of the LAN. What step do I need to do to access the rest of the LAN?
-
jamesli, in what way can't you communicate with the rest of the LAN? Remember to set the 192.168.100.0 range as local net on all servers you want to communicate with. Otherwise they will not know where to return the requests to.
Can you ping the local LAN IP address on the server (not the 192.168.100.xx but the old eth0 net)?
-
My setup is using a server-only SME (internal IP 192.168.1.100) as the VPN server; it is behind a router (internal IP 192.168.1.1), and I have forwarded the VPN port to the SME server. When I VPN from outside into the SME, I can see the SME server as 192.168.100.1, and also as 192.168.1.100, but I cannot see the rest of the 192.168.1.x machines, including the router (192.168.1.1). Ping for any internal IP other than 192.168.1.100 goes nowhere. I did add 192.168.100.0 in the local network panel of the server manager. I am confused.
-
If your client gets an IP address but you can't ping the other machines in your local network, maybe the route isn't right. Make sure that the following line in your server.conf is set correctly:
push "route 192.168.internal.net 255.255.255.0 192.168.your.server"
-
Ahh, I couldn't get this to work before but I hadn't really looked much further into it, just realised why today!
Great how to! thanks.
I see now, OpenVPN is much more secure and controlled than pptp VPN.
-
Still not working, same situation as above. As you can see, my network setup is the same as the How-to's default. I have kept my settings the same as the How-to's. Any ideas?
-
jamesli, you don't say what router you're using. I also do this with a server-only SME and a Linksys router. I had to go into the router setup and configure a static route for the IP range my VPN was using and point it back at my server as the gateway, e.g. destination IP 192.168.100.0, netmask 255.255.255.0, default gateway (your SME server IP).
-
Interesting point. I am using a Netgear router; it gives me some on-and-off PPTP problems, which is the reason I try to use OpenVPN as an alternative. I have a Linksys router in my toolbox as well. If you can tell me how to set up the static route in the Linksys, maybe I will try the Linksys to see if it makes any difference.
-
My Linksys BEFSR11 has a static route tab under the advanced tab. The info I listed in my previous post goes in just as I listed it, except for the interface, which I have as LAN. That's about it, except you must also forward the UDP or TCP OpenVPN port through your router to your server; see the forwarding tab.
-
You are right on, rmarshall. Now my Netgear and Linksys are both working with OpenVPN. Thanks so much for your help. Even though I don't quite understand the logic behind this, I am a happy man now. :pint:
-
Just curious, but what kind of speed can I expect out of a VPN? I've set up hardware VPNs before (IPsec) and the speed wasn't all that quick.
I have this setup and working (routed). The server is on a t1, and clients will connect via dsl, wireless, and dialup. Right now I'm connected to the box via dialup and it's pretty slow.
Is this what I can expect?
Just wondering because I will have to answer the client's questions
-
I have followed the howto right down to dotted i's and crossed t's (so I believe) TWICE and each time when I start the openvpn service I get the following
message:
Starting openvpn: Enter Auth Username:
sh: ./openvpn.up: /bin/sh: bad interpreter: Permission denied
[ FAILED ]
Any suggestions as to where I have gone wrong would be appreciated.
Peter
-
Please try the chmod *.pl and *.sh with 755 rather than 700
# chmod 755 *.pl
# chmod 755 *.sh
-
Sorry, didn't help.
[root@server1 openvpn]# chmod 755 *.pl
[root@server1 openvpn]# chmod 755 *.sh
[root@server1 openvpn]# service openvpn start
Starting openvpn: Enter Auth Username:
SIOCDELRT: No such process
SIOCADDRT: File exists
[ FAILED ]
-
This looks as if the server.conf file is different from what I have indicated in the howto?
Could it be that you have swapped content of the client and server config file?
-
Attached is my server.conf. It does contain my proper domain name. My SME Server IP (internal) is 192.168.1.10.
I have opened 1194-UDP.
My external NIC has my public IP obtained via Half-Bridging my DSL Router (DHCP Spoofed)
Have added another network 192.168.100.0 as per your example
Have done both chmods as suggested.
/var/log/openvpn contains no entries. likewise openvpn-status.log
Have checked everything MANY times now !
Am using Tony Keanes enhanced SME distro
-----------------------------------------
port 1194
dev tap
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
up ./openvpn.up
mode server
duplicate-cn
ifconfig 192.168.100.1 255.255.255.0
ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for openvpn client
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "dhcp-option DOMAIN my.domain.com" # push the DNS domain suffix
push "dhcp-option DNS 192.168.1.10" # push DNS entries to openvpn client
push "route 192.168.1.0 255.255.255.0 192.168.100.1" # add route to protected network
comp-lzo
status-version 2
status openvpn-status.log
verb 3
-
I will also take this opportunity to thank you enormously for your other works as well. They have been enormously useful. Your efforts are very much appreciated.
Best Rgds
Peter
-
Peter,
Try to comment out the following lines to start the elimination work :-)
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
up ./openvpn.up
From you post it seems as the first line is the problem. Which version of OpenVPN do you use?
-
Same result. 2.0_rc6
-
Success:
Well I am a real dipstick....On reading through the openvpn script in init.d I found this
# The init script does the following:
#
# - Starts an openvpn process for each .conf file it finds in
# /etc/openvpn.
On looking through the files in /etc/openvpn I had also copied the client.conf across. I WAS VAGUELY AWARE OF THIS, I just thought it to be a redundant file that could be cleaned up at the end.
On removing this file, and restarting the server, it all burst into life.
Thanks for the help. Hope my dipstick actions have at least added one more line to the knowledge base....
Rgds
Peter
-
Aha, then I wasn't so wrong about the client conf file :-D Happy to hear that it's resolved.
-
I hadn't swapped them as you suggested ... I just had both!! Coming from a Windoze / M$ background, that was a delightful little trap...
The client set up in about 30 seconds on an XP Pro box and works a treat..
Now to get it doing real work.
Thanks SO MUCH for your time and guidance.
P
-
OK - Firstly, Knuddi's Howto is absolutely spot-on. It all works EXACTLY as he has described and if followed precisely, no more, no less it works. After resolving my own dip-stick errors, I have since set up two more in a very short time.
I have heaps of questions but I will come back to most of them if I cannot find answers.
My most pressing question, and I cannot find the answer, relates to client certificates in a one-server, many-client relationship. The docs on the openvpn site state that each client should have their own certs. OK, rather tedious but not impossible.
How does one configure the server to handle a different cert from each client? Multiple conf files? If yes, then what about the ports, a different port for each conf (client)? Or does one just rely on the duplicate-cn setting and box on with the same certs for all clients?
Also do overlapping subnets cause problems when joining two networks or is it just overlapping IP's that cause problems ?
Peter
-
You can use just 1 certificate. I guess the duplicate-cn takes care of that. I had multiple users log in on the same port, with the same certificate. The VPN device was in the same IP range as my internal network. But I think that doesn't matter; you still have to tell your clients how to reach your internal network, so setting the VPN clients on a different subnet is more of a personal choice.
-
I am still struggling a bit and please forgive me if this is a dumb question... I have tried to find answers and reason it out first.
I have a functional VPN on my (SME) server (in the north pole) and now want all my clients (in the south pole) to get their mail, preferably POP'd, through the tunnel.
I figure I need to do some port mapping and maybe have the VPN operating in a TUN mode rather than a TAP mode?
Peter
-
Hello, I had a similar problem, but none of the solutions mentioned so far has fixed it. The latest portion of the log file ( I've been mistyping things all day) says:
Jan 5 14:31:24 server openvpn[1155]: OpenVPN 2.0_rc6 i386-redhat-linux [SSL] [LZO] built on Dec 30 2004
Jan 5 14:31:24 server openvpn[1155]: Diffie-Hellman initialized with 1024 bit key
Jan 5 14:31:24 server openvpn[1155]: WARNING: file 'server.key' is group or others accessible
Jan 5 14:31:24 server openvpn[1155]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan 5 14:31:24 server openvpn[1155]: TUN/TAP device tap0 opened
Jan 5 14:31:24 server openvpn[1155]: /sbin/ifconfig tap0 10.0.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255
Jan 5 14:31:24 server openvpn[1155]: /etc/openvpn/openvpn.up tap0 1500 1574 10.0.0.1 255.255.255.0 init
Jan 5 14:31:24 server openvpn[1155]: script failed: shell command exited with error status: 126
Jan 5 14:31:24 server openvpn[1155]: Exiting
Anyone have any ideas? I reviewed all of the config files, but I'm either being a total starfish or the problem is something else. Given that nobody else has had problems, I think it's the former rather than the latter. Since my server.conf file is now working, I'm not going to attach it. My openvpn.up is:
#!/bin/sh
route del -net 10.0.100.0 netmask 255.255.255.0 gw 10.0.1.1
route del -net 10.0.100.0 netmask 255.255.255.0 dev tap0
route add -net 10.0.100.0 netmask 255.255.255.0 gw 10.0.100.1
My LAN IP for the server is 10.0.0.1; my WAN IP for the server is apparently irrelevant for this somehow.
-
One change, I didn't notice, had no effect on the problem: One of the IPs should read "10.0.0.1", not "10.0.1.1". Would have caused problems down the line, but isn't today's issue.
-
OK... someone at http://www.techjamaica.com/forums/showthread.php?t=1990 had a solution to that issue. apparently the script file isn't set as an executable; using
# chmod +x openvpn.up
makes that part work.
Now it's giving me error 7, network unavailable. I must have goofed someplace earlier.
-
And now it mostly works. It will claim that it starts, but it says "SIOCDELRT: No such process" before it does so. The current startup log is below.
Jan 5 16:11:30 server openvpn[3841]: OpenVPN 2.0_rc6 i386-redhat-linux [SSL] [LZO] built on Dec 30 2004
Jan 5 16:11:30 server openvpn[3841]: Diffie-Hellman initialized with 1024 bit key
Jan 5 16:11:30 server openvpn[3841]: WARNING: file 'server.key' is group or others accessible
Jan 5 16:11:30 server openvpn[3841]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan 5 16:11:30 server openvpn[3841]: TUN/TAP device tap0 opened
Jan 5 16:11:30 server openvpn[3841]: /sbin/ifconfig tap0 10.0.100.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.100.255
Jan 5 16:11:30 server openvpn[3841]: /etc/openvpn/openvpn.up tap0 1500 1574 10.0.100.1 255.255.255.0 init
Jan 5 16:11:30 server openvpn[3841]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Jan 5 16:11:30 server openvpn[3856]: UDPv4 link local (bound): [undef]:1194
Jan 5 16:11:30 server openvpn[3856]: UDPv4 link remote: [undef]
Jan 5 16:11:30 server openvpn[3856]: MULTI: multi_init called, r=256 v=256
Jan 5 16:11:30 server openvpn[3856]: IFCONFIG POOL: base=10.0.100.100 size=101
Jan 5 16:11:30 server openvpn[3856]: Initialization Sequence Completed
2 questions:
First, I'm assuming that it shouldn't be complaining about the process. Second, should server.key be set to chmod 755 as well, or should I ignore that complaint?
-
I am unable to connect to my server through OpenVPN from a remote office, only because it is on a different subnet and IP address type. I'm not sure what parts of the config I have to change, and I don't want to wreck it, since it works, but I get messages alerting me that the path is not routeable.
Remote Details
Ip = 192.100.10.123
Subnet = 255.255.0.0
Gateway = 192.100.10.254
Server Details
Gateway = 192.168.1.1
Subnet = 255.255.255.0
As i said, it all works, i just need to add this network somehow.
Thanks
Tristan
-
The VPN sort-of works. I can access the local network from a remote machine (which was the #1 reason to do this), but no local machines can see the remote ones (which would be nice both for security and functionality reasons). It looked to me like this should be possible fairly easily; do I need to do anything special to gain access that way? Would I need to set up another server on the other end (theoretically possible, but preferably not necessary)?
I still have not gotten the errors that popped up to go away. Not that I have had the time to try, really.
Thanks for your help.
-
Hi,
All i seem to get is the following errors...
rpm -Uvh *.rpm
Preparing... ########################################### [100%]
package perl-DateManip-5.40-15 is already installed
file /usr/sbin/openvpn conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/man/man8/openvpn.8.gz conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/openvpn/easy-rsa/README conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/openvpn/sample-config-files/client.conf conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
[root@jassserver01 OpenVPN]# /sbin/e-smith/db configuration setprop openvpn status enabled
[root@jassserver01 OpenVPN]# cd /etc/openvpn/easy-rsa
bash: cd: /etc/openvpn/easy-rsa: No such file or directory
Any help would be appreciated...
-
Well, the VPN works fine now. I can access my home machine. Haven't actually figured out what was causing the problem, since I haven't touched the config files on either machine. Maybe it was a bandwidth issue; my wife had a few files downloading today.
-
jgreen2173,
Start by not installing the perl-DateManip-5.40-15 package (simply remove the file before you run the rpm -Uvh *.rpm command).
Also make sure that the directory from where you install ONLY contains the files you just downloaded - I suspect that the old beta18 files are located in the same dir.
-
Well, it was a bandwidth issue. My wife's downloads had all finished by the time I got home.
So at this point:
I have 2-way communication between one office and a single client set up elsewhere.
I am still having a "SIOCDELRT: No such process" error when I run "service openvpn start". It appears to be choking on one of the commands in the openvpn.up file.
It is still giving me the following error: "WARNING: file 'server.key' is group or others accessible".
Can I get help fixing these please?
Also, I want to connect it to another network, and I just found out that one of my coworkers sometimes brings in his home machine - and it runs '98. Is there any way to connect it to the network (I know it can't run as a client, I'm thinking maybe by running a piece of client software on their firewall/router/nat system (which is currently a hardware router, but that needs to be changed anyway) ... that way if they try to go to a VPN IP the router will forward them to the other network, in theory.)
Thoughts? Questions? Comments?
-
Well after removing that rpm I still get the following errors....
Is there a way to uninstall the previous version of openvpn that never really got installed properly...
rpm -Uvh *.rpm
Preparing... ########################################### [100%]
file /usr/sbin/openvpn conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/man/man8/openvpn.8.gz conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/openvpn/easy-rsa/README conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
file /usr/share/openvpn/sample-config-files/client.conf conflicts between attempted installs of openvpn-2.0_rc6-1 and openvpn-2.0_beta18-1
-
Hi all,
I have been looking to set this up on my server; unfortunately I am unable to 'Add Local Network'.
I get the following error: "Error: router address is not accessible from local network. Did not add network"
I am running in server-gateway mode
my internal IP is 192.168.0.5
my external IP is 192.168.1.2
my router IP is 192.168.1.1
any ideas/suggestions
thanks
mark
-
I'm having a problem with OpenVPN and just wanted to confirm a basic setup question.
I get the following message after I log in. I'm not sure that I actually log in though, since I can use any combo of user/pass and it still says it.
Fri Dec 10 17:37:22 2004 us=775475 TLS Error: Unroutable control packet received from 220.245.132.171:1194 (si=3 op=P_CONTROL_V1)
Fri Dec 10 17:37:22 2004 us=783189 TLS Error: Unroutable control packet received from 220.245.132.171:1194 (si=3 op=P_CONTROL_V1)
Reading later in the list it seems that the howto answered this chap's question.
Well I get the error and I don't see a fix in the howto.
Could someone please advise?
Thanks!
-
Reading later in the list it seems that the howto answered this chap's question.
Well I get the error and I don't see a fix in the howto.
Could someone please advise?
Thanks!
Steve, make sure you add the local network as defined in server.conf; that is in the how-to. I forgot to do that part. It's still not working for me though. I can log in, and everything in the log looks fine, but I can't ping any of the remote computers.
Good luck. Let us know how you go.
Tristan
-
Hi all,
I have been looking to set this up on my server; unfortunately I am unable to 'Add Local Network'.
I get the following error: "Error: router address is not accessible from local network. Did not add network"
I am running in server-gateway mode
my internal IP is 192.168.0.5
my external IP is 192.168.1.2
my router IP is 192.168.1.1
any ideas/suggestions
thanks
mark
The router in this case would be 192.168.0.5.
-
Hi all,
I have been looking to set this up on my server; unfortunately I am unable to 'Add Local Network'.
I get the following error: "Error: router address is not accessible from local network. Did not add network"
I am running in server-gateway mode
my internal IP is 192.168.0.5
my external IP is 192.168.1.2
my router IP is 192.168.1.1
any ideas/suggestions
thanks
mark
How is it possible to have a router on a different IP than the client? Shouldn't it be 192.168.1.5?
Tristan
-
How is it possible to have a router on a different IP than the client? Shouldn't it be 192.168.1.5?
Tristan
Nope. 192.168.0.5 is the address of the machine doing the routing. It is doing the routing because it is running openvpn. The internet router (192.168.1.1) has nothing to do with this. Adding a local network like this sets up the routes in the gateway (usually it points to another local router) and adjusts the firewall rules.
-
Does the client.crt have anything in it when you've made it on your server? Maybe you could try to remove all certificates on your server and then rebuild them.
I do the following:
[root@sme easy-rsa]# ./build-key client
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key
However my client.crt file contains 0 lines!! Any ideas as to why this is?? The server.crt file is ok however.
Regards,
Bart
-
I have read all posts on the forums and on the openvpn site, and I'm not able to make openvpn work for me.
I get this error initializing it:
[root@SME openvpn]# service openvpn start
Starting openvpn: SIOCDELRT: No such process
[ OK ]
I found that if I comment out the openvpn.up line the service starts fine, but I'm still unable to connect in either situation. I'm assuming that the error above is responsible for not letting me in.
I was able to connect once and after rebooting the server... If anyone can shed some light in the right direction, I would much appreciate it.
Thanks,
This is my log file from the client side:
Thu Feb 24 12:57:19 2005 us=223104 Current Parameter Settings:
Thu Feb 24 12:57:19 2005 us=223502 config = 'VPN.ovpn'
Thu Feb 24 12:57:19 2005 us=223573 mode = 0
Thu Feb 24 12:57:19 2005 us=225913 show_ciphers = DISABLED
Thu Feb 24 12:57:19 2005 us=226014 show_digests = DISABLED
Thu Feb 24 12:57:19 2005 us=226080 show_engines = DISABLED
Thu Feb 24 12:57:19 2005 us=226144 genkey = DISABLED
Thu Feb 24 12:57:19 2005 us=226206 key_pass_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=226271 show_tls_ciphers = DISABLED
Thu Feb 24 12:57:19 2005 us=226334 proto = 0
Thu Feb 24 12:57:19 2005 us=226395 local = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=226485 remote_list[0] = {'200.180.0.48, 1194}
Thu Feb 24 12:57:19 2005 us=226569 remote_random = DISABLED
Thu Feb 24 12:57:19 2005 us=226637 local_port = 1194
Thu Feb 24 12:57:19 2005 us=226702 remote_port = 1194
Thu Feb 24 12:57:19 2005 us=226767 remote_float = DISABLED
Thu Feb 24 12:57:19 2005 us=227180 ipchange = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=227248 bind_local = ENABLED
Thu Feb 24 12:57:19 2005 us=227311 dev = 'tap0'
Thu Feb 24 12:57:19 2005 us=227375 dev_type = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=227440 dev_node = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=227504 tun_ipv6 = DISABLED
Thu Feb 24 12:57:19 2005 us=227569 ifconfig_local = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=227637 ifconfig_remote_netmask = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=227704 ifconfig_noexec = DISABLED
Thu Feb 24 12:57:19 2005 us=227769 ifconfig_nowarn = DISABLED
Thu Feb 24 12:57:19 2005 us=227834 shaper = 0
Thu Feb 24 12:57:19 2005 us=227898 tun_mtu = 1500
Thu Feb 24 12:57:19 2005 us=227962 tun_mtu_defined = ENABLED
Thu Feb 24 12:57:19 2005 us=228028 link_mtu = 1500
Thu Feb 24 12:57:19 2005 us=228094 link_mtu_defined = DISABLED
Thu Feb 24 12:57:19 2005 us=228160 tun_mtu_extra = 32
Thu Feb 24 12:57:19 2005 us=228225 tun_mtu_extra_defined = ENABLED
Thu Feb 24 12:57:19 2005 us=228292 fragment = 0
Thu Feb 24 12:57:19 2005 us=228357 mtu_discover_type = -1
Thu Feb 24 12:57:19 2005 us=242617 mtu_test = 1
Thu Feb 24 12:57:19 2005 us=242744 mlock = DISABLED
Thu Feb 24 12:57:19 2005 us=242807 keepalive_ping = 0
Thu Feb 24 12:57:19 2005 us=242869 keepalive_timeout = 0
Thu Feb 24 12:57:19 2005 us=242931 inactivity_timeout = 0
Thu Feb 24 12:57:19 2005 us=242993 ping_send_timeout = 0
Thu Feb 24 12:57:19 2005 us=243056 ping_rec_timeout = 120
Thu Feb 24 12:57:19 2005 us=243119 ping_rec_timeout_action = 2
Thu Feb 24 12:57:19 2005 us=243182 ping_timer_remote = DISABLED
Thu Feb 24 12:57:19 2005 us=243244 remap_sigusr1 = 0
Thu Feb 24 12:57:19 2005 us=243308 explicit_exit_notification = 0
Thu Feb 24 12:57:19 2005 us=243368 persist_tun = DISABLED
Thu Feb 24 12:57:19 2005 us=243430 persist_local_ip = DISABLED
Thu Feb 24 12:57:19 2005 us=243492 persist_remote_ip = DISABLED
Thu Feb 24 12:57:19 2005 us=243554 persist_key = DISABLED
Thu Feb 24 12:57:19 2005 us=243617 mssfix = 1450
Thu Feb 24 12:57:19 2005 us=243684 resolve_retry_seconds = 1000000000
Thu Feb 24 12:57:19 2005 us=243749 connect_retry_seconds = 5
Thu Feb 24 12:57:19 2005 us=243812 username = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=243875 groupname = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=243937 chroot_dir = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=243998 cd_dir = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=244060 writepid = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=244122 up_script = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=244184 down_script = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=244246 down_pre = DISABLED
Thu Feb 24 12:57:19 2005 us=244308 up_restart = DISABLED
Thu Feb 24 12:57:19 2005 us=244427 up_delay = DISABLED
Thu Feb 24 12:57:19 2005 us=244497 daemon = DISABLED
Thu Feb 24 12:57:19 2005 us=244558 inetd = 0
Thu Feb 24 12:57:19 2005 us=244617 log = DISABLED
Thu Feb 24 12:57:19 2005 us=244681 suppress_timestamps = DISABLED
Thu Feb 24 12:57:19 2005 us=325502 nice = 0
Thu Feb 24 12:57:19 2005 us=325584 verbosity = 4
Thu Feb 24 12:57:19 2005 us=325643 mute = 0
Thu Feb 24 12:57:19 2005 us=325701 gremlin = 0
Thu Feb 24 12:57:19 2005 us=325761 status_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=325822 status_file_version = 1
Thu Feb 24 12:57:19 2005 us=325885 status_file_update_freq = 60
Thu Feb 24 12:57:19 2005 us=325943 occ = ENABLED
Thu Feb 24 12:57:19 2005 us=326002 rcvbuf = 0
Thu Feb 24 12:57:19 2005 us=326060 sndbuf = 0
Thu Feb 24 12:57:19 2005 us=326150 socks_proxy_server = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=326216 socks_proxy_port = 0
Thu Feb 24 12:57:19 2005 us=326278 socks_proxy_retry = DISABLED
Thu Feb 24 12:57:19 2005 us=326338 fast_io = DISABLED
Thu Feb 24 12:57:19 2005 us=326398 comp_lzo = ENABLED
Thu Feb 24 12:57:19 2005 us=326458 comp_lzo_adaptive = ENABLED
Thu Feb 24 12:57:19 2005 us=326519 route_script = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=326583 route_default_gateway = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=326646 route_noexec = DISABLED
Thu Feb 24 12:57:19 2005 us=326708 route_delay = 0
Thu Feb 24 12:57:19 2005 us=326770 route_delay_window = 30
Thu Feb 24 12:57:19 2005 us=326832 route_delay_defined = ENABLED
Thu Feb 24 12:57:19 2005 us=326896 management_addr = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=326959 management_port = 0
Thu Feb 24 12:57:19 2005 us=327022 management_user_pass = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=327089 management_log_history_cache = 250
Thu Feb 24 12:57:19 2005 us=327156 management_echo_buffer_size = 100
Thu Feb 24 12:57:19 2005 us=327221 management_query_passwords = DISABLED
Thu Feb 24 12:57:19 2005 us=327285 management_hold = DISABLED
Thu Feb 24 12:57:19 2005 us=327350 shared_secret_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=327413 key_direction = 0
Thu Feb 24 12:57:19 2005 us=327475 ciphername_defined = ENABLED
Thu Feb 24 12:57:19 2005 us=327537 ciphername = 'BF-CBC'
Thu Feb 24 12:57:19 2005 us=327601 authname_defined = ENABLED
Thu Feb 24 12:57:19 2005 us=327663 authname = 'SHA1'
Thu Feb 24 12:57:19 2005 us=327723 keysize = 0
Thu Feb 24 12:57:19 2005 us=327783 engine = DISABLED
Thu Feb 24 12:57:19 2005 us=327843 replay = ENABLED
Thu Feb 24 12:57:19 2005 us=327907 mute_replay_warnings = DISABLED
Thu Feb 24 12:57:19 2005 us=327971 replay_window = 64
Thu Feb 24 12:57:19 2005 us=328033 replay_time = 15
Thu Feb 24 12:57:19 2005 us=328097 packet_id_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=328158 use_iv = ENABLED
Thu Feb 24 12:57:19 2005 us=328219 test_crypto = DISABLED
Thu Feb 24 12:57:19 2005 us=328282 tls_server = DISABLED
Thu Feb 24 12:57:19 2005 us=328345 tls_client = ENABLED
Thu Feb 24 12:57:19 2005 us=328407 key_method = 2
Thu Feb 24 12:57:19 2005 us=328467 ca_file = 'ca.crt'
Thu Feb 24 12:57:19 2005 us=328528 dh_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=392540 cert_file = 'client.crt'
Thu Feb 24 12:57:19 2005 us=392621 priv_key_file = 'client.key'
Thu Feb 24 12:57:19 2005 us=392685 pkcs12_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=392746 cryptoapi_cert = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=392806 cipher_list = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=392866 tls_verify = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=392925 tls_remote = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=392985 crl_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=393046 ns_cert_type = 0
Thu Feb 24 12:57:19 2005 us=393104 tls_timeout = 2
Thu Feb 24 12:57:19 2005 us=393165 renegotiate_bytes = 0
Thu Feb 24 12:57:19 2005 us=393228 renegotiate_packets = 0
Thu Feb 24 12:57:19 2005 us=393292 renegotiate_seconds = 3600
Thu Feb 24 12:57:19 2005 us=393353 handshake_window = 60
Thu Feb 24 12:57:19 2005 us=393417 transition_window = 3600
Thu Feb 24 12:57:19 2005 us=393479 single_session = DISABLED
Thu Feb 24 12:57:19 2005 us=393542 tls_exit = DISABLED
Thu Feb 24 12:57:19 2005 us=393605 tls_auth_file = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=408230 server_network = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408325 server_netmask = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408396 server_bridge_ip = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408468 server_bridge_netmask = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408540 server_bridge_pool_start = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408611 server_bridge_pool_end = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408681 ifconfig_pool_defined = DISABLED
Thu Feb 24 12:57:19 2005 us=408752 ifconfig_pool_start = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408823 ifconfig_pool_end = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408895 ifconfig_pool_netmask = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=408966 ifconfig_pool_persist_filename = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=409034 ifconfig_pool_persist_refresh_freq = 600
Thu Feb 24 12:57:19 2005 us=409102 ifconfig_pool_linear = DISABLED
Thu Feb 24 12:57:19 2005 us=409169 n_bcast_buf = 256
Thu Feb 24 12:57:19 2005 us=409233 tcp_queue_limit = 64
Thu Feb 24 12:57:19 2005 us=409296 real_hash_size = 256
Thu Feb 24 12:57:19 2005 us=409359 virtual_hash_size = 256
Thu Feb 24 12:57:19 2005 us=409423 client_connect_script = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=409490 learn_address_script = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=409557 client_disconnect_script = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=409622 client_config_dir = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=409686 ccd_exclusive = DISABLED
Thu Feb 24 12:57:19 2005 us=409748 tmp_dir = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=409814 push_ifconfig_defined = DISABLED
Thu Feb 24 12:57:19 2005 us=409886 push_ifconfig_local = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=409959 push_ifconfig_remote_netmask = 0.0.0.0
Thu Feb 24 12:57:19 2005 us=410026 enable_c2c = DISABLED
Thu Feb 24 12:57:19 2005 us=410088 duplicate_cn = DISABLED
Thu Feb 24 12:57:19 2005 us=487811 cf_max = 0
Thu Feb 24 12:57:19 2005 us=487883 cf_per = 0
Thu Feb 24 12:57:19 2005 us=487945 max_clients = 1024
Thu Feb 24 12:57:19 2005 us=488011 client_cert_not_required = DISABLED
Thu Feb 24 12:57:19 2005 us=488076 username_as_common_name = DISABLED
Thu Feb 24 12:57:19 2005 us=488141 auth_user_pass_verify_script = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=488212 auth_user_pass_verify_script_via_file = DISABLED
Thu Feb 24 12:57:19 2005 us=488275 client = DISABLED
Thu Feb 24 12:57:19 2005 us=488333 pull = ENABLED
Thu Feb 24 12:57:19 2005 us=488393 auth_user_pass_file = 'stdin'
Thu Feb 24 12:57:19 2005 us=488464 show_net_up = DISABLED
Thu Feb 24 12:57:19 2005 us=488524 route_method = 0
Thu Feb 24 12:57:19 2005 us=488584 ip_win32_defined = DISABLED
Thu Feb 24 12:57:19 2005 us=488644 ip_win32_type = 3
Thu Feb 24 12:57:19 2005 us=488705 dhcp_masq_offset = 0
Thu Feb 24 12:57:19 2005 us=488771 dhcp_lease_time = 31536000
Thu Feb 24 12:57:19 2005 us=488832 tap_sleep = 0
Thu Feb 24 12:57:19 2005 us=488892 dhcp_options = DISABLED
Thu Feb 24 12:57:19 2005 us=488953 dhcp_renew = DISABLED
Thu Feb 24 12:57:19 2005 us=489015 dhcp_pre_release = DISABLED
Thu Feb 24 12:57:19 2005 us=489076 dhcp_release = DISABLED
Thu Feb 24 12:57:19 2005 us=489137 domain = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=489198 netbios_scope = '[UNDEF]'
Thu Feb 24 12:57:19 2005 us=489260 netbios_node_type = 0
Thu Feb 24 12:57:19 2005 us=489320 disable_nbt = DISABLED
Thu Feb 24 12:57:19 2005 us=489389 OpenVPN 2.0_rc10 Win32-MinGW [SSL] [LZO] built on Jan 27 2005
Enter Auth Password:
Thu Feb 24 12:57:27 2005 us=380006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Feb 24 12:57:27 2005 us=622625 LZO compression initialized
Thu Feb 24 12:57:27 2005 us=623318 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Feb 24 12:57:27 2005 us=713401 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Thu Feb 24 12:57:27 2005 us=713666 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb 24 12:57:27 2005 us=713751 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb 24 12:57:27 2005 us=713900 Local Options hash (VER=V4): 'd79ca330'
Thu Feb 24 12:57:27 2005 us=714016 Expected Remote Options hash (VER=V4): 'f7df56b8'
Thu Feb 24 12:57:27 2005 us=714194 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Feb 24 12:57:27 2005 us=714309 UDPv4 link local (bound): [undef]:1194
Thu Feb 24 12:57:27 2005 us=714380 UDPv4 link remote: 200.180.0.48:1194
Thu Feb 24 12:58:16 2005 us=558390 TCP/UDP: Closing socket
Thu Feb 24 12:58:16 2005 us=562151 SIGTERM[hard,] received, process exiting
-
If you are using the howto from sme.swerts-knudsen.dk then it seems as if your server and maybe also client conf files are not complete.
Could you post them and also a "ls -la /etc/openvpn/"
/jesper
-
Jesper,
Thank you for the reply.
I'm using the tutorial, and confess that I changed attributes trying to fix the problem. I have tried the connection from behind another SME (not sure if it would make a difference) and from a Dialup connection without success.
root]# ls -la /etc/openvpn/
total 56
drwxr-xr-x 3 root root 4096 Feb 24 13:00 .
drwxr-xr-x 45 root root 4096 Feb 24 14:21 ..
-rw-r--r-- 1 root root 1269 Feb 24 10:53 ca.crt
-rw-r--r-- 1 root root 245 Feb 24 10:56 dh1024.pem
drwxr-xr-x 3 root root 4096 Feb 24 10:45 easy-rsa
-rwxr-xr-x 1 root root 104 Nov 17 06:31 logoff.sh
-rwxr-xr-x 1 root root 562 Nov 17 06:32 logoff_user.pl
-rwxr-xr-x 1 root root 378 Feb 24 15:17 openvpn-status.log
-rwx------ 1 root root 198 Feb 24 12:56 openvpn.up
-rw-r--r-- 1 root root 762 Feb 24 13:00 server.conf
-rw-r--r-- 1 root root 3579 Feb 24 10:53 server.crt
-rw-r--r-- 1 root root 891 Feb 24 10:54 server.key
-rwxr-xr-x 1 root root 108 Nov 17 06:32 validate.sh
-rwxr-xr-x 1 root root 1242 Feb 24 09:16 validate_user.pl
my server.conf:
port 1194
dev tap
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
up ./openvpn.up
mode server
duplicate-cn
ifconfig 192.168.1.1 255.255.255.0
ifconfig-pool 192.168.1.100 192.168.1.200 255.255.255.0 # IP range for openvpn client
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 20"
push "ping-restart 60"
push "dhcp-option DOMAIN XXXXXXX.com" # push the DNS domain suffix
push "dhcp-option DNS 192.168.0.5" # push DNS entries to openvpn client
push "route 192.168.0.0 255.255.255.0 192.168.1.1" # add route to protected network
comp-lzo
status-version 2
status openvpn-status.log
verb 3
openvpn.up
#!/bin/sh
route del -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.5
route del -net 192.168.1.0 netmask 255.255.255.0 dev tap0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
Where 192.168.0.5 is my server.
My client's file:
port 1194
dev tap0
remote XXXXXXXX.com
tls-client
auth-user-pass
ca ca.crt
cert client.crt
key client.key
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4 # verb needs a level; the client log above shows verbosity = 4
I have opened port 1194 for both TCP and UDP (to see if it would work); iptables -L shows it open.
I added the 192.168.1.0/24 and 192.168.0.5 local network.
When trying to connect, the client gets stuck right after sending the login/pass.
I re-did the keys many times and /var/log/messages shows errors such as:
kernel: denylog:IN=eth1 OUT= MAC=00:e0:7d:96:52:5d:00:04:27:fd:a6:5e:08:00 SRC=200.180.XXX.XXX DST=XXX.XX.XXX.XX LEN=42 TOS=0x00 PREC=0x00 TTL=122 ID=51641 PROTO=UDP SPT=1194 DPT=1194 LEN=22
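An added pre-start check, not part of the how-to or of the server.conf and openvpn.up posted above, for the two errors that keep coming up in this thread: the "server.key is group or others accessible" warning and the "SIOCDELRT: No such process" from openvpn.up. It assumes the posted addresses (tunnel net 192.168.1.0/24, LAN-side server 192.168.0.5, tap-side gateway 192.168.1.1) and works against a constructed `route -n` sample when run without arguments.

```shell
#!/bin/sh
# Added example; not from the how-to or the openvpn.up/server.conf posted in this thread.
# Pre-start checks for the SME OpenVPN setup discussed above:
#  1. "WARNING: file 'server.key' is group or others accessible": the private key
#     should be mode 0600 (the listing above shows -rw-r--r--), not 755.
#  2. "SIOCDELRT: No such process": "route del" was asked to remove a route that is
#     not in the kernel table. Deleting only routes that exist keeps openvpn.up quiet.
# Assumed addresses (taken from the posted files): tunnel net 192.168.1.0/24,
# LAN-side server 192.168.0.5, tap-side gateway 192.168.1.1.

# key_mode_ok FILE -> succeeds when no group/other permission bit is set.
# Reads the mode string from `ls -ld`, which looks the same on old and new systems.
key_mode_ok() {
  mode=$(ls -ld "$1" | cut -c5-10)   # characters 5-10 are the group and other bits
  [ "$mode" = "------" ]
}

# route_present TABLE NET MASK VIA -> succeeds when TABLE (text in `route -n`
# format) has a route to NET/MASK through VIA, where VIA is a gateway address
# (field 2) or an interface name (field 8).
route_present() {
  printf '%s\n' "$1" | awk -v net="$2" -v mask="$3" -v via="$4" '
    NR > 2 && $1 == net && $3 == mask && ($2 == via || $8 == via) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# plan_routes TABLE -> prints the commands openvpn.up should run against TABLE:
# each "route del" only if its route exists, then the "route add" unconditionally.
plan_routes() {
  table=$1
  if route_present "$table" 192.168.1.0 255.255.255.0 192.168.0.5; then
    echo "route del -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.5"
  fi
  if route_present "$table" 192.168.1.0 255.255.255.0 tap0; then
    echo "route del -net 192.168.1.0 netmask 255.255.255.0 dev tap0"
  fi
  echo "route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1"
}

# Constructed `route -n` sample: OpenVPN's ifconfig has put the tunnel net on
# tap0, and there is no stale route via 192.168.0.5, so only one "del" is needed.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

if [ "${1:-}" = "--apply" ]; then
  # Live mode (e.g. called from openvpn.up with --apply): warn about the key, then
  # run the planned commands; $cmd is left unquoted so each word becomes an argument.
  key_mode_ok /etc/openvpn/server.key ||
    echo "server.key is group/other readable; fix with: chmod 600 /etc/openvpn/server.key" >&2
  plan_routes "$(route -n)" | while read -r cmd; do $cmd; done
else
  # Dry run against the constructed sample, so the script can be read offline.
  echo "commands openvpn.up would run for the sample table:"
  plan_routes "$SAMPLE_ROUTES"
fi
```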
-
Jesper,
You're right on,
I re-did the whole thing and the keys were the problem. I can now connect, ping, trace and everything. I can resolve other machines on the network but I cannot resolve SME, and cannot access it either, not even ping it, even though it shows correctly on my client. And the reason for all that may be that I have no gateway:
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : sme.com.br
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-DE-9D-BD-FF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.100.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCP Server . . . . . . . . . . . : 192.168.100.0
DNS Servers . . . . . . . . . . . : 192.168.0.5
Lease Obtained. . . . . . . . . . : Saturday, March 05, 2005 8:11:09
Lease Expires . . . . . . . . . . : Sunday, March 05, 2006 8:11:09 PM
Do you have any idea on what could be wrong?
192.168.0.5 is my SME
Thanks,
-
Hi All,
I've had a play with Jesper's openvpn setup; server and client side installed fine.
1) I have a few MS machines on the server side and I can ping the IPs (but they don't show up in the network browser). I can still use the printers and shares but I have to type the IP addresses (server-side PCs have static IPs, could this cause problems?)
2) I also have a SCO Unix host system but I am unable to ping its IP from the client (if I log into the SME server console I can ping it from there).
thanks
-
Jesper,
You're right on,
I re-did the whole thing and the keys were the problem. I can now connect, ping, trace and everything. I can resolve other machines on the network but I cannot resolve SME, and cannot access it either, not even ping it, even though it shows correctly on my client. And the reason for all that may be that I have no gateway:
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : sme.com.br
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-DE-9D-BD-FF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.100.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCP Server . . . . . . . . . . . : 192.168.100.0
DNS Servers . . . . . . . . . . . : 192.168.0.5
Lease Obtained. . . . . . . . . . : Saturday, March 05, 2005 8:11:09
Lease Expires . . . . . . . . . . : Sunday, March 05, 2006 8:11:09 PM
Do you have any idea on what could be wrong?
192.168.0.5 is my SME
Thanks,
Is it normal that your interface shows an address in the 192.168.100 network? Your server.conf showed a DHCP attribution in the 192.168.1 network and you wrote you added 192.168.1.0 as a local network.
So I think you're not in a "local-considered" network and perhaps you have no route on SME to the 192.168.100 network?
-
Precisely onsy,
I tried adding the routes manually but it didn't work. When I try to add via the panel it tells me I cannot add them.
Thanks,
-
Precisely onsy,
I tried adding the routes manually but it didn't work. When I try to add via the panel it tells me I cannot add them.
Thanks,
What I meant: your IP address seems strange: how can you have a 192.168.100.xxx when your server.conf should give you a 192.168.1.xxx, according to the conf files you wrote above?
-
That is correct. I actually re-did the server with the same settings and added the 192.168.100.0 network before installing the OpenVPN, and everything works like a charm. For some reason that didn't happen the first time, when I installed OVPN and tried adding a network.
Thanks,
-
Hi all,
Well, I followed the how-to to install the openvpn goodie, but I do not get the /etc/openvpn directory.
Following the howto, this directory gets created in order to create keys etc. Anyone... some help please?
Thanks in advance
GB
-
xebec,
Have you tried reinstalling it?
-
Hi There,
Indeed I have, but now I am getting confused 'cause the howto mentions some files, but if you go to the ftp site where those files are located, there are other versions as well... which ones are the ones to download?
Thanks for the help
regards
-
This is the How-to you should be using:
http://sme.swerts-knudsen.dk/howtos/howto_30.htm
-
Hi,
Yes, that's the one I am using. When I try to change to /etc/openvpn, it tells me that there is no such directory. I have used find / -name openvpn -print, as well as for the file vars, but there is nothing on the system!
I have re-installed openvpn, but to no avail..
regards
-
xebec,
Are you following this How-To step by step?
rpm -q openvpn
or
which openvpn
should tell if the RPM is installed.
This last line on the first block is the installation process:
[root@sme openvpn]# rpm -Uvh *.rpm
If you are doing it, then I don't know what could be wrong! :-?
-
Hi there,
OK, it tells me now that perl-DateManip* is already installed and that it is needed by sme antivirus. When I query with rpm -q it tells me that openvpn is not installed. Now, I cannot remove perl-DateManip because of its dependencies... Any ideas?
Thanks again and regards
GB
-
Don't remove that package, follow the how-to bypassing the perl-DateManip and you should do fine.
-
stuntshell,
thanks a million for the reply, sorry to be a pest, but where is that how-to located?? I tried on the swerts-knudsen site, but no joy
thanks again for all the help and patience
GB
-
http://sme.swerts-knudsen.dk/howtos/howto_30.htm
You're welcome!
-
http://forums.contribs.org/index.php?topic=26632.0
-
Hi.
I've been around the loop a few times with Jesper's howto without success on SME 6.5.rc1. Everything seems just about OK, but when I try to connect, I keep getting bounced back to the login dialog.
Fri Mar 25 17:22:28 2005 us=750933 [Server] Peer Connection Initiated with 217.207.xxx.xxx:1194
Fri Mar 25 17:22:29 2005 us=958141 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Fri Mar 25 17:22:29 2005 us=997708 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Fri Mar 25 17:22:30 2005 us=883 AUTH: Received AUTH_FAILED control message
Fri Mar 25 17:22:30 2005 us=1439 TCP/UDP: Closing socket
Fri Mar 25 17:22:30 2005 us=1542 SIGTERM[soft,auth-failure] received, process exiting
Fri Mar 25 17:22:29 2005 us=83772 Current Parameter Settings:
Fri Mar 25 17:22:29 2005 us=83833 config = 'VPN.ovpn'
Fri Mar 25 17:22:29 2005 us=83845 mode = 0
Fri Mar 25 17:22:29 2005 us=83857 show_ciphers = DISABLED
So, a few questions, please:
(from the HowTo) ..the tunneled VPN network will be 192.168.100.0/24.
Does the client machine(s) actually need to have an ip in that range in Windows, or is this a virtual concept, handled by the tunnel?
Do not add "A Challenge password" when asked, just press <ENTER>.
Do I need to use the period ".<ENTER>" to keep the field empty, as described on-screen?
..."C:/Program Files/OpenVPN/config" called VPN.ovpn with the following content and where you change the vpn.yourdomain.com to match your configuration.
Do I need to create a hostname in SME called vpn, or can I replace vpn.domain.com with my SME external ip?
The Client installation is now complete and the user will be prompted upon login for the username and passwords.
Is this an SME username & password, or is this an openvpn user/password?
Do I need to enable the SME user accounts with the allow VPN drop-down?
Where can I look to fix the SIOCDELRT: no such process error? Perhaps it is not fatal because service openvpn does start with an [OK]
Many thanks, David
-
1- handled by the tunnel which is handled by the server.conf and openvpn.up
2- yes, use .
3- no, use existing hostname (if that's registered or IP)
4- Yes, SME username, no need to give user VPN access on Panel.
5- SIOCDELRT: no such process error = means configuration errors, look at the files on answer 1.
-
Within the openvpn how-to it list change to a couple of files - /etc/openvpn/server.conf, /etc/openvpn/openvpn.up, C:/Program Files/OpenVPN/config and to the server-manager under the Security section.
What has me confused is how this relates to my setup and what goes where.
My details.
SME server 6.0.1 with ip address 192.168.1.242
Hardware router with ip address 192.168.1.1
Domain name is magicwilly.info
Can some help with what goes where?
Thanks,
William.
-
I have installed openvpn on 4 servers using Knuddi's how-to, and they all came up with only one small hitch (the chmod on openvpn.up).
I may have missed something, but while I am connected to the server, I cannot browse it from Windows Explorer. I can access it by IP or server name, but it does not appear in my list of network places.
Doing an ipconfig shows an IP is resolved, but there is no default gateway for the VPN connection.
Is this normal?
Have I missed something? Do I need to add something?
Discovered I had some problem with my XP box. All is good now
Bob
Thanx
Bob
The xp box I am using is also behind an SME 6.0-01 server (if that makes any difference)
-
I have been deploying this with mixed success. I am still having a couple of servers that are giving me a couple of problems.
The install I mentioned in the post just above this one. I did find a workaround, but I still cannot browse the shares on the server.
The second server I am having a little problem with may not be my problem, but I am not sure. The server is connected to a router which is behind a firewall. I have no control over either the firewall or router. I have to rely on a third party for this. I have requested that port 1194 be forwarded to the server. I can connect to the server with the VPN, and can access server-manager through the tunnel. I can access the server with PuTTY through the tunnel. But I cannot access the shared ibays to map them, or browse the server. Servers are SME 6.0-01 with the update script from Greg Swallow. Any ideas would be appreciated.
Bob
-
I've been trying to get OpenVPN working, following the howto that has been linked to many times so far. I've gotten to the "service openvpn start" stage, but it fails when executing that command. I've traced the problem to the tun kernel module. It seems that the module isn't loaded. When trying to load the module by hand, I get the following:
[root@sme root]# modprobe tun
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol dev_alloc_name_Rb7ff7f15
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol alloc_skb_Rf0b0d440
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol __dev_get_by_name_R2874edee
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol dev_close_R13fc4fd7
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol eth_type_trans_R7225c177
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol register_netdevice_Rdbb802e2
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol skb_copy_datagram_iovec_R31176bc8
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol skb_over_panic_Rd3ef3250
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol irq_stat_R743917bd
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol netif_rx_Rc4ca0af4
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol __kfree_skb_R03a733b2
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol unregister_netdevice_R7a637664
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: insmod /lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o failed
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: insmod tun failed
I've double-checked my configs, and everything seems to be in order. Short of re-compiling the kernel is there anything that I can do to get around this?
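The unresolved symbols above all carry a _R<crc> suffix, which is what a 2.4 kernel prints when a module was built with symbol versioning against a kernel whose exported symbols do not match the one that is running. The following is an added example, not code from the post or from the how-to, that turns that observation into a check: it reads the running kernel release and a file holding modprobe's output, compares the release embedded in the module path with uname -r, and tells you whether tun.o belongs to a different kernel release or to a different build of the same release. The function name and the small sample log (copied from the lines above into a temporary file) are this example's own.

```shell
#!/bin/sh
# Diagnose a failed "modprobe tun" on a 2.4 kernel from the running kernel
# release and a file holding modprobe's output.
# Returns 0 if tun.o matches the running kernel, 1 if it was built for another
# release, 2 if the release matches but the symbol version CRCs do not.
diagnose_tun_modprobe() {
    running=$1
    log=$2
    # kernel release embedded in the module path, e.g. 2.4.20-18.7
    modver=$(sed -n 's#^/lib/modules/\([^/]*\)/.*#\1#p' "$log" | head -n 1)
    unresolved=$(grep -c 'unresolved symbol' "$log")
    # a _R<crc> suffix means the module carries symbol versions (CONFIG_MODVERSIONS)
    versioned=$(grep -c 'unresolved symbol .*_R[0-9a-f]\{8\}$' "$log")
    echo "running kernel $running; tun.o built for ${modver:-unknown}; $unresolved unresolved symbols ($versioned with version CRCs)"
    if [ -n "$modver" ] && [ "$modver" != "$running" ]; then
        echo "release mismatch: tun.o under /lib/modules/$modver/ will not load into $running; boot $modver or install the kernel package for $running"
        return 1
    fi
    if [ "$unresolved" -gt 0 ]; then
        echo "same release, different build: the exported symbol CRCs differ, so this tun.o does not belong to the running kernel (rpm -qf the module to see which package shipped it, then reinstall the kernel package matching uname -r)"
        return 2
    fi
    echo "tun.o matches the running kernel"
    return 0
}

# Constructed sample: a temporary file holding a few of the modprobe lines
# from the post above, so the function can be exercised offline.
log=$(mktemp)
cat > "$log" <<'EOF'
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol dev_alloc_name_Rb7ff7f15
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: unresolved symbol alloc_skb_Rf0b0d440
/lib/modules/2.4.20-18.7/kernel/drivers/net/tun.o: insmod tun failed
EOF
rc=0; diagnose_tun_modprobe "2.4.20-18.7" "$log" || rc=$?
echo "exit status: $rc"    # 2: same release, symbol CRCs differ
rm -f "$log"
```

On the affected box you would run `modprobe tun 2>/tmp/tun.log; diagnose_tun_modprobe "$(uname -r)" /tmp/tun.log`. If it reports a release mismatch, the fix is a kernel package, not a recompile; if it reports a build mismatch, the tun.o on disk came from a different kernel package than the one booted (a qemu guest booted from a different kernel image than the one installed is a common way to get there).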
-
Did you chmod 700 openvpn.up? I have had a few similar problems, and it turned out to be the chmod, or an error in openvpn.conf.
Bob
-
Could you post your openvpn.conf? I've got a server.conf in /etc/openvpn but no openvpn.conf file. I also checked permissions on openvpn.up and changed it to 700, but the service fails to start.
I'm currently running SME inside qemu, and it works just fine; I had to enable tun on the host OS (Slackware) in order to get SME visible to the rest of the network. The tun kernel module operates independently of openvpn, and that module is where my problem lies.
Anything else, I can't check because nothing is getting dumped into the logs while trying to start the service. Maybe I should just start over, after all, this install is a trial run before putting it on a system at a customer's request. SME has got a nice web frontend, but I really do not like rpm-based distros ;-)
UPDATE: I've tried reinstalling with no luck. I am going to download the 6.5 RC1 and try that out, and see if I have any better luck.
-
Right, I've installed openvpn by the book, and when I try to start the service I get an instant [FAILED]. There are no entries in the logs. So I was wondering, how do I uninstall all the rpms and try again?
Here is my server.conf
port 1194
dev tap                                   # bridged (tap) mode; openvpn.up and the routes below assume tap0
tls-server
dh dh1024.pem                             # file paths are relative to the directory openvpn is started from (/etc/openvpn)
ca ca.crt
cert server.crt
key server.key                            # keep the private key mode 600
auth-user-pass-verify ./validate.sh via-env   # via-env hands the password to the script in its environment; via-file keeps it out of the process environment
client-disconnect ./logoff.sh
up ./openvpn.up                           # must be executable (chmod 700)
mode server
duplicate-cn                              # lets several clients connect with the same certificate; only needed while clients share one cert
ifconfig 192.168.100.1 255.255.255.0
ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for openvpn clients
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "dhcp-option DOMAIN xxxxxxxxx.com" # push the DNS domain suffix
push "dhcp-option DNS 192.168.0.200" # push DNS entries to openvpn client
push "route 192.168.0.0 255.255.255.0 192.168.100.1" # route to the protected LAN; with a /24 mask this must be the network address 192.168.0.0, not the server's host address 192.168.0.200
comp-lzo
status-version 2
status openvpn-status.log
verb 3
Here is my openvpn.up
#!/bin/sh
# Runs when tap0 comes up. The two "route del" lines clear any stale route to
# the VPN subnet; when no such route exists they fail with
# "SIOCDELRT: No such process", which is harmless.
route del -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.0.200
route del -net 192.168.100.0 netmask 255.255.255.0 dev tap0
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.1
My SME is in server + routing mode.
It has two ethernet cards, one for the internal network (eth0) and one connected to an adsl modem (eth1). The sme ip address for the internal network is 192.168.0.200
I've opened up the local nework on the server-manager.
I think there is an issue closer to the server.conf for it to fail so fast. Installation of the rpms went without error.
Thanks for any help in advance.
-
Ah I just checked the messages log:
Aug 3 15:23:32 mail openvpn[10402]: OpenVPN 2.0 i386-redhat-linux [SSL] [LZO] built on Apr 18 2005
Aug 3 15:23:32 mail openvpn[10402]: WARNING: --keepalive option is missing from server config
Aug 3 15:23:32 mail openvpn[10402]: Diffie-Hellman initialized with 1024 bit key
Aug 3 15:23:32 mail openvpn[10402]: Cannot load certificate file server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Aug 3 15:23:32 mail openvpn[10402]: Exiting
Aug 3 15:23:32 mail openvpn: failed
like a dipstick I forgot to copy the certs to /etc/openvpn!
Now it starts, with a warning
Starting openvpn: SIOCDELRT: No such process
[ OK ]
[root@mail openvpn]#
When I try to connect from the client side I'm asked for a username and password. I try the admin account for the server, and a few user accounts, but I'm kicked. Didn't know I set up any VPN logins. Is this another oversight?
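Both failures in the last two posts (a non-executable openvpn.up and certificates never copied into /etc/openvpn) are things a short pre-flight check catches before "service openvpn start" reports [FAILED] with nothing in the log. The script below is an added example, not part of the how-to or of either post: it reads the server.conf directives that name files (ca, cert, key, dh, and the up/down/client-connect/client-disconnect/auth-user-pass-verify hooks), resolves them against the config directory the way openvpn does, and reports anything missing, a private key readable by group or others, or a hook script without the execute bit. The function names and the constructed demo directory at the bottom are this example's own.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server directory: every file that
# server.conf references must exist, the private key must not be readable by
# group/others, and hook scripts must be executable.
# Usage: check_openvpn_conf /etc/openvpn [server.conf]

# Report problems for one "directive argument" pair; prints nothing if fine.
_openvpn_check_line() {
    d=$1 directive=$2 arg=$3
    case $directive in
        ca|cert|dh)
            [ -f "$d/$arg" ] || echo "$directive: $arg not found in $d"
            ;;
        key)
            if [ ! -f "$d/$arg" ]; then
                echo "key: $arg not found in $d"
            elif ls -ld "$d/$arg" | cut -c5-10 | grep -q '[rwx]'; then
                # some group/other permission bit is set on the private key
                echo "key: $arg is accessible to group/others (chmod 600 it)"
            fi
            ;;
        up|down|client-connect|client-disconnect|auth-user-pass-verify)
            if [ ! -f "$d/$arg" ]; then
                echo "$directive: script $arg not found in $d"
            elif [ ! -x "$d/$arg" ]; then
                echo "$directive: script $arg is not executable (chmod 700 it)"
            fi
            ;;
    esac
}

# Walk the config; relative paths resolve against $dir, which is where the
# init script changes to before starting openvpn. Prints each problem and
# returns the number of problems found (0 means ready to start).
check_openvpn_conf() {
    dir=$1
    conf=${2:-server.conf}
    if [ ! -r "$dir/$conf" ]; then
        echo "cannot read $dir/$conf"
        return 1
    fi
    findings=$(sed 's/#.*//' "$dir/$conf" | while read -r directive arg _rest; do
        [ -n "$directive" ] && _openvpn_check_line "$dir" "$directive" "$arg"
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return "$(printf '%s\n' "$findings" | grep -c .)"
    fi
    return 0
}

# Constructed demo directory, not a real install: server.crt is missing and
# openvpn.up is not executable, so two problems are reported.
demo=$(mktemp -d)
printf '%s\n' 'port 1194' 'ca ca.crt' 'cert server.crt' 'key server.key' \
    'dh dh1024.pem' 'up ./openvpn.up' 'auth-user-pass-verify ./validate.sh via-env' \
    > "$demo/server.conf"
touch "$demo/ca.crt" "$demo/server.key" "$demo/dh1024.pem" "$demo/openvpn.up" "$demo/validate.sh"
chmod 600 "$demo/server.key"; chmod 644 "$demo/openvpn.up"; chmod 700 "$demo/validate.sh"
rc=0; check_openvpn_conf "$demo" || rc=$?
echo "problems found: $rc"    # 2
rm -rf "$demo"
```

Run it as `check_openvpn_conf /etc/openvpn` before starting the service; a non-zero return is the list of things to fix, in the order the config names them. The permission check on the key is deliberate: the server's certificate and DH parameters are public, but server.key is the one file whose exposure lets someone impersonate the VPN server.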
-
It's funny how just writing the issue down allows you to figure out what's gone wrong. Anyway, it all works fine, connects and logs in.
Now I need to be able to access the Windows network behind the VPN server. Hope I work it out before a reply comes.
-
just a quick question. feel like a bit of a noob sometimes.
If I have two NICs in a machine, one local and the other WAN, with a similar server in another location, and I run openvpn in bridge mode, will either of the two machines be able to access the internet, or just each other?
Last time i tried it, I had no external internet access from either of the machines, and this seems a bit unreal.
Tell me it isnt so, please.
Or do I just concentrate on getting routing working between a 6.01 and a 7RC1 server? I'm having an iptables denylog problem going from the 6.01 server to the 7RC1 server; it works great the other way around.
Only other issue with the routed network: I can't get the 7RC1 clients to see the clients on the 6.01 server. Is this to be expected as well?
I am nearly bald now from pulling my hair out on this one!!