Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: Daniel B. on July 27, 2006, 03:02:17 PM
-
I've just made a little pack which installs OpenVPN in bridge mode on SME 7.0
The hardest work has been done by swerts knudsen, so all the thanks are for him; I've just made a little panel in the server manager to change some configuration. This panel can also generate the client configuration according to the server configuration. You can also download the different certificates and keys needed by the client. As bridging can be dangerous for the connection (if something goes wrong during the start of the service, you may lose all connectivity, even the local one, so be sure you have physical access to your server), I think you should only install it on a test server for now. When it has been tested enough I think it will be very useful.
For now, the panel only works for the bridge mode; maybe I'll try to integrate other functions later.
If you have any suggestions or comments, email me: daniel@firewall-services.com
You can find the last release here:
http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.1-2.noarch.rpm
and its how-to:
http://sme.firewall-services.com/spip.php?article43
-
Daniel,
This is GREAT! :-D
I'll start testing this weekend, is there a section in the bug tracker for this contrib?!
Kind regards,
jester.
-
I've just opened bug no 1780.
-
I've just seen a big bug that I corrected: a script was absent from the archive :/
If you have downloaded it and it doesn't work, that's "normal". You should re-download and replace the file /etc/e-smith/web/functions/openvpn with the one in the archive (panel/openvpn)
-
I just tried this contrib in two different setups, one using server-gateway and another using server-only.
The server-gateway works fine; the server-only mode loses its IP route table after the install.
I removed the contrib and things went back to normal. I use the same OpenVPN setup when in server-only mode so I can reach the system itself. This has worked fine using Swert's directions. In this setup I forward the right ports from the firewall to the server-only mode system.
-
OK. It's true that most of my tests were in server and gateway mode and I didn't take much time for server-only. Anyway, I'm still working on it, especially on the support of other functions such as routed and client mode (and maybe a certificate manager). I'll try to solve this problem. Thanks for your report and have a good weekend :p
-
hello
does someone have this working in server-only mode with a setup like
[router]
dhcp server
IP 192.168.0.1
[SME7 Server]
IP 192.168.0.5
-
what steps did you use to uninstall this contrib? There did not seem to be an uninstall script, or did I miss it?
OR did you just do an rpm -e on the three installed RPMs and get your routing table back? I have experienced the same problem after installing in server-only mode.
-
there's an uninstall script in the archive. If you don't have it, copy and paste these lines into a text file and execute it:
#!/bin/bash
# uninstall script for the smeserver-openvpn bridge contrib
config='/sbin/e-smith/db configuration'
rm='/bin/rm'
echo 'stopping the service'
/etc/init.d/openvpn stop
# put the physical interface back as InternalInterface (the contrib switched
# it to the bridge while openvpn was running); setprop needs key, prop, value
$config setprop InternalInterface Name $($config getprop openvpn localInf)
echo 'ok'
echo 'removing openvpn entries from the configuration db'
$config delete openvpn
echo 'ok'
echo 'removing rpms'
rpm -e smeserver-openvpn-0.0.1-2
rpm -e openvpn-2.0.2-1.2.el4.rf
rpm -e lzo-1.08-4.2.el4.rf
echo 'ok'
echo 'removing scripts'
$rm -f /etc/openvpn/logoff.sh
$rm -f /etc/openvpn/logoff_user.pl
$rm -f /etc/openvpn/openvpn-shutdown
$rm -f /etc/openvpn/openvpn-startup
$rm -f /etc/openvpn/validate.sh
$rm -f /etc/openvpn/validate_user.pl
$rm -f /etc/openvpn/server.conf
echo 'ok'
echo 'removing templates'
$rm -Rf /etc/e-smith/templates/etc/openvpn/server.conf
echo 'ok'
echo 'removing log file'
$rm -f /var/log/openvpn/openvpn.log
echo 'ok'
echo 'removing the panel'
$rm -f /etc/e-smith/web/functions/openvpn
$rm -f /etc/e-smith/web/panels/manager/cgi-bin/openvpn
# rebuild the server-manager navigation so the openvpn entry disappears
/etc/e-smith/events/actions/navigation-conf >/dev/null 2>&1
echo 'ok'
-
I've just made a little pack which installs OpenVPN in bridge mode on SME 7.0
The hardest work has been done by swerts knudsen, so all the thanks are for him; I've just made a little panel in the server manager to change some configuration. This panel can also generate the client configuration according to the server configuration. You can also download the different certificates and keys needed by the client. As bridging can be dangerous for the connection (if something goes wrong during the start of the service, you may lose all connectivity, even the local one, so be sure you have physical access to your server), I think you should only install it on a test server for now. When it has been tested enough I think it will be very useful.
For now, the panel only works for the bridge mode; maybe I'll try to integrate other functions later.
If you have any suggestions or comments, email me: daniel@firewall-services.com
You can download the archive at
http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.tar.gz
and its how-to:
http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.pdf
Hi
Is this still beta or can I install it on a live production server?
Best regards
Jesper vels
-
Yes, it's still beta. I've started the new release but it's more work than I thought. I'm also working on a small contrib for motion (video surveillance), and I've just finished correcting my first contrib, backuppc, so the development of the openvpn one has slowed down. But I use this beta on 3 prod servers and I haven't had any problem for more than two months. If you use the server&gateway mode, I think you can use this.
There's one thing you must take care of (but this was present in the base of the contrib): you must not restart the dhcpd service while openvpn is running. If you do, dhcpd won't start correctly, and it will fill the messages log very quickly (more than 700 MB per day) and this can slow down the server. I'll try to correct this.
dani
-
Hi Daniel
I posted a note in the bug tracker. Not sure if you get it CC'd or not so I thought I'd drop a line here.
Nice work by the way. When I get it off VMware and into the real world I'll give a bit more feedback on any other bugs or problems I encounter.
Rob
-
Daniel,
Does your contrib need any additional configuration other than described in the PDF and the obvious enabling the service in the panel ?!
Like: port opening, adding a range to the local networks, adjusting the number of PPTP clients, granting VPN access rights to users....
Regards,
jester.
-
No, normally it shouldn't; the port opening should be done automatically during the install process, and the number of clients is set in the panel and is different from the number of PPTP clients.
Just three more things:
- it works only for server and gateway
- you need to set a correct range of IP addresses in the panel, in the same subnet as your standard local network but outside the standard DHCP range. By default, this range is from 192.168.200.25 to 192.168.200.50 but it needs to be changed.
- verify in the file /etc/e-smith/templates/etc/openvpn/server.conf/80clients that line 9 is:
$OUT .= "max-clients $maxClient\n";
and not
$OUT .= "max-clients $maxClient";
You can verify if the service is running with the command
ps aux | grep openvpn
it should return something like
/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn
-
Also, in 40scripts
line - $OUT .= "client-disconnect ./logoff.sh";
should be - $OUT .= "client-disconnect ./logoff.sh\n";
If you add client-cert-not-required to the server.conf you only need the ca.crt on the client.
Also,
you can rpm -Uvh the latest openvpn rpm (2.7) from http://dag.wieers.com/packages/openvpn/
Also,
I'm working on an idea to add a line to validate_user.pl that checks to see if the user has VPNAccess set to yes in the configuration database.
Something logically like if `db accounts getprop $user VPNClientAccess` = no then die?
This would give simple control over who has access
I'll cut and paste this to the bug tracker
-
Thanks a lot robwellesley for your interest and your reports. You're right, it's not a bad idea to verify if the user has VPN access.
I'll try to add client-cert-not-required as an option in the panel, but I think it's less secure. The thing I'd like to do is a certificate manager. With this, we could generate one certificate per client. With this, openvpn can easily recognise who is connecting, and always give the same IP. But this will take some more time to implement. I'll try to add your ideas as soon as I can.
-
Thanks a lot robwellesley for your interest and your reports
You're welcome! Thank you for sharing your knowledge and expertise.
It got us over the persistent problem whereby multiple PCs on a LAN behind a smeserver can't simultaneously connect using PPTP to a remote smeserver. With OpenVPN they can.
-
beta2 is available, you can see the change log, and the how-to here (https://dedibox.firewall-services.com/contribs/spip.php?rubrique3)
I haven't tested all the new functions. Even if everything should work, please try it on a test server first.
By the way, you can see all the other contribs and how-tos from firewall-services on this site: http://dedibox.firewall-services.com/contribs
best regards, daniel
-
There was an error in the script which validates the user name/password: I forgot to chomp the variable VPNClientAccess. I've just corrected it and uploaded it. You can download the new archive at the same place:
http://dedibox.firewall-services.com/downloads/smeserver/smeserver-openvpn/smeserver-openvpn-bridge_beta2.tar.gz
-
Hi Daniel,
Thanks for this excellent contrib! I'm new to Sme (about a month maybe?) and was having issues with the standard pptp due to firewalls blocking GRE from work (at least that's what I *think* was happening).
Anyway, installed this and messed with this a bit and can now get access. :)
One thing I did have to do, and you and others might be able to tell me why this might be bad: I modified the panel code and templates to allow selecting of a TCP port instead of UDP.
The only way I could get through the firewall at work -- it seemed -- was to use the pptp port of 1723 and shut off the standard pptp.
I can supply diffs in the bug tracker for the TCP/UDP changes if there's any worth in that...
Cheers, and thanks again for the great work!
-Skip.
-
I see:
It seems to work in server-only mode.
Must the dhcp service be enabled in server-only mode, or can I run without it enabled?
Best Regards
Jesper Vels
-
Well, in fact, don't use it yet in server-only mode; I've noticed some little bugs. I think I'll release beta3 soon with no real changes but with bug corrections, and maybe the choice between TCP and UDP as proto. I'll keep you informed
-
smeserver-openvpn-bridge_beta3.
I've corrected several bugs of beta2 and added some functions:
- default gateway bug in server-only mode
- if dhcpd is disabled, it is no longer started when openvpn starts
- bugs in certificate generation at the first install (now it works :p)
- french translation
- you can choose between tcp and udp (even if udp is recommended)
- possibility to remove all your certificates and regenerate them
It shouldn't be risky to install it on a prod server but there may be some other bugs. (As far as I've tested, everything works)
https://dedibox.firewall-services.com/contribs/spip.php?article2
-
Don't know if you guys can help me, but I'm looking for a VPN solution to bridge between two networks (e.g. SME to SME).
We have two sites connected by a dedicated leased line, which we want to get rid of. For reasons I won't go into, the two sites need to share the same IP subnet.
Will this contrib give me the option to replace the leased line by bridging our two sites over an Internet link?
Any thoughts much appreciated.
Jon
-
Hallo,
Nice contribution.
When I was testing it, I have discovered a small problem.
After an unclean or forced shutdown of the server there is a problem with the network setup.
If openvpn was running before the shutdown, the configuration file states that the internal interface is still br0. This will give problems on startup.
One possible solution would be to run a script at boot time to reset the configuration file just before launching any scripts using these settings.
It could be:
/etc/rc7.d/S15reset-openvpn -> /etc/init.d/reset-openvpn
#!/bin/bash
####################################
# Reset SME openvpn configuration after unclean shutdown
####################################
eth=$(/sbin/e-smith/db configuration getprop openvpn localInf)
/sbin/e-smith/db configuration setprop InternalInterface Name $eth
It would be nice if VIP-ire could integrate it in his rpm.
Any other solutions much appreciated.
Eryk
-
Not a bad idea at all. Will integrate it in beta3.1 this afternoon as I've noticed some errors in beta3
-
Don't know if you guys can help me, but I'm looking for a VPN solution to bridge between two networks (e.g. SME to SME).
We have two sites connected by a dedicated leased line, which we want to get rid of. For reasons I won't go into, the two sites need to share the same IP subnet.
Will this contrib give me the option to replace the leased line by bridging our two sites over an Internet link?
Any thoughts much appreciated.
Jon
Well, openvpn in bridge mode can be a good solution for interconnecting two sites with the same subnet. I'll write a how-to for the configuration of an SME server as a client of another SME with this contrib. Will post when it's online
-
I'll write a how-to for the configuration of an SME server as a client of another SME with this contrib. Will post when it's online
Hey, that would be great & certainly be a massive help for me. I'll look forward to reading it.
Thanks
Jon
-
smeserver-openvpn-bridge_beta3.1 available.
https://dedibox.firewall-services.com/contribs/spip.php?article2
-
I've just made a little pack which installs OpenVPN in bridge mode on SME 7.0
The hardest work has been done by swerts knudsen, so all the thanks are for him; I've just made a little panel in the server manager to change some configuration. This panel can also generate the client configuration according to the server configuration. You can also download the different certificates and keys needed by the client. As bridging can be dangerous for the connection (if something goes wrong during the start of the service, you may lose all connectivity, even the local one, so be sure you have physical access to your server), I think you should only install it on a test server for now. When it has been tested enough I think it will be very useful.
For now, the panel only works for the bridge mode; maybe I'll try to integrate other functions later.
If you have any suggestions or comments, email me: daniel@firewall-services.com
You can download the archive at
http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.tar.gz
and its how-to:
http://sme.firewall-services.com/files/openvpn/smeserver-openvpn-bridge_beta1.pdf
I tried to DL these files from the links above... but they're not present. Is there an alternate Download Location?
-
Yes, sorry, I forgot to edit the previous URL. Now you can access it at
http://sme.firewall-services.com/downloads/smeserver-openvpn
and the how-to and other contribs at
http://sme.firewall-services.com
The next release is about to be ready (next week I think). It will integrate the certificate manager I've wanted to add since I started this contrib: you will be able to generate as many certificates as you want and revoke them when you want. Useful if you want to give someone temporary access to your server via VPN.
-
Hi. I announce the 4th and probably the last beta release of the contrib. There are some big changes, mainly the famous certificate manager. I've tested it more than the other releases and I think everything is OK. I'll wait just a little and if nobody reports a bug, I'll package it as an rpm and stop the development for a moment. Please try it.
http://sme.firewall-services.com/spip.php?article2
-
Great work!!!! :D
An idea... what about "client" in the server admin panel?
So it is possible to type in the connection information if the SME server should bridge to another SME server, and then press connect, so it connects, and if the server has to reboot, it auto-reconnects after reboot.... just an idea... I do not know if there is someone who needs it... or if it is smart...
-
Well, I'm writing a how-to for the configuration of an SME as a client of another SME with this contrib. It's not so hard (at least for a simple connection; for sharing the same subnet over the two sites it's a bit harder, I'm also working on it). I think I won't integrate it in the panel but will post when the how-to is online.
-
I am now using openvpn in routed mode, but I am thinking about changing to bridge mode. Can you see any problems with just installing it over an existing installation, or should I try to remove the old one first?
-
You should uninstall all the previous rpms first and even remove the whole /etc/openvpn directory. My package installs the needed ones, and if they are already installed (but not in the same version), it can cause problems
-
I'm pleased to announce beta5 of this contrib. The main goal of this release is to improve security. Here's the change log:
- the login verification script has been replaced with openvpn-auth-pam.so, which adds these advantages (from openvpn's site):
* The shared object openvpn-auth-pam plugin uses a split-privilege execution model for better security. This means that the OpenVPN server can run with reduced privileges by using the directives user nobody, group nobody, and chroot, and will still be able to authenticate against the root-readable-only shadow password file.
* OpenVPN can pass the username/password to a plugin via virtual memory, rather than via a file or the environment, which is better for local security on the server machine.
* C-compiled plugin modules generally run faster than scripts.
- daemon runs under user nobody, group nobody
- daemon chrooted in /etc/openvpn
- added tls-auth with a shared static key (secret). tls-auth protects against
* DoS attacks or port flooding on the OpenVPN UDP port.
* Port scanning to determine which server UDP ports are in a listening state.
* Buffer overflow vulnerabilities in the SSL/TLS implementation.
* SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
- certificates are marked as client or server. At connection time, the client verifies that the server presents a server certificate. This prevents spoofing attacks.
- the common name of the server is verified each time a client connects.
- during the first certificate generation, you can choose the key size (1024, 2048 or 4096)
- only 4 authentication methods are available now, the old second one has been removed
- the generation of the certificates, keys and parameters has changed so that there is no longer a timeout error on the web page
- the contrib is ready to co-exist with the soon-coming contrib for site-to-site connection
- you can generate another certificate than the default one for the server side
- you can see the last 100 lines of the log through the interface for easier debugging.
- the interface tells you if the daemon is running (and gives you its PID)
- the certificate manager has been modified (available certificates and revoked ones are displayed in two different tables).
https://sme.firewall-services.com/spip.php?rubrique3
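As an added illustration (not the contrib's own template output, which the panel generates for you): the server and client directives that correspond to the beta5 change-log items above, written in the OpenVPN 2.0 syntax this contrib ships with. The file names under easy-rsa/keys/bridge, the plugin path, the port, the remote host name and the client certificate name are assumptions; "server-bridge" is the panel's default commonName quoted elsewhere in this thread.

```conf
# ---- server.conf (excerpt, added example; paths are assumptions) ----
dev tap0
proto udp
port 1194
ca   easy-rsa/keys/bridge/ca.crt
cert easy-rsa/keys/bridge/server-bridge.crt
key  easy-rsa/keys/bridge/server-bridge.key
dh   easy-rsa/keys/bridge/dh.pem
# HMAC every control-channel packet with the shared static key: a host that
# does not hold ta.key is dropped before any TLS handshake starts, which is
# what closes off the DoS, port-scan and SSL-bug exposure listed above.
tls-auth easy-rsa/keys/bridge/ta.key 0
# Username/password go to the PAM plugin through shared memory; its
# privileged helper reads /etc/shadow so the daemon never has to ...
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
# ... and the daemon can therefore drop root and lock itself into /etc/openvpn
# (keys above are already loaded at this point; persist-* keep them usable).
user nobody
group nobody
chroot /etc/openvpn
persist-key
persist-tun
# per-client files from the ccd template; ccd-exclusive refuses any client
# that has no file, which is how "--disable" entries lock users out
client-config-dir ccd-bridge
ccd-exclusive
max-clients 10

# ---- client.conf (excerpt, added example; host and file names assumed) ----
client
dev tap
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
# same static key, opposite direction
tls-auth ta.key 1
auth-user-pass
# only accept a peer whose certificate was issued as a *server* certificate
# (easy-rsa's build-key-server sets the nsCertType=server extension) ...
ns-cert-type server
# ... and whose common name is the one the panel generated.
tls-remote server-bridge
```

Two details matter when reading this: OpenVPN loads the certificate and key files before it chroots and drops privileges, so only the paths it opens later (client-config-dir, the log) need to resolve inside /etc/openvpn; and ns-cert-type/tls-remote are the 2.0-era spellings, replaced in later releases by remote-cert-tls server and verify-x509-name.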
-
OpenVPN needs a master certificate (ca.crt)
OpenVPN needs several files:
- A master CA certificate which will sign all the others
- An X.509 certificate for the server side
- A Diffie-Hellman parameter for the key negotiation
- A shared secret key for the tls-authentication during the handshake
Click here to generate these files
After clicking I get this:
Software error:
Can't call method "prop" on an undefined value at /etc/e-smith/web/panels/manager/cgi-bin/openvpn line 981.
For help, please send mail to the webmaster (admin), giving this error message and the time and date of the error.
SME Server 7.0 with all updates no other addons
Fresh Install of smeserver-openvpn-bridge_beta5.tar.gz
-
Oops, my fault. I finished it yesterday (about 4:00 am) and I worked more on the upgrade script; I forgot to change the name of a key in the install script. I've just uploaded the archive again with the correction. To fix it, type the following:
db openvpn-bridge set default_config config
db openvpn-bridge setprop default_config countryCode 'FR'
db openvpn-bridge setprop default_config countryName 'France'
db openvpn-bridge setprop default_config localityName 'Bordeaux'
db openvpn-bridge setprop default_config organizationName 'Firewall-Services'
db openvpn-bridge setprop default_config sectionName 'VPN'
db openvpn-bridge setprop default_config commonName 'server-bridge'
db openvpn-bridge setprop default_config mailAddress 'admin'
db openvpn-bridge setprop default_config serial '00'
db openvpn-bridge setprop default_config certType 'server'
db openvpn-bridge setprop default_config keySize '1024'
db openvpn-bridge delete bridge_config
And reload the page; you'll be prompted for some information and then the certificates will be generated.
Sorry for this mistake.
-
Hello VIP-ire,
I am currently using your beta-3, which is working great. Should I uninstall it before upgrading to beta-5?
Thanks
Bob
-
Hello VIP-ire,
I am currently using your beta-3, which is working great. Should I uninstall it before upgrading to beta-5?
Thanks
Bob
Yes you should. I provide an upgrade script but only from beta4. You should uninstall beta3 and remove the entire directory /etc/openvpn. You'll have to reconfigure every client with the new certificates and the new configuration file.
-
this thread should be edited to point to beta5
http://sme.firewall-services.com/downloads/smeserver-openvpn/smeserver-openvpn-bridge_beta5.tar.gz
-
I've noticed another little problem in beta5 which prevents fixed IPs from being reserved for authentication methods 2 and 4. The archive has been updated, but for those who have already installed beta 5, just do this to correct the problem:
rm -f /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/.config
vim /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/.config
and copy/paste these lines:
{
    # Writes one file per client in /etc/openvpn/ccd-bridge: per user for the
    # password-based methods (1 and 3), per client certificate for the
    # certificate-based ones (2 and 4). The template itself only outputs a comment.
    my $OUT = '';
    use esmith::ConfigDB;
    my $db_cert  = esmith::ConfigDB->open_ro('openvpn-bridge');
    my @certs    = $db_cert->get_all_by_prop(type => 'cert');
    my $db_users = esmith::ConfigDB->open_ro('accounts');
    my @users    = $db_users->get_all_by_prop(type => 'user');
    my $netmask  = ${'LocalNetmask'};
    my $userAuth = ${'openvpn-bridge'}{userAuth};
    my $ccd      = '/etc/openvpn/ccd-bridge';

    # write one ccd file (replaces the shell echo, so names are never passed to a shell)
    my $write = sub {
        my ($name, $content) = @_;
        open(my $fh, '>', "$ccd/$name") or return;
        print $fh "$content\n";
        close($fh);
    };

    system("/bin/rm -f $ccd/*");
    if (($userAuth eq '1') || ($userAuth eq '3')) {
        # the file only records whether the account may connect at all;
        # ccd-exclusive in server.conf enforces it
        foreach my $rec_user (@users) {
            my $user      = $rec_user->key;
            my $VPNAccess = $rec_user->prop('VPNClientAccess') || 'no';
            my $fic = ($VPNAccess eq 'yes')
                ? "# user $user has VPN access. This file is only used to control the access with the ccd-exclusive directive"
                : "--disable";
            $write->($user, $fic);
        }
    }
    else {
        # one file per client certificate, pushing the reserved IP when one is set
        foreach my $rec_cert (@certs) {
            my $user   = $rec_cert->key;
            my $ip     = $rec_cert->prop('ip') || 'undef';
            my $status = $rec_cert->prop('status') || '';
            my $type   = $rec_cert->prop('cert-type') || '';
            next unless $type eq 'client';
            my $fic = '';    # reset per certificate so a previous entry is never reused
            if (($ip ne 'undef') && ($status eq 'available')) {
                $fic = "--ifconfig-push $ip $netmask";
            }
            elsif (($status eq 'available') && ($ip eq 'undef')) {
                $fic = "# User $user doesn't have a fixed IP";
            }
            elsif ($status eq 'revoked') {
                $fic = "--disable";
            }
            $write->($user, $fic) if $fic ne '';
        }
    }
    $OUT = 'This file is only used to generate the per client config file.';
}
Now save it and expand it:
expand-template /etc/openvpn/ccd-bridge/.config
That's all
-
It appears that it does not matter what is entered in the "State" box when creating the server certificate - the resulting ST entry always says "France" :)
I have observed this behaviour in both beta4 and beta5.
Many thanks for this useful contrib.
-
Thanks for the report. I didn't see this error because I used "France" for all my tests. You can get the patch I've just uploaded on my server, then remove all your certificates and restart the generation; you should be able to enter the correct country name
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/panel_patch_1
cp ./panel_patch_1 /etc/e-smith/web/functions/openvpn
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/locale_fr_patch_1.mo
cp ./locale_fr_patch_1.mo /usr/share/locale/fr/LC_MESSAGES/openvpn.mo
-
You don't have permission to access /downloads/smeserver-openvpn/patch/panel_patch_1 on this server.
-
Sorry, permissions are corrected now
-
Attempted an install of beta 5. When creating the CA, it is erroring out.
These are the last few lines in the messages file
Nov 25 15:15:42 server1 e-smith-bg: Generating DH parameters, 1024 bit long safe prime, generator 2
Nov 25 15:15:42 server1 e-smith-bg: This is going to take a long time
Nov 25 15:16:00 server1 e-smith-bg: ...........+.........+...........+....+...........+....................+
................................+........................+...................
.................................................................................
................................................+....................+..........
..................................................................................
+.+...............................+....................................+
...............+.......+...........+........................................
..............................+..................+...........................+
..................+..........................................+............+....
.....................................................................+.........
.........+.....................................................................
..................................................................+............
......................................................
Nov 25 15:16:18 server1 e-smith-bg: ........................................................+....................+
....................+............................................................
...................................................................................
..............................................................+....................
.............................................+....................................
..........................................................+......+............+.
....................+.............................................................
......................+..........................................................
...+........+........................+..............................+........
..............................................................................+.
....................................+............................................
............+........................................+..........+.............
.......................
Nov 25 15:16:26 server1 e-smith-bg:
..................................................................................
...................+.......................+...................................
...................................+.....+.....................................
..............+...........................+.+....+...........................
...................+...+.......................................................
...............................................................................+
.
........................................++*++*++*
Nov 25 15:16:26 server1 e-smith-bg: unable to write 'random state'
Nov 25 15:16:26 server1 e-smith-bg: /etc/openvpn/easy-rsa/keys/bridge/dh.pem: No such file or directory
I am going to try to find the beta4, then do the update to see what happens.
Bob
-
To get it to work I had to create the directory
/etc/openvpn/easy-rsa/keys/bridge/
-
I was sure I had uploaded the archive which corrects this, but it seems I forgot to do it. You're right katray: if you manually create the directory /etc/openvpn/easy-rsa/keys/bridge, it works. The archive is now updated.
-
VIP-ire
Just tried it again, on another server, and it is not making the '/etc/openvpn/easy-rsa/keys/bridge' directory. I just downloaded it from your site.
Other than that, it works great!!!!!
Bob
-
OK, I understand the problem now. I had updated the archive the last time, but my archiver (file-roller) doesn't keep empty directories during archiving, so the directory keys/bridge wasn't created. As during my tests I don't use the archive but the uncompressed files, it worked for me. I've modified the install script to create it now and it should be OK.
-
Just installed on my server. Everything works as expected.
Thanks VIP-ire, and your team. You have made openvpn very easy to install and configure.
Bob
-
Yes, it's still beta. I've started the new release but it's more work than I thought. I'm also working on a small contrib for motion (video surveillance), and I've just finished correcting my first contrib, backuppc, so the development of the openvpn one has slowed down. But I use this beta on 3 prod servers and I haven't had any problem for more than two months. If you use the server&gateway mode, I think you can use this.
There's one thing you must take care of (but this was present in the base of the contrib): you must not restart the dhcpd service while openvpn is running. If you do, dhcpd won't start correctly, and it will fill the messages log very quickly (more than 700 MB per day) and this can slow down the server. I'll try to correct this.
dani
How far did you get with the contrib for motion? I would like to help, if I can. I had motion running on 6.x.
-
How far did you get with the contrib for motion? I would like to help, if I can. I had motion running on 6.x.
I'll start a new thread when it's ready for testing. For now, I wrote a panel to control it: you can monitor as many cams as you want, you can set the time motion will be enabled, you can launch an action each time a motion is detected (I just wrote a simple script to send a mail with the snapshot attached, but it's possible to do everything you want), there's a small php gallery to see the last snapshot and some other things... I don't know when it'll be ready because I don't have an IP cam anymore, but as soon as I get one, I'll continue the development and release a beta.
-
I installed the new beta5 on a new server, and I chose authentication method 3 and I just couldn't get my client to connect. I rechecked the settings, created the certificates again, but to no avail. I was getting a "TLS handshake error" right after I introduced my user name and password.
Then I changed the authentication method to 4, didn't change any other setting - and it worked! (the client certificate already had the correct common name). Then I changed back to auth. method 3 and it worked also.
Very strange.
Anyways, Vip-ire thanks for this great contrib!
-
I installed the new beta5 on a new server, and I chose authentication method 3 and I just couldn't get my client to connect. I rechecked the settings, created the certificates again, but to no avail. I was getting a "TLS handshake error" right after I introduced my user name and password.
Then I changed the authentication method to 4, didn't change any other setting - and it worked! (the client certificate already had the correct common name). Then I changed back to auth. method 3 and it worked also.
Very strange.
Anyways, Vip-ire thanks for this great contrib!
Quite strange, I'll try to look at why this is happening and I'll keep you informed if I find something.
Thanks for the report.
-
Update:
Auth. method 3 seems to work like method 4, meaning that I have to get a certificate for each client. If the common name for the client certificate isn't the same as the user name I can't log in. And this only after selecting method 4 first, and then switching back to method 3.
Hope this will help you sort things out.
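The behaviour reported above (login refused when the certificate CN differs from the user name) is exactly what a server-side check tying the two together produces. The contrib's own auth scripts are not on this page; the following is an added illustration of how such a rule is expressed with OpenVPN's `auth-user-pass-verify <script> via-env` hook, which runs the script with the client's `username`, `password` and certificate `common_name` in the environment and accepts the client only when the script exits 0. The password lookup is a constructed stand-in, not SME Server's real account check.

```python
#!/usr/bin/env python3
"""Illustrative OpenVPN auth-user-pass-verify hook (added example, not the contrib's script).

Policy: the client certificate's common name must equal the submitted user name,
and the password must verify. Either failure rejects the client (exit status 1)."""
import hashlib
import hmac
import os
import sys


def cn_matches_username(env):
    """True only when both values are present and identical (case-sensitive).
    A client that presents no certificate CN is rejected as well."""
    cn = env.get("common_name", "")
    user = env.get("username", "")
    return bool(cn) and bool(user) and cn == user


def verify(env, check_password):
    """Return 0 (accept) or 1 (reject), the exit-code convention OpenVPN expects."""
    if not cn_matches_username(env):
        return 1
    if not check_password(env.get("username", ""), env.get("password", "")):
        return 1
    return 0


# Constructed stand-in for a real credential store: user -> SHA-256 of salt + password.
_TOY_USERS = {"ian": hashlib.sha256(b"salt:correct horse").hexdigest()}


def toy_check_password(user, password):
    """Constant-time comparison of the salted digest; unknown users always fail."""
    digest = hashlib.sha256(b"salt:" + password.encode("utf-8")).hexdigest()
    expected = _TOY_USERS.get(user)
    return expected is not None and hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # OpenVPN supplies username, password and common_name in the environment.
    sys.exit(verify(os.environ, toy_check_password))
```

Wiring it in would be a server-side line such as `auth-user-pass-verify /path/to/hook.py via-env` together with certificate-based TLS; with that in place a certificate issued to `client1` can never be used to log in as `ian`, which is the symptom the poster saw.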
-
Very nice and thank you for your answer. Could you tell me which RPMs you installed on 7.x to get the latest motion package running?
-
Collaboration
Users
Groups
Quotas
Pseudonyms
Information bays
Administration
Backup or restore
View log files
Mail log file analysis
Reboot or shutdown
Security
Remote access
Local networks
Port forwarding
Proxy settings
Configuration
Software installer
Date and time
Workgroup
Directory
Printers
Hostnames and addresses
Domains
E-mail
Antivirus (ClamAV)
Review configuration
Crontab Manager
Miscellaneous
Support and licensing
Create starter web site
Unknown
.rnd
I am still trying to get beta 5 going. I tried uninstalling everything and removing all directories and powering down/up. I still have the "Unknown" selection possible at the bottom of my toolbar on the left of my smeserver manager screen. Shouldn't this have gone away?
Anyways, I am at the point where I may wipe everything and start again (ouch) unless you have any ideas re a fix.
Thx in advance for any help.
Ian
-
I didn't find any RPM so I compiled it myself on a test server.
To remove the .rnd from the panel, you need to delete a file:
rm -f /etc/e-smith/web/panels/manager/cgi-bin/.rnd
and to rebuild the left frame
/etc/e-smith/events/actions/navigation-conf
But for your openvpn which doesn't work, I don't know. I know there are still one or two problems to fix; that's why I'm working on beta6 (which should mainly bring sme6.x compatibility and correct some problems of auth method 3/4), but beta5 should work.
-
Well, I removed those files and did a new install from your Nov 26th update and got nowhere, tabarnak!
The only other thing that I can think of that is different from other people's systems in general is that I have a dynamic IP address. I use ZoneEdit to handle or resolve the address issues. I implemented the cron manager and a custom script; I can always see my page, so it can't be that???
It's funny that beta 4 worked perfectly on two different clients and 5 on neither. Perhaps in my ignorance I removed something that was required.
So I have backed all info up and will do a fresh install sme 7 over again.
I'll let you know how it goes.
-
The problem cannot come from the dynamic IP, as my personal server has a dynamic IP also (I use a free dyndns account). If you don't want to do a fresh install, you can continue using beta4, but you lose the security improvements of beta5. Don't you have a test machine to perform a fresh install and check if it works with it?
-
Hi imcintyre,
I am using the latest beta5 on 5 or 6 SME7.0 boxes, and the only problems were self-inflicted. I had the same .rnd entry in server-manager from the beta4 install, but as long as I didn't click on it, it was OK. I removed it on my server using VIP-ire's suggestion.
I guess I am curious as to what's not working for you.
Bob
-
Vip-ire/Bob
I have the cd in the drawer and the drawer is still open, and I thought I would look one last time here to see if there was anything else I could try.
I am not sure what is wrong except the trivial "it doesn't work". Beta4 worked right out of the can on an xp home client, and after a Windows upgrade to my xp pro client it worked also. Like perfectly, I was happy!
I tried to follow the instructions exactly as presented when upgrading to 5, but it does not work on either my xp home or xp pro clients.
I've done two uninstall/installs on the server and at least once on the xp pro client. I seem to make some progress each time but can't get it complete. I sent my certificates, keys and certs to Vipire and he said he doesn't see why not. I am a complete noobie (ubernoobie) so I can provide some feedback but not a lot of original thought.
I will post the latest from my log, just need to switch machines. If you can help it would be muchly appreciated.
-
I see that it cannot load my crt. It is in the correct folder. When I try to open it in notepad it has nothing in it and appears to be 0k in size.
Is this right? I created it last night and downloaded it then tried it off site.
What if anything should I be doing with the server certificates and keys?
When I created my server certificates, should I have given it the same name as my server and should I have assigned it a local address?
Thx for any help you can lend.
Wed Nov 29 10:43:46 2006 us=634854 Current Parameter Settings:
Wed Nov 29 10:43:46 2006 us=634956 config = 'VPN.ovpn'
Wed Nov 29 10:43:46 2006 us=634982 mode = 0
Wed Nov 29 10:43:46 2006 us=635007 show_ciphers = DISABLED
Wed Nov 29 10:43:46 2006 us=635030 show_digests = DISABLED
Wed Nov 29 10:43:46 2006 us=635055 show_engines = DISABLED
Wed Nov 29 10:43:46 2006 us=635078 genkey = DISABLED
Wed Nov 29 10:43:46 2006 us=635101 key_pass_file = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=635126 show_tls_ciphers = DISABLED
Wed Nov 29 10:43:46 2006 us=635149 proto = 0
Wed Nov 29 10:43:46 2006 us=635172 local = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=635200 remote_list[0] = {'mcintyres.ca', 1194}
Wed Nov 29 10:43:46 2006 us=635225 remote_random = DISABLED
Wed Nov 29 10:43:46 2006 us=635251 local_port = 1194
Wed Nov 29 10:43:46 2006 us=635275 remote_port = 1194
Wed Nov 29 10:43:46 2006 us=635299 remote_float = DISABLED
Wed Nov 29 10:43:46 2006 us=635322 ipchange = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=635346 bind_local = DISABLED
Wed Nov 29 10:43:46 2006 us=635369 dev = 'tap'
Wed Nov 29 10:43:46 2006 us=635393 dev_type = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=635417 dev_node = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=635441 tun_ipv6 = DISABLED
Wed Nov 29 10:43:46 2006 us=635467 ifconfig_local = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=635492 ifconfig_remote_netmask = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=635517 ifconfig_noexec = DISABLED
Wed Nov 29 10:43:46 2006 us=635541 ifconfig_nowarn = DISABLED
Wed Nov 29 10:43:46 2006 us=635564 shaper = 0
Wed Nov 29 10:43:46 2006 us=635588 tun_mtu = 1500
Wed Nov 29 10:43:46 2006 us=635612 tun_mtu_defined = ENABLED
Wed Nov 29 10:43:46 2006 us=635636 link_mtu = 1500
Wed Nov 29 10:43:46 2006 us=635660 link_mtu_defined = DISABLED
Wed Nov 29 10:43:46 2006 us=635684 tun_mtu_extra = 32
Wed Nov 29 10:43:46 2006 us=635709 tun_mtu_extra_defined = ENABLED
Wed Nov 29 10:43:46 2006 us=635733 fragment = 1400
Wed Nov 29 10:43:46 2006 us=635758 mtu_discover_type = -1
Wed Nov 29 10:43:46 2006 us=635781 mtu_test = 0
Wed Nov 29 10:43:46 2006 us=635803 mlock = DISABLED
Wed Nov 29 10:43:46 2006 us=635827 keepalive_ping = 0
Wed Nov 29 10:43:46 2006 us=635851 keepalive_timeout = 0
Wed Nov 29 10:43:46 2006 us=635875 inactivity_timeout = 0
Wed Nov 29 10:43:46 2006 us=635899 ping_send_timeout = 0
Wed Nov 29 10:43:46 2006 us=635923 ping_rec_timeout = 120
Wed Nov 29 10:43:46 2006 us=635947 ping_rec_timeout_action = 2
Wed Nov 29 10:43:46 2006 us=635971 ping_timer_remote = DISABLED
Wed Nov 29 10:43:46 2006 us=635995 remap_sigusr1 = 0
Wed Nov 29 10:43:46 2006 us=636020 explicit_exit_notification = 0
Wed Nov 29 10:43:46 2006 us=636044 persist_tun = DISABLED
Wed Nov 29 10:43:46 2006 us=636068 persist_local_ip = DISABLED
Wed Nov 29 10:43:46 2006 us=636093 persist_remote_ip = DISABLED
Wed Nov 29 10:43:46 2006 us=636117 persist_key = DISABLED
Wed Nov 29 10:43:46 2006 us=636141 mssfix = 1450
Wed Nov 29 10:43:46 2006 us=636175 resolve_retry_seconds = 1000000000
Wed Nov 29 10:43:46 2006 us=636201 connect_retry_seconds = 5
Wed Nov 29 10:43:46 2006 us=636225 username = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=636250 groupname = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=636274 chroot_dir = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=636297 cd_dir = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=636321 writepid = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=636345 up_script = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=636368 down_script = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=636392 down_pre = DISABLED
Wed Nov 29 10:43:46 2006 us=636416 up_restart = DISABLED
Wed Nov 29 10:43:46 2006 us=636439 up_delay = DISABLED
Wed Nov 29 10:43:46 2006 us=636463 daemon = DISABLED
Wed Nov 29 10:43:46 2006 us=636485 inetd = 0
Wed Nov 29 10:43:46 2006 us=636508 log = DISABLED
Wed Nov 29 10:43:46 2006 us=636532 suppress_timestamps = DISABLED
Wed Nov 29 10:43:46 2006 us=636555 nice = 0
Wed Nov 29 10:43:46 2006 us=636578 verbosity = 4
Wed Nov 29 10:43:46 2006 us=677207 mute = 0
Wed Nov 29 10:43:46 2006 us=677231 gremlin = 0
Wed Nov 29 10:43:46 2006 us=677243 status_file = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=677254 status_file_version = 1
Wed Nov 29 10:43:46 2006 us=677265 status_file_update_freq = 60
Wed Nov 29 10:43:46 2006 us=677275 occ = ENABLED
Wed Nov 29 10:43:46 2006 us=677285 rcvbuf = 0
Wed Nov 29 10:43:46 2006 us=677295 sndbuf = 0
Wed Nov 29 10:43:46 2006 us=677308 socks_proxy_server = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=677332 socks_proxy_port = 0
Wed Nov 29 10:43:46 2006 us=677343 socks_proxy_retry = DISABLED
Wed Nov 29 10:43:46 2006 us=677353 fast_io = DISABLED
Wed Nov 29 10:43:46 2006 us=677364 comp_lzo = ENABLED
Wed Nov 29 10:43:46 2006 us=677375 comp_lzo_adaptive = ENABLED
Wed Nov 29 10:43:46 2006 us=677386 route_script = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=677396 route_default_gateway = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=677407 route_noexec = DISABLED
Wed Nov 29 10:43:46 2006 us=677417 route_delay = 0
Wed Nov 29 10:43:46 2006 us=677428 route_delay_window = 30
Wed Nov 29 10:43:46 2006 us=677438 route_delay_defined = ENABLED
Wed Nov 29 10:43:46 2006 us=677450 management_addr = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=677460 management_port = 0
Wed Nov 29 10:43:46 2006 us=677471 management_user_pass = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=677484 management_log_history_cache = 250
Wed Nov 29 10:43:46 2006 us=677496 management_echo_buffer_size = 100
Wed Nov 29 10:43:46 2006 us=677508 management_query_passwords = DISABLED
Wed Nov 29 10:43:46 2006 us=677519 management_hold = DISABLED
Wed Nov 29 10:43:46 2006 us=677531 shared_secret_file = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=677542 key_direction = 2
Wed Nov 29 10:43:46 2006 us=677553 ciphername_defined = ENABLED
Wed Nov 29 10:43:46 2006 us=677564 ciphername = 'BF-CBC'
Wed Nov 29 10:43:46 2006 us=677575 authname_defined = ENABLED
Wed Nov 29 10:43:46 2006 us=677586 authname = 'SHA1'
Wed Nov 29 10:43:46 2006 us=698598 keysize = 0
Wed Nov 29 10:43:46 2006 us=698622 engine = DISABLED
Wed Nov 29 10:43:46 2006 us=698633 replay = ENABLED
Wed Nov 29 10:43:46 2006 us=698644 mute_replay_warnings = DISABLED
Wed Nov 29 10:43:46 2006 us=698654 replay_window = 64
Wed Nov 29 10:43:46 2006 us=698665 replay_time = 15
Wed Nov 29 10:43:46 2006 us=698676 packet_id_file = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=698687 use_iv = ENABLED
Wed Nov 29 10:43:46 2006 us=698697 test_crypto = DISABLED
Wed Nov 29 10:43:46 2006 us=698708 tls_server = DISABLED
Wed Nov 29 10:43:46 2006 us=698718 tls_client = ENABLED
Wed Nov 29 10:43:46 2006 us=698729 key_method = 2
Wed Nov 29 10:43:46 2006 us=698739 ca_file = 'ca.crt'
Wed Nov 29 10:43:46 2006 us=698751 dh_file = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=698761 cert_file = 'ian.crt'
Wed Nov 29 10:43:46 2006 us=698772 priv_key_file = 'ian.key'
Wed Nov 29 10:43:46 2006 us=698783 pkcs12_file = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=707452 cryptoapi_cert = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=707472 cipher_list = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=707484 tls_verify = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=707494 tls_remote = 'server'
Wed Nov 29 10:43:46 2006 us=707505 crl_file = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=707515 ns_cert_type = 64
Wed Nov 29 10:43:46 2006 us=707525 tls_timeout = 2
Wed Nov 29 10:43:46 2006 us=707536 renegotiate_bytes = 0
Wed Nov 29 10:43:46 2006 us=707546 renegotiate_packets = 0
Wed Nov 29 10:43:46 2006 us=707557 renegotiate_seconds = 3600
Wed Nov 29 10:43:46 2006 us=707567 handshake_window = 60
Wed Nov 29 10:43:46 2006 us=707578 transition_window = 3600
Wed Nov 29 10:43:46 2006 us=707589 single_session = DISABLED
Wed Nov 29 10:43:46 2006 us=707599 tls_exit = DISABLED
Wed Nov 29 10:43:46 2006 us=707609 tls_auth_file = 'ta.key'
Wed Nov 29 10:43:46 2006 us=707642 server_network = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716176 server_netmask = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716194 server_bridge_ip = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716206 server_bridge_netmask = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716219 server_bridge_pool_start = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716232 server_bridge_pool_end = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716243 ifconfig_pool_defined = DISABLED
Wed Nov 29 10:43:46 2006 us=716256 ifconfig_pool_start = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716267 ifconfig_pool_end = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716279 ifconfig_pool_netmask = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=716291 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=716303 ifconfig_pool_persist_refresh_freq = 600
Wed Nov 29 10:43:46 2006 us=716315 ifconfig_pool_linear = DISABLED
Wed Nov 29 10:43:46 2006 us=716325 n_bcast_buf = 256
Wed Nov 29 10:43:46 2006 us=716336 tcp_queue_limit = 64
Wed Nov 29 10:43:46 2006 us=716347 real_hash_size = 256
Wed Nov 29 10:43:46 2006 us=724821 virtual_hash_size = 256
Wed Nov 29 10:43:46 2006 us=724838 client_connect_script = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=724850 learn_address_script = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=724862 client_disconnect_script = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=724873 client_config_dir = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=724883 ccd_exclusive = DISABLED
Wed Nov 29 10:43:46 2006 us=724894 tmp_dir = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=724905 push_ifconfig_defined = DISABLED
Wed Nov 29 10:43:46 2006 us=724918 push_ifconfig_local = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=724930 push_ifconfig_remote_netmask = 0.0.0.0
Wed Nov 29 10:43:46 2006 us=724941 enable_c2c = DISABLED
Wed Nov 29 10:43:46 2006 us=724951 duplicate_cn = DISABLED
Wed Nov 29 10:43:46 2006 us=724961 cf_max = 0
Wed Nov 29 10:43:46 2006 us=724971 cf_per = 0
Wed Nov 29 10:43:46 2006 us=724981 max_clients = 1024
Wed Nov 29 10:43:46 2006 us=732413 max_routes_per_client = 256
Wed Nov 29 10:43:46 2006 us=732429 client_cert_not_required = DISABLED
Wed Nov 29 10:43:46 2006 us=732441 username_as_common_name = DISABLED
Wed Nov 29 10:43:46 2006 us=732453 auth_user_pass_verify_script = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=732465 auth_user_pass_verify_script_via_file = DISABLED
Wed Nov 29 10:43:46 2006 us=732476 client = DISABLED
Wed Nov 29 10:43:46 2006 us=732486 pull = ENABLED
Wed Nov 29 10:43:46 2006 us=732497 auth_user_pass_file = 'stdin'
Wed Nov 29 10:43:46 2006 us=732511 show_net_up = DISABLED
Wed Nov 29 10:43:46 2006 us=732522 route_method = 0
Wed Nov 29 10:43:46 2006 us=732533 ip_win32_defined = DISABLED
Wed Nov 29 10:43:46 2006 us=732543 ip_win32_type = 3
Wed Nov 29 10:43:46 2006 us=732554 dhcp_masq_offset = 0
Wed Nov 29 10:43:46 2006 us=732565 dhcp_lease_time = 31536000
Wed Nov 29 10:43:46 2006 us=732575 tap_sleep = 0
Wed Nov 29 10:43:46 2006 us=732585 dhcp_options = DISABLED
Wed Nov 29 10:43:46 2006 us=740995 dhcp_renew = DISABLED
Wed Nov 29 10:43:46 2006 us=741010 dhcp_pre_release = DISABLED
Wed Nov 29 10:43:46 2006 us=741020 dhcp_release = DISABLED
Wed Nov 29 10:43:46 2006 us=741031 domain = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=741041 netbios_scope = '[UNDEF]'
Wed Nov 29 10:43:46 2006 us=741052 netbios_node_type = 0
Wed Nov 29 10:43:46 2006 us=741062 disable_nbt = DISABLED
Wed Nov 29 10:43:46 2006 us=741085 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Nov 29 10:43:58 2006 us=3134 Cannot load certificate file ian.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Wed Nov 29 10:43:58 2006 us=3180 Exiting
-
Vip-ire said
Don't you have a test machine to perform a fresh install and check if it works with it?
I was thinking that this might be the way to go, but had some practical considerations.
Seeing as I am running this at home, how does one test vpn access when you already have a server as gateway and server? I can think of how it might be done but am easily confused and the practical knowledge eludes me. I searched this site for any posts or how-tos but couldn't find any.
imcintyre
-
I had one install that gave me a cert that was empty like that, and I used "delete all certs", then recreated them. Then everything worked fine. When you create the certs, give it a little extra time (30 sec. or so) to complete the task.
bob
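The client log a few posts up fails with "Cannot load certificate file ian.crt: ... no start line", which is what OpenSSL reports when the file contains no PEM block at all; here the downloaded .crt was 0 bytes, and Bob's post above describes the same empty-certificate case. The following is an added example, not part of the contrib, that checks each file a client config references (the names `ca.crt`, `ian.crt`, `ian.key`, `ta.key` are taken from the log) for a non-empty, well-formed PEM body of the expected type before any connection attempt. The file contents below are constructed: a minimal DER SEQUENCE stands in for a real certificate and key so the example runs offline.

```python
"""Sanity-check an OpenVPN client bundle before trying to connect.
Added example; sample file contents are constructed, not real certificates."""
import base64
import re

# One PEM block: label captured in group 1, base64/hex body in group 2.
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)

# PEM labels each file of the bundle is expected to carry (file names from the log).
EXPECTED = {
    "ca.crt": {"CERTIFICATE"},
    "ian.crt": {"CERTIFICATE"},
    "ian.key": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "ta.key": {"OpenVPN Static key V1"},  # 2048-bit tls-auth key, 512 hex digits
}


def check_pem(text, allowed_labels):
    """Return (ok, reason). ok is True when text holds a PEM block of an allowed
    type whose body decodes to a non-empty payload of the right shape."""
    if not text.strip():
        return False, "file is empty"
    m = PEM_RE.search(text)
    if not m:
        return False, "no PEM block (no start line)"
    label, body = m.group(1), m.group(2)
    if label not in allowed_labels:
        return False, "unexpected block type %r" % label
    if label == "OpenVPN Static key V1":
        hexbody = "".join(body.split())
        if not re.fullmatch(r"[0-9a-fA-F]+", hexbody) or len(hexbody) != 512:
            return False, "static key must be 256 bytes of hex"
        return True, "ok"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except Exception:
        return False, "body is not valid base64"
    if not der or der[0] != 0x30:  # X.509 certs and PKCS keys are DER SEQUENCEs
        return False, "decoded body is not a DER SEQUENCE"
    return True, "ok"


def check_bundle(files):
    """files: {name: text}. Returns {name: (ok, reason)} for every expected file;
    a missing file is reported as empty."""
    return {name: check_pem(files.get(name, ""), labels) for name, labels in EXPECTED.items()}


# Constructed sample bundle: ian.crt reproduces the 0-byte download from the log.
_MINIMAL_DER = "MAMCAQE="  # base64 of 30 03 02 01 01, a SEQUENCE holding INTEGER 1
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _MINIMAL_DER,
    "ian.crt": "",
    "ian.key": "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % _MINIMAL_DER,
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n"
              + ("0123456789abcdef" * 2 + "\n") * 16
              + "-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    for name, (ok, reason) in sorted(check_bundle(SAMPLE_FILES).items()):
        print("%-8s %s  %s" % (name, "OK " if ok else "BAD", reason))
```

Against real files, read each one into the `files` dict and run `check_bundle`; a `BAD ... file is empty` result for the .crt is the cue to regenerate and re-download it, as Bob suggests, instead of retrying the connection.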
-
Bob;
I am currently travelling, but just before I left I recreated them and left more time as you mentioned. Now that I am in my hotel, I try to connect and I get the repeating "connection reset by peer" (see below).
I go onto the internet and I had created some bs on the beginner web site, which I can see with no problems so I know that the connectivity is there.
I had gotten this far before, but cannot begin to fathom the problem.
Beta 4 worked flawlessly, so it must be something with the certs, keys or beta 5. Are any of your client machines running xp pro?
Thx in advance for any help you can lend.
Wed Nov 29 22:07:10 2006 us=636839 Current Parameter Settings:
Wed Nov 29 22:07:10 2006 us=636947 config = 'VPN.ovpn'
Wed Nov 29 22:07:10 2006 us=636975 mode = 0
Wed Nov 29 22:07:10 2006 us=636999 show_ciphers = DISABLED
Wed Nov 29 22:07:10 2006 us=637023 show_digests = DISABLED
Wed Nov 29 22:07:10 2006 us=637046 show_engines = DISABLED
Wed Nov 29 22:07:10 2006 us=637070 genkey = DISABLED
Wed Nov 29 22:07:10 2006 us=637093 key_pass_file = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=637118 show_tls_ciphers = DISABLED
Wed Nov 29 22:07:10 2006 us=637141 proto = 0
Wed Nov 29 22:07:10 2006 us=637163 local = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=637191 remote_list[0] = {'mcintyres.ca', 1194}
Wed Nov 29 22:07:10 2006 us=637216 remote_random = DISABLED
Wed Nov 29 22:07:10 2006 us=637240 local_port = 1194
Wed Nov 29 22:07:10 2006 us=637263 remote_port = 1194
Wed Nov 29 22:07:10 2006 us=637286 remote_float = DISABLED
Wed Nov 29 22:07:10 2006 us=637310 ipchange = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=637333 bind_local = DISABLED
Wed Nov 29 22:07:10 2006 us=637355 dev = 'tap'
Wed Nov 29 22:07:10 2006 us=637378 dev_type = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=637401 dev_node = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=637424 tun_ipv6 = DISABLED
Wed Nov 29 22:07:10 2006 us=637447 ifconfig_local = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=637472 ifconfig_remote_netmask = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=637496 ifconfig_noexec = DISABLED
Wed Nov 29 22:07:10 2006 us=637519 ifconfig_nowarn = DISABLED
Wed Nov 29 22:07:10 2006 us=637541 shaper = 0
Wed Nov 29 22:07:10 2006 us=637564 tun_mtu = 1500
Wed Nov 29 22:07:10 2006 us=637587 tun_mtu_defined = ENABLED
Wed Nov 29 22:07:10 2006 us=637610 link_mtu = 1500
Wed Nov 29 22:07:10 2006 us=637634 link_mtu_defined = DISABLED
Wed Nov 29 22:07:10 2006 us=637657 tun_mtu_extra = 32
Wed Nov 29 22:07:10 2006 us=637681 tun_mtu_extra_defined = ENABLED
Wed Nov 29 22:07:10 2006 us=637704 fragment = 1400
Wed Nov 29 22:07:10 2006 us=637728 mtu_discover_type = -1
Wed Nov 29 22:07:10 2006 us=637750 mtu_test = 0
Wed Nov 29 22:07:10 2006 us=637772 mlock = DISABLED
Wed Nov 29 22:07:10 2006 us=637795 keepalive_ping = 0
Wed Nov 29 22:07:10 2006 us=637817 keepalive_timeout = 0
Wed Nov 29 22:07:10 2006 us=637841 inactivity_timeout = 0
Wed Nov 29 22:07:10 2006 us=637864 ping_send_timeout = 0
Wed Nov 29 22:07:10 2006 us=637887 ping_rec_timeout = 120
Wed Nov 29 22:07:10 2006 us=637910 ping_rec_timeout_action = 2
Wed Nov 29 22:07:10 2006 us=637934 ping_timer_remote = DISABLED
Wed Nov 29 22:07:10 2006 us=637957 remap_sigusr1 = 0
Wed Nov 29 22:07:10 2006 us=637981 explicit_exit_notification = 0
Wed Nov 29 22:07:10 2006 us=638004 persist_tun = DISABLED
Wed Nov 29 22:07:10 2006 us=638027 persist_local_ip = DISABLED
Wed Nov 29 22:07:10 2006 us=638051 persist_remote_ip = DISABLED
Wed Nov 29 22:07:10 2006 us=638074 persist_key = DISABLED
Wed Nov 29 22:07:10 2006 us=638097 mssfix = 1450
Wed Nov 29 22:07:10 2006 us=638134 resolve_retry_seconds = 1000000000
Wed Nov 29 22:07:10 2006 us=638159 connect_retry_seconds = 5
Wed Nov 29 22:07:10 2006 us=638182 username = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=638205 groupname = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=638228 chroot_dir = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=638251 cd_dir = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=638274 writepid = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=638297 up_script = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=638320 down_script = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=638343 down_pre = DISABLED
Wed Nov 29 22:07:10 2006 us=638365 up_restart = DISABLED
Wed Nov 29 22:07:10 2006 us=638388 up_delay = DISABLED
Wed Nov 29 22:07:10 2006 us=638410 daemon = DISABLED
Wed Nov 29 22:07:10 2006 us=638432 inetd = 0
Wed Nov 29 22:07:10 2006 us=638454 log = DISABLED
Wed Nov 29 22:07:10 2006 us=638477 suppress_timestamps = DISABLED
Wed Nov 29 22:07:10 2006 us=638499 nice = 0
Wed Nov 29 22:07:10 2006 us=638521 verbosity = 4
Wed Nov 29 22:07:10 2006 us=638543 mute = 0
Wed Nov 29 22:07:10 2006 us=661247 gremlin = 0
Wed Nov 29 22:07:10 2006 us=661282 status_file = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=661306 status_file_version = 1
Wed Nov 29 22:07:10 2006 us=661330 status_file_update_freq = 60
Wed Nov 29 22:07:10 2006 us=661353 occ = ENABLED
Wed Nov 29 22:07:10 2006 us=661374 rcvbuf = 0
Wed Nov 29 22:07:10 2006 us=661396 sndbuf = 0
Wed Nov 29 22:07:10 2006 us=661419 socks_proxy_server = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=661453 socks_proxy_port = 0
Wed Nov 29 22:07:10 2006 us=661477 socks_proxy_retry = DISABLED
Wed Nov 29 22:07:10 2006 us=661500 fast_io = DISABLED
Wed Nov 29 22:07:10 2006 us=661522 comp_lzo = ENABLED
Wed Nov 29 22:07:10 2006 us=661544 comp_lzo_adaptive = ENABLED
Wed Nov 29 22:07:10 2006 us=661567 route_script = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=661591 route_default_gateway = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=661614 route_noexec = DISABLED
Wed Nov 29 22:07:10 2006 us=661636 route_delay = 0
Wed Nov 29 22:07:10 2006 us=678873 route_delay_window = 30
Wed Nov 29 22:07:10 2006 us=678908 route_delay_defined = ENABLED
Wed Nov 29 22:07:10 2006 us=678934 management_addr = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=678957 management_port = 0
Wed Nov 29 22:07:10 2006 us=678981 management_user_pass = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=679007 management_log_history_cache = 250
Wed Nov 29 22:07:10 2006 us=679032 management_echo_buffer_size = 100
Wed Nov 29 22:07:10 2006 us=679056 management_query_passwords = DISABLED
Wed Nov 29 22:07:10 2006 us=679080 management_hold = DISABLED
Wed Nov 29 22:07:10 2006 us=679104 shared_secret_file = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=679127 key_direction = 2
Wed Nov 29 22:07:10 2006 us=679150 ciphername_defined = ENABLED
Wed Nov 29 22:07:10 2006 us=679173 ciphername = 'BF-CBC'
Wed Nov 29 22:07:10 2006 us=679197 authname_defined = ENABLED
Wed Nov 29 22:07:10 2006 us=679220 authname = 'SHA1'
Wed Nov 29 22:07:10 2006 us=679242 keysize = 0
Wed Nov 29 22:07:10 2006 us=746684 engine = DISABLED
Wed Nov 29 22:07:10 2006 us=746834 replay = ENABLED
Wed Nov 29 22:07:10 2006 us=746861 mute_replay_warnings = DISABLED
Wed Nov 29 22:07:10 2006 us=746886 replay_window = 64
Wed Nov 29 22:07:10 2006 us=746910 replay_time = 15
Wed Nov 29 22:07:10 2006 us=746934 packet_id_file = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=746957 use_iv = ENABLED
Wed Nov 29 22:07:10 2006 us=746980 test_crypto = DISABLED
Wed Nov 29 22:07:10 2006 us=747003 tls_server = DISABLED
Wed Nov 29 22:07:10 2006 us=747027 tls_client = ENABLED
Wed Nov 29 22:07:10 2006 us=747050 key_method = 2
Wed Nov 29 22:07:10 2006 us=747072 ca_file = 'ca.crt'
Wed Nov 29 22:07:10 2006 us=747095 dh_file = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=747119 cert_file = 'ian.crt'
Wed Nov 29 22:07:10 2006 us=747142 priv_key_file = 'ian.key'
Wed Nov 29 22:07:10 2006 us=747165 pkcs12_file = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=747189 cryptoapi_cert = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=804993 cipher_list = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=805031 tls_verify = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=805055 tls_remote = 'server'
Wed Nov 29 22:07:10 2006 us=805078 crl_file = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=805102 ns_cert_type = 64
Wed Nov 29 22:07:10 2006 us=805124 tls_timeout = 2
Wed Nov 29 22:07:10 2006 us=805147 renegotiate_bytes = 0
Wed Nov 29 22:07:10 2006 us=805171 renegotiate_packets = 0
Wed Nov 29 22:07:10 2006 us=805195 renegotiate_seconds = 3600
Wed Nov 29 22:07:10 2006 us=805218 handshake_window = 60
Wed Nov 29 22:07:10 2006 us=805242 transition_window = 3600
Wed Nov 29 22:07:10 2006 us=805265 single_session = DISABLED
Wed Nov 29 22:07:10 2006 us=805288 tls_exit = DISABLED
Wed Nov 29 22:07:10 2006 us=805311 tls_auth_file = 'ta.key'
Wed Nov 29 22:07:10 2006 us=805358 server_network = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=805385 server_netmask = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866481 server_bridge_ip = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866522 server_bridge_netmask = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866551 server_bridge_pool_start = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866578 server_bridge_pool_end = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866604 ifconfig_pool_defined = DISABLED
Wed Nov 29 22:07:10 2006 us=866631 ifconfig_pool_start = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866657 ifconfig_pool_end = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866684 ifconfig_pool_netmask = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=866710 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=866736 ifconfig_pool_persist_refresh_freq = 600
Wed Nov 29 22:07:10 2006 us=866761 ifconfig_pool_linear = DISABLED
Wed Nov 29 22:07:10 2006 us=866785 n_bcast_buf = 256
Wed Nov 29 22:07:10 2006 us=866808 tcp_queue_limit = 64
Wed Nov 29 22:07:10 2006 us=866832 real_hash_size = 256
Wed Nov 29 22:07:10 2006 us=866856 virtual_hash_size = 256
Wed Nov 29 22:07:10 2006 us=926090 client_connect_script = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=926129 learn_address_script = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=926157 client_disconnect_script = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=926182 client_config_dir = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=926206 ccd_exclusive = DISABLED
Wed Nov 29 22:07:10 2006 us=926229 tmp_dir = '[UNDEF]'
Wed Nov 29 22:07:10 2006 us=926253 push_ifconfig_defined = DISABLED
Wed Nov 29 22:07:10 2006 us=926283 push_ifconfig_local = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=926310 push_ifconfig_remote_netmask = 0.0.0.0
Wed Nov 29 22:07:10 2006 us=926334 enable_c2c = DISABLED
Wed Nov 29 22:07:10 2006 us=926357 duplicate_cn = DISABLED
Wed Nov 29 22:07:10 2006 us=926380 cf_max = 0
Wed Nov 29 22:07:10 2006 us=926402 cf_per = 0
Wed Nov 29 22:07:10 2006 us=926425 max_clients = 1024
Wed Nov 29 22:07:10 2006 us=926449 max_routes_per_client = 256
Wed Nov 29 22:07:11 2006 us=13888 client_cert_not_required = DISABLED
Wed Nov 29 22:07:11 2006 us=13932 username_as_common_name = DISABLED
Wed Nov 29 22:07:11 2006 us=13960 auth_user_pass_verify_script = '[UNDEF]'
Wed Nov 29 22:07:11 2006 us=13987 auth_user_pass_verify_script_via_file = DISABLED
Wed Nov 29 22:07:11 2006 us=14011 client = DISABLED
Wed Nov 29 22:07:11 2006 us=14033 pull = ENABLED
Wed Nov 29 22:07:11 2006 us=14057 auth_user_pass_file = 'stdin'
Wed Nov 29 22:07:11 2006 us=14088 show_net_up = DISABLED
Wed Nov 29 22:07:11 2006 us=14111 route_method = 0
Wed Nov 29 22:07:11 2006 us=14135 ip_win32_defined = DISABLED
Wed Nov 29 22:07:11 2006 us=14158 ip_win32_type = 3
Wed Nov 29 22:07:11 2006 us=14181 dhcp_masq_offset = 0
Wed Nov 29 22:07:11 2006 us=14206 dhcp_lease_time = 31536000
Wed Nov 29 22:07:11 2006 us=14228 tap_sleep = 0
Wed Nov 29 22:07:11 2006 us=14250 dhcp_options = DISABLED
Wed Nov 29 22:07:11 2006 us=14272 dhcp_renew = DISABLED
Wed Nov 29 22:07:11 2006 us=66815 dhcp_pre_release = DISABLED
Wed Nov 29 22:07:11 2006 us=66852 dhcp_release = DISABLED
Wed Nov 29 22:07:11 2006 us=66876 domain = '[UNDEF]'
Wed Nov 29 22:07:11 2006 us=66899 netbios_scope = '[UNDEF]'
Wed Nov 29 22:07:11 2006 us=66922 netbios_node_type = 0
Wed Nov 29 22:07:11 2006 us=66944 disable_nbt = DISABLED
Wed Nov 29 22:07:11 2006 us=66987 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Nov 29 22:07:25 2006 us=42972 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Nov 29 22:07:25 2006 us=43059 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 29 22:07:25 2006 us=43102 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 29 22:07:25 2006 us=43164 LZO compression initialized
Wed Nov 29 22:07:25 2006 us=43379 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Nov 29 22:07:25 2006 us=214027 Data Channel MTU parms [ L:1578 D:1450 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Nov 29 22:07:25 2006 us=214092 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Nov 29 22:07:25 2006 us=214189 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Nov 29 22:07:25 2006 us=214224 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Nov 29 22:07:25 2006 us=214293 Local Options hash (VER=V4): 'a257ef04'
Wed Nov 29 22:07:25 2006 us=214343 Expected Remote Options hash (VER=V4): '8f3da10b'
Wed Nov 29 22:07:25 2006 us=214408 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Nov 29 22:07:25 2006 us=216452 UDPv4 link local: [undef]
Wed Nov 29 22:07:25 2006 us=216488 UDPv4 link remote: 70.48.39.53:1194
Wed Nov 29 22:07:25 2006 us=282954 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:26 2006 us=544161 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:29 2006 us=51585 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:30 2006 us=311382 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:32 2006 us=848300 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:35 2006 us=369898 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:37 2006 us=686658 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:40 2006 us=8853 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:42 2006 us=332480 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:44 2006 us=655802 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:47 2006 us=71361 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:48 2006 us=332873 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:50 2006 us=851444 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:53 2006 us=350539 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:55 2006 us=850847 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:07:57 2006 us=969311 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:00 2006 us=89575 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:02 2006 us=221719 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:03 2006 us=303333 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:05 2006 us=426187 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:07 2006 us=953637 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:10 2006 us=477587 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:13 2006 us=2638 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:15 2006 us=524357 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:17 2006 us=946061 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:20 2006 us=366486 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Nov 29 22:08:22 2006 us=780949 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
-
did you enable vpn for yourself under users? It kind of looks like you didn't
-
I'll have to have a look. It was working.......
-
I was thinking that this might be the way to go, but had some practical considerations.
Seeing as I am running this at home, how does one test vpn access when you already have a server as gateway and server. I can think of how it might be done but am easily confused and the practical knowledge eludes me. I searched this site for any posts or how to's but couldn't find any.
imcintyre
If you have a test machine you can:
- perform a fresh install of SME7 in server-only mode
- give it a fixed IP on your local network, for example 192.168.1.50
- install the contrib smeserver-openvpn-bridge_beta5 on it
- configure it as you want, you can let the default port 1194 or choose another
- disable openvpn-server-bridge on your server&gateway
- redirect a port on the server&gateway server: port 1194, proto UDP, destination host 192.168.1.50
Now your server-only host is reachable on port 1194 for proto UDP and you can test the contrib.
As crazybob told you, if you have an empty certificate, you must erase all the certificates and regenerate them. I know you already tried this, but if you have an empty certificate, you had a problem with the generation.
For your server certificate, a default one should be configured with the common-name server-bridge. You can generate a new one if you want, but it shouldn't be necessary.
When all the certificates are generated, can you post the result of
ll /etc/openvpn/easy-rsa/keys/server-bridge
you should see all the certificates, the dh file, the crl, the ta.key and the client cert if you have generated one. None of these files should be empty.
If you still have an empty file, please mail me your /var/log/httpd/admin_error_log file.
Cheers, Daniel
-
Thx, I'll follow both these up when I get home Friday
-
Well I made sure I had the vpn option turned on and I did. I also remembered that I did an upgrade to Internet Explorer 7 from 6. I uninstalled v7. It did tell me that Openvpn may not work properly as well as 4 other programs I wasn't aware of. Uninstalled anyways but same error as previously posted.
I guess I will try beta 4 again to see if that is the issue.
-
Vip-ire:
I tried running your command line "ll etc/openvpn/easy-rsa/keys/server-bridge" but got an error about no command, no directory. I went in and found that I had a directory named "bridge". Below are the contents of the directory "bridge". Is this a mistake that I made with the naming? Or is "server-bridge" a generic name and I should have used the name of my server itself. Using Midnight Commander, I can see that none of the files are empty.
01.pem ca.key ian.crt index.txt serial.old server.key
02.pem crl.pem ian.csr index.txt.old server.crt ta.key
ca.crt dh.pem ian.key serial server.csr
Imcintyre
-
Sorry, you're right, it's /etc/openvpn/easy-rsa/keys/bridge, not /etc/openvpn/easy-rsa/server-bridge. All the files should be ok if they are not empty. If the installation of ie7 told you that openvpn may not work properly, you should uninstall your client and re-install it so that the tap-win32 driver is reinstalled. Maybe it's the issue. If this doesn't fix your problem, please erase all your certificates, regenerate them and send me your /var/log/httpd/admin_error_log files (by mail: daniel@firewall-services.com)
-
the 1st stable release (1.0-1) is available as an rpm. have a look at http://sme.firewall-services.com/spip.php?article2
-
A stupid empty directory is missing from 1.0-1. If you have done a fresh install of the contrib smeserver-openvpn-bridge-fws-1.0-1, please upgrade to smeserver-openvpn-bridge-fws-1.0-2; I've just uploaded it.
-
Hi Guys,
I'm having the same problem as Imcintyre has been having.
Did you ever find the solution to this?
I am using a freshly installed smeserver-openvpn-bridge-fws-1.0-2 following the directions given in the how-to.
I have tried deleting the certs and regenerating them but still got the same result.
The user definitely has VPN access enabled.
My client is WinXP Pro running Firefox 2.0 & IE 6.
Here's a copy of OpenVPN's output:
Mon Dec 11 15:20:29 2006 us=405932 Current Parameter Settings:
Mon Dec 11 15:20:29 2006 us=406246 config = 'C:\Program Files\OpenVPN\config\VPN.ovpn'
Mon Dec 11 15:20:29 2006 us=406376 mode = 0
Mon Dec 11 15:20:29 2006 us=406459 show_ciphers = DISABLED
Mon Dec 11 15:20:29 2006 us=406545 show_digests = DISABLED
Mon Dec 11 15:20:29 2006 us=408572 show_engines = DISABLED
Mon Dec 11 15:20:29 2006 us=408738 genkey = DISABLED
Mon Dec 11 15:20:29 2006 us=415313 key_pass_file = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=415449 show_tls_ciphers = DISABLED
Mon Dec 11 15:20:29 2006 us=415517 proto = 0
Mon Dec 11 15:20:29 2006 us=415584 local = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=415649 remote_list[0] = {'kevinblackmore.dyndns.org', 1194}
Mon Dec 11 15:20:29 2006 us=415971 remote_random = DISABLED
Mon Dec 11 15:20:29 2006 us=416025 local_port = 1194
Mon Dec 11 15:20:29 2006 us=416079 remote_port = 1194
Mon Dec 11 15:20:29 2006 us=416141 remote_float = DISABLED
Mon Dec 11 15:20:29 2006 us=416207 ipchange = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=416277 bind_local = DISABLED
Mon Dec 11 15:20:29 2006 us=416344 dev = 'tap'
Mon Dec 11 15:20:29 2006 us=416402 dev_type = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=416448 dev_node = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=416494 tun_ipv6 = DISABLED
Mon Dec 11 15:20:29 2006 us=416556 ifconfig_local = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=419413 ifconfig_remote_netmask = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=421926 ifconfig_noexec = DISABLED
Mon Dec 11 15:20:29 2006 us=424783 ifconfig_nowarn = DISABLED
Mon Dec 11 15:20:29 2006 us=427240 shaper = 0
Mon Dec 11 15:20:29 2006 us=429707 tun_mtu = 1500
Mon Dec 11 15:20:29 2006 us=431926 tun_mtu_defined = ENABLED
Mon Dec 11 15:20:29 2006 us=434402 link_mtu = 1500
Mon Dec 11 15:20:29 2006 us=436707 link_mtu_defined = DISABLED
Mon Dec 11 15:20:29 2006 us=439201 tun_mtu_extra = 32
Mon Dec 11 15:20:29 2006 us=441878 tun_mtu_extra_defined = ENABLED
Mon Dec 11 15:20:29 2006 us=444345 fragment = 1400
Mon Dec 11 15:20:29 2006 us=446813 mtu_discover_type = -1
Mon Dec 11 15:20:29 2006 us=449014 mtu_test = 0
Mon Dec 11 15:20:29 2006 us=451484 mlock = DISABLED
Mon Dec 11 15:20:29 2006 us=453776 keepalive_ping = 0
Mon Dec 11 15:20:29 2006 us=456886 keepalive_timeout = 0
Mon Dec 11 15:20:29 2006 us=459337 inactivity_timeout = 0
Mon Dec 11 15:20:29 2006 us=461807 ping_send_timeout = 0
Mon Dec 11 15:20:29 2006 us=466724 ping_rec_timeout = 120
Mon Dec 11 15:20:29 2006 us=469163 ping_rec_timeout_action = 2
Mon Dec 11 15:20:29 2006 us=472354 ping_timer_remote = DISABLED
Mon Dec 11 15:20:29 2006 us=474831 remap_sigusr1 = 0
Mon Dec 11 15:20:29 2006 us=477300 explicit_exit_notification = 0
Mon Dec 11 15:20:29 2006 us=479790 persist_tun = DISABLED
Mon Dec 11 15:20:29 2006 us=482014 persist_local_ip = DISABLED
Mon Dec 11 15:20:29 2006 us=484497 persist_remote_ip = DISABLED
Mon Dec 11 15:20:29 2006 us=486797 persist_key = DISABLED
Mon Dec 11 15:20:29 2006 us=489515 mssfix = 1450
Mon Dec 11 15:20:29 2006 us=491969 resolve_retry_seconds = 1000000000
Mon Dec 11 15:20:29 2006 us=494448 connect_retry_seconds = 5
Mon Dec 11 15:20:29 2006 us=496905 username = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=499119 groupname = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=501599 chroot_dir = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=504360 cd_dir = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=506836 writepid = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=509359 up_script = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=527804 down_script = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=530353 down_pre = DISABLED
Mon Dec 11 15:20:29 2006 us=532647 up_restart = DISABLED
Mon Dec 11 15:20:29 2006 us=536491 up_delay = DISABLED
Mon Dec 11 15:20:29 2006 us=538818 daemon = DISABLED
Mon Dec 11 15:20:29 2006 us=541196 inetd = 0
Mon Dec 11 15:20:29 2006 us=543545 log = DISABLED
Mon Dec 11 15:20:29 2006 us=545921 suppress_timestamps = DISABLED
Mon Dec 11 15:20:29 2006 us=548001 nice = 0
Mon Dec 11 15:20:29 2006 us=550584 verbosity = 4
Mon Dec 11 15:20:29 2006 us=552907 mute = 0
Mon Dec 11 15:20:29 2006 us=555100 gremlin = 0
Mon Dec 11 15:20:29 2006 us=557463 status_file = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=559816 status_file_version = 1
Mon Dec 11 15:20:29 2006 us=562165 status_file_update_freq = 60
Mon Dec 11 15:20:29 2006 us=564252 occ = ENABLED
Mon Dec 11 15:20:29 2006 us=567581 rcvbuf = 0
Mon Dec 11 15:20:29 2006 us=569882 sndbuf = 0
Mon Dec 11 15:20:29 2006 us=576831 socks_proxy_server = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=579264 socks_proxy_port = 0
Mon Dec 11 15:20:29 2006 us=582033 socks_proxy_retry = DISABLED
Mon Dec 11 15:20:29 2006 us=584386 fast_io = DISABLED
Mon Dec 11 15:20:29 2006 us=586709 comp_lzo = ENABLED
Mon Dec 11 15:20:29 2006 us=588971 comp_lzo_adaptive = ENABLED
Mon Dec 11 15:20:29 2006 us=591360 route_script = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=593723 route_default_gateway = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=596099 route_noexec = DISABLED
Mon Dec 11 15:20:29 2006 us=598204 route_delay = 0
Mon Dec 11 15:20:29 2006 us=600545 route_delay_window = 30
Mon Dec 11 15:20:29 2006 us=602904 route_delay_defined = ENABLED
Mon Dec 11 15:20:29 2006 us=605086 management_addr = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=607461 management_port = 0
Mon Dec 11 15:20:29 2006 us=609820 management_user_pass = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=612286 management_log_history_cache = 250
Mon Dec 11 15:20:29 2006 us=614356 management_echo_buffer_size = 100
Mon Dec 11 15:20:29 2006 us=616736 management_query_passwords = DISABLED
Mon Dec 11 15:20:29 2006 us=624996 management_hold = DISABLED
Mon Dec 11 15:20:29 2006 us=627362 shared_secret_file = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=630649 key_direction = 2
Mon Dec 11 15:20:29 2006 us=632958 ciphername_defined = ENABLED
Mon Dec 11 15:20:29 2006 us=635325 ciphername = 'BF-CBC'
Mon Dec 11 15:20:29 2006 us=637574 authname_defined = ENABLED
Mon Dec 11 15:20:29 2006 us=639895 authname = 'SHA1'
Mon Dec 11 15:20:29 2006 us=642264 keysize = 0
Mon Dec 11 15:20:29 2006 us=644644 engine = DISABLED
Mon Dec 11 15:20:29 2006 us=646916 replay = ENABLED
Mon Dec 11 15:20:29 2006 us=649045 mute_replay_warnings = DISABLED
Mon Dec 11 15:20:29 2006 us=651420 replay_window = 64
Mon Dec 11 15:20:29 2006 us=653784 replay_time = 15
Mon Dec 11 15:20:29 2006 us=655967 packet_id_file = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=658334 use_iv = ENABLED
Mon Dec 11 15:20:29 2006 us=660756 test_crypto = DISABLED
Mon Dec 11 15:20:29 2006 us=663085 tls_server = DISABLED
Mon Dec 11 15:20:29 2006 us=665155 tls_client = ENABLED
Mon Dec 11 15:20:29 2006 us=668595 key_method = 2
Mon Dec 11 15:20:29 2006 us=670901 ca_file = 'ca.crt'
Mon Dec 11 15:20:29 2006 us=673140 dh_file = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=675634 cert_file = 'kevin.crt'
Mon Dec 11 15:20:29 2006 us=677970 priv_key_file = 'kevin.key'
Mon Dec 11 15:20:29 2006 us=680257 pkcs12_file = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=682394 cryptoapi_cert = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=684764 cipher_list = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=687129 tls_verify = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=689301 tls_remote = 'server'
Mon Dec 11 15:20:29 2006 us=691706 crl_file = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=694041 ns_cert_type = 64
Mon Dec 11 15:20:29 2006 us=696385 tls_timeout = 2
Mon Dec 11 15:20:29 2006 us=698453 renegotiate_bytes = 0
Mon Dec 11 15:20:29 2006 us=700817 renegotiate_packets = 0
Mon Dec 11 15:20:29 2006 us=703175 renegotiate_seconds = 3600
Mon Dec 11 15:20:29 2006 us=705355 handshake_window = 60
Mon Dec 11 15:20:29 2006 us=707998 transition_window = 3600
Mon Dec 11 15:20:29 2006 us=710489 single_session = DISABLED
Mon Dec 11 15:20:29 2006 us=712819 tls_exit = DISABLED
Mon Dec 11 15:20:29 2006 us=714884 tls_auth_file = 'ta.key'
Mon Dec 11 15:20:29 2006 us=717267 server_network = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=719624 server_netmask = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=722128 server_bridge_ip = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=724484 server_bridge_netmask = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=726860 server_bridge_pool_start = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=729229 server_bridge_pool_end = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=731321 ifconfig_pool_defined = DISABLED
Mon Dec 11 15:20:29 2006 us=733690 ifconfig_pool_start = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=736068 ifconfig_pool_end = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=739039 ifconfig_pool_netmask = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=741467 ifconfig_pool_persist_filename = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=743871 ifconfig_pool_persist_refresh_freq = 600
Mon Dec 11 15:20:29 2006 us=746245 ifconfig_pool_linear = DISABLED
Mon Dec 11 15:20:29 2006 us=748323 n_bcast_buf = 256
Mon Dec 11 15:20:29 2006 us=750673 tcp_queue_limit = 64
Mon Dec 11 15:20:29 2006 us=753862 real_hash_size = 256
Mon Dec 11 15:20:29 2006 us=756042 virtual_hash_size = 256
Mon Dec 11 15:20:29 2006 us=758412 client_connect_script = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=760791 learn_address_script = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=763154 client_disconnect_script = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=765239 client_config_dir = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=767603 ccd_exclusive = DISABLED
Mon Dec 11 15:20:29 2006 us=770249 tmp_dir = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=772424 push_ifconfig_defined = DISABLED
Mon Dec 11 15:20:29 2006 us=774802 push_ifconfig_local = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=777171 push_ifconfig_remote_netmask = 0.0.0.0
Mon Dec 11 15:20:29 2006 us=779538 enable_c2c = DISABLED
Mon Dec 11 15:20:29 2006 us=781597 duplicate_cn = DISABLED
Mon Dec 11 15:20:29 2006 us=783999 cf_max = 0
Mon Dec 11 15:20:29 2006 us=786324 cf_per = 0
Mon Dec 11 15:20:29 2006 us=788662 max_clients = 1024
Mon Dec 11 15:20:29 2006 us=790871 max_routes_per_client = 256
Mon Dec 11 15:20:29 2006 us=793248 client_cert_not_required = DISABLED
Mon Dec 11 15:20:29 2006 us=795730 username_as_common_name = DISABLED
Mon Dec 11 15:20:29 2006 us=797795 auth_user_pass_verify_script = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=801256 auth_user_pass_verify_script_via_file = DISABLED
Mon Dec 11 15:20:29 2006 us=805861 client = DISABLED
Mon Dec 11 15:20:29 2006 us=808154 pull = ENABLED
Mon Dec 11 15:20:29 2006 us=810525 auth_user_pass_file = 'stdin'
Mon Dec 11 15:20:29 2006 us=812885 show_net_up = DISABLED
Mon Dec 11 15:20:29 2006 us=814954 route_method = 0
Mon Dec 11 15:20:29 2006 us=817418 ip_win32_defined = DISABLED
Mon Dec 11 15:20:29 2006 us=819765 ip_win32_type = 3
Mon Dec 11 15:20:29 2006 us=822126 dhcp_masq_offset = 0
Mon Dec 11 15:20:29 2006 us=824303 dhcp_lease_time = 31536000
Mon Dec 11 15:20:29 2006 us=826667 tap_sleep = 0
Mon Dec 11 15:20:29 2006 us=829021 dhcp_options = DISABLED
Mon Dec 11 15:20:29 2006 us=831103 dhcp_renew = DISABLED
Mon Dec 11 15:20:29 2006 us=833436 dhcp_pre_release = DISABLED
Mon Dec 11 15:20:29 2006 us=835800 dhcp_release = DISABLED
Mon Dec 11 15:20:29 2006 us=838163 domain = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=841011 netbios_scope = '[UNDEF]'
Mon Dec 11 15:20:29 2006 us=843362 netbios_node_type = 0
Mon Dec 11 15:20:29 2006 us=845721 disable_nbt = DISABLED
Mon Dec 11 15:20:29 2006 us=848855 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Enter Auth Username:kevin
Enter Auth Password:
Mon Dec 11 15:20:36 2006 us=307997 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Dec 11 15:20:36 2006 us=312694 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 11 15:20:36 2006 us=317617 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 11 15:20:36 2006 us=322372 LZO compression initialized
Mon Dec 11 15:20:36 2006 us=325101 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 11 15:20:36 2006 us=518555 Data Channel MTU parms [ L:1578 D:1450 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Dec 11 15:20:36 2006 us=523441 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Mon Dec 11 15:20:36 2006 us=528118 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Mon Dec 11 15:20:36 2006 us=535421 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Mon Dec 11 15:20:36 2006 us=542598 Local Options hash (VER=V4): 'a257ef04'
Mon Dec 11 15:20:36 2006 us=544877 Expected Remote Options hash (VER=V4): '8f3da10b'
Mon Dec 11 15:20:36 2006 us=549798 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Dec 11 15:20:36 2006 us=557953 UDPv4 link local: [undef]
Mon Dec 11 15:20:36 2006 us=560427 UDPv4 link remote: 58.28.144.144:1194
Mon Dec 11 15:20:36 2006 us=627887 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:38 2006 us=683518 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:40 2006 us=739173 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:42 2006 us=801852 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:44 2006 us=869476 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:46 2006 us=918894 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:49 2006 us=154990 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:50 2006 us=310630 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:52 2006 us=559165 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:54 2006 us=811819 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:56 2006 us=280684 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:20:58 2006 us=411166 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:21:01 2006 us=156582 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:21:02 2006 us=721709 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Dec 11 15:21:04 2006 us=264479 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
-
Well, it looks like several people are having problems with this contrib. It's quite strange because for me it's working. Can you post the last lines of your server's log just after trying to connect your client?
-
VIP
I'm having the same problem as well.. damned
read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
errors on the client side, and on the server, well.. I finally got it working, after 2 reboots. Didn't change anything... but I would advise people do the following:
1) Reboot your server.
2) In Server Manager, verify that the Panel item shows that the daemon is running.
In my case, I think it was the Daemon not running that caused the problem. but now it is, and it is working. The service didn't appear to re-enable after applying on the OVPN Panel page.. and it took a reboot to make it work. But VIP, you're right, it is stable!
Thanks for making the contrib VIP, it's great!
-
Hi All,
I have installed this on a test server that is in server-only mode and behind my SME server that is in Server-Gateway mode. I have forwarded port 1194 but the daemon is still not starting, I suspect that this is something to do with the IP range. My question is if my server-gateway is the DHCP server for the network do I choose a range on this server or do I need to make the test server the DHCP server (turning it off in the server-gateway machine first :) ). Or should I just forget the test server and install it on my server-gateway? Thanks.
Regards,
Del
-
I got really busy and this is the first time I got back to this. As before, I am still okay with beta 4, couldn't make beta 5 work, and am now having problems with rpms.
I had tried beta5 again and failed. I ran sh uninstall, deleted that directory and deleted /etc/openvpn directory and try a "fresh install"
I downloaded lzo-1.08-4.2.el4.rf.i386.rpm, openvpn-2.0.7-1.el4.rf.i386.rpm, smeserver-openvpn-bridge-fws-1.0-1.noarch.rpm. I then saw the chat about an upgrade so I downloaded smeserver-openvpn-bridge-fws-1.0-2.noarch.rpm.
This is what I got when I installed this file
[root@mcserver1 home]# yum localinstall smeserver-openvpn-bridge-fws-1.0-2.noarch.rpm
==============================================================
WARNING: Additional commands may be required after running yum
==============================================================
Setting up Local Package Process
Examining smeserver-openvpn-bridge-fws-1.0-2.noarch.rpm: smeserver-openvpn-bridge-fws - 1.0-2.noarch
Marking smeserver-openvpn-bridge-fws-1.0-2.noarch.rpm as an update to smeserver-openvpn-bridge-fws - 1.0-1.noarch
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package smeserver-openvpn-bridge-fws.noarch 0:1.0-2 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Updating:
smeserver-openvpn-bridge-fws noarch 1.0-2 smeserver-openvpn-bridge-fws-1.0-2.noarch.rpm 96 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 1 Package(s)
Remove 0 Package(s)
Total download size: 96 k
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Shutting down openvpn: Sat Dec 9 08:12:57 2006 TUN/TAP device tap0 opened
Sat Dec 9 08:12:57 2006 Persist state set to: OFF
Stopping dhcpd:[ OK ]
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
Starting dhcpd:[ OK ]
[ OK ]
Updating : smeserver-openvpn-bridge-fws ######################### [1/2]
Shutting down openvpn: /etc/rc.d/init.d/openvpn-bridge: line 175: /etc/openvpn/server-bridge-shutdown: Permission denied
[ OK ]
Cleanup : smeserver-openvpn-bridge-fws ######################### [2/2]
Updated: smeserver-openvpn-bridge-fws.noarch 0:1.0-2
Complete!
==============================================================
WARNING: You now need to run BOTH of the following commands
to ensure consistent system state:
signal-event post-upgrade; signal-event reboot
You should run these commands unless you are certain that
yum made no changes to your system.
==============================================================
[root@mcserver1 home]# signal-event post-upgrade
[root@mcserver1 home]# sh signal-event post-upgrade
/sbin/e-smith/signal-event: line 9: use: command not found
/sbin/e-smith/signal-event: line 10: use: command not found
/sbin/e-smith/signal-event: line 11: use: command not found
/sbin/e-smith/signal-event: line 13: my: command not found
/sbin/e-smith/signal-event: signal-event: line 17: syntax error near unexpected token `$event,'
/sbin/e-smith/signal-event: signal-event: line 17: `my ($event, @args) = @ARGV;'
[root@mcserver1 home]#
When I ran the signal-event post-upgrade command, as you can see there "funny" statements near the end. Is this expected?
-
Hi All,
I have installed this on a test server that is in server-only mode and behind my SME server that is in Server-Gateway mode. I have forwarded port 1194 but the daemon is still not starting, I suspect that this is something to do with the IP range. My question is if my server-gateway is the DHCP server for the network do I choose a range on this server or do I need to make the test server the DHCP server (turning it off in the server-gateway machine first :) ). Or should I just forget the test server and install it on my server-gateway? Thanks.
Regards,
Del
You can let openvpn running on the server-only and the DHCP on the server and gateway. You just have to set correctly the address range. For example, your network has the address 192.168.45.0 with netmask 255.255.255.0. Your server & gateway has address 192.168.45.1, standard DHCP range is from 192.168.45.65 to 192.168.45.250, and your server only has address 192.168.45.2. You can choose the range 192.168.45.10 to 192.168.45.50 for openvpn because these address will never be given to a real local machine on the network.
errors on the client side, and on the server, well.. I finally got it working, after 2 reboots. Didn't change anything... but I would advise people do the following:
1) Reboot your server.
2) In Server Manager, verify that the Panel item shows that the daemon is running.
Rebooting shouldn't be needed, you just have to wait a few seconds (or minutes if your server is slow) and if everything is configured correctly, when you reload the panel, you can see that the service is enabled.
[root@mcserver1 home]# signal-event post-upgrade
[root@mcserver1 home]# sh signal-event post-upgrade
/sbin/e-smith/signal-event: line 9: use: command not found
/sbin/e-smith/signal-event: line 10: use: command not found
/sbin/e-smith/signal-event: line 11: use: command not found
/sbin/e-smith/signal-event: line 13: my: command not found
/sbin/e-smith/signal-event: signal-event: line 17: syntax error near unexpected token `$event,'
/sbin/e-smith/signal-event: signal-event: line 17: `my ($event, @args) = @ARGV;'
Well, I don't really understand the problem. You ran the command signal-event post-upgrade a first time, which seems to be ok, then you ran sh signal-event post-upgrade. I don't know why you ran this, but it's 'normal' to have error messages: signal-event doesn't have to be interpreted with sh (it's a perl script, and anyway, it wasn't in the current directory). Anyway, signal-event post-upgrade and reboot are not useful with this contrib as every needed config file is expanded by the panel when you click on apply. Ian, for beta5 and 1.0-2, is the daemon running or not?
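The address-range rule from the reply above (keep the OpenVPN pool inside the LAN, away from the fixed addresses of the gateway and the server-only host, and clear of the DHCP range), as an added example that is not part of this thread or of the contrib. The layout values are the ones given in the reply; the `server-bridge` line follows the OpenVPN 2.0 manual's `server-bridge gateway netmask pool-start pool-end` form, with the LAN gateway used as the first argument (an assumption, since the manual allows either the bridge address or the LAN router there).

```python
"""Sanity check for an OpenVPN bridge-mode address pool on a LAN (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LanLayout:
    """The LAN as the reply describes it: one subnet, a few hosts with fixed
    addresses (gateway, server-only box) and the range the DHCP server serves."""
    network: ipaddress.IPv4Network
    static_hosts: tuple
    dhcp_start: ipaddress.IPv4Address
    dhcp_end: ipaddress.IPv4Address


def make_lan(network, static_hosts, dhcp_start, dhcp_end):
    """Build a LanLayout from plain strings."""
    return LanLayout(
        ipaddress.IPv4Network(network),
        tuple(ipaddress.IPv4Address(h) for h in static_hosts),
        ipaddress.IPv4Address(dhcp_start),
        ipaddress.IPv4Address(dhcp_end),
    )


def _span(start, end):
    """Inclusive set of addresses (as integers) from start to end."""
    return set(range(int(start), int(end) + 1))


def check_bridge_pool(lan, pool_start, pool_end):
    """Return the list of reasons the pool is unusable; an empty list means OK."""
    pool_start = ipaddress.IPv4Address(pool_start)
    pool_end = ipaddress.IPv4Address(pool_end)
    if pool_start > pool_end:
        return [f"pool start {pool_start} is after pool end {pool_end}"]
    pool = _span(pool_start, pool_end)
    problems = []

    # Every pool address must be a usable host address of the LAN subnet: the
    # bridge hands these out on the same wire, so another subnet, or the
    # network/broadcast address, would give a client an address it cannot use.
    usable = _span(lan.network.network_address + 1, lan.network.broadcast_address - 1)
    if not pool <= usable:
        problems.append(f"pool is not inside the usable host range of {lan.network}")

    # Overlap with DHCP would let the DHCP server hand the same address to a
    # local machine while a VPN client holds it: duplicate addresses on the LAN.
    if pool & _span(lan.dhcp_start, lan.dhcp_end):
        problems.append(f"pool overlaps the DHCP range {lan.dhcp_start}-{lan.dhcp_end}")

    # Fixed addresses (gateway, server-only host) must never go to a client.
    for host in lan.static_hosts:
        if int(host) in pool:
            problems.append(f"pool contains the fixed address {host}")
    return problems


def server_bridge_directive(gateway, lan, pool_start, pool_end):
    """OpenVPN 2.0 'server-bridge gateway netmask pool-start pool-end' line,
    the helper directive for bridged (tap) server mode."""
    return f"server-bridge {gateway} {lan.network.netmask} {pool_start} {pool_end}"


# Constructed values taken from the reply above: /24 LAN, gateway .1,
# server-only host .2, DHCP range .65-.250.
EXAMPLE_LAN = make_lan("192.168.45.0/24",
                       ("192.168.45.1", "192.168.45.2"),
                       "192.168.45.65", "192.168.45.250")

if __name__ == "__main__":
    for start, end in (("192.168.45.10", "192.168.45.50"),   # the reply's choice
                       ("192.168.45.60", "192.168.45.70"),   # runs into DHCP
                       ("192.168.45.1", "192.168.45.20"),    # swallows the gateway
                       ("192.168.46.10", "192.168.46.50")):  # wrong subnet
        problems = check_bridge_pool(EXAMPLE_LAN, start, end)
        print(f"{start}-{end}: {'OK' if not problems else '; '.join(problems)}")
    print(server_bridge_directive("192.168.45.1", EXAMPLE_LAN,
                                  "192.168.45.10", "192.168.45.50"))
```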
-
VIP
1) Reboot your server.
2) In Server Manager, verify that the Panel item shows that the daemon is running.
In my case, I think it was the Daemon not running that caused the problem. but now it is, and it is working. The service didn't appear to re-enable after applying on the OVPN Panel page.. and it took a reboot to make it work. But VIP, you're right, it is stable!
Thanks for making the contrib VIP, it's great!
Ok, I understand the problem now, you're right, a reboot was needed because of a permission problem on the startup and shutdown scripts. I don't quite understand why, because the rpm scriptlet should have set it correctly. Anyway, I've just corrected it and uploaded 1.0-3, please upgrade everyone, it should be ok this time. Sorry for the problem, I'm not an rpm guru yet :/
rpm -Uvh http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm
-
Vip-ire wrote
Ian, for beta5 and 1.0-2, is the daemon running or not?
Yes, unless there is something I am missing, the daemon is running.
When I open up server manager, this is the first thing I see:
Do you wan't to enable the service ?
Status: Enabled
When I open up "Users", I see this:
Account User name VPN Client Access Action
admin Local Administrator No Modify Reset Password
ian Ian McIntyre Yes Modify Reset Password
If I missed something let me know.
Regarding:
you ran a first time the command signal-event post-upgrade which seems to be ok, then you ran sh signal-event post-upgrade, I don't know why you ran this but it's 'normal' to have error message, signal-event don't have to be interpreted with sh
This came up on the screen after I ran the yum command, so I did it. Apparently I don't know sh** from Perls (couldn't resist pun :) )
Anyway, I will run upgrade and see what happens today.
Regarding your rpm knowledge, I still think it stands for revolutions per minute. Oscar Wilde said "Nothing worth learning can be taught" (rough quote).
Sincerely, thanks for help, keep up good work.
Ian
-
You can easily see if the daemon is running or not (independently from the status enabled or disabled because, for example, if the status is enabled and the IP address range not set correctly, the daemon won't start). At the top of the panel, just under the link 'Click here to view the last 100 lines of the log', you've got the real status. It can be:
- daemon is running, pid: xxxxx
- daemon not running
-
I ran the upgrade and was interested in the first couple of lines where is says "br0: unknown interface". Is this a problem?
[root@mcserver1 home]# rpm -Uvh http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm
Retrieving http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm
Preparing... ########################################### [100%]
Shutting down openvpn: br0: unknown interface: No such device
bridge br0 doesn't exist; can't delete it
Tue Dec 12 06:38:59 2006 TUN/TAP device tap0 opened
Tue Dec 12 06:38:59 2006 Persist state set to: OFF
Stopping dhcpd:[ OK ]
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
Starting dhcpd:[ OK ]
[ OK ]
1:smeserver-openvpn-bridg########################################### [100%]
Shutting down openvpn: br0: unknown interface: No such device
bridge br0 doesn't exist; can't delete it
Tue Dec 12 06:39:07 2006 TUN/TAP device tap0 opened
Tue Dec 12 06:39:08 2006 Persist state set to: OFF
Stopping dhcpd:[ OK ]
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
Starting dhcpd:[ OK ]
[ OK ]
-
It's a problem that has been corrected, don't pay attention to it. It's because the upgrade shuts down the service two times (the new rpm shuts it down before the install and the old one shuts it down after the uninstall). This is corrected in 1.0-3 so the next upgrade shouldn't have this little problem.
-
When I got to work this morning I tried to connect and got the following. After the last line of the log below, the username/password window returns. Almost as if my username/password is wrong but I am 99.73% certain that I have the correct username/password. I haven't changed it since beta 4 was working.
Tue Dec 12 09:26:32 2006 us=730627 chroot_dir = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=730650 cd_dir = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=730673 writepid = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=730696 up_script = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=730719 down_script = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=730742 down_pre = DISABLED
Tue Dec 12 09:26:32 2006 us=730765 up_restart = DISABLED
Tue Dec 12 09:26:32 2006 us=730788 up_delay = DISABLED
Tue Dec 12 09:26:32 2006 us=730810 daemon = DISABLED
Tue Dec 12 09:26:32 2006 us=730832 inetd = 0
Tue Dec 12 09:26:32 2006 us=730854 log = DISABLED
Tue Dec 12 09:26:32 2006 us=730877 suppress_timestamps = DISABLED
Tue Dec 12 09:26:32 2006 us=730900 nice = 0
Tue Dec 12 09:26:32 2006 us=730922 verbosity = 4
Tue Dec 12 09:26:32 2006 us=821314 mute = 0
Tue Dec 12 09:26:32 2006 us=821336 gremlin = 0
Tue Dec 12 09:26:32 2006 us=821348 status_file = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=821358 status_file_version = 1
Tue Dec 12 09:26:32 2006 us=821369 status_file_update_freq = 60
Tue Dec 12 09:26:32 2006 us=821380 occ = ENABLED
Tue Dec 12 09:26:32 2006 us=821389 rcvbuf = 0
Tue Dec 12 09:26:32 2006 us=821399 sndbuf = 0
Tue Dec 12 09:26:32 2006 us=821411 socks_proxy_server = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=821426 socks_proxy_port = 0
Tue Dec 12 09:26:32 2006 us=821437 socks_proxy_retry = DISABLED
Tue Dec 12 09:26:32 2006 us=821447 fast_io = DISABLED
Tue Dec 12 09:26:32 2006 us=821457 comp_lzo = ENABLED
Tue Dec 12 09:26:32 2006 us=821467 comp_lzo_adaptive = ENABLED
Tue Dec 12 09:26:32 2006 us=821478 route_script = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=821489 route_default_gateway = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=821499 route_noexec = DISABLED
Tue Dec 12 09:26:32 2006 us=832042 route_delay = 0
Tue Dec 12 09:26:32 2006 us=832059 route_delay_window = 30
Tue Dec 12 09:26:32 2006 us=832070 route_delay_defined = ENABLED
Tue Dec 12 09:26:32 2006 us=832081 management_addr = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=832092 management_port = 0
Tue Dec 12 09:26:32 2006 us=832102 management_user_pass = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=832114 management_log_history_cache = 250
Tue Dec 12 09:26:32 2006 us=832125 management_echo_buffer_size = 100
Tue Dec 12 09:26:32 2006 us=832136 management_query_passwords = DISABLED
Tue Dec 12 09:26:32 2006 us=832147 management_hold = DISABLED
Tue Dec 12 09:26:32 2006 us=832157 shared_secret_file = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=832168 key_direction = 2
Tue Dec 12 09:26:32 2006 us=832178 ciphername_defined = ENABLED
Tue Dec 12 09:26:32 2006 us=832189 ciphername = 'BF-CBC'
Tue Dec 12 09:26:32 2006 us=832200 authname_defined = ENABLED
Tue Dec 12 09:26:32 2006 us=832210 authname = 'SHA1'
Tue Dec 12 09:26:32 2006 us=842551 keysize = 0
Tue Dec 12 09:26:32 2006 us=842569 engine = DISABLED
Tue Dec 12 09:26:32 2006 us=842580 replay = ENABLED
Tue Dec 12 09:26:32 2006 us=842591 mute_replay_warnings = DISABLED
Tue Dec 12 09:26:32 2006 us=842602 replay_window = 64
Tue Dec 12 09:26:32 2006 us=842612 replay_time = 15
Tue Dec 12 09:26:32 2006 us=842624 packet_id_file = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=842634 use_iv = ENABLED
Tue Dec 12 09:26:32 2006 us=842645 test_crypto = DISABLED
Tue Dec 12 09:26:32 2006 us=842655 tls_server = DISABLED
Tue Dec 12 09:26:32 2006 us=842666 tls_client = ENABLED
Tue Dec 12 09:26:32 2006 us=842676 key_method = 2
Tue Dec 12 09:26:32 2006 us=842686 ca_file = 'ca.crt'
Tue Dec 12 09:26:32 2006 us=842697 dh_file = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=842707 cert_file = 'ian.crt'
Tue Dec 12 09:26:32 2006 us=842718 priv_key_file = 'ian.key'
Tue Dec 12 09:26:32 2006 us=842728 pkcs12_file = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=852215 cryptoapi_cert = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=852232 cipher_list = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=852244 tls_verify = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=852254 tls_remote = 'server'
Tue Dec 12 09:26:32 2006 us=852265 crl_file = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=852275 ns_cert_type = 64
Tue Dec 12 09:26:32 2006 us=852285 tls_timeout = 2
Tue Dec 12 09:26:32 2006 us=852296 renegotiate_bytes = 0
Tue Dec 12 09:26:32 2006 us=852306 renegotiate_packets = 0
Tue Dec 12 09:26:32 2006 us=852317 renegotiate_seconds = 3600
Tue Dec 12 09:26:32 2006 us=852327 handshake_window = 60
Tue Dec 12 09:26:32 2006 us=852338 transition_window = 3600
Tue Dec 12 09:26:32 2006 us=852348 single_session = DISABLED
Tue Dec 12 09:26:32 2006 us=852358 tls_exit = DISABLED
Tue Dec 12 09:26:32 2006 us=852369 tls_auth_file = 'ta.key'
Tue Dec 12 09:26:32 2006 us=852392 server_network = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862820 server_netmask = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862841 server_bridge_ip = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862854 server_bridge_netmask = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862866 server_bridge_pool_start = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862879 server_bridge_pool_end = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862890 ifconfig_pool_defined = DISABLED
Tue Dec 12 09:26:32 2006 us=862902 ifconfig_pool_start = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862914 ifconfig_pool_end = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862926 ifconfig_pool_netmask = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=862939 ifconfig_pool_persist_filename = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=862951 ifconfig_pool_persist_refresh_freq = 600
Tue Dec 12 09:26:32 2006 us=862962 ifconfig_pool_linear = DISABLED
Tue Dec 12 09:26:32 2006 us=862973 n_bcast_buf = 256
Tue Dec 12 09:26:32 2006 us=862983 tcp_queue_limit = 64
Tue Dec 12 09:26:32 2006 us=862994 real_hash_size = 256
Tue Dec 12 09:26:32 2006 us=873239 virtual_hash_size = 256
Tue Dec 12 09:26:32 2006 us=873256 client_connect_script = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=873269 learn_address_script = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=873281 client_disconnect_script = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=873292 client_config_dir = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=873303 ccd_exclusive = DISABLED
Tue Dec 12 09:26:32 2006 us=873313 tmp_dir = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=873324 push_ifconfig_defined = DISABLED
Tue Dec 12 09:26:32 2006 us=873336 push_ifconfig_local = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=873349 push_ifconfig_remote_netmask = 0.0.0.0
Tue Dec 12 09:26:32 2006 us=873360 enable_c2c = DISABLED
Tue Dec 12 09:26:32 2006 us=873370 duplicate_cn = DISABLED
Tue Dec 12 09:26:32 2006 us=873380 cf_max = 0
Tue Dec 12 09:26:32 2006 us=873390 cf_per = 0
Tue Dec 12 09:26:32 2006 us=873400 max_clients = 1024
Tue Dec 12 09:26:32 2006 us=882357 max_routes_per_client = 256
Tue Dec 12 09:26:32 2006 us=882374 client_cert_not_required = DISABLED
Tue Dec 12 09:26:32 2006 us=882387 username_as_common_name = DISABLED
Tue Dec 12 09:26:32 2006 us=882399 auth_user_pass_verify_script = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=882411 auth_user_pass_verify_script_via_file = DISABLED
Tue Dec 12 09:26:32 2006 us=882422 client = DISABLED
Tue Dec 12 09:26:32 2006 us=882432 pull = ENABLED
Tue Dec 12 09:26:32 2006 us=882443 auth_user_pass_file = 'stdin'
Tue Dec 12 09:26:32 2006 us=882457 show_net_up = DISABLED
Tue Dec 12 09:26:32 2006 us=882467 route_method = 0
Tue Dec 12 09:26:32 2006 us=882478 ip_win32_defined = DISABLED
Tue Dec 12 09:26:32 2006 us=882489 ip_win32_type = 3
Tue Dec 12 09:26:32 2006 us=882499 dhcp_masq_offset = 0
Tue Dec 12 09:26:32 2006 us=882510 dhcp_lease_time = 31536000
Tue Dec 12 09:26:32 2006 us=882520 tap_sleep = 0
Tue Dec 12 09:26:32 2006 us=882530 dhcp_options = DISABLED
Tue Dec 12 09:26:32 2006 us=892645 dhcp_renew = DISABLED
Tue Dec 12 09:26:32 2006 us=892663 dhcp_pre_release = DISABLED
Tue Dec 12 09:26:32 2006 us=892673 dhcp_release = DISABLED
Tue Dec 12 09:26:32 2006 us=892683 domain = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=892694 netbios_scope = '[UNDEF]'
Tue Dec 12 09:26:32 2006 us=892704 netbios_node_type = 0
Tue Dec 12 09:26:32 2006 us=892715 disable_nbt = DISABLED
Tue Dec 12 09:26:32 2006 us=892736 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Is this helpful?
-
The last lines of the server's log (you can get it through the panel) would be more helpful. Just do the following:
- restart openvpn-bridge (/etc/init.d/openvpn-bridge restart)
- try to connect again (it should do the same error)
- go into the server manager and copy/paste the last 30~40 lines of the logs
-
Hi VIP-ire,
This is my setup:
SME Server set as server/gateway = 10.0.0.1 Subnet: 255.0.0.0
DHCP Range on this server = 10.0.0.65 - 10.0.0.250
Test server in server only mode = 10.0.0.2 (DHCP turned off)
Ethernet Print Server = 10.0.0.20
Wireless Access = 10.0.0.10
One Local machine = 10.0.0.21
OpenVPN Range = 10.0.0.50 - 10.0.0.60 (OpenVPN is set for a max of 5 users)
But the server-manager panel still says that the Daemon is NOT running, can you tell me if I am missing something :?
Thanks.
Regards,
Del
-
Del wrote:
Hi VIP-ire,
This is my setup:
SME Server set as server/gateway = 10.0.0.1 Subnet: 255.0.0.0
DHCP Range on this server = 10.0.0.65 - 10.0.0.250
Test server in server only mode = 10.0.0.2 (DHCP turned off)
Ethernet Print Server = 10.0.0.20
Wireless Access = 10.0.0.10
One Local machine = 10.0.0.21
OpenVPN Range = 10.0.0.50 - 10.0.0.60 (OpenVPN is set for a max of 5 users)
But the server-manager panel still says that the Daemon is NOT running, can you tell me if I am missing something :?
Thanks.
Regards,
Del
Your configuration seems to be ok. You should have a look at your log to see why the daemon cannot start. The log of the server is accessible through the panel. You can post the log or send it to me by mail (daniel@firewall-services.com), I'll try to see what's going on.
-
Del,
1) Which version of the panel are you running?
2) Have you created the Certificates yet?
3) Since the install, have you done a reboot... enabling / disabling the service does not restart the daemon.
-
AndrewR wrote:
Del,
1) Which version of the panel are you running?
2) Have you created the Certificates yet?
3) Since the install, have you done a reboot... enabling / disabling the service does not restart the daemon.
Yes, I forgot to ask which version you're running. You should use 1.0-3 which I released this morning. It does correct the problem of the daemon not restarting without rebooting.
-
Hi AndrewR,
1) Which version of the panel are you running?
I installed smeserver-openvpn-bridge-fws-1.0-2
2) Have you created the Certificates yet?
Yes, but I have tried a couple of different IP ranges so do they need to be recreated?
3) Since the install, have you done a reboot... enabling / disabling the service does not restart the daemon.
I have rebooted a couple of times but it doesn't make any difference :shock:
Thanks for your response.
Regards,
Del
-
Del,
If I were you, this is what I would do:
1) Run the upgrade to 1.03
2) delete all Certificates. Create new ones.
3) Pick one range and stick to it. Make sure the range of IPs chosen is OUTSIDE your DHCP range, otherwise you could run into addressing conflicts. So, for example, if your network's DHCP address range runs from 10.0.0.50-10.0.0.150, then make your VPN addresses be from 10.0.0.151-10.0.0.175 (or however many clients you need). ***NOTE: if your SME Server is the DHCP server for the network, then disregard. But if you are using another server as a DHCP (eg a Windows Server in an Active Directory Setup) then you may want to do this. ***
4) Reconfigure all your clients with the new certificates and configuration files.
If that doesn't work... then uninstall OVPN and do a clean install. It sounds like some corrupt information and / or incomplete information, so the Daemon isn't starting due to the fact not everything is in order.
Cheers and good luck.
-
Vip-ire wrote:
The last lines of the server's log (you can get it through the panel) would be more helpful. Just do the following:
- restart openvpn-bridge (/etc/init.d/openvpn-bridge restart)
- try to connect again (it should do the same error)
- go into the server manager and copy/paste the last 30~40 lines of the logs
I am at work now so this will have to wait until tonight/tomorrow morning.
-
Hi All,
I have now uninstalled the rpms, where can I get smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm from? The link still downloads smeserver-openvpn-bridge-fws-1.0-2.noarch.rpm :shock: and are the other 2 rpms the same? One other question, can I put the rpms in their own directory and then install them? Only I like to keep things tidy :D Thanks.
Regards,
Del
-
You will find everything about smeserver-openvpn-bridge-fws here: http://sme.firewall-services.com/downloads/smeserver-openvpn/
Of course, you can download it, put it in the directory you want and then install locally with rpm -Uvh /path/to/the/rpm
or
yum localinstall /path/to/the/rpm
-
Hi VIP-ire,
I have now installed again, but the daemon is still not running :shock: Also the old certs are still there, can you tell me how to delete all of them so I can then recreate them and see if that helps :?
This is the log:
Tue Dec 12 18:26:07 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Tue Dec 12 18:26:07 2006 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Dec 12 18:26:07 2006 Diffie-Hellman initialized with 1024 bit key
Tue Dec 12 18:26:07 2006 Cannot load certificate file easy-rsa/keys/bridge/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Dec 12 18:26:07 2006 Exiting
Tue Dec 12 18:54:54 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Tue Dec 12 18:54:54 2006 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Dec 12 18:54:54 2006 Diffie-Hellman initialized with 1024 bit key
Tue Dec 12 18:54:54 2006 Cannot load certificate file easy-rsa/keys/bridge/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Dec 12 18:54:54 2006 Exiting
Tue Dec 12 18:58:40 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Tue Dec 12 18:58:40 2006 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Dec 12 18:58:40 2006 Diffie-Hellman initialized with 1024 bit key
Tue Dec 12 18:58:40 2006 Cannot load certificate file easy-rsa/keys/bridge/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Dec 12 18:58:40 2006 Exiting
Sorry for being a pain :roll:
Regards,
Del
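Added example, not from this thread or from the contrib: a small Python triage script for OpenVPN 2.0.x server log lines like the ones Del posts above and Ian posts further down. Both failures end with the client being asked for its password again, so it helps to classify the server side first. The sample lines are constructed in the shape of the posted excerpts (a documentation-range address stands in for the real one); the labels and hints are mine, not OpenVPN's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the OpenVPN 2.0.x server log excerpts
# quoted in this thread; 203.0.113.10 is a documentation address, not a real peer.
SAMPLE_LOG = """\
Tue Dec 12 18:26:07 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Tue Dec 12 18:26:07 2006 Diffie-Hellman initialized with 1024 bit key
Tue Dec 12 18:26:07 2006 Cannot load certificate file easy-rsa/keys/bridge/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Dec 12 18:26:07 2006 Exiting
Wed Dec 13 11:39:07 2006 203.0.113.10:53670 VERIFY OK: depth=0, /C=CA/O=Example/OU=VPN/CN=ian
Wed Dec 13 11:39:07 2006 203.0.113.10:53670 TLS: Username/Password authentication succeeded for username 'ian'
Wed Dec 13 11:39:07 2006 203.0.113.10:53670 TLS Auth Error: --client-config-dir authentication failed for common name 'ian' file='ccd-bridge/ian'
Wed Dec 13 11:39:08 2006 203.0.113.10:53670 SENT CONTROL [ian]: 'AUTH_FAILED' (status=1)
"""


@dataclass
class Finding:
    kind: str      # short label for the condition (my naming, not OpenVPN's)
    subject: str   # the file name or common name the log line is about
    hint: str      # what to check on the server


# Message shapes taken from the OpenVPN 2.0.x server logs quoted in this thread.
RULES = [
    (re.compile(r"Cannot load certificate file (\S+):.*no start line"),
     "server_cert_unreadable",
     "server certificate has no PEM block (empty or not a certificate); the daemon exits, regenerate the certificates"),
    (re.compile(r"TLS Auth Error: --client-config-dir authentication failed for common name '([^']+)'"),
     "ccd_rejected",
     "TLS and username/password both passed; the per-client file in the ccd directory is missing or carries --disable"),
    (re.compile(r"SENT CONTROL \[([^\]]+)\]: 'AUTH_FAILED'"),
     "auth_failed_sent",
     "the client is told AUTH_FAILED and re-prompts for credentials even when the real cause is the ccd file"),
    (re.compile(r"Username/Password authentication succeeded for username '([^']+)'"),
     "user_pass_ok",
     "PAM accepted the credentials, so a later failure is not a password problem"),
]


def triage(log_text: str) -> List[Finding]:
    """Classify every line that matches one of RULES; first matching rule wins."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        for pattern, kind, hint in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(kind, m.group(1), hint))
                break
    return findings


def root_cause(findings: List[Finding]) -> Optional[Finding]:
    """Pick the finding to act on first: a daemon that never starts beats a
    per-client rejection, which in turn explains the AUTH_FAILED the client sees."""
    by_kind = {f.kind: f for f in findings}
    for kind in ("server_cert_unreadable", "ccd_rejected", "auth_failed_sent"):
        if kind in by_kind:
            return by_kind[kind]
    return None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.subject:36} {f.hint}")
    cause = root_cause(triage(SAMPLE_LOG))
    print("act on:", cause.kind if cause else "nothing found")
```

Run it against the output of the panel's "last 100 lines of the log" link; the order of the rules in `root_cause` encodes the troubleshooting order used in this thread (server certificate first, then the ccd file, then the client-side symptom).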
-
Del wrote:
Hi VIP-ire,
I have now installed again, but the daemon is still not running :shock: Also the old certs are still there, can you tell me how to delete all of them so I can then recreate them and see if that helps :?
Del,
To Delete Certificates:
1) Go to the OpenVPN section in Server Manager.
2) At the top, there is a link that Says:
Click here to manage the certificates
Click on that link.
3) On the page that loads, click on the link that reads as follows:
Click here to delete all the certificate and regenerate it
4) This will delete all your certificates, and create a new Server Certificate, ta.key, and a Diffie-Hellman key.
5) You will need to MANUALLY create NEW certificates for all of your users. Make sure you update your client installs with the new certificates and keys, and config file.
Hope this helps.
-
Hi AndrewR,
I have done that and recreated them but it is still the same. I noticed from the last log that my time zone was set to GMT and not EST, so I have put that right although I didn't think it would have anything to do with my problem. This is the new log:
Tue Dec 12 14:11:09 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Tue Dec 12 14:11:09 2006 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Dec 12 14:11:09 2006 Diffie-Hellman initialized with 1024 bit key
Tue Dec 12 14:11:09 2006 Cannot load certificate file easy-rsa/keys/bridge/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Dec 12 14:11:09 2006 Exiting
I must be doing something wrong :cry: Is there a way I can start the daemon manually? Thanks again.
Regards,
Del
-
Del,
It looks like your Certs are not deleting correctly... I encountered a similar problem when I first tried Beta4.. and it seems so long ago. Ultimately.. I had to reinstall SME entirely, and then do a fresh install of OVPN. That was fairly easy for me to do, since I was using SME in server only mode, and its only role is to be the OVPN server. If that's all you're using your SME server for... well... I would suggest doing a complete reinstall of SME (wipe the drive, install from scratch) and then do the OVPN install.
If you're using SME for more than that... hmm... I dunno. Anybody got any suggestions, to see if we can "force" the daemon to start?
-
When you were removing openvpn, did you delete the entire /etc/openvpn folder? That is what I did when I changed from routing to bridge, and things went pretty well.
Bob
-
Hi Bob,
Bob wrote:
When you were removing openvpn, did you delete the entire /etc/openvpn folder? That is what I did when I changed from routing to bridge, and things went pretty well.
No I didn't :shock: But I have removed all three rpms, deleted the entire /etc/openvpn folder, rebooted for good measure, reinstalled the rpms, created the cert and it works :D So I still don't know what I did wrong :? but it is now saying the daemon is running. I just need to try and connect from my client :D I will let you know the outcome :D
Regards,
Del
-
Well, I'm glad it's finally working for you (or at least, the daemon is running). But I still wonder why the certificate generation doesn't work all the time. I cannot understand it. I had some problems with the previous beta, but since beta4, I never had a problem with the generation. Del, can you please send me your file /var/log/httpd/admin_error_log by mail so I can try to understand the problem.
-
Hi VIP-ire,
Vip-ire wrote:
Del, can you please send me your file /var/log/httpd/admin_error_log by mail so I try to understand the problem.
Email sent, I hope it helps.
Regards,
Del
-
@ VIP-ire
I am just considering installing your contrib "smeserver-openvpn-bridge-fws-1.0-3.noarch" during the christmas holidays. As of today, I have installed OPENVPN according to SWERTS-Knudsen - and it works (SAMBA shares etc), however I can get through the firewall to get access to the network printer or to my workstation in the company office. Say I have to modify the IP-tables...and I don't like that too much.
Does the OpenVPN bridge mode mean that I can get through the firewall of the SME server and e.g. start a print job from the home office for the network printer in the company office or access my office computer without "touching" the IP-table rules of the SME server??
Would be great if you can enlighten me...
thanx
gerd
-
Yes you can, my contrib uses bridge mode which means that when you are connected to the VPN (from anywhere outside your network), it's exactly as if you were in your local network: you have an IP address in the same subnet as your local network so there's no need to modify iptables. You can access every host of your internal network, every printer, every service. The only difference is the bandwidth. That's why I worked on the bridge mode, because SME's iptables rules are quite hard to modify.
-
Bon dieu, c'est vraiement une réponse rapide.
Jesus, what a quick reply. So first of all thanx.
What do you mean by "The only difference is the bandwidth"? Does this mean that the routed network connection needs higher bandwidth, hence lower transmission speed??
Any concerns as to security routed VPN versus Bridge Mode VPN???
regards
gerd
-
I mean, when you're connected through the VPN, it's just as if you were on your local network but you have less bandwidth because it uses your internet connection. If you have a 100Mb internet connection, it'll be exactly the same, but I don't think so. For the security, I spent a lot of time to improve it since the first beta. I think it's now quite secure (depending on the authentication method you choose, the size of the key, the strength of the passwords and of course, the way you deploy the certificates: they must be kept secret). But it's more for mobile clients than for site-to-site connections; even if it can work, it's not optimized.
-
Is it mandatory that the local network uses DHCP?? In the company office for the moment I use fix IP fm 192.168.yy.1xx to 192.168.yy.200 . For the VPN address range I have opted for 192.168.yy.060 to 192.168.yy.70. Number of clients allowed at the same time: 4.
Possible / not possible??
best regards
gerd
-
Seems to be ok, if nobody uses the range 192.168.yy.60 to 192.168.yy.70 (nor DHCP neither fixed IP), it's ok.
-
gerd wrote:
Is it mandatory that the local network uses DHCP?? In the company office for the moment I use fix IP fm 192.168.yy.1xx to 192.168.yy.200 . For the VPN address range I have opted for 192.168.yy.060 to 192.168.yy.70. Number of clients allowed at the same time: 4.
Possible / not possible??
best regards
gerd
It's never mandatory to use DHCP... but you sure make your life hell if there's a change on the network. In your office... how many machines are there? If you're using all 100 addresses... that's a lot of unnecessary work. Depending on your infrastructure.. configuring DHCP can save you a lot of time as the administrator to focus on more important aspects like security, infrastructure upgrades / maintenance, etc... Why are you not using DHCP?
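Added example, not from this thread or from the contrib: AndrewR's advice above (keep the VPN pool outside the DHCP range), Daniel's answer to gerd (the pool is fine as long as nobody uses it, fixed or DHCP) and Del's earlier setup all boil down to one check that is easy to get wrong by hand on a /8. This Python script runs that check: the pool must sit inside the LAN subnet, must not overlap the DHCP range or any static host, and must hold at least as many addresses as clients are allowed. The sample values are Del's posted setup; the function names and the second, deliberately colliding pool are mine.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

IPRange = Tuple[str, str]  # inclusive first/last dotted quad, as the panel asks for it

# Del's setup as posted in this thread (server/gateway 10.0.0.1 with netmask 255.0.0.0).
DEL_LAN = "10.0.0.1/255.0.0.0"
DEL_DHCP: IPRange = ("10.0.0.65", "10.0.0.250")
DEL_VPN: IPRange = ("10.0.0.50", "10.0.0.60")
DEL_STATIC: Dict[str, str] = {
    "gateway": "10.0.0.1",
    "test-server": "10.0.0.2",
    "wireless": "10.0.0.10",
    "print-server": "10.0.0.20",
    "local-pc": "10.0.0.21",
}
DEL_MAX_CLIENTS = 5


def ip_range(first: str, last: str) -> Set[ipaddress.IPv4Address]:
    """Expand an inclusive range into a set of addresses (fine for LAN-sized ranges)."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if b < a:
        raise ValueError(f"range {first}-{last} is reversed")
    return {ipaddress.IPv4Address(i) for i in range(int(a), int(b) + 1)}


def check_vpn_pool(lan: str, dhcp: Optional[IPRange], vpn: IPRange,
                   static_hosts: Dict[str, str], max_clients: int) -> List[str]:
    """Return a list of problems; an empty list means the pool is safe to use."""
    net = ipaddress.IPv4Network(lan, strict=False)   # accepts "addr/netmask" and masks host bits
    pool = ip_range(*vpn)
    problems: List[str] = []

    # Bridge mode hands clients a LAN address, so the pool must lie inside the LAN subnet.
    outside = sorted(ip for ip in pool if ip not in net)
    if outside:
        problems.append(f"VPN pool leaves LAN {net}, first stray address {outside[0]}")

    # One address per concurrently connected client.
    if len(pool) < max_clients:
        problems.append(f"pool holds {len(pool)} addresses but {max_clients} clients are allowed")

    # Overlap with a DHCP range (only a concern when another box hands out leases,
    # or when this server's range was set by hand).
    if dhcp is not None:
        overlap = pool & ip_range(*dhcp)
        if overlap:
            problems.append(f"{len(overlap)} VPN addresses collide with the DHCP range {dhcp[0]}-{dhcp[1]}")

    # A fixed-IP host inside the pool would fight a VPN client for its address.
    for name, addr in static_hosts.items():
        if ipaddress.IPv4Address(addr) in pool:
            problems.append(f"static host {name} ({addr}) sits inside the VPN pool")

    return problems


if __name__ == "__main__":
    print("Del's pool:", check_vpn_pool(DEL_LAN, DEL_DHCP, DEL_VPN, DEL_STATIC, DEL_MAX_CLIENTS) or "ok")
    # A constructed bad choice: the same LAN with a pool that reaches into the DHCP range.
    print("bad pool:  ", check_vpn_pool(DEL_LAN, DEL_DHCP, ("10.0.0.60", "10.0.0.70"), DEL_STATIC, 5))
```

With Del's values the check comes back clean, which agrees with Daniel's "your configuration seems to be ok" earlier in the thread; the daemon problem there was elsewhere (the certificates).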
-
Hi VIP-ere,
Well I tried to connect today and had no luck, so I just turned off my test server and installed openvpn on my server/gateway and I connected straight away :D I must admit that I have never had much luck with port forwarding in SME, I couldn't get SAIL/Asterisk to work on my test server, but that worked OK as soon as I installed on my main server :shock: So thanks for all your help and hard work with this contrib, I look forward to using my network even when I am away 8)
Regards,
Del
-
Vip-ire wrote:
The last lines of the server's log (you can get it through the panel) would be more helpful. Just do the following:
- restart openvpn-bridge (/etc/init.d/openvpn-bridge restart)
- try to connect again (it should do the same error)
- go into the server manager and copy/paste the last 30~40 lines of the logs
I restarted openvpn-bridge as above and got the following (which looks okay):
[root@mcserver1 etc]# /etc/init.d/openvpn-bridge restart
Shutting down openvpn: Tue Dec 12 21:38:39 2006 TUN/TAP device tap0 opened
Tue Dec 12 21:38:39 2006 Persist state set to: OFF
Stopping dhcpd: [ OK ]
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
Starting dhcpd: [ OK ]
[ OK ]
Starting openvpn: Tue Dec 12 21:38:47 2006 TUN/TAP device tap0 opened
Tue Dec 12 21:38:47 2006 Persist state set to: ON
Stopping dhcpd: [ OK ]
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
Starting dhcpd: [ OK ]
[ OK ]
[root@mcserver1 etc]#
I tried to connect again today and got the same problem, the username and password window keeps popping up. This is all of my log from today:
Wed Dec 13 11:39:05 2006 MULTI: multi_create_instance called
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Re-using SSL/TLS context
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 LZO compression initialized
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Data Channel MTU parms [ L:1578 D:1400 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Local Options hash (VER=V4): '8f3da10b'
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 Expected Remote Options hash (VER=V4): 'a257ef04'
Wed Dec 13 11:39:06 2006 207.245.239.187:53670 TLS: Initial packet from 207.245.239.187:53670, sid=cf27f5cc af1c7310
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 CRL CHECK OK: /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 VERIFY OK: depth=1, /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 CRL CHECK OK: /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 VERIFY OK: depth=0, /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 TLS: Username/Password authentication succeeded for username 'ian'
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 TLS Auth Error: --client-config-dir authentication failed for common name 'ian' file='ccd-bridge/ian'
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 13 11:39:07 2006 207.245.239.187:53670 [ian] Peer Connection Initiated with 207.245.239.187:53670
Wed Dec 13 11:39:08 2006 207.245.239.187:53670 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 13 11:39:08 2006 207.245.239.187:53670 SENT CONTROL [ian]: 'AUTH_FAILED' (status=1)
Wed Dec 13 11:39:08 2006 207.245.239.187:53670 Delayed exit in 5 seconds
Wed Dec 13 11:39:13 2006 207.245.239.187:53670 SIGTERM[soft,delayed-exit] received, client-instance exiting
Wed Dec 13 11:39:31 2006 MULTI: multi_create_instance called
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Re-using SSL/TLS context
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 LZO compression initialized
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Data Channel MTU parms [ L:1578 D:1400 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Local Options hash (VER=V4): '8f3da10b'
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 Expected Remote Options hash (VER=V4): 'a257ef04'
Wed Dec 13 11:39:31 2006 207.245.239.187:53688 TLS: Initial packet from 207.245.239.187:53688, sid=dcdfa94f 91218fda
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 CRL CHECK OK: /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 VERIFY OK: depth=1, /C=CA/ST=Canada/L=Toronto/O=McIntyres/OU=VPN/CN=server-bridge/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 CRL CHECK OK: /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 VERIFY OK: depth=0, /C=CA/ST=Canada/O=McIntyres/OU=VPN/CN=ian/emailAddress=ianmcintyre@sympatico.ca
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 TLS: Username/Password authentication succeeded for username 'ian'
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 TLS Auth Error: --client-config-dir authentication failed for common name 'ian' file='ccd-bridge/ian'
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 13 11:39:32 2006 207.245.239.187:53688 [ian] Peer Connection Initiated with 207.245.239.187:53688
Wed Dec 13 11:39:33 2006 207.245.239.187:53688 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 13 11:39:33 2006 207.245.239.187:53688 SENT CONTROL [ian]: 'AUTH_FAILED' (status=1)
Wed Dec 13 11:39:33 2006 207.245.239.187:53688 Delayed exit in 5 seconds
Wed Dec 13 11:39:39 2006 207.245.239.187:53688 SIGTERM[soft,delayed-exit] received, client-instance exiting
It says on the sme server manager page that "daemon is running, pid: 5102". I didn't notice this before and you had asked if the daemon is running so I guess I can answer yes.
Thanks in advance for your help.
Ian
-
ok, now I've got a better idea of what's going wrong (I still don't know exactly). Here is the problem:
TLS Auth Error: --client-config-dir authentication failed for common name 'ian' file='ccd-bridge/ian'
It's because, as additional security, I prevent any user who doesn't have a specific configuration file in /etc/openvpn/ccd-bridge from connecting. These configuration files should be generated automatically according to the authentication method:
- for methods 1 and 3, it uses the user accounts. Each user who has VPNClientAccess=yes will have a configuration file, the others will have one with the directive --disable, and this is how the access is controlled with the VPNClientAccess variable. For methods 1 and 3, the CN of the user is set to its login and the CN of the certificate (if used with method 3) is ignored, so the configuration file name must match the login of the user.
- for methods 2 and 4, the client certificates are used to generate the config files. A file is generated only for non-revoked certificates of course, the revoked ones have a file with the directive --disable. For those two methods, the CN is set to the CN of the certificate presented, so the configuration file name must match the CN of the certificate presented.
You can have a look at the template /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/.config if you want, I think it'll be easier for you to understand how it works.
Now, look at your directory /etc/openvpn/ccd-bridge and which configuration files are present. If there's no 'ian' file, there's a problem somewhere, try the following:
expand-template /etc/openvpn/ccd-bridge/.config
and if there's still no 'ian' file, report it here.
If there's a 'ian' file, it will probably have the directive --disable, which means either:
- you use method 1 or 3 and you don't have VPNClientAccess set to yes
- you use method 2 or 4 and your certificate is marked as revoked
Del wrote:
Hi VIP-ere,
Well I tried to connect today and had no luck, so I just turned off my test server and installed openvpn on my server/gateway and I connected straight away Very Happy I must admit that I have never had much luck with port forwarding in SME, I couldn't get SAIL/Asterisk to work on my test server, but that worked OK as soon as I installed on my main server Shocked So thanks for all your help and hard work with this contrib, I look forward to using my network even when I am away Cool
Regards,
Del
Quite strange, I think it's a port redirection problem because I developed it on a server-only SME and everything seems to work (but I tested most of the functions in server & gateway mode so maybe I forgot something). Does anyone else use server-only mode and can tell if it's working or not please?
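Added example, not from this thread or from the contrib (the contrib generates these files from an e-smith template, which is not reproduced here): a Python model of the per-client config mechanism Daniel describes above. `generate_ccd` builds the file set for each authentication method (1/3 keyed on the user login and the VPNClientAccess flag, 2/4 keyed on the certificate CN and its revocation state), and `ccd_decision` mirrors what OpenVPN does with such a directory when the server refuses clients without a file: no file means rejection, a file carrying `--disable` means rejection, anything else is accepted. The users, certificates and the netmask are constructed sample data; the assumption that an allowed client without a fixed address gets an empty file is mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    login: str
    vpn_client_access: bool          # the VPNClientAccess=yes/no property from the thread
    fixed_ip: Optional[str] = None   # pushed with --ifconfig-push; None = take one from the pool


@dataclass
class Cert:
    cn: str
    revoked: bool
    fixed_ip: Optional[str] = None


# Constructed sample data (not real accounts or certificates).
USERS = [
    User("ian", vpn_client_access=True, fixed_ip="192.168.7.200"),
    User("bob", vpn_client_access=False),
]
CERTS = [
    Cert("ian", revoked=False, fixed_ip="192.168.7.200"),
    Cert("old-laptop", revoked=True),
]
NETMASK = "255.255.255.0"


def _client_file(allowed: bool, fixed_ip: Optional[str], netmask: str) -> str:
    """Contents of one per-client file, using the two directives seen in this thread."""
    if not allowed:
        return "--disable\n"
    if fixed_ip:
        return f"--ifconfig-push {fixed_ip} {netmask}\n"
    return ""  # assumption: an empty file leaves address assignment to the server pool


def generate_ccd(method: int, users: List[User], certs: List[Cert],
                 netmask: str, server_cn: str = "server") -> Dict[str, str]:
    """Map file name -> file contents for the ccd directory, per authentication method."""
    if method not in (1, 2, 3, 4):
        raise ValueError("authentication method must be 1, 2, 3 or 4")
    ccd: Dict[str, str] = {}
    if method in (1, 3):
        # CN is the login; the certificate CN (method 3) is ignored.
        for u in users:
            ccd[u.login] = _client_file(u.vpn_client_access, u.fixed_ip, netmask)
    else:
        # CN is the certificate CN; revoked certificates get --disable.
        for c in certs:
            ccd[c.cn] = _client_file(not c.revoked, c.fixed_ip, netmask)
    # The server's own CN is never a client; Daniel notes later in the thread that
    # the generated 'server' file should carry --disable rather than a pushed address.
    ccd[server_cn] = "--disable\n"
    return ccd


def ccd_decision(ccd: Dict[str, str], cn: str) -> str:
    """What the server does with a client whose TLS and password checks already passed."""
    if cn not in ccd:
        return "reject: no per-client file (ccd-exclusive)"
    if "--disable" in ccd[cn].split():
        return "reject: --disable"
    return "accept"


if __name__ == "__main__":
    for method in (1, 2):
        ccd = generate_ccd(method, USERS, CERTS, NETMASK)
        print(f"method {method}: files {sorted(ccd)}")
        for cn in ("ian", "bob", "old-laptop", "server", "mallory"):
            print(f"  {cn:10} -> {ccd_decision(ccd, cn)}")
```

Reading Ian's log with this in hand: "Username/Password authentication succeeded" followed by "--client-config-dir authentication failed for common name 'ian'" is the `ccd_decision` step rejecting, so the fix is on the server in the ccd directory, not in the client's credentials.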
-
Vip-ire
Some "interesting" results to your instructions.
Vip-ire wrote: expand-template /etc/openvpn/ccd-bridge/.config
I tried this at the root log in with no obvious result. I went into the directory and found two files ian and server. I went into midnight commander and found 3 files, .config, ian, and server.
The contents of .config are: This file is only used to generate the per client config file
The contents of ian are: --ifconfig-push 192.168.7.200 255.255.255.0
The contents of server are: --ifconfig-push 192.168.7.200 255.255.255.0
I noticed that they were identical, so I checked again to confirm and they are.
I went back through your instructions:You can have a look at the template /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/.config if you wan't, I think it'll be easier for you to understand how it works.
I changed directories to look at the .config file and found there was nothing in the directory:[root@mcserver1 ~]# cd /etc/e-smith/templates-custom/etc/openvpn/ccd-bridge/
[root@mcserver1 ccd-bridge]# ls
[root@mcserver1 ccd-bridge]#
I checked my vpn status in the SME Server manager page as follows:ian Ian McIntyre Yes Modify Reset password Lock account Remove
I checked the status of Openvpn and got the following:daemon is running, pid: 5102
Do you wan't to enable the service ?
Status: Enabled
I hope that this is helpful, thanks again for your patience
-
The .config file is normal, don't touch it; I didn't find a way to generate all the config files without it. The most interesting thing is the content of the file ian.
Please try a
cat /etc/openvpn/ccd-bridge/ian
and post the result.
I noticed a little error in the template .config which generates all the config files, but it has nothing to do with your problem; it's just that the config file server should have the directive --disable.
-
I will post the result tonight. The ip address is the one that I specified "ian" to use when using the vpn. I thought the server file content was the issue.
-
Ian, for you and for others... the following is a good way to be able to test connections without having to wait days in between:
1) On the workstation that is connecting to the VPN server, if it is running Windows XP or later, enable Remote Desktop. If that workstation is behind a router, give it a static private address, and then on your router forward port 3389 to that address / machine. Then all you need to know is your public address from your ISP... and you can connect to your workstation from any machine that has the Remote Desktop Client installed (Windows XP and Server 2003 have it built in; otherwise it can be downloaded from Microsoft).
2) Remotely connect to your workstation, and then using the GUI, try connecting to the VPN. If it works, great. if not, well.. you can make changes without having to wait a day to do so.
I used this to setup my VPN and test... and it probably cut down the "development" time by several days.
-
Andrew;
My set up is as follows:
modem
|
|
SME Server
in gateway/server mode
|
|
wireless router
|
|
various wireless pc's and xbox.
Will your suggestion work with this setup?
Thanks for your suggestion
Ian
-
Yes, it should. The rules get fun... but it's not impossible.
One question: does your wireless router do NAT as well, or are your PCs and Xbox on the same subnet as the SME server?
So... in plain English... if the address of the SME server is 192.168.1.1, do the PCs etc. have addresses of 192.168.1.x?
If not, well, all we need to do is port forwarding twice. Not hard... but it means your wireless router will also need a static address on its WAN port. To give you an idea of my own home setup:
MODEM
___|
LINUX ROUTER (currently running ClarkConnect, going to be upgraded to SME)
___|
--------------------------SWITCH---------------------
|.....................................|.............................|
ROOMMATE..................WIRELESS...............ROUTERa
.................................................................|
.................................................................Private Network (PC,
.................................................................printers, etc)
The Linux router has a subnet of 192.168.66.0. RouterA has a WAN address of 192.168.66.101 and an internal network of 192.168.3.0. The wireless is on its own subnet (192.168.4.0).
My rules, in basic form, for remote access look like this:
1) On the Linux router: port 12000 (TCP and UDP) on the external interface (IP provided by the ISP) is forwarded to port 12000 on 192.168.66.101 (the WAN IP of RouterA)
2) On RouterA: port 12000 (TCP and UDP) on the WAN is forwarded to port 3389 (TCP and UDP) on 192.168.3.17, my workstation.
My workstation has a static IP. Anytime you do port forwarding and / or translation.. make sure your destination IP(s) have static addresses, otherwise if DHCP changes the address, the rules are broken.
**I chose to open up port 12000 on the public interface instead of 3389 simply because I didn't want to open a "common" port. The port translation is completely voluntary, you don't have to do it. If you do choose to do port translation, to continue with my example, this is what you would type into the Remote Desktop Client when connecting:
XXX.XXX.XXX.XXX:12000 (where XXX.XXX.XXX.XXX is the IP address on the external interface of your SME server).
Also remember to enable Remote Desktop on your workstation. Members of the Administrators group have remote desktop rights by default, but Remote Desktop is turned OFF by default in Windows XP. To turn RDP on, simply right click on My Computer - Properties. In the window that pops up, click on "Remote" and then put a checkmark beside the option "Allow users to connect remotely to my Machine". Click Apply then ok, and you're good to go.**
-
To answer the first question. My Server is handing out the local addresses.
So SME is 192.168.1.1
Router is 192.168.1.2
As I recall I did fixed xbox but it may be dynamic
Everything else is dynamic.
-
Vip-ire wrote:
cat /etc/openvpn/ccd-bridge/ian
[root@mcserver1 ~]# cat /etc/openvpn/ccd-bridge/ian
--ifconfig-push 192.168.7.200 255.255.255.0
Is this helpful?
Thx in advance for help.
Ian
-
Well, it cannot work with this configuration. In the previous post you said that your SME is 192.168.1.1, so I guess it's on the subnet 192.168.1.0/255.255.255.0.
All your VPN clients should have an IP in this subnet, 192.168.1.X, not 192.168.7.X.
-
Vip-ire
Sorry for the confusion, a momentary lapse in clarity of thought. My home network is on 192.168.7.*
Work, where I was when I posted, is different.
Ian
-
Well, look at the permissions on the file /etc/openvpn/ccd-bridge/ian. The server complains it cannot access this file; if it's not a permission problem, I really don't know.
-
Ok if the permissions are not correct as they are, how should they be?
Ian <~~noob
-
Well, they should be rw-r--r-- (world readable) but I just saw that they are (on my own server) rw-rw-rw- (world writable). It shouldn't prevent it from working but it's a security problem. Another thing I must correct.
-
The permissions are as follows:
root@mcserver1 ccd-bridge]# ls -l
total 8
-rw-r--r-- 1 root root 44 Dec 14 06:32 ian
-rw-r--r-- 1 root root 44 Dec 14 06:32 server
[root@mcserver1 ccd-bridge]#
Which matches what you have.
-
Well, this means the file is world readable; there's no reason why the server cannot access or find the file /etc/openvpn/ccd-bridge/ian.
The best would be to install it on a test server (fresh install) to be sure there's no problem or conflict with another contrib. If you don't have a test server, you can change a small template to remove the verification of the per-client configuration file, but you will lose the advantage of the fixed IP through the VPN:
vim /etc/e-smith/templates-custom/etc/openvpn/server-bridge.conf/80clients
comment out line 14:
$OUT .= "ccd-exclusive\n";
becomes
# $OUT .= "ccd-exclusive\n";
Then:
expand-template /etc/openvpn/server-bridge.conf
/etc/init.d/openvpn-bridge restart
-
I was trying to avoid the test server route. I may go back to beta 4.
There was one other thing that I thought of when you questioned my internal addresses. I checked my server settings and I had allowed the range to be 192.168.7.1~~254. Could this be a problem? I have changed it to only go to 199 and will let my VPN settings be 200 and above. I will let you know.
Then I will try your next suggestions. It will give me something to do over the holidays.
Thanks for all your help.
-
Ok; I changed my addressing and the permissions on the files and now it works ok. I will find out which solved the problem and post the answer.
Ian
-
OK cool. I don't think it was a file permission problem, more probably the address range.
-
While the addressing isn't necessarily required, it's a good idea. It avoids potential DHCP headaches. As a rule, for ease of administration, it's best to limit your scope of addresses to the amount needed +25% (to allow for growth, etc.). Then, when you add things like VPN, you use addresses outside the scope, and no problems. Also, when assigning static addresses, assign them outside your scope.
Again, none of this is absolutely necessary..but it does prevent headaches arising from address conflicts.
The permissions probably played a factor.. but after reading VIP's post, I think he might be right. Might have to do with how the DHCP daemon works on that box... but I'm just guessing. I'd have to really look at the code for DHCP and Ovpn.. and frankly, I don't have that kind of time. Glad it's working now!
-
I have tried it from a couple of locations and it is as sweet as Beta4. Well almost, it does seem a little slower but that might be my imagination.
The addressing thing is kind of funny. At work we have a device that does the vpn and the dhcp service and we don't set aside addresses and there is never a conflict.
Regarding the security issue, doesn't this mean somebody would have to log on to the server and find the files to overwrite. If it is not a trivial security detail I may just leave it. You know the old if it ain't broke don't F....ix it rule.
Anyway the reason I started the VPN is that I started a family tree wiki on my server and I wanted my widespread family to contribute stuff I don't know about. I already have my mom beavering away so to speak.
Thanks again Vip-ire for all your help. I will put a reference on the wiki referring to your help.
Ian
-
I have tried it from a couple of locations and it is as sweet as Beta4. Well almost, it does seem a little slower but that might be my imagination.
The handshake can be a bit slower because of TLS auth and certificate CN validation, but once the tunnel is established, it should have the same performance as the previous beta (if you've configured the same cipher).
The addressing thing is kind of funny. At work we have a device that does the vpn and the dhcp service and we don't set aside addresses and there is never a conflict.
I don't know many VPN solutions, I mainly worked with OpenVPN, but I think there's always an address range to configure. This contrib uses bridge mode, that's why the address range must be in the same subnet; for routed mode you can choose another subnet.
Regarding the security issue, doesn't this mean somebody would have to log on to the server and find the files to overwrite. If it is not a trivial security detail I may just leave it. You know the old if it ain't broke don't F....ix it rule.
If you're talking about the file permissions in ccd-bridge, in fact it's not a problem, there's no security issue; it was only on my own server and a simple expand-template /etc/openvpn/ccd-bridge/.config solved it. It sounds like I had changed the permissions manually before.
-
Hi VIP-ere,
Today I did a fresh install of SME 7 at my office, did a yum update and then installed your openvpn contrib, generated the keys etc. and put them in the directory for windows as per your how-to. Now when I get back home I can connect, it gives me the IP I asked for and OpenVPN GUI says I am connected but when I go to network places I can only see my own PC :shock: No matter what I do I can't browse any of the network or see any resources :cry: Can you please tell me what I am missing here :? Any help or suggestions welcome. There are no other contribs on the server.
Regards,
Del
-
try \\ip of the server from the run command.
-
Are you on the same workgroup as the remote server?
-
Hi Crazybob,
Are you on the same workgroup as the remote server?
Yes :)
try \\ip of the server from the run command
Now this may have solved the puzzle :oops: Although the workgroup in my office is the same as my laptop, the IP range and subnet are the same at the office and at home :oops: so maybe this is the problem. I will try and change the IP and subnet mask at the office and start again :wink: I realized this when I ran \\ip of the server from the run command: I got all my home server ibays even though the workgroup is not the same :shock: Thanks for the suggestions, I will report back tomorrow evening.
Regards,
Del
-
Del wrote
Although the workgroup in my office is the same as my laptop, the IP range and subnet are the same at the office and at home so maybe this is the problem, I will try and change the IP and subnet mask at the office and start again
Originally I VPN into the office with no problems.
I started to have problems similar to yours after installing SME Server. I could connect at the office and at home, could VPN into home from the office, but had difficulty connecting from home to work. I tried making the change to the addressing but that did not solve it. What I found was that the "Server Redirect" function was implemented on the work VPN device. When I turned that off everything went back to normal.
Not sure the reason, but relatively certain of the effect. Try this first.
I also have not turned on the server redirect for the openvpn contrib from vip-ire.
Good luck.
-
Hi imcintyre,
The server redirect is disabled in openvpn (if I am right in believing that this is the Redirect gateway: option) and it is still the same, is there somewhere else I should be looking to turn it off? :wink: If so please enlighten me before I go to the office this afternoon and change all the IP settings :D
Regards.
Del
-
Hi everyone. Del, it cannot work if your home network and your office network have the same private subnet. You should set different ones, for example:
192.168.39.0/255.255.255.0 for your home network
192.168.42.0/255.255.255.0 for your office
If they have the same network address, there's a routing problem: your VPN client will try to reach your remote server locally, without passing through the VPN.
It'll work then.
The redirect gateway function doesn't work properly (I just saw it yesterday). There's a stupid typo. I'll correct this in the next release. For now, it's always disabled even if the panel tells you it's enabled.
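The two checks this thread keeps running into, as an added example that is not code from the contrib: a client's ccd-bridge file must push a fixed address inside the bridge subnet and outside the DHCP pool (the 192.168.7.200 case above), ccd-exclusive refuses a CN that has no file and --disable refuses the client either way, and the home and office subnets must not overlap. Constructed assumptions: bridge subnet 192.168.7.0/24, DHCP pool 192.168.7.1-192.168.7.199, and client files written to a mktemp directory instead of /etc/openvpn/ccd-bridge.

```shell
#!/bin/sh
# Added example, not code from the smeserver-openvpn-bridge contrib.
# Constructed assumptions: bridge subnet 192.168.7.0/24, DHCP pool
# 192.168.7.1-192.168.7.199, client files written to a mktemp directory.

ip2int() {
    # Dotted quad -> integer, POSIX sh arithmetic only (no bash-isms).
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

in_subnet() {
    # in_subnet ADDR NETWORK NETMASK: true if ADDR lies inside NETWORK/NETMASK
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

in_range() {
    # in_range ADDR LOW HIGH: true if LOW <= ADDR <= HIGH
    a=$(ip2int "$1")
    [ "$a" -ge "$(ip2int "$2")" ] && [ "$a" -le "$(ip2int "$3")" ]
}

subnets_overlap() {
    # subnets_overlap NET1 MASK1 NET2 MASK2: true if the networks overlap.
    # Two blocks overlap exactly when one contains the other's network address,
    # which is the home/office clash that makes the client bypass the tunnel.
    in_subnet "$1" "$3" "$4" || in_subnet "$3" "$1" "$2"
}

ccd_status() {
    # ccd_status FILE NETWORK NETMASK POOL_LOW POOL_HIGH
    # Prints one word about a client-config-dir file:
    #   disabled        carries --disable (revoked cert, or VPNClientAccess != yes)
    #   no-push         no ifconfig-push line, the client gets a pool address
    #   outside-subnet  pushed address is not in the bridge subnet
    #   in-dhcp-pool    pushed address may collide with the DHCP range
    #   ok              fixed address inside the subnet and outside the pool
    if grep -q -E '^-*disable' "$1"; then echo disabled; return 0; fi
    addr=$(awk '/^-*ifconfig-push/ { print $2; exit }' "$1")
    if [ -z "$addr" ]; then echo no-push; return 0; fi
    if ! in_subnet "$addr" "$2" "$3"; then echo outside-subnet; return 0; fi
    if in_range "$addr" "$4" "$5"; then echo in-dhcp-pool; return 0; fi
    echo ok
}

client_allowed() {
    # client_allowed CCD_DIR CN EXCLUSIVE(yes|no)
    # The access decision the server makes from the ccd file: with ccd-exclusive
    # a CN without a file is refused, and a file containing --disable refuses the
    # client whether or not ccd-exclusive is set. Exit 0 = allow, 1 = deny.
    f="$1/$2"
    if [ ! -f "$f" ]; then
        if [ "$3" = yes ]; then echo "deny: no ccd file for CN $2"; return 1; fi
        echo "allow: $2 has no ccd file but ccd-exclusive is off"; return 0
    fi
    if grep -q -E '^-*disable' "$f"; then echo "deny: $2 is disabled"; return 1; fi
    echo "allow: $2"
}

# Demo with constructed files shaped like the ones expand-template writes.
demo_dir=$(mktemp -d)
printf '%s\n' '--ifconfig-push 192.168.7.200 255.255.255.0' > "$demo_dir/ian"
printf '%s\n' '--ifconfig-push 192.168.7.50 255.255.255.0' > "$demo_dir/bob"
printf '%s\n' '--disable' > "$demo_dir/server"
for cn in ian bob server; do
    printf '%s: %s\n' "$cn" \
        "$(ccd_status "$demo_dir/$cn" 192.168.7.0 255.255.255.0 192.168.7.1 192.168.7.199)"
done
for cn in ian server carol; do
    client_allowed "$demo_dir" "$cn" yes || true   # deny exits 1; keep the demo going
done
if subnets_overlap 10.0.0.0 255.0.0.0 10.0.0.0 255.255.255.0; then
    echo "10.0.0.0/8 and 10.0.0.0/24 overlap: the VPN cannot work between them"
fi
if ! subnets_overlap 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0; then
    echo "10.1.0.0/16 and 10.2.0.0/16 are distinct: fine"
fi
rm -rf "$demo_dir"
```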
-
Hi VIP-ire,
I currently use 10.0.0.x/255.0.0.0 for both, can I use 10.0.0.x/255.255.255.0 for one of them? Or should I use 192.168.0.x/255.255.255.0 and make sure they are completely different networks? Thanks again.
Regards,
Del
-
It'd be better if you have totally different network addresses, like this:
10.1.x.x/255.255.0.0 for one of your networks
10.2.x.x/255.255.0.0 for the other one
This way, the two networks cannot be confused.
-
Del;
I would follow vip-ire's advice in this instance. I changed my home from 192.168.1.*, which is the same as work's, to 192.168.7.*, and didn't see an end to my problems until after changing redirect. I guess if you still have issues, try my change.
My vpn device at work (not sme server 7 but a hardware firewall/vpn device) also has a redirect option that when enabled, caused connectivity and mail issues.
Ian
-
Vip-ire;
A question about the keys and certificates. When I am giving a new person vpn access. I have been giving them user.key, user.crt, ca.crt, ta.key, and VPN.ovpn.
Do they need all of this? I had a paranoid moment that I may be creating a security issue.
Thx in advance for your help.
Ian
-
Ian,
Those keys are necessary... and in this case, it's because of paranoia that they all are. Without them, they can't have access... and the way the contrib is set up, all it's doing is giving them an address on your network. To further secure your network and file shares, you can then create additional security / group policy.
To give you an idea, this is how OVPN is being used in our office:
OVPN clients connect and establish a connection. From there, the users in question connect to their machines via RDP, and within those remote sessions they access printers, file shares, etc., using our existing AD structure. Seeing as we didn't want to provide everyone with laptops, when they use their personal machines this affords us some security. While it is true that the users still could connect to the network from home, not without a great deal of savvy, and it's better than opening up ports for RDP for each machine (and much easier to manage).
If you don't want to be distributing so many files, consider using one of the other 3 levels of security in the OVPN server bridge panel. Honestly, unless you have a good reason not to, go with #4 (the default) as it is the most secure.
Hope this helps.
-
Yes, they need all these files. You shouldn't be too worried about the security (especially if you're using auth method 4). I've worked a lot on this part. It's protected against a client trying to spoof the server (with the verification of the type and the CN of the server certificate) and some other attacks.
Of course, you need to take care of the way you distribute these files; for example, you should never send them by email. The best is to download these files directly from the server-manager on the PC, and to be sure there's no Windows share activated. Restrict the permissions on these files to the user account (with NTFS permissions). And don't forget to have a firewall/AV on.
The only problem then is if one of your allowed clients loses his laptop, for example: someone has all the needed certificates and keys, but:
- he still needs the password of the user
- you can, and you should, immediately revoke this certificate
With this, there's no real danger; you just have to react quickly if someone tells you he may have lost his certificate.
I'd like to implement a new security option in the next version:
- every certificate has an email address associated (the email address of the user who will use the certificate)
- each time a client connects, he is sent an email telling him he is connected
So, when a client receives an email while he's not connected, he can immediately warn the admin.
I'd also like to regularly parse the log, extract all the connection information and enter it in a MySQL database; then with something like rrd, we could see the activity of each client.
I don't know when it'll be ready, or if others think these are good ideas, but I think I'll implement this as an option.
-
I like where you're going with the proposed new features.. one thing I would like to see is a "who's online" area on the panel.. basically showing who is currently connected to the VPN, and maybe their source IP (gives us a who and where type deal). Being able to track activity would be helpful too, but just getting a SQL db that I do reports from is fine.
-
Well, the email function will be quite easy to implement (I think), but for the connection information, I don't know for now. I never played with MySQL or rrd (just a little MySQL when I was at school), so I don't know when I'll implement that; for now it's just some ideas for the future. If anyone has other ideas, you're welcome.
-
Thanks for the information. The extra layer of security is appreciated. I just wanted to make sure I wasn't handing out anything "extra", that could be used.
I know that the files VPN.ovpn, username.crt, and username.key are unique. Are the ta.key and ca.crt also unique for each user? I won't have the opportunity to always set up other people's machines, so I am trying to be careful with passwords/keys etc.
Vip-ire obviously this should work with the other contribs you have on your site??? I wanted to try them out.
-
The ta.key and ca.crt are common to all clients... that's what allows the certificates to be authenticated etc. If those are missing from your client files, then those clients won't be able to connect.
If you haven't already.. look at the following how to:
http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html
You can create executables that will install the OpenVPN GUI on a windows system, and have the config files be pre-loaded into their config directory. I use this method and simply create the exe for the user, and install it onto their computer. Using this method also allows you to make sure that the setup on the user's machines are correct... without necessarily having to babysit the install.
-
Hi VIP-ire,
I followed your advice and changed the IP/subnet at the office and it now works according to plan :D Thank you very much.
Regards,
Del
-
Vip-ire obviously this should work with the other contribs you have on your site??? I wanted to try them out.
Well, yes, all our contribs on the site http://sme.firewall-services.com can work on the same server, there's no conflict. (sme7admin, backuppc and trixbox)
-
@VIP-ire
I have installed your contrib on the office server (client installation to be done next week). My problem: during the installation of the (fresh) SME 7.0 server I named the server xxxyyy.local. As we get a new IP address every night at midnight, I published a virtual domain name zzzzyyyy.dyndns.org. This domain can be pinged without problem.
But when I checked the server-bridge.conf file (/etc/openvpn/server-bridge.conf) I found:
push "dhcp-option Domain xxxyyy.local".
To my understanding I will never ever be able to contact xxxyyy.local... How can I manage to have:
push "dhcp-option Domain zzzzyyy.dyndns.org" ?
Did I miss something during the installation procedure??
thanx in advance for your help and
"Joyeux Fete de Noel et une bonne nouvelle annee"
regards
gerd
-
It shouldn't be a problem for you. This directive is used to tell the client to search in this domain for DNS queries, because when a client connects to the server, he automatically uses the DNS of the VPN server. All the PCs behind your server use this configuration (because DHCP tells them to do so). The thing you should change is in the client configuration file; you'll have something like:
remote xxxyyy.local
Just replace this by remote xxxyyy.dyndns.org
and it should work.
-
It's ok.
So I made a fresh install of a SME7 server and installed your contrib, and installed the client on WinXP. I copied the key files & certificates
(ca.cert/client.cert/client.key/ta.key) and created the VPN.ovpn file as follows:
=================================================
rport 1194
proto udp
dev tap
nobind
remote xxxxyyyyy.dyndns.org 1194
tls-client
tls-auth ta.key
tls-remote server
ns-cert-type server
auth-user-pass
ca ca.crt
cert client.crt
key client.key
fragment 1400
mssfix 1450
tun-mtu-extra 32
pull
comp-lzo
verb 4
and started the openvpn client....: Connecting to VPN has failed.
The log file finally shows:
==================================================
Sat Dec 23 21:50:27 2006 us=398227 Current Parameter Settings:
Sat Dec 23 21:50:27 2006 us=398313 config = 'VPN.ovpn'
Sat Dec 23 21:50:27 2006 us=398338 mode = 0
Sat Dec 23 21:50:27 2006 us=398360 show_ciphers = DISABLED
Sat Dec 23 21:50:27 2006 us=398383 show_digests = DISABLED
Sat Dec 23 21:50:27 2006 us=398406 show_engines = DISABLED
Sat Dec 23 21:50:27 2006 us=398428 genkey = DISABLED
Sat Dec 23 21:50:27 2006 us=398450 key_pass_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398473 show_tls_ciphers = DISABLED
Sat Dec 23 21:50:27 2006 us=398495 proto = 0
Sat Dec 23 21:50:27 2006 us=398517 local = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398543 remote_list[0] = {'power-be.dyndns.org', 1194}
Sat Dec 23 21:50:27 2006 us=398567 remote_random = DISABLED
Sat Dec 23 21:50:27 2006 us=398590 local_port = 1194
Sat Dec 23 21:50:27 2006 us=398611 remote_port = 1194
Sat Dec 23 21:50:27 2006 us=398633 remote_float = DISABLED
Sat Dec 23 21:50:27 2006 us=398655 ipchange = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398678 bind_local = DISABLED
Sat Dec 23 21:50:27 2006 us=398699 dev = 'tap'
Sat Dec 23 21:50:27 2006 us=398721 dev_type = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398743 dev_node = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398764 tun_ipv6 = DISABLED
Sat Dec 23 21:50:27 2006 us=398786 ifconfig_local = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398810 ifconfig_remote_netmask = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398833 ifconfig_noexec = DISABLED
Sat Dec 23 21:50:27 2006 us=398855 ifconfig_nowarn = DISABLED
Sat Dec 23 21:50:27 2006 us=398877 shaper = 0
Sat Dec 23 21:50:27 2006 us=398898 tun_mtu = 1500
Sat Dec 23 21:50:27 2006 us=398920 tun_mtu_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=398942 link_mtu = 1500
Sat Dec 23 21:50:27 2006 us=398965 link_mtu_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=398987 tun_mtu_extra = 32
Sat Dec 23 21:50:27 2006 us=399010 tun_mtu_extra_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=399032 fragment = 1400
Sat Dec 23 21:50:27 2006 us=399054 mtu_discover_type = -1
Sat Dec 23 21:50:27 2006 us=399076 mtu_test = 0
Sat Dec 23 21:50:27 2006 us=399097 mlock = DISABLED
Sat Dec 23 21:50:27 2006 us=399118 keepalive_ping = 0
Sat Dec 23 21:50:27 2006 us=399141 keepalive_timeout = 0
Sat Dec 23 21:50:27 2006 us=399170 inactivity_timeout = 0
Sat Dec 23 21:50:27 2006 us=399193 ping_send_timeout = 0
Sat Dec 23 21:50:27 2006 us=399216 ping_rec_timeout = 120
Sat Dec 23 21:50:27 2006 us=399239 ping_rec_timeout_action = 2
Sat Dec 23 21:50:27 2006 us=399261 ping_timer_remote = DISABLED
Sat Dec 23 21:50:27 2006 us=399283 remap_sigusr1 = 0
Sat Dec 23 21:50:27 2006 us=399306 explicit_exit_notification = 0
Sat Dec 23 21:50:27 2006 us=399328 persist_tun = DISABLED
Sat Dec 23 21:50:27 2006 us=399351 persist_local_ip = DISABLED
Sat Dec 23 21:50:27 2006 us=399374 persist_remote_ip = DISABLED
Sat Dec 23 21:50:27 2006 us=399396 persist_key = DISABLED
Sat Dec 23 21:50:27 2006 us=399418 mssfix = 1450
Sat Dec 23 21:50:27 2006 us=399442 resolve_retry_seconds = 1000000000
Sat Dec 23 21:50:27 2006 us=399465 connect_retry_seconds = 5
Sat Dec 23 21:50:27 2006 us=399515 username = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399537 groupname = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399559 chroot_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399581 cd_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399603 writepid = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399625 up_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399647 down_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399669 down_pre = DISABLED
Sat Dec 23 21:50:27 2006 us=399691 up_restart = DISABLED
Sat Dec 23 21:50:27 2006 us=399713 up_delay = DISABLED
Sat Dec 23 21:50:27 2006 us=399735 daemon = DISABLED
Sat Dec 23 21:50:27 2006 us=399756 inetd = 0
Sat Dec 23 21:50:27 2006 us=399777 log = DISABLED
Sat Dec 23 21:50:27 2006 us=399799 suppress_timestamps = DISABLED
Sat Dec 23 21:50:27 2006 us=399821 nice = 0
Sat Dec 23 21:50:27 2006 us=399841 verbosity = 4
Sat Dec 23 21:50:27 2006 us=491011 mute = 0
Sat Dec 23 21:50:27 2006 us=491028 gremlin = 0
Sat Dec 23 21:50:27 2006 us=491037 status_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491045 status_file_version = 1
Sat Dec 23 21:50:27 2006 us=491054 status_file_update_freq = 60
Sat Dec 23 21:50:27 2006 us=491062 occ = ENABLED
Sat Dec 23 21:50:27 2006 us=491070 rcvbuf = 0
Sat Dec 23 21:50:27 2006 us=491078 sndbuf = 0
Sat Dec 23 21:50:27 2006 us=491087 socks_proxy_server = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491100 socks_proxy_port = 0
Sat Dec 23 21:50:27 2006 us=491108 socks_proxy_retry = DISABLED
Sat Dec 23 21:50:27 2006 us=491116 fast_io = DISABLED
Sat Dec 23 21:50:27 2006 us=491124 comp_lzo = ENABLED
Sat Dec 23 21:50:27 2006 us=491133 comp_lzo_adaptive = ENABLED
Sat Dec 23 21:50:27 2006 us=491142 route_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491150 route_default_gateway = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491159 route_noexec = DISABLED
Sat Dec 23 21:50:27 2006 us=491646 route_delay = 0
Sat Dec 23 21:50:27 2006 us=491657 route_delay_window = 30
Sat Dec 23 21:50:27 2006 us=491666 route_delay_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=491675 management_addr = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491683 management_port = 0
Sat Dec 23 21:50:27 2006 us=491692 management_user_pass = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491701 management_log_history_cache = 250
Sat Dec 23 21:50:27 2006 us=491710 management_echo_buffer_size = 100
Sat Dec 23 21:50:27 2006 us=491719 management_query_passwords = DISABLED
Sat Dec 23 21:50:27 2006 us=491728 management_hold = DISABLED
Sat Dec 23 21:50:27 2006 us=491736 shared_secret_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491745 key_direction = 0
Sat Dec 23 21:50:27 2006 us=491753 ciphername_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=491761 ciphername = 'BF-CBC'
Sat Dec 23 21:50:27 2006 us=491770 authname_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=503701 authname = 'SHA1'
Sat Dec 23 21:50:27 2006 us=503713 keysize = 0
Sat Dec 23 21:50:27 2006 us=503721 engine = DISABLED
Sat Dec 23 21:50:27 2006 us=503729 replay = ENABLED
Sat Dec 23 21:50:27 2006 us=503738 mute_replay_warnings = DISABLED
Sat Dec 23 21:50:27 2006 us=503746 replay_window = 64
Sat Dec 23 21:50:27 2006 us=503812 replay_time = 15
Sat Dec 23 21:50:27 2006 us=503821 packet_id_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=503829 use_iv = ENABLED
Sat Dec 23 21:50:27 2006 us=503838 test_crypto = DISABLED
Sat Dec 23 21:50:27 2006 us=503846 tls_server = DISABLED
Sat Dec 23 21:50:27 2006 us=503854 tls_client = ENABLED
Sat Dec 23 21:50:27 2006 us=503863 key_method = 2
Sat Dec 23 21:50:27 2006 us=503871 ca_file = 'ca.crt'
Sat Dec 23 21:50:27 2006 us=503879 dh_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=503887 cert_file = 'client.crt'
Sat Dec 23 21:50:27 2006 us=517225 priv_key_file = 'client.key'
Sat Dec 23 21:50:27 2006 us=517236 pkcs12_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517245 cryptoapi_cert = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517253 cipher_list = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517262 tls_verify = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517271 tls_remote = 'server'
Sat Dec 23 21:50:27 2006 us=517279 crl_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517287 ns_cert_type = 64
Sat Dec 23 21:50:27 2006 us=517295 tls_timeout = 2
Sat Dec 23 21:50:27 2006 us=517304 renegotiate_bytes = 0
Sat Dec 23 21:50:27 2006 us=517312 renegotiate_packets = 0
Sat Dec 23 21:50:27 2006 us=517321 renegotiate_seconds = 3600
Sat Dec 23 21:50:27 2006 us=517329 handshake_window = 60
Sat Dec 23 21:50:27 2006 us=517338 transition_window = 3600
Sat Dec 23 21:50:27 2006 us=517346 single_session = DISABLED
Sat Dec 23 21:50:27 2006 us=517354 tls_exit = DISABLED
Sat Dec 23 21:50:27 2006 us=531336 tls_auth_file = 'ta.key'
Sat Dec 23 21:50:27 2006 us=531356 server_network = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531366 server_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531376 server_bridge_ip = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531385 server_bridge_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531395 server_bridge_pool_start = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531405 server_bridge_pool_end = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531415 ifconfig_pool_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=531424 ifconfig_pool_start = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531433 ifconfig_pool_end = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531442 ifconfig_pool_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531452 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=531462 ifconfig_pool_persist_refresh_freq = 600
Sat Dec 23 21:50:27 2006 us=531471 ifconfig_pool_linear = DISABLED
Sat Dec 23 21:50:27 2006 us=531480 n_bcast_buf = 256
Sat Dec 23 21:50:27 2006 us=545465 tcp_queue_limit = 64
Sat Dec 23 21:50:27 2006 us=545476 real_hash_size = 256
Sat Dec 23 21:50:27 2006 us=545486 virtual_hash_size = 256
Sat Dec 23 21:50:27 2006 us=545495 client_connect_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545504 learn_address_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545513 client_disconnect_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545522 client_config_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545530 ccd_exclusive = DISABLED
Sat Dec 23 21:50:27 2006 us=545538 tmp_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545547 push_ifconfig_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=545557 push_ifconfig_local = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=545567 push_ifconfig_remote_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=545576 enable_c2c = DISABLED
Sat Dec 23 21:50:27 2006 us=545584 duplicate_cn = DISABLED
Sat Dec 23 21:50:27 2006 us=545592 cf_max = 0
Sat Dec 23 21:50:27 2006 us=557937 cf_per = 0
Sat Dec 23 21:50:27 2006 us=557948 max_clients = 1024
Sat Dec 23 21:50:27 2006 us=557957 max_routes_per_client = 256
Sat Dec 23 21:50:27 2006 us=557966 client_cert_not_required = DISABLED
Sat Dec 23 21:50:27 2006 us=557975 username_as_common_name = DISABLED
Sat Dec 23 21:50:27 2006 us=557985 auth_user_pass_verify_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=558044 auth_user_pass_verify_script_via_file = DISABLED
Sat Dec 23 21:50:27 2006 us=558054 client = DISABLED
Sat Dec 23 21:50:27 2006 us=558062 pull = ENABLED
Sat Dec 23 21:50:27 2006 us=558071 auth_user_pass_file = 'stdin'
Sat Dec 23 21:50:27 2006 us=558081 show_net_up = DISABLED
Sat Dec 23 21:50:27 2006 us=558089 route_method = 0
Sat Dec 23 21:50:27 2006 us=558098 ip_win32_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=558106 ip_win32_type = 3
Sat Dec 23 21:50:27 2006 us=558115 dhcp_masq_offset = 0
Sat Dec 23 21:50:27 2006 us=558123 dhcp_lease_time = 31536000
Sat Dec 23 21:50:27 2006 us=572126 tap_sleep = 0
Sat Dec 23 21:50:27 2006 us=572136 dhcp_options = DISABLED
Sat Dec 23 21:50:27 2006 us=572145 dhcp_renew = DISABLED
Sat Dec 23 21:50:27 2006 us=572154 dhcp_pre_release = DISABLED
Sat Dec 23 21:50:27 2006 us=572162 dhcp_release = DISABLED
Sat Dec 23 21:50:27 2006 us=572170 domain = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=572178 netbios_scope = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=572187 netbios_node_type = 0
Sat Dec 23 21:50:27 2006 us=572195 disable_nbt = DISABLED
Sat Dec 23 21:50:27 2006 us=572208 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sat Dec 23 21:50:29 2006 us=732621 ERROR: could not read Auth username from stdin
Sat Dec 23 21:50:29 2006 us=732644 Exiting :cry:
What is the meaning of: could not read Auth username from stdin ??
I used the same user name/password as in the office, so I have no idea as to the aforementioned error message. The SME 7.0 is running (24/24H). On my client laptop I switched off Zone Alarm and the antivirus soft...
Any further ideas as to the root cause of the error message??
thanx in advance & merry christmas
gerd
-
It's a complete mystery...
I just discovered that:
- my (wireless) connection to the internet is ok
(I can ping my server in the office)
- the TAP-Win32 Adapter V8 was installed by Open VPN
(I use OpenVPN GUI 1.03 with OpenVPN 2.09 with DHCP options).
- however after the input of user name and password the OpenVPN soft
doesn't establish an internet connection... the symbol of the
TAP-Win32 adapter remains inactive.
- The error message from my previous mail remains the same, even if I
switch off the internet connection.
Seems that I have first a local problem which needs to be solved. But I have no idea yet where to look for the error. :(
regards
gerd
-
In order to exclude a what-so-ever error, I made a fresh installation of WinXP SP2 on my laptop and installed OpenVPN. Then I created the VPN.ovpn file, installed it in the config.file and added into this file the ca.cert, client.crt, client.key and ta.key.
But no way out:
Mon Dec 25 12:23:06 2006 us=773193 Current Parameter Settings:
Mon Dec 25 12:23:06 2006 us=773287 config = 'VPN.ovpn'
Mon Dec 25 12:23:06 2006 us=773312 mode = 0
Mon Dec 25 12:23:06 2006 us=773334 show_ciphers = DISABLED
Mon Dec 25 12:23:06 2006 us=773357 show_digests = DISABLED
Mon Dec 25 12:23:06 2006 us=773501 show_engines = DISABLED
Mon Dec 25 12:23:06 2006 us=773525 genkey = DISABLED
Mon Dec 25 12:23:06 2006 us=773547 key_pass_file = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=773572 show_tls_ciphers = DISABLED
Mon Dec 25 12:23:06 2006 us=773594 proto = 0
Mon Dec 25 12:23:06 2006 us=773616 local = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=773642 remote_list[0] = {'xxxyyy.dyndns.org', 1194}
Mon Dec 25 12:23:06 2006 us=773666 remote_random = DISABLED
Mon Dec 25 12:23:06 2006 us=773690 local_port = 1194
Mon Dec 25 12:23:06 2006 us=773712 remote_port = 1194
Mon Dec 25 12:23:06 2006 us=773860 remote_float = DISABLED
Mon Dec 25 12:23:06 2006 us=773888 ipchange = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=773911 bind_local = DISABLED
Mon Dec 25 12:23:06 2006 us=773933 dev = 'tap'
Mon Dec 25 12:23:06 2006 us=773955 dev_type = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=773978 dev_node = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774000 tun_ipv6 = DISABLED
Mon Dec 25 12:23:06 2006 us=774024 ifconfig_local = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774048 ifconfig_remote_netmask = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774072 ifconfig_noexec = DISABLED
Mon Dec 25 12:23:06 2006 us=774095 ifconfig_nowarn = DISABLED
Mon Dec 25 12:23:06 2006 us=774117 shaper = 0
Mon Dec 25 12:23:06 2006 us=774139 tun_mtu = 1500
Mon Dec 25 12:23:06 2006 us=774162 tun_mtu_defined = ENABLED
Mon Dec 25 12:23:06 2006 us=774185 link_mtu = 1500
Mon Dec 25 12:23:06 2006 us=774208 link_mtu_defined = DISABLED
Mon Dec 25 12:23:06 2006 us=774231 tun_mtu_extra = 32
Mon Dec 25 12:23:06 2006 us=774254 tun_mtu_extra_defined = ENABLED
Mon Dec 25 12:23:06 2006 us=774277 fragment = 1400
Mon Dec 25 12:23:06 2006 us=774300 mtu_discover_type = -1
Mon Dec 25 12:23:06 2006 us=774323 mtu_test = 0
Mon Dec 25 12:23:06 2006 us=774344 mlock = DISABLED
Mon Dec 25 12:23:06 2006 us=774366 keepalive_ping = 0
Mon Dec 25 12:23:06 2006 us=774389 keepalive_timeout = 0
Mon Dec 25 12:23:06 2006 us=774411 inactivity_timeout = 0
Mon Dec 25 12:23:06 2006 us=774434 ping_send_timeout = 0
Mon Dec 25 12:23:06 2006 us=774464 ping_rec_timeout = 120
Mon Dec 25 12:23:06 2006 us=774489 ping_rec_timeout_action = 2
Mon Dec 25 12:23:06 2006 us=774512 ping_timer_remote = DISABLED
Mon Dec 25 12:23:06 2006 us=774536 remap_sigusr1 = 0
Mon Dec 25 12:23:06 2006 us=774559 explicit_exit_notification = 0
Mon Dec 25 12:23:06 2006 us=774582 persist_tun = DISABLED
Mon Dec 25 12:23:06 2006 us=774606 persist_local_ip = DISABLED
Mon Dec 25 12:23:06 2006 us=774630 persist_remote_ip = DISABLED
Mon Dec 25 12:23:06 2006 us=774653 persist_key = DISABLED
Mon Dec 25 12:23:06 2006 us=774676 mssfix = 1450
Mon Dec 25 12:23:06 2006 us=774700 resolve_retry_seconds = 1000000000
Mon Dec 25 12:23:06 2006 us=774724 connect_retry_seconds = 5
Mon Dec 25 12:23:06 2006 us=774747 username = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774769 groupname = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774793 chroot_dir = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774816 cd_dir = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774838 writepid = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774861 up_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774884 down_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=774907 down_pre = DISABLED
Mon Dec 25 12:23:06 2006 us=774930 up_restart = DISABLED
Mon Dec 25 12:23:06 2006 us=774953 up_delay = DISABLED
Mon Dec 25 12:23:06 2006 us=774975 daemon = DISABLED
Mon Dec 25 12:23:06 2006 us=774997 inetd = 0
Mon Dec 25 12:23:06 2006 us=775018 log = DISABLED
Mon Dec 25 12:23:06 2006 us=775042 suppress_timestamps = DISABLED
Mon Dec 25 12:23:06 2006 us=775063 nice = 0
Mon Dec 25 12:23:06 2006 us=775085 verbosity = 4
Mon Dec 25 12:23:06 2006 us=848565 mute = 0
Mon Dec 25 12:23:06 2006 us=848581 gremlin = 0
Mon Dec 25 12:23:06 2006 us=848590 status_file = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=848598 status_file_version = 1
Mon Dec 25 12:23:06 2006 us=848607 status_file_update_freq = 60
Mon Dec 25 12:23:06 2006 us=848615 occ = ENABLED
Mon Dec 25 12:23:06 2006 us=848624 rcvbuf = 0
Mon Dec 25 12:23:06 2006 us=848632 sndbuf = 0
Mon Dec 25 12:23:06 2006 us=848641 socks_proxy_server = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=848653 socks_proxy_port = 0
Mon Dec 25 12:23:06 2006 us=848661 socks_proxy_retry = DISABLED
Mon Dec 25 12:23:06 2006 us=848669 fast_io = DISABLED
Mon Dec 25 12:23:06 2006 us=848677 comp_lzo = ENABLED
Mon Dec 25 12:23:06 2006 us=848686 comp_lzo_adaptive = ENABLED
Mon Dec 25 12:23:06 2006 us=848694 route_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=848703 route_default_gateway = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=848712 route_noexec = DISABLED
Mon Dec 25 12:23:06 2006 us=862000 route_delay = 0
Mon Dec 25 12:23:06 2006 us=862013 route_delay_window = 30
Mon Dec 25 12:23:06 2006 us=862022 route_delay_defined = ENABLED
Mon Dec 25 12:23:06 2006 us=862031 management_addr = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=862039 management_port = 0
Mon Dec 25 12:23:06 2006 us=862048 management_user_pass = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=862057 management_log_history_cache = 250
Mon Dec 25 12:23:06 2006 us=862066 management_echo_buffer_size = 100
Mon Dec 25 12:23:06 2006 us=862076 management_query_passwords = DISABLED
Mon Dec 25 12:23:06 2006 us=862085 management_hold = DISABLED
Mon Dec 25 12:23:06 2006 us=862093 shared_secret_file = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=862102 key_direction = 0
Mon Dec 25 12:23:06 2006 us=862110 ciphername_defined = ENABLED
Mon Dec 25 12:23:06 2006 us=862119 ciphername = 'BF-CBC'
Mon Dec 25 12:23:06 2006 us=862128 authname_defined = ENABLED
Mon Dec 25 12:23:06 2006 us=875350 authname = 'SHA1'
Mon Dec 25 12:23:06 2006 us=875361 keysize = 0
Mon Dec 25 12:23:06 2006 us=875370 engine = DISABLED
Mon Dec 25 12:23:06 2006 us=875378 replay = ENABLED
Mon Dec 25 12:23:06 2006 us=875387 mute_replay_warnings = DISABLED
Mon Dec 25 12:23:06 2006 us=875395 replay_window = 64
Mon Dec 25 12:23:06 2006 us=875404 replay_time = 15
Mon Dec 25 12:23:06 2006 us=875413 packet_id_file = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=875421 use_iv = ENABLED
Mon Dec 25 12:23:06 2006 us=875430 test_crypto = DISABLED
Mon Dec 25 12:23:06 2006 us=875438 tls_server = DISABLED
Mon Dec 25 12:23:06 2006 us=875447 tls_client = ENABLED
Mon Dec 25 12:23:06 2006 us=875455 key_method = 2
Mon Dec 25 12:23:06 2006 us=875464 ca_file = 'ca.crt'
Mon Dec 25 12:23:06 2006 us=875472 dh_file = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=875502 cert_file = 'client.crt'
Mon Dec 25 12:23:06 2006 us=888734 priv_key_file = 'client.key'
Mon Dec 25 12:23:06 2006 us=888747 pkcs12_file = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=888756 cryptoapi_cert = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=888764 cipher_list = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=888773 tls_verify = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=888782 tls_remote = 'server'
Mon Dec 25 12:23:06 2006 us=888790 crl_file = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=888799 ns_cert_type = 64
Mon Dec 25 12:23:06 2006 us=888807 tls_timeout = 2
Mon Dec 25 12:23:06 2006 us=888815 renegotiate_bytes = 0
Mon Dec 25 12:23:06 2006 us=888824 renegotiate_packets = 0
Mon Dec 25 12:23:06 2006 us=888832 renegotiate_seconds = 3600
Mon Dec 25 12:23:06 2006 us=888841 handshake_window = 60
Mon Dec 25 12:23:06 2006 us=888849 transition_window = 3600
Mon Dec 25 12:23:06 2006 us=888857 single_session = DISABLED
Mon Dec 25 12:23:06 2006 us=888866 tls_exit = DISABLED
Mon Dec 25 12:23:06 2006 us=902716 tls_auth_file = 'ta.key'
Mon Dec 25 12:23:06 2006 us=902736 server_network = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902746 server_netmask = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902756 server_bridge_ip = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902765 server_bridge_netmask = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902775 server_bridge_pool_start = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902784 server_bridge_pool_end = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902793 ifconfig_pool_defined = DISABLED
Mon Dec 25 12:23:06 2006 us=902803 ifconfig_pool_start = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902813 ifconfig_pool_end = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902822 ifconfig_pool_netmask = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=902832 ifconfig_pool_persist_filename = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=902842 ifconfig_pool_persist_refresh_freq = 600
Mon Dec 25 12:23:06 2006 us=902851 ifconfig_pool_linear = DISABLED
Mon Dec 25 12:23:06 2006 us=902860 n_bcast_buf = 256
Mon Dec 25 12:23:06 2006 us=916799 tcp_queue_limit = 64
Mon Dec 25 12:23:06 2006 us=916810 real_hash_size = 256
Mon Dec 25 12:23:06 2006 us=916819 virtual_hash_size = 256
Mon Dec 25 12:23:06 2006 us=916828 client_connect_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916837 learn_address_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916846 client_disconnect_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916855 client_config_dir = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916864 ccd_exclusive = DISABLED
Mon Dec 25 12:23:06 2006 us=916872 tmp_dir = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916880 push_ifconfig_defined = DISABLED
Mon Dec 25 12:23:06 2006 us=916891 push_ifconfig_local = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=916900 push_ifconfig_remote_netmask = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=916909 enable_c2c = DISABLED
Mon Dec 25 12:23:06 2006 us=916918 duplicate_cn = DISABLED
Mon Dec 25 12:23:06 2006 us=916926 cf_max = 0
Mon Dec 25 12:23:06 2006 us=929136 cf_per = 0
Mon Dec 25 12:23:06 2006 us=929147 max_clients = 1024
Mon Dec 25 12:23:06 2006 us=929156 max_routes_per_client = 256
Mon Dec 25 12:23:06 2006 us=929165 client_cert_not_required = DISABLED
Mon Dec 25 12:23:06 2006 us=929174 username_as_common_name = DISABLED
Mon Dec 25 12:23:06 2006 us=929184 auth_user_pass_verify_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=929193 auth_user_pass_verify_script_via_file = DISABLED
Mon Dec 25 12:23:06 2006 us=929202 client = DISABLED
Mon Dec 25 12:23:06 2006 us=929210 pull = ENABLED
Mon Dec 25 12:23:06 2006 us=929218 auth_user_pass_file = 'stdin'
Mon Dec 25 12:23:06 2006 us=929229 show_net_up = DISABLED
Mon Dec 25 12:23:06 2006 us=929237 route_method = 0
Mon Dec 25 12:23:06 2006 us=929246 ip_win32_defined = DISABLED
Mon Dec 25 12:23:06 2006 us=929254 ip_win32_type = 3
Mon Dec 25 12:23:06 2006 us=929263 dhcp_masq_offset = 0
Mon Dec 25 12:23:06 2006 us=929272 dhcp_lease_time = 31536000
Mon Dec 25 12:23:06 2006 us=942784 tap_sleep = 0
Mon Dec 25 12:23:06 2006 us=942794 dhcp_options = DISABLED
Mon Dec 25 12:23:06 2006 us=942803 dhcp_renew = DISABLED
Mon Dec 25 12:23:06 2006 us=942811 dhcp_pre_release = DISABLED
Mon Dec 25 12:23:06 2006 us=942820 dhcp_release = DISABLED
Mon Dec 25 12:23:06 2006 us=942828 domain = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=942836 netbios_scope = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=942844 netbios_node_type = 0
Mon Dec 25 12:23:06 2006 us=942853 disable_nbt = DISABLED
Mon Dec 25 12:23:06 2006 us=942866 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Dec 25 12:23:23 2006 us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Mon Dec 25 12:23:23 2006 us=45083 Exiting
===============================================
Especially as to the error message:
us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
I found in http://forums.contribs.org/index.php?topic=33194.0
an identical error message, but contrary to hayman my client.crt is not empty at all....
Any ideas???
regards
gerd
-
VIP-ire,
I have just finished installing another copy of this wonderful contrib, and thanks for the great job. I was wondering why openvpn may not be starting by its self. I have to start it manually during each install. In an unrelated issue, I receive a bunch of errors concerning form-magic. I will post them if needed.
Thanks
Bob
-
In order to exclude a what-so-ever error, I made a fresh installation of WinXP SP2 on my laptop and installed OpenVPN. Then I created the VPN.ovpn file, installed it in the config.file and added into this file the ca.cert, client.crt, client.key and ta.key.
...
Mon Dec 25 12:23:23 2006 us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Mon Dec 25 12:23:23 2006 us=45083 Exiting
===============================================
Especially as to the error message:
us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
I found in http://forums.contribs.org/index.php?topic=33194.0
an identical error message, but contrary to hayman my client.crt is not empty at all....
Any ideas???
regards
gerd
What do you mean by "added into this file the ca.cert, client.crt, client.key and ta.key"? These files (ca.crt, ta.key, client.crt and client.key) must be in the same directory (C:\Program Files\OpenVPN\config) but not in the same file as the configuration file.
VIP-ire,
I have just finished installing another copy of this wonderful contrib, and thanks for the great job. I was wondering why openvpn may not be starting by its self. I have to start it manually during each install. In an unrelated issue, I receive a bunch of errors concerning form-magic. I will post them if needed.
I chose not to start it automatically because we must configure the IP range first (default is 192.168.xx.xx which isn't valid). I do so because I'm too lazy to detect the network address, the dhcp parameters etc... and to configure openvpn according to these settings.
For the error messages, I think it comes from some sub's prototype not declared at the beginning of the panel. It's not really important but I'll try to fix it for the next release.
-
First of all a happy and prosperous new year...
Of course, the ca.crt, ta.key, client.crt and client.key are in the config directory....
So I restarted fm scratch again:
Today (as I am in the office again) I deleted all certificates, recreated them and downloaded them via a USB stick to my laptop - in the config file directory:
- I tried to download the certificates and keys via the OPERA Browser - no way. What you can see is the content of the files, but no download. So I used again the Internet Browser.
- When I tried to download the client certificate/client key the download window (Internet Explorer 7.0) showed instead: server certificate/server key. When I chose "display configuration file" I get the message: "Configuration file are only generated for client certificate, not server". Strange... So I had a look into the file : "etc/openvpn/easy-rsa/keys/bridge" ...no client certificate/client key is available.
Do I have to rename server certificate/server key into client certificate/client key (that's what I have done during my trial runs at christmas time)?? Or what else could be wrong?
How come I can't see the configuration file for the client??
Any ideas???
-
Ok, it's not working because you are trying to use the server certificate on a client. Each certificate is marked as server or as client. By default, there's only one certificate in the certificate-manager, which is the one used on the server side. You need to generate a new certificate, choose a unique CN, an optional IP and comment, then leave the type as 'client'. Now configure your client with this new certificate. When you click on the link 'display' of a client certificate, you'll have the correct configuration file; it doesn't work for server certificates, that's why you get the message "Configuration file are only generated for client certificate, not server"
-
....many thanks... :lol:
It seems to work, the WinXP client starts smoothly now (and it doesn't grumble anymore....). But I can't check now, because the network I am connected to is the same as the OpenVpn Server - say I am in the office....
I will keep you informed as soon as I have the opportunity to test...
best regards
gerx
-
VIP-ire,
I understand, Thanks
Bob
-
....I have just made some extensive tests: it works like a charm... It works perfectly.
VPI-ire, thankx
gerd
-
hi,
perhaps a stupid question.
The setup is a bridged one. What does the resulting ip-setup look like?
something like this?
client-tap device 192.168.1.11 --- server-tap 192.168.1.1 -- /
internal network 192.168.2.0/24
and the client has a route to 192.168.2.0/24 via 192.168.1.11?
Just curious.
Hans-Cees
-
Well, in bridge mode, the tap interface of the server (tap0) and the internal interface (eth0) are bridged into one interface: br0. br0 takes the IP of eth0, so eth0 and tap0 share the same IP.
If you have a local network with IP 192.168.2.0/24, in this network your server is 192.168.2.1.
When a client connects to the VPN server from the outside, the server gives him an IP address in the same subnet: 192.168.2.0/24 (you can configure a range of IP addresses). As the client now has an interface in the subnet 192.168.2.0/24, he can directly reach the internal network; it's exactly as if he were connected inside the internal network.
client tap device 192.168.2.20 ----- server tap interface --------\
                                                                  |----- br0 192.168.2.1
                                server internal interface --------/
I hope this post answers your question.
Cheers, Daniel
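Daniel's address plan above (br0 at 192.168.2.1, clients handed addresses from a range inside 192.168.2.0/24) can be checked before it is written into the server configuration, which is worth doing since a bad bridge start can cut off even local access, as the first post warns. The POSIX sh script below is an added example and not code from the contrib or its panel; the LAN, pool and DHCP range values are constructed, and `server-bridge` is the standard OpenVPN 2.0 directive for bridge mode.

```shell
#!/bin/sh
# Added example, not code from the smeserver-openvpn contrib or its panel.
# Checks a bridge-mode address plan before it goes into the OpenVPN server
# configuration: in bridge mode br0 carries the LAN address (192.168.2.1 in
# Daniel's post), and the client pool must be free addresses of that same
# subnet, outside the range the SME DHCP server hands out. All addresses
# below are constructed sample values.

# Accept only a well-formed dotted quad (four octets, each 0..255).
valid_ip() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Dotted quad -> 32-bit integer (caller has validated the input).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask must be a run of ones followed by a run of zeros.
valid_mask() {
    valid_ip "$1" || return 1
    m=$(ip2int "$1")
    inv=$(( m ^ 4294967295 ))          # host bits
    [ $(( inv & (inv + 1) )) -eq 0 ]   # host bits must be contiguous low bits
}

# Print the server-bridge directive for GATEWAY NETMASK POOL_START POOL_END,
# or explain on stderr why the plan is unsafe and return non-zero.
bridge_directive() {
    gw=$1 mask=$2 start=$3 end=$4
    valid_ip "$gw" && valid_ip "$start" && valid_ip "$end" ||
        { echo "bad IP address in plan" >&2; return 1; }
    valid_mask "$mask" || { echo "bad netmask: $mask" >&2; return 1; }
    g=$(ip2int "$gw"); m=$(ip2int "$mask"); s=$(ip2int "$start"); e=$(ip2int "$end")
    net=$(( g & m ))
    bcast=$(( net | (m ^ 4294967295) ))
    [ $(( s & m )) -eq "$net" ] && [ $(( e & m )) -eq "$net" ] ||
        { echo "pool is not inside the bridge subnet" >&2; return 1; }
    [ "$s" -le "$e" ] || { echo "pool start is after pool end" >&2; return 1; }
    [ "$s" -gt "$net" ] && [ "$e" -lt "$bcast" ] ||
        { echo "pool touches the network or broadcast address" >&2; return 1; }
    [ "$g" -lt "$s" ] || [ "$g" -gt "$e" ] ||
        { echo "pool contains the server address $gw" >&2; return 1; }
    echo "server-bridge $gw $mask $start $end"
}

# Succeed only when the VPN pool (POOL_START POOL_END) and the LAN DHCP range
# (DHCP_START DHCP_END) do not overlap.
pool_clear_of_dhcp() {
    s=$(ip2int "$1"); e=$(ip2int "$2"); ds=$(ip2int "$3"); de=$(ip2int "$4")
    [ "$e" -lt "$ds" ] || [ "$s" -gt "$de" ]
}

# Stand-alone run with the constructed sample plan.
if [ "$#" -eq 0 ]; then
    bridge_directive 192.168.2.1 255.255.255.0 192.168.2.20 192.168.2.40 &&
        pool_clear_of_dhcp 192.168.2.20 192.168.2.40 192.168.2.65 192.168.2.250 &&
        echo "pool does not collide with the DHCP range"
fi
```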
-
Well, in bridge mode, the tap interface of the server (tap0) and the internal interface (eth0) are bridged into one interface: br0. br0 takes the IP of eth0, so eth0 and tap0 share the same IP.
If you have a local network with IP 192.168.2.0/24, in this network your server is 192.168.2.1.
When a client connects to the VPN server from the outside, the server gives him an IP address in the same subnet: 192.168.2.0/24 (you can configure a range of IP addresses). As the client now has an interface in the subnet 192.168.2.0/24, he can directly reach the internal network; it's exactly as if he were connected inside the internal network.
client tap device 192.168.2.20 ----- server tap interface --------\
                                                                  |----- br0 192.168.2.1
                                server internal interface --------/
I hope this post answers your question.
Cheers, Daniel
It does exactly. Thanks!
-
Hi VIP-ire,
Due to my own stupidity I have had to reinstall SME 7.1 (if you want to know why see here :oops: http://forums.contribs.org/index.php?topic=34950.0 ) I therefore installed openvpn contrib as before but now I can't get it to connect :shock: After looking through things I have noticed that when I add a client and download the certificates that the client user.crt file is 0 (zero) bytes :shock: but the old one from the previous installation of SME was about 4kb If I open up the new user.crt in a text editor it is in fact a blank document :? and of course there is lots of text stuff if I open the old user.crt Any ideas or pointers to what I am doing wrong? I have revoked and added the user and the result is the same every time :shock: Thanks.
Regards,
Del
-
Del,
I ran into similar problems.. what I ended up having to do was delete all certificates and regenerate them. You may have to do it a few times before it will work.. so be patient. Once the certs actually have a size, then you should be fine. Don't know what caused the problem.. but that's what fixed it for me.
-
Hi AndrewR,
Thanks for the reply, I have already deleted/created a few times but I will give it a go and see :D
Regards,
Del
-
Hi AndrewR,
Just a thought, do you mean the client or server certificates or both?
Regards,
Del
-
Del,
I meant both. You will also want to re-generate the DH key.
-
Del, AndrewR means delete them via the panel with the link 'click here to delete all the certificate and to regenerate it'. It's curious because I'm not having this problem anymore since beta4. You can have a look at the log /var/log/httpd/admin_error_log. You may find some information there on why the generation has failed.
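For the empty user.crt Del reports, gerd's "no start line" error earlier in the thread, and the Opera download that displayed the file instead of saving it, the following POSIX sh script is an added example (not the contrib's code) that checks a downloaded client bundle before OpenVPN is started. The file names follow the thread (ca.crt, client.crt, client.key, ta.key); the sample bundle it writes is constructed placeholder content, and the temporary directory name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the smeserver-openvpn contrib. Checks the four
# files a client needs (ca.crt, <name>.crt, <name>.key, ta.key) before OpenVPN
# is started, catching what went wrong earlier in this thread: a 0-byte
# certificate, a file with no "-----BEGIN" line (OpenSSL then reports
# "PEM_read_bio:no start line"), and a "download" that is really the HTML page
# the browser displayed instead of the file.

# check_pem FILE LABEL: succeed when FILE is non-empty and framed by matching
# "-----BEGIN ... LABEL ...-----" / "-----END ... LABEL ...-----" lines.
check_pem() {
    f=$1 label=$2
    [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
    case $(head -n 1 "$f") in
        '<'*) echo "$f: starts with '<', this is a saved web page, not a key file"; return 1 ;;
    esac
    begin=$(grep -c "^-----BEGIN .*$label.*-----\$" "$f" || true)
    end=$(grep -c "^-----END .*$label.*-----\$" "$f" || true)
    [ "$begin" -ge 1 ] || { echo "$f: no BEGIN line (OpenSSL: no start line)"; return 1; }
    [ "$begin" -eq "$end" ] || { echo "$f: unbalanced BEGIN/END lines"; return 1; }
    echo "$f: ok"
}

# check_client_bundle DIR [NAME]: check every file of the bundle in DIR
# (NAME defaults to "client"); the return value is the number of bad files.
check_client_bundle() {
    dir=$1 name=${2:-client} bad=0
    check_pem "$dir/ca.crt" CERTIFICATE          || bad=$((bad + 1))
    check_pem "$dir/$name.crt" CERTIFICATE       || bad=$((bad + 1))
    check_pem "$dir/$name.key" "PRIVATE KEY"     || bad=$((bad + 1))
    check_pem "$dir/ta.key" "OpenVPN Static key" || bad=$((bad + 1))
    return "$bad"
}

# make_sample_bundle DIR: write a constructed bundle with placeholder bodies
# (not real certificates or keys) so the checker can be exercised offline.
make_sample_bundle() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderCA==' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderClient==' \
        '-----END CERTIFICATE-----' > "$dir/client.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIICplaceholderKey==' \
        '-----END RSA PRIVATE KEY-----' > "$dir/client.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '0123456789abcdef' \
        '-----END OpenVPN Static key V1-----' > "$dir/ta.key"
}

# Stand-alone run: check the directory given as the first argument, or the
# constructed sample when none is given (temp directory name is assumed).
if [ "$#" -ge 1 ]; then
    check_client_bundle "$1" "${2:-client}"
else
    sample=${TMPDIR:-/tmp}/ovpn-bundle-check.$$
    make_sample_bundle "$sample"
    check_client_bundle "$sample"
    : > "$sample/client.crt"            # simulate the 0-byte download
    check_client_bundle "$sample" || echo "$? bad file(s) after truncation"
    rm -rf "$sample"
fi
```

The server-versus-client mix-up gerd hit is not visible from the PEM framing; `openssl x509 -noout -text -in client.crt` shows it under "Netscape Cert Type" (SSL Client versus SSL Server).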
-
Is there something we can do about the rootkit hunter warning :
"Checking network interfaces (promiscuous mode)... [ WARNING ]".
I started receiving this emails after installing this contrib.
Not really a problem, just annoying.
Anyway, thanks for this great contrib! It really does the job.
-
No, I don't know how to remove this warning from rkhunter report, it doesn't bother me so I never looked at this, but from my memory, there's no option for rkhunter to ignore promiscuous interfaces. Maybe there's one in more recent versions.
-
Hi VIP-ire,
Thanks for the great contrib. I have been using your beta5 release for awhile, but last week I installed a server for a client and installed your latest release. Very easy to install and start using (with the exception of the "Use of uninitialized value" errors that I have seen on almost every contrib that I have installed on a 7.1 system...)
I was wondering if in your future releases you might consider the option to be able to customize the name of the ca.crt? The reason that I ask is that I have several SME servers that I VPN into and using the OpenVPN GUI all you have to do is create a xxx.ovpn file in the config directory of the client for every server you want to VPN into. Then you copy the .crt and .key files and you can select which server you want to connect to. The only problem was that for my second server when I tried to copy the ca.crt to OpenVPN\config the file already existed from the first server.
It was a pretty easy fix to rename the ca.crt and then modify the xxx.ovpn file to use the name I created instead of ca.crt. If the certificate would have been named name_of_server.crt or something similar, I would not have to change anything...
Now I still haven't figured out a way to use the same login name for each VPN session though as I can't have two files named admin.crt, etc...
Thanks again, your work has been quite helpful and I hope this post makes sense...
Ryan
-
haymann, I also use openvpn into about a dozen servers. I keep each remote server's certs, CAs and config files in separate folders in the config folder for the openvpn gui.
Bob
-
haymann, I also use openvpn into about a dozen servers. I keep each remote server's certs, CAs and config files in separate folders in the config folder for the openvpn gui.
Bob
Ahh... I didn't think to try sub-folders :oops: That would be nicer anyway, could use the same user name, and keeps each config together. Thank you for the tip!
Ryan
-
Hi All,
Is there something we can do about the rootkit hunter warning :
"Checking network interfaces (promiscuous mode)... [ WARNING ]".
I started receiving this emails after installing this contrib.
Not really a problem, just annoying.
There is a post here: http://forums.contribs.org/index.php?topic=35361.0
Although it is in the French forum the last post is English. The command appears to be: mcedit /etc/rkhunter.conf ALLOW_SSH_ROOT_USER=1
I hope this helps.
Regards,
Del
-
I love this contrib. I can't believe that this thread is still going strong. Is this a record for the number of viewings, postings, and pages?
Is there any reason why this would not work on a modem line that is 33.6 (kbps) rated? I have a relative who lives in God's country without high speed. He connects to the internet on his modem, through his company's website (they pay the long distance).
He has connected through a high speed connection so I think the openvpn install is good. I can connect to my network on a high speed modem (50 kbps?), so I don't think that is the issue. I probably can't do anything if his corporate website is blocking something, but I would be interested to know what it is?
Thanks in advance for your help.
-
Here's a quickie one-line command to disable the rkhunter warnings for root SSH logins.
perl -i -p -e 's/\#ALLOW_SSH_ROOT_USER=0/ALLOW_SSH_ROOT_USER=1/' /etc/rkhunter.conf
I just discovered you could do in-place edits with Perl...
...and mcedit. Very cool.
G
-
I love this contrib. I can't believe that this thread is still going strong. Is this a record for the number of viewings, postings, and pages?
Is there any reason why this would not work on a modem line that is 33.6 (kbps) rated? I have a relative who lives in God's country without high speed. He connects to the internet on his modem, through his company's website (they pay the long distance).
He has connected through a high speed connection so I think the openvpn install is good. I can connect to my network on a high speed modem (50 kbps?), so I don't think that is the issue. I probably can't do anything if his corporate website is blocking something, but I would be interested to know what it is?
Thanks in advance for your help.
No, there's no reason for it not to work on a slow connection (even if I never tested it on a slow connection).
Maybe you should try the last release (v 1.1-0), it's available on our website http://sme.firewall-services.com/spip.php?article2
This release adds some features (advanced configuration, who is connected, etc...) but the most interesting part for you is that it uses by default the directive test-mtu instead of a fixed fragment value. This removes 4 bytes of overhead per packet and should increase performance. I think you can see a difference on a very slow connection. The downside is that you will have to modify the configuration of the client (you can still use the panel to generate the good config file).
Don't worry for those who have a lot of clients and don't want to modify all the config. You can configure this release to be compatible with the old one (1.0-3) and continue using the fragment directive. You won't improve the performances but you'll have some new features...
Cheers, Daniel
-
The modification that you mention to the client, how complicated is it? Is it just updating their key or their crt or the openvpn text? I don't have so many clients and faster is better...
-
It's very simple, you just have to remove the lines
fragment 1400
mssfix 1450
tun-mtu-extra 32
and add one line
test-mtu
But the panel should generate the good file for you, then you just have to send the new config file to the client.
-
Hi All,
Today I had my server HDD go faulty, I have replaced it and reinstalled SME 7.1 with all updates and then installed this openvpn contrib, generated new keys etc and put them in the config folder and then I tried to connect and it opens a window with this message:
Options error: Unrecognized option or missing parameter(s) in VPN.ovpn:2: protocol (2.0.7) Use Help for more information
Then a window saying: Connecting to VPN failed
The log in server-manager shows:
Wed Feb 14 14:56:28 2007 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Feb 14 14:56:28 2007 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Feb 14 14:56:28 2007 Cannot open easy-rsa/keys/bridge/dh.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Wed Feb 14 14:56:28 2007 Exiting
Wed Feb 14 15:04:02 2007 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Feb 14 15:04:02 2007 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Feb 14 15:04:02 2007 Diffie-Hellman initialized with 1024 bit key
Wed Feb 14 15:04:02 2007 Control Channel Authentication: using 'easy-rsa/keys/bridge/ta.key' as a OpenVPN static key file
Wed Feb 14 15:04:02 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 14 15:04:02 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 14 15:04:02 2007 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Feb 14 15:04:02 2007 TUN/TAP device tap0 opened
Wed Feb 14 15:04:02 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Feb 14 15:04:02 2007 chroot to '/etc/openvpn' and cd to '/' succeeded
Wed Feb 14 15:04:02 2007 GID set to nobody
Wed Feb 14 15:04:02 2007 UID set to nobody
Wed Feb 14 15:04:02 2007 UDPv4 link local (bound): [undef]:1194
Wed Feb 14 15:04:02 2007 UDPv4 link remote: [undef]
Wed Feb 14 15:04:02 2007 MULTI: multi_init called, r=256 v=256
Wed Feb 14 15:04:02 2007 IFCONFIG POOL: base=10.0.0.60 size=11
Wed Feb 14 15:04:02 2007 Initialization Sequence Completed
Wed Feb 14 15:05:07 2007 event_wait : Interrupted system call (code=4)
Wed Feb 14 15:05:07 2007 TCP/UDP: Closing socket
Wed Feb 14 15:05:07 2007 Closing TUN/TAP interface
Wed Feb 14 15:05:07 2007 PLUGIN_CLOSE: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Feb 14 15:05:07 2007 SIGTERM[hard,] received, process exiting
Wed Feb 14 15:05:14 2007 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Feb 14 15:05:14 2007 Control Channel Authentication: using 'easy-rsa/keys/bridge/ta.key' as a OpenVPN static key file
Wed Feb 14 15:05:14 2007 TUN/TAP device tap0 opened
Wed Feb 14 15:05:14 2007 chroot to '/etc/openvpn' and cd to '/' succeeded
Wed Feb 14 15:05:14 2007 GID set to nobody
Wed Feb 14 15:05:14 2007 UID set to nobody
Wed Feb 14 15:05:14 2007 UDPv4 link local (bound): [undef]:1194
Wed Feb 14 15:05:14 2007 UDPv4 link remote: [undef]
Wed Feb 14 15:05:14 2007 Initialization Sequence Completed
This is the only contrib I have installed and it worked OK before the reinstall. I have deleted and generated the keys etc again but still the same problem. I have downloaded the latest rpms from VIP-ire's site. Any help is appreciated.
EDITED TO ADD: I have compared the old VPN.ovpn and line 2 in the old one reads: proto udp but in the new one it reads: protocol udp
Regards,
Del
-
Oops, sorry for this problem, I have just uploaded the good rpm. For those who have already installed it, just edit the file /etc/e-smith/web/functions/openvpn-bridge
and change line 1025 from
$fic .= "protocol $config{protocol}\n";
to
$fic .= "proto $config{protocol}\n";
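The two client-side edits discussed in this thread (dropping fragment/mssfix/tun-mtu-extra in favour of the MTU test, and replacing the mis-generated "protocol" keyword with "proto") can be applied to an existing .ovpn file in one pass. The following is an added Python example, not code from the smeserver-openvpn-bridge contrib or its author; it assumes the client file is a plain-text .ovpn and writes the directive under the name OpenVPN itself uses, mtu-test (the posts above call it test-mtu). The sample config is constructed.

```python
"""Migrate an OpenVPN client config (.ovpn) from the 1.0-3 layout to the
1.1-0 layout described in this thread.  Added example; it is not code from
the smeserver-openvpn-bridge contrib or its author."""

# Directives the old client files carried for the fixed-fragment setup.
# The new server uses an empirical MTU test instead, so they must go.
FRAGMENT_DIRECTIVES = ("fragment", "mssfix", "tun-mtu-extra")

# Constructed sample: a client file as generated by the buggy 1.1-0 panel
# (note "protocol" on line 2) with the old fragment settings still present.
SAMPLE_OLD_CONFIG = """\
client
protocol udp
remote vpn.example.invalid 1194
dev tap
ca ca.crt
cert alice.crt
key alice.key
tls-auth ta.key 1
fragment 1400
mssfix 1450
tun-mtu-extra 32
# comp-lzo must match the server
comp-lzo
"""


def migrate_client_config(text: str) -> str:
    """Return a migrated copy of an .ovpn file's contents.

    * "protocol X" -> "proto X"  (OpenVPN only knows "proto")
    * drop fragment / mssfix / tun-mtu-extra
    * make sure "mtu-test" is present exactly once
    The function is idempotent: running it on its own output changes nothing.
    """
    out = []
    has_mtu_test = False
    for line in text.splitlines():
        stripped = line.strip()
        # Comments and blank lines pass through untouched.
        if not stripped or stripped[0] in "#;":
            out.append(line)
            continue
        parts = stripped.split()
        directive = parts[0]
        if directive == "protocol":
            out.append("proto " + " ".join(parts[1:]))
            continue
        if directive in FRAGMENT_DIRECTIVES:
            continue
        if directive == "mtu-test":
            has_mtu_test = True
        out.append(line)
    if not has_mtu_test:
        out.append("mtu-test")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(migrate_client_config(SAMPLE_OLD_CONFIG))
```

Run it against a copy of the client file and diff the result before handing it out; a client that still carries "fragment" while the server runs the MTU test will not agree on the data-channel options, which is exactly the mismatch the panel's regenerated config avoids.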
-
HI VIP-ire,
Thanks for the reply, when I have edited /etc/e-smith/web/functions/openvpn-bridge do I have to delete and recreate all the certificates or can I just edit line 2 in the VPN.ovpn file from: protocol udp to: proto udp? Thanks again.
EDITED TO ADD: $fic .= "protocol $config{protocol}\n is on line 1012 not 1025, is this possible?
Regards,
Del
-
Well, I have changed some comments in this file, I think that's why it's line 1012 instead of 1025. Anyway, to be sure, just type the following:
cd /tmp && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/panel-openvpn-patch-1.1-0 && \
mv panel-openvpn-patch-1.1-0 /etc/e-smith/web/functions/openvpn-bridge && \
chown root:admin /etc/e-smith/web/functions/openvpn-bridge && \
chmod 4750 /etc/e-smith/web/functions/openvpn-bridge && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/fr-openvpn-patch-1.1-0 && \
mv fr-openvpn-patch-1.1-0 /usr/share/locale/fr/LC_MESSAGES/openvpn-bridge.mo
It should download the patch and install it automatically; it will just ask you if you want to overwrite two files, just answer 'yes'.
Then, just replace protocol with proto on the client you have already installed, and everything will be ok.
-
OK, I'm starting to go a little nuts trying to figure this out on my own, so I'm sharing the pain :twisted:
I installed the OpenVPN bridge yesterday, and when it is enabled the other computers lose some internet access.
Here's my setup:
T1
|
SME/VPN--------*
|
Network
The * is a router owned by a company sharing our building and T1 connection.
The SME server is running a fully updated SME7.1 server, with the OpenVPN software installed per the instructions here: http://sme.firewall-services.com/spip.php?article4
Basically, what's happening is that when the computers on the network attempt to access some (not all) sites, the connection gets reset (and continues to get reset no matter how many times I try to refresh).
A sample of sites that work:
http://www.eve-online.com
http://www.google.com
A sample of sites that do not work:
http://www.yahoo.com
http://www.cnn.com
The sites are still pingable, so it is not the DNS or a general outage; also, as soon as I disable the VPN the network functionality returns to normal.
Any questions or suggestions? (I'm not currently in front of the machine)
-
Well.. for troubleshooting, try using the option "redirect gateway". This will force all traffic through the VPN interface. See if that exhibits the same symptoms or not. If not.. then there's something fishy in your network.
-
When you say "computers on the network" do you mean both companies or just the one on the "network" side? Not sure about your symptoms but I had a bit of an issue when I installed Openvpn. Hopefully you're not as noob as I, but here goes.
When I assigned addresses for people to VPN into, I forgot to exclude those addresses from the range that the SME box could assign. Even though I had nowhere near enough computers on the network to cause a problem (I thought) it caused a problem.
Hope this helps
-
Hi VIP-ire,
Thanks for your help and this contrib, I did this:
cd /tmp && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/panel-openvpn-patch-1.1-0 && \
mv panel-openvpn-patch-1.1-0 /etc/e-smith/web/functions/openvpn-bridge && \
chown root:admin /etc/e-smith/web/functions/openvpn-bridge && \
chmod 4750 /etc/e-smith/web/functions/openvpn-bridge && \
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/patch/fr-openvpn-patch-1.1-0 && \
mv fr-openvpn-patch-1.1-0 /usr/share/locale/fr/LC_MESSAGES/openvpn-bridge.mo
then this: "Then, just replace protocol with proto on the client you have already installed, and everything will be ok."
Hey Presto, it works OK now. Thanks for your patience :D
Regards,
Del
-
Actually, I didn't worry about it - DHCP is disabled.
Only my company's computers are behind the SME server (the other system forwards the port directly). Only the computers behind the SME server lost access; anything on the other side was fine.
-
That's a strange problem, I never saw something like that. Can you look at the logs (in the panel, you can see the last 100 lines). You should also
- look at the 'messages' log with tail -f /var/log/messages
- check you have those three interfaces: br0 which is configured with the internal address, eth0 which has address 0.0.0.0 and promiscuous mode, tap0 which has also address 0.0.0.0 and promiscuous.
- try to restart the vpn with the command line: /etc/init.d/openvpn-bridge restart, and see if there's an error message
It seems that your problem only affects the web, so maybe you should check squid's log.
What other contribs are you running?
Please report here, or send me an email (daniel at firewall-services dot com) if you see anything strange in the logs.
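The interface check in the list above (br0 holding the LAN address, eth0 and tap0 unnumbered and promiscuous) can be automated so it is run the same way after every restart. The following is an added Python example, not part of the contrib: it parses the output of `ip -o link show` and `ip -o -4 addr show`, the interface names default to the thread's br0/eth0/tap0, and the sample outputs are constructed rather than captured from a real server.

```python
"""Sanity-check the interfaces of an OpenVPN bridge setup from the output of
'ip -o link show' and 'ip -o -4 addr show'.  Added example; not code from the
smeserver-openvpn-bridge contrib.  Interface names default to br0/eth0/tap0."""

import re
from typing import Dict, List, Set

# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^:]*:\s+<(?P<flags>[^>]*)>")
# "4: br0    inet 192.168.1.2/24 brd 192.168.1.255 scope global br0 ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet\s+(?P<addr>[\d.]+)/")

# Constructed sample output for a healthy bridge (not captured from a real host).
SAMPLE_LINK_OK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue \\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100\\    link/ether 02:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue \\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ADDR_OK = """\
1: lo    inet 127.0.0.1/8 scope host lo
4: br0    inet 192.168.1.2/24 brd 192.168.1.255 scope global br0
"""
# Constructed sample of a broken start: the address never moved from eth0 to
# br0, br0 is down, and neither port is promiscuous.
SAMPLE_LINK_BAD = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100\\    link/ether 02:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue \\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ADDR_BAD = """\
2: eth0    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
"""


def parse_links(ip_link_output: str) -> Dict[str, Set[str]]:
    """Map interface name -> set of link flags."""
    links: Dict[str, Set[str]] = {}
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group("name")] = set(m.group("flags").split(","))
    return links


def parse_addrs(ip_addr_output: str) -> Dict[str, List[str]]:
    """Map interface name -> list of IPv4 addresses."""
    addrs: Dict[str, List[str]] = {}
    for line in ip_addr_output.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group("name"), []).append(m.group("addr"))
    return addrs


def check_bridge(links, addrs, br="br0", lan="eth0", tap="tap0") -> List[str]:
    """Return the problems found (an empty list means the bridge looks right)."""
    problems: List[str] = []
    for name in (br, lan, tap):
        if name not in links:
            problems.append(f"{name} does not exist")
    if problems:
        return problems
    if "UP" not in links[br]:
        problems.append(f"{br} is down")
    if len(addrs.get(br, [])) != 1:
        problems.append(f"{br} should carry exactly one IPv4 address, has {addrs.get(br, [])}")
    for name in (lan, tap):
        # Bridge ports are unnumbered (0.0.0.0 in ifconfig terms) and promiscuous.
        if addrs.get(name):
            problems.append(f"{name} still has address(es) {addrs[name]}; it should be unnumbered")
        if "PROMISC" not in links[name]:
            problems.append(f"{name} is not in promiscuous mode")
        if "UP" not in links[name]:
            problems.append(f"{name} is down")
    return problems


if __name__ == "__main__":
    import subprocess
    link = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    addr = subprocess.run(["ip", "-o", "-4", "addr", "show"], capture_output=True, text=True, check=True).stdout
    for problem in check_bridge(parse_links(link), parse_addrs(addr)) or ["bridge looks OK"]:
        print(problem)
```

Because a failed bridge start can leave the box without any working interface, run this from a console session or a script that can put the address back on eth0, not from a remote shell through the bridge itself.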
-
I have used this excellent contrib, and it works great. However one small problem: after I have logged in with my domain username and password in the OpenVPN GUI, I still have to enter the same username and password when I try to access the server (7.1 in server only mode)?
Any idea ?
-
Well, to be honest, I mainly use it with linux clients. I've tested it quickly with win clients, it was connecting without problem so I didn't search further. I'll try to do more tests on that issue. Is anyone else having the same problem? Are you using 1.1-0 or 1.0-3?
-
Thanks for a quick reply. It is version 1.1-0.
When I use the built-in pptp function, I have no problem getting access to the domain shares, but this is very unstable, often it is impossible to connect.
-
2007 us=509497 route_method = 0
Fri Feb 23 16:19:19 2007 us=509519 ip_win32_defined = DISABLED
Fri Feb 23 16:19:19 2007 us=509542 ip_win32_type = 3
Fri Feb 23 16:19:19 2007 us=509565 dhcp_masq_offset = 0
Fri Feb 23 16:19:19 2007 us=509588 dhcp_lease_time = 31536000
Fri Feb 23 16:19:19 2007 us=509610 tap_sleep = 0
Fri Feb 23 16:19:19 2007 us=509632 dhcp_options = DISABLED
Fri Feb 23 16:19:19 2007 us=537778 dhcp_renew = DISABLED
Fri Feb 23 16:19:19 2007 us=537817 dhcp_pre_release = DISABLED
Fri Feb 23 16:19:19 2007 us=537840 dhcp_release = DISABLED
Fri Feb 23 16:19:19 2007 us=537861 domain = '[UNDEF]'
Fri Feb 23 16:19:19 2007 us=537882 netbios_scope = '[UNDEF]'
Fri Feb 23 16:19:19 2007 us=537905 netbios_node_type = 0
Fri Feb 23 16:19:19 2007 us=537931 disable_nbt = DISABLED
Fri Feb 23 16:19:19 2007 us=538235 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2006
Fri Feb 23 16:19:38 2007 us=396567 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Feb 23 16:19:38 2007 us=396627 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 23 16:19:38 2007 us=396662 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 23 16:19:38 2007 us=396717 LZO compression initialized
Fri Feb 23 16:19:38 2007 us=396945 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Feb 23 16:19:38 2007 us=408455 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Feb 23 16:19:38 2007 us=408547 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Feb 23 16:19:38 2007 us=408585 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Feb 23 16:19:38 2007 us=408786 Local Options hash (VER=V4): '13a273ba'
Fri Feb 23 16:19:38 2007 us=408830 Expected Remote Options hash (VER=V4): '360696c5'
Fri Feb 23 16:19:38 2007 us=408899 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 23 16:19:38 2007 us=408939 UDPv4 link local: [undef]
Fri Feb 23 16:19:38 2007 us=408964 UDPv4 link remote: x.x.x.x:1194
Fri Feb 23 16:19:38 2007 us=448509 TLS: Initial packet from x.x.x.x:1194, sid=46f570e6 9ac28549
Fri Feb 23 16:19:38 2007 us=634954 VERIFY OK: depth=1, /C=DK/ST=Denmark/L=Kar/O=karup/OU=VPN/CN=myserver.mydomain.dk/emailAddress=myemail
Fri Feb 23 16:19:38 2007 us=636127 VERIFY OK: nsCertType=SERVER
Fri Feb 23 16:19:38 2007 us=636167 VERIFY X509NAME OK: /C=DK/ST=Denmark/O=karup/OU=VPN/CN=server/emailAddress=Myemail
Fri Feb 23 16:19:38 2007 us=636194 VERIFY OK: depth=0, /C=DK/ST=Denmark/O=karup/OU=VPN/CN=server/emailAddress=Myemail
Fri Feb 23 16:19:38 2007 us=851674 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 23 16:19:38 2007 us=851717 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 23 16:19:38 2007 us=851817 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 23 16:19:38 2007 us=851857 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 23 16:19:38 2007 us=852050 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 23 16:19:38 2007 us=852107 [server] Peer Connection Initiated with x.x.x.x:1194
Fri Feb 23 16:19:39 2007 us=506433 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Feb 23 16:19:39 2007 us=545287 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,dhcp-option DOMAIN mydomain.dk,dhcp-option DNS 192.168.1.4,dhcp-option WINS 192.168.1.4,route-gateway 192.168.1.4,ping 10,ping-restart 120,ifconfig 192.168.1.241 255.255.255.0'
Fri Feb 23 16:19:39 2007 us=545438 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 23 16:19:39 2007 us=545467 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 23 16:19:39 2007 us=545489 OPTIONS IMPORT: route options modified
Fri Feb 23 16:19:39 2007 us=545509 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Feb 23 16:19:39 2007 us=549906 TAP-WIN32 device [LAN-forbindelse 4] opened: \\.\Global\{71ED9F8D-FE0E-4AB2-BAE1-05B72ACE88CA}.tap
Fri Feb 23 16:19:39 2007 us=549960 TAP-Win32 Driver Version 8.1
Fri Feb 23 16:19:39 2007 us=549985 TAP-Win32 MTU=1500
Fri Feb 23 16:19:39 2007 us=550025 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.241/255.255.255.0 on interface {71ED9F8D-FE0E-4AB2-BAE1-05B72ACE88CA} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
Fri Feb 23 16:19:39 2007 us=550070 DHCP option string: 0f087664 6b61722e 646b0604 c0a80104 2c04c0a8 0104
Fri Feb 23 16:19:39 2007 us=561772 Successful ARP Flush on interface [3] {71ED9F8D-FE0E-4AB2-BAE1-05B72ACE88CA}
Fri Feb 23 16:19:39 2007 us=565159 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Fri Feb 23 16:19:39 2007 us=565289 Route: Waiting for TUN/TAP interface to come up...
Fri Feb 23 16:19:40 2007 us=596082 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Fri Feb 23 16:19:40 2007 us=596117 Route: Waiting for TUN/TAP interface to come up...
Fri Feb 23 16:19:41 2007 us=509680 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Fri Feb 23 16:19:41 2007 us=509719 Route: Waiting for TUN/TAP interface to come up...
Fri Feb 23 16:19:41 2007 us=516119 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Fri Feb 23 16:19:42 2007 us=248757 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Fri Feb 23 16:19:42 2007 us=248799 Initialization Sequence Completed
Here is something from my connection log, maybe it helps
-
Hi, i have got the problem to start the openvpn daemon.
I get this error message:
Feb 26 19:11:18 server e-smith-bg: Starting dhcpd:[ OK ]
Feb 26 19:11:18 server openvpn[11252]: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/server-bridge.conf:46: server-bridge (2.0.7)
Feb 26 19:11:18 server openvpn[11252]: Use --help for more information.
Feb 26 19:11:18 server openvpn-bridge: failed
Feb 26 19:11:18 server e-smith-bg: [FAILED]
and this is my server-bridge.conf:
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
# Virtual Interface Configuration
lport 1194
proto udp
dev tap0
# Drop down privileges
user nobody
group nobody
chroot /etc/openvpn
persist-key
persist-tun
# Certificates config
dh easy-rsa/keys/bridge/dh.pem
ca easy-rsa/keys/bridge/ca.crt
cert easy-rsa/keys/bridge/server.crt
key easy-rsa/keys/bridge/server.key
tls-server
tls-auth easy-rsa/keys/bridge/ta.key 0
# CRL file for certificates verification
crl-verify easy-rsa/keys/bridge/crl.pem
# Auth method options
client-cert-not-required
username-as-common-name
# Plugin for user-auth as replacement of the script
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
# Server mode
server-bridge 192.168.1.2 255.255.255.0
# Options
keepalive 10 120
push "ping 10"
push "ping-restart 120"
push "dhcp-option DOMAIN home.ralf"
push "dhcp-option DNS 192.168.1.2"
push "dhcp-option WINS 192.168.1.2"
fragment 1400
mssfix
# Clients options
client-config-dir ccd-bridge
ccd-exclusive
max-clients 1
# Log
status-version 2
log-append /var/log/openvpn/server-bridge.log
status server-bridge.log
verb 1
My SME 7.1 runs in Server/Gateway mode
smeserver-openvpn-bridge-fws-1.1-0.noarch.rpm is installed
maybe someone can help me...
greetings, ralf
-
Toppi, the solution is very simple, the log tells you that you have an error on line 46, which is
server-bridge 192.168.1.2 255.255.255.0
That means you haven't entered the IP range in the main page, this line should be
server-bridge serverIP serverMask firstAddr lastAddr, for example
server-bridge 192.168.1.2 255.255.255.0 192.168.1.20 192.168.1.30
Just enter the address range in the panel and restart the service
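The four-argument form explained above is easy to validate before restarting the service, and the same check can catch the DHCP-pool overlap a poster mentioned earlier in this thread. The following is an added Python example, not part of the contrib or its panel; the dhcp_range parameter is an assumption about how an admin would pass the LAN DHCP range in, and the sample lines are the two from this exchange.

```python
"""Check the argument list of an OpenVPN 'server-bridge' directive before
restarting the service.  Added example; not part of the
smeserver-openvpn-bridge contrib or its panel code."""

import ipaddress
from typing import List, Optional, Tuple


def check_server_bridge(line: str,
                        dhcp_range: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return the problems found in a 'server-bridge ...' line (empty list = OK).

    dhcp_range, if given, is the (first, last) range the LAN DHCP server hands
    out; the VPN pool must not overlap it, or the DHCP server may lease an
    address that OpenVPN has already assigned to a VPN client.
    """
    parts = line.split()
    if not parts or parts[0] != "server-bridge":
        return ["not a server-bridge directive"]
    args = parts[1:]
    if len(args) != 4:
        # The failing config in the thread had only the first two arguments.
        return [f"server-bridge needs 4 arguments (IP mask first last), got {len(args)}"]
    try:
        iface = ipaddress.IPv4Interface(f"{args[0]}/{args[1]}")
        first = ipaddress.IPv4Address(args[2])
        last = ipaddress.IPv4Address(args[3])
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    problems: List[str] = []
    net = iface.network
    if first > last:
        problems.append("pool start is after pool end")
    for label, addr in (("pool start", first), ("pool end", last)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    if first <= iface.ip <= last:
        problems.append(f"pool contains the server address {iface.ip}")
    if dhcp_range is not None:
        d_first = ipaddress.IPv4Address(dhcp_range[0])
        d_last = ipaddress.IPv4Address(dhcp_range[1])
        # Two closed ranges overlap when each one starts before the other ends.
        if first <= d_last and d_first <= last:
            problems.append(f"pool {first}-{last} overlaps DHCP range {d_first}-{d_last}")
    return problems


if __name__ == "__main__":
    # The two lines from the thread: the incomplete one and the corrected one.
    for sample in ("server-bridge 192.168.1.2 255.255.255.0",
                   "server-bridge 192.168.1.2 255.255.255.0 192.168.1.20 192.168.1.30"):
        print(sample, "->", check_server_bridge(sample) or "OK")
```

Feeding it the directive line grep'ed out of /etc/openvpn/server-bridge.conf after expand-template, and the DHCP range from the server-manager DHCP panel, turns the "Options error" at service start into a message you see before the restart.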
-
Your answer is really very simple, but I entered the address range in the panel!
I will edit the config file in the evening and give you feedback if it's ok.
thanks and have a good day...
-
Well, strange if you have entered the address range. Can you please post the range you have entered, and if you have an error running this command:
expand-template /etc/openvpn/server-bridge.conf
and what does this return:
config show openvpn-bridge
you should have startPool and endPool which have the values of the range.
-
The range is 192.168.1.220 - 192.168.1.230
expand-template /etc/openvpn/server-bridge.conf
WARNING in /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode line 8.
WARNING in /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/50server_mode line 8.
WARNING in /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/80clients: Use of uninitialized value in string eq at /etc/e-smith/templates-custom//etc/openvpn/server-bridge.conf/80clients line 20.
WARNING: Template processing succeeded for //etc/openvpn/server-bridge.conf: 3 fragments generated warnings
at /sbin/e-smith/expand-template line 45
and the config:
config show openvpn-bridge
openvpn-bridge=service
UDPPort=1194
access=public
brIf=br0
cipher=auto
clientToClient=disabled
compLzo=enabled
endPool=192.168.1.230
fragment=1400
localCN=server
localIf=eth0
maxClients=20
mtuTest=enabled
nice=0
ping=10
pingRestart=120
protocol=udp
redirectGW=0
renegociation=3600
startPool=192.168.1.220
status=enabled
tapIf=tap0
tunMtu=1400
userAuth=1
verbose=1
-
Ok, it seems that you had a problem while upgrading from 1.0-3 to 1.1-0, the templates in templates-custom should have been removed, now they are in /etc/e-smith/templates. You have this error because I changed the name of the keys in the DB between the two releases. The thing that I don't understand is that upgrading should have removed these old templates. Anyway, just verify that you have the new templates:
ll /etc/e-smith/templates/etc/openvpn/server-bridge.conf/
should return
-rw-r--r-- 1 root root 452 jan 29 15:07 10dev
-rw-r--r-- 1 root root 94 jan 29 15:07 20daemon
-rw-r--r-- 1 root root 612 jan 29 15:07 30cert
-rw-r--r-- 1 root root 290 jan 29 15:07 40scripts
-rw-r--r-- 1 root root 217 jan 29 15:07 50server_mode
-rw-r--r-- 1 root root 1322 jan 29 15:07 60options
-rw-r--r-- 1 root root 495 jan 29 15:07 80clients
-rw-r--r-- 1 root root 187 jan 29 15:07 90log
If it's ok, you can safely remove the old ones:
rm -Rf /etc/e-smith/templates-custom/etc/openvpn
then
expand-template /etc/openvpn/server-bridge.conf
/etc/init.d/openvpn-bridge restart
-
it runs!
you're the best!!!
many thanks and have a good day, my will be :D
-
I would like to be able to configure custom options for each client connection , specifically, gateway and dns options.
I am connecting multiple routers to a central network that does not use SME as its gateway, and using the gateway-redirect function and default "push" options is not going to do it.
How might I go about changing these values without losing them all on restart?
Network looks like:
client router<-->VPN(thru internet)<-->SME<-->AAA server<-->internet
Or at least that's what I want the network to look like.
I've looked at the PERL and though I only have the vaguest idea of what I'm looking at, it seems as though the "push" params are fetched from SME's configuration database.
-
Freak_Dk/Vip-ire;
FYI
I only run this on xp and w2k laptops and pc's. I have not upgraded to the latest and greatest, I guess I have the earliest stable release.
"I still have to enter the same username and password when I try to access the server (7.1 in server only mode)?"
I also have to enter the username/password to access the server after I "vpn" onto the network. It never occurred to me that I shouldn't have to.
Other facilities that I vpn into where the file server is separate from the gateway appliance always work this way (don't they?).
-
UGH. I knew I shouldn't have updated..
I just updated all of SME's updates through Software installer. After the reconfiguration reboot... OpenVPN no longer works. Fails on the TLS handshake. Thinking it was an update gone wrong, I wiped the server and started over.
No luck. Damn thing is still broken. OpenVPN will not complete the TLS Handshake. Times out every time.
The Log on the server tells me nothing... help?
This is what the client log says:
Wed Mar 07 15:43:36 2007 us=567114 Current Parameter Settings:
Wed Mar 07 15:43:36 2007 us=567867 config = 'andrewr.ovpn'
Wed Mar 07 15:43:36 2007 us=567880 mode = 0
Wed Mar 07 15:43:36 2007 us=567892 show_ciphers = DISABLED
Wed Mar 07 15:43:36 2007 us=567902 show_digests = DISABLED
Wed Mar 07 15:43:36 2007 us=567913 show_engines = DISABLED
Wed Mar 07 15:43:36 2007 us=567924 genkey = DISABLED
Wed Mar 07 15:43:36 2007 us=567935 key_pass_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=567947 show_tls_ciphers = DISABLED
Wed Mar 07 15:43:36 2007 us=567957 proto = 0
Wed Mar 07 15:43:36 2007 us=567967 local = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=567979 remote_list[0] = {'209.89.132.81', 1194}
Wed Mar 07 15:43:36 2007 us=567990 remote_random = DISABLED
Wed Mar 07 15:43:36 2007 us=568000 local_port = 1194
Wed Mar 07 15:43:36 2007 us=568011 remote_port = 1194
Wed Mar 07 15:43:36 2007 us=568154 remote_float = DISABLED
Wed Mar 07 15:43:36 2007 us=568178 ipchange = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568189 bind_local = DISABLED
Wed Mar 07 15:43:36 2007 us=568638 dev = 'tap'
Wed Mar 07 15:43:36 2007 us=568652 dev_type = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568662 dev_node = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568672 tun_ipv6 = DISABLED
Wed Mar 07 15:43:36 2007 us=568683 ifconfig_local = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568693 ifconfig_remote_netmask = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=568704 ifconfig_noexec = DISABLED
Wed Mar 07 15:43:36 2007 us=568715 ifconfig_nowarn = DISABLED
Wed Mar 07 15:43:36 2007 us=568724 shaper = 0
Wed Mar 07 15:43:36 2007 us=568737 tun_mtu = 1500
Wed Mar 07 15:43:36 2007 us=568748 tun_mtu_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=568758 link_mtu = 1500
Wed Mar 07 15:43:36 2007 us=568769 link_mtu_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=568779 tun_mtu_extra = 32
Wed Mar 07 15:43:36 2007 us=568813 tun_mtu_extra_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=568825 fragment = 1450
Wed Mar 07 15:43:36 2007 us=568837 mtu_discover_type = -1
Wed Mar 07 15:43:36 2007 us=568847 mtu_test = 0
Wed Mar 07 15:43:36 2007 us=568858 mlock = DISABLED
Wed Mar 07 15:43:36 2007 us=568868 keepalive_ping = 0
Wed Mar 07 15:43:36 2007 us=568879 keepalive_timeout = 0
Wed Mar 07 15:43:36 2007 us=568891 inactivity_timeout = 0
Wed Mar 07 15:43:36 2007 us=568902 ping_send_timeout = 0
Wed Mar 07 15:43:36 2007 us=569243 ping_rec_timeout = 120
Wed Mar 07 15:43:36 2007 us=569262 ping_rec_timeout_action = 2
Wed Mar 07 15:43:36 2007 us=569274 ping_timer_remote = DISABLED
Wed Mar 07 15:43:36 2007 us=569284 remap_sigusr1 = 0
Wed Mar 07 15:43:36 2007 us=569297 explicit_exit_notification = 0
Wed Mar 07 15:43:36 2007 us=569307 persist_tun = DISABLED
Wed Mar 07 15:43:36 2007 us=569318 persist_local_ip = DISABLED
Wed Mar 07 15:43:36 2007 us=569329 persist_remote_ip = DISABLED
Wed Mar 07 15:43:36 2007 us=569339 persist_key = DISABLED
Wed Mar 07 15:43:36 2007 us=569349 mssfix = 1450
Wed Mar 07 15:43:36 2007 us=569360 resolve_retry_seconds = 1000000000
Wed Mar 07 15:43:36 2007 us=569371 connect_retry_seconds = 5
Wed Mar 07 15:43:36 2007 us=569382 username = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569391 groupname = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569403 chroot_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569413 cd_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569423 writepid = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569433 up_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569443 down_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569454 down_pre = DISABLED
Wed Mar 07 15:43:36 2007 us=569463 up_restart = DISABLED
Wed Mar 07 15:43:36 2007 us=569474 up_delay = DISABLED
Wed Mar 07 15:43:36 2007 us=569484 daemon = DISABLED
Wed Mar 07 15:43:36 2007 us=569493 inetd = 0
Wed Mar 07 15:43:36 2007 us=569503 log = DISABLED
Wed Mar 07 15:43:36 2007 us=569513 suppress_timestamps = DISABLED
Wed Mar 07 15:43:36 2007 us=569828 nice = 0
Wed Mar 07 15:43:36 2007 us=569838 verbosity = 4
Wed Mar 07 15:43:36 2007 us=569847 mute = 0
Wed Mar 07 15:43:36 2007 us=569857 gremlin = 0
Wed Mar 07 15:43:36 2007 us=569867 status_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569878 status_file_version = 1
Wed Mar 07 15:43:36 2007 us=569889 status_file_update_freq = 60
Wed Mar 07 15:43:36 2007 us=569899 occ = ENABLED
Wed Mar 07 15:43:36 2007 us=569910 rcvbuf = 0
Wed Mar 07 15:43:36 2007 us=569920 sndbuf = 0
Wed Mar 07 15:43:36 2007 us=569931 socks_proxy_server = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=569950 socks_proxy_port = 0
Wed Mar 07 15:43:36 2007 us=569961 socks_proxy_retry = DISABLED
Wed Mar 07 15:43:36 2007 us=569971 fast_io = DISABLED
Wed Mar 07 15:43:36 2007 us=569981 comp_lzo = ENABLED
Wed Mar 07 15:43:36 2007 us=569991 comp_lzo_adaptive = ENABLED
Wed Mar 07 15:43:36 2007 us=570001 route_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=570012 route_default_gateway = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=570022 route_noexec = DISABLED
Wed Mar 07 15:43:36 2007 us=570032 route_delay = 0
Wed Mar 07 15:43:36 2007 us=576135 route_delay_window = 30
Wed Mar 07 15:43:36 2007 us=576147 route_delay_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=576158 management_addr = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=576167 management_port = 0
Wed Mar 07 15:43:36 2007 us=576177 management_user_pass = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=576188 management_log_history_cache = 250
Wed Mar 07 15:43:36 2007 us=576198 management_echo_buffer_size = 100
Wed Mar 07 15:43:36 2007 us=576208 management_query_passwords = DISABLED
Wed Mar 07 15:43:36 2007 us=576218 management_hold = DISABLED
Wed Mar 07 15:43:36 2007 us=576228 shared_secret_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=576238 key_direction = 2
Wed Mar 07 15:43:36 2007 us=576247 ciphername_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=576257 ciphername = 'AES-128-CBC'
Wed Mar 07 15:43:36 2007 us=576267 authname_defined = ENABLED
Wed Mar 07 15:43:36 2007 us=576277 authname = 'SHA1'
Wed Mar 07 15:43:36 2007 us=576424 keysize = 0
Wed Mar 07 15:43:36 2007 us=594669 engine = DISABLED
Wed Mar 07 15:43:36 2007 us=594726 replay = ENABLED
Wed Mar 07 15:43:36 2007 us=594739 mute_replay_warnings = DISABLED
Wed Mar 07 15:43:36 2007 us=594751 replay_window = 64
Wed Mar 07 15:43:36 2007 us=594762 replay_time = 15
Wed Mar 07 15:43:36 2007 us=594774 packet_id_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=594785 use_iv = ENABLED
Wed Mar 07 15:43:36 2007 us=594796 test_crypto = DISABLED
Wed Mar 07 15:43:36 2007 us=594809 tls_server = DISABLED
Wed Mar 07 15:43:36 2007 us=594820 tls_client = ENABLED
Wed Mar 07 15:43:36 2007 us=594830 key_method = 2
Wed Mar 07 15:43:36 2007 us=594841 ca_file = 'ca.crt'
Wed Mar 07 15:43:36 2007 us=594851 dh_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=594861 cert_file = 'andrewr.crt'
Wed Mar 07 15:43:36 2007 us=594873 priv_key_file = 'andrewr.key'
Wed Mar 07 15:43:36 2007 us=594883 pkcs12_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=594894 cryptoapi_cert = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612681 cipher_list = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612707 tls_verify = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612718 tls_remote = 'server'
Wed Mar 07 15:43:36 2007 us=612728 crl_file = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=612737 ns_cert_type = 64
Wed Mar 07 15:43:36 2007 us=612747 tls_timeout = 2
Wed Mar 07 15:43:36 2007 us=612757 renegotiate_bytes = 0
Wed Mar 07 15:43:36 2007 us=612767 renegotiate_packets = 0
Wed Mar 07 15:43:36 2007 us=612777 renegotiate_seconds = 3600
Wed Mar 07 15:43:36 2007 us=612787 handshake_window = 60
Wed Mar 07 15:43:36 2007 us=612797 transition_window = 3600
Wed Mar 07 15:43:36 2007 us=612807 single_session = DISABLED
Wed Mar 07 15:43:36 2007 us=612816 tls_exit = DISABLED
Wed Mar 07 15:43:36 2007 us=612826 tls_auth_file = 'ta.key'
Wed Mar 07 15:43:36 2007 us=612840 server_network = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=612851 server_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626276 server_bridge_ip = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626315 server_bridge_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626329 server_bridge_pool_start = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=626343 server_bridge_pool_end = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=628656 ifconfig_pool_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=629042 ifconfig_pool_start = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=629054 ifconfig_pool_end = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=629065 ifconfig_pool_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=629076 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=629087 ifconfig_pool_persist_refresh_freq = 600
Wed Mar 07 15:43:36 2007 us=629097 ifconfig_pool_linear = DISABLED
Wed Mar 07 15:43:36 2007 us=629107 n_bcast_buf = 256
Wed Mar 07 15:43:36 2007 us=629117 tcp_queue_limit = 64
Wed Mar 07 15:43:36 2007 us=629127 real_hash_size = 256
Wed Mar 07 15:43:36 2007 us=629136 virtual_hash_size = 256
Wed Mar 07 15:43:36 2007 us=640659 client_connect_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640702 learn_address_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640739 client_disconnect_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640754 client_config_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640766 ccd_exclusive = DISABLED
Wed Mar 07 15:43:36 2007 us=640777 tmp_dir = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=640788 push_ifconfig_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=640803 push_ifconfig_local = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=640816 push_ifconfig_remote_netmask = 0.0.0.0
Wed Mar 07 15:43:36 2007 us=640827 enable_c2c = DISABLED
Wed Mar 07 15:43:36 2007 us=640837 duplicate_cn = DISABLED
Wed Mar 07 15:43:36 2007 us=640847 cf_max = 0
Wed Mar 07 15:43:36 2007 us=640858 cf_per = 0
Wed Mar 07 15:43:36 2007 us=640869 max_clients = 1024
Wed Mar 07 15:43:36 2007 us=640879 max_routes_per_client = 256
Wed Mar 07 15:43:36 2007 us=781426 client_cert_not_required = DISABLED
Wed Mar 07 15:43:36 2007 us=781458 username_as_common_name = DISABLED
Wed Mar 07 15:43:36 2007 us=781471 auth_user_pass_verify_script = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=781483 auth_user_pass_verify_script_via_file = DISABLED
Wed Mar 07 15:43:36 2007 us=781494 client = DISABLED
Wed Mar 07 15:43:36 2007 us=781505 pull = ENABLED
Wed Mar 07 15:43:36 2007 us=781547 auth_user_pass_file = 'stdin'
Wed Mar 07 15:43:36 2007 us=781563 show_net_up = DISABLED
Wed Mar 07 15:43:36 2007 us=781573 route_method = 0
Wed Mar 07 15:43:36 2007 us=781583 ip_win32_defined = DISABLED
Wed Mar 07 15:43:36 2007 us=781607 ip_win32_type = 3
Wed Mar 07 15:43:36 2007 us=781618 dhcp_masq_offset = 0
Wed Mar 07 15:43:36 2007 us=781629 dhcp_lease_time = 31536000
Wed Mar 07 15:43:36 2007 us=781639 tap_sleep = 0
Wed Mar 07 15:43:36 2007 us=781650 dhcp_options = DISABLED
Wed Mar 07 15:43:36 2007 us=781660 dhcp_renew = DISABLED
Wed Mar 07 15:43:36 2007 us=793333 dhcp_pre_release = DISABLED
Wed Mar 07 15:43:36 2007 us=793365 dhcp_release = DISABLED
Wed Mar 07 15:43:36 2007 us=793378 domain = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=793389 netbios_scope = '[UNDEF]'
Wed Mar 07 15:43:36 2007 us=793400 netbios_node_type = 0
Wed Mar 07 15:43:36 2007 us=793410 disable_nbt = DISABLED
Wed Mar 07 15:43:36 2007 us=793435 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Mar 07 15:43:44 2007 us=594979 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Mar 07 15:43:44 2007 us=595101 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 07 15:43:44 2007 us=595118 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 07 15:43:44 2007 us=595151 LZO compression initialized
Wed Mar 07 15:43:44 2007 us=596088 Control Channel MTU parms [ L:1594 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Mar 07 15:43:44 2007 us=599271 Data Channel MTU parms [ L:1594 D:1450 EF:62 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 07 15:43:44 2007 us=599321 Fragmentation MTU parms [ L:1594 D:1450 EF:61 EB:135 ET:33 EL:0 AF:3/1 ]
Wed Mar 07 15:43:44 2007 us=599386 Local Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Mar 07 15:43:44 2007 us=599427 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Mar 07 15:43:44 2007 us=599457 Local Options hash (VER=V4): '29f2fd82'
Wed Mar 07 15:43:44 2007 us=599476 Expected Remote Options hash (VER=V4): 'b35f3855'
Wed Mar 07 15:43:44 2007 us=599511 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Mar 07 15:43:44 2007 us=599533 UDPv4 link local: [undef]
Wed Mar 07 15:43:44 2007 us=599546 UDPv4 link remote: XXXXXXXXX:1194
Wed Mar 07 15:44:45 2007 us=222207 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 07 15:44:45 2007 us=222238 TLS Error: TLS handshake failed
Wed Mar 07 15:44:45 2007 us=222469 TCP/UDP: Closing socket
Wed Mar 07 15:44:45 2007 us=222587 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 07 15:44:45 2007 us=222602 Restart pause, 2 second(s)
I know the traffic is getting through our firewall, as I am getting a message from my firewall saying it is going through OK.
Any suggestions as to where I should be looking?
-
I have updated to 7.1.2 and have no problems with the first stable version of this contrib. I know that's perhaps NOT overly helpful, but maybe informative as to where the problem may lie.
I am currently logged on through the VPN. I compared your log and mine. They appear largely identical; however, close to the end of yours I found:
Wed Mar 07 15:43:44 2007 us=599546 UDPv4 link remote: XXXXXXXXX:1194
(Edit) On further review I noticed the line at the beginning:
us=567979 remote_list[0] = {'209.89.132.81', 1194}
In my log, where you have a numeric address, I have the domain name of the server I am logged into. If I take either my numeric address or domain name and plug it into IE, it resolves to the same place. If I plug your numeric address into IE, it does not resolve (times out).
Hope I am not stating the obvious, but your XXXXXXX needs to be the address of the site you are connecting to. Maybe you have edited your log for security reasons. Hope this helps.
-
Hi everyone. I know some people have problems with this contrib and SME 7.1.2. I'm looking into where this could come from, but for now I don't know. I've just updated my own server to 7.1.2 and the latest openvpn, and everything is working like before. Please, if you have any problem, send me an email with as much detail as possible (server mode, other contribs, version of the contrib, error messages etc...) or open a bug in the bug tracker and send me the bug number, because I can't provide help like this in the forum.
daniel AT firewall-services DOT com
-
Heh, that was me just not blanking out my address. I've been using a numeric address since the very beginning, before updating to 7.1.2. Numeric addresses work well enough... saves the DNS having to do a resolution. :)
-
Well, I'm still unsure as to which part of the update was the problem, but after a reinstall back to 7.1, OpenVPN works fine. It's something to do with the updates to 7.1.2 which are causing the problems, so for now I've disabled the updates.
I'm running SME in server-only mode, and its only function on the network is the OpenVPN service. No other contribs present.
-
Anyone aware of any issues with upgrading to OpenVPN 2.09? There's an RPM for it at Dag's site:
http://dag.wieers.com/rpm/packages/openvpn/openvpn-2.0.9-1.el4.rf.i386.rpm
If I disable the service, do a wget, and then install the rpm... is that the correct procedure? Or should I be doing additional steps? Also, VIP, will that break your contrib?
-
OpenVPN 2.0.9 simply does not work on the SME 7 server (cannot be installed due to dependency errors)
It asks for a liblzo2, which does not exist on the SME 7 Server and I cannot find it somewhere else.
-
Hmm, yes, I see what you mean Stefan.
I was able to find an RPM for the lzo, but it's Mandrake only. No good for SME.
liblzo2_2-2.01-1mdk.i586.rpm
Can't even find the source for that... ah well. It'll pop up eventually. The good news is... a server running 2.07 will work with clients running 2.09 (I know because one of my clients is running Vista32 bit... and 2.07 won't install).
-
I don't know if this is related, but I'm guessing it is.
I am using the latest openvpn rpm on one server, and beta4 on another. Both servers are updated to 7.1.2. I'm getting a lot of errors in /var/log/messages, like this:
No subnet declaration for eth0 (0.0.0.0).
** Ignoring requests on eth0. If this is not what
you want, please write a subnet declaration
in your dhcpd.conf file for the network segment
to which interface eth0 is attached. **
This is caused, I think, by the fact that the local network is now br0.
I noticed this because I have some problems with dhcp not granting new leases, though it is still running. On reboot everything is back to normal.
Has anyone experienced this?
Should I open a bug?
-
Don't know if you should open a bug or not... but your supposition that br0 is the local network is incorrect. br0 is merely a virtual adapter that is created by OpenVPN. The local network should still be eth0. Check your eth0 configuration to ensure that you do have a subnet specified. Since the problem was fixed by a reboot, it may simply be that, before the reboot, the configuration file wasn't read.
-
No, jonic is right: when the VPN is started, the internal interface becomes br0 instead of eth0. This is because, to bridge the interface, we must set eth0 and tap in promiscuous mode with IP 0.0.0.0, and br0 takes the internal IP. For iptables, we cannot have an internal interface with IP 0.0.0.0, so we set it to be br0; this way tap0 and eth0 are both 'the internal interface'.
I know we can have problems with the DHCP server when the VPN is started; I've just noticed that the problem is still here. It occurs, for example, when you add a host name (DNS) through the server-manager: the DHCP server restarts and enters a loop, always restarting. The solution for now is to restart openvpn with /etc/init.d/openvpn-bridge restart.
-
I have had this working great running on SME 7.1; since doing the upgrade to SME 7.1.3 it has stopped.
I also upgraded to smeserver-openvpn-bridge-fws-1.1-1.noarch.rpm from smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm.
The strange part is I did this to 2 different servers; one works and the other doesn't.
Last few lines of the log:
Wed Mar 28 09:07:27 2007 us=897776 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2006
Wed Mar 28 09:07:35 2007 us=38990 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Mar 28 09:07:35 2007 us=39031 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 28 09:07:35 2007 us=39046 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 28 09:07:35 2007 us=39072 LZO compression initialized
Wed Mar 28 09:07:35 2007 us=39166 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Mar 28 09:07:35 2007 us=46043 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 28 09:07:35 2007 us=46101 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Mar 28 09:07:35 2007 us=46115 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Mar 28 09:07:35 2007 us=46146 Local Options hash (VER=V4): '13a273ba'
Wed Mar 28 09:07:35 2007 us=46165 Expected Remote Options hash (VER=V4): '360696c5'
Wed Mar 28 09:07:35 2007 us=46195 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Mar 28 09:07:35 2007 us=50827 UDPv4 link local: [undef]
Wed Mar 28 09:07:35 2007 us=50853 UDPv4 link remote: 150.101.103.143:1194
It then restarts again.
Any ideas please?
-
Sits: What mode are your servers running in? Is one in server-only, and another in server-gateway? It seems that 7.1.2 has some problems with server-only... unknown at this time, but a lot of people had their openvpn break, much like above, when 7.1.2 was released. Me personally, I had to rebuild the server, and disable updates. Mine was in server-only.
What is different besides name between the two servers? Any other contribs running? Mail? Web? Ibays?
-
Both servers are running in server-only mode: Mail, Web, DHCP, VPN, pretty much what SME is used for.
Same motherboards and network cards, 2 hard drives mirrored,
behind Netgear routers, with port forwarding set up to the SME boxes.
The only mods installed on them are:
smeserver-dar2-0.0.1-0dmay
smeserver-vacation-1.0-11
smeserver-mailsorting-1.2-5
perl-Unicode-IMAPUtf7-2.01-1
smeserver-openvpn-bridge-fws-1.1-1
dmc-mitel-portopening-0.0.1-4
Edit:
One of the servers was upgraded to 7.1.2 a week ago, then upgraded to 7.1.3 2 days ago.
The other I upgraded 2 days ago from 7.1 straight to 7.1.3.
-
OK, I found the difference between the servers:
the server that was working had a local network defined for my IP address,
the one that was not working didn't.
After adding the local network for my IP it started to work.
So with the upgrade to SME 7.1.3 there must have been some new rule added, since they both worked fine running under SME 7.1.
This is all well and good, but I don't want to add local networks for all the VPN connections, as quite a few of my clients travel overseas and connect through hotels using their laptops, so the network IP will be different.
Is the only answer going to be to set up server/gateway mode?
-
Hmm, I sure as hell hope not. That's something that ought to be added automagically. Not to mention, the whole point of a VPN is to become a part of the network you're connecting to, in essence making the remote network "local" in terms of how your computer sees it.
Just so I understand... when you say the server that was working had a local network defined for my IP, you mean something like below:
Office Network: 192.168.1.0 /24
Your network (laptop from home) 192.168.2.0 / 24
yes? or something else....
-
No, I mean I had to add my ISP-assigned address (203.133.145.0 subnet 255.255.255.0/256) to the local networks in the remote SME I'm VPNing to, to get it to work, not my (laptop from home) 192.168.2.0 / 24, and this is my concern as well.
(203.133.145.0 subnet 255.255.255.0) This is not my real address, just an example.
-
Hi everyone. Sorry for being away so long. I was looking into the problem of iptables rejecting packets, and I've found the problem. It occurs only in server-only mode, since SME 7.1.2. I've opened a bug report (no 2812) and I think it'll be corrected in SME 7.2. While waiting for this release, here's a temp fix:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
cp -a /etc/e-smith/templates/etc/rc.d/init.d/masq/00Definitions /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
vim /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/00Definitions
and change line 16 from
if (defined $ExternalInterface{Name})
to
if($SystemMode ne "serveronly")
then run
signal-event remoteaccess-update
Then openvpn will work again.
Don't forget to remove this custom template when 7.2 is released (if the bug is corrected).
Cheers, Daniel
-
Thanks VIP-ire
That solved my issue with having to add a local network :)
-
Daniel,
thanks for your diligent research. I think I'll wait and see if this bug gets fixed in 7.2 before I update. Probably safer that way.
-
For whatever reason, this didn't fix mine. I still must add the remote network address to the "local networks" on the server... then it works great. Anything I should check?
This is in the SME log file over and over again:
2007-04-03 11:42:35.368118500 Apr 3 11:42:35 intranet denylog: IN=br0 OUT= MAC=00:0c:29:dd:8a:80:00:18:19:eb:9b:w8:08:00 SRC=68.113.xxx.xxx DST=192.168.0.7 LEN=70 TOS=00 PREC=0x00 TTL=115 ID=61397 CE PROTO=UDP SPT=62908 DPT=1194 LEN=50
-
OK, the fix works for me. I had tried to change to server-gateway and it failed because it didn't see my other interface (using VMware; this is on a Server 2003 host). I backed out of the config; however, it saved the server-gateway setting. Switched it back to server-only and it works great!!! This makes VPN very easy, especially when using VMware (no additional computer).
-
After applying the fix, a
signal-event post-upgrade ; signal-event reboot
is required.
-
No, signal-event post-upgrade && signal-event reboot are not required. The signal-event remoteaccess-update will expand the templates for /etc/init.d/masq and then restart the firewall. Those are the only changes, so rebooting won't be useful.
-
Hi, I have the same problem. My server is working in server-only mode, and after applying your workaround it still doesn't work when I connect from outside.
This is what appears in my iptables log:
2007-04-04 18:45:51.494116500 Apr 4 18:45:51 master denylog: IN=br0 OUT= MAC=00:02:b3:30:fc:3f:00:02:a5:ad:cc:3c:08:00 SRC=217.232.225.45 DST=192.168.0.252 LEN=70 TOS=00 PREC=0x00 TTL=55 ID=55544 CE PROTO=UDP SPT=61592 DPT=1194 LEN=50
However, it works when I am inside my LAN and open a connection to see if the setup is working.
Any other ideas?
UPDATE
I don't know why a remote access update didn't work, but a reconfigure and a reboot did work.
-
I had to do it in 2 of my installations! Otherwise no dice.
-
So are there any full working steps to get this working in server-gateway mode since all these updates?
-
It should work without any changes in server & gateway; my own server is in this configuration, SME 7.1.2 and smeserver-openvpn-bridge-fws-1.1-1.
-
Do you have SME's inbuilt PPTP service disabled while using openvpn?
-
unregister_netdevice: waiting for br0 to become free. Usage count = 1
I get this message every time I need to reboot; it stays there for about 30 lines and then the system reboots.
-
Do you have SME's inbuilt PPTP service disabled while using openvpn?
I don't use PPTP at all
-
Are the correct steps for installation still the ones from the PDF in the first post of this thread?
Also wondering if it is possible to have it running on TCP port 8080.
-
KaiNeR,
The simple answer to both questions is yes. However, I think you're better off using UDP port 1194, or some other unused UDP port. 8080 is generally used for web proxy servers, and should be left for that kind of traffic.
When selecting a port to use, refer to the following:
http://www.iana.org/assignments/port-numbers
If you're not going to use udp 1194, then be sure to choose an unused port from this list. Cheers.
-
I need to use TCP port 8080 because I want to be able to VPN to my SME server from work, 8080 being the only port available on the proxy at work.
Is it possible?
Thanks
-
Well, before you do that, perhaps you should check with your network staff. If they've blocked all port traffic except 8080, then making a connection to your home PC / an external network becomes a security risk. You shouldn't be connecting to another network from your office without first clearing it with your network admin / IT department. Besides the risks of virus infection, there's also data integrity / loss, and if it ever came out that you did this without consulting them first, it could be grounds for them to terminate your employment. It's good practice, and it's being responsible.
Finally, if all you want to do is connect to your SME server from work... rather than using VPN, I would suggest you look at remote management of the SME server. The SME can be configured to allow access to the site from remote addresses, such as the public IP address, and you can just log into Webmin much as you would from within your home network. This doesn't have the same kinds of security risks as vpn, and is little more than a website visit.. whereas creating a VPN connection to a non-corporate network raises all kinds of issues. If that interests you, I suggest you read through the SME manual, as it will detail how you can setup remote management etc.
-
Hi,
Can anybody tell me how I have to configure this contrib when I have a local domain (something.local) and want to access my server by a DynDNS domain?
How do I get the right config and certificates, as I want to use Authentication Method 3? My SME works as server-gateway.
Thanks!
Lupo
-
Hi! In the last release (1.1-1) there's an option in the advanced configuration to set up what I call "an external domain", I mean the domain name used to access your server from the outside. This option is especially useful for dyndns (my own server uses a dyndns domain). So all you have to do is configure auth method 3 in the main page, enable the service, then click on apply. After that, go to the advanced configuration page and enter your dyndns domain name in External domain Name. Then go to the certificate manager, generate one certificate, and the config file should be generated.
-
I have recently made a fresh SME 7.1.3 install (server-gateway mode) and of the required OpenVPN release 1.1-1. To my knowledge all client certificates were created properly and installed in the config file of "openvpn-2.0.7-gui-1.0.3", a Windows XP client. But when I try to connect to the server, I am faced with the following messages:
- connection reset by peer (WSAECONNRESET) (Code=10054)
- TLS key negotiation failed to occur within 60 sec (check your network connectivity)
- TLS handshake failed
- TCP/UDP: closing socket
In the latest "How-to: install smeserver-openvpn-bridge" I could read under item 2, Fixing iptables problem for SME 7.1.2 and 7.1.3: "there is a bug in the firewall script which prevents any UDP port from being opened", etc., but no restriction as to whether it is applicable to server-only mode or server-gateway mode...
So finally I hope to get some help/support for two questions:
- Any idea for the message TLS handshake failed?
- In the event that this error message is caused by the "iptables problem" VIP-ire stated in his e-mail of the 2nd of April: this problem of iptables rejecting occurs only in server-only mode. So in fact I am not affected, because I have installed server-gateway mode?
I had OVPN running smoothly under SME 7.0, and my hope is to get it working also under SME 7.1.3...
Thanks in advance for your support
best regards
gerd
-
Well, yes, I confirm: the bug in iptables affects server-only but not server & gateway. The error you have is quite common; it means the client cannot reach port 1194 of your server (or whatever you have configured). It can be a routing issue, a port redirection issue, a firewall issue etc...
You should check the server side logs (through the server-manager, you can see the last 100 lines).
You should follow this how-to http://smeserver.fr/astuces.php?astuce=net_masq_logging to enable logging of firewall events in a separate log, then check it with tail -f to be sure it's not the firewall blocking the requests.
-
Hmm,
a complete mystery...
As I have told, I have installed a fresh SME7.1.3 server, and then openvpn release 1.1-1.
Nothing was changed as to the IP rules of the SME server. Concerning the WinXP client, also here nothing was changed as to the client firewall etc. Of course, I have applied new certificates and keys and I installed the new config file... So the absolute minimum of modifications was applied. But nevertheless it still doesn't work.
In summary, I had before the SME7.0 server and the OpenVPN software which was available in january this year. And everything worked perfectly...
I will still continue to try to make OVPN run, as usually the problem is in front of the PC and not the PC itself...
best regards
gerd
-
I have forgotten to mention that there is no port forwarding. The SME server is configured in server-gateway mode: therefore ETH1 is connected directly to the DSL modem. The local network of the SME server is in DHCP mode. The client which should be connected via OVPN to the SME is connected via a modem to the DSL network.
The IP of the remote client is 192.168.20.xxx, the IP range of the local network of the SME server is DHCP mode from 192.168.1.40 (start) to 192.168.1.80 (end). The DHCP range for OVPN is from 192.168.1.90 (start) to 192.168.1.99 (end). So to my guess this should be ok.
Sometimes I wonder whether TCP instead of UDP could be a solution to my problems - however I like to know the root cause....
regards
gerd
-
unregister_netdevice: waiting for br0 to become free. Usage count = 1
I get this message every time I need to reboot; it stays there for about 30 lines and then the system reboots.
me too..
is this something to worry about?
Ciao
stefano
-
...last but not least I discovered a strange message (red characters) in the following file:
usr/share/doc: can't open: stunnel-tls-3.22
this message is dated the 28th of april - the day when I have installed the openvpn contrib....
Can anyone enlighten me more about this message (tls key negotiation failed...)
regards
gerd
-
Even though the SME box is the first point to your DSL, you still need to create a firewall rule for the port, allowing traffic, and direct it to your SME server (which should have a static internal IP address in the 192.X.X.X range) in order for the traffic to work, because that internal address is still behind the firewall that SME provides.
-
Andrew,
if so, then a lot of things have changed in comparison to SME7.0 and the openvpn software which I installed in january '07 (the most recent version of openvpn at the time, unfortunately I do not remember the exact version): at that time I installed SME7.0, installed the openvpn contrib, configured openvpn on my XP client (certificates & keys) and everything worked fine from scratch.
Do you really mean that "today" I have to create firewall rules for the UDP port 1194??? I haven't found any hints in this context in the "HowTo's install smeserver-openvpn-bridge" as of the 28th of february 07 from http://sme.firewall-services.com !!!!
Any comments are highly appreciated... :oops:
gerd
-
Hmm. I can't really find anything in the how-to on that per se, but it's just basic networking. More and more, firewalls are starting to take the approach that BSD did years ago: close everything, and only open what you're specifically told to. In the various security updates to SME, it wouldn't surprise me if that was the case. It never hurts to try and see if that is the case.
As for the TLS case, one thing to look at that I've discovered in my workings: check the file size of the certificates. A couple of times I've run into it where the certs are generated, but they're just not big enough. They should be in the neighbourhood of about 4k each; if they're not, delete all keys, generate a new DH key, and start over. Safest way, and then try again.
Your subnetting is ok. Now, your remote client: does it share the same DSL connection? So it's a subnet within a subnet? Multiple NATs can always be somewhat tricky. Not impossible mind you, but tricky.
Finally, in my own case, in order to get it working in the office here, I had to roll back to 7.1 and disable updates with OVPN 1.1, as the updates would break my OVPN connection. My server is in server-only mode, partly because I prefer to separate server roles, and also because I didn't need another firewall to administer in the office (I'm the network admin).
One last thing to check: on your SME server, check the logs to see if the connection traffic is even hitting the SME box or not. See if there is a request coming from anywhere; the client logs won't tell you that information, but your openvpn logs will. If you can, try connecting from an external network, not just a different subnet. When I was testing mine, I used RDP to connect to my home network, and would try and connect from there. Made for a field test without the hassle of leaving my desk.
Hope this helps.
-
Andrew,
thanx for your reply. In the meantime I have reinstalled again the SME7.1.3 server (SME7.1 update via "yum update" to 7.1.3).
Then I have installed again OpenVPN, this time with wget http://sme.firewall-services.com......etc, to make a final yum localinstall ./*.rpm followed by a signal-event post-upgrade and a signal-event reboot.
And again - no way to get OpenVPN to work; still the same error message:
- connection reset by peer (WSAECONNRESET)(Code=10054)
- TLS key negotiation failed to occur within 60 sec (check your network connectivity)
- TLS handshake failed
- TCP/UDP: closing socket
Having again a look at the file usr/share/doc I find the same message: can't open stunnel-tls-3.22. Believe it or not: with exactly the same time (and date) as the installation of OpenVPN. Coincidence or chance??
(I have translated the message fm German to English, so in fact this error message could be slightly different).
Is my understanding correct that you are running openvpn with SME7.1 instead of 7.1.3??? I will test it tomorrow - today I am really too tired now...
best regards (fm Germany/Hannover)
gerd
-
Gerd,
You are correct. I am running 7.1...not 7.1.3. I have disabled all yum updates.
-
Meanwhile I have set up a new SME7.1 - next friday I will give a try with regards to OpenVPN (1.0.3) again - the combination of this OpenVPN worked perfect with SME7.0.
But please allow me a question: the SME version 7.1.3, configured as a server-gateway in combination with smeserver-openvpn-bridge (release 1.1-1): who has successfully installed this OpenVPN without fumbling with the firewall rules of the SME server? And if yes, how did you manage?
It is definitely not my intention to blame someone for something, and on top of that I am a Linux novice. It is just to learn where my mistakes during the installation are....
By the way, the message I have mentioned yesterday:
Having again a look at the file usr/share/doc I find the same message: can't open stunnel-tls-3.22. Believe it or not: with exactly the same time (and date) as the installation of OpenVPN. Coincidence or chance??
has nothing to do with OpenVPN; this message is shown on my freshly installed SME Server 7.1 as well, without any contribs....
best regards
gerd
-
gerd,
I have installed this on 2 SME 7.1.3 server/gateway systems without any problems, and no need to adjust iptables
Bob
-
unregister_netdevice: waiting for br0 to become free. Usage count = 1
I get this message every time I need to reboot; it stays there for about 30 lines and then the system reboots.
me too..
is this something to worry about?
Ciao
stefano
I guess so, today my system became stuck on this message for over an hour and I had to reboot by hand :cry:
Also there seems to be a problem with DHCP after I installed the openvpn:
May 2 00:10:19 sme7 dhcpd: No subnet declaration for eth0 (0.0.0.0).
May 2 00:10:19 sme7 dhcpd: ** Ignoring requests on eth0. If this is not what
May 2 00:10:19 sme7 dhcpd: you want, please write a subnet declaration
May 2 00:10:19 sme7 dhcpd: in your dhcpd.conf file for the network segment
May 2 00:10:19 sme7 dhcpd: to which interface eth0 is attached. **
This happens everytime I enter a new host under 'Hostnames and Addresses' and my DHCPD becomes unresponsive.
Unfortunately there's no entry for this contrib on the bugtracker.
-
Bingo!!
This morning I disabled the OVPN service, deleted all certificates, recreated all certificates, enabled the OVPN service again and made a reboot of the SME server 7.1.3, and it works....
My problem is now: I don't know what happened yesterday and the days before. Maybe I created the certificates while OpenVPN was still running (can this be the reason for my OVPN problems??).
Anyway, thanx to all who supported me...
best regards
-
The problem of DHCPD after adding a hostname should be fixed quickly, I think I've found a solution, I'll just test it on several servers to be sure. The other problem (unregister_netdevice: waiting for br0 to become free. Usage count = 1), I must admit I don't know where it comes from. There's the bug 1780 for this contrib if you want to report.
Gerd, the certificates can be generated when the server is running, it shouldn't be a problem so your error is not here.
-
How are you fixing the DHCP problem?
This has worked so far, but I'm unsure if it's proper:
Edit /etc/init.d/rc.d/dhcpd
#daemon /usr/sbin/dhcpd ${DHCPDARGS} 2>/dev/null
daemon /usr/sbin/dhcpd br0 2>/dev/null
-
Well, I've just modified two lines in /etc/openvpn/server-bridge-startup and /etc/openvpn/server-bridge-shutdown
you can replace each instance of
/sbin/service dhcpd start
with this:
/usr/local/bin/svc -u /service/dhcpd/
and each instance of this:
/sbin/service dhcpd stop
with this:
/usr/local/bin/svc -d /service/dhcpd/
In fact the problem comes from a conflict between dhcp started directly with /etc/init.d/dhcpd, and the one run with the supervisor in /service/dhcpd
Everyone who wants to test could do that, it shouldn't be risky for the server. If this modification is validated as a fix for this problem, I'll include it in the next release with some other minor changes
-
Great!
I'm trying that!
Thanks,
-
Daniel,
I am not sure whether your contrib has a "view record" with 38782 views, but at least your contrib seems to belong to the interesting ones. Maybe the time has come now to consider an integration of your contrib into the SME distribution, provided the consent of all concerned parties. It is just an idea, not more please.
But personally I would just like to say a "simple thank you" for your contribution. And I am keen to see your ovpn version "from the South-West".
salutations
gerd
-
I'd just like to announce version 1.1-2 of the contrib. Just a few changes:
- the bug with dhcpd is fixed (as far as I've tested)
- italian translation (thanks to Romano Romano)
To upgrade, just type:
rpm -Uvh http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms/smeserver-openvpn-bridge-fws-1.1-2.noarch.rpm
/etc/init.d/openvpn-bridge start
Well, thanks. I also think it could be a good contribution to add to the base (and of course, I'd be very proud if it was included in the next release of SME), but I think I need to work a little more on it in order to be fully integrated into the SME server distribution, especially:
- replace the start script by a supervisor
- add the possibility to download all the necessary files (certs, key, config) in one zip archive
- add a how-to for the configuration of the client (one for windows, one for mac OS X, one for linux)
- integrate the management interface so we could see active connections in real time (and kill those we want for example)
- auto-detection of the subnet, and configuration of the IP range according to it (for a first install)
- add verification scripts (if the login of the user doesn't match the CN of the certificate, the connection is refused)
- add connection/disconnection scripts (to send an email to the user and the admin for example, or to fill a mysql database so we could keep a trace of every connection)
By the way, who must I contact to suggest the integration of this contrib into the distribution?
Cheers, Daniel
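The verification script Daniel lists above (refuse the connection when the login does not match the certificate CN) maps onto OpenVPN's tls-verify hook. What follows is an added example written for this page, not code from the contrib or from Daniel: a Python script that OpenVPN would run as "tls-verify /etc/openvpn/check-cn.py". OpenVPN calls the command with two arguments, the chain depth and the X.509 subject, and accepts the certificate only on exit status 0. The script accepts CA/intermediate certificates (depth > 0, whose signatures OpenVPN has already checked against ca.crt), parses the leaf subject in both the old "/C=FR/CN=alice" and the newer "C=FR, CN=alice" formats, and refuses any CN that is not an exact match for a known login. The allowlist and the script path are assumptions; on a real SME server the list would come from the accounts database.

```python
#!/usr/bin/env python3
"""Added example (not the contrib's code): an OpenVPN --tls-verify hook
that refuses any client certificate whose CN is not a known user login.

OpenVPN runs:  <cmd> <depth> <x509-subject>
and treats exit status 0 as "accept", anything else as "reject".
"""
import re
import sys

# Constructed stand-in for the server's user list (assumption); a real
# deployment would read the accounts database instead of a literal set.
ALLOWED_LOGINS = {"alice", "bob", "gerd"}


def parse_subject(subject):
    """Split an X.509 subject string into an {attribute: value} dict.

    Handles "/C=FR/O=Example/CN=alice" (OpenVPN 2.0/2.1 style, as used by
    the SME 7 era packages) and "C=FR, O=Example, CN=alice" (newer default).
    """
    if subject.startswith("/"):
        # split on the slash that starts the next "KEY=" pair only, so a
        # slash inside a value does not break the parse
        parts = re.split(r"/(?=[A-Za-z]+=)", subject.lstrip("/"))
    else:
        parts = re.split(r",\s*(?=[A-Za-z]+=)", subject)
    fields = {}
    for part in parts:
        if "=" in part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def common_name(subject):
    """Return the CN attribute of the subject, or None if it has none."""
    return parse_subject(subject).get("CN")


def verify(depth, subject, allowed=ALLOWED_LOGINS):
    """Return True to accept this certificate of the chain.

    depth > 0 are the CA / intermediate certificates: OpenVPN has already
    validated the signature chain against ca.crt, so only the leaf
    (depth 0) is policed here.
    """
    if depth > 0:
        return True
    cn = common_name(subject)
    if not cn:
        return False            # a leaf without a CN is refused
    # exact, case-sensitive match: "alice2" or "Alice" must not pass for "alice"
    return cn in allowed


def main(argv):
    """CLI entry point used by OpenVPN; returns the process exit status."""
    if len(argv) != 3:
        sys.stderr.write("usage: check-cn.py <depth> <x509-subject>\n")
        return 1
    try:
        depth = int(argv[1])
    except ValueError:
        return 1
    ok = verify(depth, argv[2])
    if not ok:
        sys.stderr.write("tls-verify: refusing certificate %r\n" % argv[2])
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script must be executable, and OpenVPN 2.1 and later also need "script-security 2" in the server config before they will run it. This check complements, rather than replaces, a CRL ("crl-verify"): the CRL removes a revoked certificate, the CN check removes a certificate that was never meant to log in as that user.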
-
Then *please* consider to make a donation.
I have already done this for two customer servers, which I installed with Daniel's OpenVPN contrib. Including my own SME server, all of them are working perfectly with OpenVPN. Installation is so easy now (unlike my former manual method)!
-
Daniel,
is my assumption correct that the update of the openvpn does not affect the certificates & keys, or do I have to regenerate them??
regards
gerd
-
No, certificates and keys won't be affected of course.
-
...new update works perfectly with SME in server-only mode...
many thanks
gerd
-
Well I hate to make an insanely long thread longer, but...
Well, to be honest, I mainly use it with linux clients.
add a how-to for the configuration of the client (one for windows, one for mac OS X, one for linux)
Can someone point me to some info on configuring a linux client please? I have been using this great contrib on XP for a long time, but I just installed Ubuntu Studio (http://ubuntustudio.org/) (looks like their site as down at the moment...) and would love to be able to connect to my servers from this Linux OS. I installed OpenVPN - Admin (one of the choices listed here (http://openvpn.net/gui.html)), but I was having trouble filling in all the blanks... I would appreciate any assistance!
Thanks,
Ryan
-
Well, I use the command line to use openvpn on linux clients, because I didn't find any GUI I like (network-manager-openvpn on ubuntu is nearly a good client, but the pull option is missing). So, to configure openvpn on linux:
- install openvpn, lzo and resolvconf
sudo apt-get install openvpn resolvconf
- create a directory where you store the certificates (for example /home/user/.ovpn)
- edit a new config file in this directory
vim /home/user/.ovpn/config
- paste the config file generated by the panel into it
- add the full path for the key (ta.key), the master certificate (ca.crt), the client certificate (client.crt) and the client private key (client.key). In our example, add /home/user/.ovpn/
- download those 4 files and put them in the directory /home/user/.ovpn
The VPN can work now, but if you want the client's DNS to be updated just like windows does, do the following:
- add to your config file
up /home/user/.ovpn/domain.up
down /home/user/.ovpn/domain.down
- edit a new file vim /home/user/.ovpn/domain.up
- paste the following in it
#!/bin/sh
# really naff script to add nameserver entry on up
DEV=$1
set | sed -n "
s/^foreign_option_.* DNS \(.*\)'/nameserver \1/; T next; p;
:next; s/^foreign_option_.* DOMAIN \(.*\)'/domain \1/; T; p;
" | resolvconf -a $DEV
resolvconf -u
- edit a new file vim /home/user/.ovpn/domain.down
- paste the following in it
#!/bin/sh
# really naff script to delete nameserver entry on down
DEV=$1
resolvconf -d $DEV
resolvconf -u
- make those files executable
chmod +x /home/user/.ovpn/domain.*
You can start the VPN with the command sudo openvpn --config /home/user/.ovpn/config
Hope that can help. I'll try to add this how-to on http://sme.firewall-services.com soon
-
Thank you, I will test this out as soon as I get a chance. I am glad to see that I wasn't the only one that didn't see all the options of the Linux GUIs. I was going to try to install the Windows client using Wine, but I have not had very good results doing anything w/ Wine so far...
Again, thanks for the help.
Ryan
-
Daniel, if you get this into the base install of SME, I'll buy you a beer.
Seriously, if you did.. I use SME + ovpn for my clients who want a VPN solution... as opposed to using the VPN RRAS on a Windows Server (shudder). The install of OVPN is already soooo difficult.. so if you were to save me the downloads after install.. well that just makes my life so much easier.
Daniel: One question: once we do the upgrade... will this contrib work with server-only mode in 7.1.3 and beyond? Rather than do the workaround script.. I just disabled the updates on SME. Can I safely enable them again?
-
I haven't worked on this contrib since release 1.1-2, and I've just seen that there's still a problem with the dhcp, so it's not stable enough to be added into the base yet.
I also need to work harder on rpm packaging because I found it really hard to perform clean upgrades between different versions (with my rpms, you can only upgrade from the previous version).
For the bug in server-only mode, it should be corrected in SME 7.2; for now, if you do the upgrade (to 7.1.3), you'll have to add the custom template as explained on my web site.
-
As to SME7.2 in server-only mode, and status as of today: OpenVPN release 1.1-2 works perfectly. I tested this weekend with the latest SME7.2 update.
gerd
-
With regards to the DHCP problem, have you tried just doing this:
/sbin/e-smith/db configuration setprop InternalInterface Name br0
service dhcpd restart
I added this to the end of my "openvpn-startup" script and it solved the problem (not sure what else it affects though).
-
This is already done (of course) by the startup script with the default config. The problem of the dhcp looping seems to come from some signal-events sending the restart signal to the dhcpd daemon instead of the sigterm signal. I've tried to replace each 'restart' signal with a sigterm in the signal-event which causes the problem, and this seems to solve it. I need to do more tests before, but I think it'll be corrected soon
-
I have installed this contrib on two servers (SME version 7.2) and on both I get the message that the daemon is not running. On both servers the IP ranges have been entered.
DHCP server (which is not the SME server) assigns in the range of 192.168.2.1 through 192.168.2.255, so I have set the start and end range for OpenVPN connections to 192.168.2.1.150 through 192.168.1.200
Even after a reboot the daemon does not start.
Any ideas?
-
Try
/etc/init.d/openvpn-bridge start
-
Thanks for the suggestion. I tried it and this is the error message that I'm getting:
Starting openvpn: Tue Aug 7 15:12:31 2007 TUN/TAP device tap0 opened
Tue Aug 7 15:12:31 2007 Persist state set to: ON
device br0 already exists; can't create bridge with the same name
device br0 is a bridge device itself; can't enslave a bridge device to a bridge device.
device tap0 is already a member of a bridge; can't enslave it to bridge br0.
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
[FAILED]
On this machine I initially had installed the PPTP VPN capability, so I tried it on my other server as well. Here the result was:
Starting openvpn: Tue Aug 7 16:10:39 2007 TUN/TAP device tap0 opened
Tue Aug 7 16:10:39 2007 Persist state set to: ON
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
[FAILED]
Similar (?) problem it seems.
These are SME Server 7.2 machines (upgraded from 7.1.3) with the most recent version of the contrib installed. Both machines are in server only mode.
-
Hi,
in a previous e-mail you said:
DHCP server (which is not the SME server) assigns in teh range of 192.168.2.1 through 192.168.2.255, so I have set the start and end range for OpenVPN connections to 192.168.2.1.150 through 192.168.1.200
Even though I don't know your configuration, I would like to recommend separating the DHCP address range from the OVPN address range; say
DHCP: 192.168.2.2 to 192.168.2.200 and the OVPN range from 192.168.2.201 to 192.168.2.254, with a DHCP server address at 192.168.2.1. The workstation to be connected to the SME server via OVPN must have a different address range from 192.168.2.xxx, e.g. 192.168.7.25. If your workstation is also connected to a DHCP server, then that DHCP address range must be different (192.168.5.2 - 192.168.5.168).
Do you want to bridge two SME servers, or is your idea to connect a workstation (e.g. home office) to the SME server via OVPN?? I must confess I haven't quite understood your installation......
regards
gerd
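gerd's rules above (OVPN pool disjoint from the DHCP pool, both inside the office subnet, the server address in neither, and the road warrior's own network on a different subnet) can be checked before the panel is filled in. The following is an added example written for this page, not part of the contrib: a Python function, using only the standard library ipaddress module, that validates a bridge-mode address plan and reports every rule it breaks. It also rejects a malformed address such as the "192.168.2.1.150" entered earlier in the thread, which is the kind of value that stops the daemon from starting. The sample plans are constructed from the ranges discussed in this thread.

```python
"""Added example (not the contrib's code): sanity-check a bridge-mode
OpenVPN address plan.

In bridge mode the road warrior is placed directly on the office LAN, so:
  1. the OpenVPN pool must lie inside the office subnet,
  2. it must not overlap the DHCP pool handed out to local machines,
  3. neither pool may contain the server address, the network address
     or the broadcast address,
  4. the client's own home network must not overlap the office subnet,
     otherwise the client's routing table sends office addresses to the
     home LAN (the "same 10.0.0.1 on both sides" problem).
"""
import ipaddress


def parse_range(start, end):
    """Return (first, last) as integers for an inclusive dotted-quad range.

    Raises ValueError for a malformed address such as '192.168.2.1.150'
    or for a range whose end precedes its start.
    """
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("range end %s precedes start %s" % (end, start))
    return first, last


def overlap(a, b):
    """True if two inclusive (first, last) integer ranges share an address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_plan(lan, server_ip, dhcp, ovpn, client_lan=None):
    """Validate a bridge-mode plan; return a list of problems (empty means OK).

    lan        - office subnet in CIDR form, e.g. '192.168.2.0/24'
    server_ip  - the SME server's LAN address
    dhcp, ovpn - (start, end) tuples for the two address pools
    client_lan - the road warrior's home subnet in CIDR form, if known
    """
    problems = []
    net = ipaddress.IPv4Network(lan, strict=True)
    net_range = (int(net.network_address), int(net.broadcast_address))
    srv = int(ipaddress.IPv4Address(server_ip))

    pools = {}
    for name, rng in (("DHCP", dhcp), ("OpenVPN", ovpn)):
        try:
            pools[name] = parse_range(*rng)
        except ValueError as exc:   # AddressValueError is a ValueError too
            problems.append("%s pool is malformed: %s" % (name, exc))

    if len(pools) == 2 and overlap(pools["DHCP"], pools["OpenVPN"]):
        problems.append("DHCP and OpenVPN pools overlap")

    for name, rng in pools.items():
        if not (net_range[0] <= rng[0] and rng[1] <= net_range[1]):
            problems.append("%s pool is outside %s" % (name, lan))
        if rng[0] <= srv <= rng[1]:
            problems.append("%s pool contains the server address %s" % (name, server_ip))
        if rng[0] == net_range[0] or rng[1] == net_range[1]:
            problems.append("%s pool includes the network or broadcast address" % name)

    if client_lan is not None:
        cnet = ipaddress.IPv4Network(client_lan, strict=True)
        if cnet.overlaps(net):
            problems.append("client network %s overlaps the office LAN %s: "
                            "office addresses will be routed to the home LAN"
                            % (client_lan, lan))
    return problems


if __name__ == "__main__":
    # gerd's recommended layout from the post above, plus a home LAN of 192.168.7.0/24
    for p in check_plan("192.168.2.0/24", "192.168.2.1",
                        ("192.168.2.2", "192.168.2.200"),
                        ("192.168.2.201", "192.168.2.254"),
                        client_lan="192.168.7.0/24") or ["plan OK"]:
        print(p)
```

The fourth rule is the one a VPN cannot fix: two hosts that both answer to 10.0.0.1 are a routing problem, not a Windows problem, as Daniel says further down, and the only cure is to renumber one side.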
-
I have 2 different servers I need to be able to access from anywhere. So it's a pure roadwarrior setup that I'm trying to achieve.
However, your response has helped me. What I did was set the IP ranges on both machines to be different from the range assigned by the DHCP server.
My modem (=DHCP server) assigns in the 192.168.2.x range. In order not to overlap I set the contrib to assign in the 192.168.2.1.x range. I'll change that range and will see what happens.
EDIT: made the change and now the daemon is running as expected. Silly me....
-
Don't worry...
Aside the daemon, is your OVPN now running as expected??
gerd
-
Works like a charm, thanks for your help! In the future I may actually consider linking multiple sites this way :)
-
I remember well the problems I have faced when I started with OVPN about half a year ago, and I remember well the support granted by VIP-ire. So it is not more than normal to "redistribute" what has been "received".
gerd
-
Now that I have it working there are 3 things that I have not yet figured out - and have not been able to Google either:
1. When the subnet I'm on is the same as for the machine I establish the VPN connection with (e.g. 10.0.0.x), this seems to create problems in Windows. While wanting to access the modem on the VPN network, it points me to the (same) modem on the local network as they have identical IP addresses (e.g. 10.0.0.1). Is this normal behaviour?
2. After establishing a VPN connection I can map a network drive to my Windows PC. I can also browse the contents on the network drive and delete files etc. When trying to upload files, even small ones (0.5MB) I get the error message "Cannot copy .... Network drive no longer available" although I can still see the drive. Is there anything I can do to prevent this?
3. I searched this forum but have not been able to locate a howto that explains how to set up the server to server OpenVPN. Does anyone have a link that can be used for this?
Thanks in advance!
-
Now that I have it working there are 3 things that I have not yet figured out - and have not been able to Google either:
1. When the subnet I'm on is the same as for the machine I establish the VPN connection with (e.g. 10.0.0.x), this seems to create problems in Windows. While wanting to access the modem on the VPN network, it points me to the (same) modem on the local network as they have identical IP addresses (e.g. 10.0.0.1). Is this normal behaviour?
That's not a windows issue but a general network issue, there's no real solution, a routing table is a routing table.
2. After establishing a VPN connection I can map a network drive to my Windows PC. I can also browse the contents on the network drive and delete files etc. When trying to upload files, even small ones (0.5MB) I get the error message "Cannot copy .... Network drive no longer available" although I can still see the drive. Is there anything I can do to prevent this?
It's working for all my sites. It can be a link problem (ping too slow, or not enough bandwidth).
3. I searched this forum but have not been able to locate a howto that explains how to set up the server to server OpenVPN. Does anyone have a link that can be used for this?
This contrib is not designed for server to server connections, but it can be done. Here's a how-to:
http://sme.firewall-services.com/spip.php?article25
Cheers, Daniel
-
Ok, I'll test the connection when I'm using a better connection. Of course thanks for the great contrib and excellent howto.
As to the connecting server-to-server, that'll be my next project :)
-
Hi everyone. I'd like to have some testers for the next release of smeserver-openvpn-bridge. I'm using it on my server, but I'd like to be sure everything is OK on different configurations. If I don't have any bug report in one week, I'll announce it officially.
There won't be many new features (but one interesting one: possibility to download a zip archive with the needed files, cert, keys config file etc...). The biggest work on this release was to make it cleaner:
- everything is performed with signal-event (sign a new cert, revoke it, generate the dh params etc...)
- the daemon is supervised
- the bridge is permanent, not just created at openvpn startup and destroyed when it stops. This should correct the bug of dhcpd and another when you shut down your server and it complains about br0.
If you want to try:
wget http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms-beta/smeserver-openvpn-bridge.fws-1.1-3.noarch.rpm
yum localinstall smeserver-openvpn-bridge.fws-1.1-3.noarch.rpm
/etc/init.d/openvpn stop
Then go to the panel in the server-manager, check the config, and click on the apply link.
I'd also like some people to test the newer openvpn (2.0.9) from dag repository:
db yum_repositories set dag repository BaseURL 'http://apt.sw.be/redhat/el4/en/$basearch/dag' EnableGroups no GPGCheck yes GPGKey http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt Name 'Dag - EL4' Visible no Exclude freetype,htop,iptraf,rsync,syslinux status disabled
expand-template /etc/yum.conf
yum --enablerepo=dag update openvpn
For me it's working, so it shouldn't be too risky.
-
Many Thanks :-)
I'm testing on a test server before I upgrade my own (smeserver-openvpn-bridge-fws-1.1-2).
So far so good, but I'm getting this error as I tried to shutdown the server (Will install a new ethernet interface and test it on Server-Gateway mode)
unregister_netdevice: waiting for br0 to become free. Usage count = -256
-
Hi, and thanks for testing and reporting. I'm just correcting some little problem with the actual 1.1-3, I'll upload it again before announcing it.
For the error "unregister_netdevice: waiting for br0 to become free. Usage count = -256", I saw it on my test server but now I cannot reproduce it. I know this is a bridge related problem, but today I'm testing it and the error doesn't occur.
-
I can give you access to my test system if you need stuntshell [ ] gmail.com, I also have msn, AIM,etc.. if needed.
-
Hi.
I won't have time to access your server, and as this bug shuts down the connection, I'll lose access when it gets interesting.
I've just uploaded the rpm and srpm again, with some corrections. Maybe the bug you're talking about was because the service openvpn-bridge was started before the network, so it creates tap0 and tries to enslave it in br0 while br0 hasn't been created yet. This is corrected now and openvpn-bridge will be started after the network.
Anyway, I'd like to have some testers for this new rpm. And try to change ssh access, add and remove virtual domains and hostnames to be sure it won't break dhcpd. Of course, report any positive or negative experience.
Cheers, Daniel
-
It does not break DHCP anymore, but the problem: br0: port2(tap0) entering disabled state
unregister_netdevice: waiting for br0 to become free. Usage count = -2
remains. :(
I tested this new RPM in two ways: updating (removing the old one, installing the new one), and a fresh install (new system, then the contrib). Same problem.
Thanks,
-
Hi. I think I've got an idea for fixing this issue.
Does this problem appear when you have a client connected to the VPN, or does it occur even if nobody is connected?
From what I've tested, it only occurs when clients are connected, so tap0 and br0 still have some active references. If we try to delete br0 while these references are active, it causes the error. The solution would be to kill each client session before shutting down. I'm currently writing the necessary script using the Net::OpenVPN::Manage module. I think it won't be too hard but I'll need some time to write it cleanly. Can anyone confirm that the problem only occurs when client(s) is/are connected?
Cheers, Daniel
-
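The shutdown step described in the post above (drop every client session over the management interface before the bridge is torn down), as an added example that is not the contrib's code and uses the raw text protocol instead of Net::OpenVPN::Manage. It assumes the server config carries `management 127.0.0.1 7505 /etc/openvpn/mgmt.pw`; the port and password-file path are illustrative, and the `status` transcript below is constructed so the parser can be run without a daemon.

```python
# Added example (not the contrib's code): kill every OpenVPN client session
# through the management interface before openvpn-bridge removes tap0/br0.
# Assumes `management 127.0.0.1 7505 /etc/openvpn/mgmt.pw` in the server config.
import socket

# Constructed sample of a `status` reply (management "version 1" layout).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sun Jan 27 17:01:35 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:1194,12345,67890,Sun Jan 27 16:50:01 2008
bob,198.51.100.7:45133,222,333,Sun Jan 27 16:58:12 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:aa:bb:cc:01,alice,203.0.113.10:1194,Sun Jan 27 17:01:30 2008
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status_clients(text):
    """Return the common names in the CLIENT LIST section of a `status` reply."""
    names, in_clients = [], False
    for line in text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            in_clients = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_clients and not line.startswith(("Updated,", "Common Name,")):
            fields = line.split(",")
            if len(fields) >= 5:
                names.append(fields[0])
    return names


def is_success(reply):
    """True when a management command reply reports SUCCESS."""
    return reply.startswith("SUCCESS:")


class OpenVPNManagement:
    """Minimal client for OpenVPN's line-oriented management protocol."""

    def __init__(self, host="127.0.0.1", port=7505, password=None, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""
        if password is not None:
            self._read_until(b"ENTER PASSWORD:")   # the prompt has no newline
            self._send(password)
        # A wrong password gets "ERROR: bad password" and a closed socket; a
        # right one (or no password at all) is followed by the >INFO: banner.
        self._read_until(b">INFO:")
        self._read_until(b"\r\n")

    def _send(self, line):
        self.sock.sendall(line.encode() + b"\r\n")

    def _read_until(self, marker):
        while marker not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("management channel closed")
            self.buf += chunk
        data, _, self.buf = self.buf.partition(marker)
        return data.decode(errors="replace")

    def command(self, cmd):
        """Send one command; return its reply up to the END/SUCCESS/ERROR line."""
        self._send(cmd)
        lines = []
        while True:
            line = self._read_until(b"\r\n")
            if line.startswith(">"):            # asynchronous notification
                continue
            lines.append(line)
            if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
                return "\n".join(lines)

    def close(self):
        self.sock.close()


def disconnect_all(mgmt):
    """Kill every connected client by common name; return the names killed."""
    killed = []
    for cn in parse_status_clients(mgmt.command("status")):
        if is_success(mgmt.command("kill " + cn)):
            killed.append(cn)
    return killed


if __name__ == "__main__":
    with open("/etc/openvpn/mgmt.pw") as fh:     # assumed path, keep it mode 0600
        mgmt = OpenVPNManagement(password=fh.read().strip())
    print("killed:", disconnect_all(mgmt))
    mgmt.close()
```

The `kill` commands only close the client sessions; the init script still has to stop the daemon (or send `signal SIGTERM` on the same channel) before br0 is deleted. Keep `management` bound to 127.0.0.1 and behind a password file: anything that can reach that port can drop every user's session.
-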
You'll find on our website a new beta release of the contrib. I won't release version 1.1-3, but 1.2-0, as there are a lot of other changes:
- the status page uses Net::OpenVPN::Manage to get the info, which allows real-time info and the possibility to disconnect the client you want
- the shutdown script disconnects all the clients, this should prevent the "unregister_netdevice: waiting for br0 to become free" etc. error
- routes of local networks are pushed to the clients (patch from Jonathan Martens)
- the management interface is configured
To get the full changelog, install it and run rpm -qi smeserver-openvpn-bridge.fws (testing environment recommended).
This new release now depends on the two perl modules Net::Telnet and Net::OpenVPN::Manage. You can find the two rpms, the contrib, and other dependencies (openvpn, lzo, lzo2) here:
http://sme.firewall-services.com/downloads/smeserver-openvpn/rpms-beta/
-
Tested this with a fresh install and I wish to report I still see this message:
unregister_netdevice waiting for br0 to become free etc...
-
I noticed the following behaviour on my server.
When I need to halt or reboot the server simply by the command halt or reboot, it gives me the "unregister_netdevice: waiting for br0 to become free" error.
When I halt or reboot the server by signal-event reboot or signal-event halt, it halts or reboots without the error.
Coincidence or ....
Regards
Dirk
-
I'm not sure. I have it running on my two personal servers without problem. I have rebooted them 2 or 3 times and I didn't have the unregister_netdevice problem. But I always use signal-event halt/reboot. I'd like to find a solution for this, but after googling a while, it seems that a lot of people have this problem, and there's no real solution. If anyone has an idea ... I'd like to release this new version because it corrects at least the dhcp bug, but if the server freezes each time you reboot, it's not very cool :/
By the way, does it occur only when clients are connected?
-
There were no clients connected at any time when i did the halts/reboots.
Regards
Dirk
-
It makes you think that maybe the solution lies in signal-event reboot/halt.
You and I didn't have any problems when shutting down or rebooting that way.
Regards
Dirk
-
Now that I have it working there are 3 things that I have not yet figured out - and have not been able to Google either:
1. When the subnet I'm on is the same as for the machine I establish the VPN connection with (e.g. 10.0.0.x), this seems to create problems in Windows. While wanting to access the modem on the VPN network, it points me to the (same) modem on the local network as they have identical IP addresses (e.g. 10.0.0.1). Is this normal behaviour?
2. After establishing a VPN connection I can map a network drive to my Windows PC. I can also browse the contents on the network drive and delete files etc. When trying to upload files, even small ones (0.5MB) I get the error message "Cannot copy .... Network drive no longer available" although I can still see the drive. Is there anything I can do to prevent this?
Thanks in advance!
Hi,
Just a couple notes on this:
Problems #1 and #2 are most definitely related. When you're making a virtual network connection, (which is exactly what OVPN is doing), you can't make a connection to a network you're already a part of. The routing tables won't jive, and it won't work. Even if it says it's connected... it's lying. At the very least, you need to be trying from an entirely different subnet. And, more importantly.. the numbering of the two internal subnets MUST be different.
For example... let's say you're testing from home.
Home Network (private subnet): 10.0.0.x subnet
Office Network (private subnet): 10.0.0.x subnet
It won't work. One of those must be different. Honestly, a home network should never need to be on a 10.0.0.x subnet... no home network needs that many addresses. You can get by with a 192.168.x.x subnet, or, if you want to be different..and have almost as many addresses available as the office, use a 11.0.0.x subnet. The point is, it has to be different, so that your routing tables (which windows builds automatically, with help from the OVPN sw) can actually be done correctly. When you connect to the OVPN, it creates an entry which says "if you're going to address 10.0.0.x, then route through this tunnel / bridge we created. All others, go this way" Problem is.. if the virtual and real subnets are the same number, it gets confused.
Don't confuse windows.. it has a hard enough time as it is :)
-
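The routing problem described in the reply above, as an added example that is not part of the thread or the contrib: it checks a set of named networks for overlap and then replays the client's longest-prefix route lookup to show why 10.0.0.1 is answered by the home modem when both LANs are 10.0.0.0/24. It goes slightly beyond the post by accepting any number of sites, not just home and office; interface names and all addresses are constructed.

```python
# Added example, not from the thread or the contrib: overlap check for a
# bridged-VPN address plan plus a simulated client route lookup. The
# interface names (eth0, tap0) and the addresses are constructed.
from ipaddress import ip_address, ip_network
from itertools import combinations


def overlapping_pairs(nets):
    """nets: {name: CIDR}. Return every pair of names whose networks overlap."""
    parsed = {name: ip_network(cidr, strict=False) for name, cidr in nets.items()}
    return [(a, b) for a, b in combinations(parsed, 2)
            if parsed[a].overlaps(parsed[b])]


def route_lookup(routes, dest):
    """Longest-prefix match over routes [(CIDR, interface)].

    Returns the interfaces that tie for the best match. One entry is a clean
    decision; two means the OS falls back to interface metrics, which is how
    a request for 10.0.0.1 ends up at the modem on the local LAN instead of
    the one behind the tunnel.
    """
    addr = ip_address(dest)
    best, best_len = [], -1
    for cidr, via in routes:
        net = ip_network(cidr, strict=False)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [via], net.prefixlen
        elif net.prefixlen == best_len:
            best.append(via)
    return best


def client_routes(home_lan, office_lan):
    """Routing table a bridged client ends up with after connecting."""
    return [(home_lan, "eth0"), (office_lan, "tap0"), ("0.0.0.0/0", "eth0")]


if __name__ == "__main__":
    print(overlapping_pairs({"home": "10.0.0.0/24", "office": "10.0.0.0/24",
                             "branch": "192.168.1.0/24"}))
    print(route_lookup(client_routes("10.0.0.0/24", "10.0.0.0/24"), "10.0.0.1"))
    print(route_lookup(client_routes("192.168.1.0/24", "10.0.0.0/24"), "10.0.0.1"))
```
-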
I have my test VPN server in this environment:
I have a subnet6 allowing me to have a number of usable public IPs
VPN server: 2 NICs, one on a public IP and the other on a local 192.168.0.* network, server-gateway mode
My workstation is on a separate network in the range 192.168.1.* and is using a different gateway on a different public IP
I can connect, map network drives, browse, move files etc.......
I have tested shutdown and rebooting the server using:
shutdown -r now/shutdown -h now
signal-event reboot/signal-event halt
It does not seem to matter if a user is connected or not, it still won't work. The only option is to power route the box or hit the reset button.
-
Well, first I would like to thank you all for a long good reading (yes, I really browsed through all the 21 pages in this thread!)
Now to my question:
I need to set up a transparent VPN-connection between two locations like this:
[OFFICE_1]<->[SMESERVER/GATEWAY_1]<->[INTERNET]<->[SMESERVER/GATEWAY_2]<->[OFFICE_2]
The main idea is that [SMESERVER/GATEWAY_1] should act as PDC for the clients in [OFFICE_1] as well as [OFFICE_2], but I think the clients in [OFFICE_2] would still receive their DHCP from [SMESERVER/GATEWAY_2].
So, adding the subnet used in [OFFICE_2] in "local networks" in [SMESERVER/GATEWAY_1] should work, I think.
Now to the VPN-related issue:
In this thread, there is mentioned that smeserver-openvpn-bridge-fws COULD be used for setting up such a LAN2LAN connection between two Smeservers, but I cannot find any place where this is actually explained in more details.
Maybe I should start a new thread, since this thread doesn't seem to be very active any longer?
Or if someone has a ref to any more relevant place where this has been discussed I would of course be very grateful.
(I'm pretty sure I've seen this mentioned, but of course I cannot find it now when I need it...)
-
I've just installed this contrib and rebooted. When I first run it, it says Open VPN needs a master certificate. I click on the "Create it" link and a form comes up "Generate the needed certificates for your server"
MAJOR ISSUE: When I complete the form and send it I get an error message "Bad caracteres in New Zealand at /etc/e-smith/web/panels/manager/cgi-bin/openvpn-bridge line 1364."
I have also tried an underscore instead of the space and tried putting "New Zealand" in quotes. All are rejected with "bad character" error message and I can go no further.
I have logged this in the bug tracker
Cheers
Pete
-
According to the regular expression on that line spaces and underscores are not allowed, try a dash as that should be allowed.
sub verif ($) {
    my ($string) = @_;
    # Whitelist: only letters, digits, '_', '-', '@' and '.' are accepted
    if ($string =~ /^([-\@\w.]+)$/) {
        $string = $1;    # untaint the value
    }
    else {
        die "Bad caracteres in $string";
    }
    return $string;
}
I have logged this in the bug tracker
Next time please report the bug number/link to the bug as well for easy reference: bug 3778 (http://bugs.contribs.org/show_bug.cgi?id=3778). Also try to give your summary a more descriptive text, this would make it easier for people searching the bug tracker. Thanks in advance.
-
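The whitelist in the verif() sub quoted above, as an added example (not the contrib's code) in Python: the original character set beside a widened one that admits the space in "New Zealand" while still refusing anything that could break out of an openssl subject string or a shell command. The `-subj` builder assumes the panel feeds these values to `openssl req`; the RDN names, key and CSR paths are illustrative.

```python
# Added example (not the contrib's code). The panel's verif() untaints with
# /^([-\@\w.]+)$/, so the space in "New Zealand" fails. Below: the same set
# in Python next to a widened whitelist, and an argv builder that hands the
# subject to openssl without a shell. Paths and RDN names are illustrative.
import re

ORIGINAL = re.compile(r"[-@\w.]+", re.ASCII)                 # same set as verif()
WIDENED = re.compile(r"[A-Za-z0-9][A-Za-z0-9 @._-]{0,63}")  # plus space, bounded


def is_valid(value, pattern=ORIGINAL):
    """True if every character of value is whitelisted.

    fullmatch() is used on purpose: Perl's $ (and Python's) also matches just
    before a trailing newline, so "New-Zealand\n" would slip through verif().
    """
    return pattern.fullmatch(value) is not None


def verif(value, pattern=ORIGINAL):
    """Return value unchanged if it passes the whitelist, else raise."""
    if not is_valid(value, pattern):
        raise ValueError("Bad caracteres in %s" % value)
    return value


def build_subj(fields):
    """Build an `openssl req -subj` string from (RDN, value) pairs.

    '/' and '=' are outside WIDENED, so a value can never inject an extra RDN.
    """
    return "/" + "/".join("%s=%s" % (rdn, verif(val, WIDENED)) for rdn, val in fields)


def build_req_argv(fields, key_path, csr_path):
    """argv list for openssl: no shell involved, so spaces in values are harmless."""
    return ["openssl", "req", "-new", "-key", key_path, "-out", csr_path,
            "-subj", build_subj(fields)]


if __name__ == "__main__":
    fields = [("C", "NZ"), ("ST", "New Zealand"), ("CN", "vpn.example")]
    print(build_req_argv(fields, "/etc/openvpn/keys/server.key", "server.csr"))
```

Widening the whitelist is safe only as long as the value still travels as a single argv element (or a single Perl list-form system() argument); interpolating it into a shell string would reintroduce the problem the original strict set was guarding against.
-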
Do yourself a favor:
DO NOT USE THIS CONTRIB!!!
Follow Knudsen's instructions and live happy without bugs.
-
Hi everyone
I haven't worked on this contrib for a while as I don't have much spare time. I know it would require more work.
For the underscore, maybe I could add it as an allowed character in a next release, for now try "new-zealand" (without quotes).
-
I have installed the latest release version of the smeserver-openvpn-bridge-fws contrib on 4-5 SME servers so far and can access all of them without problems or bugs.
The OpenVPN solution following the instructions of Jesper Knudsen does *not* create a bridge connection (AFAIR), so I never could connect to another server on the same subnet, because routing did not work.
Additionally, certificates and keys are very easily created with the smeserver-openvpn-bridge-fws contrib.
-
Lucky you! :-)
I installed several times on two different machines over and over and never got it to work correctly. Maybe it has issues with the hardware type as it was proposed earlier... Mine were HP and Dell machines.
On the other hand, "Knudsen's How-To" works perfectly for me, I can access all the network resources without being on the same subnet (that's what routing is supposed to do).
Edit: It does work BTW; it breaks other things, I should clarify!
-
I have SME 7.3 with OpenVPN from "http://sme.firewall-services.com/spip.php?article4"
but I found these error messages:
[root@primsvr ~]# /etc/init.d/openvpn-bridge start
Starting openvpn: Sun Jan 27 17:01:35 2008 TUN/TAP device tap0 opened
Sun Jan 27 17:01:35 2008 Persist state set to: ON
Shutting down IP masquerade and firewall rules: Done!
Enabling IP masquerading: done
[FAILED]
Regards,
darmasanthi
-
Have you configured all the necessary certificates, d-h parameters etc.. through the panel in the server-manager?
-
On the server side, the OpenVPN_Bridge works now,
but it's still not set up on the client.
FYI here is our network (the plan):
2 SME7.3 Server with "Server & Gateway mode" :
Internal IP.A----SME7.3 Server (A)-------wireless------(B) SME7.3 Server-----Internal IP.B
192.168.0.0/24--192.168.0.100/24--10.10.10.1/16---wireless---10.10.10.2/16--192.168.1.100/24--192.168.1.0/24
my question :
is this a correct configuration?
Or, please give me the solution ...
Regards,
darmasanthi
-
On my server I removed the teamspeakserver contrib.
This fixed the "unregister_netdevice waiting for br0" error.
-
WOW!!!
This is a win! :)
I never used the TeamSpeak contrib though, and I always had the problem :(
-
I had this problem too but reading the small print in the howto it says
"the vpn ip range must be outside the standard DHCP range"
Since I had DHCP switched off in my SME setup, I
imagined that sentence did not apply, but it seems that it does still
apply as described...
"It [the vpn ip range] must be in the same subnet as your local
network but out of the standard DHCP range. For example, you have a
network address of 192.168.165.0/24, the default DHCP range is from
192.168.165.65 to 192.168.165.250, you can choose the range
192.168.165.20 to 192.168.165.50 for the vpn’s clients."
I had chosen the range 192.168.165.201 through 211 but now I've chosen
20 through 30 and the Masquerading error message is fixed and I can now connect OK.
hth,
David.
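-
The rule quoted in the post above (VPN client range inside the LAN subnet but outside the DHCP range), as an added example that is not from the howto or the contrib: it checks a proposed range against the LAN plan, also catching the cases the howto leaves implicit (the server's own address, the network and broadcast addresses), and emits the matching OpenVPN `server-bridge` line. The addresses are the howto's example values; the server address 192.168.165.1 is an assumption.

```python
# Added example (not from the howto or the contrib): validate a bridged VPN
# client range against the LAN subnet and DHCP range, then emit the
# `server-bridge gateway netmask start end` directive. 192.168.165.1 as the
# server address is an assumption; the other values are the howto's example.
from ipaddress import ip_address, ip_network


def _parse_range(first, last):
    a, b = ip_address(first), ip_address(last)
    if a > b:
        raise ValueError("range start %s is after end %s" % (a, b))
    return a, b


def check_vpn_pool(lan_cidr, server_ip, dhcp_range, vpn_range):
    """Return the list of problems with vpn_range; an empty list means usable."""
    lan = ip_network(lan_cidr)
    srv = ip_address(server_ip)
    d0, d1 = _parse_range(*dhcp_range)
    v0, v1 = _parse_range(*vpn_range)
    problems = []
    if v0 not in lan or v1 not in lan:
        problems.append("vpn range %s-%s is not inside %s" % (v0, v1, lan))
    if not (v1 < d0 or v0 > d1):                      # ranges touch or overlap
        problems.append("vpn range overlaps dhcp range %s-%s" % (d0, d1))
    if v0 <= srv <= v1:
        problems.append("vpn range includes the server address %s" % srv)
    if v0 <= lan.network_address <= v1 or v0 <= lan.broadcast_address <= v1:
        problems.append("vpn range includes the network or broadcast address")
    return problems


def server_bridge_directive(lan_cidr, server_ip, dhcp_range, vpn_range):
    """OpenVPN `server-bridge` line for a range that passed check_vpn_pool()."""
    problems = check_vpn_pool(lan_cidr, server_ip, dhcp_range, vpn_range)
    if problems:
        raise ValueError("; ".join(problems))
    lan = ip_network(lan_cidr)
    return "server-bridge %s %s %s %s" % (server_ip, lan.netmask,
                                          vpn_range[0], vpn_range[1])


if __name__ == "__main__":
    LAN, SRV = "192.168.165.0/24", "192.168.165.1"
    DHCP = ("192.168.165.65", "192.168.165.250")
    print(check_vpn_pool(LAN, SRV, DHCP, ("192.168.165.201", "192.168.165.211")))
    print(server_bridge_directive(LAN, SRV, DHCP, ("192.168.165.20", "192.168.165.50")))
```

In the thread the colliding range (201 to 211) did not fail loudly; it surfaced as the masquerade restart reporting [FAILED]. Running a check like this in the panel before writing the config turns that into a readable error.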