[Openvpn-users] MULTI CLIENT SERVER TUN: I DO NOT UNDERSTAND [Antonio.Feitosa]


  • Subject: [Openvpn-users] MULTI CLIENT SERVER TUN: I DO NOT UNDERSTAND [Antonio.Feitosa]
  • From: "Toninho" <Feitosa_Neto_A_R@xxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 01:23:46 -0200
  • Importance: Normal

I am trying to link 3 very small LANs using 2 tunnels under OpenVPN
2.0.5 over the Internet.
I am not a networking specialist, but I have been reading posts,
the man page, and howtos, and I still have problems.

A present case:

I am trying to link 2 LANS: 

192.168.90.0/24 =================== 192.168.2.0/24
 LINUX RH9                          WINDOWS XP PRO
 OPENVPN 2.0.1                     openvpn 2.0.5

routes at XP with VPN down: (XP portuguese edition)

===========================================================================
Lista de interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 02 44 82 53 e2 ...... Realtek RTL8139/810X Family PCI Fast Ethernet
===========================================================================
===========================================================================
Rotas ativas:
Endereço de rede          Máscara   Ender. gateway       Interface  Custo
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.235   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.2.0    255.255.255.0    192.168.2.235   192.168.2.235   20
    192.168.2.235  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.2.255  255.255.255.255    192.168.2.235   192.168.2.235   20
        224.0.0.0        240.0.0.0    192.168.2.235   192.168.2.235   20
  255.255.255.255  255.255.255.255    192.168.2.235   192.168.2.235   1
Gateway:        192.168.2.1
===========================================================================
Rotas persistentes:
  Nenhuma

Then the VPN is started. Here is the server conf:
============================================================
dev tun
server 10.3.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca /usr/local/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/2.0/keys/server.crt
key /usr/local/openvpn/easy-rsa/2.0/keys/server.key
dh /usr/local/openvpn/easy-rsa/2.0/keys/dh1024.pem
route 192.168.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.90.0 255.255.255.0"
client-config-dir ccd
client-to-client
keepalive 10 120
status openvpn-status.log
log-append openvpn.log
comp-lzo
verb 3
============================================================

client1 file at ccd dir: 
============================================================
iroute 192.168.2.0 255.255.255.0
============================================================

client config at XP box:
============================================================
client
pull
dev tun
dev-node VPN2
proto udp
remote a.b.c.d 1194
nobind
persist-key
persist-tun
ca "C:\\Arquivos de programas\\OpenVPN\\config\\craf_ca.crt"
cert "C:\\Arquivos de programas\\OpenVPN\\config\\craf_client1.crt"
key "C:\\Arquivos de programas\\OpenVPN\\config\\craf_client1.key"
ns-cert-type server
keepalive 10 120

route 192.168.90.0 255.255.255.0

comp-lzo
verb 3
mute 20
log-append client1.log
============================================================

log at linux rh9 server
============================================================
Sat Dec  3 10:28:52 2005 MULTI: multi_create_instance called
Sat Dec  3 10:28:52 2005 x.y.z.t:61503 Re-using SSL/TLS context
Sat Dec  3 10:28:52 2005 x.y.z.t:61503 LZO compression initialized
Sat Dec  3 10:28:52 2005 x.y.z.t:61503 Control Channel MTU parms [
L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Dec  3 10:28:52 2005 x.y.z.t:61503 Data Channel MTU parms [ L:1542
D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Dec  3 10:28:52 2005 x.y.z.t:61503 Local Options hash (VER=V4):
'530fdded'
Sat Dec  3 10:28:52 2005 x.y.z.t:61503 Expected Remote Options hash
(VER=V4): '41690919'
Sat Dec  3 10:28:52 2005 x.y.z.t:61503 TLS: Initial packet from
x.y.z.t:61503, sid=1a9637a5 dc90095b
Sat Dec  3 10:29:04 2005 x.y.z.t:61503 VERIFY OK: depth=1,
/C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/CN=CRAFTECH_CA/emailAddress=toninho@te
mpus.craftech.local
Sat Dec  3 10:29:04 2005 x.y.z.t:61503 VERIFY OK: depth=0,
/C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/OU=clientes/CN=client1/emailAddress=to
ninho@xxxxxxxxxxxxxxxxxxxxx
Sat Dec  3 10:29:06 2005 x.y.z.t:61503 Data Channel Encrypt: Cipher
'BF-CBC' initialized with 128 bit key
Sat Dec  3 10:29:06 2005 x.y.z.t:61503 Data Channel Encrypt: Using 160
bit message hash 'SHA1' for HMAC authentication
Sat Dec  3 10:29:06 2005 x.y.z.t:61503 Data Channel Decrypt: Cipher
'BF-CBC' initialized with 128 bit key
Sat Dec  3 10:29:06 2005 x.y.z.t:61503 Data Channel Decrypt: Using 160
bit message hash 'SHA1' for HMAC authentication
Sat Dec  3 10:29:07 2005 x.y.z.t:61503 Control Channel: TLSv1, cipher
TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Dec  3 10:29:07 2005 x.y.z.t:61503 [client1] Peer Connection
Initiated with x.y.z.t:61503
Sat Dec  3 10:29:07 2005 OPTIONS IMPORT: reading client specific options
from: ccd/client1
Sat Dec  3 10:29:07 2005 MULTI: Learn: 10.3.0.6 -> client1/x.y.z.t:61503
Sat Dec  3 10:29:07 2005 MULTI: primary virtual IP for
client1/x.y.z.t:61503: 10.3.0.6
Sat Dec  3 10:29:07 2005 MULTI: internal route 192.168.2.0/24 ->
client1/x.y.z.t:61503
Sat Dec  3 10:29:07 2005 MULTI: Learn: 192.168.2.0/24 ->
client1/x.y.z.t:61503
Sat Dec  3 10:29:07 2005 REMOVE PUSH ROUTE: 'route 192.168.2.0
255.255.255.0'
Sat Dec  3 10:29:08 2005 client1/x.y.z.t:61503 PUSH: Received control
message: 'PUSH_REQUEST'
Sat Dec  3 10:29:08 2005 client1/x.y.z.t:61503 SENT CONTROL [client1]:
'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.3.0.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.3.0.6 10.3.0.5'
(status=1)
============================================================

log at XP BOX
============================================================
Sat Dec 03 10:28:43 2005 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on
Nov  2 2005
Sat Dec 03 10:28:43 2005 IMPORTANT: OpenVPN's default port number is now
1194, based on an official port number assignment by IANA.  OpenVPN
2.0-beta16 and earlier used 5000 as the default port.
Sat Dec 03 10:28:43 2005 LZO compression initialized
Sat Dec 03 10:28:43 2005 Control Channel MTU parms [ L:1542 D:138 EF:38
EB:0 ET:0 EL:0 ]
Sat Dec 03 10:28:43 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:135 ET:0 EL:0 AF:3/1 ]
Sat Dec 03 10:28:43 2005 Local Options hash (VER=V4): '41690919'
Sat Dec 03 10:28:43 2005 Expected Remote Options hash (VER=V4):
'530fdded'
Sat Dec 03 10:28:43 2005 UDPv4 link local: [undef]
Sat Dec 03 10:28:43 2005 UDPv4 link remote: 200.206.208.155:1194
Sat Dec 03 10:28:44 2005 TLS: Initial packet from 200.206.208.155:1194,
sid=71c25f36 972f4360
Sat Dec 03 10:28:47 2005 VERIFY OK: depth=1,
/C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/CN=CRAFTECH_CA/emailAddress=toninho@te
mpus.craftech.local
Sat Dec 03 10:28:47 2005 VERIFY OK: nsCertType=SERVER
Sat Dec 03 10:28:47 2005 VERIFY OK: depth=0,
/C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/OU=teste/CN=server/emailAddress=toninh
o@xxxxxxxxxxxxxxxxxxxxx
Sat Dec 03 10:28:58 2005 Data Channel Encrypt: Cipher 'BF-CBC'
initialized with 128 bit key
Sat Dec 03 10:28:58 2005 Data Channel Encrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Sat Dec 03 10:28:58 2005 Data Channel Decrypt: Cipher 'BF-CBC'
initialized with 128 bit key
Sat Dec 03 10:28:58 2005 Data Channel Decrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Sat Dec 03 10:28:58 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Dec 03 10:28:58 2005 [server] Peer Connection Initiated with
200.206.208.155:1194
Sat Dec 03 10:28:59 2005 SENT CONTROL [server]: 'PUSH_REQUEST'
(status=1)
Sat Dec 03 10:29:00 2005 PUSH: Received control message:
'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.3.0.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.3.0.6 10.3.0.5'
Sat Dec 03 10:29:00 2005 OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 03 10:29:00 2005 OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 03 10:29:00 2005 OPTIONS IMPORT: route options modified
Sat Dec 03 10:29:00 2005 TAP-WIN32 device [VPN2] opened:
\\.\Global\{6274C47A-E4EA-4E96-B887-09FB9FF5A13B}.tap
Sat Dec 03 10:29:00 2005 TAP-Win32 Driver Version 8.1 
Sat Dec 03 10:29:00 2005 TAP-Win32 MTU=1500
Sat Dec 03 10:29:00 2005 Notified TAP-Win32 driver to set a DHCP
IP/netmask of 10.3.0.6/255.255.255.252 on interface
{6274C47A-E4EA-4E96-B887-09FB9FF5A13B} [DHCP-serv: 10.3.0.5, lease-time:
31536000]
Sat Dec 03 10:29:00 2005 Successful ARP Flush on interface [196611]
{6274C47A-E4EA-4E96-B887-09FB9FF5A13B}
Sat Dec 03 10:29:00 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0
u/d=down
Sat Dec 03 10:29:00 2005 Route: Waiting for TUN/TAP interface to come
up...
Sat Dec 03 10:29:01 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0
u/d=down
Sat Dec 03 10:29:01 2005 Route: Waiting for TUN/TAP interface to come
up...
Sat Dec 03 10:29:02 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0
u/d=down
Sat Dec 03 10:29:02 2005 Route: Waiting for TUN/TAP interface to come
up...
Sat Dec 03 10:29:03 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0
u/d=down
Sat Dec 03 10:29:03 2005 Route: Waiting for TUN/TAP interface to come
up...
Sat Dec 03 10:29:04 2005 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0
u/d=up
Sat Dec 03 10:29:04 2005 route ADD 192.168.90.0 MASK 255.255.255.0
10.3.0.5
Sat Dec 03 10:29:04 2005 Route addition via IPAPI succeeded
Sat Dec 03 10:29:04 2005 route ADD 192.168.90.0 MASK 255.255.255.0
10.3.0.5
Sat Dec 03 10:29:04 2005 Route addition via IPAPI succeeded
Sat Dec 03 10:29:04 2005 route ADD 10.3.0.0 MASK 255.255.255.0 10.3.0.5
Sat Dec 03 10:29:04 2005 Route addition via IPAPI succeeded
Sat Dec 03 10:29:04 2005 Initialization Sequence Completed

THEN a route print at the XP BOX with the VPN UP:
===========================================================================
Lista de interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 02 44 82 53 e2 ...... Realtek RTL8139/810X Family PCI Fast Ethernet NIC
0x30003 ...00 ff 62 74 c4 7a ...... TAP-Win32 Adapter V8 #2
===========================================================================
===========================================================================
Rotas ativas:
Endereço de rede          Máscara   Ender. gateway       Interface  Custo
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.235   20
         10.3.0.0    255.255.255.0         10.3.0.5        10.3.0.6   1
         10.3.0.4  255.255.255.252         10.3.0.6        10.3.0.6   30
         10.3.0.6  255.255.255.255        127.0.0.1       127.0.0.1   30
   10.255.255.255  255.255.255.255         10.3.0.6        10.3.0.6   30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.2.0    255.255.255.0    192.168.2.235   192.168.2.235   20
    192.168.2.235  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.2.255  255.255.255.255    192.168.2.235   192.168.2.235   20
     192.168.90.0    255.255.255.0         10.3.0.5        10.3.0.6   1
        224.0.0.0        240.0.0.0         10.3.0.6        10.3.0.6   30
        224.0.0.0        240.0.0.0    192.168.2.235   192.168.2.235   20
  255.255.255.255  255.255.255.255         10.3.0.6        10.3.0.6   1
  255.255.255.255  255.255.255.255    192.168.2.235   192.168.2.235   1
Gateway padrão:        192.168.2.1
===========================================================================
Rotas persistentes:
  Nenhuma

AND the routing table at the linux box:
===========================================================================
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     10.3.0.2        255.255.255.0   UG    0      0        0 tun0
10.3.0.0        10.3.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.90.0    *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.90.1    0.0.0.0         UG    0      0        0 eth1
===========================================================================


What I do not understand:
I can ping the gateway at the other side of the LAN, both sides, at
their 192.168.x addresses.
The multi-client server VPN should give the server the very first address of
the server-config range, in this case 10.3.0.1, as the server address.
In fact I can ping the 10.3.0.1 address from the XP box at 10.3.0.6,
and I can ping the XP box at 10.3.0.6 from the Linux box at 10.3.0.1.
But what about the 10.3.0.5 would-be address of the tunnel at the Linux
side?
And the 10.3.0.2 end of the tunnel I see in the routing table of the
Linux box?

The routing does not work. I do not understand the multi-server option:
I know that I am missing something, but I expected the server to be at
10.3.0.1 for all clients. And the tunnels use only /30 subnets...

Could someone please help me to see this the right way?

TIA
Antonio




____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
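The addresses Antonio is puzzled by (10.3.0.1, 10.3.0.2, 10.3.0.5, 10.3.0.6) all come from the way OpenVPN 2.0 expands the `server` directive in its default "net30" topology: the server's own tun takes the first /30 of the range (local 10.3.0.1, peer 10.3.0.2), and every client is handed its own /30 from a pool that starts at 10.3.0.4, so the first client gets local 10.3.0.6 with peer 10.3.0.5. The .2 and .5 addresses are only the far ends of those point-to-point links; no host answers on them, which is why pinging 10.3.0.5 tells you nothing. The server log's `REMOVE PUSH ROUTE` line is the other piece: a pushed route that matches the client's own `iroute` is dropped before the `PUSH_REPLY` is sent, so the client does not route its own LAN back into the tunnel. The Python below is an added example that models this bookkeeping; it is not OpenVPN's code, the function names are its own, and its inputs are the `server`, `push` and `iroute` lines from the configs posted above.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed model (added example, not OpenVPN code) of the address and route
# bookkeeping OpenVPN 2.0 does for "server NETWORK NETMASK" in its default
# net30 topology. Inputs mirror the server.conf and ccd/client1 posted in
# the thread; the function names are this example's own.


def expand_server_directive(network: str, netmask: str) -> Dict[str, str]:
    """Pieces OpenVPN 2.0 derives from 'server NETWORK NETMASK' (net30).

    The server's own tun takes the first /30 of the range: local .1, peer .2.
    Clients are served from an ifconfig-pool that starts at the next /30 (.4)
    and ends four addresses below the broadcast (.251 for a /24).
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    bcast = int(net.broadcast_address)
    return {
        "server_local": str(ipaddress.IPv4Address(base + 1)),
        "server_remote": str(ipaddress.IPv4Address(base + 2)),
        "pool_start": str(ipaddress.IPv4Address(base + 4)),
        "pool_end": str(ipaddress.IPv4Address(bcast - 4)),
        # The server also pushes a route for the whole VPN range so clients
        # can reach the server side (.1) and, with client-to-client, each other.
        "server_push_route": f"route {network} {netmask}",
    }


def client_endpoints(pool_start: str, index: int) -> Tuple[str, str]:
    """Local/peer pair handed to the index-th client from the /30 pool.

    Each client gets its own /30: local = base + 2, peer = base + 1. The peer
    address (.5 for the first client) is just the far end of that client's
    point-to-point link; nothing actually answers on it.
    """
    base = int(ipaddress.IPv4Address(pool_start)) + 4 * index
    return (str(ipaddress.IPv4Address(base + 2)),
            str(ipaddress.IPv4Address(base + 1)))


def _to_network(route: str) -> ipaddress.IPv4Network:
    """'route NET MASK' or 'iroute NET MASK' -> IPv4Network."""
    _, net, mask = route.split()
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=True)


def build_push_reply(user_pushes: List[str], server_push_route: str,
                     iroutes: List[str],
                     client_ifconfig: Tuple[str, str]) -> Dict[str, List[str]]:
    """Routes the server actually sends to one client.

    A pushed route whose destination equals one of the client's own iroutes is
    dropped (the server logs 'REMOVE PUSH ROUTE' for it): that subnet sits
    behind the client, so pushing it back would route the client's own LAN
    into the tunnel. User pushes come first, then the route derived from
    the server directive, which is the order the posted PUSH_REPLY shows.
    """
    owned = {_to_network(r) for r in iroutes}
    kept: List[str] = []
    removed: List[str] = []
    for route in user_pushes + [server_push_route]:
        (removed if _to_network(route) in owned else kept).append(route)
    local, peer = client_ifconfig
    return {"routes": kept, "removed": removed,
            "ifconfig": [f"ifconfig {local} {peer}"]}


def reply_for_client1() -> Dict[str, List[str]]:
    """Reproduce the PUSH_REPLY the posted server log shows for client1."""
    srv = expand_server_directive("10.3.0.0", "255.255.255.0")
    first_client = client_endpoints(srv["pool_start"], 0)  # 10.3.0.6 / 10.3.0.5
    return build_push_reply(
        user_pushes=["route 192.168.2.0 255.255.255.0",
                     "route 192.168.90.0 255.255.255.0"],
        server_push_route=srv["server_push_route"],
        iroutes=["iroute 192.168.2.0 255.255.255.0"],  # contents of ccd/client1
        client_ifconfig=first_client,
    )


if __name__ == "__main__":
    srv = expand_server_directive("10.3.0.0", "255.255.255.0")
    print("server tun :", srv["server_local"], "<->", srv["server_remote"])
    for i in range(3):
        local, peer = client_endpoints(srv["pool_start"], i)
        print(f"client #{i + 1}: {local} <-> {peer}")
    print("client1 PUSH_REPLY:", reply_for_client1())
```

Running it prints the server pair 10.3.0.1/10.3.0.2, then 10.3.0.6/10.3.0.5, 10.3.0.10/10.3.0.9 and 10.3.0.14/10.3.0.13 for the first three clients, and for client1 the kept routes 192.168.90.0/24 and 10.3.0.0/24 with 192.168.2.0/24 listed as removed, matching the `PUSH_REPLY` and `REMOVE PUSH ROUTE` lines in the posted server log. The Linux kernel route `192.168.2.0 via 10.3.0.2 dev tun0` only has to get packets into tun0; OpenVPN then picks the client from its own table, which the log shows being built by the `MULTI: Learn: 192.168.2.0/24 -> client1` line.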

