
Re: [Openvpn-users] Re: openvpn and ccd


  • Subject: Re: [Openvpn-users] Re: openvpn and ccd
  • From: "BlaaT 0001" <blaat0001@xxxxxxxxx>
  • Date: Thu, 13 Apr 2006 15:39:54 +0200

Hello Pierre,

I've put some comments in your previous message.

On 4/13/06, Pierre LEONARD <pier.leonard@xxxxxxx> wrote:
> Pierre LEONARD wrote:
>
> > Hello,
> > I'm a French student and I work on OpenVPN during my training period.
> >
> > In fact I have two problems, but maybe they are the same...
> >
> > I would like to use a tunnel with a tun interface in routed mode.
> > I generate my certificate, the authentication is successful and
> > the connection is established.
> >
> > The logs are the following on the server side:
> > ********************************************************************************************************
> >
> > <client public ip>:33743 [nomade.test.pierre] Peer Connection
> > Initiated with <client public ip>:33743
> > nomade.test.pierre/<client public ip>:33743 MULTI: no dynamic or
> > static remote --ifconfig address is available for
> > nomade.test.pierre/<client public ip>:33743
> > nomade.test.pierre/<client public ip>:33743 PUSH: Received control
> > message: 'PUSH_REQUEST'
> > nomade.test.pierre/<client public ip>:33743 SENT CONTROL
> > [nomade.test.pierre]: 'PUSH_REPLY,ifconfig 192.168.1.2
> > 192.168.1.1,route 192.168.1.0 255.255.255.0,ping 10,ping-restart 120'
> > (status=1)
> > ********************************************************************************************************
> >
> > And the initialization sequence completes without error on
> > the client side.
> >
> >
> > But with the following configuration I cannot ping the server from the
> > client; I get this message on the server side:
> > *********************************************************************************************************
> >
> > nomade.test.pierre/<client public ip>:33743 MULTI: bad source address
> > from client [192.168.1.2], packet dropped
> > *********************************************************************************************************
> >
> > I don't understand why, because the tun interfaces are OK on both sides.
> >
> >
> > My configuration for the server is:
> > *********************************************************************************************************
> >
> > local <server public ip>
> > port 1194
> > proto udp
> > dev tun
> > mode server

--server network netmask
    A helper directive designed to simplify the configuration of
OpenVPN's server mode. This directive will set up an OpenVPN server
which will allocate addresses to clients out of the given
network/netmask. The server itself will take the ".1" address of the
given network for use as the server-side endpoint of the local TUN/TAP
interface.

    For example, --server 10.8.0.0 255.255.255.0 expands as follows:

         mode server
         tls-server

         if dev tun:
           ifconfig 10.8.0.1 10.8.0.2
           ifconfig-pool 10.8.0.4 10.8.0.251
           route 10.8.0.0 255.255.255.0
           if client-to-client:
             push "route 10.8.0.0 255.255.255.0"
           else
             push "route 10.8.0.1"

         if dev tap:
           ifconfig 10.8.0.1 255.255.255.0
           ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
           push "route-gateway 10.8.0.1"

This pretty much means you can configure the IP of the server much more easily with:

server 192.168.1.0 255.255.255.0

That's it.

##> > tls-server
The server directive obsoletes the tls-server directive; you can
remove it from your server config.


> > tun-mtu 1500
> > mssfix
> >
> > persist-key
> > persist-tun
> > ca .../cacert.pem
> > cert .../vpn.pierre.crt
> > key .../vpn.pierre.key
> > dh .../dh1024.pem
> >
##> > ifconfig 192.168.1.1 192.168.1.2
You don't need this anymore. Remove it from your config file.

##> > route 192.168.1.0 255.255.255.0
##> > push "ifconfig 192.168.1.2 192.168.1.1"
##> > push "route 192.168.1.0 255.255.255.0"
You don't need this anymore either; read the man page on the "server"
directive.

> > client-to-client << don't leave this out if you want your vpn clients to see each other
> >
> > keepalive 10 120
> > cipher BF-CBC
> > comp-lzo
> > max-clients 15
> > user nobody
> > group nogroup
> > chroot .../logs
> > status ...logs/status_routed.log
> > log-append ...logs/openvpn_routed.log
> > verb 4
> > ************************************************************************************************************
> >
> >
> > And the client:
> > ************************************************************************************************************
> >
> > client
--client
    A helper directive designed to simplify the configuration of
OpenVPN's client mode. This directive is equivalent to:

         pull
         tls-client




> > dev tun
> > proto udp
> > remote <server public ip> 1194
> > resolv-retry infinite
> > nobind
> >
##> > tls-client
You don't need this due to the "client" directive, you can remove it
from your config.

> > persist-key
> > persist-tun
> > ca .../cacert.pem
> > cert .../nomade1.pierre.crt
> > key .../nomade1.pierre.key
> >
> > keepalive 10 60
> > cipher BF-CBC
> > comp-lzo
> > verb 2
> > mute 5
> > **************************************************************************************************************


> >
> >
> >
> > My second problem, which is maybe linked, is that when I try to use the ccd
> > directory, I get this error on the server:
> > **************************************************************************************************************
> >
> > TLS Auth Error: --client-config-dir authentication failed for common
> > name 'nomade.test.pierre' file='/etc/openvpn/ccd/nomade.test.pierre'
> > **************************************************************************************************************
> >
> >
> > But I specify the "pull" directive on the client,
> > and on the server I specify:
> > ***********************************************
> > chroot /etc/openvpn/ccd # I don't know if necessary
> > client-config-dir /etc/openvpn/ccd
> > ccd-exclusive
> > ***********************************************
> > without "push ifconfig..."

No you don't. You specified:

chroot .../logs in your server config.

If your config files reside in "/etc/openvpn", this would chroot
openvpn into /etc/openvpn/logs or /etc/logs (../ = /etc).

If you specify a CCD dir, then this directory must reside in this
/etc/openvpn/logs directory.

I would recommend creating a directory /etc/openvpn/jail.
In the server config file specify:

chroot /etc/openvpn/jail
client-config-dir ccd
ccd-exclusive

Create a directory /etc/openvpn/jail/ccd and place all your CCD files
in that directory.




> >
> > I hope I'm clear!
> > Who could help me??
> > Thank you for your interest
> >
> Nobody could help me, please?
> I don't find any solution on the web
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>


Good luck and don't forget to post your findings,

Cheers,

BlaaT


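The two points of this reply, the expansion of the "server" helper directive as listed in the man page and why the CCD directory must live inside the chroot jail, as an added Python example that is not code from the thread or from OpenVPN itself; it uses the thread's addresses and common name, takes ".../logs" to mean /etc/openvpn/logs as the reply does, and the host file lists are constructed.

```python
import ipaddress
import posixpath

def expand_server(network, netmask, dev="tun", client_to_client=False):
    """Expand 'server <network> <netmask>' into the directives the man page
    lists: net30 addressing for tun, subnet addressing for tap."""
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    first, last = net.network_address, net.broadcast_address
    out = ["mode server", "tls-server"]
    if dev == "tun":
        out += [f"ifconfig {first + 1} {first + 2}",
                f"ifconfig-pool {first + 4} {last - 4}",
                f"route {first} {net.netmask}"]
        if client_to_client:
            out.append(f'push "route {first} {net.netmask}"')
        else:
            out.append(f'push "route {first + 1}"')
    elif dev == "tap":
        out += [f"ifconfig {first + 1} {net.netmask}",
                f"ifconfig-pool {first + 2} {last - 1} {net.netmask}",
                f'push "route-gateway {first + 1}"']
    else:
        raise ValueError("dev must be tun or tap")
    return out

def ccd_file_on_host(chroot, client_config_dir, common_name):
    """Host path OpenVPN ends up opening for a client's CCD file. The file is
    read when the client connects, i.e. after chroot(), when the jail is '/'
    and so is the working directory: absolute and relative ccd dirs alike
    are resolved inside the jail."""
    if "/" in common_name or common_name in ("", ".", ".."):  # this example's own guard
        raise ValueError("common name must be a plain file name")
    inside = posixpath.normpath(posixpath.join("/", client_config_dir, common_name))
    return posixpath.normpath(posixpath.join(chroot, inside.lstrip("/")))

def ccd_lookup(chroot, client_config_dir, ccd_exclusive, common_name, host_files):
    """Return (host path, client accepted). With ccd-exclusive a missing CCD
    file rejects the client, which is the TLS Auth Error quoted above."""
    path = ccd_file_on_host(chroot, client_config_dir, common_name)
    return path, (path in host_files or not ccd_exclusive)

if __name__ == "__main__":
    cn = "nomade.test.pierre"
    # constructed host file lists: where the admin actually put the CCD file
    print(ccd_lookup("/etc/openvpn/logs", "/etc/openvpn/ccd", True, cn,
                     {"/etc/openvpn/ccd/" + cn}))          # rejected: not in jail
    print(ccd_lookup("/etc/openvpn/jail", "ccd", True, cn,
                     {"/etc/openvpn/jail/ccd/" + cn}))     # accepted
    print("\n".join(expand_server("192.168.1.0", "255.255.255.0")))
```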