Good day, I have just ventured into OpenVPN territory and have a connection working; however, any resources I try to access are not working. This is a long post due to config and log info.

Setup:
- Linux firewall/VPN server (CentOS 4.4, latest patches)
- openvpn-2.0.7
- Win XP SP2 client, using the GUI installer from openvpn.se

Server config file (trimmed to uncommented config for length; all other things are commented out, assuming defaults):

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.90.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3

Client config file (trimmed to uncommented config for length; all other things are commented out, assuming defaults):

client
dev tun
dev-node vpn
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca c:\\vpn\\ca.crt
cert c:\\vpn\\client.crt
key c:\\vpn\\client.key
comp-lzo
verb 3

I then start the VPN server with:

openvpn server.conf

Wed Dec 6 16:03:48 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Dec 6 16:03:48 2006 Diffie-Hellman initialized with 1024 bit key
Wed Dec 6 16:03:48 2006 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:03:48 2006 TUN/TAP device tun0 opened
Wed Dec 6 16:03:48 2006 /sbin/ip link set dev tun0 up mtu 1500
Wed Dec 6 16:03:48 2006 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 6 16:03:48 2006 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 6 16:03:48 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:03:48 2006 GID set to nobody
Wed Dec 6 16:03:48 2006 UID set to nobody
Wed Dec 6 16:03:48 2006 UDPv4 link local (bound): [undef]:1194
Wed Dec 6 16:03:48 2006 UDPv4 link remote: [undef]
Wed Dec 6 16:03:48 2006 MULTI: multi_init called, r=256 v=256
Wed Dec 6 16:03:48 2006 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 6 16:03:48 2006 IFCONFIG POOL LIST
Wed Dec 6 16:03:48 2006 dkrysak,10.8.0.4
Wed Dec 6 16:03:48 2006 Initialization Sequence Completed

Which looks OK to me. Then I connect the client by:

openvpn client.ovpn

Wed Dec 06 16:44:32 2006 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Dec 06 16:44:32 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Dec 06 16:44:32 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Dec 06 16:44:32 2006 LZO compression initialized
Wed Dec 06 16:44:32 2006 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 06 16:44:32 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 06 16:44:32 2006 Local Options hash (VER=V4): '41690919'
Wed Dec 06 16:44:32 2006 Expected Remote Options hash (VER=V4): '530fdded'
Wed Dec 06 16:44:32 2006 UDPv4 link local: [undef]
Wed Dec 06 16:44:32 2006 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Wed Dec 06 16:44:32 2006 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=1d523b5f 31ebc4ac
Wed Dec 06 16:44:32 2006 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxxx/OU=IT/emailAddress=support@xxxxxxxxx
Wed Dec 06 16:44:32 2006 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxxxx/OU=IT/CN=server/emailAddress=support@xxxxxxxxx
Wed Dec 06 16:44:32 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 06 16:44:32 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 06 16:44:32 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 06 16:44:32 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 06 16:44:32 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 06 16:44:32 2006 [server] Peer Connection Initiated with 204.244.249.170:1194
Wed Dec 06 16:44:33 2006 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Dec 06 16:44:33 2006 PUSH: Received control message: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Dec 06 16:44:33 2006 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 06 16:44:33 2006 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 06 16:44:33 2006 OPTIONS IMPORT: route options modified
Wed Dec 06 16:44:33 2006 TAP-WIN32 device [vpn] opened: \\.\Global\{676A55EB-21B7-426A-95DA-D2C2024B5A95}.tap
Wed Dec 06 16:44:33 2006 TAP-Win32 Driver Version 8.4
Wed Dec 06 16:44:33 2006 TAP-Win32 MTU=1500
Wed Dec 06 16:44:33 2006 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {676A55EB-21B7-426A-95DA-D2C2024B5A95} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Dec 06 16:44:33 2006 Successful ARP Flush on interface [65540] {676A55EB-21B7-426A-95DA-D2C2024B5A95}
Wed Dec 06 16:44:33 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:33 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:35 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:35 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:36 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:36 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:37 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:37 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:38 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:38 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:40 2006 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Dec 06 16:44:40 2006 route ADD 192.168.90.0 MASK 255.255.255.0 10.8.0.5
Wed Dec 06 16:44:40 2006 Route addition via IPAPI succeeded
Wed Dec 06 16:44:40 2006 route ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Dec 06 16:44:40 2006 Route addition via IPAPI succeeded
Wed Dec 06 16:44:40 2006 Initialization Sequence Completed

That too looks good to me. Now, server side, it had appended to the console:

Wed Dec 6 16:05:11 2006 MULTI: multi_create_instance called
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Re-using SSL/TLS context
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 LZO compression initialized
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Local Options hash (VER=V4): '530fdded'
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 TLS: Initial packet from xxx.xxx.xxx.xxx:1250, sid=6d52a90f f29e6e6c
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxx/OU=IT/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxx/CN=dkrysak/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 [dkrysak] Peer Connection Initiated with xxx.xxx.xxx.xxx:1250
Wed Dec 6 16:05:11 2006 dkrysak/xxx.xxx.xxx.xxx:1250 MULTI: Learn: 10.8.0.6 -> dkrysak/xxx.xxx.xxx.xxx:1250
Wed Dec 6 16:05:11 2006 dkrysak/xxx.xxx.xxx.xxx:1250 MULTI: primary virtual IP for dkrysak/xxx.xxx.xxx.xxx:1250: 10.8.0.6
Wed Dec 6 16:05:12 2006 dkrysak/xxx.xxx.xxx.xxx:1250 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 6 16:05:12 2006 dkrysak/xxx.xxx.xxx.xxx:1250 SENT CONTROL [dkrysak]: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Wed Dec 6 16:05:22 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:32 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:42 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:53 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:53 2006 MULTI: multi_create_instance called
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Re-using SSL/TLS context
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 LZO compression initialized
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Local Options hash (VER=V4): '530fdded'
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 TLS: Initial packet from xxx.xxx.xxx.xxx:1268, sid=30b1de58 5efd5dfe
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxx/OU=IT/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxxx/CN=dkrysak/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 [dkrysak] Peer Connection Initiated with xxx.xxx.xxx.xxx:1268
Wed Dec 6 16:05:54 2006 MULTI: new connection by client 'dkrysak' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Dec 6 16:05:54 2006 MULTI: Learn: 10.8.0.6 -> dkrysak/xxx.xxx.xxx.xxx:1268
Wed Dec 6 16:05:54 2006 MULTI: primary virtual IP for dkrysak/xxx.xxx.xxx.xxx:1268: 10.8.0.6
Wed Dec 6 16:05:55 2006 dkrysak/xxx.xxx.xxx.xxx:1268 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 6 16:05:55 2006 dkrysak/xxx.xxx.xxx.xxx:1268 SENT CONTROL [dkrysak]: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Wed Dec 6 16:06:25 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:06:28 2006 MULTI: multi_create_instance called
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Re-using SSL/TLS context
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 LZO compression initialized
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Local Options hash (VER=V4): '530fdded'
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 TLS: Initial packet from xxx.xxx.xxx.xxx:1286, sid=89604526 10af2dd1
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxxx/OU=IT/emailAddress=support@xxxxxxxxxx
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxxxx/CN=dkrysak/emailAddress=support@xxxxxxxxxx
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 [dkrysak] Peer Connection Initiated with xxx.xxx.xxx.xxx:1286
Wed Dec 6 16:06:29 2006 MULTI: new connection by client 'dkrysak' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Dec 6 16:06:29 2006 MULTI: Learn: 10.8.0.6 -> dkrysak/xxx.xxx.xxx.xxx:1286
Wed Dec 6 16:06:29 2006 MULTI: primary virtual IP for dkrysak/xxx.xxx.xxx.xxx:1286: 10.8.0.6
Wed Dec 6 16:06:30 2006 dkrysak/xxx.xxx.xxx.xxx:1286 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 6 16:06:30 2006 dkrysak/xxx.xxx.xxx.xxx:1286 SENT CONTROL [dkrysak]: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Now if I try to ping the VPN server from the client, it just times out. And obviously if I try to access resources on my 192.168.90.0 network, it is no go. For example, I just tried to access a share on a Win2k3 server, \\192.168.90.xxx. Then the following is appended to the console:

Wed Dec 6 16:12:12 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:15 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:21 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:55 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:58 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:13:04 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped

Any ideas? I apologize for the VERY long post... But any ideas?

Dustin

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
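An added triage script, not part of Dustin's post or of OpenVPN, that parses OpenVPN 2.0 server console lines like the ones quoted above: it records the tunnel IP the server learned for each client session from "MULTI: Learn", counts "bad source address from client" drops per session and source address, and counts the UDP ECONNREFUSED reads. The sample log is constructed to mirror the post, with 203.0.113.10 standing in for the masked client address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the server console lines quoted in the post;
# 203.0.113.10 is a documentation placeholder for the masked client address.
SAMPLE_LOG = """\
Wed Dec 6 16:06:29 2006 MULTI: Learn: 10.8.0.6 -> dkrysak/203.0.113.10:1286
Wed Dec 6 16:06:29 2006 MULTI: primary virtual IP for dkrysak/203.0.113.10:1286: 10.8.0.6
Wed Dec 6 16:06:30 2006 dkrysak/203.0.113.10:1286 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 6 16:06:35 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:12:12 2006 dkrysak/203.0.113.10:1286 MULTI: bad source address from client [ 192.168.1.77], packet dropped
Wed Dec 6 16:12:15 2006 dkrysak/203.0.113.10:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
"""

LEARN = re.compile(r"MULTI: Learn: ([\d.]+) -> (\S+)$")
BAD_SRC = re.compile(r"\d{4} (\S+) MULTI: bad source address from client \[\s*([\d.]+)\s*\]")
REFUSED = "read UDPv4 [ECONNREFUSED]"

def triage(log_text):
    """Correlate learned tunnel IPs with dropped-packet and ECONNREFUSED lines."""
    virtual_ips = {}                    # session -> tunnel IP the server learned
    bad_sources = defaultdict(Counter)  # session -> Counter of offending source IPs
    refused = 0
    for line in log_text.splitlines():
        m = LEARN.search(line)
        if m:
            virtual_ips[m.group(2)] = m.group(1)
            continue
        m = BAD_SRC.search(line)
        if m:
            bad_sources[m.group(1)][m.group(2)] += 1
            continue
        if REFUSED in line:
            refused += 1
    findings = []
    for session, srcs in bad_sources.items():
        tun_ip = virtual_ips.get(session, "unknown")
        for src, n in srcs.items():
            # The server only accepts a client's tunnel IP or subnets given by iroute;
            # anything else (here a LAN address) is dropped before it is routed.
            findings.append(f"{session}: {n} packet(s) dropped, source {src} is neither the "
                            f"learned tunnel IP {tun_ip} nor covered by an iroute for this client")
    if refused:
        # ECONNREFUSED on a UDP socket means an ICMP port-unreachable came back for a
        # send, i.e. the peer process was gone or its port was blocked at that moment.
        findings.append(f"{refused} ECONNREFUSED read(s) on the UDP socket: the peer's port "
                        f"was closed or filtered when the server sent to it")
    return {"virtual_ips": virtual_ips, "bad_sources": bad_sources,
            "econnrefused": refused, "findings": findings}
```

Run against a real server log, the first finding pairs the dropped source address with the tunnel IP the server expects for that session, which is the mismatch to resolve on the client's routing side or, for a client-side subnet that should be reachable, with a ccd iroute entry.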