Hi,
I'm new to OpenVPN and I already had this problem, and I found my solution in that howto:
Just do that and it will work. You have to use client-config-dir...
Sorry for my English, but I'm French!
Ludovic.
Original Message
Subject: [Openvpn-users] newbie - vpn connected, however resources not accessible (07-Dec-2006 2:40)
Good day. I have just ventured into OpenVPN territory and have a connection working; however, any resources I try to access are not working.
This is a long post due to the config and log info.
Setup:
- linux firewall/vpn server (CentOS 4.4, latest patches)
- openvpn-2.0.7
- win xp sp2 client, using the gui installer from openvpn.se
Server config file (trimmed to uncommented config for length; all other things are commented out, assuming defaults):

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.90.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
Client config file (trimmed to uncommented config for length; all other things are commented out, assuming defaults):

client
dev tun
dev-node vpn
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca c:\\vpn\\ca.crt
cert c:\\vpn\\client.crt
key c:\\vpn\\client.key
comp-lzo
verb 3
I then start the vpn server with: openvpn server.conf
Wed Dec 6 16:03:48 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Wed Dec 6 16:03:48 2006 Diffie-Hellman initialized with 1024 bit key
Wed Dec 6 16:03:48 2006 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:03:48 2006 TUN/TAP device tun0 opened
Wed Dec 6 16:03:48 2006 /sbin/ip link set dev tun0 up mtu 1500
Wed Dec 6 16:03:48 2006 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 6 16:03:48 2006 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 6 16:03:48 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:03:48 2006 GID set to nobody
Wed Dec 6 16:03:48 2006 UID set to nobody
Wed Dec 6 16:03:48 2006 UDPv4 link local (bound): [undef]:1194
Wed Dec 6 16:03:48 2006 UDPv4 link remote: [undef]
Wed Dec 6 16:03:48 2006 MULTI: multi_init called, r=256 v=256
Wed Dec 6 16:03:48 2006 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 6 16:03:48 2006 IFCONFIG POOL LIST
Wed Dec 6 16:03:48 2006 dkrysak,10.8.0.4
Wed Dec 6 16:03:48 2006 Initialization Sequence Completed
Which looks ok to me.
Then I connect the client by: openvpn client.ovpn
Wed Dec 06 16:44:32 2006 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Dec 06 16:44:32 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Dec 06 16:44:32 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Dec 06 16:44:32 2006 LZO compression initialized
Wed Dec 06 16:44:32 2006 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 06 16:44:32 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 06 16:44:32 2006 Local Options hash (VER=V4): '41690919'
Wed Dec 06 16:44:32 2006 Expected Remote Options hash (VER=V4): '530fdded'
Wed Dec 06 16:44:32 2006 UDPv4 link local: [undef]
Wed Dec 06 16:44:32 2006 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Wed Dec 06 16:44:32 2006 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=1d523b5f 31ebc4ac
Wed Dec 06 16:44:32 2006 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxxx/OU=IT/emailAddress=support@xxxxxxxxx
Wed Dec 06 16:44:32 2006 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxxxx/OU=IT/CN=server/emailAddress=support@xxxxxxxxx
Wed Dec 06 16:44:32 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 06 16:44:32 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 06 16:44:32 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 06 16:44:32 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 06 16:44:32 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 06 16:44:32 2006 [server] Peer Connection Initiated with 204.244.249.170:1194
Wed Dec 06 16:44:33 2006 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Dec 06 16:44:33 2006 PUSH: Received control message: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Dec 06 16:44:33 2006 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 06 16:44:33 2006 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 06 16:44:33 2006 OPTIONS IMPORT: route options modified
Wed Dec 06 16:44:33 2006 TAP-WIN32 device [vpn] opened: \\.\Global\{676A55EB-21B7-426A-95DA-D2C2024B5A95}.tap
Wed Dec 06 16:44:33 2006 TAP-Win32 Driver Version 8.4
Wed Dec 06 16:44:33 2006 TAP-Win32 MTU=1500
Wed Dec 06 16:44:33 2006 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {676A55EB-21B7-426A-95DA-D2C2024B5A95} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Dec 06 16:44:33 2006 Successful ARP Flush on interface [65540] {676A55EB-21B7-426A-95DA-D2C2024B5A95}
Wed Dec 06 16:44:33 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:33 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:35 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:35 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:36 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:36 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:37 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:37 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:38 2006 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Wed Dec 06 16:44:38 2006 Route: Waiting for TUN/TAP interface to come up...
Wed Dec 06 16:44:40 2006 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Dec 06 16:44:40 2006 route ADD 192.168.90.0 MASK 255.255.255.0 10.8.0.5
Wed Dec 06 16:44:40 2006 Route addition via IPAPI succeeded
Wed Dec 06 16:44:40 2006 route ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Dec 06 16:44:40 2006 Route addition via IPAPI succeeded
Wed Dec 06 16:44:40 2006 Initialization Sequence Completed
That too looks good to me.
Now, server side, it had appended to the console:
Wed Dec 6 16:05:11 2006 MULTI: multi_create_instance called
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Re-using SSL/TLS context
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 LZO compression initialized
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Local Options hash (VER=V4): '530fdded'
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 TLS: Initial packet from xxx.xxx.xxx.xxx:1250, sid=6d52a90f f29e6e6c
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxx/OU=IT/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxx/CN=dkrysak/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 6 16:05:11 2006 xxx.xxx.xxx.xxx:1250 [dkrysak] Peer Connection Initiated with xxx.xxx.xxx.xxx:1250
Wed Dec 6 16:05:11 2006 dkrysak/xxx.xxx.xxx.xxx:1250 MULTI: Learn: 10.8.0.6 -> dkrysak/xxx.xxx.xxx.xxx:1250
Wed Dec 6 16:05:11 2006 dkrysak/xxx.xxx.xxx.xxx:1250 MULTI: primary virtual IP for dkrysak/xxx.xxx.xxx.xxx:1250: 10.8.0.6
Wed Dec 6 16:05:12 2006 dkrysak/xxx.xxx.xxx.xxx:1250 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 6 16:05:12 2006 dkrysak/xxx.xxx.xxx.xxx:1250 SENT CONTROL [dkrysak]: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Wed Dec 6 16:05:22 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:32 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:42 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:53 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:05:53 2006 MULTI: multi_create_instance called
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Re-using SSL/TLS context
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 LZO compression initialized
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Local Options hash (VER=V4): '530fdded'
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 6 16:05:53 2006 xxx.xxx.xxx.xxx:1268 TLS: Initial packet from xxx.xxx.xxx.xxx:1268, sid=30b1de58 5efd5dfe
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxx/OU=IT/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxxx/CN=dkrysak/emailAddress=support@xxxxxxxxx
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 6 16:05:54 2006 xxx.xxx.xxx.xxx:1268 [dkrysak] Peer Connection Initiated with xxx.xxx.xxx.xxx:1268
Wed Dec 6 16:05:54 2006 MULTI: new connection by client 'dkrysak' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Dec 6 16:05:54 2006 MULTI: Learn: 10.8.0.6 -> dkrysak/xxx.xxx.xxx.xxx:1268
Wed Dec 6 16:05:54 2006 MULTI: primary virtual IP for dkrysak/xxx.xxx.xxx.xxx:1268: 10.8.0.6
Wed Dec 6 16:05:55 2006 dkrysak/xxx.xxx.xxx.xxx:1268 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 6 16:05:55 2006 dkrysak/xxx.xxx.xxx.xxx:1268 SENT CONTROL [dkrysak]: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5 ' (status=1)
Wed Dec 6 16:06:25 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 6 16:06:28 2006 MULTI: multi_create_instance called
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Re-using SSL/TLS context
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 LZO compression initialized
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Local Options hash (VER=V4): '530fdded'
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 6 16:06:28 2006 xxx.xxx.xxx.xxx:1286 TLS: Initial packet from xxx.xxx.xxx.xxx:1286, sid=89604526 10af2dd1
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=xxxxxx/OU=IT/emailAddress=support@xxxxxxxxxx
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 VERIFY OK: depth=0, /C=CA/ST=BC/O=xxxxxx/CN=dkrysak/emailAddress=support@xxxxxxxxxx
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 6 16:06:29 2006 xxx.xxx.xxx.xxx:1286 [dkrysak] Peer Connection Initiated with xxx.xxx.xxx.xxx:1286
Wed Dec 6 16:06:29 2006 MULTI: new connection by client 'dkrysak' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Dec 6 16:06:29 2006 MULTI: Learn: 10.8.0.6 -> dkrysak/xxx.xxx.xxx.xxx:1286
Wed Dec 6 16:06:29 2006 MULTI: primary virtual IP for dkrysak/xxx.xxx.xxx.xxx:1286: 10.8.0.6
Wed Dec 6 16:06:30 2006 dkrysak/xxx.xxx.xxx.xxx:1286 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 6 16:06:30 2006 dkrysak/xxx.xxx.xxx.xxx:1286 SENT CONTROL [dkrysak]: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5 ' (status=1)
Now if I try to ping the vpn server from the client, it just times out. And obviously if I try to access resources on my 192.168.90.0 network, it is no go.
For example, I just tried to access a share on a win2k3 server: \\192.168.90.xxx
Then the following is appended to the console:
Wed Dec 6 16:12:12 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:15 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:21 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:55 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:12:58 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Wed Dec 6 16:13:04 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
Any ideas?
I apologize for the VERY long post....
But any ideas?
Dustin
To: d.k.emaillists@xxxxxxxxx openvpn-users@xxxxxxxxxxxxxxxxxxxxx
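The "bad source address from client [...], packet dropped" lines in Dustin's server console are OpenVPN's server-side anti-spoofing check: the server only forwards tunnel packets whose source address it has tied to that client, either the pool address it assigned or a subnet declared for that client with an iroute in its client-config-dir file, which is the mechanism Ludovic's reply points at. The Python below is an added example, not code from either poster or from OpenVPN, that classifies such dropped packets against the server config and a set of hypothetical ccd files; the config lines and log lines are constructed from the thread.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread (not the poster's files verbatim):
# the relevant server.conf lines and two of the "bad source address" console lines.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
client-config-dir ccd
"""
# Hypothetical per-client files from client-config-dir, keyed by the client's CN.
CCD_FILES = {}
SERVER_LOG = """\
Wed Dec 6 16:12:12 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [ 192.168.1.77], packet dropped
Wed Dec 6 16:12:15 2006 dkrysak/xxx.xxx.xxx.xxx:1286 MULTI: bad source address from client [192.168.1.77], packet dropped
"""

BAD_SRC = re.compile(r"(?P<cn>[^\s/]+)/\S+:\d+ MULTI: bad source address from client \[\s*(?P<ip>[\d.]+)\s*\]")
NET_LINE = re.compile(r"^(server|iroute)\s+([\d.]+)\s+([\d.]+)", re.M)

def networks(text, keyword):
    """Return the subnets declared by 'server' or 'iroute' lines of an OpenVPN config."""
    return [ipaddress.ip_network(f"{net}/{mask}") for kw, net, mask in NET_LINE.findall(text) if kw == keyword]

def bad_source_events(log):
    """Extract (client CN, rejected source IP) from 'bad source address' console lines."""
    return [(m["cn"], m["ip"]) for m in (BAD_SRC.search(line) for line in log.splitlines()) if m]

def diagnose(server_conf, ccd_files, log):
    """Classify each dropped packet: was its source inside the tunnel pool, inside a
    subnet an iroute claims for that client, or an address the server has no reason
    to accept from that client (the case in the thread, fixed with an iroute)?"""
    pool = networks(server_conf, "server")[0]
    verdicts = {}
    for cn, ip in bad_source_events(log):
        addr = ipaddress.ip_address(ip)
        claimed = networks(ccd_files.get(cn, ""), "iroute")
        if addr in pool:
            verdicts[(cn, ip)] = "tunnel pool address not assigned to this client"
        elif any(addr in net for net in claimed):
            verdicts[(cn, ip)] = "claimed by iroute: check server.conf has a matching route and client-config-dir"
        else:
            verdicts[(cn, ip)] = f"unclaimed: add an iroute for this LAN to ccd/{cn}"
    return verdicts

if __name__ == "__main__":
    for (cn, ip), verdict in diagnose(SERVER_CONF, CCD_FILES, SERVER_LOG).items():
        print(f"{cn} {ip}: {verdict}")
```

With an empty ccd directory every drop is reported as unclaimed; adding a ccd file for dkrysak containing an iroute for 192.168.1.0/24 moves the same events to the claimed verdict.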