
Re: [Openvpn-users] one way tunnel -- what am I doing wrong?


  • Subject: Re: [Openvpn-users] one way tunnel -- what am I doing wrong?
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Sat, 30 Jun 2007 02:50:58 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID992LFdHzF0085X28

Todd and Margo Chester wrote:
> openvpn-2.0.9-gui-1.0.3-install
> Win XP-Pro, SP2 (both)
>
> Hi All,
>
>     I am trying to test a tunnel between two
> computers on a local network.  I am trying to
> set the server up as a bridge so that other
> computers on the network can be reached
> by the client.  The server-bridge's IP addresses
> are not in the range used by the DHCP server.
>   

This won't work.  First of all, you cannot test the VPN with a client
computer on the same LAN as the destination VPN bridge, because then you
have 2 identical networks and the VPN won't work without the physical
network (which won't be reachable because the client will think the VPN
is how to access that network).  Second, it looks like you might have the
same problem on your server, which I'll go into in detail below.

>     The server's OpenVPN-GUI monitors turn
> green and state that they are connected.
>
>     The client's OpenVPN-GUI monitors turn
> yellow and stay that way.  I have a pass phrase
> in my client's certificate and OpenVPN-GUI
> asks for it.
>
>     I have double checked my personal firewall
> and they are configured correctly.  XP's
> firewall is off.  AND, I have tested it with
> both firewalls turned OFF.
>
>     What am I doing wrong?  I have added
> my server.ovpn, client.ovpn, and client log
> to the bottom of this posting.
>
> Many thanks,
> -T
>
> ~~~~~~~~~~~~ client log~~~~~~~~~~~~~~~~~~
> Fri Jun 29 18:50:56 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on 
> Oct  1 2006
> Fri Jun 29 18:50:56 2007 IMPORTANT: OpenVPN's default port number is now 
> 1194, based on an official port number assignment by IANA.  OpenVPN 
> 2.0-beta16 and earlier used 5000 as the default port.
> Fri Jun 29 18:51:00 2007 LZO compression initialized
> Fri Jun 29 18:51:00 2007 Control Channel MTU parms [ L:1574 D:138 EF:38 
> EB:0 ET:0 EL:0 ]
> Fri Jun 29 18:51:00 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 
> EB:135 ET:32 EL:0 AF:3/1 ]
> Fri Jun 29 18:51:00 2007 Local Options hash (VER=V4): 'd79ca330'
> Fri Jun 29 18:51:00 2007 Expected Remote Options hash (VER=V4): 'f7df56b8'
> Fri Jun 29 18:51:00 2007 UDPv4 link local: [undef]
> Fri Jun 29 18:51:00 2007 UDPv4 link remote: 192.168.123.20:5020
> Fri Jun 29 18:52:01 2007 TLS Error: TLS key negotiation failed to occur 
> within 60 seconds (check your network connectivity)
> Fri Jun 29 18:52:01 2007 TLS Error: TLS handshake failed
> Fri Jun 29 18:52:01 2007 TCP/UDP: Closing socket
> Fri Jun 29 18:52:01 2007 SIGUSR1[soft,tls-error] received, process 
> restarting
> Fri Jun 29 18:52:01 2007 Restart pause, 2 second(s)
> Fri Jun 29 18:52:03 2007 IMPORTANT: OpenVPN's default port number is now 
> 1194, based on an official port number assignment by IANA.  OpenVPN 
> 2.0-beta16 and earlier used 5000 as the default port.
> Fri Jun 29 18:52:03 2007 Re-using SSL/TLS context
> Fri Jun 29 18:52:03 2007 LZO compression initialized
> Fri Jun 29 18:52:03 2007 Control Channel MTU parms [ L:1574 D:138 EF:38 
> EB:0 ET:0 EL:0 ]
> Fri Jun 29 18:52:03 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 
> EB:135 ET:32 EL:0 AF:3/1 ]
> Fri Jun 29 18:52:03 2007 Local Options hash (VER=V4): 'd79ca330'
> Fri Jun 29 18:52:03 2007 Expected Remote Options hash (VER=V4): 'f7df56b8'
> Fri Jun 29 18:52:03 2007 UDPv4 link local: [undef]
> Fri Jun 29 18:52:03 2007 UDPv4 link remote: 192.168.123.20:5020
>
>
> ~~~~~~~~~~~~client.ovpn~~~~~~~~~~~~~~~~
> remote 192.168.123.20 5020
> client
> dev tap
> proto udp
> resolv-retry infinite
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> ping 10
> comp-lzo
> verb 3
>
>
> ~~~~~~~~~~~~~server.ovpn~~~~~~~~~~~~~~~~
> float
> port 5020
> proto udp
> dev tap
> ca ca.crt
> cert server.crt
> key server.key
> dh dh1024.pem
> ifconfig-pool-persist ipp.txt
> server-bridge 192.168.123.20 255.255.255.0 192.168.123.50 192.168.123.90
> client-to-client
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> verb 3

It would have been useful if you provided networking details of the
server including the configuration of the physical adapter and any
bridge setup.  Based on the information provided here, it looks like you
may not have actually bridged the tap adapter with a physical adapter,
which is going to cause problems.  In this scenario, the server has 2
identical IP addresses on the same network on 2 separate network
interfaces (the physical interface and the tap interface) and you have
the same problem I described above: the server will be unable to reach
one of the 2 networks, and clients will never be able to connect.

In order to create a bridged setup like your stated goal, you need to
use your operating system's facility to bridge the tap adapter and the
physical interface together to form a logical network adapter that
includes both.  Under Windows XP or higher, you need to select both
interfaces, right-click, and bridge them together.  Then, set the local
IP address on the bridged adapter in the OS, which will be the same IP
you will want to provide in the server-bridge directive in the
configuration file.

-- 
Josh


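The two failure modes Josh describes (the server-bridge gateway address living on the tap and physical adapters separately instead of on a real bridge adapter, and a client sitting on the same LAN as the bridged subnet) are both visible from the server-bridge line plus a list of interface addresses. The script below is an added example and is not code from the thread or from the OpenVPN project; it parses the poster's server.ovpn (copied from the message above) and checks it against two constructed interface tables, one modelling the unbridged layout the symptoms suggest and one modelling the bridge Josh asks for. The interface names, the `kind`/`members` layout and the client addresses are assumptions made for the example.

```python
"""Sanity-check an OpenVPN tap/bridge server layout for the two problems
discussed in the thread: the gateway address on more than one adapter (or
on a non-bridge adapter), and a client whose own LAN overlaps the bridged
subnet.  Added example; not OpenVPN's own tooling."""
import ipaddress
import shlex

# The poster's server.ovpn, copied from the thread (constructed input here).
SERVER_OVPN = """\
float
port 5020
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.123.20 255.255.255.0 192.168.123.50 192.168.123.90
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
"""

# Hypothetical interface tables for the server host (assumed names/layout).
# First: what the symptoms suggest, tap and physical NIC each carry the IP.
UNBRIDGED_HOST = {
    "Local Area Connection": {"kind": "physical", "ip": "192.168.123.20", "members": []},
    "TAP-Win32 Adapter":     {"kind": "tap",      "ip": "192.168.123.20", "members": []},
}
# Second: the layout the reply asks for, one bridge adapter owning the IP.
BRIDGED_HOST = {
    "Local Area Connection": {"kind": "physical", "ip": None, "members": []},
    "TAP-Win32 Adapter":     {"kind": "tap",      "ip": None, "members": []},
    "Network Bridge":        {"kind": "bridge",   "ip": "192.168.123.20",
                              "members": ["Local Area Connection", "TAP-Win32 Adapter"]},
}


def parse_server_bridge(config_text):
    """Return (gateway, netmask, pool_start, pool_end) from the first
    four-argument server-bridge line, or None if the config has none."""
    for raw in config_text.splitlines():
        # OpenVPN treats '#' and ';' as comment leaders.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "server-bridge" and len(parts) == 5:
            return tuple(parts[1:])
    return None


def check_server_bridge(config_text, interfaces):
    """Return a list of problem descriptions; an empty list means the
    addressing looks consistent with a working bridge."""
    sb = parse_server_bridge(config_text)
    if sb is None:
        return ["no four-argument server-bridge directive found"]
    gw, mask, pool_lo, pool_hi = sb
    vpn_net = ipaddress.IPv4Network((gw, mask), strict=False)
    lo, hi = ipaddress.IPv4Address(pool_lo), ipaddress.IPv4Address(pool_hi)
    problems = []
    if lo > hi or lo not in vpn_net or hi not in vpn_net:
        problems.append(f"client pool {pool_lo}-{pool_hi} is not inside {vpn_net}")

    holders = sorted(n for n, i in interfaces.items() if i["ip"] == gw)
    if not holders:
        problems.append(f"gateway {gw} is not assigned to any interface")
        return problems
    if len(holders) > 1:
        # Two adapters with the same address on the same subnet: the host
        # can only reach that subnet through one of them.
        problems.append(f"gateway {gw} is assigned to more than one adapter: {', '.join(holders)}")
        return problems
    owner = interfaces[holders[0]]
    if owner["kind"] != "bridge":
        problems.append(f"gateway {gw} sits on {holders[0]} ({owner['kind']}), not on a bridge adapter")
        return problems
    kinds = {interfaces[m]["kind"] for m in owner["members"]}
    if "tap" not in kinds or "physical" not in kinds:
        problems.append(f"bridge {holders[0]} does not join a tap adapter with a physical one")
    for name in owner["members"]:
        if interfaces[name]["ip"] is not None:
            problems.append(f"bridge member {name} still has its own address {interfaces[name]['ip']}")
    return problems


def client_lan_overlaps(config_text, client_ip, client_netmask):
    """True when the client's own LAN overlaps the bridged subnet, i.e. the
    client would have two paths to the same network."""
    sb = parse_server_bridge(config_text)
    if sb is None:
        raise ValueError("config has no server-bridge directive")
    vpn_net = ipaddress.IPv4Network((sb[0], sb[1]), strict=False)
    client_net = ipaddress.IPv4Network((client_ip, client_netmask), strict=False)
    return vpn_net.overlaps(client_net)


if __name__ == "__main__":
    for label, hosts in (("unbridged", UNBRIDGED_HOST), ("bridged", BRIDGED_HOST)):
        print(label, check_server_bridge(SERVER_OVPN, hosts) or "ok")
    print("client on same LAN:", client_lan_overlaps(SERVER_OVPN, "192.168.123.31", "255.255.255.0"))
    print("client on remote LAN:", client_lan_overlaps(SERVER_OVPN, "10.0.0.5", "255.255.255.0"))
```

On a real host the interface table would come from `ipconfig /all` (Windows) or `ip addr` (Linux) rather than the constructed dicts; the checks themselves do not change. The first check flags the duplicate-address layout, the second accepts the bridged one, and the overlap check reports True for a client at 192.168.123.31/24 and False for one on a different subnet.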