Gert Koning wrote:
Hi all,
I have been struggling for days now to get a straightforward openvpn
client setup to work - to no avail. I am trying to connect to our office
where they run an openvpn server. Different colleagues successfully connect
to the office this way.
I am running Ubuntu 7.04 with kernel 2.6.20-16-generic on a laptop,
connected wireless (device eth1) to a DSL modem. IP address is provided by
DHCP and is mostly 192.168.1.102. The internal network at the office is
in the 10.12.0.0 range.
This is my openvpn configuration, supplied by our network guys:
client
nobind
proto udp
dev tun
remote <ip address of our server>
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client19.crt
key /etc/openvpn/client19.key
ns-cert-type server
tls-remote office
tls-auth ta.key 1
tls-client
route-up "route add -net 10.12.0.0/16 gw `route -n |grep 10.11 | head -n1| awk '{ print$2 }'`"
comp-lzo
keepalive 10 60
daemon
I do have the tun device:
root@sjert-laptop:~# lsmod|grep tun
tun 12032 0
When I start openvpn:
root@sjert-laptop:~# /etc/init.d/openvpn start
Starting virtual private network daemon: clientEnter Private Key Password:
(OK).
So my password is accepted. The daemon is running:
root@sjert-laptop:/etc/openvpn# ps -ef|grep vpn
root 5524 1 0 15:04 ? 00:00:00 /usr/sbin/openvpn --writepid /var/run/openvpn.client.pid --status /var/run/openvpn.client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf
Looking at /var/log/daemon:
Dec 8 15:03:59 sjert-laptop openvpn[5523]: OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 2 2007
Dec 8 15:03:59 sjert-laptop openvpn[5523]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Dec 8 15:04:03 sjert-laptop openvpn[5523]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Dec 8 15:04:03 sjert-laptop openvpn[5523]: LZO compression initialized
Dec 8 15:04:03 sjert-laptop openvpn[5524]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 8 15:04:03 sjert-laptop openvpn[5524]: UDPv4 link local: [undef]
Dec 8 15:04:03 sjert-laptop openvpn[5524]: UDPv4 link remote: 212.45.32.70:1194
So everything looks OK, except it's not working. The tun device is not
shown in ifconfig:
No ..... you can't say everything looks OK. We'll have an 'OK' situation
when OpenVPN really establishes the connection with your server ....
which you would see clearly in your logs. The logs you showed just
show that OpenVPN starts and is running, but that doesn't mean it looks OK.
It's not connecting to the office server, at least this is not shown
in your logs.
The route is clearly not being added because your 'grep 10.11' is
returning nothing; we can see that from the 'route -n' output you provided. But we
can't imagine why it's not connecting if you don't provide full logs.
On a successful connection, you would see something like the following ...
please note the LAST line, which indicates the connection is established.
Sat Dec 08 08:12:12 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sat Dec 08 08:12:12 2007 Control Channel Authentication: using 'chave-tls-auth.key' as a OpenVPN static key file
Sat Dec 08 08:12:12 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:12 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:12 2007 LZO compression initialized
Sat Dec 08 08:12:12 2007 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Dec 08 08:12:12 2007 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Dec 08 08:12:12 2007 Local Options hash (VER=V4): '48527533'
Sat Dec 08 08:12:12 2007 Expected Remote Options hash (VER=V4): '44bd8b5e'
Sat Dec 08 08:12:12 2007 UDPv4 link local: [undef]
Sat Dec 08 08:12:12 2007 UDPv4 link remote: 201.24.133.146:1194
Sat Dec 08 08:12:12 2007 TLS: Initial packet from 201.24.133.146:1194, sid=6f25c713 718db91f
Sat Dec 08 08:12:12 2007 VERIFY OK: depth=1, /C=BR/ST=Goias/L=Goiania/O=Pinheiros_Veiculos_Ltda/CN=CA-Pinauto/emailAddress=root@xxxxxxxxxxxxxx
Sat Dec 08 08:12:12 2007 VERIFY OK: nsCertType=SERVER
Sat Dec 08 08:12:12 2007 VERIFY OK: depth=0, /C=BR/ST=Goias/O=Pinheiros_Veiculos_Ltda/CN=SERVIDOR-Pinauto/emailAddress=root@xxxxxxxxxxxxxx
Sat Dec 08 08:12:13 2007 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Dec 08 08:12:13 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:13 2007 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Dec 08 08:12:13 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:13 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Dec 08 08:12:13 2007 [SERVIDOR-Pinauto] Peer Connection Initiated with 201.24.133.146:1194
Sat Dec 08 08:12:14 2007 SENT CONTROL [SERVIDOR-Pinauto]: 'PUSH_REQUEST' (status=1)
Sat Dec 08 08:12:14 2007 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route-gateway 192.168.100.1,ping 10,ping-restart 30,ifconfig 192.168.100.13 255.255.255.0'
Sat Dec 08 08:12:14 2007 OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 08 08:12:14 2007 OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 08 08:12:14 2007 OPTIONS IMPORT: route options modified
Sat Dec 08 08:12:15 2007 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{77D30A3B-5BAB-42A8-9490-D2612546B59F}.tap
Sat Dec 08 08:12:15 2007 TAP-Win32 Driver Version 8.4
Sat Dec 08 08:12:15 2007 TAP-Win32 MTU=1500
Sat Dec 08 08:12:15 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.13/255.255.255.0 on interface {77D30A3B-5BAB-42A8-9490-D2612546B59F} [DHCP-serv: 192.168.100.0, lease-time: 31536000]
Sat Dec 08 08:12:15 2007 Successful ARP Flush on interface [3] {77D30A3B-5BAB-42A8-9490-D2612546B59F}
Sat Dec 08 08:12:18 2007 Route: Waiting for TUN/TAP interface to come up...
Sat Dec 08 08:12:19 2007 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Sat Dec 08 08:12:19 2007 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.100.1
Sat Dec 08 08:12:19 2007 Route addition via IPAPI succeeded
---->>>> Sat Dec 08 08:12:19 2007 Initialization Sequence Completed
I would also suggest that instead of using the 'route -n | grep ..' stuff,
you publish your routes on your server instead of setting them
up on the clients. Publishing routes on the server will certainly
make your life easier if you need to change routes and/or publish new
ones. You can even publish different routes for different certificates,
using the client-config-dir configuration parameters.
Publishing on the server would also allow Windows clients. The route -n
grep stuff will certainly not work in a Windows environment ... and
publishing routes on the server works on Windows with no problem at all.
root@sjert-laptop:/etc/openvpn# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:12:3F:D7:49:11
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:19
eth1 Link encap:Ethernet HWaddr 00:13:CE:13:91:3C
inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::213:ceff:fe13:913c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3849 errors:0 dropped:0 overruns:0 frame:0
TX packets:3774 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2924710 (2.7 MiB) TX bytes:449634 (439.0 KiB)
Interrupt:18 Base address:0xc000 Memory:dfcfd000-dfcfdfff
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:190 errors:0 dropped:0 overruns:0 frame:0
TX packets:190 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:78165 (76.3 KiB) TX bytes:78165 (76.3 KiB)
And no route has been added:
root@sjert-laptop:/etc/openvpn# route -n
Kernel IP routeing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth1
0.0.0.0 192.168.1.101 0.0.0.0 UG 0 0 0 eth1
The network guys at the office seem to have run out of ideas. Is there
anybody out there who can point me in the right direction?
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@xxxxxxxxxxxxxx
My SPAMTRAP, do not email it
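As an added illustration of the server-side route publication suggested above (constructed example, not configuration from this thread or from either office's real server): the route is pushed from the server and arrives in the PUSH_REPLY line seen in the successful log, so the client-side 'route-up' grep trick is unnecessary. The tunnel subnet 10.8.0.0/24, the ccd path and the certificate CN 'client19' are assumptions; 10.12.0.0/16 is the office network from the original post.

```conf
# /etc/openvpn/server.conf (relevant excerpt; constructed example)
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0          # tunnel subnet (assumed value)
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/office.crt          # must be issued with nsCertType=server,
key  /etc/openvpn/office.key          # because clients check 'ns-cert-type server'
dh   /etc/openvpn/dh2048.pem
tls-auth ta.key 0                     # direction 0 here, 1 on the clients ('tls-auth ta.key 1')
keepalive 10 60
comp-lzo
user nobody
group nobody
persist-key
persist-tun

# Routes published to every client. The client receives them in the
# PUSH_REPLY control message and installs them itself, on Linux and on
# Windows alike, so no 'route-up' shell command is needed on the client.
push "route 10.12.0.0 255.255.0.0"

# Per-certificate overrides: OpenVPN looks for a file in this directory
# whose name equals the CN of the connecting client's certificate.
client-config-dir /etc/openvpn/ccd

# /etc/openvpn/ccd/client19 (separate file; CN 'client19' is assumed):
#   push "route 10.13.0.0 255.255.0.0"   # extra route only this certificate gets (constructed subnet)
```

Changing a route then means editing the server config (or one ccd file) once, rather than touching every client's configuration.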