Re: [Openvpn-users] client-config-dir not working


  • Subject: Re: [Openvpn-users] client-config-dir not working
  • From: Gabriele Bulfon <gbulfon@xxxxxxxxxxx>
  • Date: Wed, 4 Jul 2007 14:03:39 +0200 (CEST)

Hi
I'm still in trouble.
I did as you noted:
ifconfig-push 10.1.1.5 10.1.1.6
ifconfig-push 10.1.1.9 10.1.1.10
ifconfig-push 10.1.1.13 10.1.1.14

I would expect my client to get 5,9 and 13.
...I still get them with 6, 10, 14 in a FIFO logic.
I suspect openvpn is not considering my ccd files at all...

About your mail, I cannot use tap, because my server OS is Solaris 10, and we still don't have tap there...
Thanks for any help.
Gabriele.

Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com




From: Peter Barwich <pbarwich@xxxxxxxxxxx>
To: Gabriele Bulfon <gbulfon@xxxxxxxxxxx>
Date: 27 June 2007 16:14:18 CEST
Subject: Re: [Openvpn-users] client-config-dir not working


Gabriele,

Try the FAQ (http://openvpn.net/faq.html) and do a manual search for "/30". The permitted pairs of addresses are 05,06; 09,10 etc., moving up by 4 each time, so your pairing of 10,11 is invalid. Also look at the howto (http://openvpn.net/howto.html) with the same search on the page, i.e. "/30", which gives the complete list copied below.


[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

But why use dev tun? dev tap is often described as a bridged configuration, and indeed it can be bridged (if your OS supports it; XP does, Win2k doesn't) but it doesn't HAVE to be bridged. If you DON'T bridge you just end up with a dual homed (2 IP addresses) OVPN server. Mine is 192.168.2.50 (LAN) and 10.3.0.1 (VPN). VPN clients get 0.2; 0.3; 0.4 etc, which is nice and manageable and easy to remember. Other LAN machines at the server end get access to all VPN clients by virtue of a fixed route entered into my internet gateway router, which is at 192.168.2.1. The fixed route added is : -

destination IP 10.3.0.0
Subnet Mask 255.255.255.0
Gateway 192.168.2.50

This tells the router/internet gateway to direct packets destined for the VPN to the VPN server machine, from where OpenVPN knows where each individual client currently is.

I have made no attempt to allow other machines on the CLIENT'S LAN to have access to the VPN machines (though I understand this can be done). In my case the clients could be anywhere and I absolutely do NOT want strange machines getting to my LAN.

A bit more on this odd /30 subnet rule can be found at http://osdir.com/ml/network.openvpn.devel/2004-03/msg00051.html and at http://openvpn.net/relnotes.html.

Also have a look at http://openvpn.net/archive/openvpn-users/2005-09/msg00079.html. This makes it clear that James Yonan himself was unhappy with the /30 subnet approach taken for dev tun type interfaces. It seems that this went further, but the patch download appears to no longer be available. However, if you look at the man page for version 2.1, it has been folded in to that version with the --topology directive (see http://openvpn.net/man-beta.html and again search for "/30" on the page).

If you do a search within the ovpn site for "/30 subnet" you'll get hundreds of hits, many of which show people being very confused. If you do the search with "sundman /30 subnet" you get a shorter list, and Sundman, the author of openvpngui, is well informed. The bottom line is that it seems to be a problem with windows, and you should use the address pairs referred to above, then it will 'just work'. But, as mentioned above, so does using dev tap, and it's much more satisfactory to my mind.

Server Config: -

port 5800
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.3.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0" # Tells VPN client where my LAN machines are
client-config-dir client_configs # non default name; a subdirectory of C:\Program Files\OpenVPN\config which avoids the need for this \\ nonsense in windows addresses
push "dhcp-option DNS 10.3.0.1" # I run my own DNS server
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
mute 20

Client Config (client's name 'myacer'): -

client
remote <my (fixed) home ip>
float # not sure if this is needed
port 5800
proto tcp-client
dev tap
persist-key
persist-tun #Yes, you use the word 'tun' here, even though it's a tap connection!
ca ca.crt
cert myacer.crt
key myacer.key
ns-cert-type server
# If you have set the TAP-Win32 adapter Media Status property to "Always Connected"
# (which would allow you never to show the network icon in the tray; connected or not)
# then the following directive is useful to force the adaptor to switch either from an
# automatically generated IP (or, if that is disabled in the registry, 0.0.0.0), to the one
# assigned by the vpn server. Without it ovpn may "think" it has connected when it hasn't.
# Also it breaks long term IP leases, should you need to change your server/client IP pool.

dhcp-renew
ping 10 # Probably should be removed, throws a minor error in the logs, and it pulls the directive from the server later anyway
comp-lzo
verb 4
mute 10

Client ccd file named "myacer" (no .abc type extension): -

ifconfig-push 10.3.0.2 255.255.255.0

Typical client connect log: -

Wed Jun 27 14:31:41 2007 us=125346 Current Parameter Settings:
Wed Jun 27 14:31:41 2007 us=125407   config = 'connect to annie.ovpn'
Wed Jun 27 14:31:41 2007 us=125418   mode = 0
Wed Jun 27 14:31:41 2007 us=125428   show_ciphers = DISABLED
Wed Jun 27 14:31:41 2007 us=125438   show_digests = DISABLED
Wed Jun 27 14:31:41 2007 us=125447   show_engines = DISABLED
Wed Jun 27 14:31:41 2007 us=125457   genkey = DISABLED
Wed Jun 27 14:31:41 2007 us=125466   key_pass_file = '[UNDEF]'
Wed Jun 27 14:31:41 2007 us=125476   show_tls_ciphers = DISABLED
Wed Jun 27 14:31:41 2007 us=125485   proto = 2
Wed Jun 27 14:31:41 2007 us=125494 NOTE: --mute triggered...
Wed Jun 27 14:31:41 2007 us=125522 178 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jun 27 14:31:41 2007 us=125535 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Jun 27 14:31:41 2007 us=131235 WARNING: --ping should normally be used with --ping-restart or --ping-exit #[wrong directive in client config file]
Wed Jun 27 14:31:41 2007 us=255457 LZO compression initialized
Wed Jun 27 14:31:41 2007 us=255594 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 27 14:31:41 2007 us=257556 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun 27 14:31:41 2007 us=257604 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Jun 27 14:31:41 2007 us=257618 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Jun 27 14:31:41 2007 us=263561 Local Options hash (VER=V4): '31fdf004'
Wed Jun 27 14:31:41 2007 us=263586 Expected Remote Options hash (VER=V4): '3e6d1056'
Wed Jun 27 14:31:41 2007 us=263611 Attempting to establish TCP connection with <my home ip>:5800
Wed Jun 27 14:31:41 2007 us=269077 TCP connection established with <my home ip>:5800
Wed Jun 27 14:31:41 2007 us=269115 Socket Buffers: R=[8192->8192] S=[32768->32768]
Wed Jun 27 14:31:41 2007 us=269133 TCPv4_CLIENT link local: [undef]
Wed Jun 27 14:31:41 2007 us=269145 TCPv4_CLIENT link remote: <my home ip>:5800
Wed Jun 27 14:31:41 2007 us=273992 TLS: Initial packet from <my home ip>:5800, sid=af372a1c 42cca8e3
Wed Jun 27 14:31:41 2007 us=367044 VERIFY OK: <cert info>
Wed Jun 27 14:31:41 2007 us=368590 VERIFY OK: nsCertType=SERVER
Wed Jun 27 14:31:41 2007 us=368606 VERIFY OK: <cert info>
Wed Jun 27 14:31:42 2007 us=126490 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 14:31:42 2007 us=126529 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 14:31:42 2007 us=126607 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 14:31:42 2007 us=126622 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 14:31:42 2007 us=128841 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 27 14:31:42 2007 us=128880 [server] Peer Connection Initiated with <my home ip>:5800
Wed Jun 27 14:31:43 2007 us=225767 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 27 14:31:43 2007 us=427804 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,dhcp-option DNS 10.3.0.1,route-gateway 10.3.0.1,ping 10,ping-restart 120,ifconfig 10.3.0.2 255.255.255.0'
Wed Jun 27 14:31:43 2007 us=427896 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 27 14:31:43 2007 us=427907 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 27 14:31:43 2007 us=427916 OPTIONS IMPORT: route options modified
Wed Jun 27 14:31:43 2007 us=427926 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 27 14:31:43 2007 us=555157 TAP-WIN32 device [VPN] opened: \\.\Global\{B64A94F5-811D-49AE-A709-3FA0404A6FE3}.tap
Wed Jun 27 14:31:43 2007 us=556055 TAP-Win32 Driver Version 8.4
Wed Jun 27 14:31:43 2007 us=556505 TAP-Win32 MTU=1500
Wed Jun 27 14:31:43 2007 us=556901 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.3.0.2/255.255.255.0 on interface {B64A94F5-811D-49AE-A709-3FA0404A6FE3} [DHCP-serv: 10.3.0.0, lease-time: 31536000]
Wed Jun 27 14:31:43 2007 us=556923 DHCP option string: 06040a03 0001
Wed Jun 27 14:31:43 2007 us=559573 Successful ARP Flush on interface [4] {B64A94F5-811D-49AE-A709-3FA0404A6FE3}
Wed Jun 27 14:31:43 2007 us=662327 WARNING: Failed to renew DHCP IP address lease on TAP-Win32 adapter: The system cannot find the file specified.   (code=2)
############[A funny one this. I think it's because the adaptor already HAS the 10.3.0.2 address. The connection IS made, and the address IS correct. It's definitely related to the dhcp-renew directive in the client file]#############################
Wed Jun 27 14:31:43 2007 us=672438 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:43 2007 us=672470 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:44 2007 us=781943 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:44 2007 us=781973 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:45 2007 us=881276 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:45 2007 us=881306 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:46 2007 us=981821 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:46 2007 us=981849 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:48 2007 us=116714 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:48 2007 us=116745 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:49 2007 us=65024 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 27 14:31:49 2007 us=65061 route ADD 192.168.2.0 MASK 255.255.255.0 10.3.0.1
Wed Jun 27 14:31:49 2007 us=76721 Route addition via IPAPI succeeded
Wed Jun 27 14:31:49 2007 us=76753 Initialization Sequence Completed



Hope this helps,

Peter




Gabriele Bulfon wrote:
Maybe you can point me to some other tip.
As you say, I use the tun interface, specify a client-config-dir, place the file as for the Subject CN (client crt for the generated key is [ Subject: C=IT, ST=MI, O=MacDue, CN = cassa1.macdue.eu / emailAddress =info@xxxxxxxxxx ] , so ccd file is cassa1.macdue.eu )  containing "ifconfig-push 10.1.1.10 10.1.1.11", but I still get the IPs in random order. Meaning that if cassa2 comes first, it gets the ifconfig of cassa1.
Where can I investigate more?





From: Peter Barwich <pbarwich@xxxxxxxxxxx>
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Date: 23 June 2007 17:03:15 CEST
Subject: Re: [Openvpn-users] client-config-dir not working


Gabriele

It may just be worth pointing out to you and other readers that Erich's response applies ONLY to the dev tun interface (that you specified in your original config file). For dev tap interfaces the second parameter should be something like 255.255.255.0, the normal netmask for the address you are trying to push. ifconfig-push takes the same parameters as the ifconfig directive you are trying to implement on the client, so see --ifconfig l rn in the man page for openvpn (about 1/6 of the way down). It took me a while to figure this out, so maybe it'll save someone else time.

Subject: Re: [Openvpn-users] client-config-dir not working
From: Erich Titl <erich.titl@xxxxxxxx>
Date: Fri, 22 Jun 2007 00:49:06 +0200
To: Gabriele Bulfon <gbulfon@xxxxxxxxxxx>
CC: openvpn-users@xxxxxxxxxxxxxxxxxxxxx

Gabriele Bulfon wrote:
> Thanks for the reply.
> What is the meaning of ifconfig-push 10.1.1.7 10.1.1.8 ?
> Which of the IPs is the assigned IP?

One is assigned to the client and the other is the gateway on the server
end. IIRC the first is assigned to the client.

> I remember trying this, but I got some kind of debug on the client
> saying that the format was not fine, and that I should place the subnet
> mask after the IP...

Not with 2.0, I am not familiar with 2.1.

> Where do I place the default subnet other than /30?

You don't.....

From the HOWTO I suggested you read:

Each pair of ifconfig-push addresses represent the virtual client and
server IP endpoints. They must be taken from successive /30 subnets in
order to be compatible with Windows clients and the TAP-Win32 driver.
Specifically, the last octet in the IP address of each endpoint pair
must be taken from this set:

cheers

Erich
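As an added example (not code from this thread, from OpenVPN, or from its HOWTO), the following Python checker encodes the two rules discussed above: for dev tun, an ifconfig-push pair must be the two hosts of one /30 (client first, server endpoint second, per the [1,2] [5,6] [9,10] ... table), and for dev tap the second field is a netmask. The net30_pairs generator generalises the HOWTO table to any pool; the default pool 10.1.1.0/24 is an assumption matching the 10.1.1.x addresses in the thread.

```python
import ipaddress

def net30_pairs(pool):
    """Yield (client, server_endpoint) pairs from successive /30 subnets of pool.

    Generalises the HOWTO table: the first usable host of each /30 goes to
    the client, the second is the server-side endpoint ([1,2], [5,6], ...).
    """
    for sub in ipaddress.ip_network(pool).subnets(new_prefix=30):
        first, second = sub.hosts()
        yield str(first), str(second)

def check_ifconfig_push(line, dev="tun", pool="10.1.1.0/24"):
    """Validate one ccd 'ifconfig-push' line; returns (ok, reason).

    dev="tun": the second field is the server endpoint and both addresses
    must come from the same /30 (client first), as TAP-Win32 clients need.
    dev="tap": the second field is a netmask such as 255.255.255.0.
    pool is the range given to the 'server' directive (assumed default
    chosen to match the thread's 10.1.1.x examples).
    """
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return False, "expected: ifconfig-push <client-ip> <server-endpoint|netmask>"
    try:
        client = ipaddress.ip_address(parts[1])
    except ValueError as e:
        return False, f"bad client address: {e}"
    if client not in ipaddress.ip_network(pool):
        return False, f"{client} is outside the server pool {pool}"
    if dev == "tap":
        try:
            ipaddress.ip_network(f"{client}/{parts[2]}", strict=False)
        except ValueError:
            return False, f"for dev tap the second field must be a netmask, not {parts[2]}"
        return True, "ok: tap address/netmask"
    try:
        server = ipaddress.ip_address(parts[2])
    except ValueError as e:
        return False, f"bad server endpoint: {e}"
    # The /30 block containing the client; its two usable hosts are the pair.
    sub = ipaddress.ip_network(f"{client}/30", strict=False)
    first, second = sub.hosts()
    if client != first:
        return False, f"{client} is not the first host of its /30; use {first} {second}"
    if server != second:
        return False, f"server endpoint must be {second} (same /30 as {client})"
    return True, f"ok: pair taken from {sub}"
```

Run against the lines from the thread, the checker accepts 10.1.1.5 10.1.1.6 and rejects both 10.1.1.7 10.1.1.8 and 10.1.1.10 10.1.1.11, which is exactly the mismatch Peter points out.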
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users