[Openvpn-users] openvpn OS X connection problem


  • Subject: [Openvpn-users] openvpn OS X connection problem
  • From: Joel Braverman <onephatcat@xxxxxxxxxxxxx>
  • Date: Sun, 14 Oct 2007 20:40:29 -0700

We have installed OpenVPN successfully on Windows and Mac machines (as clients). However, my own personal system at home is unable to connect completely - it connects only to our "DMZ" zone (functionally, our DMZ isn't really much different from our LAN; they are both hanging off the same box, but the DMZ systems are not allowed access to the LAN, only the LAN can contact the DMZ, and some machines on the DMZ are accessible from the LAN).

My symptoms have been that I cannot access the LAN over OpenVPN, but I can access the DMZ machines. I am not able to access the LAN. Other machines I have set up have had no problem with this.

Today, as part of my troubleshooting, I realized that the default address space given out by my AT&T DSL router is exactly the same as our LAN address space. So I reconfigured my router address space to 192.168.8.* instead of 1.*.

This seems to have had exactly no effect on my ability to connect to the LAN.

One other symptom of the issue is that I am not able to access our gateway server (which is running OpenVPN) when I am connected. The other machines we have configured seem not to have a problem. I have spent quite a bit of time (adding up to several hours) over the past few weeks trying to get this connection to work. The config file is a clone of the working config we are using on other systems.

One issue we have noticed on Macintosh machines that DO work is that they don't get the DNS information automatically like the Windows machines do, and we have to add our domain search suffix to get to internal servers.

Attempting to ping anything from the terminal after connecting results in a "no buffer space available" error. Connection to the Internet works, as does connection to DMZ servers using their NAT address, which means that the connection is at least working to the DMZ.

Here is the log from Tunnelblick, and the config (note that xxx replaces the actual IP addresses):

Sun 10/14/07 06:56 PM: IMPORTANT: OpenVPN's default port number is now 1194
Sun 10/14/07 06:56 PM: WARNING: file 'joel.key' is group or others accessible
Sun 10/14/07 06:56 PM: LZO compression initialized
Sun 10/14/07 06:56 PM: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun 10/14/07 06:56 PM: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun 10/14/07 06:56 PM: Local Options hash (VER=V4): '41690919'
Sun 10/14/07 06:56 PM: Expected Remote Options hash (VER=V4): '530fdded'
Sun 10/14/07 06:56 PM: UDPv4 link local: [undef]
Sun 10/14/07 06:56 PM: UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sun 10/14/07 06:56 PM: TLS: Initial packet from xxx.xxx.xxx.xxx:1194
Sun 10/14/07 06:56 PM: VERIFY OK: depth=1
Sun 10/14/07 06:56 PM: VERIFY OK: nsCertType=SERVER
Sun 10/14/07 06:56 PM: VERIFY OK: depth=0
Sun 10/14/07 06:56 PM: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun 10/14/07 06:56 PM: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun 10/14/07 06:56 PM: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun 10/14/07 06:56 PM: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun 10/14/07 06:56 PM: Control Channel: TLSv1
Sun 10/14/07 06:56 PM: [server] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Sun 10/14/07 06:56 PM: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun 10/14/07 06:56 PM: PUSH: Received control message: 'PUSH_REPLY
Sun 10/14/07 06:56 PM: OPTIONS IMPORT: timers and/or timeouts modified
Sun 10/14/07 06:56 PM: OPTIONS IMPORT: --ifconfig/up options modified
Sun 10/14/07 06:56 PM: OPTIONS IMPORT: route options modified
Sun 10/14/07 06:56 PM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun 10/14/07 06:56 PM: gw 192.168.8.1
Sun 10/14/07 06:56 PM: TUN/TAP device /dev/tun3 opened
Sun 10/14/07 06:56 PM: /sbin/ifconfig tun3 delete
Sun 10/14/07 06:56 PM: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sun 10/14/07 06:56 PM: /sbin/ifconfig tun3 10.8.0.30 10.8.0.29 mtu 1500 netmask 255.255.255.255 up
Sun 10/14/07 06:56 PM: /sbin/route add -net 192.168.1.0 10.8.0.29 255.255.255.0
Sun 10/14/07 06:56 PM: /sbin/route add -net 10.0.1.0 10.8.0.29 255.255.255.0
Sun 10/14/07 06:56 PM: /sbin/route add -net 10.8.0.1 10.8.0.29 255.255.255.255
Sun 10/14/07 06:56 PM: Initialization Sequence Completed
Sun 10/14/07 07:56 PM: VERIFY OK: depth=1
Sun 10/14/07 07:56 PM: VERIFY OK: nsCertType=SERVER
Sun 10/14/07 07:56 PM: VERIFY OK: depth=0
Sun 10/14/07 07:56 PM: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun 10/14/07 07:56 PM: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun 10/14/07 07:56 PM: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun 10/14/07 07:56 PM: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun 10/14/07 07:56 PM: Control Channel: TLSv1

And the OpenVPN config file:

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxx.xxx.xxx.xxx 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert joel.crt
key joel.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20



____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
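The log above shows the two things a reviewer would check first on a client like this: the server pushes a route for 192.168.1.0/24 via the tunnel, which collides with a home LAN that also uses 192.168.1.x (the overlap the poster describes), and OpenVPN warns that the private key file is readable by group or others. The script below is an added example, not part of the post or of OpenVPN or Tunnelblick: it parses route and key-permission lines in the Tunnelblick log format quoted above and reports pushed networks that overlap the client's local networks. The sample log lines and the two local-network lists (the poster's old 192.168.1.0/24 and renumbered 192.168.8.0/24) are constructed for the example.

```python
"""Check pushed OpenVPN routes against a client's local networks.

Hypothetical helper written for this example; it is not part of OpenVPN
or Tunnelblick. It reads the route lines that OpenVPN logs when it runs
/sbin/route on macOS and flags any pushed network that overlaps a network
the client is already directly connected to, which silently breaks access
to the remote LAN. It also surfaces OpenVPN's own warning about a key file
that is readable by group or others.
"""
import ipaddress
import re

# Constructed sample in the Tunnelblick log format from the post.
SAMPLE_LOG = """\
Sun 10/14/07 06:56 PM: WARNING: file 'joel.key' is group or others accessible
Sun 10/14/07 06:56 PM: /sbin/ifconfig tun3 10.8.0.30 10.8.0.29 mtu 1500 netmask 255.255.255.255 up
Sun 10/14/07 06:56 PM: /sbin/route add -net 192.168.1.0 10.8.0.29 255.255.255.0
Sun 10/14/07 06:56 PM: /sbin/route add -net 10.0.1.0 10.8.0.29 255.255.255.0
Sun 10/14/07 06:56 PM: /sbin/route add -net 10.8.0.1 10.8.0.29 255.255.255.255
Sun 10/14/07 06:56 PM: Initialization Sequence Completed
"""

# "/sbin/route add -net <network> <gateway> <netmask>" as OpenVPN logs it on macOS.
ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
# OpenVPN's permission warning for private key files.
KEY_WARN_RE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")


def parse_routes(log_text):
    """Return (network, gateway) pairs for every route OpenVPN installed."""
    routes = []
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            net, gw, mask = m.groups()
            # ipaddress accepts a dotted netmask after the slash.
            routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
    return routes


def find_overlaps(routes, local_networks):
    """Return (pushed, local) CIDR string pairs where a pushed route overlaps
    a network the client is directly connected to (local_networks are CIDR
    strings such as "192.168.1.0/24")."""
    locals_ = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    overlaps = []
    for net, _gw in routes:
        for local in locals_:
            if net.overlaps(local):
                overlaps.append((str(net), str(local)))
    return overlaps


def exposed_key_files(log_text):
    """Key files OpenVPN reported as readable by group or others."""
    return KEY_WARN_RE.findall(log_text)


def report(log_text, local_networks):
    """Summarise both checks as a dict; printed by main() below."""
    routes = parse_routes(log_text)
    return {
        "routes": [(str(n), gw) for n, gw in routes],
        "overlaps": find_overlaps(routes, local_networks),
        "exposed_keys": exposed_key_files(log_text),
    }


if __name__ == "__main__":
    # Constructed: the poster's home LAN before and after renumbering.
    for label, lan in (("old home LAN", "192.168.1.0/24"), ("new home LAN", "192.168.8.0/24")):
        r = report(SAMPLE_LOG, [lan])
        print(f"{label} ({lan}):")
        print("  pushed routes:", r["routes"])
        print("  overlaps:     ", r["overlaps"] or "none")
        print("  exposed keys: ", r["exposed_keys"] or "none")
```

With the old home LAN the 192.168.1.0/24 route pushed by the server overlaps the directly connected subnet, so replies to the remote LAN never enter the tunnel; renumbering the home side to 192.168.8.0/24 removes the overlap, which is the fix the poster applied. The key warning is independent of routing and is cleared by making the key file readable only by its owner.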