[Openvpn-users] RV: Problems with OpenVPN in OpenBSD


  • Subject: [Openvpn-users] RV: Problems with OpenVPN in OpenBSD
  • From: "Damian Rivas" <damian@xxxxxxxxxx>
  • Date: Thu, 29 Nov 2007 16:45:18 -0300

I've managed to solve the problem. I had some rules missing in my PF; I forgot to include the rules for inet incoming and outgoing traffic. Now it works.
 
Thanks to all anyway
___________________________________________________
 
Damián Rivas
Hardware and Network Administrator
Systems Department
Consult House Turismo S.A.
Tel: 4315-1900
 
 -----Original Message-----
From: Damian Rivas
Sent: Thursday, 29 November 2007 03:38 p.m.
To: 'openvpn-users@xxxxxxxxxxxxxxxxxxxxx'
Subject: RV: [Openvpn-users] Problems with OpenVPN in OpenBSD

Please can anybody give me a hand with this? I'm really in need of making this work and I don't know what to do.

Please I beg your help,
 
Thanks in advance!
 
PS: I'm editing the previous message with the pasted config for server and client, and also the client's output:
 
-----Original Message-----
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Damian Rivas
Sent: Friday, 23 November 2007 05:01 p.m.
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [Openvpn-users] Problems with OpenVPN in OpenBSD

Hi people, I'm quite new to the Open Source world, and I'm having some trouble building a VPN at work.
 
First I will tell you about the idea:
 
At work, I have a LAN with the following IP addresses: 172.16.48.0/20. The idea is to build a VPN so some employees can work from their homes; therefore I need the VPN clients to enter the LAN as if they were physically inside the network.
 
The clients use Windows, most of them XP, from their notebooks or home PCs. So I have multiple Windows clients and therefore I need a VPN which allows them to get connected at the same time and, if possible, to see each other during the connection.
 
With all these ideas I started searching for howtos and guides and started to build the VPN server. I installed OpenVPN on an OpenBSD firewall because I thought it was the best option for security measures. Of course it got a bit complicated and took me some time to install the server, but I apparently managed to do so, built the certificates for a test client and server with the easy-rsa scripts, then installed the OpenVPN GUI on the Windows test client. And then I began testing.
 
The problem was always the same: the VPN connection was never successful. First I got the error "Connection Reset By Peer" constantly; then I adjusted the config files and only got an error about TLS handshaking not being accomplished. I removed the TLS key verification, adjusted the configuration again and again, and I keep getting the "Connection Reset By Peer" error, and curiously I'm still getting TLS errors, although I had disabled that feature (commented out the respective lines in the config files). I'm getting a bit desperate with this and I don't know how to solve it. If you can lend me a hand I will appreciate it.
 
Here are the rules I added to the PF exclusively for OpenVPN:
 
#################
#OpenVPN Filters #
#################
pass in quick on xl0 proto udp from any to 200.55.14.250 port = 1194
pass out quick on xl0 proto udp from 200.55.14.250 port = 1194 to any
pass in quick on tun1 all
pass out quick on tun1 all
pass out quick on xl1 all
Where:
- xl0 is the NIC connected to the WAN and xl1 is the NIC connected to the LAN.
- 200.55.14.250 is the IP of the OpenBSD Firewall/VPN Server on the Internet.
- tun1 is the interface I created for the tunnel. Yes, I have created the hostname.tun1 file on the /etc directory.
- 1194 UDP Port is the default OpenVPN uses for VPN traffic.
 
If you need further information of my PF rules, just ask me and I'll send you the file.
 
 
Please, if you need more details or anything, just ask me. I'm eager to finish this as soon as possible or my superiors will hang me because they want the VPN so badly xD.
 
EDIT: Here are the config files and the client's output:
 
Client's output when attempting to connect:
 
Thu Nov 29 15:35:34 2007 us=745784 Current Parameter Settings:
Thu Nov 29 15:35:34 2007 us=745935   config = 'C:\keys\client1.ovpn'
Thu Nov 29 15:35:34 2007 us=745976   mode = 0
Thu Nov 29 15:35:34 2007 us=746007   show_ciphers = DISABLED
Thu Nov 29 15:35:34 2007 us=746042   show_digests = DISABLED
Thu Nov 29 15:35:34 2007 us=746065   show_engines = DISABLED
Thu Nov 29 15:35:34 2007 us=746089   genkey = DISABLED
Thu Nov 29 15:35:34 2007 us=746112   key_pass_file = '[UNDEF]'
Thu Nov 29 15:35:34 2007 us=746140   show_tls_ciphers = DISABLED
Thu Nov 29 15:35:34 2007 us=746164   proto = 0
Thu Nov 29 15:35:34 2007 us=746187 NOTE: --mute triggered...
Thu Nov 29 15:35:34 2007 us=746229 178 variation(s) on previous 10 message(s) suppressed by --mute
Thu Nov 29 15:35:34 2007 us=746277 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Thu Nov 29 15:35:34 2007 us=748883 Control Channel Authentication: using 'C:\keys\ta.key' as a OpenVPN static key file
Thu Nov 29 15:35:34 2007 us=749751 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 29 15:35:34 2007 us=749857 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 29 15:35:34 2007 us=749936 LZO compression initialized
Thu Nov 29 15:35:34 2007 us=750093 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Nov 29 15:35:34 2007 us=775226 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Nov 29 15:35:34 2007 us=777211 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Nov 29 15:35:34 2007 us=777470 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Nov 29 15:35:34 2007 us=777609 Local Options hash (VER=V4): 'ec497616'
Thu Nov 29 15:35:34 2007 us=777692 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Nov 29 15:35:34 2007 us=777850 Socket Buffers: R=[8192->8192] S=[8192->8192]
 
Thu Nov 29 15:35:34 2007 us=777960 UDPv4 link local (bound): [undef]:1194
Thu Nov 29 15:35:34 2007 us=778032 UDPv4 link remote: 200.55.14.250:1194
Thu Nov 29 15:35:34 2007 us=853446 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:37 2007 us=317436 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:39 2007 us=661325 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:42 2007 us=130258 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:43 2007 us=953580 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:45 2007 us=590920 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:47 2007 us=718859 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:49 2007 us=865147 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
 
 
server.conf:
 
port 1194
proto udp
dev tun1
server 10.8.0.0 255.255.255.0
dh /home/daniel/dh1024.pem
ca /home/daniel/ca.crt
key /home/daniel/server.key
cert /home/daniel/server.crt
tun-mtu 1500
tun-mtu-extra 32
mssfix 32
keepalive 15 120
user nobody
group nobody
persist-key
persist-tun
push "route 172.16.48.0 255.255.240.0"
push "dhcp-option DNS 200.55.14.251"
push "dhcp-option DNS 172.16.48.6"
tls-auth /home/daniel/ta.key 0
comp-lzo
verb 4
mute 20 
 
client1.ovpn:
 
dev tun
client
ns-cert-type server
tls-remote "Consult House"
port 1194
proto udp
remote 200.55.14.250
ca c:\\keys\\ca.crt
cert C:\\keys\\client1.crt
key C:\\keys\\client1.key
tls-auth C:\\keys\\ta.key 1
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
comp-lzo
verb 4
mute 10
 
Thanks in advance!!!
Regards.-
Damian
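As an added example, not part of the original thread: a small Python script that reads a client log like the one pasted above and (a) checks that the 'Local Options String' is the proper mirror of the 'Expected Remote Options String' (only the tls-auth key direction and the tls-client/tls-server role may differ) and (b) counts the UDP 'Connection reset by peer' reads. The embedded sample lines are copied from the log in this thread; reading a UDP WSAECONNRESET as an ICMP port-unreachable returned by the server host is my interpretation, which matches the thread's resolution (missing PF rules).

```python
import re
# Constructed sample: four lines excerpted from the client log in the thread.
SAMPLE_LOG = """\
Thu Nov 29 15:35:34 2007 us=777211 Local Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Nov 29 15:35:34 2007 us=777470 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Nov 29 15:35:34 2007 us=853446 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Thu Nov 29 15:35:37 2007 us=317436 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
"""

OPTS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
RESET_RE = re.compile(r"read UDPv4: Connection reset by peer \(WSAECONNRESET\)")

def parse_options(s):
    """'V4,keydir 1,tls-client' -> {'V4': '', 'keydir': '1', 'tls-client': ''}"""
    opts = {}
    for tok in s.split(","):
        key, _, val = tok.partition(" ")
        opts[key] = val
    return opts

def mirror(opts):
    """Option set the peer must advertise: identical, except keydir and TLS role flip."""
    m = dict(opts)
    if "keydir" in m:
        m["keydir"] = {"0": "1", "1": "0"}.get(m["keydir"], m["keydir"])
    for mine, theirs in (("tls-client", "tls-server"), ("tls-server", "tls-client")):
        if mine in opts:
            del m[mine]
            m[theirs] = ""
    return m

def options_mismatches(local_str, remote_str):
    """Names of options where the expected-remote string is not the mirror of the local one."""
    want = mirror(parse_options(local_str))
    got = parse_options(remote_str)
    return sorted(k for k in set(want) | set(got) if want.get(k) != got.get(k))

def diagnose(log_text):
    """Return (mismatched option names, count of UDP 'connection reset' reads)."""
    found = dict(OPTS_RE.findall(log_text))  # label -> options string
    mismatches = []
    if "Local" in found and "Expected Remote" in found:
        mismatches = options_mismatches(found["Local"], found["Expected Remote"])
    return mismatches, len(RESET_RE.findall(log_text))

if __name__ == "__main__":
    bad, resets = diagnose(SAMPLE_LOG)
    print("option mismatches:", bad or "none")
    # UDP WSAECONNRESET: the server host returned ICMP port-unreachable, so nothing
    # accepted the datagram on 1194/udp (no listener, or the packet filter rejected it).
    print("UDP resets:", resets)
```

For the thread's log the script reports no option mismatches and two resets, which points away from the client config and towards the server's listener or its firewall rules.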