Re: [Openvpn-users] Can not get openvpn client working


  • Subject: Re: [Openvpn-users] Can not get openvpn client working
  • From: Leonardo Rodrigues Magalhães <leolistas@xxxxxxxxxxxxxx>
  • Date: Sat, 08 Dec 2007 08:20:40 -0200



Gert Koning wrote:
Hi all,

I have been struggling for days now to get a straight forward openvpn
client setup to work - to no avail. I am trying to connect to our office
where they run an openvpn server. Different colleagues successfully connect
to the office this way.

I am running Ubuntu 7.04 with kernel 2.6.20-16-generic on a laptop,
connected wireless (device eth1) to a DSL modem. IP address is provided by
DHCP and is mostly 192.168.1.102.  The internal network at the office is
in the 10.12.0.0 range.

This is my openvpn configuration, supplied by our network guys:

client
nobind
proto udp
dev tun
remote <ip address of our server>
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client19.crt
key /etc/openvpn/client19.key
ns-cert-type server
tls-remote office
tls-auth ta.key 1
tls-client
route-up "route add -net 10.12.0.0/16 gw `route -n |grep 10.11 | head -n1| awk '{ print$2 }'`"
comp-lzo
keepalive 10 60
daemon

I do have the tun device:
root@sjert-laptop:~# lsmod|grep tun
tun                    12032  0

When I start openvpn:
root@sjert-laptop:~# /etc/init.d/openvpn start
Starting virtual private network daemon: clientEnter Private Key Password:
(OK).

So my password is accepted. The daemon is running:
root@sjert-laptop:/etc/openvpn# ps -ef|grep vpn
root      5524     1  0 15:04 ?        00:00:00 /usr/sbin/openvpn
--writepid /var/run/openvpn.client.pid --status
/var/run/openvpn.client.status 10 --cd /etc/openvpn --config
/etc/openvpn/client.conf

Looking at /var/log/daemon:
Dec  8 15:03:59 sjert-laptop openvpn[5523]: OpenVPN 2.0.9
i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  2 2007
Dec  8 15:03:59 sjert-laptop openvpn[5523]: IMPORTANT: OpenVPN's default
port number is now 1194, based on an official port number assignment by
IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Dec  8 15:04:03 sjert-laptop openvpn[5523]: Control Channel
Authentication: using 'ta.key' as a OpenVPN static key file
Dec  8 15:04:03 sjert-laptop openvpn[5523]: LZO compression initialized
Dec  8 15:04:03 sjert-laptop openvpn[5524]: NOTE: UID/GID downgrade will
be delayed because of --client, --pull, or --up-delay
Dec  8 15:04:03 sjert-laptop openvpn[5524]: UDPv4 link local: [undef]
Dec  8 15:04:03 sjert-laptop openvpn[5524]: UDPv4 link remote:
212.45.32.70:1194

So everything looks OK, except its not working. The tun device is not
shown in ifconfig:


No ..... you can't say everything looks OK. We'll have an 'OK' situation when OpenVPN really establishes the connection with your server .... which you would see in your logs clearly. The logs you showed just show that OpenVPN starts and is running, but it doesn't mean it looks OK. It's not connecting to the office server, at least this is not shown in your logs.

Route is clearly not being added because your 'grep 10.11' is returning nothing; we can see that from your provided 'route -n'. But we can't imagine why it's not connecting if you don't provide full logs.

On a successful connection, you would see something like ... please note the LAST line, which indicates the connection is established.


Sat Dec 08 08:12:12 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sat Dec 08 08:12:12 2007 Control Channel Authentication: using 'chave-tls-auth.key' as a OpenVPN static key file
Sat Dec 08 08:12:12 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:12 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:12 2007 LZO compression initialized
Sat Dec 08 08:12:12 2007 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Dec 08 08:12:12 2007 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Dec 08 08:12:12 2007 Local Options hash (VER=V4): '48527533'
Sat Dec 08 08:12:12 2007 Expected Remote Options hash (VER=V4): '44bd8b5e'
Sat Dec 08 08:12:12 2007 UDPv4 link local: [undef]
Sat Dec 08 08:12:12 2007 UDPv4 link remote: 201.24.133.146:1194
Sat Dec 08 08:12:12 2007 TLS: Initial packet from 201.24.133.146:1194, sid=6f25c713 718db91f
Sat Dec 08 08:12:12 2007 VERIFY OK: depth=1, /C=BR/ST=Goias/L=Goiania/O=Pinheiros_Veiculos_Ltda/CN=CA-Pinauto/emailAddress=root@xxxxxxxxxxxxxx
Sat Dec 08 08:12:12 2007 VERIFY OK: nsCertType=SERVER
Sat Dec 08 08:12:12 2007 VERIFY OK: depth=0, /C=BR/ST=Goias/O=Pinheiros_Veiculos_Ltda/CN=SERVIDOR-Pinauto/emailAddress=root@xxxxxxxxxxxxxx
Sat Dec 08 08:12:13 2007 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Dec 08 08:12:13 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:13 2007 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Dec 08 08:12:13 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 08 08:12:13 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Dec 08 08:12:13 2007 [SERVIDOR-Pinauto] Peer Connection Initiated with 201.24.133.146:1194
Sat Dec 08 08:12:14 2007 SENT CONTROL [SERVIDOR-Pinauto]: 'PUSH_REQUEST' (status=1)
Sat Dec 08 08:12:14 2007 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route-gateway 192.168.100.1,ping 10,ping-restart 30,ifconfig 192.168.100.13 255.255.255.0'
Sat Dec 08 08:12:14 2007 OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 08 08:12:14 2007 OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 08 08:12:14 2007 OPTIONS IMPORT: route options modified
Sat Dec 08 08:12:15 2007 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{77D30A3B-5BAB-42A8-9490-D2612546B59F}.tap
Sat Dec 08 08:12:15 2007 TAP-Win32 Driver Version 8.4
Sat Dec 08 08:12:15 2007 TAP-Win32 MTU=1500
Sat Dec 08 08:12:15 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.13/255.255.255.0 on interface {77D30A3B-5BAB-42A8-9490-D2612546B59F} [DHCP-serv: 192.168.100.0, lease-time: 31536000]
Sat Dec 08 08:12:15 2007 Successful ARP Flush on interface [3] {77D30A3B-5BAB-42A8-9490-D2612546B59F}
Sat Dec 08 08:12:18 2007 Route: Waiting for TUN/TAP interface to come up...
Sat Dec 08 08:12:19 2007 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Sat Dec 08 08:12:19 2007 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.100.1
Sat Dec 08 08:12:19 2007 Route addition via IPAPI succeeded
---->>>> Sat Dec 08 08:12:19 2007 Initialization Sequence Completed


I would also suggest that instead of using the 'route -n | grep ..' stuff, you publish your routes on your server instead of setting them up on the clients. Publishing routes on the server will certainly make your life easier if you need to change routes and/or publish new ones. You can even publish different routes for different certificates, using the client-config-dir configuration parameter.

Publishing on the server would also allow Windows clients. The 'route -n | grep' stuff will certainly not work in a Windows environment ... and publishing routes on the server works on Windows with no problem at all.

root@sjert-laptop:/etc/openvpn# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:12:3F:D7:49:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:19

eth1      Link encap:Ethernet  HWaddr 00:13:CE:13:91:3C
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:ceff:fe13:913c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3849 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3774 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2924710 (2.7 MiB)  TX bytes:449634 (439.0 KiB)
          Interrupt:18 Base address:0xc000 Memory:dfcfd000-dfcfdfff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:190 errors:0 dropped:0 overruns:0 frame:0
          TX packets:190 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:78165 (76.3 KiB)  TX bytes:78165 (76.3 KiB)

And no route has been added:

root@sjert-laptop:/etc/openvpn# route -n
Kernel IP routeing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth1
0.0.0.0         192.168.1.101   0.0.0.0         UG    0      0        0 eth1


The network guys at the office seem to have run out of ideas. Is there
anybody out there that can point me into the right direction?

--


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT email it
	gertrudes@xxxxxxxxxxxxxx
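An added example, not part of the thread: a small shell check that reads an OpenVPN client log and reports the furthest milestone it reached, so that "the daemon is running" is not mistaken for "connected". The two sample logs are constructed from lines quoted above (the poster's stuck log and the working Windows session); the milestone strings are OpenVPN's own log messages.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OpenVPN client log by the
# last milestone it contains. The sample logs below are constructed from
# lines quoted in this thread.

# Prints the furthest milestone found:
#   started   - socket opened, nothing from the server logged yet
#   reached   - first packet from the server seen (TLS: Initial packet)
#   handshake - certificates verified both ways (Peer Connection Initiated)
#   pushed    - server sent its options/routes (PUSH_REPLY)
#   connected - tunnel and routes are up (Initialization Sequence Completed)
openvpn_state() {
    if grep -q 'Initialization Sequence Completed' "$1"; then echo connected
    elif grep -q 'PUSH_REPLY' "$1"; then echo pushed
    elif grep -q 'Peer Connection Initiated' "$1"; then echo handshake
    elif grep -q 'TLS: Initial packet from' "$1"; then echo reached
    else echo started
    fi
}

# Constructed from the poster's log: it stops at "UDPv4 link remote", so the
# socket is open but no reply from the server was ever logged.
stuck_log=$(mktemp)
cat >"$stuck_log" <<'EOF'
Dec  8 15:04:03 sjert-laptop openvpn[5524]: UDPv4 link local: [undef]
Dec  8 15:04:03 sjert-laptop openvpn[5524]: UDPv4 link remote: 212.45.32.70:1194
EOF

# Constructed from the working session, reduced to its milestone lines.
good_log=$(mktemp)
cat >"$good_log" <<'EOF'
Sat Dec 08 08:12:12 2007 UDPv4 link remote: 201.24.133.146:1194
Sat Dec 08 08:12:12 2007 TLS: Initial packet from 201.24.133.146:1194, sid=6f25c713 718db91f
Sat Dec 08 08:12:13 2007 [SERVIDOR-Pinauto] Peer Connection Initiated with 201.24.133.146:1194
Sat Dec 08 08:12:14 2007 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0'
Sat Dec 08 08:12:19 2007 Initialization Sequence Completed
EOF

echo "poster's log: $(openvpn_state "$stuck_log")"   # started
echo "working log:  $(openvpn_state "$good_log")"    # connected
```

A log that stays at "started" means the server never answered on UDP 1194 (or the tls-auth key rejected its packets), which is a firewall or key question rather than a tun or route question.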

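As an added example (not from the thread), the server-side setup suggested above: a global push of the office route plus a client-config-dir override for one certificate. The paths, the CN client19 and the VPN pool 10.11.0.0/24 are assumptions taken from the client config quoted in the thread; only 10.12.0.0/16 is the office network the poster named.

```conf
# Added example, not from the thread. Server-side replacement for the
# client's route-up line. Paths, CN "client19" and the 10.11.0.0/24 pool
# are assumptions; 10.12.0.0/16 is the office network from the thread.

# --- /etc/openvpn/server.conf (fragment) ---
# Assumed VPN pool; the client's grep for 10.11 suggests the gateway lives here.
server 10.11.0.0 255.255.255.0
# Every client that connects gets the office route, with the VPN gateway
# filled in by OpenVPN, so no per-client 'route -n | grep' is needed.
push "route 10.12.0.0 255.255.0.0"
# Per-certificate overrides: a file named after the client certificate CN.
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/client19 (file name = CN of that client's certificate) ---
# Constructed extra route that only the client19 certificate receives.
push "route 10.13.0.0 255.255.0.0"

# --- client.conf ---
# With routes pushed, the route-up line can be deleted: 'client' implies
# --pull, so the pushed routes are installed automatically, on Linux and
# Windows alike.
```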


