Re: [Openvpn-users] Unexpected WARNINGS


  • Subject: Re: [Openvpn-users] Unexpected WARNINGS
  • From: "Tiger Big" <vpn.mailist@xxxxxxxxx>
  • Date: Tue, 11 Dec 2007 22:35:48 +0800

Hi, Jan
I've followed your guide, here is the output of client:
----------------------------------------------------------------------------
Tue Dec 11 22:15:10 2007 us=497587 Current Parameter Settings:
Tue Dec 11 22:15:10 2007 us=497697   config = 'client.ovpn'
Tue Dec 11 22:15:10 2007 us=497718   mode = 0
Tue Dec 11 22:15:10 2007 us=497736   show_ciphers = DISABLED
Tue Dec 11 22:15:10 2007 us=497755   show_digests = DISABLED
Tue Dec 11 22:15:10 2007 us=497774   show_engines = DISABLED
Tue Dec 11 22:15:10 2007 us=497792   genkey = DISABLED
Tue Dec 11 22:15:10 2007 us=497811   key_pass_file = '[UNDEF]'
Tue Dec 11 22:15:10 2007 us=497830   show_tls_ciphers = DISABLED
Tue Dec 11 22:15:10 2007 us=497849   proto = 2
Tue Dec 11 22:15:10 2007 us=497867 NOTE: --mute triggered...
Tue Dec 11 22:15:10 2007 us=497929 178 variation(s) on previous 10
message(s) suppressed by --mute
Tue Dec 11 22:15:10 2007 us=497954 OpenVPN 2.0.9 Win32-MinGW [SSL]
[LZO] built on Oct  1 2006
Tue Dec 11 22:15:10 2007 us=498255 IMPORTANT: OpenVPN's default port
number is now 1194, based on an official port number assignment by
IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Dec 11 22:15:10 2007 us=511853 LZO compression initialized
Tue Dec 11 22:15:10 2007 us=512125 Control Channel MTU parms [ L:1576
D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Dec 11 22:15:10 2007 us=542366 TAP-WIN32 device [tap0] opened:
\\.\Global\{49F4CC5A-D115-4353-BDAE-16A232DE9E7A}.tap
Tue Dec 11 22:15:10 2007 us=543830 TAP-Win32 Driver Version 8.4
Tue Dec 11 22:15:10 2007 us=544661 TAP-Win32 MTU=1500
Tue Dec 11 22:15:10 2007 us=545424 Notified TAP-Win32 driver to set a
DHCP IP/netmask of 192.168.10.22/255.255.255.0 on interface
{49F4CC5A-D115-4353-BDAE-16A232DE9E7A} [DHCP-serv: 192.168.10.0,
lease-time: 31536000]
Tue Dec 11 22:15:10 2007 us=563496 Successful ARP Flush on interface
[5] {49F4CC5A-D115-4353-BDAE-16A232DE9E7A}
Tue Dec 11 22:15:10 2007 us=580853 Data Channel MTU parms [ L:1576
D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Dec 11 22:15:10 2007 us=580985 Local Options String: 'V4,dev-type
tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,ifconfig
192.168.10.0 255.255.255.0,comp-lzo,cipher BF-CBC,auth SHA1,keysize
128,key-method 2,tls-client'
Tue Dec 11 22:15:10 2007 us=581013 Expected Remote Options String:
'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto
TCPv4_SERVER,ifconfig 192.168.10.0 255.255.255.0,comp-lzo,cipher
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Dec 11 22:15:10 2007 us=581074 Local Options hash (VER=V4): '1b763cc3'
Tue Dec 11 22:15:10 2007 us=581109 Expected Remote Options hash
(VER=V4): '2f5a5592'
Tue Dec 11 22:15:10 2007 us=581184 Attempting to establish TCP
connection with 192.168.1.1:8080
Tue Dec 11 22:15:10 2007 us=606567 TCP connection established with
192.168.1.1:8080
Tue Dec 11 22:15:10 2007 us=606658 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 11 22:15:10 2007 us=613204 TCPv4_CLIENT link local: 192.168.1.108
Tue Dec 11 22:15:10 2007 us=613277 TCPv4_CLIENT link remote: 192.168.1.1:8080
Tue Dec 11 22:15:10 2007 us=663231 TLS: Initial packet from
192.168.1.1:8080, sid=39649ed5 07f948af
Tue Dec 11 22:15:11 2007 us=980614 VERIFY OK: depth=1,
/C=CN/ST=SH/L=SH/O=Company/OU=Building_3_/CN=WR850G/emailAddress=xxx@xxxxxxx
Tue Dec 11 22:15:11 2007 us=981631 VERIFY OK: nsCertType=SERVER
Tue Dec 11 22:15:11 2007 us=981652 VERIFY OK: depth=0,
/C=CN/ST=SH/O=Company/OU=Building_3_/CN=Server/emailAddress=xxx@xxxxxxx
Tue Dec 11 22:15:13 2007 us=719961 NOTE: Options consistency check may
be skewed by version differences
Tue Dec 11 22:15:13 2007 us=720072 WARNING: 'version' is used
inconsistently, local='version V4', remote='version V0 UNDEF'
Tue Dec 11 22:15:13 2007 us=720105 WARNING: 'dev-type' is present in
local config but missing in remote config, local='dev-type tap'
Tue Dec 11 22:15:13 2007 us=720135 WARNING: 'link-mtu' is present in
local config but missing in remote config, local='link-mtu 1576'
Tue Dec 11 22:15:13 2007 us=720164 WARNING: 'tun-mtu' is present in
local config but missing in remote config, local='tun-mtu 1532'
Tue Dec 11 22:15:13 2007 us=720195 WARNING: 'proto' is present in
local config but missing in remote config, local='proto TCPv4_SERVER'
Tue Dec 11 22:15:13 2007 us=720230 WARNING: 'ifconfig' is present in
local config but missing in remote config, local='ifconfig
192.168.10.0 255.255.255.0'
Tue Dec 11 22:15:13 2007 us=720261 WARNING: 'comp-lzo' is present in
local config but missing in remote config, local='comp-lzo'
Tue Dec 11 22:15:13 2007 us=720290 WARNING: 'cipher' is present in
local config but missing in remote config, local='cipher BF-CBC'
Tue Dec 11 22:15:13 2007 us=720321 WARNING: 'auth' is present in local
config but missing in remote config, local='auth SHA1'
Tue Dec 11 22:15:13 2007 us=720345 NOTE: --mute triggered...
Tue Dec 11 22:15:13 2007 us=730980 3 variation(s) on previous 10
message(s) suppressed by --mute
Tue Dec 11 22:15:13 2007 us=731032 Data Channel Encrypt: Cipher
'BF-CBC' initialized with 128 bit key
Tue Dec 11 22:15:13 2007 us=731083 Data Channel Encrypt: Using 160 bit
message hash 'SHA1' for HMAC authentication
Tue Dec 11 22:15:13 2007 us=731203 Data Channel Decrypt: Cipher
'BF-CBC' initialized with 128 bit key
Tue Dec 11 22:15:13 2007 us=731230 Data Channel Decrypt: Using 160 bit
message hash 'SHA1' for HMAC authentication
Tue Dec 11 22:15:13 2007 us=741795 Control Channel: TLSv1, cipher
TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Tue Dec 11 22:15:13 2007 us=741924 [Server] Peer Connection Initiated
with 192.168.1.1:8080
Tue Dec 11 22:15:13 2007 us=987940 TEST ROUTES: 0/0 succeeded len=-1
ret=1 a=0 u/d=up
Tue Dec 11 22:15:13 2007 us=987997 Initialization Sequence Completed
-------------------------------------------------------------------------------------------------------------
Warning message still there. Also, I've tried "proto udp", same
result. I haven't tried "dev tun", 'cause I don't know what other option
should be modified, or should I just leave others untouched?

And I noticed another strange thing: in client's warning message,
there's a line saying "'proto' is present in local config but missing
in remote config, local='proto TCPv4_SERVER'", but as you can see,
what I put in client's config is "proto tcp-client" instead of "proto
tcp-server".

BTW, there is not any hardware firewall between client and server,
I've disabled client's Windows firewall. For server, I think iptables
is the firewall? Should I post my iptables output? This mail is too
long :)


On Dec 10, 2007 8:52 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> the line
>
>
> Mon Dec 10 19:37:13 2007 us=649638 Notified TAP-Win32 driver to set a
> DHCP IP/netmask of 192.168.10.22/255.255.255.0 on interface
> {49F4CC5A-D115-4353-BDAE-16A232DE9E7A} [DHCP-serv: 192.168.10.0,
> lease-time: 31536000]
>
> suggests that the DHCP server is at 192.168.10.0 ... that does not make
> sense. Can you try this in your server config file:
>
>
> server 192.168.10.0 255.255.255.0
> passtos
> proto tcp
> local xx.xx.org
> port 8080
>
> dev tap0
> cert X509/Server/server.crt
> key X509/Server/server.key
> dh X509/Server/dh1024.pem
> ca X509/CA/ca.crt
> keepalive 10 120
> user nobody
> group nobody
> persist-key
> persist-tun
> comp-lzo
> verb 4
> mute 10
>
>
> other than that, I am pretty much at a loss: during the negotiation
> phase there seems to be some data corruption:
> it's doing the certificate verify, it's doing other connection settings
> and Boom, all of a sudden the client receives a completely wrong remote
> config packet. Are there any firewalls in place on your LAN?
>
> Also, try
> dev tun
> instead of
> dev tap
> this will give you a slightly different type of network (TCP/IP only)
> but if this one works then we're one step further.
>
>
> HTH,
>
> JJK
>
> Tiger Big wrote:
>
>
>
> > Hi Jan,
> > Following is the client log without proxy:
> > -------------------------------------------------------------------------------------------------------------------
> >
> > Mon Dec 10 19:37:13 2007 us=367205 Current Parameter Settings:
> > Mon Dec 10 19:37:13 2007 us=367322 config = 'client.ovpn'
> > Mon Dec 10 19:37:13 2007 us=367342 mode = 0
> > Mon Dec 10 19:37:13 2007 us=367361 show_ciphers = DISABLED
> > Mon Dec 10 19:37:13 2007 us=367379 show_digests = DISABLED
> > Mon Dec 10 19:37:13 2007 us=367401 show_engines = DISABLED
> > Mon Dec 10 19:37:13 2007 us=367420 genkey = DISABLED
> > Mon Dec 10 19:37:13 2007 us=367438 key_pass_file = '[UNDEF]'
> > Mon Dec 10 19:37:13 2007 us=367457 show_tls_ciphers = DISABLED
> > Mon Dec 10 19:37:13 2007 us=367475 proto = 2
> > Mon Dec 10 19:37:13 2007 us=367493 NOTE: --mute triggered...
> > Mon Dec 10 19:37:13 2007 us=367552 178 variation(s) on previous 10
> > message(s) suppressed by --mute
> > Mon Dec 10 19:37:13 2007 us=367576 OpenVPN 2.0.9 Win32-MinGW [SSL]
> > [LZO] built on Oct 1 2006
> > Mon Dec 10 19:37:13 2007 us=368035 IMPORTANT: OpenVPN's default port
> > number is now 1194, based on an official port number assignment by
> > IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
> > Mon Dec 10 19:37:13 2007 us=629695 LZO compression initialized
> > Mon Dec 10 19:37:13 2007 us=629952 Control Channel MTU parms [ L:1576
> > D:140 EF:40 EB:0 ET:0 EL:0 ]
> > Mon Dec 10 19:37:13 2007 us=645110 TAP-WIN32 device [tap0] opened:
> > \\.\Global\{49F4CC5A-D115-4353-BDAE-16A232DE9E7A}.tap
> > Mon Dec 10 19:37:13 2007 us=646752 TAP-Win32 Driver Version 8.4
> > Mon Dec 10 19:37:13 2007 us=648748 TAP-Win32 MTU=1500
> > Mon Dec 10 19:37:13 2007 us=649638 Notified TAP-Win32 driver to set a
> > DHCP IP/netmask of 192.168.10.22/255.255.255.0 on interface
> > {49F4CC5A-D115-4353-BDAE-16A232DE9E7A} [DHCP-serv: 192.168.10.0,
> > lease-time: 31536000]
> > Mon Dec 10 19:37:13 2007 us=681801 Successful ARP Flush on interface
> > [5] {49F4CC5A-D115-4353-BDAE-16A232DE9E7A}
> > Mon Dec 10 19:37:13 2007 us=693088 Data Channel MTU parms [ L:1576
> > D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
> > Mon Dec 10 19:37:13 2007 us=693212 Local Options String: 'V4,dev-type
> > tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,ifconfig
> > 192.168.10.0 255.255.255.0,comp-lzo,cipher BF-CBC,auth SHA1,keysize
> > 128,key-method 2,tls-client'
> > Mon Dec 10 19:37:13 2007 us=693241 Expected Remote Options String:
> > 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto
> > TCPv4_SERVER,ifconfig 192.168.10.0 255.255.255.0,comp-lzo,cipher
> > BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
> > Mon Dec 10 19:37:13 2007 us=724124 Local Options hash (VER=V4):
> > '1b763cc3'
> > Mon Dec 10 19:37:13 2007 us=724228 Expected Remote Options hash
> > (VER=V4): '2f5a5592'
> > Mon Dec 10 19:37:13 2007 us=724315 Attempting to establish TCP
> > connection with 192.168.1.1:8080
> > Mon Dec 10 19:37:13 2007 us=749371 TCP connection established with
> > 192.168.1.1:8080
> > Mon Dec 10 19:37:13 2007 us=749476 Socket Buffers: R=[8192->8192]
> > S=[8192->8192]
> > Mon Dec 10 19:37:13 2007 us=753208 TCPv4_CLIENT link local:
> > 192.168.1.108
> > Mon Dec 10 19:37:13 2007 us=753278 TCPv4_CLIENT link remote:
> > 192.168.1.1:8080
> > Mon Dec 10 19:37:13 2007 us=903624 TLS: Initial packet from
> > 192.168.1.1:8080, sid=37941370 92caaa2c
> > Mon Dec 10 19:37:15 2007 us=183361 VERIFY OK: depth=1,
> > /C=CN/ST=SH/L=SH/O=Company/OU=Building_3_/CN=WR850G/emailAddress=xxx@xxxxxxx
> > Mon Dec 10 19:37:15 2007 us=184410 VERIFY OK: nsCertType=SERVER
> > Mon Dec 10 19:37:15 2007 us=184431 VERIFY OK: depth=0,
> > /C=CN/ST=SH/O=Company/OU=Building_3_/CN=Server/emailAddress=xxx@xxxxxxx
> > Mon Dec 10 19:37:17 2007 us=38580 NOTE: Options consistency check may
> > be skewed by version differences
> > Mon Dec 10 19:37:17 2007 us=38695 WARNING: 'version' is used
> > inconsistently, local='version V4', remote='version V0 UNDEF'
> > Mon Dec 10 19:37:17 2007 us=40350 WARNING: 'dev-type' is present in
> > local config but missing in remote config, local='dev-type tap'
> > Mon Dec 10 19:37:17 2007 us=40385 WARNING: 'link-mtu' is present in
> > local config but missing in remote config, local='link-mtu 1576'
> > Mon Dec 10 19:37:17 2007 us=40415 WARNING: 'tun-mtu' is present in
> > local config but missing in remote config, local='tun-mtu 1532'
> > Mon Dec 10 19:37:17 2007 us=40445 WARNING: 'proto' is present in local
> > config but missing in remote config, local='proto TCPv4_SERVER'
> > Mon Dec 10 19:37:17 2007 us=40482 WARNING: 'ifconfig' is present in
> > local config but missing in remote config, local='ifconfig
> > 192.168.10.0 255.255.255.0'
> > Mon Dec 10 19:37:17 2007 us=40512 WARNING: 'comp-lzo' is present in
> > local config but missing in remote config, local='comp-lzo'
> > Mon Dec 10 19:37:17 2007 us=40542 WARNING: 'cipher' is present in
> > local config but missing in remote config, local='cipher BF-CBC'
> > Mon Dec 10 19:37:17 2007 us=40571 WARNING: 'auth' is present in local
> > config but missing in remote config, local='auth SHA1'
> > Mon Dec 10 19:37:17 2007 us=40597 NOTE: --mute triggered...
> > Mon Dec 10 19:37:17 2007 us=41150 3 variation(s) on previous 10
> > message(s) suppressed by --mute
> > Mon Dec 10 19:37:17 2007 us=41171 Data Channel Encrypt: Cipher
> > 'BF-CBC' initialized with 128 bit key
> > Mon Dec 10 19:37:17 2007 us=41199 Data Channel Encrypt: Using 160 bit
> > message hash 'SHA1' for HMAC authentication
> > Mon Dec 10 19:37:17 2007 us=41319 Data Channel Decrypt: Cipher
> > 'BF-CBC' initialized with 128 bit key
> > Mon Dec 10 19:37:17 2007 us=41348 Data Channel Decrypt: Using 160 bit
> > message hash 'SHA1' for HMAC authentication
> > Mon Dec 10 19:37:17 2007 us=59439 Control Channel: TLSv1, cipher
> > TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
> > Mon Dec 10 19:37:17 2007 us=59558 [Server] Peer Connection Initiated
> > with 192.168.1.1:8080
> > Mon Dec 10 19:37:18 2007 us=534876 TEST ROUTES: 0/0 succeeded len=-1
> > ret=1 a=0 u/d=up
> > Mon Dec 10 19:37:18 2007 us=534935 Initialization Sequence Completed
> > --------------------------------------------------------------------------------------------------------------------------------
> > As you see, this time I set up OpenVPN in a LAN environment.
> > Server IP: 192.168.1.1; Client IP: 192.168.1.108;
> > Server VPN IP: 192.168.10.11; Client VPN IP: 192.168.10.22
> > but still get same warnings
> > And I have to say sorry about previous mis-config, maybe you haven't
> > noticed:
> > I have assigned the same VPN IP (192.168.10.11)
> > to both server and client, I've corrected that now.
> > On Dec 10, 2007 6:24 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> > > OK you can restore the mtu setting again... can you post the client log
> > > when trying to connect *without* the proxy (127.0.0.1:3128) ?
> > >
> > > JJK
> > >
> > >
> > > Tiger Big wrote:
> > > > Hi ,Jan
> > > > I have tried to avoid using proxy and set tun-mtu to a lower value,
> > > > but still the same result.
> > > >
> > > > BTW, if setting tun-mtu to 1200 in server conf, there will be a
> > > > warning message saying:
> > > >
> > > > "WARNING: normally if you use --mssfix and/or --fragment, you should
> > > > also set --tun-mtu 1500 (currently it is 1200)"
> > > >
> > > > I have no idea with that message.
> > > >
> > > > anyway, I'll try using a Linux client to see if all those warnings
> > > > come out because of the Windows platform.
> > > >
> > > > On Dec 7, 2007 6:14 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> > > >
> > > >> Hi Tiger Big,
> > > >>
> > > >> hmmm I misread your config file a little bit. I saw
> > > >> tls-client
> > > >> ifconfig <IP> <IP>
> > > > >> the first statement is a client/server setup (openvpn 2.x) whereas the
> > > > >> second statement is used mostly in point-to-point (openvpn 1.x) setups.
> > > > >> However, if you use
> > > > >> ifconfig <IP> <NETMASK>
> > > > >> which your config file shows then you're fine. Sorry about that.
> > > > >>
> > > > >> As for the warnings, your client log file shows that you're connecting
> > > > >> thru an HTTP proxy - I presume this is intentional; it might be best to
> > > > >> reflect this in the openvpn client config file. It should not make much
> > > > >> difference but you never know.
> > > >>
> > > >> Finally, try reducing the 'tun-mtu' parameter on both sides (to e.g.
> > > >> 1200) and see if that helps at all.
> > > >>
> > > >> cheers,
> > > >>
> > > >> JJK
> > > >>
> > > >>
> > > >> Tiger Big wrote:
> > > >>
> > > >>> thanks Jan, but still the same results/warnings.
> > > >>>
> > > > >>> one more question, why would you say "config files don't make sense" ?
> > > > >>> the only difference between my original conf and your modified version
> > > > >>> is the method of how to obtain IP address.
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>> On Dec 6, 2007 5:06 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> > > >>>
> > > >>>
> > > > >>>> your client and server config files don't make sense. Try this for the
> > > > >>>> server config:
> > > > >>>>
> > > > >>>> local xxx.xxx.org
> > > > >>>> port 8080
> > > > >>>> proto tcp-server
> > > > >>>> tls-server
> > > > >>>> server 192.168.10.0 255.255.255.0
> > > >>>> dev tap0
> > > >>>> cert X509/Server/server.crt
> > > >>>> key X509/Server/server.key
> > > >>>> dh X509/Server/dh1024.pem
> > > >>>> ca X509/CA/ca.crt
> > > >>>>
> > > >>>> keepalive 10 120
> > > >>>> user nobody
> > > >>>> group nobody
> > > >>>> persist-key
> > > >>>> persist-tun
> > > >>>> comp-lzo
> > > >>>> verb 4
> > > >>>> mute 10
> > > >>>>
> > > >>>> and this for the client
> > > >>>>
> > > >>>> local abc
> > > > >>>> remote xxx.xxx.org 8080
> > > >>>> proto tcp-client
> > > >>>> tls-client
> > > >>>> dev tap
> > > >>>> dev-node tap0
> > > >>>> nobind
> > > >>>> cert D:\\OpenVPN\\easy-rsa\\keys\\Tiger.crt
> > > >>>> key D:\\OpenVPN\\easy-rsa\\keys\\Tiger.key
> > > >>>> ca D:\\OpenVPN\\easy-rsa\\keys\\ca.crt
> > > >>>>
> > > >>>> keepalive 10 120
> > > >>>> comp-lzo
> > > >>>> verb 4
> > > >>>> mute 10
> > > >>>>
> > > >>>> HTH,
> > > >>>>
> > > >>>> JJK
> > > >>>>
> > > >>>>
> > > >>>> Tiger Big wrote:
> > > >>>>
> > > >>>>
> > > >>>>> Server Configuration (Linux):
> > > >>>>> −−−−−−−−−−−−−−−−−−
> > > > >>>>> local xxx.xxx.org
> > > >>>>> port 8080
> > > >>>>> proto tcp-server
> > > >>>>> tls-server
> > > >>>>> dev tap0
> > > >>>>> cert X509/Server/server.crt
> > > >>>>> key X509/Server/server.key
> > > >>>>> dh X509/Server/dh1024.pem
> > > >>>>> ca X509/CA/ca.crt
> > > > >>>>> ifconfig 192.168.10.11 255.255.255.0
> > > >>>>> keepalive 10 120
> > > >>>>> user nobody
> > > >>>>> group nobody
> > > >>>>> persist-key
> > > >>>>> persist-tun
> > > >>>>> comp-lzo
> > > >>>>> verb 4
> > > >>>>> mute 10
> > > >>>>> −−−−−−−−−−−−−−−−−−
> > > >>>>>
> > > >>>>>
> > > >>>>> Client Configuration (WinXP):
> > > >>>>> ------------------------------------------
> > > >>>>> local abc
> > > > >>>>> remote xxx.xxx.org 8080
> > > >>>>> proto tcp-client
> > > >>>>> tls-client
> > > >>>>> dev tap
> > > >>>>> dev-node tap0
> > > >>>>> nobind
> > > >>>>> cert D:\\OpenVPN\\easy-rsa\\keys\\Tiger.crt
> > > >>>>> key D:\\OpenVPN\\easy-rsa\\keys\\Tiger.key
> > > >>>>> ca D:\\OpenVPN\\easy-rsa\\keys\\ca.crt
> > > > >>>>> ifconfig 192.168.10.11 255.255.255.0
> > > >>>>> keepalive 10 120
> > > >>>>> comp-lzo
> > > >>>>> verb 4
> > > >>>>> mute 10
> > > >>>>> --------------------------------------------
> > > >>>>>
> > > >>>>> Output of Server:
> > > >>>>> −−−−−−−−−−−−−−−−−−−−−−
> > > > >>>>> Wed Nov 7 22:46:52 2007 us=395451 OpenVPN 2.0.9 mipsel-unknown-linux
> > > > >>>>> [SSL] [LZO] built on Oct 8 2007
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=139174 Diffie-Hellman initialized with
> > > > >>>>> 1024 bit key
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=167393 LZO compression initialized
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=177324 Control Channel MTU parms [ L:1576
> > > > >>>>> D:140 EF:40 EB:0 ET:0 EL:0 ]
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=207122 TUN/TAP device tap0 opened
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=209204 TUN/TAP TX queue length set to 100
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=211730 /sbin/ifconfig tap0 192.168.10.11
> > > > >>>>> netmask 255.255.255.0 mtu 1500 broadcast 192.168.10.255
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=276813 Data Channel MTU parms [ L:1576
> > > > >>>>> D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=278702 GID set to nobody
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=279692 UID set to nobody
> > > > >>>>> Wed Nov 7 22:46:53 2007 us=280933 Listening for incoming TCP
> > > > >>>>> connection on 123.45.67.89:8080
> > > > >>>>> Wed Nov 7 22:47:00 2007 us=344674 TCP connection established with
> > > > >>>>> 98.76.54.32:48883
> > > > >>>>> Wed Nov 7 22:47:00 2007 us=345622 Socket Buffers: R=[43689->65534]
> > > > >>>>> S=[16384->65534]
> > > > >>>>> Wed Nov 7 22:47:00 2007 us=346587 TCPv4_SERVER link local (bound):
> > > > >>>>> 123.45.67.89:8080
> > > > >>>>> Wed Nov 7 22:47:00 2007 us=347462 TCPv4_SERVER link remote:
> > > > >>>>> 98.76.54.32:48883
> > > > >>>>> Wed Nov 7 22:47:00 2007 us=354161 TLS: Initial packet from
> > > > >>>>> 98.76.54.32:48883 sid=2e4d871b 12ba58ca
> > > > >>>>> Wed Nov 7 22:47:02 2007 us=930794 VERIFY OK: depth=1,
> > > > >>>>> /C=CN/ST=SH/L=SH/O=Company/OU=Building_3_/CN=WR850G/Email=xxx@xxxxxxx
> > > > >>>>> Wed Nov 7 22:47:02 2007 us=953126 VERIFY OK: depth=0,
> > > > >>>>> /C=CN/ST=SH/O=Company/OU=Building_3_/CN=Tiger/Email=xxx@xxxxxxx
> > > > >>>>> Wed Nov 7 22:47:04 2007 us=189347 Data Channel Encrypt: Cipher
> > > > >>>>> 'BF-CBC' initialized with 128 bit key
> > > > >>>>> Wed Nov 7 22:47:04 2007 us=192065 Data Channel Encrypt: Using 160 bit
> > > > >>>>> message hash 'SHA1' for HMAC authentication
> > > > >>>>> Wed Nov 7 22:47:04 2007 us=196237 Data Channel Decrypt: Cipher
> > > > >>>>> 'BF-CBC' initialized with 128 bit key
> > > > >>>>> Wed Nov 7 22:47:04 2007 us=198498 Data Channel Decrypt: Using 160 bit
> > > > >>>>> message hash 'SHA1' for HMAC authentication
> > > > >>>>> Wed Nov 7 22:47:04 2007 us=388832 Control Channel: TLSv1, cipher
> > > > >>>>> TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
> > > > >>>>> Wed Nov 7 22:47:04 2007 us=392021 [Tiger] Peer Connection Initiated
> > > > >>>>> with 98.76.54.32:48883
> > > > >>>>> Wed Nov 7 22:47:05 2007 us=629230 Initialization Sequence Completed
> > > >>>>> −−−−−−−−−−−−−−−−−−−−−−
> > > >>>>>
> > > >>>>> Output of Client:
> > > >>>>> -----------------------------------------------------
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24485 Current Parameter Settings:
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24531 config = 'client.ovpn'
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24541 mode = 0
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24552 show_ciphers = DISABLED
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24562 show_digests = DISABLED
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24572 show_engines = DISABLED
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24582 genkey = DISABLED
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24593 key_pass_file = '[UNDEF]'
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24603 show_tls_ciphers = DISABLED
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24614 proto = 2
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24624 NOTE: --mute triggered...
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24651 188 variation(s) on previous 10
> > > >>>>> message(s) suppressed by --mute
> > > >>>>> Thu Nov 08 14:46:58 2007 us=24666 OpenVPN 2.0.9 Win32-MinGW [SSL]
> > > >>>>> [LZO] built on Oct 1 2006
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=24748 IMPORTANT: OpenVPN's default port
> > > > >>>>> number is now 1194, based on an official port number assignment by
> > > > >>>>> IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=24763 WARNING: No server certificate
> > > > >>>>> verification method has been enabled. See
> > > > >>>>> http://openvpn.net/howto.html#mitm for more info.
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=26495 LZO compression initialized
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=26589 Control Channel MTU parms [ L:1576
> > > > >>>>> D:140 EF:40 EB:0 ET:0 EL:0 ]
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=46092 TAP-WIN32 device [tap0] opened:
> > > > >>>>> \\.\Global\{B45A907D-B030-4F6F-9FE1-001F6C3AEB48}.tap
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=46122 TAP-Win32 Driver Version 8.4
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=46135 TAP-Win32 MTU=1500
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=46156 Notified TAP-Win32 driver to set a
> > > > >>>>> DHCP IP/netmask of 192.168.10.11/255.255.255.0 on interface
> > > > >>>>> {B45A907D-B030-4F6F-9FE1-001F6C3AEB48} [DHCP-serv: 192.168.10.0
> > > > >>>>> lease-time: 31536000]
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=53796 Successful ARP Flush on interface
> > > > >>>>> [3] {B45A907D-B030-4F6F-9FE1-001F6C3AEB48}
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=55539 Data Channel MTU parms [ L:1576
> > > > >>>>> D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=55586 Local Options String: 'V4,dev-type
> > > > >>>>> tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,ifconfig
> > > > >>>>> 192.168.10.0 255.255.255.0,comp-lzo,cipher BF-CBC,auth SHA1,keysize
> > > > >>>>> 128,key-method 2,tls-client'
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=55602 Expected Remote Options String:
> > > > >>>>> 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto
> > > > >>>>> TCPv4_SERVER,ifconfig 192.168.10.0 255.255.255.0,comp-lzo,cipher
> > > > >>>>> BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=55634 Local Options hash (VER=V4): '1b763cc3'
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=55652 Expected Remote Options hash
> > > > >>>>> (VER=V4): '2f5a5592'
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=55680 Attempting to establish TCP
> > > > >>>>> connection with 127.0.0.1:3128
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=63009 TCP connection established with
> > > > >>>>> 127.0.0.1:3128
> > > > >>>>> Thu Nov 08 14:46:58 2007 us=63039 Send to HTTP proxy: 'CONNECT
> > > > >>>>> xxx.xxx.org:8080 HTTP/1.0'
> > > > >>>>> Thu Nov 08 14:46:59 2007 us=159521 HTTP proxy returned: 'HTTP/1.1 200
> > > > >>>>> Connection established'
> > > > >>>>> Thu Nov 08 14:47:01 2007 us=158850 Socket Buffers: R=[8192->8192]
> > > > >>>>> S=[8192->8192]
> > > > >>>>> Thu Nov 08 14:47:01 2007 us=159020 TCPv4_CLIENT link local:
> > > > >>>>> 172.24.201.50
> > > > >>>>> Thu Nov 08 14:47:01 2007 us=159037 TCPv4_CLIENT link remote:
> > > > >>>>> 127.0.0.1:3128
> > > > >>>>> Thu Nov 08 14:47:01 2007 us=390961 TLS: Initial packet from
> > > > >>>>> 127.0.0.1:3128, sid=9696962b 6944c74a
> > > > >>>>> Thu Nov 08 14:47:03 2007 us=206615 VERIFY OK: depth=1,
> > > > >>>>> /C=CN/ST=SH/L=SH/O=Company/OU=Building_3_/CN=WR850G/emailAddress=xxx@xxxxxxx
> > > > >>>>> Thu Nov 08 14:47:03 2007 us=208774 VERIFY OK: depth=0,
> > > > >>>>> /C=CN/ST=SH/O=Company/OU=Building_3_/CN=Server/emailAddress=xxx@xxxxxxx
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389449 NOTE: Options consistency check may
> > > > >>>>> be skewed by version differences
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389494 WARNING: 'version' is used
> > > > >>>>> inconsistently, local='version V4', remote='version V0 UNDEF'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389513 WARNING: 'dev-type' is present in
> > > > >>>>> local config but missing in remote config, local='dev-type tap'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389531 WARNING: 'link-mtu' is present in
> > > > >>>>> local config but missing in remote config, local='link-mtu 1576'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389549 WARNING: 'tun-mtu' is present in
> > > > >>>>> local config but missing in remote config, local='tun-mtu 1532'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389571 WARNING: 'proto' is present in
> > > > >>>>> local config but missing in remote config, local='proto TCPv4_SERVER'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389607 WARNING: 'ifconfig' is present in
> > > > >>>>> local config but missing in remote config, local='ifconfig
> > > > >>>>> 192.168.10.0 255.255.255.0'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389625 WARNING: 'comp-lzo' is present in
> > > > >>>>> local config but missing in remote config, local='comp-lzo'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389643 WARNING: 'cipher' is present in
> > > > >>>>> local config but missing in remote config, local='cipher BF-CBC'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389659 WARNING: 'auth' is present in local
> > > > >>>>> config but missing in remote config, local='auth SHA1'
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389673 NOTE: --mute triggered...
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389977 3 variation(s) on previous 10
> > > > >>>>> message(s) suppressed by --mute
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=389991 Data Channel Encrypt: Cipher
> > > > >>>>> 'BF-CBC' initialized with 128 bit key
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=390009 Data Channel Encrypt: Using 160 bit
> > > > >>>>> message hash 'SHA1' for HMAC authentication
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=390090 Data Channel Decrypt: Cipher
> > > > >>>>> 'BF-CBC' initialized with 128 bit key
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=390106 Data Channel Decrypt: Using 160 bit
> > > > >>>>> message hash 'SHA1' for HMAC authentication
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=390453 Control Channel: TLSv1, cipher
> > > > >>>>> TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
> > > > >>>>> Thu Nov 08 14:47:05 2007 us=390487 [Server] Peer Connection Initiated
> > > > >>>>> with 127.0.0.1:3128
> > > > >>>>> Thu Nov 08 14:47:06 2007 us=630508 TEST ROUTES: 0/0 succeeded len=-1
> > > > >>>>> ret=1 a=0 u/d=up
> > > > >>>>> Thu Nov 08 14:47:06 2007 us=630535 Initialization Sequence Completed
> > > >>>>> ----------------------------------------------------------
> > > >>>>>
> > > >>>>>
> > > >>>>> Why there're so many WARNINGS:
> > > >>>>>
> > > > >>>>> 1. Both client and server use same version - 2.0.9, why does the client
> > > > >>>>> say: "NOTE: Options consistency check may be skewed by version
> > > > >>>>> differences"
> > > > >>>>> 2. Many options (like 'comp-lzo') have been enabled in both client and
> > > > >>>>> server's configuration, why does client say "WARNING: 'comp-lzo' is
> > > > >>>>> present in local config but missing in remote config,
> > > > >>>>> local='comp-lzo'"?
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
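
An added example, not part of the thread and not OpenVPN's own code: it models the options consistency check as the client log above reports it and tests whether every warning is explained by the peer's options string holding only `V0 UNDEF`. It also shows that the `local=` values in the warnings, including `proto TCPv4_SERVER`, are the entries of the client's Expected Remote Options String. The function names, verdict labels and the simplified comparison are assumptions, and the input must be unwrapped log lines.

```python
import re

# Constructed input: lines re-joined from the wrapped client log in the post
# above (timestamps dropped); every value is one shown in that log.
EXPECTED_REMOTE = (
    "V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,"
    "ifconfig 192.168.10.0 255.255.255.0,comp-lzo,cipher BF-CBC,"
    "auth SHA1,keysize 128,key-method 2,tls-server"
)
_MISSING = "is present in local config but missing in remote config"
SAMPLE_LOG = "\n".join([
    f"Expected Remote Options String: '{EXPECTED_REMOTE}'",
    "NOTE: Options consistency check may be skewed by version differences",
    "WARNING: 'version' is used inconsistently, local='version V4', "
    "remote='version V0 UNDEF'",
    f"WARNING: 'dev-type' {_MISSING}, local='dev-type tap'",
    f"WARNING: 'link-mtu' {_MISSING}, local='link-mtu 1576'",
    f"WARNING: 'tun-mtu' {_MISSING}, local='tun-mtu 1532'",
    f"WARNING: 'proto' {_MISSING}, local='proto TCPv4_SERVER'",
    f"WARNING: 'ifconfig' {_MISSING}, local='ifconfig 192.168.10.0 255.255.255.0'",
    f"WARNING: 'comp-lzo' {_MISSING}, local='comp-lzo'",
    f"WARNING: 'cipher' {_MISSING}, local='cipher BF-CBC'",
    f"WARNING: 'auth' {_MISSING}, local='auth SHA1'",
    "NOTE: --mute triggered...",
    "3 variation(s) on previous 10 message(s) suppressed by --mute",
])


def parse_options(options_string):
    """Split an options string into {name: full option text}, keeping order."""
    opts = {}
    for i, item in enumerate(p.strip() for p in options_string.split(",")):
        if not item:
            continue
        if i == 0 and re.fullmatch(r"V\d+( .*)?", item):
            item = "version " + item  # the log reports 'V4' as 'version V4'
        opts[item.split(" ", 1)[0]] = item
    return opts


def compare(expected_remote, received_remote):
    """Simplified model of the check (an assumption, not OpenVPN's code).

    The side the log calls 'local' is the *expected remote* string."""
    want, got = parse_options(expected_remote), parse_options(received_remote)
    out = []
    for name, text in want.items():
        if name not in got:
            out.append(f"WARNING: '{name}' is present in local config but "
                       f"missing in remote config, local='{text}'")
        elif got[name] != text:
            out.append(f"WARNING: '{name}' is used inconsistently, "
                       f"local='{text}', remote='{got[name]}'")
    for name, text in got.items():
        if name not in want:
            out.append(f"WARNING: '{name}' is present in remote config but "
                       f"missing in local config, remote='{text}'")
    return out


def triage(log_text):
    """Decide whether the warnings mean 'peer sent no options' or a real mismatch."""
    exp = re.search(r"Expected Remote Options String: '([^']*)'", log_text)
    if not exp:
        return {"received": None, "hidden_by_mute": [], "verdict": "insufficient-log"}
    hits = list(re.finditer(r"WARNING: '[^']+' is .*", log_text))
    seen = [h.group(0) for h in hits]
    # Only the --mute counter that follows the warnings is relevant; earlier
    # ones belong to the parameter dump at startup.
    tail = log_text[hits[-1].end():] if hits else ""
    mute = re.search(r"(\d+) variation\(s\)", tail)
    hidden = int(mute.group(1)) if mute else 0
    ver = re.search(r"remote='version ([^']*)'", log_text)
    received = ver.group(1) if ver else None
    # Hypothesis: the peer's whole options string was its version token.
    model = compare(exp.group(1), received) if received else []
    explained = (bool(model) and model[:len(seen)] == seen
                 and len(model) == len(seen) + hidden)
    names = [re.match(r"WARNING: '([^']+)'", w).group(1) for w in model[len(seen):]]
    return {
        "received": received,
        "hidden_by_mute": names if explained else [],
        "verdict": "peer-sent-no-options" if explained else "per-option-mismatch",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `peer-sent-no-options` verdict means the warnings say nothing about whether individual directives such as `cipher` or `comp-lzo` agree on both sides; the configs still have to be compared directly.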