Re: [Openvpn-users] Vista and 2.1 rc4


  • Subject: Re: [Openvpn-users] Vista and 2.1 rc4
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Sun, 27 Jan 2008 16:26:32 -0600
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID566maAwAM0239X39

Lee Rocklage wrote:
I am getting the error below and cannot connect via Vista, I have my
config file below the error to see if anyone sees anything wrong...
OpenVPN GUI v.1.03 is the version I am running.

You specified "dev tap" on the client side but the server is pushing a tun-specific ifconfig option. You are probably using tun on the server which means your clients must also be using tun.

Thanks


Wed Jan 23 16:33:44 2008 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built
on Apr 25 2007
Wed Jan 23 16:33:44 2008 Control Channel Authentication: using 'ta.key'
as a OpenVPN static key file
Wed Jan 23 16:33:44 2008 Outgoing Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 23 16:33:44 2008 Incoming Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 23 16:33:44 2008 LZO compression initialized
Wed Jan 23 16:33:45 2008 Control Channel MTU parms [ L:1558 D:166 EF:66
EB:0 ET:0 EL:0 ]
Wed Jan 23 16:33:45 2008 Data Channel MTU parms [ L:1558 D:1450 EF:58
EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 23 16:33:45 2008 Local Options hash (VER=V4): '81e1bff4'
Wed Jan 23 16:33:45 2008 Expected Remote Options hash (VER=V4):
'a20a2018'
Wed Jan 23 16:33:45 2008 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jan 23 16:33:45 2008 UDPv4 link local: [undef]
Wed Jan 23 16:33:45 2008 UDPv4 link remote: 67.152.85.189:1194
Wed Jan 23 16:33:45 2008 TLS: Initial packet from 67.152.85.189:1194,
sid=a05ba525 aeafb506
Wed Jan 23 16:33:45 2008 VERIFY OK: depth=1,
/C=US/ST=California/L=Sunnyvale/O=MaxSP_Corporation/OU=IT_Operations/CN=
MaxSP_Corporation_CA/emailAddress=helpdesk@xxxxxxxxx
Wed Jan 23 16:33:45 2008 VERIFY OK: nsCertType=SERVER
Wed Jan 23 16:33:45 2008 VERIFY OK: depth=0,
/C=US/ST=California/L=Sunnyvale/O=MaxSP_Corporation/OU=IT_Operations/CN=
vpn.maxsp.com/emailAddress=helpdesk@xxxxxxxxx
Wed Jan 23 16:33:45 2008 WARNING: 'dev-type' is used inconsistently,
local='dev-type [unknown-dev-type]', remote='dev-type tun'
Wed Jan 23 16:33:45 2008 Data Channel Encrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
Wed Jan 23 16:33:45 2008 Data Channel Encrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Wed Jan 23 16:33:45 2008 Data Channel Decrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
Wed Jan 23 16:33:45 2008 Data Channel Decrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Wed Jan 23 16:33:45 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jan 23 16:33:45 2008 [vpn.maxsp.com] Peer Connection Initiated with
67.152.85.189:1194
Wed Jan 23 16:33:47 2008 SENT CONTROL [vpn.maxsp.com]: 'PUSH_REQUEST'
(status=1)
Wed Jan 23 16:33:47 2008 PUSH: Received control message:
'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.54.0
255.255.255.0,dhcp-option DNS 192.168.1.50,dhcp-option DNS
192.168.1.51,dhcp-option DOMAIN maxsp.local,route 192.168.55.1,topology
net30,ping 10,ping-restart 120,ifconfig 192.168.55.6 192.168.55.5'
Wed Jan 23 16:33:47 2008 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 23 16:33:47 2008 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 23 16:33:47 2008 OPTIONS IMPORT: route options modified
Wed Jan 23 16:33:47 2008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
Wed Jan 23 16:33:47 2008 Assertion failed at tun.c:380
Wed Jan 23 16:33:47 2008 Exiting

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

;route-method exe
;route-delay 2

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote sjdc-vpn.maxsp.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert lee-rocklage.crt
key lee-rocklage.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20


-----Original Message-----
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Josh
Cepek
Sent: Wednesday, December 19, 2007 8:44 PM
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Vista and 2.1 rc4

Lee Rocklage wrote:
I am using vista with openvpn 2.1 rc4 and am getting the errors below.

Has anyone seen these and know how to fix them?

Tue Dec 18 19:36:24 2007 WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Tue Dec 18 19:36:24 2007 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Dec 18 19:36:24 2007 OpenVPN ROUTE: failed to parse/resolve route for host/network: 72.5.73.0
Tue Dec 18 19:36:24 2007 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Dec 18 19:36:24 2007 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.172.192.0
Tue Dec 18 19:36:24 2007 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Dec 18 19:36:24 2007 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.56.1
Tue Dec 18 19:36:24 2007 TAP-Win32 adapter 'MyTap' not found
Tue Dec 18 19:36:24 2007 Exiting


The first warning is caused by an invalid netmask specified by ifconfig.
In tap mode the "ifconfig" option requires 2 parameters: an IP address
that the computer will take and a netmask for the Ethernet segment.  For
example, the configuration "ifconfig 10.8.0.1 255.255.255.0" tells
OpenVPN to set an IP of 10.8.0.1 with a netmask of 255.255.255.0 for a
standard class-C network.  Fix this warning by correcting the ifconfig
statement to use the proper parameters.  VPN clients can optionally have
the server provide the IP and netmask details if you specify "client" in
the client config files and use "ifconfig-pool" on the server.  When
using "ifconfig-pool" from the server you omit the "ifconfig" on the
client side and must specify "client" or "pull".

All 3 of the route errors exist because you didn't specify the
"route-gateway" option.  In tap mode you must specify the gateway to the
networks so OpenVPN knows how to reach each of them.  If your VPN server
is the gateway to these networks and has the IP 10.8.0.1, you would use
"route-gateway 10.8.0.1".  This too can be pushed from the server to all
clients by putting this command in the server configuration: push
"route-gateway 10.8.0.1".  As above, if you push options your clients need
either "client" or "pull".  Note that in a bridged setup the gateway may
be another host on the network being bridged to rather than the VPN
server.

The last error is caused because you specified a tap adapter by the name
of "MyTap" which doesn't exist on your system.  For Windows (including
Vista) you have 3 ways to specify the adapter, listed below.  You can
view the list of adapters by running this at a command prompt:
"openvpn --show-adapters" (remember to change to the proper directory
first, usually <Install Path>\OpenVPN\bin.)

Option 1. Use "dev tap" which will cause OpenVPN to use the first
available tap adapter on your system.  For this method do not use
"dev-node".

Option 2. Specify both "dev tap" and "dev-node ADAPTER_NAME" where the
ADAPTER_NAME is the exact name of your tap adapter.

Option 3. Specify both "dev tap" and "dev-node {GUID_OF_ADAPTER}" where
{GUID_OF_ADAPTER} is the long series of numbers including the curly
braces from the command shown above.

Normally when you install OpenVPN it automatically creates a TAP adapter
(often called "Local Area Connection 2" or similar.)  If you need to
create a new adapter run the program <Install
Path>\OpenVPN\bin\addtap.bat which will create a new adapter.  You may
also rename adapters as necessary in the Network Connections control
panel.

Since you didn't provide any config files, most of the information I've
given above is conceptual and pieces may not apply to what you're trying
to do.  It's a lot more helpful if you post your client and server
config files to receive better information.


--
Josh





--
Josh


Attachment: signature.asc
Description: OpenPGP digital signature
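
Added example (not part of the original messages and not OpenVPN code): a small Python check for the mismatch diagnosed in the reply above, comparing the client's active `dev` directive with the options in a PUSH_REPLY line. The function names are hypothetical, and the sample config and pushed options are abbreviated from the post.

```python
import ipaddress

def client_dev_type(config_text):
    """Return 'tun' or 'tap' from the active dev / dev-type directive."""
    found = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        # '#' and ';' both start a comment line in an OpenVPN config
        if len(tokens) < 2 or tokens[0][0] in "#;":
            continue
        if tokens[0] in ("dev", "dev-type") and tokens[1][:3] in ("tun", "tap"):
            found[tokens[0]] = tokens[1][:3]
    return found.get("dev-type") or found.get("dev")

def pushed_options(push_reply):
    """Split a PUSH_REPLY control message into per-option token lists."""
    return [p.split() for p in push_reply.strip("' \n").split(",")[1:] if p.strip()]

def is_netmask(text):
    """True for a contiguous IPv4 netmask such as 255.255.255.0."""
    try:
        inverted = ~int(ipaddress.IPv4Address(text)) & 0xFFFFFFFF
    except ipaddress.AddressValueError:
        return False
    return inverted & (inverted + 1) == 0

def check_dev_mismatch(config_text, push_reply):
    """List pushed options that contradict a client configured with dev tap."""
    findings = []
    if client_dev_type(config_text) != "tap":
        return findings
    for opt in pushed_options(push_reply):
        # In tap mode the second ifconfig argument must be a netmask.
        if opt[0] == "ifconfig" and len(opt) == 3 and not is_netmask(opt[2]):
            findings.append(f"ifconfig {opt[1]} {opt[2]}: second argument is not a netmask")
        # --topology only has meaning in dev tun mode (OpenVPN manual).
        if opt[0] == "topology":
            findings.append(f"{' '.join(opt)}: tun-mode option pushed to a tap client")
    return findings

# Constructed sample input, abbreviated from the config and log in the post.
CLIENT_CONF = "client\ndev tap\n;dev tun\ndev-node MyTap\nproto udp\n"
PUSH_REPLY = ("PUSH_REPLY,route 192.168.1.0 255.255.255.0,topology net30,"
              "ping 10,ifconfig 192.168.55.6 192.168.55.5")

if __name__ == "__main__":
    for finding in check_dev_mismatch(CLIENT_CONF, PUSH_REPLY):
        print("MISMATCH:", finding)
```
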