Re: [Openvpn-users] Options error: specify only one of --tls-server, --tls-client, or --secret (OpenVPN GUI)


  • Subject: Re: [Openvpn-users] Options error: specify only one of --tls-server, --tls-client, or --secret (OpenVPN GUI)
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Wed, 30 Jan 2008 10:33:12 +0100

try this:
- set the tap1 adaptor to DHCP (trust me ;-))
- add the lines
  ifconfig 192.168.253.2 192.168.253.1
  tun-mtu 1500
to your config file and try again. If that does not work, try it with
  ifconfig 192.168.253.1 192.168.253.2
  tun-mtu 1500

HTH,

JJK

Gabe Green wrote:
> Okay, *almost* got it working.
>
> Specified the correct LAN adaptor.
>
> Now on the *server* side, this is what I do not get.  Our default LAN is
> 192.168.111.0/24; but I specified 192.168.253.0/24 in the OpenVPN setup.
> DHCP is not enabled on the server-side OpenVPN config.
>
> I set my tap1 adaptor to the following static:
>
> 192.168.253.5
> 255.255.255.0
> 192.168.111.22 (pfsense vpn LAN ip)
>
> DNS:
> 192.168.111.108 (default gateway on pfsense box)
>
> I added a WAN firewall rule, at the top, to permit traffic anywhere on port
> 1194; from the WAN to the LAN (or anywhere else).  No-go.
>
> My current OVPN config file:
> # Specify that we are a client and that we
> # will be pulling certain config file directives
> # from the server.
>
> # Use the same setting as you are using on
> # the server.
> # On most systems, the VPN will not function
> # unless you partially or fully disable
> # the firewall for the TUN/TAP interface.
> ;dev tap
> dev tap1
>
> # Windows needs the TAP-Win32 adapter name
> # from the Network Connections panel
> # if you have more than one.  On XP SP2,
> # you may need to disable the firewall
> # for the TAP adapter.
> dev-node tap1
>
> # Are we connecting to a TCP or
> # UDP server?  Use the same setting as
> # on the server.
> ;proto tcp
> proto udp
>
> # The hostname/IP and port of the server.
> # You can have multiple remote entries
> # to load balance between the servers.
> remote 209.218.92.22 1194
> ;remote my-server-2 1194
>
> # Choose a random host from the remote
> # list for load-balancing.  Otherwise
> # try hosts in the order specified.
> ;remote-random
>
> # Keep trying indefinitely to resolve the
> # host name of the OpenVPN server.  Very useful
> # on machines which are not permanently connected
> # to the internet such as laptops.
> resolv-retry infinite
>
> # Most clients don't need to bind to
> # a specific local port number.
> nobind
>
> # Downgrade privileges after initialization (non-Windows only)
> ;user nobody
> ;group nobody
>
> # Try to preserve some state across restarts.
> persist-key
> persist-tun
>
> # If you are connecting through an
> # HTTP proxy to reach the actual OpenVPN
> # server, put the proxy server/IP and
> # port number here.  See the man page
> # if your proxy server requires
> # authentication.
> ;http-proxy-retry # retry on connection failures
> ;http-proxy [proxy server] [proxy port #]
>
> # Wireless networks often produce a lot
> # of duplicate packets.  Set this flag
> # to silence duplicate packet warnings.
> ;mute-replay-warnings
>
> # SSL/TLS parms.
> # See the server config file for more
> # description.  It's best to use
> # a separate .crt/.key file pair
> # for each client.  A single ca
> # file can be used for all clients.
> secret static.key
>
> # Verify server certificate by checking
> # that the certificate has the nsCertType
> # field set to "server".  This is an
> # important precaution to protect against
> # a potential attack discussed here:
> #  http://openvpn.net/howto.html#mitm
> #
> # To use this feature, you will need to generate
> # your server certificates with the nsCertType
> # field set to "server".  The build-key-server
> # script in the easy-rsa folder will do this.
> ;ns-cert-type server
>
> # If a tls-auth key is used on the server
> # then every client must also have the key.
> ;tls-auth ta.key 1
>
> # Select a cryptographic cipher.
> # If the cipher option is used on the server
> # then you must also specify it here.
> cipher AES-128-CBC
>
> # Enable compression on the VPN link.
> # Don't enable this unless it is also
> # enabled in the server config file.
> comp-lzo
>
> # Set log file verbosity.
> verb 3
>
> # Silence repeating messages
> ;mute 20
>
>
> == LOG FILE FROM OVPN ==
> Wed Jan 30 01:15:40 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct
> 1 2006
> Wed Jan 30 01:15:40 2008 IMPORTANT: OpenVPN's default port number is now
> 1194, based on an official port number assignment by IANA.  OpenVPN
> 2.0-beta16 and earlier used 5000 as the default port.
> Wed Jan 30 01:15:40 2008 Static Encrypt: Cipher 'AES-128-CBC' initialized
> with 128 bit key
> Wed Jan 30 01:15:40 2008 Static Encrypt: Using 160 bit message hash 'SHA1'
> for HMAC authentication
> Wed Jan 30 01:15:40 2008 Static Decrypt: Cipher 'AES-128-CBC' initialized
> with 128 bit key
> Wed Jan 30 01:15:40 2008 Static Decrypt: Using 160 bit message hash 'SHA1'
> for HMAC authentication
> Wed Jan 30 01:15:40 2008 LZO compression initialized
> Wed Jan 30 01:15:40 2008 TAP-WIN32 device [tap1] opened:
> \\.\Global\{7249534D-3F7F-4D7F-95EF-F25FF13C1887}.tap
> Wed Jan 30 01:15:40 2008 TAP-Win32 Driver Version 8.4
> Wed Jan 30 01:15:40 2008 TAP-Win32 MTU=1500
> Wed Jan 30 01:15:40 2008 Successful ARP Flush on interface [4]
> {7249534D-3F7F-4D7F-95EF-F25FF13C1887}
> Wed Jan 30 01:15:40 2008 Data Channel MTU parms [ L:1593 D:1450 EF:61 EB:135
> ET:32 EL:0 AF:3/1 ]
> Wed Jan 30 01:15:40 2008 Local Options hash (VER=V4): 'ea48dbff'
> Wed Jan 30 01:15:40 2008 Expected Remote Options hash (VER=V4): 'ea48dbff'
> Wed Jan 30 01:15:40 2008 UDPv4 link local: [undef]
> Wed Jan 30 01:15:40 2008 UDPv4 link remote: REMOTEWANIP:1194
> Wed Jan 30 01:15:50 2008 Peer Connection Initiated with REMOTEWANIP:1194
> Wed Jan 30 01:15:50 2008 WARNING: 'dev-type' is used inconsistently,
> local='dev-type tap', remote='dev-type tun'
> Wed Jan 30 01:15:50 2008 WARNING: 'link-mtu' is used inconsistently,
> local='link-mtu 1593', remote='link-mtu 1561'
> Wed Jan 30 01:15:50 2008 WARNING: 'tun-mtu' is used inconsistently,
> local='tun-mtu 1532', remote='tun-mtu 1500'
> Wed Jan 30 01:15:50 2008 WARNING: 'ifconfig' is present in remote config but
> missing in local config, remote='ifconfig 192.168.253.2 192.168.253.1'
> Wed Jan 30 01:15:51 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
> Wed Jan 30 01:15:51 2008 Initialization Sequence Completed
>
> What am I missing here?  I want my local tap1 adaptor to be able to connect
> to the 192.168.111.0/24 network (the default LAN).
>
> Thanks -
> Gabe
> -----Original Message-----
> From: Jan Just Keijser [mailto:janjust@xxxxxxxxx]
> Sent: Wednesday, January 30, 2008 12:26 AM
> To: Gabriel Green
> Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] Options error: specify only one of
> --tls-server, --tls-client, or --secret (OpenVPN GUI)
>
>
> the error says it all: you're specifying both
>   client
> and
>   secret static.key
> in your config file. you're not supposed to do that : 'client' is for
> client/server style configs, 'secret' is for "old-style" point-to-point
> links. what are you trying to achieve ?
>
> HTH,
>
> JJK
>
> Gabriel Green wrote:
>
>> Config file included, secret.key is in C:\Program Files\OpenVPN\config
>>
>> # Specify that we are a client and that we
>> # will be pulling certain config file directives
>> # from the server.
>> client
>>
>> # Use the same setting as you are using on
>> # the server.
>> # On most systems, the VPN will not function
>> # unless you partially or fully disable
>> # the firewall for the TUN/TAP interface.
>> ;dev tap
>> dev tun
>>
>> # Windows needs the TAP-Win32 adapter name
>> # from the Network Connections panel
>> # if you have more than one.  On XP SP2,
>> # you may need to disable the firewall
>> # for the TAP adapter.
>> dev-node tap1
>>
>> # Are we connecting to a TCP or
>> # UDP server?  Use the same setting as
>> # on the server.
>> ;proto tcp
>> proto udp
>>
>> # The hostname/IP and port of the server.
>> # You can have multiple remote entries
>> # to load balance between the servers.
>> remote XXX.XXX.XXX.XXX 1194
>> ;remote my-server-2 1194
>>
>> # Choose a random host from the remote
>> # list for load-balancing.  Otherwise
>> # try hosts in the order specified.
>> ;remote-random
>>
>> # Keep trying indefinitely to resolve the
>> # host name of the OpenVPN server.  Very useful
>> # on machines which are not permanently connected
>> # to the internet such as laptops.
>> resolv-retry infinite
>>
>> # Most clients don't need to bind to
>> # a specific local port number.
>> nobind
>>
>> # Downgrade privileges after initialization (non-Windows only)
>> ;user nobody
>> ;group nobody
>>
>> # Try to preserve some state across restarts.
>> persist-key
>> persist-tun
>>
>> # If you are connecting through an
>> # HTTP proxy to reach the actual OpenVPN
>> # server, put the proxy server/IP and
>> # port number here.  See the man page
>> # if your proxy server requires
>> # authentication.
>> ;http-proxy-retry # retry on connection failures
>> ;http-proxy [proxy server] [proxy port #]
>>
>> # Wireless networks often produce a lot
>> # of duplicate packets.  Set this flag
>> # to silence duplicate packet warnings.
>> ;mute-replay-warnings
>>
>> secret static.key
>>
>> # Verify server certificate by checking
>> # that the certificate has the nsCertType
>> # field set to "server".  This is an
>> # important precaution to protect against
>> # a potential attack discussed here:
>> #  http://openvpn.net/howto.html#mitm
>> #
>> # To use this feature, you will need to generate
>> # your server certificates with the nsCertType
>> # field set to "server".  The build-key-server
>> # script in the easy-rsa folder will do this.
>> ;ns-cert-type server
>>
>> # If a tls-auth key is used on the server
>> # then every client must also have the key.
>> ;tls-auth ta.key 1
>>
>> # Select a cryptographic cipher.
>> # If the cipher option is used on the server
>> # then you must also specify it here.
>> cipher aes
>>
>> # Enable compression on the VPN link.
>> # Don't enable this unless it is also
>> # enabled in the server config file.
>> comp-lzo
>>
>> # Set log file verbosity.
>> verb 3
>>
>> # Silence repeating messages
>> ;mute 20
>>

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
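An added example, not from the thread or the OpenVPN project: a small Python lint that reproduces the two local-config checks discussed above (mutually exclusive mode directives, and a missing ifconfig in static-key mode) and derives the local directives from the "used inconsistently" / "missing in local config" warnings that OpenVPN prints at connect time. The sample config and log lines are constructed to mirror the thread; mirroring ifconfig and copying every other mismatched option from the remote side is this example's rule, not OpenVPN's.

```python
import re
# Mode-selecting directives OpenVPN refuses to combine; 'client' implies
# tls-client, which is why 'client' plus 'secret' trips the error in the thread.
MODE_OF = {"client": "tls-client", "tls-client": "tls-client",
           "tls-server": "tls-server", "secret": "secret"}
# OpenVPN 2.0 options-comparison warnings (the thread's log shows them
# wrapped by the mail client; real log lines are not wrapped).
INCONSISTENT_RE = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, local='([^']+)', remote='([^']+)'")
MISSING_RE = re.compile(r"WARNING: '([\w-]+)' is present in remote config but missing in local config, remote='([^']+)'")
# Constructed sample input, modelled on the client config and log in the thread.
SAMPLE_CONFIG = "client\ndev tap\ndev-node tap1\nsecret static.key\n;tls-auth ta.key 1\n"
SAMPLE_LOG = """\
Wed Jan 30 01:15:50 2008 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Wed Jan 30 01:15:50 2008 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Wed Jan 30 01:15:50 2008 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 192.168.253.2 192.168.253.1'
"""

def parse_config(text):
    """Map each active directive to its arguments; '#' and ';' start comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def lint_config(text):
    """Flag the two local-config problems this thread hit."""
    opts, problems = parse_config(text), []
    if len({MODE_OF[d] for d in opts if d in MODE_OF}) > 1:
        problems.append("specify only one of --tls-server, --tls-client, or --secret")
    if "secret" in opts and "ifconfig" not in opts:
        problems.append("static-key mode needs 'ifconfig <local> <remote>' on both peers")
    return problems

def peer_mismatches(log):
    """Return (option, local, remote) triples from the options-comparison warnings."""
    return (INCONSISTENT_RE.findall(log)
            + [(opt, None, remote) for opt, remote in MISSING_RE.findall(log)])

def suggest_local_lines(log):
    """Local directives that make the peers agree: ifconfig is mirrored, the rest copied."""
    lines = []
    for opt, _local, remote in peer_mismatches(log):
        args = remote.split()[1:]
        lines.append(" ".join([opt] + (args[::-1] if opt == "ifconfig" else args)))
    return lines
```

Run `lint_config` on a config before starting the tunnel, and `suggest_local_lines` on the log once the peer has answered; both sides must still agree on the static key and cipher for the tunnel to carry traffic.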