LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 05-27-2011, 11:46 AM   #1
tobylockyer
LQ Newbie
 
Registered: May 2011
Posts: 12

Rep: Reputation: Disabled
OpenVPN (and I think Routing)


Hey everyone, this is my first post.

I'm hoping you guys can help me with something.

So I'm in the process of setting up a VPN server so that a few of our serves can talk over SSL.

I successfully installed openvpn, and seem to have it set up, however the client can't ping the server.

Here is the setup...

Server:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


Client:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:47 errors:0 dropped:226 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:3444 (3.3 KiB)


The client has recived the IP address from the server, however when I try to ping 10.8.0.1 is doesn't respond.

Here is the routing table on the server:

root@vpn-server:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
88.198.*.* 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 88.198.*.* 0.0.0.0 UG 0 0 0


And the client:

root@vpn-client:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
173.244.*.* 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 173.192.*.* 0.0.0.0 UG 0 0 0 eth0



Not sure what other information to give so let me know what you need.

Really hope I can get this working, looks like I'm nearly there!!!

Iptables are off too at the moment! So its not that!

Thanks
Toby

Last edited by tobylockyer; 05-27-2011 at 11:47 AM.
 
Old 05-28-2011, 06:57 AM   #2
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,557
Blog Entries: 28

Rep: Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178
What is in the logs?
 
Old 05-31-2011, 04:56 AM   #3
tobylockyer
LQ Newbie
 
Registered: May 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
I can see a few errors on the client in regards to routing, but I would assume (incorrectly it seems) that they should be able to ping each other!

Server:

root@vpn-server:~# cat /var/log/openvpn
Fri May 27 14:58:49 2011 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 22 2010
Fri May 27 14:58:49 2011 WARNING: --keepalive option is missing from server config
Fri May 27 14:58:49 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 27 14:58:49 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri May 27 14:58:49 2011 TUN/TAP device tun0 opened
Fri May 27 14:58:49 2011 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri May 27 14:58:49 2011 GID set to nogroup
Fri May 27 14:58:49 2011 UID set to nobody
Fri May 27 14:58:49 2011 Listening for incoming TCP connection on [undef]
Fri May 27 14:58:49 2011 TCPv4_SERVER link local (bound): [undef]
Fri May 27 14:58:49 2011 TCPv4_SERVER link remote: [undef]
Fri May 27 14:58:49 2011 Initialization Sequence Completed
Fri May 27 14:59:25 2011 Re-using SSL/TLS context
Fri May 27 14:59:25 2011 LZO compression initialized
Fri May 27 14:59:25 2011 TCP connection established with [AF_INET]*.*.203.95:57623
Fri May 27 14:59:25 2011 TCPv4_SERVER link local: [undef]
Fri May 27 14:59:25 2011 TCPv4_SERVER link remote: [AF_INET]*.*.203.95:57623
Fri May 27 14:59:36 2011 173.244.203.95:57623 [vpn-client] Peer Connection Initiated with [AF_INET]*.*.203.95:57623
Fri May 27 15:17:04 2011 vpn-client/173.244.203.95:57623 read TCPv4_SERVER [NO-INFO]: Connection timed out (code=110)
Fri May 27 15:17:04 2011 vpn-client/173.244.203.95:57623 Connection reset, restarting [0]
Fri May 27 15:37:52 2011 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 22 2010
Fri May 27 15:37:52 2011 WARNING: --keepalive option is missing from server config
Fri May 27 15:37:52 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 27 15:37:52 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri May 27 15:37:53 2011 TUN/TAP device tun0 opened
Fri May 27 15:37:53 2011 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri May 27 15:37:53 2011 GID set to nogroup
Fri May 27 15:37:53 2011 UID set to nobody
Fri May 27 15:37:53 2011 Listening for incoming TCP connection on [undef]
Fri May 27 15:37:53 2011 TCPv4_SERVER link local (bound): [undef]
Fri May 27 15:37:53 2011 TCPv4_SERVER link remote: [undef]
Fri May 27 15:37:53 2011 Initialization Sequence Completed
Tue May 31 08:41:34 2011 Re-using SSL/TLS context
Tue May 31 08:41:34 2011 LZO compression initialized
Tue May 31 08:41:34 2011 TCP connection established with [AF_INET]*.*.203.95:56798
Tue May 31 08:41:34 2011 TCPv4_SERVER link local: [undef]
Tue May 31 08:41:34 2011 TCPv4_SERVER link remote: [AF_INET]*.*.203.95:56798
Tue May 31 08:41:45 2011 173.244.203.95:56798 [vpn-client] Peer Connection Initiated with [AF_INET]*.*.203.95:56798


Client:
root@vpn-client:~# cat /var/log/openvpn.log
Tue May 31 08:48:18 2011 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 22 2010
Tue May 31 08:48:18 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 31 08:48:18 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue May 31 08:48:18 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue May 31 08:48:19 2011 LZO compression initialized
Tue May 31 08:48:19 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue May 31 08:48:19 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue May 31 08:48:19 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 31 08:48:19 2011 Local Options hash (VER=V4): '69109d17'
Tue May 31 08:48:19 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue May 31 08:48:19 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue May 31 08:48:19 2011 Attempting to establish TCP connection with [AF_INET]*.*.63.48:1194 [nonblock]
Tue May 31 08:48:20 2011 TCP connection established with [AF_INET]*.*.63.48:1194
Tue May 31 08:48:20 2011 TCPv4_CLIENT link local: [undef]
Tue May 31 08:48:20 2011 TCPv4_CLIENT link remote: [AF_INET]*.*.63.48:1194
Tue May 31 08:48:20 2011 TLS: Initial packet from [AF_INET]*.*.63.48:1194, sid=db753192 869b6596
Tue May 31 08:48:22 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Tue May 31 08:48:22 2011 VERIFY OK: depth=0, /C=UK/ST=UK/L=Cambridge/O=Reciva-Vpn/CN=vpn-server/name=Toby/emailAddress=sevices@reciva.com
Tue May 31 08:48:28 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 08:48:28 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 08:48:28 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 08:48:28 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 08:48:28 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 31 08:48:28 2011 [vpn-server] Peer Connection Initiated with [AF_INET]*.*.63.48:1194
Tue May 31 08:48:31 2011 SENT CONTROL [vpn-server]: 'PUSH_REQUEST' (status=1)
Tue May 31 08:48:31 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Tue May 31 08:48:31 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 31 08:48:31 2011 OPTIONS IMPORT: route options modified
Tue May 31 08:48:31 2011 ROUTE default_gateway=*.*.187.129
Tue May 31 08:48:31 2011 TUN/TAP device tun0 opened
Tue May 31 08:48:31 2011 TUN/TAP TX queue length set to 100
Tue May 31 08:48:31 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue May 31 08:48:31 2011 /sbin/route add -net *.*.63.48 netmask 255.255.255.255 gw *.*.187.129
SIOCADDRT: No such process
Tue May 31 08:48:31 2011 ERROR: Linux route add command failed: external program exited with error status: 7
Tue May 31 08:48:31 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue May 31 08:48:31 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue May 31 08:48:31 2011 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Tue May 31 08:48:31 2011 GID set to nogroup
Tue May 31 08:48:31 2011 UID set to nobody
Tue May 31 08:48:31 2011 Initialization Sequence Completed
 
Old 05-31-2011, 06:18 AM   #4
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,557
Blog Entries: 28

Rep: Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178
Is your configuration for bridged or routed?

It looks like the key log message is "/sbin/route add -net *.*.63.48 netmask 255.255.255.255 gw *.*.187.129
SIOCADDRT: No such process".

Can you post both OpenVPN server config files? You can cut out the comments and empty lines with
grep -v '^#' openvpn.conf | grep -v '^$'
 
Old 05-31-2011, 06:20 AM   #5
tobylockyer
LQ Newbie
 
Registered: May 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Yeah, I saw that.. I'm not really to hot on routing!!

Server:
root@vpn-server:/etc/openvpn# grep -v '^#' openvpn.conf | grep -v '^$'
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
client-to-client
push "redirect-gateway def1"
log-append /var/log/openvpn
comp-lzo


Client:
root@vpn-client:/etc/openvpn# grep -v '^#' openvpn.conf | grep -v '^$'
dev tun
client
proto tcp
remote 88.198.63.48 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /root/ca.crt
cert /root/client1.crt
key /root/client1.key
comp-lzo
verb 3
log-append /var/log/openvpn.log
 
Old 05-31-2011, 07:03 AM   #6
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,557
Blog Entries: 28

Rep: Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178
Caveat: I'm replying because nobody else had/is, not because I know much about OpenVPN having only set it up three times but let's see if we can solve this one.

Almost certainly not relevant to your problem but "good practice" is to use udp, not tcp (IDK why, just parroting advice from credible contributors).

Server

Again almost certainly not relevant to your problem but the server normally runs as a daemon. Maybe you haven't set it yet so you can see the server messages at the command prompt ...

IDK what your intended usage is but client-to-client is not necessary with a single client. On the basis that it is easiest to get things working with minimal changes from the default settings and then evolve to a more customised setup, you might like to comment this out at this stage.

Now for probably the relevant line, 'push "redirect-gateway def1"'. I have never used this and a quick netsearch wasn't very enlightening but it seems you do need a pull in the client config for it to work. As above you may like to comment this out at this stage.
 
Old 05-31-2011, 08:01 AM   #7
tobylockyer
LQ Newbie
 
Registered: May 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hello,

I am running this so I can see the messages. Once sorted I will deamonise it

I will look into using UDP, I didn't know you could! Thanks!

I am creating one server, then multiple clients will connect to it (thus all being in the same lan).

I have removed client-client and also the push "redirect-gateway def1".

I stopped the client on both ends, and started up again. The client still gets a 10.8.x.x address but I can't ping the server...
 
Old 05-31-2011, 08:03 AM   #8
tobylockyer
LQ Newbie
 
Registered: May 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Wow,

It works... Thanks so much for your help.. it really has been SO helpful

Cheers guys

I will go and help someone else now so I feel better
 
Old 05-31-2011, 10:20 AM   #9
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,557
Blog Entries: 28

Rep: Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178
Great it's working now

In case anybody else finds this thread looking for a solution, what did you do between the last two posts that got it working?

Threads can be marked SOLVED via the Thread Tools drop-down list.
 
Old 05-31-2011, 10:31 AM   #10
tobylockyer
LQ Newbie
 
Registered: May 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
It was simply the:

push "redirect-gateway def1"

This caused a problem, I got it from a website that said to put this in, but I didn't understand what it did!
 
Old 06-01-2011, 09:08 AM   #11
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,557
Blog Entries: 28

Rep: Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178
Thanks for the update. AFAIK the effect of redirect-gateway is that once the client connects to the OpenVPN server, its default gateway becomes the OpenVPN server; the purpose it to create a more secure system (but I'm vague on how it makes things more secure).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenVPN and Routing metallica1973 Linux - Networking 6 09-07-2010 08:50 AM
OpenVPN routing. MheAd Linux - Networking 6 06-25-2010 01:35 PM
Error When converting Routing OpenVPN to bridge mode openvpn danmartinj Linux - Software 0 11-06-2009 10:23 AM
routing using openvpn williebens Linux - Newbie 1 07-11-2008 10:28 PM
OpenVPN and Routing. Eightpock Linux - Networking 2 07-10-2008 07:48 AM


All times are GMT -5. The time now is 12:44 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration