configuring openvpn with iptables rules (internet connection freezes when tun0 is up)
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
configuring openvpn with iptables rules (internet connection freezes when tun0 is up)
hello everyone, first i would like to apologize because i feel like i am almost spamming the forum so please forgive me.
I wanted to see how i could basically open my vpn to outside users to get hosting experience. I realized that i could do this with port forwarding, openvpn, and nat with iptables rules. So first thing i did was configure openvpn, and let me tell you that took more than a smile to get that thing configured (i hope i have it configured right) after running openvpn here is my ifconfig output:
Okay now i hope i have that configured right, if anyone sees anything wrong with it please let me know, oh and if you need to see any options configured in /etc/openvpn/server.conf i will be happy to get them for you.
Okay well next i know that i need nat rules with iptables because what i want is for tun0 to have full access with input/output/forward and what i want is to have my public ip address from my isp routed back to my linux box i don't know if its supposed to go to em1 or tun0 ?
Here is an output of my iptables script
Code:
#!/bin/bash
###### TURN ON PORT FORWARDING ########
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -v -F;
iptables -F -t mangle
iptables -F -t nat;
iptables -v -A INPUT -i lo -j ACCEPT;
# iptables -A PREROUTING -t nat -i em1 -p tcp --dport 80 -j DNAT --to 192.168.1.3:80
# iptables -t nat -A POSTROUTING -s 192.168.1.3 -j SNAT --to 173.XX.XXX.XXX (my public ip)
# iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
# iptables -A INPUT -i tun0 -j ACCEPT
# iptables -A OUTPUT -o tun0 -j ACCEPT
# iptables -A FORWARD -i tun0 -j ACCEPT
# iptables -I FORWARD -i em1 -o tun0 -j ACCEPT
# iptables -I FORWARD -i tun0 -o em1 -j ACCEPT
########### BASIC RULE SET #############
iptables -v -P INPUT DROP # Default Policy DROP
# iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "ACCEPT"
iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; # ACCEPT ESTABLISHED
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i em1 -j ACCEPT
iptables -A INPUT -i em1 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW SSL
iptables -A INPUT -i em1 -p tcp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW OPENVPN
########## CONNECTION LIMIT LOG/DROP ############
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j LOG --log-level 4 --log-prefix "LIMIT:"
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
########### DROP SPOOFED PACKETS ###############
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j LOG --log-level 4 --log-prefix "SPOOF PACKETS:"
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
########### LOG/DROP NEW CONNECTIONS ##############
# iptables -A INPUT -p tcp -m state --state NEW -j LOG # LOG NEW TCP CONNECTIONS
# iptables -A INPUT -p tcp -m state --state NEW -j DROP # BLOCK NEW TCP CONNECTIONS
######### LOG/DROP FTP SSH AND SEDMAIL ############
iptables -v -A INPUT -p tcp -s 0/0 --dport 21 -j LOG # LOG FTP ATTEMPTS
iptables -v -A INPUT -p tcp -s 0/0 --dport 21 -j REJECT --reject-with tcp-reset # RESET FTP
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j LOG # LOG SSH ATTEMPTS
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j DROP # BLOCK SSH
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j LOG # LOG SENDMAIL
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j DROP # BLOCK SENDMAIL
########### INPUT THAT IS NEEDED #################
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 80 --state NEW -j ACCEPT; # HTTP
iptables -v -A INPUT -m state -m udp --proto udp --dport 53 --state NEW -j ACCEPT; # DNS
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 53 --state NEW -j ACCEPT; # DNS
########### BLOCK SYN FLOOD ######################
iptables -A INPUT -i em1 -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "SYN DROP:"
iptables -A INPUT -i em1 -p tcp ! --syn -m state --state NEW -j DROP
########### DENY FRAGMENT PACKETS ###############
iptables -A INPUT -i em1 -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FRAG DROP:"
iptables -A INPUT -i em1 -f -j DROP
########### DROPS BAD PACKETS ###############
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
iptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FIN DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
########### LIMIT PING ATTEMPTS ###################
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
########### BLOCK CERTAIN ICMP ###################
iptables -v -A INPUT -p icmp -j ACCEPT # ACCEPT ICMP PACKETS
iptables -v -A INPUT -p icmp --icmp-type echo-request -j DROP # BLOCK ICMP ECHO
########## BLOCK INVALID ICMP #####################
iptables -v -A INPUT -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -v -A FORWARD -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -A OUTPUT -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -A FORWARD -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
############ BLOCK STEALTH SCAN ###################
iptables -N st_scan # STEALTH SCAN CHAIN
iptables -A st_scan -p tcp --tcp-flags SYN,FIN,RST,ACK RST,ACK -j RETURN # BLOCK STEALTH SCAN
iptables -A st_scan -j LOG --log-level 4 --log-prefix "STEALTH SCAN:" # LOG STEALTH SCAN
iptables -A st_scan -j DROP # DROP STEALTH SCAN
########## PORTSCAN RULE SETUP ###################
iptables -N port-scan # BEGIN PORTSCAN RULES
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN #BLOCK PSCAN
iptables -A port-scan -j LOG --log-level 4 --log-prefix "PORT SCAN:" # LOG PORT SCAN
iptables -A port-scan -j DROP # DROP PORT SCAN
########## LOG ALL DROPPED PACKETS #################
iptables -N logdrop
iptables -A logdrop -j LOG --log-level 4 --log-prefix "DROPPED:" # LOG DROPPED PACKETS
iptables -A logdrop -j DROP
iptables -v -A INPUT -j REJECT; # REJECT EVERYTHING ELSE
######## OUTPUT FOR SERVICES NEEDED ########
iptables -v -P OUTPUT ACCEPT # Default Policy Accept
iptables -v -A OUTPUT -o lo -j ACCEPT;
iptables -v -A OUTPUT -o em1 -j ACCEPT;
iptables -v -A OUTPUT -m tcp --proto tcp --dport 80 -j ACCEPT; # HTTP
iptables -v -A OUTPUT -m tcp --proto tcp --dport 443 -j ACCEPT; # HTTPS
iptables -v -A OUTPUT -m tcp --proto tcp --dport 445 -j ACCEPT; # SMB
iptables -v -A OUTPUT -m tcp --proto tcp --dport 53 -j ACCEPT; # DNS
iptables -v -A OUTPUT -m udp --proto udp --dport 53 -j ACCEPT; # DNS
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5222 -j ACCEPT; #Google Talk or Jabber
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5050 -j ACCEPT; #Yahoo
iptables -v -A OUTPUT -m tcp --proto tcp --dport 6667 -j ACCEPT; #IRC
iptables -v -A OUTPUT -m tcp --proto tcp --dport 7777 -j ACCEPT; #Jabber file Transfers
iptables -A OUTPUT -o em1 -p tcp --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR
iptables -v -A OUTPUT -j REJECT;
######### DEFAULT DROPS #######
iptables -v -P FORWARD DROP # Default Policy DROP
iptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --set
iptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT # SYN FLOOD PROTECT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # DEATH BY PING
iptables -A FORWARD -p tcp -i em1 --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR
iptables -v -A FORWARD -j REJECT; # DEFAULT REJECT
######### IPTABLES SAVE ##################
iptables-save > /tmp/iptables;
iptables-restore < /tmp/iptables;
/etc/init.d/iptables save
Again, please forgive me for the large output i wanted to post my whole iptables script just in case i have a problem that is blocking a certain service. Here is the problem when i run openvpn my internet connection freezes up and i know its because i need to add certain iptables rules i am just not sure which ones i don't have much experience with nat.
The nat rules you see commented out in the begging of the iptables script i tried those rules however the connection still froze so i am lost about where to go from here if anyone has any input i would really appreciate it.
Also if i want my public ip address to go to my fedora linux box do i have it point to em1 or tun0 or how would i go about doing it?
For right now i only want port 80 to be unfiltered until i get things better organized, what i am looking for is that when people do http://mypublicip it gets routed back to my fedora linux box.
NOTE: The other thing that i did notice is for openvpn, the server.conf file says that openvpn should be running on port 1194 and when i did nmap on my system it didn't come up but tun0 still showed up on my ifconfig output... (just a thought)
If you need any more info from me i will be happy to supply it.
Your subnets for em1 and tun0 overlap; they should not. Use a different subnet for tun0 (e.g. 192.168.2.0/24). That means, for example, tun0 should have 192.168.2.1/24, and a VPN client should have 192.168.2.2/24. (I'm not sure if this is actually a problem - but it really makes more sense to have VPN in its own network.)
First get rid of all the filtering rules. Never try to setup the whole thing in one shot - it won't work, and it will be hard to see which part is problematic.
Then make sure the VPN link itself works (ping from server a VPN client, or the other way).
Then, to allow VPN clients to access the local network and the Internet (assuming no other relevant rules are already present):
This should work right away. Be aware that the iptables command above will use NAT when VPN clients access the Internet or the local network. This means that they cannot be identified from within the local network (any traffic will originate from the VPN server's local IP). If you don't want that, do not issue that iptables command above, and instead add a route to your router (Internet gateway) for the VPN subnet (e.g. if it was a Linux router: route add -net 192.168.2.0/24 gw 192.168.1.3).
Now you have a baseline and you can play with filtering.
hey ambrop7 thank you so much for your reply, i took your advise and tried moving tun0 over to 192.168.2.1 and em1 is on 192.168.1.3 however whenever i try running the openvpn service my internet connection just freezes. I tried only using the iptables rules that placed above however when i run the command i get this (oh i caught the em0 i changed it to em1)
when i run the command i get this:
iptables v1.4.10: Can't use -i with POSTROUTING
The internet connection still freezes i am thinking that this is probably a firewall problem, however i may be doing something wrong in server.conf file with openvpn.
Sorry about the wrong iptables command. Use these instead:
iptables -t mangle -A FORWARD -i tun0 -o em1 -j MARK --or-mark 0x100
iptables -t nat -A POSTROUTING -m mark --mark 0x100/0x100 -j MASQUERADE
What do you mean by "the internet connection freezes"? Where - on the client or on the server? Also, what platform is your client and how have you configured it?
Why does your ifconfig for tun0 say Mask:255.255.255.255? I told you to use 192.168.2.0/24, i.e. mask 255.255.255.0. I am sure this is why nothing is working - there are no IP addresses available for VPN clients.
As I have said before: remove all firewall rules first and anything which could interfere with the VPN. Then test the system one step at a time. From the client, once connected to the VPN, try pinging (in that order):
- your network's NATed Internet address (the one the client uses to connect to the VPN)
- the server's VPN address (192.168.2.1)
- the server's em1 address (192.168.1.3)
- an external Internet address
okay here is where i am at with this now... i tried moving tun0 to a different private ip address so here is my current ifconfig output and it seems to running okay..
I can ping 10.0.0.1 no problem, that works. Netstat -a |grep openvpn shows that openvpn is LISTENING
okay what i figured out is that i logged into my router (verizon fios) and what i did was used port forwarding to have services such as FTP SSHD SMTP HTTPD all forwared back to my linux box on 192.168.1.3
I also wrote a rule on my router's firewall setting to allow tcp port 1194 for OpenVPN.
Here is what i need to know...
I am not really sure how to put this... Is it possible to use iptables to protect my linux box now that public ip address is being forwarded back to my linux box? I am not sure, but do i need to route data from my public ip address back to em1 = 192.168.1.3 with iptables?
Okay here is a situation i am wondering, now that my router is using port forwarding to redirect services like ssh from my public ip address to my linux box (192.168.1.3) can i write rules with iptables to block ssh brute forcing?
When i run my current iptables script which is displayed above i get this (i know you told me to start fresh with new rules and i did but i am showing you this in an example)
Output from nmap:
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp open telnet
25/tcp filtered smtp
80/tcp open http
443/tcp filtered https
My iptables rules currently close off ftp/ssh/smtp but i am not sure what routing rules i am going to need with nat and masquerade to have data routed back to my linux box done correctly with iptables. I really hope you get what i am trying to do...
If you have any input on the situation i would really appreciate it...
What i am wondering is should i have packets routed from my public ip back to 192.168.1.3 (my fedora box) and how do i do that with iptables ? I wrote rules to allow all INPUT OUTPUT FORWARD to tun0 and my internet seems to be running fine but i want to be able to use iptables to write secure rules to block things like malicious packets and brute force attempts to my public ip (now being forwared to 192.168.1.3)
I am not sure what NAT rules i am going to need and other things like MASQUERADE options etc... etc...
and how do i go about routing it?
Any input as always is greatly appreciate, and again thank you for your time...
I can't be of much help to you, as you seem to be repeatedly ignoring my advice, and instead of focusing on one thing at a time, you invent new "problems" before you have reached one goal.
You haven't said what specific goal you have reached now. Does the VPN link work? Does accessing Internet through the VPN work? I asked you to ping several IP addresses, and you haven't confirmed for all these which are successful and which fail. I suggested using a 255.255.255.0 netmask for tun0, but you are still using 255.255.255.255.
Basically, if you can ping the tun0 address from the client, your VPN link is working, and you can stop worrying whether your VPN server is reachable - it is.
If you have configured the router to forward everything to the Linux box (probably called the "DMZ Host" option), then everything will go the Linux box - there is nothing more to be done about it. If you want filtering on the Linux box, it can be done independently in iptables 'nat' and maybe 'mangle' tables - it has absolutely nothing to do with NAT or port forwarding. The only NAT the Linux box is concerned with is NATing VPN clients to the server's local address when they access the local network or the Internet
If you want to forward an external connection to the router to a VPN client, simply do:
ambrop7 i am sorry if you feel like i am not taking your advise i am just trying to get this figured out that is all..
actually i am taking your advise
If you look above i did post that i can ping 10.0.0.1 no problem it works on my internal network but i know that does not mean that it is working 100% I can ping 10.0.0.1 from the box that is running openvpn but when i try to ping it from another box on my network it is not working could be an iptables issue though. I am trying to resolve this now.
i did try to put tun0 on 255.255.255.0 but for some reason it ends up on 255.255.255.255, maybe because 192.168.1.3 uses 255.255.255.0 ?
My fedora box running openvpn is on 192.168.1.3 when i ping 10.0.0.1 from that box it works fine i can even ssh into 10.0.0.1 works fine but when i ping 10.0.0.1 from another linux box on my network -> 192.168.1.6 well 10.0.0.1 doesn't respond so i am trying to figure this out
when i ping 192.168.1.3 from 192.168.1.6 it works so any thoughts you might have would be great
ambrop7 here is some of the options i have enabled on my server.conf file for openvpn (located /etc/openvpn/server.conf)
# Server and client IP and Pool
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Routes to push to the client
push "route 10.0.0.0 255.255.255.0"
As you can now see i did take your advise and try to put it on that netmask for some reason tun0 goes to -> 255.255.255.255
Is it a problem that i can't ping 10.0.0.1 from another linux box on my network? i have written rules to allow all INPUT OUTPUT AND FORWARD for tun0 however i haven't written anything else for that interface so maybe this is the reason that i can't ping it from another box on the network?
I think i am going to need those nat rules or prerouting options if i want stuff routed through tun0 right?
The example client and server config files at http://openvpn.net/index.php/open-so....html#examples should work fine without any changes. I don't see anything wrong with the part of the config file you showed me, though the "push route" thing is not really required (clients will add it automatically because they receive an IP address in this subnet).
Your first goal is to be able to ping through the VPN, that is, to ping 10.0.0.1 from the client while the VPN is up.
Don't try anything else until you've got this working. As I have already said: do not worry about NAT or masquerading (they are not needed to get the pinging working, except for forwarding the appropritate ports on your router) and do not worry about filtering (just remove the filtering rules temporarily). If for whatever reason you are still refusing to remove the firewall rules, you can see if packets are being dropped due to firewall rules by running "iptables -t filter --list --verbose" and checking the match counters.
I have just tried the above mentioned config files, and they do in fact work as-is (except for changing the "remote" address in the client file). Here's what I've done:
On the server:
Code:
cd /usr/share/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client
./build-dh
cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/
sftp root@client_machine
sftp> cd /etc/openvpn/
sftp> put ca.crt 100% 1318 1.3KB/s 1.3KB/s 00:00
sftp> put client.crt 100% 3857 3.8KB/s 3.8KB/s 00:00
sftp> put client.key
Also copy the server config file from the howto to /etc/openvpn/openvpn.conf
Then start the server by hand in the terminal:
Code:
# cd /etc/openvpn/
# openvpn openvpn.conf
Thu Jun 16 13:08:57 2011 OpenVPN 2.1.4 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on May 18 2011
Thu Jun 16 13:08:57 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 16 13:08:57 2011 Diffie-Hellman initialized with 1024 bit key
Thu Jun 16 13:08:57 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 16 13:08:57 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Thu Jun 16 13:08:57 2011 ROUTE default_gateway=192.168.111.1
Thu Jun 16 13:08:57 2011 TUN/TAP device tun1 opened
Thu Jun 16 13:08:57 2011 TUN/TAP TX queue length set to 100
Thu Jun 16 13:08:57 2011 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Jun 16 13:08:57 2011 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu Jun 16 13:08:57 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 16 13:08:57 2011 UDPv4 link local (bound): [undef]
Thu Jun 16 13:08:57 2011 UDPv4 link remote: [undef]
Thu Jun 16 13:08:57 2011 MULTI: multi_init called, r=256 v=256
Thu Jun 16 13:08:57 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Thu Jun 16 13:08:57 2011 IFCONFIG POOL LIST
Thu Jun 16 13:08:57 2011 client,10.8.0.4
Thu Jun 16 13:08:57 2011 Initialization Sequence Completed
On the server machine, you should now have (my iface is tun1 because I changed it):
I see that the mask really is always 255.255.255.255; don't worry about it, it's because OpenVPN adds routes separately, so the mask is irrelevant.
On the client machine, copy the client config file from the howto to /etc/openvpn/openvpn.conf, and adjust the server address ("remote" option).
Then start the client from the terminal:
Code:
# cd /etc/openvpn/
# openvpn openvpn.conf
Thu Jun 16 13:15:11 2011 OpenVPN 2.1.4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on Apr 3 2011
Thu Jun 16 13:15:11 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jun 16 13:15:11 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 16 13:15:11 2011 LZO compression initialized
Thu Jun 16 13:15:11 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 16 13:15:11 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Jun 16 13:15:11 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 16 13:15:11 2011 Local Options hash (VER=V4): '41690919'
Thu Jun 16 13:15:11 2011 Expected Remote Options hash (VER=V4): '530fdded'
Thu Jun 16 13:15:11 2011 UDPv4 link local: [undef]
Thu Jun 16 13:15:11 2011 UDPv4 link remote: [AF_INET]192.168.111.118:1194
Thu Jun 16 13:15:11 2011 TLS: Initial packet from [AF_INET]192.168.111.118:1194, sid=2aa31ec9 beb1b933
Thu Jun 16 13:15:11 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/name=ca/emailAddress=me@myhost.mydomain
Thu Jun 16 13:15:11 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Thu Jun 16 13:15:11 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 16 13:15:11 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 16 13:15:11 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 16 13:15:11 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 16 13:15:11 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 16 13:15:11 2011 [server] Peer Connection Initiated with [AF_INET]192.168.111.118:1194
Thu Jun 16 13:15:13 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jun 16 13:15:13 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Jun 16 13:15:13 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 16 13:15:13 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 16 13:15:13 2011 OPTIONS IMPORT: route options modified
Thu Jun 16 13:15:13 2011 ROUTE default_gateway=192.168.111.1
Thu Jun 16 13:15:13 2011 TUN/TAP device tun1 opened
Thu Jun 16 13:15:13 2011 TUN/TAP TX queue length set to 100
Thu Jun 16 13:15:13 2011 /sbin/ifconfig tun1 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Thu Jun 16 13:15:13 2011 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Thu Jun 16 13:15:13 2011 Initialization Sequence Completed
Now on the client you should have:
Code:
# ifconfig tun1
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=1.24 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=0.865 m
If you have done all of the above, the server and client are starting up properly (i.e. you get "Initialization Sequence Completed" for both), but you can't ping, it's almost surely due to filtering rules.
If they aren't initializing properly, it may be because you haven't properly configured port forwarding on your router, or, again, have bad filtering rules on the Linux box.
I am sorry i haven't replied to this thread in a timely manner...
All is well with openvpn moving to another private subnet address worked great for me and i am able to ping tun0 and it works great, and i have no problem on the startup. When fedora boots up tun0 starts up right away with no issues. I need to test tun0 from outside my lan to make sure it is really working, i will let you all know how that goes, but for now it seems to be working great!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
