I have a file server with SuSE Linux 9.3 installed. The server is located behind a Linksys router with a built-in firewall. The server itself has its own software firewall. My ISP has granted me 6 static IP addresses. The 3 computers inside our internal network (also behind the Linksys router and firewall) are x.x.x.2-4, the server is x.x.x.1 and the router is x.x.x.6! I got my coworker to forward port 22 UDP and TCP and 1194 UDP and TCP on the router to the server and enable IPsec passthrough.

I then SSH'd into the machine in California from Tokyo where I live. I then successfully installed the default openvpn package for SuSE 9.3. I then immediately began following the tutorial for creating a routed VPN. I moved the easy-rsa directory to /etc/openvpn as the guide recommended. I edited the vars file to point to my intended directories. I then successfully built my server, client and CA keys. I also generated the Diffie-Hellman parameters. I then securely moved the appropriate keys to the appropriate computers.
I then edited the server.conf to point to the correct keys on the server as well as the DH parameters.
I am currently trying to connect my first client to the server. I installed openvpn on my Ubuntu satellite computer. I edited the vars file to again point to the correct locations (although I am not generating keys):
Code:
. ./vars
./clean-all
But I did not run ./build-ca because I already generated the key on another computer. I then moved the correct keys into place: client1.ca, client1.crt and ca.crt! I then edited the client.conf file to point to the correct keys.
When I run
Code:
openvpn /etc/openvpn/server.conf
I get
Code:
Wed Mar 1 05:37:10 2006 OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Nov 3 2005
Wed Mar 1 05:37:10 2006 Diffie-Hellman initialized with 1024 bit key
Wed Mar 1 05:37:10 2006 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 1 05:37:10 2006 TUN/TAP device tun0 opened
Wed Mar 1 05:37:10 2006 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Mar 1 05:37:10 2006 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Mar 1 05:37:10 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Wed Mar 1 05:37:10 2006 GID set to nobody
Wed Mar 1 05:37:10 2006 UID set to nobody
Wed Mar 1 05:37:10 2006 UDPv4 link local (bound): [undef]:1194
Wed Mar 1 05:37:10 2006 UDPv4 link remote: [undef]
Wed Mar 1 05:37:10 2006 MULTI: multi_init called, r=256 v=256
Wed Mar 1 05:37:10 2006 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Mar 1 05:37:10 2006 IFCONFIG POOL LIST
Wed Mar 1 05:37:10 2006 Initialization Sequence Completed
Nothing seems too suspicious to me there.
Then on the client side I run
Code:
openvpn /etc/openvpn/client.conf
And all I get is:
Code:
Wed Mar 1 22:53:20 2006 OpenVPN 2.0.2 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Aug 31 2005
Wed Mar 1 22:53:20 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 1 22:53:20 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Mar 1 22:53:20 2006 LZO compression initialized
Wed Mar 1 22:53:20 2006 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 1 22:53:20 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Mar 1 22:53:20 2006 Local Options hash (VER=V4): '41690919'
Wed Mar 1 22:53:20 2006 Expected Remote Options hash (VER=V4): '530fdded'
Wed Mar 1 22:53:20 2006 UDPv4 link local: [undef]
Wed Mar 1 22:53:20 2006 UDPv4 link remote: 69.233.233.206:1194
Wed Mar 1 22:53:20 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Mar 1 22:53:24 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Mar 1 22:53:26 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
The verification method part it spit back seems a bit suspicious, but I think that is just extra security. It should be able to connect. I checked my server firewall software to make sure the firewall was allowing port 1194 on both UDP and TCP. I also made sure the firewall on the server allowed the IPsec protocol. The router before the server has ports 22 and 1194 forwarded to the address of the server. I decided to run a port scan on the IP address I was trying to connect to. When I run a port scan on x.x.x.6 (which is the router, and the IP I use to SSH into the server) all it shows is port 22. Shouldn't it also show 1194? Is this an openvpn setup problem or am I not breaking down the firewall correctly? Any hints or suggestions? What am I leaving out?
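Added example, not part of the original post or of OpenVPN itself: a small Python triage of the two log excerpts quoted above. It reads the client's `read UDPv4 [ECONNREFUSED]` lines and the `No server certificate verification method` warning and states what each one implies and what to check; it also flags the 1024-bit Diffie-Hellman parameters the server log reports. The log lines are copied from the post; the function names, finding codes and the wording of the checks are this example's own choices, and the directive it recommends depends on the OpenVPN version it parses from the banner line (`ns-cert-type server` for 2.0.x, `remote-cert-tls server` for 2.1 and later).

```python
"""Triage of OpenVPN 2.x startup logs (added example, not the poster's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Log excerpts copied from the post above (a subset of the quoted lines).
CLIENT_LOG: List[str] = [
    "Wed Mar 1 22:53:20 2006 OpenVPN 2.0.2 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Aug 31 2005",
    "Wed Mar 1 22:53:20 2006 WARNING: No server certificate verification method has been enabled. "
    "See http://openvpn.net/howto.html#mitm for more info.",
    "Wed Mar 1 22:53:20 2006 UDPv4 link remote: 69.233.233.206:1194",
    "Wed Mar 1 22:53:20 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
    "Wed Mar 1 22:53:24 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
    "Wed Mar 1 22:53:26 2006 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
]
SERVER_LOG: List[str] = [
    "Wed Mar 1 05:37:10 2006 OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Nov 3 2005",
    "Wed Mar 1 05:37:10 2006 Diffie-Hellman initialized with 1024 bit key",
    "Wed Mar 1 05:37:10 2006 UDPv4 link local (bound): [undef]:1194",
    "Wed Mar 1 05:37:10 2006 Initialization Sequence Completed",
]

VERSION_RE = re.compile(r"OpenVPN (\d+)\.(\d+)")
REMOTE_RE = re.compile(r"UDPv4 link remote: (\S+)")
ECONNREFUSED_RE = re.compile(r"read UDPv4 \[ECONNREFUSED\]")
NO_VERIFY_RE = re.compile(r"No server certificate verification method")
DH_RE = re.compile(r"Diffie-Hellman initialized with (\d+) bit key")


@dataclass(frozen=True)
class Finding:
    code: str         # short label for the condition (this example's own naming)
    evidence: str     # the log line that triggered it
    explanation: str  # what it means and what to check


def openvpn_version(lines: List[str]) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the OpenVPN banner line, or None if absent."""
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def server_verification_directive(version: Optional[Tuple[int, int]]) -> str:
    """Client directive that refuses to treat another client's cert as the server.

    OpenVPN 2.0.x only knows 'ns-cert-type server' (checks the nsCertType
    extension that easy-rsa's build-key-server sets); 2.1 and later prefer
    'remote-cert-tls server'. Unknown version: assume a current release.
    """
    if version is not None and version < (2, 1):
        return "ns-cert-type server"
    return "remote-cert-tls server"


def triage(lines: List[str]) -> List[Finding]:
    """Map the warnings in an OpenVPN startup log to findings with a next check."""
    findings: List[Finding] = []
    version = openvpn_version(lines)
    remote = "the configured remote"
    for line in lines:
        m = REMOTE_RE.search(line)
        if m:
            remote = m.group(1)
            break

    refused = [line for line in lines if ECONNREFUSED_RE.search(line)]
    if refused:
        findings.append(Finding(
            "UDP_PORT_UNREACHABLE", refused[0],
            f"{len(refused)} ECONNREFUSED reads on a UDP socket. On Linux that error is "
            f"only raised when an ICMP port/protocol-unreachable came back for {remote}: "
            "the datagrams reached a host, but nothing there accepted that UDP port "
            "(the router, if the UDP forward is not in effect, or the server, if nothing "
            "is bound to it). Check 'ss -lun' or 'netstat -lun' on the server and the "
            "router's UDP rule; a TCP port scan never shows a UDP listener."))

    for line in lines:
        if NO_VERIFY_RE.search(line):
            directive = server_verification_directive(version)
            findings.append(Finding(
                "NO_SERVER_CERT_CHECK", line,
                "The client accepts any certificate signed by the CA as the server, so "
                "any holder of a client certificate could impersonate the server. Add "
                f"'{directive}' to client.conf and issue the server certificate with "
                "build-key-server."))
            break

    for line in lines:
        m = DH_RE.search(line)
        if m and int(m.group(1)) < 2048:
            findings.append(Finding(
                "SHORT_DH_PARAMS", line,
                f"{m.group(1)}-bit DH parameters are below the 2048-bit minimum generally "
                "recommended today; raise KEY_SIZE in the easy-rsa vars file and re-run build-dh."))
    return findings


if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        for f in triage(log):
            print(f"[{name}] {f.code}: {f.explanation}")
```

Run it as a script to print the findings for both excerpts, or feed `triage()` the lines of any OpenVPN 2.x log. The point of the first finding is the one the post's port scan misses: a TCP scan of x.x.x.6 cannot reveal a UDP/1194 listener, while ECONNREFUSED on a UDP read does tell you that some host on the path actively rejected the port rather than silently dropping the packets.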