Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Ok, I have set up OpenVPN on CentOS 5.4 and am having an issue with my test client connecting externally. It says something about the routes. My internal network is 192.168.3.0/27 and the subnet of my VPN network is 192.168.4.0/27, or at least that is what I want. The OpenVPN machine is the same as my firewall/router. Here is the error message from the test client side:
Code:
Mon Aug 09 19:55:48 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Aug 09 19:55:48 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Aug 09 19:55:48 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 09 19:55:48 2010 LZO compression initialized
Mon Aug 09 19:55:48 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Aug 09 19:55:48 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Aug 09 19:55:48 2010 Local Options hash (VER=V4): '41690919'
Mon Aug 09 19:55:48 2010 Expected Remote Options hash (VER=V4): '530fdded'
Mon Aug 09 19:55:48 2010 UDPv4 link local: [undef]
Mon Aug 09 19:55:48 2010 UDPv4 link remote: XX.XX.XX.XX:1723
Mon Aug 09 19:55:49 2010 TLS: Initial packet from XX.XX.XX.XX:1723, sid=a9cc76e5 67250902
Mon Aug 09 19:55:49 2010 VERIFY OK: depth=1, /C=US/ST=MD/L=Gburg/O=Colexis/OU=Colexis/CN=192.168.3.1/emailAddress=me@myhost.mydomain
Mon Aug 09 19:55:49 2010 VERIFY OK: depth=0, /C=US/ST=MD/O=Colexis/OU=Colexis/CN=192.168.3.1/emailAddress=me@myhost.mydomain
Mon Aug 09 19:55:51 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 09 19:55:51 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 09 19:55:51 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 09 19:55:51 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 09 19:55:51 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Aug 09 19:55:51 2010 [192.168.3.1] Peer Connection Initiated with XX.XX.XX.XX:1723
Mon Aug 09 19:55:52 2010 SENT CONTROL [192.168.3.1]: 'PUSH_REQUEST' (status=1)
Mon Aug 09 19:55:52 2010 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.3.1,dhcp-option DNS 4.2.2.5,route 192.168.4.0 255.255.255.224,route 192.168.4.0 255.255.255.224,ping 10,ping-restart 120,ifconfig 192.168.4.6 192.168.4.5'
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: route options modified
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Aug 09 19:55:52 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{EC361F10-EB47-4B14-A3DF-FEB8AD7D2013}.tap
Mon Aug 09 19:55:52 2010 TAP-Win32 Driver Version 8.4
Mon Aug 09 19:55:52 2010 TAP-Win32 MTU=1500
Mon Aug 09 19:55:52 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.4.6/255.255.255.252 on interface {EC361F10-EB47-4B14-A3DF-FEB8AD7D2013} [DHCP-serv: 192.168.4.5, lease-time: 31536000]
Mon Aug 09 19:55:52 2010 Successful ARP Flush on interface [16] {EC361F10-EB47-4B14-A3DF-FEB8AD7D2013}
Mon Aug 09 19:55:52 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon Aug 09 19:55:52 2010 Route: Waiting for TUN/TAP interface to come up...
Mon Aug 09 19:55:54 2010 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon Aug 09 19:55:54 2010 route ADD 192.168.4.0 MASK 255.255.255.224 192.168.4.5
Mon Aug 09 19:55:54 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=16]
Mon Aug 09 19:55:54 2010 Route addition via IPAPI failed
Mon Aug 09 19:55:54 2010 route ADD 192.168.4.0 MASK 255.255.255.224 192.168.4.5
Mon Aug 09 19:55:54 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=16]
Mon Aug 09 19:55:54 2010 Route addition via IPAPI failed
Mon Aug 09 19:55:54 2010 Initialization Sequence Completed
and here is my server.conf:
Code:
# listen on? (optional)
;local a.b.c.d
port 1723
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 192.168.4.0 255.255.255.224
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "dhcp-option DNS 192.168.3.1"
push "dhcp-option DNS 4.2.2.5"
#route-up "route delete -net 192.168.100.0/24"
#route-up "route add -net 192.168.100.0/24 tun0"
push "route 192.168.4.0 255.255.255.224"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
#ifconfig-push 10.9.0.1 10.9.0.2
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
Here are my firewall rules:
Code:
Chain INPUT (policy DROP 3 packets, 272 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   136 LINVALID   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 6605  894K CHECKBADFLAG  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 3007  363K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 LREJECT    all  --  *      *       0.0.0.0/0            127.0.0.0
 1417  113K ACCEPT     all  --  eth1   *       192.168.3.0/27       0.0.0.0/0
   12  2826 ACCEPT     all  --  eth2   *       0.0.0.0/0            192.168.2.0/27
    0     0 ACCEPT     all  --  eth2   *       192.168.3.0/27       0.0.0.0/0
 2650  466K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12022 state NEW
    1    42 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1723
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1723
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 LDROP      udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33523
  374  118K SMB        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with tcp-reset
  362  115K SPECIALPORTS  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
    0     0 TCPACCEPT  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth1   *       192.168.3.0/27       0.0.0.0/0           udp dpt:69 state NEW
  483  155K LDROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LINVALID   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 8929 3698K CHECKBADFLAG  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
60211 6017K SMB        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 4419  551K ACCEPT     tcp  --  eth1   eth0    192.168.3.0/27       0.0.0.0/0           tcp spts:1024:65535
55285 5362K ACCEPT     udp  --  eth1   eth0    192.168.3.0/27       0.0.0.0/0           udp spts:1024:65535
   27  2424 ACCEPT     icmp --  eth1   eth0    192.168.3.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
40249 6628K SMB        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
40248 6628K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TCPACCEPT  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 state RELATED
  480  102K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
    1   437 ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   eth2    0.0.0.0/0            192.168.2.2         tcp dpt:12444 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.2         udp dpts:5050:5065 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.2         udp dpts:10000:20000 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.20        udp dpts:5050:5065 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.20        udp dpts:10000:20000 state NEW
    0     0 LDROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 5 packets, 1140 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3007  363K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    192.168.2.0/27       0.0.0.0/0
   12  2826 ACCEPT     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
 2657  188K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 1725  358K ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    192.168.3.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    192.168.4.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun0    192.168.4.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LDROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
Looks like the route addition isn't failing on the server side, but on your client side. If it doesn't disconnect you, try adding a route manually to your client and see if that works. What version of OpenVPN are you running, and on what OS are you running it as a client? Also, how are you doing authentication? I noticed no certs were set up.
I am using CentOS 5.4, OpenVPN 1.5.4. I am using a server that is my firewall/router and my VPN. I am using OpenVPN GUI 1.0.3. I have 3 interfaces: eth0: Internet, eth1: LAN, eth2: DMZ. My subnets are eth1: 192.168.3.0/27, eth2: 192.168.2.0/27.
Here is my client config on her Vista machine:
Code:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote XX.XX.XX.XX 1723
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "C:\\PROGRA~1\\OpenVPN\\config\\ca.crt"
cert "C:\\PROGRA~1\\OpenVPN\\config\\colexis.crt"
key "C:\\PROGRA~1\\OpenVPN\\config\\colexis.key"
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
I noticed an error on the client side that said:
Code:
No server certificate verification method has been enabled
???
Last edited by metallica1973; 08-10-2010 at 06:57 PM.
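The pieces of the client log from the first post that matter here (the PUSH_REPLY with its doubled route, the two failed route additions, the cipher in use, and the "No server certificate verification method" warning asked about just above) are easier to check by parsing than by eye. The script below is an added example, not code from this thread or from the OpenVPN project; the log excerpt inside it is retyped from the first post, one message per line, trimmed to the entries the checks need. The directive it recommends for the warning is the one the posted client config carries commented out as `;ns-cert-type server` (the OpenVPN 2.0.x spelling; OpenVPN 2.1 and later also accept `remote-cert-tls server`).

```python
"""Sanity-check an OpenVPN 2.0-era client log: pushed routes, route failures, TLS hardening."""
import ipaddress
import re

# Constructed sample: lines retyped from the client log in the first post, one message per line,
# reduced to the entries the checks below look at.
SAMPLE_LOG = """\
Mon Aug 09 19:55:48 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 09 19:55:51 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 09 19:55:51 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Aug 09 19:55:52 2010 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.3.1,dhcp-option DNS 4.2.2.5,route 192.168.4.0 255.255.255.224,route 192.168.4.0 255.255.255.224,ping 10,ping-restart 120,ifconfig 192.168.4.6 192.168.4.5'
Mon Aug 09 19:55:54 2010 route ADD 192.168.4.0 MASK 255.255.255.224 192.168.4.5
Mon Aug 09 19:55:54 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=16]
Mon Aug 09 19:55:54 2010 route ADD 192.168.4.0 MASK 255.255.255.224 192.168.4.5
Mon Aug 09 19:55:54 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=16]
Mon Aug 09 19:55:54 2010 Initialization Sequence Completed
"""


def parse_push_reply(log):
    """Return (local_ip, peer_ip, [(network, netmask), ...]) from the PUSH_REPLY line."""
    m = re.search(r"PUSH_REPLY,([^']*)'", log)
    if not m:
        raise ValueError("no PUSH_REPLY in log")
    local = peer = None
    routes = []
    for option in m.group(1).split(","):
        parts = option.split()
        if parts and parts[0] == "ifconfig":
            local, peer = parts[1], parts[2]
        elif parts and parts[0] == "route":
            routes.append((parts[1], parts[2]))
    return local, peer, routes


def check_client_log(log):
    """Collect the facts a reviewer wants from the log and turn them into findings."""
    local, peer, routes = parse_push_reply(log)
    cipher = re.search(r"Cipher '([^']+)'", log)
    report = {
        "local": local,
        "peer": peer,
        "duplicate_routes": [],
        "failed_route_adds": len(re.findall(r"route addition failed", log)),
        "server_cert_verified": "No server certificate verification method" not in log,
        "cipher": cipher.group(1) if cipher else None,
        "findings": [],
    }
    # net30 topology: the client address and its peer (the pushed gateway) share one /30.
    link = ipaddress.ip_network(f"{local}/30", strict=False)
    if ipaddress.ip_address(peer) not in link:
        report["findings"].append(f"gateway {peer} is not on the client's /30 {link}")
    seen = set()
    for route in routes:
        if route in seen and route not in report["duplicate_routes"]:
            report["duplicate_routes"].append(route)
        seen.add(route)
    for net, mask in report["duplicate_routes"]:
        report["findings"].append(
            f"route {net} {mask} is pushed twice; the 'server' directive already pushes "
            "the VPN subnet, so the explicit push \"route ...\" in server.conf is redundant")
    if report["failed_route_adds"]:
        report["findings"].append(f"{report['failed_route_adds']} route addition(s) failed on the client")
    if not report["server_cert_verified"]:
        report["findings"].append(
            "client accepts any certificate signed by the CA as the server: enable "
            "'ns-cert-type server' (OpenVPN 2.0.x) or 'remote-cert-tls server' (2.1+)")
    if report["cipher"] in ("BF-CBC", "DES-EDE3-CBC"):
        report["findings"].append(
            f"{report['cipher']} is a 64-bit block cipher; prefer an AES cipher on both ends")
    return report


if __name__ == "__main__":
    for finding in check_client_log(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

The certificate finding is the one with a security consequence: without `ns-cert-type server` the client only checks that the server's certificate chains to the CA, so any certificate that CA issued, including one issued to another client, would be accepted as the server. With the directive enabled the client also requires the nsCertType=server extension, which the easy-rsa `build-key-server` script sets on server certificates and `build-key` does not set on client ones.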
Gotta run, but real quick: try specifying dev-node as the name of your TAP adapter in Windows. Also, if I recall off the top of my head, enable ns-cert-type.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "C:\\PROGRA~1\\OpenVPN\\config\\ca.crt"
cert "C:\\PROGRA~1\\OpenVPN\\config\\dachit.crt"
key "C:\\PROGRA~1\\OpenVPN\\config\\dachit.key"
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
route-method exe
route-delay 2
;mute 20
and the server.conf:
Code:
# listen on? (optional)
;local a.b.c.d
port 1723
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
#tls-auth ta.key 0
server 192.168.4.0 255.255.255.224
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.3.1"
#push "dhcp-option DNS 4.2.2.5"
route 192.168.4.0 255.255.255.224
push "route 192.168.3.0 255.255.255.224"
push "route 192.168.4.0 255.255.255.224"
#push "redirect-gateway def1 bypass-dhcp"
;client-config-dir ccd
;client-config-dir ccd
;learn-address ./script
;push "redirect-gateway"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
#cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 2
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
The client connects now, but I cannot talk to the client on the 4.0 network and she cannot talk to me on the 3.0 network, so I believe the problem lies in the firewall.
Here are my routes:
Code:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.4.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.224 U     0      0        0 eth1
192.168.4.0     192.168.4.2     255.255.255.224 UG    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.224 U     0      0        0 eth2
XX.XX.XXX.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         XX.XX.XXX.X     0.0.0.0         UG    0      0        0 eth0
Last edited by metallica1973; 09-05-2010 at 09:19 PM.
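The routing table above shows the server does know 192.168.4.0/27 via tun0, so the remaining question is whether the FORWARD chain lets tun0 and eth1 exchange packets. In the listing from the first post the only tun0 rule in FORWARD is an ACCEPT for eth0 -> tun0 restricted to RELATED,ESTABLISHED, and there is no ACCEPT at all with tun0 on one side and eth1 on the other; with a DROP policy and the LDROP catch-all that matches the symptom of neither side reaching the other. The checker below is an added example, not the poster's or any project's code: it parses `iptables -vnL` output, reports which interface pairs have no ACCEPT rule, and builds candidate rules. The chain text inside it is the FORWARD chain from the first post retyped one rule per line, and the interface names and subnets in the usage are the ones given in this thread.

```python
"""Check an 'iptables -vnL' FORWARD listing for rules that let two interfaces talk."""
from dataclasses import dataclass

# Constructed sample: the FORWARD chain posted in this thread, retyped one rule per line.
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LINVALID   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 8929 3698K CHECKBADFLAG  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
60211 6017K SMB        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 4419  551K ACCEPT     tcp  --  eth1   eth0    192.168.3.0/27       0.0.0.0/0           tcp spts:1024:65535
55285 5362K ACCEPT     udp  --  eth1   eth0    192.168.3.0/27       0.0.0.0/0           udp spts:1024:65535
   27  2424 ACCEPT     icmp --  eth1   eth0    192.168.3.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
40249 6628K SMB        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
40248 6628K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TCPACCEPT  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 state RELATED
  480  102K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
    1   437 ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   eth2    0.0.0.0/0            192.168.2.2         tcp dpt:12444 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.2         udp dpts:5050:5065 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.2         udp dpts:10000:20000 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.20        udp dpts:5050:5065 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.20        udp dpts:10000:20000 state NEW
    0     0 LDROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match options such as 'state RELATED,ESTABLISHED'


def parse_listing(listing):
    """Parse the rule lines of one 'iptables -vnL' chain into Rule objects."""
    rules = []
    for line in listing.splitlines():
        fields = line.split(None, 9)
        if len(fields) < 9 or fields[0] in ("Chain", "pkts"):
            continue  # chain banner, column header or blank line
        rules.append(Rule(target=fields[2], prot=fields[3], in_if=fields[5], out_if=fields[6],
                          src=fields[7], dst=fields[8], extra=fields[9] if len(fields) > 9 else ""))
    return rules


def iface_matches(pattern, iface):
    """iptables interface semantics: '*' is any, a trailing '+' is a prefix wildcard."""
    if pattern == "*" or pattern == iface:
        return True
    return pattern.endswith("+") and iface.startswith(pattern[:-1])


def accept_rules(rules, in_if, out_if):
    """ACCEPT rules whose interface filters could match traffic entering in_if and leaving out_if."""
    return [r for r in rules
            if r.target == "ACCEPT" and iface_matches(r.in_if, in_if) and iface_matches(r.out_if, out_if)]


def missing_paths(rules, lan_if, vpn_if):
    """Directions with no ACCEPT rule at all; with a DROP policy both are needed for two-way traffic."""
    return [f"{a}->{b}" for a, b in ((vpn_if, lan_if), (lan_if, vpn_if)) if not accept_rules(rules, a, b)]


def suggested_rules(lan_if, vpn_if, lan_net, vpn_net, position=1):
    """Stateful FORWARD rules limited to the two subnets, inserted at 'position' (before the LDROP catch-all)."""
    return [
        f"iptables -I FORWARD {position} -i {vpn_if} -o {lan_if} -s {vpn_net} -d {lan_net} "
        "-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT",
        f"iptables -I FORWARD {position} -i {lan_if} -o {vpn_if} -s {lan_net} -d {vpn_net} "
        "-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT",
    ]


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_FORWARD)
    gaps = missing_paths(rules, "eth1", "tun0")
    print("no ACCEPT rule for:", gaps)
    if gaps:
        # position 3 lands after the LINVALID and CHECKBADFLAG jumps, well before LDROP
        print("\n".join(suggested_rules("eth1", "tun0", "192.168.3.0/27", "192.168.4.0/27", position=3)))
```

Scoping the new rules to `-s 192.168.4.0/27 -d 192.168.3.0/27` (and the reverse) keeps the VPN from becoming a path into the DMZ on eth2 or back out through eth0, which the broad `ACCEPT all -- tun0 *` already present in INPUT does not do for locally delivered traffic. `-I FORWARD <n>` matters because `-A` would append after the LDROP rule and never be reached.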