LinuxQuestions.org
Old 08-09-2010, 08:16 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,181

Rep: Reputation: 60
OpenVPN Setup Issues


Ok, I have set up OpenVPN on CentOS 5.4 and am having an issue with my test client connecting externally. It says something about the routes. My internal network is 192.168.3.0/27 and the subnet of my VPN network is 192.168.4.0/27, or at least that is what I want. The OpenVPN machine is the same as my firewall/router. Here is the error message from the test client side:

PHP Code:
Mon Aug 09 19:55:48 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Aug 09 19:55:48 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Aug 09 19:55:48 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 09 19:55:48 2010 LZO compression initialized
Mon Aug 09 19:55:48 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Aug 09 19:55:48 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Aug 09 19:55:48 2010 Local Options hash (VER=V4): '41690919'
Mon Aug 09 19:55:48 2010 Expected Remote Options hash (VER=V4): '530fdded'
Mon Aug 09 19:55:48 2010 UDPv4 link local: [undef]
Mon Aug 09 19:55:48 2010 UDPv4 link remote: XX.XX.XX.XX:1723
Mon Aug 09 19:55:49 2010 TLS: Initial packet from XX.XX.XX.XX:1723, sid=a9cc76e5 67250902
Mon Aug 09 19:55:49 2010 VERIFY OK: depth=1, /C=US/ST=MD/L=Gburg/O=Colexis/OU=Colexis/CN=192.168.3.1/emailAddress=me@myhost.mydomain
Mon Aug 09 19:55:49 2010 VERIFY OK: depth=0, /C=US/ST=MD/O=Colexis/OU=Colexis/CN=192.168.3.1/emailAddress=me@myhost.mydomain
Mon Aug 09 19:55:51 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 09 19:55:51 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 09 19:55:51 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 09 19:55:51 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 09 19:55:51 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Aug 09 19:55:51 2010 [192.168.3.1] Peer Connection Initiated with XX.XX.XX.XX:1723
Mon Aug 09 19:55:52 2010 SENT CONTROL [192.168.3.1]: 'PUSH_REQUEST' (status=1)
Mon Aug 09 19:55:52 2010 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.3.1,dhcp-option DNS 4.2.2.5,route 192.168.4.0 255.255.255.224,route 192.168.4.0 255.255.255.224,ping 10,ping-restart 120,ifconfig 192.168.4.6 192.168.4.5'
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: route options modified
Mon Aug 09 19:55:52 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Aug 09 19:55:52 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{EC361F10-EB47-4B14-A3DF-FEB8AD7D2013}.tap
Mon Aug 09 19:55:52 2010 TAP-Win32 Driver Version 8.4
Mon Aug 09 19:55:52 2010 TAP-Win32 MTU=1500
Mon Aug 09 19:55:52 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.4.6/255.255.255.252 on interface {EC361F10-EB47-4B14-A3DF-FEB8AD7D2013} [DHCP-serv: 192.168.4.5, lease-time: 31536000]
Mon Aug 09 19:55:52 2010 Successful ARP Flush on interface [16] {EC361F10-EB47-4B14-A3DF-FEB8AD7D2013}
Mon Aug 09 19:55:52 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon Aug 09 19:55:52 2010 Route: Waiting for TUN/TAP interface to come up...
Mon Aug 09 19:55:54 2010 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon Aug 09 19:55:54 2010 route ADD 192.168.4.0 MASK 255.255.255.224 192.168.4.5
Mon Aug 09 19:55:54 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=16]
Mon Aug 09 19:55:54 2010 Route addition via IPAPI failed
Mon Aug 09 19:55:54 2010 route ADD 192.168.4.0 MASK 255.255.255.224 192.168.4.5
Mon Aug 09 19:55:54 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=16]
Mon Aug 09 19:55:54 2010 Route addition via IPAPI failed
Mon Aug 09 19:55:54 2010 Initialization Sequence Completed

and here is my server.conf:

PHP Code:
# listen on? (optional)
;local a.b.c.d
port 1723
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 192.168.4.0 255.255.255.224
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "dhcp-option DNS 192.168.3.1"
push "dhcp-option DNS 4.2.2.5"
#route-up "route delete -net 192.168.100.0/24"
#route-up "route add -net 192.168.100.0/24 tun0"
push "route 192.168.4.0 255.255.255.224"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
#ifconfig-push 10.9.0.1 10.9.0.2
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20

here are my firewall rules:

PHP Code:
Chain INPUT (policy DROP 3 packets, 272 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   136 LINVALID   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 6605  894K CHECKBADFLAG  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 3007  363K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 LREJECT    all  --  *      *       0.0.0.0/0            127.0.0.0
 1417  113K ACCEPT     all  --  eth1   *       192.168.3.0/27       0.0.0.0/0
   12  2826 ACCEPT     all  --  eth2   *       0.0.0.0/0            192.168.2.0/27
    0     0 ACCEPT     all  --  eth2   *       192.168.3.0/27       0.0.0.0/0
 2650  466K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12022 state NEW
    1    42 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1723
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1723
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 LDROP      udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33523
  374  118K SMB        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with tcp-reset
  362  115K SPECIALPORTS  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
    0     0 TCPACCEPT  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth1   *       192.168.3.0/27       0.0.0.0/0           udp dpt:69 state NEW
  483  155K LDROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LINVALID   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 8929 3698K CHECKBADFLAG  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
60211 6017K SMB        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 4419  551K ACCEPT     tcp  --  eth1   eth0    192.168.3.0/27       0.0.0.0/0           tcp spts:1024:65535
55285 5362K ACCEPT     udp  --  eth1   eth0    192.168.3.0/27       0.0.0.0/0           udp spts:1024:65535
   27  2424 ACCEPT     icmp --  eth1   eth0    192.168.3.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
40249 6628K SMB        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
40248 6628K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 TCPACCEPT  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 state RELATED
  480  102K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0
    1   437 ACCEPT     all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   eth2    0.0.0.0/0            192.168.2.2         tcp dpt:12444 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.2         udp dpts:5050:5065 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.2         udp dpts:10000:20000 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.20        udp dpts:5050:5065 state NEW
    0     0 ACCEPT     udp  --  eth0   eth2    0.0.0.0/0            192.168.2.20        udp dpts:10000:20000 state NEW
    0     0 LDROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 5 packets, 1140 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3007  363K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    192.168.2.0/27       0.0.0.0/0
   12  2826 ACCEPT     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
 2657  188K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 1725  358K ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    192.168.3.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    192.168.4.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun0    192.168.4.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LDROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CHECKBADFLAG (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LBADFLAG   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
    0     0 LBADFLAG   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37
    0     0 LBADFLAG   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
    0     0 LBADFLAG   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    0     0 LBADFLAG   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    0     0 LBADFLAG   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03

Chain ICMPINBOUND (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 5/sec burst 10
    0     0 LPINGFLOOD  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 13
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 14
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 17
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ICMPOUTBOUND (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 code 0
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 code 1
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 13
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 14
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 17
    0     0 LDROP      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LBADFLAG (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=BADFLAG:1 a=DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LDROP (17 references)
 pkts bytes target     prot opt in     out     source               destination
   16   648 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=TCP:1 a=DROP '
  466  154K LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=UDP:2 a=DROP '
    1    92 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=ICMP:3 a=DROP '
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=FRAGMENT:4 a=DROP '
  483  155K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LINVALID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   136 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=INVALID:1 a=DROP '
    3   136 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LPINGFLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=PINGFLOOD:1 a=DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LREJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=TCP:1 a=REJECT '
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=UDP:2 a=REJECT '
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=ICMP:3 a=REJECT '
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=FRAGMENT:4 a=REJECT '
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain LSPECIALPORT (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=SPECIALPORT:1 a=DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LSYNFLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 10 LOG flags 0 level 4 prefix `fp=SYNFLOOD:1 a=DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SMB (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:137
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:138
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
   12  2826 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:137
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:138
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:138
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:445

Chain SPECIALPORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LSPECIALPORT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6670
    0     0 LSPECIALPORT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1243
    0     0 LSPECIALPORT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1243
    0     0 LSPECIALPORT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:27374
    0     0 LSPECIALPORT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:27374
    0     0 LSPECIALPORT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6711:6713
    0     0 LSPECIALPORT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:12345:12346
    0     0 LSPECIALPORT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20034
    0     0 LSPECIALPORT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:31337:31338
    0     0 LSPECIALPORT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:28431

Chain TCPACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/sec burst 10
    0     0 LSYNFLOOD  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 

help?

Last edited by metallica1973; 08-10-2010 at 06:53 AM.
 
Old 08-10-2010, 03:38 PM   #2
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100
Looks like the route addition isn't failing on the server side, but on your client side. If it doesn't disconnect you, try adding a route manually on your client and see if that works. What version of OpenVPN are you running, and on what OS are you running it as a client? Also, how are you doing authentication? I noticed no certs were set up.
 
Old 08-10-2010, 07:49 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,181

Original Poster
Rep: Reputation: 60
I am using CentOS 5.4, OpenVPN 1.5.4. I am using a server that is my firewall/router and my VPN. I am using OpenVPN GUI 1.0.3. I have 3 interfaces: eth0: Internet, eth1: LAN, eth2: DMZ. My subnets are eth1: 192.168.3.0/27, eth2: 192.168.2.0/27.

Here is my client config on her Vista machine:

PHP Code:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote XX.XX.XX.XX 1723
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "C:\\PROGRA~1\\OpenVPN\\config\\ca.crt"
cert "C:\\PROGRA~1\\OpenVPN\\config\\colexis.crt"
key "C:\\PROGRA~1\\OpenVPN\\config\\colexis.key"
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20


I noticed an error on the client side that said:

PHP Code:
No server certificate verification method has been enabled 
???

Last edited by metallica1973; 08-10-2010 at 07:57 PM.
 
Old 08-12-2010, 02:00 PM   #4
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100
Gotta run, but real quick: try specifying dev-node as the name of your TAP adapter in Windows. Also, if I recall off the top of my head, enable ns-cert-type.
 
Old 09-05-2010, 10:10 PM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,181

Original Poster
Rep: Reputation: 60
You were right about ns-cert-type server. That setting is what was needed, and in the server configs:

PHP Code:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote daman2010.dachit.com 1723
;remote my-server-2 1194
;remote-random
ns-cert-type server
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "C:\\PROGRA~1\\OpenVPN\\config\\ca.crt"
cert "C:\\PROGRA~1\\OpenVPN\\config\\dachit.crt"
key "C:\\PROGRA~1\\OpenVPN\\config\\dachit.key"
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
route-method exe
route-delay 2
;mute 20

and the server.conf:

PHP Code:
# listen on? (optional)
;local a.b.c.d
port 1723
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
#tls-auth ta.key 0
server 192.168.4.0 255.255.255.224
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.3.1"
#push "dhcp-option DNS 4.2.2.5"
route 192.168.4.0 255.255.255.224
push "route 192.168.3.0 255.255.255.224"
push "route 192.168.4.0 255.255.255.224"
#push "redirect-gateway def1 bypass-dhcp"
;client-config-dir ccd
;client-config-dir ccd
;learn-address ./script
;push "redirect-gateway"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
#cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 2
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20

The client connects now, but I cannot talk to the client on the 4.0 network and she cannot talk to me on the 3.0 network, so I believe the problem lies in the firewall.

here are my routes:

PHP Code:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.4.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.224 U     0      0        0 eth1
192.168.4.0     192.168.4.2     255.255.255.224 UG    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.224 U     0      0        0 eth2
XX.XX.XXX.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         XX.XX.XXX.X     0.0.0.0         UG    0      0        0 eth0

Last edited by metallica1973; 09-05-2010 at 10:19 PM.
 
Old 09-06-2010, 03:25 PM   #6
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100
Try an allow rule from .3 to .4 and vice versa; also make sure you have forwarding enabled.
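What that advice comes to on this thread's router (LAN on eth1 = 192.168.3.0/27, tunnel on tun0 = 192.168.4.0/27), as an added example rather than code from the thread: one ACCEPT per direction in FORWARD, the ip_forward switch, and a check that runs over an "iptables -L FORWARD -v -n" listing like the one in post #1, where the only tun0 rule is eth0 -> tun0 and nothing carries traffic between eth1 and tun0. The IPTABLES override, the rule positions and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names and subnets come
# from the thread; IPTABLES (overridable, IPTABLES=echo gives a dry run) and
# the rule positions are assumptions. Presence is checked by grepping
# "iptables -L -v -n" output because the iptables in the thread predates -C/-S.

LAN_IF=eth1
LAN_NET=192.168.3.0/27
VPN_IF=tun0
VPN_NET=192.168.4.0/27
IPTABLES=${IPTABLES:-iptables}

# One ACCEPT per direction, inserted at the top of FORWARD so they sit ahead
# of the chain's final LDROP catch-all. Each rule is pinned to the interface
# pair and the subnet pair, so nothing arriving on eth0 can use it, and
# INVALID is left out of the state list so the LINVALID rule keeps its effect.
vpn_forward_rules() {
    $IPTABLES -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$VPN_NET" \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -I FORWARD 2 -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
}

# Succeeds when the "iptables -L FORWARD -v -n" listing on stdin already
# holds an ACCEPT for in=$1 out=$2 src=$3 dst=$4. Fed the listing from
# post #1 it fails for both eth1/tun0 directions.
forward_rule_present() {
    grep -E "ACCEPT +all +-- +$1 +$2 +$3 +$4" >/dev/null
}

# Kernel switch; without it the FORWARD chain is never consulted. Persist it
# with "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Reads the running value; $1 overrides the path so the check can be run
# against a sample file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Only touch the firewall when asked explicitly: sh vpn-forward.sh apply
if [ "${1:-}" = apply ]; then
    vpn_forward_rules
    enable_forwarding
    if $IPTABLES -L FORWARD -v -n \
        | forward_rule_present "$LAN_IF" "$VPN_IF" "$LAN_NET" "$VPN_NET"; then
        echo "LAN -> VPN forward rule is in place"
    fi
fi
```

Run with the apply argument as root on the router; without it the script only defines the functions, so the check can be pointed at a saved listing.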
 
Old 10-11-2010, 07:52 AM   #7
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,181

Original Poster
Rep: Reputation: 60
Works great, thanks for the advice.
 
  

