LinuxQuestions.org
Forum: Linux - Newbie
04-15-2012, 09:03 AM   #1
konsolelover
SecurityKISS and OpenVPN in Arch


Hey,
I'm trying to create a VPN connection through SecurityKISS (my VPN provider) and OpenVPN on my Arch box. Here is my configuration file:

Code:
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 178.238.142.243 123
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth /etc/openvpn/ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
When I try to connect using "sudo openvpn --config client.conf", I get the following info:

Code:
Sun Apr 15 19:24:33 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jan  3 2012
Sun Apr 15 19:24:33 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Apr 15 19:24:33 2012 LZO compression initialized
Sun Apr 15 19:24:33 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 15 19:24:33 2012 Socket Buffers: R=[229376->131072] S=[229376->131072]
Sun Apr 15 19:24:33 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 15 19:24:33 2012 Local Options hash (VER=V4): '41690919'
Sun Apr 15 19:24:33 2012 Expected Remote Options hash (VER=V4): '530fdded'
Sun Apr 15 19:24:33 2012 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Apr 15 19:24:33 2012 UDPv4 link local: [undef]
Sun Apr 15 19:24:33 2012 UDPv4 link remote: 178.238.142.243:123
Sun Apr 15 19:24:33 2012 TLS: Initial packet from 178.238.142.243:123, sid=11e04578 ba5e090e
Sun Apr 15 19:24:36 2012 VERIFY OK: depth=1, /C=IE/ST=IE/L=Dublin/O=GL/CN=GL_CA
Sun Apr 15 19:24:36 2012 VERIFY OK: nsCertType=SERVER
Sun Apr 15 19:24:36 2012 VERIFY OK: depth=0, /C=IE/ST=IE/L=Dublin/O=GL/CN=server
Sun Apr 15 19:24:48 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 15 19:24:48 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 15 19:24:48 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 15 19:24:48 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 15 19:24:48 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 15 19:24:48 2012 [server] Peer Connection Initiated with 178.238.142.243:123
Sun Apr 15 19:24:50 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Apr 15 19:24:51 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.10.0.1,route 10.10.0.1,topology net30,ping 5,ping-restart 28,ifconfig 10.10.139.98 10.10.139.97'
Sun Apr 15 19:24:51 2012 OPTIONS IMPORT: timers and/or timeouts modified
Sun Apr 15 19:24:51 2012 OPTIONS IMPORT: --ifconfig/up options modified
Sun Apr 15 19:24:51 2012 OPTIONS IMPORT: route options modified
Sun Apr 15 19:24:51 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Apr 15 19:24:51 2012 ROUTE: default_gateway=UNDEF
Sun Apr 15 19:24:51 2012 TUN/TAP device tun1 opened
Sun Apr 15 19:24:51 2012 TUN/TAP TX queue length set to 100
Sun Apr 15 19:24:51 2012 /usr/sbin/ip link set dev tun1 up mtu 1500
Sun Apr 15 19:24:51 2012 /usr/sbin/ip addr add dev tun1 local 10.10.139.98 peer 10.10.139.97
Sun Apr 15 19:24:51 2012 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Sun Apr 15 19:24:51 2012 /usr/sbin/ip route add 10.10.0.1/32 via 10.10.139.97
RTNETLINK answers: File exists
Sun Apr 15 19:24:51 2012 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Apr 15 19:24:51 2012 GID set to nobody
Sun Apr 15 19:24:51 2012 UID set to nobody
Sun Apr 15 19:24:51 2012 Initialization Sequence Completed
But when I open whatismyipaddress.com, I don't see an IP change. Here is the output of netstat -nr:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
10.6.6.6        0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.10.0.1       10.10.139.97    255.255.255.255 UGH       0 0          0 tun0
10.10.139.97    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
I googled my problem but haven't found a working solution yet. If you need any further info, let me know.

TIA!
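Why the redirect failed and the public IP stayed the same, as an added example that is not part of the original post. OpenVPN 2.2 implements the pushed "redirect-gateway def1" with three routes: a host route to the VPN server via the current default gateway, then 0.0.0.0/1 and 128.0.0.0/1 via the tunnel peer (10.10.139.97 here). The netstat output shows the default route on ppp0 with gateway 0.0.0.0, because a point-to-point link has no next-hop address; OpenVPN 2.2 needs a gateway address there and otherwise logs "ROUTE: default_gateway=UNDEF" and skips the redirect. It still prints "Initialization Sequence Completed", so every packet keeps leaving in the clear over ppp0 while the client looks connected. The "RTNETLINK answers: File exists" error is a second, separate problem: this run opened tun1, but the table still holds the 10.10.0.1 host route on tun0 from an earlier OpenVPN instance that was never killed. The shell below works on the text of the posted routing table (embedded as constructed sample data), reproduces both findings and prints the routes that should have been installed; the device-route fallback for the server when there is no gateway address is my suggestion for a PPP link, not something OpenVPN 2.2 does.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose why "redirect-gateway def1"
# did nothing on the box above, and print the routes it should have installed.
# Everything works on the text of a routing table, so it runs offline; on a
# live host pass "$(netstat -nr)" or "$(route -n)" as the TABLE argument.

# Constructed sample: the netstat -nr output posted in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
10.6.6.6        0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.10.0.1       10.10.139.97    255.255.255.255 UGH       0 0          0 tun0
10.10.139.97    0.0.0.0         255.255.255.255 UH        0 0          0 tun0'

# default_gateway TABLE -> "<gateway> <iface>" of the default route.
# A point-to-point link (ppp0) has no next-hop address, so its gateway column
# is 0.0.0.0.  OpenVPN 2.2 wants a real address there and otherwise logs
# "default_gateway=UNDEF" and skips the redirect; we print UNDEF in that case.
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" && $3 == "0.0.0.0" {
            print ($2 == "0.0.0.0" ? "UNDEF" : $2), $NF
            exit
        }'
}

# host_route_iface TABLE DEST -> interface of an existing /32 route to DEST,
# exit status 1 if there is none.  A leftover route from an earlier instance
# (here on tun0, while this run opened tun1) is what makes "ip route add"
# answer "File exists".
host_route_iface() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == d && $3 == "255.255.255.255" { print $NF; found = 1; exit }
        END { exit !found }'
}

# def1_routes SERVER TUN_PEER TABLE -> the commands behind "redirect-gateway
# def1": keep the VPN server reachable over the original link, then cover
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel peer.  Two /1 routes are more
# specific than the /0 default, so they win without deleting it.  When the
# default route has no gateway address we fall back to a device route for the
# server; that fallback is my suggestion for a ppp link, not OpenVPN 2.2 behaviour.
def1_routes() {
    server=$1; peer=$2; table=$3
    set -- $(default_gateway "$table")
    gw=$1; dev=$2
    if [ -z "$gw" ]; then
        echo "no default route in table" >&2
        return 1
    fi
    if [ "$gw" = "UNDEF" ]; then
        echo "ip route add $server/32 dev $dev"
    else
        echo "ip route add $server/32 via $gw dev $dev"
    fi
    echo "ip route add 0.0.0.0/1 via $peer"
    echo "ip route add 128.0.0.0/1 via $peer"
}

# Stand-alone demo on the sample table.
echo "default gateway: $(default_gateway "$SAMPLE_ROUTES")"
if iface=$(host_route_iface "$SAMPLE_ROUTES" 10.10.0.1); then
    echo "stale host route to 10.10.0.1 on $iface: kill the old openvpn (pgrep -a openvpn) before retrying"
fi
def1_routes 178.238.142.243 10.10.139.97 "$SAMPLE_ROUTES"
```

After the routes are in place, "ip route get 8.8.8.8" should name the tun device, not ppp0; that check, not "Initialization Sequence Completed", is what tells you traffic is actually inside the tunnel. The pushed "dhcp-option DNS 10.10.0.1" is a separate matter: on Linux OpenVPN applies it only through an up script permitted by "script-security 2" (the NOTE at the top of the log), so DNS lookups can still go out over ppp0 even when the routes are right.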
 
04-23-2012, 10:05 AM   #2
konsolelover (Original Poster)
I tried to get it done by following this tutorial (which works on my Ubuntu box):

http://www.securitykiss.com/resource...conf_linux_nm/

So I followed the https://wiki.archlinux.org/index.php...anager#Openbox article and installed the networkmanager, nm-applet, network-manager-openvpn etc. packages. When I rebooted my system, nm-applet didn't show up in tint2 and I had to execute these commands:

Code:
sudo /etc/rc.d/dbus start
sudo /etc/rc.d/networkmanager restart
(BTW, there is an entry for "dbus-launch" in the .xinitrc file and "networkmanager" in /etc/rc.conf (in the daemons array).)
When I executed sudo nm-applet, it finally showed up, with these messages:

Code:
** Message: applet now removed from the notification area
** Message: applet now embedded in the notification area

** (nm-applet:3830): WARNING **: Failed to register as an agent: (32) Error statting file /var/run/ConsoleKit/database: No such file or directory


I configured the OpenVPN connection and saved the settings, but the connection is not "clickable" (see the screenshot).
I exported the settings from NetworkManager and tried to connect using this config file:

Code:
client
remote 184.154.116.156 123
ca /"path"/ca.crt
cert /"path"/client.crt
key /"path"/client.key
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn
When I executed the command sudo openvpn --config openvpn.conf, I got this error:

Code:
Mon Apr 23 20:13:06 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jan  3 2012
Mon Apr 23 20:13:06 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 23 20:13:06 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Apr 23 20:13:06 2012 LZO compression initialized
Mon Apr 23 20:13:06 2012 failed to find UID for user openvpn
Mon Apr 23 20:13:06 2012 Exiting
Then I executed the command:

Code:
sudo /usr/sbin/groupadd openvpn
but still no luck (I got the same error).

I read a similar thread and changed "openvpn" to "root", but that didn't work out either and gave a similar error as in my post #1 (unable to redirect default gateway blahblahblah).

Someone please tell me what I'm doing really stupid here.
TIA!
Attached screenshot: 2012-04-23-193127_1280x800_scrot.png

Last edited by konsolelover; 04-23-2012 at 10:27 AM.
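The two errors in this post, as an added example that is not from the original poster. "failed to find UID for user openvpn" is literal: "user openvpn" makes OpenVPN look the name up in the passwd database before dropping privileges, and "groupadd openvpn" creates a group, not a user; either create the account (something like "useradd -r -s /bin/false openvpn", which is my suggestion and not in the thread) or reuse "user nobody" / "group nobody" as post #1 did, where the log shows "UID set to nobody" working. The other line, "WARNING: No server certificate verification method has been enabled", is the one worth fixing before the connection ever works: without "ns-cert-type server" (or "remote-cert-tls server", its replacement; OpenVPN 2.5 removed ns-cert-type) the client accepts any certificate signed by the provider's CA as the server, another customer's client certificate included, which is the man-in-the-middle case the warning's URL describes. The NetworkManager export simply does not carry that directive, which is how it went missing between the two configs. The lint below checks a config for both problems against text copies of passwd and group so it runs offline; the config is the exported one from this post with the certificate paths taken from post #1's config, and the account databases are constructed to mirror the "groupadd but no useradd" state.

```shell
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN client config for
# the two things the log above complains about.  All inputs are text so it
# runs offline; on a live host call
#   lint_config "$(cat /etc/openvpn/client.conf)" "$(getent passwd)" "$(getent group)"

# Constructed sample: the config exported from NetworkManager, as posted, with
# the certificate paths taken from the first post's config.
NM_CONF='client
remote 184.154.116.156 123
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn'

# Constructed sample account databases: the state after "groupadd openvpn" with
# no matching useradd.  OpenVPN resolves "user" through passwd, so the group
# alone does not help; that is exactly "failed to find UID for user openvpn".
PASSWD_DB='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/false'
GROUP_DB='root:x:0:
nobody:x:99:
openvpn:x:1001:'

# The same config with both problems fixed: drop privileges to the existing
# nobody account, and require the peer's certificate to be a server
# certificate.  ns-cert-type is what post #1 used and what this CA is shown to
# satisfy ("VERIFY OK: nsCertType=SERVER"); on OpenVPN 2.5+ use
# "remote-cert-tls server" instead, which needs the serverAuth EKU in the cert.
FIXED_CONF="$(printf '%s\n' "$NM_CONF" | sed -e 's/^user .*/user nobody/' -e 's/^group .*/group nobody/')
ns-cert-type server"

# conf_value CONF DIRECTIVE -> first argument of the first active DIRECTIVE
# line (lines starting with ';' or '#' are comments and never match).
conf_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# conf_has CONF DIRECTIVE ARG -> exit 0 if "DIRECTIVE ARG" is present.
conf_has() {
    printf '%s\n' "$1" | awk -v d="$2" -v a="$3" '$1 == d && $2 == a { f = 1; exit } END { exit !f }'
}

# db_has DB NAME -> exit 0 if NAME is the first field of a passwd/group line.
db_has() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { f = 1; exit } END { exit !f }'
}

# lint_config CONF PASSWD_DB GROUP_DB -> one finding per line; exit 1 if any.
lint_config() {
    conf=$1; rc=0
    u=$(conf_value "$conf" user)
    if [ -n "$u" ] && ! db_has "$2" "$u"; then
        echo "user $u: not in passwd, openvpn will exit (groupadd does not create a user)"; rc=1
    fi
    g=$(conf_value "$conf" group)
    if [ -n "$g" ] && ! db_has "$3" "$g"; then
        echo "group $g: not in the group database"; rc=1
    fi
    # Without a server check, any certificate signed by the same CA, another
    # customer's client certificate included, is accepted as the server.
    if ! conf_has "$conf" ns-cert-type server && ! conf_has "$conf" remote-cert-tls server; then
        echo "no server certificate verification: add 'ns-cert-type server' or 'remote-cert-tls server'"; rc=1
    fi
    return $rc
}

# Stand-alone demo.
echo "--- as exported from NetworkManager"
lint_config "$NM_CONF" "$PASSWD_DB" "$GROUP_DB" || true
echo "--- fixed"
lint_config "$FIXED_CONF" "$PASSWD_DB" "$GROUP_DB" && echo "ok"
```

The lint only reads the first active occurrence of each directive, which is also why FIXED_CONF rewrites the user and group lines instead of appending new ones.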