LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-23-2008, 05:27 PM   #46
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47

This is the server config:

Code:
port 1194
proto tcp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.1.1.15 255.255.255.0 10.1.1.201 10.1.1.254
push "dhcp-option DNS 10.1.1.10"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC   # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Client config:


Code:
client
dev tap
proto tcp
remote home.iceteks.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca C:\\openvpnkeys\\ca.crt
cert C:\\openvpnkeys\\ryan.crt
key C:\\openvpnkeys\\ryan.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 5


This is the output of ipconfig on windows with the vpn connected:

Code:
Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : host.local
        IP Address. . . . . . . . . . . . : 192.168.142.143
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.142.1

Ethernet adapter Local Area Connection 9:

        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 10.1.1.201
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
I think the issue is that the VPN interface is not getting a gateway assigned; it probably should, right?


Oh, and I can surf the internet with the VPN on, and it seems to try to resolve through the DNS that it's supposed to (10.1.1.10), then falls back to the local DNS.

Last edited by Red Squirrel; 12-23-2008 at 05:30 PM.
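A small checker for the bridged server config above, added here as an example (it is not from the thread and not part of OpenVPN): it parses the directives, verifies that the `server-bridge` client pool and the pushed DNS server sit inside the bridge subnet and that the gateway is outside the pool, and flags `duplicate-cn`. `SERVER_CONF` is a constructed copy of the posted config with the blank lines dropped; the function names are my own.

```python
"""Lint an OpenVPN bridged server config (added example, not from the thread).

SERVER_CONF is a constructed copy of the server config posted above.
"""
import ipaddress

SERVER_CONF = """\
port 1194
proto tcp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.1.1.15 255.255.255.0 10.1.1.201 10.1.1.254
push "dhcp-option DNS 10.1.1.10"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC   # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
"""


def parse_conf(text):
    """Return (directive, argument-string) pairs; '#' and ';' introduce comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(';'):
            continue
        directive, _, args = line.partition(' ')
        entries.append((directive, args.strip().strip('"')))
    return entries


def check_bridge(entries):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    conf, pushes = {}, []
    for directive, args in entries:
        if directive == 'push':
            pushes.append(args)
        else:
            conf.setdefault(directive, []).append(args)

    if conf.get('dev', [''])[0] != 'tap':
        findings.append("server-bridge needs 'dev tap'")
    if 'server-bridge' not in conf:
        findings.append('no server-bridge directive')
        return findings
    fields = conf['server-bridge'][0].split()
    if len(fields) != 4:
        findings.append('server-bridge has no static pool (DHCP-proxy mode); nothing to check')
        return findings

    gw, mask, start, end = fields
    net = ipaddress.ip_network(f'{gw}/{mask}', strict=False)
    gw_addr = ipaddress.ip_address(gw)
    pool_start, pool_end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if pool_start > pool_end:
        findings.append('pool start is after pool end')
    for label, addr in (('pool start', pool_start), ('pool end', pool_end)):
        if addr not in net:
            findings.append(f'{label} {addr} not inside {net}')
    if pool_start <= gw_addr <= pool_end:
        findings.append('bridge gateway lies inside the client pool')

    # A DNS server pushed to clients must be reachable over the bridged LAN.
    for push in pushes:
        fields = push.split()
        if (fields[:2] == ['dhcp-option', 'DNS'] and len(fields) == 3
                and ipaddress.ip_address(fields[2]) not in net):
            findings.append(f'pushed DNS {fields[2]} is not on the bridged LAN')

    # duplicate-cn allows several simultaneous clients with the same certificate,
    # so a single leaked key cannot be revoked without disconnecting all of them.
    if 'duplicate-cn' in conf:
        findings.append('duplicate-cn: one certificate may be used by several clients '
                        'at once, so revoking it cuts off all of them')
    return findings


def check_text(text):
    """Convenience wrapper: lint a config given as text."""
    return check_bridge(parse_conf(text))


if __name__ == '__main__':
    for finding in check_text(SERVER_CONF):
        print('-', finding)
```

On the posted config the only finding is the `duplicate-cn` note; the pool 10.1.1.201-254, the gateway 10.1.1.15 and the pushed DNS 10.1.1.10 are all consistent with 10.1.1.0/24, so the addressing itself is not what stops the tunnel from passing traffic.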
 
Old 12-23-2008, 06:47 PM   #47
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
Oh, and this is the server-side ifconfig; does this look right? I noticed that the bridge has the same IP as the physical NIC, is that normal? Also, should the tap have an IP? If yes, how do I assign one?

Code:
[root@vpnsrv openvpn]# ifconfig
br0       Link encap:Ethernet  HWaddr 00:0C:29:40:66:7E
          inet addr:10.1.1.15  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe40:667e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5284 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4640 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:499419 (487.7 KiB)  TX bytes:1286309 (1.2 MiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:40:66:7E
          inet addr:10.1.1.15  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe40:667e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:41229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4958 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9038320 (8.6 MiB)  TX bytes:1314785 (1.2 MiB)
          Base address:0x2000 Memory:d8920000-d8940000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2096 (2.0 KiB)  TX bytes:2096 (2.0 KiB)

tap0      Link encap:Ethernet  HWaddr 00:FF:4A:67:6C:23
          inet6 addr: fe80::2ff:4aff:fe67:6c23/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:290 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
Old 12-23-2008, 07:10 PM   #48
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I'd be checking my bridging script - the broadcast address for br0 looks wrong to me.
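The broadcast mismatch is easy to miss by eye, so here is an added example (not from the thread) that parses ifconfig output, recomputes each interface's broadcast address from its IP and netmask, and also reports an IPv4 address configured on more than one interface; on a Linux bridge the address normally belongs to `br0` alone and the enslaved port carries none. `IFCONFIG` is a constructed excerpt of the server output posted above; the function names are my own.

```python
"""Check ifconfig output for a wrong broadcast address and for an address
shared by a bridge and its member port (added example, not from the thread).

IFCONFIG is a constructed excerpt of the server ifconfig output posted above.
"""
import ipaddress
import re

IFCONFIG = """\
br0       Link encap:Ethernet  HWaddr 00:0C:29:40:66:7E
          inet addr:10.1.1.15  Bcast:192.168.8.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:0C:29:40:66:7E
          inet addr:10.1.1.15  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

tap0      Link encap:Ethernet  HWaddr 00:FF:4A:67:6C:23
          inet6 addr: fe80::2ff:4aff:fe67:6c23/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
"""

FIELD_RE = {
    'ip': re.compile(r'inet addr:(\S+)'),
    'bcast': re.compile(r'Bcast:(\S+)'),
    'mask': re.compile(r'Mask:(\S+)'),
}


def parse_ifconfig(text):
    """Map interface name -> {'ip', 'bcast', 'mask'} (a value is None when absent);
    an interface with no IPv4 'inet addr' line maps to None."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # new interface block starts in column 0
            current = line.split()[0]
            ifaces[current] = None
        elif current and 'inet addr:' in line:  # the IPv4 line of the current block
            info = {}
            for key, rx in FIELD_RE.items():
                m = rx.search(line)
                info[key] = m.group(1) if m else None
            ifaces[current] = info
    return ifaces


def broadcast_mismatches(ifaces):
    """{iface: (configured_bcast, expected_bcast)} for interfaces where they differ."""
    bad = {}
    for name, info in ifaces.items():
        if not info or info['bcast'] is None:
            continue  # no IPv4 address, or loopback/point-to-point without Bcast
        net = ipaddress.ip_network(f"{info['ip']}/{info['mask']}", strict=False)
        expected = str(net.broadcast_address)
        if info['bcast'] != expected:
            bad[name] = (info['bcast'], expected)
    return bad


def shared_addresses(ifaces):
    """{address: [iface, ...]} for IPv4 addresses present on more than one interface."""
    by_addr = {}
    for name, info in ifaces.items():
        if info:
            by_addr.setdefault(info['ip'], []).append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == '__main__':
    parsed = parse_ifconfig(IFCONFIG)
    print('broadcast mismatches:', broadcast_mismatches(parsed))
    print('shared addresses:', shared_addresses(parsed))
```

Run against the posted output this flags `br0` (configured 192.168.8.255, expected 10.1.1.255 for 10.1.1.15/24) and reports 10.1.1.15 on both `br0` and `eth0`; `tap0` is parsed but has no IPv4 address, which is expected for a port that has been added to the bridge.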
 
Old 12-23-2008, 07:16 PM   #49
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
Hmm, you're right. I must have missed that in the script. I set it to 10.1.1.255 and restarted the bridge and the OpenVPN service as well as the client on the other end. Still nothing.

Also, if the firewall is off then it should work, right? Or do I still need to turn the firewall on and then open up the interface?

Last edited by Red Squirrel; 12-23-2008 at 07:21 PM.
 
Old 12-23-2008, 07:32 PM   #50
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
How have you "turned it off"?

Check

iptables -L -v
 
Old 12-23-2008, 07:36 PM   #51
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
This is what I get:

Code:
[root@vpnsrv openvpn]# service iptables status
iptables: Firewall is not running.
[root@vpnsrv openvpn]#
[root@vpnsrv openvpn]#
[root@vpnsrv openvpn]#
[root@vpnsrv openvpn]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@vpnsrv openvpn]#

Yeah, this is insecure, but I want to take it one step at a time. Once I get the VPN working I'll worry about the firewall. (And thanks for the help, btw; I'd be lost otherwise. We'll get this working eventually!)


Also, I'm using a third-party client; could this be an issue? http://openvpn.se/

I can't find the official client, they only have the server listed on the openvpn site.

Last edited by Red Squirrel; 12-23-2008 at 07:57 PM.
 
Old 12-23-2008, 08:11 PM   #52
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I still think the base issue is this route entry

Code:
         10.1.1.0    255.255.255.0       10.1.1.200      10.1.1.200	  30
Can you delete this and replace it with a 201 entry?
 
Old 12-23-2008, 09:27 PM   #53
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
Hmm, weird. I'm at home now, so I just tried from home (from an external network) and I get 10.1.1.201 as the gateway now.

Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 80 1d bf ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
0x10004 ...00 ff 69 9d 35 ad ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.0.1     10.10.0.253	  10
         10.1.1.0    255.255.255.0       10.1.1.201      10.1.1.201	  30
       10.1.1.201  255.255.255.255        127.0.0.1       127.0.0.1	  30
        10.10.0.0    255.255.255.0      10.10.0.253     10.10.0.253	  10
      10.10.0.253  255.255.255.255        127.0.0.1       127.0.0.1	  10
   10.255.255.255  255.255.255.255       10.1.1.201      10.1.1.201	  30
   10.255.255.255  255.255.255.255      10.10.0.253     10.10.0.253	  10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
        224.0.0.0        240.0.0.0       10.1.1.201      10.1.1.201	  30
        224.0.0.0        240.0.0.0      10.10.0.253     10.10.0.253	  10
  255.255.255.255  255.255.255.255       10.1.1.201      10.1.1.201	  1
  255.255.255.255  255.255.255.255      10.10.0.253     10.10.0.253	  1
Default Gateway:         10.10.0.1
===========================================================================
Persistent Routes:
  None

Still can't access anything though. If it makes a difference, the way this network is set up is:

a 10.10.0.0/24 network, with the 10.1.1.0/24 network plugged into that network (NAT). But it should not make a difference. Basically, from work I was connecting through two routers; now I'm connecting through one. The port is just forwarded twice.
 
Old 12-23-2008, 09:44 PM   #54
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I suspect there's something wrong with your bridge setup.

Are you prepared to give a routed solution a quick go? Should only take 15 mins.

I'd also try over UDP rather than TCP.

NOTE

I just saw something interesting in a sample config - try this first

Code:
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
Uncomment the dev-node entry and replace MyTap with the relevant adapter name.
 
Old 12-23-2008, 09:55 PM   #55
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
Should I name the tap to match the tap name on the client, e.g. "Local Area Connection 2", or the tap name on the server? Either way, I tried both, no go.


Code:
Dec 23 22:34:29 vpnsrv openvpn[3271]: Note: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2)
Dec 23 22:34:29 vpnsrv openvpn[3271]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Dec 23 22:34:29 vpnsrv openvpn[3271]: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2)
Dec 23 22:34:29 vpnsrv openvpn[3271]: Exiting
[root@vpnsrv openvpn]# ifconfig
br0       Link encap:Ethernet  HWaddr 00:0C:29:40:66:7E
          inet addr:10.1.1.15  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe40:667e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5114 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3765 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:504458 (492.6 KiB)  TX bytes:532746 (520.2 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:40:66:7E
          inet addr:10.1.1.15  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe40:667e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1128253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3939 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:823416876 (785.2 MiB)  TX bytes:554903 (541.8 KiB)
          Base address:0x2000 Memory:d8920000-d8940000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1424 (1.3 KiB)  TX bytes:1424 (1.3 KiB)

tap0      Link encap:Ethernet  HWaddr 00:FF:BF:CA:D8:72
          inet6 addr: fe80::2ff:bfff:feca:d872/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:1116 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@vpnsrv openvpn]#


Guess the next step is to try routed, I suppose, though I had the exact same issues; that's when I decided to try bridged, and bridged will serve my needs better anyway as I need to be able to access Samba shares.

Also, do I need to do anything special on the client? Like, do I need to bridge the tap and the physical adapter? I tried that but it did not work.

I'll give UDP a go as well.
 
Old 12-23-2008, 10:05 PM   #56
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
You can still map samba shares over a route.

http://openvpn.net/index.php/documen...wto.html#samba
 
Old 12-23-2008, 10:21 PM   #57
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
Hmm, good to know. I may be able to stick to routed then; less complexity.

Now I'm having other issues though (routed). I get these errors in the client:

Code:
Tue Dec 23 23:18:39 2008 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue Dec 23 23:18:59 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 23 23:18:59 2008 TLS Error: TLS handshake failed
Tue Dec 23 23:18:59 2008 TCP/UDP: Closing socket
I disabled the bridge on the server and made sure client/server is dev tun, and I also removed the server-bridge and replaced it with server (and a different IP in an unused range).

Edit: OK, this is messed up. I rebooted the server and the service is not running, yet it's connecting anyway; how is this possible? It's even prompting for a password. (Still get those other errors.)

Last edited by Red Squirrel; 12-23-2008 at 10:24 PM.
 
Old 12-23-2008, 10:29 PM   #58
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,143

Original Poster
Rep: Reputation: 47
Getting some progress!

I can ping the server (10.1.1.15) and I can ping the gateway (10.1.10.1, the range I set for the VPN).

So now I just need to get it to route properly to the 10.1.1.0/24 network.

This is the client routing table. It looks OK to me; anything there that looks wrong?

Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x30002 ...00 ff 69 9d 35 ad ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
0x50004 ...00 0c 29 80 1d bf ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.0.1     10.10.0.253	  10
         10.1.1.0    255.255.255.0        10.1.10.5       10.1.10.6	  1
        10.1.10.1  255.255.255.255        10.1.10.5       10.1.10.6	  1
        10.1.10.4  255.255.255.252        10.1.10.6       10.1.10.6	  30
        10.1.10.6  255.255.255.255        127.0.0.1       127.0.0.1	  30
        10.10.0.0    255.255.255.0      10.10.0.253     10.10.0.253	  10
      10.10.0.253  255.255.255.255        127.0.0.1       127.0.0.1	  10
   10.255.255.255  255.255.255.255        10.1.10.6       10.1.10.6	  30
   10.255.255.255  255.255.255.255      10.10.0.253     10.10.0.253	  10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
        224.0.0.0        240.0.0.0        10.1.10.6       10.1.10.6	  30
        224.0.0.0        240.0.0.0      10.10.0.253     10.10.0.253	  10
  255.255.255.255  255.255.255.255        10.1.10.6       10.1.10.6	  1
  255.255.255.255  255.255.255.255      10.10.0.253     10.10.0.253	  1
Default Gateway:         10.10.0.1
===========================================================================
Persistent Routes:
  None

Last edited by Red Squirrel; 12-23-2008 at 10:33 PM.
 
Old 12-23-2008, 10:46 PM   #59
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Try

push "route 10.1.1.0 255.255.255.0"


in server.conf
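To see which entry of the client's routing table actually carries a packet, here is an added example (not from the thread) that parses the Active Routes block of a Windows `route print` and applies the usual selection rule: longest matching prefix first, lowest metric on a tie. `ROUTE_PRINT` is a constructed copy of the table from the routed-mode post above, and `without()` lets you see where 10.1.1.x traffic goes once the 10.1.1.0/24 entry is absent, which is the case a `push "route 10.1.1.0 255.255.255.0"` in server.conf addresses; the function names are my own.

```python
"""Parse a Windows 'route print' table and pick the route for a destination
(added example, not from the thread).

ROUTE_PRINT is a constructed copy of the Active Routes table posted above.
"""
import ipaddress

ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.0.1     10.10.0.253     10
         10.1.1.0    255.255.255.0        10.1.10.5       10.1.10.6      1
        10.1.10.1  255.255.255.255        10.1.10.5       10.1.10.6      1
        10.1.10.4  255.255.255.252        10.1.10.6       10.1.10.6     30
        10.1.10.6  255.255.255.255        127.0.0.1       127.0.0.1     30
        10.10.0.0    255.255.255.0      10.10.0.253     10.10.0.253     10
      10.10.0.253  255.255.255.255        127.0.0.1       127.0.0.1     10
   10.255.255.255  255.255.255.255        10.1.10.6       10.1.10.6     30
   10.255.255.255  255.255.255.255      10.10.0.253     10.10.0.253     10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
        224.0.0.0        240.0.0.0        10.1.10.6       10.1.10.6     30
        224.0.0.0        240.0.0.0      10.10.0.253     10.10.0.253     10
  255.255.255.255  255.255.255.255        10.1.10.6       10.1.10.6      1
  255.255.255.255  255.255.255.255      10.10.0.253     10.10.0.253      1
Default Gateway:         10.10.0.1
"""


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from the Active Routes table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:      # route rows have exactly five columns
            continue
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.ip_network(f'{dest}/{mask}', strict=False)
            routes.append((net, gw, iface, int(metric)))
        except ValueError:
            continue             # header text or anything that is not an address
    return routes


def lookup(routes, dst):
    """Route the stack would use for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))


def without(routes, cidr):
    """Copy of the table with every entry for exactly this network removed."""
    target = ipaddress.ip_network(cidr)
    return [r for r in routes if r[0] != target]


if __name__ == '__main__':
    table = parse_routes(ROUTE_PRINT)
    for dst in ('10.1.1.15', '10.1.10.1', '8.8.8.8'):
        net, gw, iface, metric = lookup(table, dst)
        print(f'{dst:>12} -> {net} via {gw} on {iface} (metric {metric})')
    net, gw, iface, _ = lookup(without(table, '10.1.1.0/24'), '10.1.1.15')
    print(f'without the LAN route: 10.1.1.15 -> {net} via {gw} on {iface}')
```

With the posted table, 10.1.1.15 is sent to 10.1.10.5 on the TAP interface 10.1.10.6, so the client side of the routing looks right; remove that /24 entry and the same packet falls through to the default gateway 10.10.0.1 on the physical NIC and never enters the tunnel, which is exactly why a route to the LAN has to exist on the client, whether added by hand or pushed by the server.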
 
Old 12-23-2008, 10:55 PM   #60
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
RS - note that you may have a downstream firewall blocking traffic from this subnet.