Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Sun Sep 20 20:29:13 2009 Initialization Sequence Completed
says so.
After you press <Ctrl>+c, you are basically terminating the application. OpenVPN will not exit until you shut it down. You need to run the application in the background. Just put an `&` at the end of the command.
Regards,
--
Prasanta
like this?
Code:
[root@localhost keys]# openvpn /etc/openvpn/easy-rsa/keys/server.conf&
[1] 1821
[root@localhost keys]# Sun Sep 20 20:40:45 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
Sun Sep 20 20:40:45 2009 Diffie-Hellman initialized with 1024 bit key
Sun Sep 20 20:40:45 2009 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Sep 20 20:40:45 2009 TUN/TAP device tun0 opened
Sun Sep 20 20:40:45 2009 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep 20 20:40:45 2009 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Sep 20 20:40:45 2009 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Sun Sep 20 20:40:45 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Sep 20 20:40:45 2009 GID set to nobody
Sun Sep 20 20:40:45 2009 UID set to nobody
Sun Sep 20 20:40:45 2009 UDPv4 link local (bound): [undef]:1194
Sun Sep 20 20:40:45 2009 UDPv4 link remote: [undef]
Sun Sep 20 20:40:45 2009 MULTI: multi_init called, r=256 v=256
Sun Sep 20 20:40:45 2009 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Sep 20 20:40:45 2009 IFCONFIG POOL LIST
Sun Sep 20 20:40:45 2009 Initialization Sequence Completed
[root@localhost keys]#
Now the client
I get a "port number is out of range" error and it fails to connect.
Now obviously, this could be a few things. The port is open on the server as I have it on udp in my iptables rules.
The client is Windows - not sure what these have to be set to:
Code:
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
The client conf is:
Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 88.xxx.xxx.xxx -1 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert myfirst.cert.crt
key myfirst.cert.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Yes, that should be fine enough. Just open UDP port 1194 on your firewall. First try telnet to the port.
Code:
remote 88.xxx.xxx.xxx -1 1194
What is the `-1` for? It should have been,
Code:
remote 88.xxx.xxx.xxx 1194
The other configuration seems to be fine. Check the openvpn.log as well when you try to connect.
Regards,
--
Prasanta
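The `-1` Prasanta spotted is the whole story behind the "port number is out of range" message: OpenVPN reads `remote <host> [port] [proto]` positionally, so the `-1` lands in the port slot and `1194` in the proto slot. Below is a small pre-flight check that catches this class of mistake before the client is started. It is an added example, not part of the thread: the sample config is constructed (host names are placeholders) and the check assumes the `remote host [port] [proto]` form of OpenVPN 2.1 and later; the 2.0.9 build in the thread only takes `host [port]`, which is covered as well.

```shell
#!/bin/sh
# Added example, not code from the thread: a pre-flight check for the `remote`
# lines of an OpenVPN client config. The sample config below is constructed for
# the demo and includes the line as posted ("remote 88.xxx.xxx.xxx -1 1194"),
# which is what makes OpenVPN refuse to start with a port-out-of-range error.
set -eu

# valid_port TOKEN: true only if TOKEN is a decimal integer in 1..65535.
# "-1" fails the digit check; "70000" fails the range check.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_remotes FILE: one "OK"/"BAD: reason" line per active `remote` directive.
# Lines commented out with ';' or '#' are skipped, as OpenVPN skips them.
# Syntax checked: remote <host> [port] [proto]   (port defaults to 1194).
# Returns 1 if any remote line is bad, so it can gate a start-up script.
check_remotes() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                      # split the line into words (intended)
    [ "${1:-}" = "remote" ] || continue
    host="${2:-}"; port="${3:-1194}"; proto="${4:-}"
    verdict="OK"
    if [ -z "$host" ]; then
      verdict="BAD: missing host"
    elif ! valid_port "$port"; then
      verdict="BAD: port '$port' is not in 1..65535"
    else
      case "$proto" in
        ''|udp|tcp|tcp-client|udp4|udp6|tcp4|tcp6|tcp4-client|tcp6-client) ;;
        *) verdict="BAD: unknown proto '$proto'" ;;
      esac
    fi
    printf '%s\t%s\n' "$verdict" "$line"
    [ "$verdict" = "OK" ] || bad=1
  done < "$1"
  return "$bad"
}

# Constructed sample client config (host names are placeholders).
CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT HUP INT TERM
cat > "$CFG" <<'EOF'
client
dev tun
proto udp
# the line as posted in the thread: "-1" lands in the port position
remote 88.xxx.xxx.xxx -1 1194
;remote my-server-2 1194
remote vpn.example.org 1194
remote vpn.example.org 443 tcp
remote vpn.example.org 70000
EOF

check_remotes "$CFG" || echo "fix the BAD lines before starting openvpn" >&2
```

Run against the real `.ovpn` instead of `$CFG` and the two bad lines from the sample are reported as `BAD: port '-1' is not in 1..65535` and `BAD: port '70000' is not in 1..65535`; the commented `;remote` line is ignored, and the function's non-zero exit makes it usable as a guard in a wrapper script.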
Hmm...almost there
Sun Sep 20 20:55:06 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sun Sep 20 20:55:06 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Sep 20 20:55:06 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 20 20:55:06 2009 Cannot load certificate file myfirst.cert.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sun Sep 20 20:55:06 2009 Exiting
I hope you have copied all the files (ca.crt, myfirst.cert.crt, myfirst.cert.key) to your remote machine. Did you use `pkitool` to create the myfirst.cert.key file, or the `build-key-client` script? In case you used the latter to create the keys, it will not work.
Code:
./pkitool testuser
Regards,
--
Prasanta
Ok, I have re-created the keys using the pkitool.
So, I have to copy
ca.crt, myfirst.cert.crt, myfirst.cert.key
to the client?
What about myfirst.cert.csr ??
Do they go in the client configuration folder with the client config file?
No, the .csr file stays in the server itself in the keys directory.
Regards,
--
Prasanta
Yes!!!!
Connected. Thank you for all your help.
Is this ok:
Sun Sep 20 21:18:17 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 20 21:18:18 2009 LZO compression initialized
And last question:
If I want my clients to use a VPN, do I give them the 4 files and tell them to put them in a folder?
theircertificate.crt
theircertificate.key
ca.crt
windows.ovpn
Isn't there a better way of getting the certificates?
What is the ca.crt file?
I am connected but the server still shows my IP as my current IP address, shouldn't it be the server's IP address?
Maybe there is a problem because I have a wireless connection though I thought the VPN bypassed all of that automatically?
That is fine. Yes, you need to give the 4 files to the client for them to connect. There is no better way of generating the certificates; you need to generate them manually. ca.crt is your own root certificate authority.
Please mark the thread as solved.
Regards,
--
Prasanta
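Prasanta's answers above settle which files travel to the user (ca.crt, the user's .crt and .key, plus the .ovpn) and what ca.crt is. The warning the poster asks about at 21:18:17 is the other half of the picture: with `ns-cert-type server` left commented out in the client config, the client accepts any certificate signed by ca.crt as "the server", including another user's client certificate. The script below is an added example, not from the thread or from easy-rsa: it builds a throwaway CA, a server certificate and a client certificate with the plain openssl CLI (Example-CA, vpn.example.org and client1 are made-up names), checks the client bundle the way you would before handing it out, and checks that only the server certificate carries the server markers that `ns-cert-type server` (OpenVPN 2.0) or `remote-cert-tls server` (2.1 and later) verify. easy-rsa's `build-key-server` sets the same nsCertType=server extension, as the config comments say.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway OpenVPN-style PKI
# with the openssl CLI and run the checks you would do before handing a user
# ca.crt + <user>.crt + <user>.key. Names (Example-CA, vpn.example.org, client1)
# are made up for the demo; easy-rsa's pkitool / build-key-server perform the
# same steps through their own openssl.cnf.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT HUP INT TERM

# make_pki DIR: root CA, a server certificate marked as a server, a plain client certificate.
make_pki() {
  dir="$1"
  # Root CA. ca.crt is distributed to every client; ca.key never leaves the server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example-CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server certificate. nsCertType=server is what `ns-cert-type server` (OpenVPN 2.0)
  # checks on the client; extendedKeyUsage=serverAuth is what `remote-cert-tls server`
  # (OpenVPN 2.1 and later) checks. Without one of these checks a client cannot tell
  # the real server from any other holder of a certificate signed by the same CA.
  printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
    > "$dir/server.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.org" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client certificate: one per user, no server markers (what `pkitool client1` gives you).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$dir/client1.key" -out "$dir/client1.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/client1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/client1.crt" 2>/dev/null
}

# check_client_bundle DIR NAME: true only if NAME.crt chains to ca.crt and
# NAME.key is the private key behind NAME.crt (their public keys must be identical).
check_client_bundle() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  cert_pub="$(openssl x509 -noout -pubkey -in "$dir/$name.crt" 2>/dev/null)"
  key_pub="$(openssl pkey -pubout -in "$dir/$name.key" 2>/dev/null)"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# is_server_cert DIR NAME: true if NAME.crt carries both server markers above.
# A client certificate must fail this check; otherwise any user could stand up a
# fake VPN server that the other clients would accept.
is_server_cert() {
  text="$(openssl x509 -noout -text -in "$1/$2.crt" 2>/dev/null)"
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$text" | grep -q 'SSL Server'
}

make_pki "$WORK"
check_client_bundle "$WORK" client1 && echo "client1: certificate chains to ca.crt and matches client1.key"
is_server_cert "$WORK" server && echo "server.crt carries the server markers"
is_server_cert "$WORK" client1 || echo "client1.crt is not usable as a server certificate (as it should be)"
# Hand out: ca.crt, client1.crt, client1.key and the .ovpn.
# Keep ca.key, server.key, server.crt and every .csr on the server.
ls "$WORK"
```

The script needs only the openssl command line tool and removes its working directory on exit. The bundle check is the one to run when a user reports `Cannot load certificate file` or a TLS handshake failure: a file that is missing, swapped with another user's key, or signed by a different CA fails here before anyone touches the VPN.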
what is the server verification method for?
I am connected but the server still shows my IP as my current IP address, shouldn't it be the server's IP address?
Maybe there is a problem because I have a wireless connection though I thought the VPN bypassed all of that automatically?
Your tun0 interface would have been up after you connected to OpenVPN. As per the log, you should be given a 10.8.x.x IP.
Regards,
--
Prasanta
Yes, it connects and goes green and gives me the IP 10.8.x.x
This is linked to Local Area Connection 5 in my Network connections in Windows but that is a newly created network connection for the TAP win32 adapter.
However, when I open up a webpage with whatsmyip, it gives me my actual WAN IP address not the IP of the server or in fact an IP of 10.8.x.x
Hi, thanks.
I thought the point of the VPN was to be connected to the server network?
I need my users to have a geo-specific IP address, i.e. the IP address of the server. They can't use an HTTP proxy because some of the applications are not HTTP but need to be recognised.
When you are connected to the VPN and start browsing, the IP address that the outside world will see is the address of the outgoing server (external IP of your LAN, in case you have done NAT). In case you are using a proxy server in the LAN, the client should also use the proxy for browsing.
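What the poster is after (clients whose internet traffic leaves through the VPN server, so that the outside world sees the server's public address) is what OpenVPN calls a full tunnel, and it takes two things that the server config shown in the log does not have: the server must push a default route to the clients, and the server host must forward and NAT the tunnel subnet. The fragment below is an added example, not the poster's or Prasanta's config; the 10.8.0.0/24 subnet is the one in the server log above, while the DNS address is an assumption.

```conf
# Added example (not from the thread): server.conf additions for a full tunnel,
# where a client's internet traffic exits through the VPN server. The tunnel
# subnet 10.8.0.0/24 is the one from the server log; the DNS address is assumed.

# Hand every client a default route through the tunnel. "def1" adds 0.0.0.0/1
# and 128.0.0.0/1 rather than replacing the client's own default route, so the
# original route comes back cleanly when the client disconnects.
push "redirect-gateway def1"

# Recommended with a full tunnel: without it a Windows client keeps resolving
# names through its local ISP resolver, which reveals the client's real
# location even though the data goes through the tunnel. The address below is
# an assumed resolver reachable from the tunnel (the server's own tun0 address).
push "dhcp-option DNS 10.8.0.1"
```

On the Linux server the kernel must forward packets (`sysctl -w net.ipv4.ip_forward=1`) and the tunnel subnet must be NATed on the public interface, for example `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` with eth0 standing for whichever interface carries the public address, plus matching FORWARD rules if that chain's policy is DROP. Without the NAT rule packets from 10.8.0.x leave the server with their tunnel source address and never come back, which shows up on the client as "connected but no internet". The whatsmyip check the poster already used is the right test afterwards: it should now report the server's address.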