linux vpn

Red Squirrel · 12-19-2008, 11:12 PM

Hooking up from windows using this client: http://openvpn.se/

I can't ping anything at all, not even the server.

billymayday · 12-19-2008, 11:28 PM

If you fire openvpn up from the command line (ie rather than starting the service), you should be able to see the chatter that goes on when the client tries to connect.

Try that and post the output.

Can you post the client config as well?

billymayday · 12-19-2008, 11:48 PM

Another question - have you opened upd port 1194 on the server? You may also need to allow traffic through tap0. Here's what I have for tun0:

$IPTABLES -A INPUT -i tun0 -j ACCEPT
$IPTABLES -A OUTPUT -o tun0 -j ACCEPT
$IPTABLES -A FORWARD -i tun0 -j ACCEPT

in addition to opening 1194

ne pas · 12-20-2008, 08:26 AM

Quote:

Originally Posted by Red Squirrel

the reason I want the vpn is so I can also route.

Ex: I open ssh, I have to specify which ports and which servers to tunnel through. With vpn, everything is open. I just access the Ip directly as if I'm plugged right in.

Or is there a way to do this with just ssh? Since if yes that would be even better.

Yes, SSH can do this, you may want to have a look at ssh(1) manpage - Section SSH-BASED VIRTUAL PRIVATE NETWORKS.
It's good if you want to quickly setup a VPN connection, but for long-term usage you should go with OpenVPN.

Red Squirrel · 12-20-2008, 01:51 PM

Quote:

Originally Posted by billymayday

Another question - have you opened upd port 1194 on the server? You may also need to allow traffic through tap0. Here's what I have for tun0:

$IPTABLES -A INPUT -i tun0 -j ACCEPT
$IPTABLES -A OUTPUT -o tun0 -j ACCEPT
$IPTABLES -A FORWARD -i tun0 -j ACCEPT

in addition to opening 1194

To rule out firewall I just turned it off completely for now. Once I get it working I'll then turn it on and open up what I need.

As for client, the GUI does provide some log output, I'll post it when I get to work (can't really test from here as I'm on the network)

Red Squirrel · 12-22-2008, 06:14 PM

Ok when I connect this is the output of the server log:

Code:

Dec 22 18:54:40 extsrv openvpn[7075]: MULTI: multi_create_instance called
Dec 22 18:54:40 extsrv openvpn[7075]: Re-using SSL/TLS context
Dec 22 18:54:40 extsrv openvpn[7075]: LZO compression initialized
Dec 22 18:54:40 extsrv openvpn[7075]: Control Channel MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Dec 22 18:54:40 extsrv openvpn[7075]: Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Dec 22 18:54:40 extsrv openvpn[7075]: Local Options hash (VER=V4): 'de0ebdfe'
Dec 22 18:54:40 extsrv openvpn[7075]: Expected Remote Options hash (VER=V4): '39ac68d4'
Dec 22 18:54:40 extsrv openvpn[7075]: TCP connection established with 142.217.217.197:45370
Dec 22 18:54:40 extsrv openvpn[7075]: Socket Buffers: R=[131072->131072] S=[131072->131072]
Dec 22 18:54:40 extsrv openvpn[7075]: TCPv4_SERVER link local: [undef]
Dec 22 18:54:40 extsrv openvpn[7075]: TCPv4_SERVER link remote: 142.217.217.197:45370
Dec 22 18:54:40 extsrv openvpn[7075]: 142.217.217.197:45370 TLS: Initial packet from 142.217.217.197:45370, sid=04a175d0 81af0fb4
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 VERIFY OK: depth=1, /C=CA/ST=ON/L=Timmins/O=IceTeks/OU=n/a/CN=home.iceteks.net/emailAddress=ryan@iceteks.com
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 VERIFY OK: depth=0, /C=CA/ST=ON/L=Timmins/O=IceTeks/CN=ryan/emailAddress=ryan@iceteks.com
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 22 18:54:43 extsrv openvpn[7075]: 142.217.217.197:45370 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec 22 18:54:43 extsrv openvpn[7075]: 142.217.217.197:45370 [ryan] Peer Connection Initiated with 142.217.217.197:45370
Dec 22 18:54:44 extsrv openvpn[7075]: ryan/142.217.217.197:45370 PUSH: Received control message: 'PUSH_REQUEST'
Dec 22 18:54:44 extsrv openvpn[7075]: ryan/142.217.217.197:45370 SENT CONTROL [ryan]: 'PUSH_REPLY,dhcp-option DNS 10.1.1.10,route-gateway 10.1.1.15,ping 10,ping-restart 120,ifconfig 10.1.1.200 255.255.255.0' (status=1)
Dec 22 18:54:46 extsrv openvpn[7075]: ryan/142.217.217.197:45370 MULTI: Learn: 00:ff:e4:0a:7a:41 -> ryan/142.217.217.197:45370

And the client:

Code:

Mon Dec 22 19:11:59 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Dec 22 19:11:59 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Dec 22 19:12:03 2008 LZO compression initialized
Mon Dec 22 19:12:03 2008 Attempting to establish TCP connection with 208.101.115.38:1194
Mon Dec 22 19:12:04 2008 TCP connection established with 208.101.115.38:1194
Mon Dec 22 19:12:04 2008 TCPv4_CLIENT link local: [undef]
Mon Dec 22 19:12:04 2008 TCPv4_CLIENT link remote: 208.101.115.38:1194
Mon Dec 22 19:12:06 2008 [home.iceteks.net] Peer Connection Initiated with 208.101.115.38:1194
Mon Dec 22 19:12:08 2008 TAP-WIN32 device [Local Area Connection 9] opened: \\.\Global\{E40A7A41-DA9E-4079-A2B9-23580B57D584}.tap
Mon Dec 22 19:12:08 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.1.200/255.255.255.0 on interface {E40A7A41-DA9E-4079-A2B9-23580B57D584} [DHCP-serv: 10.1.1.0, lease-time: 31536000]
Mon Dec 22 19:12:08 2008 Successful ARP Flush on interface [2] {E40A7A41-DA9E-4079-A2B9-23580B57D584}
Mon Dec 22 19:12:10 2008 Initialization Sequence Completed

I cannot ping anything at all or connect to anything when I'm on the vpn. I get an IP assigned and that's it.

This is the client's routing table if it helps:

Code:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff e4 0a 7a 41 ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
0x10004 ...00 0c 29 b2 50 3a ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.142.1  192.168.142.143	  10
         10.1.1.0    255.255.255.0       10.1.1.200      10.1.1.200	  30
       10.1.1.200  255.255.255.255        127.0.0.1       127.0.0.1	  30
   10.255.255.255  255.255.255.255       10.1.1.200      10.1.1.200	  30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
    192.168.142.0    255.255.255.0  192.168.142.143  192.168.142.143	  10
  192.168.142.143  255.255.255.255        127.0.0.1       127.0.0.1	  10
  192.168.142.255  255.255.255.255  192.168.142.143  192.168.142.143	  10
        224.0.0.0        240.0.0.0       10.1.1.200      10.1.1.200	  30
        224.0.0.0        240.0.0.0  192.168.142.143  192.168.142.143	  10
  255.255.255.255  255.255.255.255       10.1.1.200      10.1.1.200	  1
  255.255.255.255  255.255.255.255  192.168.142.143  192.168.142.143	  1
Default Gateway:     192.168.142.1
===========================================================================
Persistent Routes:
  None

billymayday · 12-22-2008, 07:17 PM

I guess that looks OK. Note (from openvpn site)

Quote:

# You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).

Can you verify linux firewall is fully open (iptables -L -v), and check windows side.

I'd also run "tracert some.ip.on.network" from windows box.

Red Squirrel · 12-22-2008, 07:23 PM

Both firewalls open. I plan to lock it down once I get this working, but for now it's wide open on both ends.

I also cannot tracert anywhere, just timeouts. I can ping my real (on the LAN) gateway though, is that normal? VPN should take over no? it's like if it's not really actually connecting.

billymayday · 12-22-2008, 07:48 PM

If you mean 192.168.142.1, you should still be able to ping that. By default, openvpn just gives you another NIC (effectively) that is connected to the remote network.

You can force it to take over by pushing the default route to the client to point to your LAN (see http://openvpn.net/index.php/documen....html#redirect)

Question - what's the IP of your windows machine before you connect?

Red Squirrel · 12-22-2008, 08:05 PM

Windows machine is 192.168.142.143. The vpn one is 10.1.1.201 which is within the subnet of my home network.

billymayday · 12-22-2008, 08:26 PM

Isn't the VPN IP 10.1.1.200?

What IP are you pinging btw?

Can you start the server from the command line and post the startup messages? SHould look something like

Code:

#openvpn /etc/openvpn/server.conf
Tue Dec 23 13:23:28 2008 OpenVPN 2.1_rc9 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug  1 2008
Tue Dec 23 13:23:28 2008 Diffie-Hellman initialized with 1024 bit key
Tue Dec 23 13:23:28 2008 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Tue Dec 23 13:23:28 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 23 13:23:28 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 23 13:23:28 2008 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Dec 23 13:23:28 2008 TUN/TAP device tun0 opened
Tue Dec 23 13:23:28 2008 TUN/TAP TX queue length set to 100
Tue Dec 23 13:23:28 2008 /sbin/ip link set dev tun0 up mtu 1500
Tue Dec 23 13:23:28 2008 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Dec 23 13:23:28 2008 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Dec 23 13:23:28 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 23 13:23:28 2008 GID set to nobody
Tue Dec 23 13:23:28 2008 UID set to nobody
Tue Dec 23 13:23:28 2008 Socket Buffers: R=[126976->131072] S=[126976->131072]
Tue Dec 23 13:23:28 2008 UDPv4 link local (bound): [undef]:1194
Tue Dec 23 13:23:28 2008 UDPv4 link remote: [undef]
Tue Dec 23 13:23:28 2008 MULTI: multi_init called, r=256 v=256
Tue Dec 23 13:23:28 2008 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Dec 23 13:23:28 2008 IFCONFIG POOL LIST
...
Tue Dec 23 13:23:28 2008 Initialization Sequence Completed

Comment out log lines in server.conf before starting.

Red Squirrel · 12-23-2008, 12:38 AM

10.1.1.201 is the ip of the client. (assigned by the vpn server)

I tried to pint 10.1.1.1 (gateway) 10.1.1.10 (main server) and 10.1.1.15 (vpn server) no go. I also cannot resolve dns through 10.1.1.10 or connect to any ports through telnet.

This is the server startup output:

Code:

Dec 23 01:20:37 extsrv openvpn[7966]: OpenVPN 2.1_rc4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 26 2007
Dec 23 01:20:37 extsrv openvpn[7966]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Dec 23 01:20:37 extsrv openvpn[7966]: Diffie-Hellman initialized with 1024 bit key
Dec 23 01:20:37 extsrv openvpn[7966]: TLS-Auth MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Dec 23 01:20:37 extsrv openvpn[7966]: TUN/TAP device tap1 opened
Dec 23 01:20:37 extsrv openvpn[7966]: TUN/TAP TX queue length set to 100
Dec 23 01:20:37 extsrv openvpn[7966]: Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Dec 23 01:20:37 extsrv openvpn[7974]: Listening for incoming TCP connection on [undef]:1194
Dec 23 01:20:37 extsrv openvpn[7974]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Dec 23 01:20:37 extsrv openvpn[7974]: TCPv4_SERVER link local (bound): [undef]:1194
Dec 23 01:20:37 extsrv openvpn[7974]: TCPv4_SERVER link remote: [undef]
Dec 23 01:20:37 extsrv openvpn[7974]: MULTI: multi_init called, r=256 v=256
Dec 23 01:20:37 extsrv openvpn[7974]: IFCONFIG POOL: base=10.1.1.201 size=54
Dec 23 01:20:37 extsrv openvpn[7974]: IFCONFIG POOL LIST
Dec 23 01:20:37 extsrv openvpn[7974]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Dec 23 01:20:37 extsrv openvpn[7974]: Initialization Sequence Completed

billymayday · 12-23-2008, 12:42 AM

So why does the client routing table have 200?

Red Squirrel · 12-23-2008, 10:59 AM

I thought that was weird too. I tried to force 10.1.1.1 but no luck. I figured I would not have to touch routing though.

billymayday · 12-23-2008, 01:35 PM

You shouldn't. Can you post your full config for both server and client (use something like

Code:

cat server.conf | sed -e {'/^#/d' -e '/^;/d'}

to strip comments

Can you also add "ipconfig" from the windows box.

I'd expect that route to show "10.1.1.201", not 10.1.1.200 or 10.1.1.1