Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
If you fire openvpn up from the command line (i.e. rather than starting the service), you should be able to see the chatter that goes on when the client tries to connect.
Ex: If I open ssh, I have to specify which ports and which servers to tunnel through. With VPN, everything is open. I just access the IP directly as if I'm plugged right in.
Or is there a way to do this with just ssh? Since if yes that would be even better.
Original Poster:
Ok when I connect this is the output of the server log:
Code:
Dec 22 18:54:40 extsrv openvpn[7075]: MULTI: multi_create_instance called
Dec 22 18:54:40 extsrv openvpn[7075]: Re-using SSL/TLS context
Dec 22 18:54:40 extsrv openvpn[7075]: LZO compression initialized
Dec 22 18:54:40 extsrv openvpn[7075]: Control Channel MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Dec 22 18:54:40 extsrv openvpn[7075]: Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Dec 22 18:54:40 extsrv openvpn[7075]: Local Options hash (VER=V4): 'de0ebdfe'
Dec 22 18:54:40 extsrv openvpn[7075]: Expected Remote Options hash (VER=V4): '39ac68d4'
Dec 22 18:54:40 extsrv openvpn[7075]: TCP connection established with 142.217.217.197:45370
Dec 22 18:54:40 extsrv openvpn[7075]: Socket Buffers: R=[131072->131072] S=[131072->131072]
Dec 22 18:54:40 extsrv openvpn[7075]: TCPv4_SERVER link local: [undef]
Dec 22 18:54:40 extsrv openvpn[7075]: TCPv4_SERVER link remote: 142.217.217.197:45370
Dec 22 18:54:40 extsrv openvpn[7075]: 142.217.217.197:45370 TLS: Initial packet from 142.217.217.197:45370, sid=04a175d0 81af0fb4
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 VERIFY OK: depth=1, /C=CA/ST=ON/L=Timmins/O=IceTeks/OU=n/a/CN=home.iceteks.net/emailAddress=ryan@iceteks.com
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 VERIFY OK: depth=0, /C=CA/ST=ON/L=Timmins/O=IceTeks/CN=ryan/emailAddress=ryan@iceteks.com
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 22 18:54:43 extsrv openvpn[7075]: 142.217.217.197:45370 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec 22 18:54:43 extsrv openvpn[7075]: 142.217.217.197:45370 [ryan] Peer Connection Initiated with 142.217.217.197:45370
Dec 22 18:54:44 extsrv openvpn[7075]: ryan/142.217.217.197:45370 PUSH: Received control message: 'PUSH_REQUEST'
Dec 22 18:54:44 extsrv openvpn[7075]: ryan/142.217.217.197:45370 SENT CONTROL [ryan]: 'PUSH_REPLY,dhcp-option DNS 10.1.1.10,route-gateway 10.1.1.15,ping 10,ping-restart 120,ifconfig 10.1.1.200 255.255.255.0' (status=1)
Dec 22 18:54:46 extsrv openvpn[7075]: ryan/142.217.217.197:45370 MULTI: Learn: 00:ff:e4:0a:7a:41 -> ryan/142.217.217.197:45370
And the client:
Code:
Mon Dec 22 19:11:59 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Dec 22 19:11:59 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Dec 22 19:12:03 2008 LZO compression initialized
Mon Dec 22 19:12:03 2008 Attempting to establish TCP connection with 208.101.115.38:1194
Mon Dec 22 19:12:04 2008 TCP connection established with 208.101.115.38:1194
Mon Dec 22 19:12:04 2008 TCPv4_CLIENT link local: [undef]
Mon Dec 22 19:12:04 2008 TCPv4_CLIENT link remote: 208.101.115.38:1194
Mon Dec 22 19:12:06 2008 [home.iceteks.net] Peer Connection Initiated with 208.101.115.38:1194
Mon Dec 22 19:12:08 2008 TAP-WIN32 device [Local Area Connection 9] opened: \\.\Global\{E40A7A41-DA9E-4079-A2B9-23580B57D584}.tap
Mon Dec 22 19:12:08 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.1.200/255.255.255.0 on interface {E40A7A41-DA9E-4079-A2B9-23580B57D584} [DHCP-serv: 10.1.1.0, lease-time: 31536000]
Mon Dec 22 19:12:08 2008 Successful ARP Flush on interface [2] {E40A7A41-DA9E-4079-A2B9-23580B57D584}
Mon Dec 22 19:12:10 2008 Initialization Sequence Completed
I cannot ping anything at all or connect to anything when I'm on the vpn. I get an IP assigned and that's it.
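As an added example (not code from the thread or from OpenVPN), a small Python parser that pulls the per-session facts out of a server log like the one above and flags the legacy settings visible in it; the sample log is constructed from the lines posted, and the "weak" thresholds are my own:

```python
import re

# Constructed sample modelled on the server log posted above, trimmed to the lines the parser needs.
SERVER_LOG = """\
Dec 22 18:54:40 extsrv openvpn[7075]: TCP connection established with 142.217.217.197:45370
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 VERIFY OK: depth=0, /C=CA/ST=ON/L=Timmins/O=IceTeks/CN=ryan/emailAddress=ryan@iceteks.com
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 22 18:54:42 extsrv openvpn[7075]: 142.217.217.197:45370 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 22 18:54:43 extsrv openvpn[7075]: 142.217.217.197:45370 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec 22 18:54:44 extsrv openvpn[7075]: ryan/142.217.217.197:45370 SENT CONTROL [ryan]: 'PUSH_REPLY,dhcp-option DNS 10.1.1.10,route-gateway 10.1.1.15,ping 10,ping-restart 120,ifconfig 10.1.1.200 255.255.255.0' (status=1)
"""

PATTERNS = {  # one regex per fact; "tls" captures three fields, the rest capture one
    "peer": re.compile(r"TCP connection established with (\S+)"),
    "cn": re.compile(r"VERIFY OK: depth=0, .*?/CN=([^/]+)"),
    "cipher": re.compile(r"Data Channel Encrypt: Cipher '([^']+)'"),
    "hmac": re.compile(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'"),
    "tls": re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ (\S+), (\d+) bit RSA"),
    "push": re.compile(r"'PUSH_REPLY,([^']+)'"),
}

def parse_session(log):
    """Collect the per-client facts OpenVPN logs for one session."""
    s = {}
    for line in log.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "tls":
                s["tls_version"], s["tls_cipher"] = m.group(1), m.group(2)
                s["rsa_bits"] = int(m.group(3))
            else:
                s[key] = m.group(1)
    if "push" in s:
        s["push"] = s["push"].split(",")  # pushed options, one per entry
    return s

def audit(s):
    """Legacy settings a defender would flag; each one is visible in the session log."""
    findings = []
    if s.get("rsa_bits") is not None and s["rsa_bits"] < 2048:
        findings.append("RSA key is only %d bits" % s["rsa_bits"])
    if s.get("tls_version") in ("TLSv1", "TLSv1.1"):
        findings.append("control channel negotiated " + s["tls_version"])
    if s.get("hmac") == "SHA1":
        findings.append("data channel HMAC uses SHA1 (legacy)")
    if s.get("cipher", "").endswith("-CBC"):
        findings.append("data channel cipher %s is CBC, not AEAD" % s["cipher"])
    return findings
```

Feed it the full journal with `parse_session(open(path).read())`; the pushed `ifconfig` and `route-gateway` values it returns are the ones to compare against what the client actually configured.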
You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.
Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).
Can you verify the Linux firewall is fully open (iptables -L -v), and check the Windows side.
I'd also run "tracert some.ip.on.network" from the Windows box.
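As an added example (not code from the thread), a Python check that reads `iptables -L -v -n` output and reports what could be filtering the TUN/TAP interface the HOWTO excerpt above describes: explicit DROP/REJECT rules naming the interface, and chains whose default policy is DROP. The sample output is constructed; `tap1` is taken from the server log later in the thread.

```python
import re

# Constructed sample of `iptables -L -v -n` output (not taken from the thread): an explicit
# DROP on the server's tap1 interface plus a default-DROP FORWARD chain.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 10 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  8400 DROP       all  --  tap1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")

def find_vpn_filters(output, iface):
    """Return (chain, kind, target, pkts) tuples for anything in the filter table that can
    silently eat traffic on `iface`: DROP/REJECT rules naming it on the in or out column,
    and chains whose default policy is DROP (a default-DROP FORWARD chain stops routed or
    bridged VPN traffic even when no rule mentions the interface)."""
    findings = []
    chain = None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, policy = m.groups()
            if policy == "DROP":
                findings.append((chain, "policy", "DROP", 0))
            continue
        cols = line.split()
        # Rule rows start with two counters; this skips the header row and blank lines.
        if len(cols) < 7 or not cols[0].isdigit():
            continue
        pkts, target, in_if, out_if = int(cols[0]), cols[2], cols[5], cols[6]
        # A non-zero packet counter on a matching DROP rule is direct evidence the
        # rule is what is eating the VPN traffic.
        if target in ("DROP", "REJECT") and iface in (in_if, out_if):
            findings.append((chain, "rule", target, pkts))
    return findings
```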
Original Poster:
Both firewalls open. I plan to lock it down once I get this working, but for now it's wide open on both ends.
I also cannot tracert anywhere, just timeouts. I can ping my real (on the LAN) gateway though, is that normal? The VPN should take over, no? It's as if it's not actually connecting.
If you mean 192.168.142.1, you should still be able to ping that. By default, openvpn just gives you another NIC (effectively) that is connected to the remote network.
Can you start the server from the command line and post the startup messages? Should look something like:
Code:
#openvpn /etc/openvpn/server.conf
Tue Dec 23 13:23:28 2008 OpenVPN 2.1_rc9 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 1 2008
Tue Dec 23 13:23:28 2008 Diffie-Hellman initialized with 1024 bit key
Tue Dec 23 13:23:28 2008 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Tue Dec 23 13:23:28 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 23 13:23:28 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 23 13:23:28 2008 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Dec 23 13:23:28 2008 TUN/TAP device tun0 opened
Tue Dec 23 13:23:28 2008 TUN/TAP TX queue length set to 100
Tue Dec 23 13:23:28 2008 /sbin/ip link set dev tun0 up mtu 1500
Tue Dec 23 13:23:28 2008 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Dec 23 13:23:28 2008 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Dec 23 13:23:28 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 23 13:23:28 2008 GID set to nobody
Tue Dec 23 13:23:28 2008 UID set to nobody
Tue Dec 23 13:23:28 2008 Socket Buffers: R=[126976->131072] S=[126976->131072]
Tue Dec 23 13:23:28 2008 UDPv4 link local (bound): [undef]:1194
Tue Dec 23 13:23:28 2008 UDPv4 link remote: [undef]
Tue Dec 23 13:23:28 2008 MULTI: multi_init called, r=256 v=256
Tue Dec 23 13:23:28 2008 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Dec 23 13:23:28 2008 IFCONFIG POOL LIST
...
Tue Dec 23 13:23:28 2008 Initialization Sequence Completed
Comment out log lines in server.conf before starting.
Original Poster:
10.1.1.201 is the IP of the client (assigned by the VPN server).
I tried to ping 10.1.1.1 (gateway), 10.1.1.10 (main server) and 10.1.1.15 (VPN server): no go. I also cannot resolve DNS through 10.1.1.10 or connect to any ports through telnet.
This is the server startup output:
Code:
Dec 23 01:20:37 extsrv openvpn[7966]: OpenVPN 2.1_rc4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 26 2007
Dec 23 01:20:37 extsrv openvpn[7966]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Dec 23 01:20:37 extsrv openvpn[7966]: Diffie-Hellman initialized with 1024 bit key
Dec 23 01:20:37 extsrv openvpn[7966]: TLS-Auth MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Dec 23 01:20:37 extsrv openvpn[7966]: TUN/TAP device tap1 opened
Dec 23 01:20:37 extsrv openvpn[7966]: TUN/TAP TX queue length set to 100
Dec 23 01:20:37 extsrv openvpn[7966]: Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Dec 23 01:20:37 extsrv openvpn[7974]: Listening for incoming TCP connection on [undef]:1194
Dec 23 01:20:37 extsrv openvpn[7974]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Dec 23 01:20:37 extsrv openvpn[7974]: TCPv4_SERVER link local (bound): [undef]:1194
Dec 23 01:20:37 extsrv openvpn[7974]: TCPv4_SERVER link remote: [undef]
Dec 23 01:20:37 extsrv openvpn[7974]: MULTI: multi_init called, r=256 v=256
Dec 23 01:20:37 extsrv openvpn[7974]: IFCONFIG POOL: base=10.1.1.201 size=54
Dec 23 01:20:37 extsrv openvpn[7974]: IFCONFIG POOL LIST
Dec 23 01:20:37 extsrv openvpn[7974]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Dec 23 01:20:37 extsrv openvpn[7974]: Initialization Sequence Completed