Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336
Original Poster
Rep:
This is the server config:
Code:
port 1194
proto tcp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.1.1.15 255.255.255.0 10.1.1.201 10.1.1.254
push "dhcp-option DNS 10.1.1.10"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Client config:
Code:
client
dev tap
proto tcp
remote home.iceteks.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca C:\\openvpnkeys\\ca.crt
cert C:\\openvpnkeys\\ryan.crt
key C:\\openvpnkeys\\ryan.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 5
This is the output of ipconfig on windows with the vpn connected:
I think the issue is that the VPN interface is not getting a gateway assigned; it probably should, right?
Oh, and I can surf the internet with the VPN on, and it seems to try to resolve through the DNS server it's supposed to (10.1.1.10), then falls back to the local DNS.
Last edited by Red Squirrel; 12-23-2008 at 05:30 PM.
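Before the bridge problem is chased down, it is worth noting what a security review of the two configs above would flag. The following is an added example by the editor, not code from the thread: a POSIX sh lint that greps a config (comments stripped) for the settings in question: 1024-bit DH parameters, comp-lzo, duplicate-cn, client-to-client, a CBC cipher, the deprecated ns-cert-type, and a server section with no tls-auth/tls-crypt and no user directive. The two sample files are constructed copies of the posted server and client configs; the finding messages are the editor's.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): lint an OpenVPN config for the
# settings a security review of the two posted configs would flag.
# The two files below are constructed copies of the posted server and client
# configs; the findings text is the editor's.

SERVER_CONF="$(mktemp)"
CLIENT_CONF="$(mktemp)"
trap 'rm -f "$SERVER_CONF" "$CLIENT_CONF"' EXIT

cat > "$SERVER_CONF" <<'EOF'
port 1194
proto tcp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server-bridge 10.1.1.15 255.255.255.0 10.1.1.201 10.1.1.254
client-to-client
duplicate-cn
cipher AES-128-CBC # AES
comp-lzo
EOF

cat > "$CLIENT_CONF" <<'EOF'
client
dev tap
proto tcp
remote home.iceteks.net 1194
ns-cert-type server
cipher AES-128-CBC
comp-lzo
EOF

# directives FILE: the config with '#'/';' comments and blank lines stripped.
directives() { sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"; }

# has FILE REGEX: true if some directive line starts with a match for REGEX.
has() { directives "$1" | grep -Eq "^$2"; }

# note MSG: print one finding and count it.
note() { echo "$1"; n=$((n + 1)); }

# lint_openvpn FILE: one finding per line on stdout; returns 1 if any, else 0.
lint_openvpn() {
    f="$1"; n=0
    has "$f" 'dh .*dh1024'         && note "dh: 1024-bit DH parameters; regenerate with at least 2048 bits"
    has "$f" '(comp-lzo|compress)' && note "comp-lzo: compression exposes tunnelled traffic to compression-oracle attacks (VORACLE); remove it"
    has "$f" 'duplicate-cn'        && note "duplicate-cn: several clients may share one certificate, so revocation and logs no longer identify a single user"
    has "$f" 'client-to-client'    && note "client-to-client: OpenVPN switches peer-to-peer traffic internally, so the host firewall never sees it"
    has "$f" 'cipher .*-CBC'       && note "cipher: CBC mode; prefer an AEAD cipher such as AES-256-GCM (OpenVPN 2.4+)"
    has "$f" 'ns-cert-type'        && note "ns-cert-type: deprecated; use 'remote-cert-tls server', which checks the EKU instead of the nsCertType extension"
    if has "$f" '(server|server-bridge) '; then
        has "$f" '(tls-auth|tls-crypt)' || note "no tls-auth/tls-crypt: any host that can reach the port can start a TLS handshake (DoS and TLS-stack exposure)"
        has "$f" 'user '                || note "no 'user nobody': openvpn keeps running as root after initialisation"
    fi
    [ "$n" -eq 0 ]
}

# Stand-alone run: lint both constructed files.
for f in "$SERVER_CONF" "$CLIENT_CONF"; do
    echo "== $f"; lint_openvpn "$f" || true
done
```

Run it against a real file with `lint_openvpn /etc/openvpn/server.conf`; a non-zero exit means at least one finding, so it drops straight into a deployment check.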
Original Poster
Oh, and this is the server-side ipconfig; does this look right? I noticed that the bridge has the same IP as the physical NIC; is that normal? Also, should the tap have an IP? If yes, how do I assign one?
Original Poster
Hmm, you're right. I must have missed that in the script. I set it to 10.1.1.255 and restarted the bridge and the OpenVPN service as well as the client on the other end. Still nothing.
Also, if the firewall is off then it should work, right? Or do I still need to turn the firewall on and then open up the interface?
Last edited by Red Squirrel; 12-23-2008 at 07:21 PM.
Original Poster
This is what I get:
Code:
[root@vpnsrv openvpn]# service iptables status
iptables: Firewall is not running.
[root@vpnsrv openvpn]#
[root@vpnsrv openvpn]#
[root@vpnsrv openvpn]#
[root@vpnsrv openvpn]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@vpnsrv openvpn]#
Yeah, this is insecure, but I want to take it one step at a time. Once I get the VPN working I'll worry about the firewall. (And thanks for the help, btw; I'd be lost otherwise. We'll get this working eventually!)
Also, I'm using a 3rd-party client; could this be an issue? http://openvpn.se/
I can't find the official client; they only have the server listed on the OpenVPN site.
Last edited by Red Squirrel; 12-23-2008 at 07:57 PM.
Still can't access anything, though. If it makes a difference, the way this network is set up is:
10.10.0.0/24 network, then the 10.1.1.0/24 network is plugged into that network (NAT). But it should not make a difference. Basically, from work I was just connecting through two routers; now I'm connecting through one. The port is just forwarded twice.
I suspect there's something wrong with your bridge setup.
Are you prepared to give a routed solution a quick go? It should only take 15 mins.
I'd also try over UDP rather than TCP.
NOTE
I just saw something interesting in a sample config - try this first
Code:
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
Uncomment the dev-node entry and replace MyTap with the relevant adapter name.
Original Poster
Should I name the tap to match the tap name on the client (e.g. "Local Area Connection 2") or the tap name on the server? Either way, I tried both; no go.
Code:
Dec 23 22:34:29 vpnsrv openvpn[3271]: Note: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2)
Dec 23 22:34:29 vpnsrv openvpn[3271]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Dec 23 22:34:29 vpnsrv openvpn[3271]: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2)
Dec 23 22:34:29 vpnsrv openvpn[3271]: Exiting
[root@vpnsrv openvpn]# ifconfig
br0 Link encap:Ethernet HWaddr 00:0C:29:40:66:7E
inet addr:10.1.1.15 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe40:667e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5114 errors:0 dropped:0 overruns:0 frame:0
TX packets:3765 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:504458 (492.6 KiB) TX bytes:532746 (520.2 KiB)
eth0 Link encap:Ethernet HWaddr 00:0C:29:40:66:7E
inet addr:10.1.1.15 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe40:667e/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1128253 errors:0 dropped:0 overruns:0 frame:0
TX packets:3939 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:823416876 (785.2 MiB) TX bytes:554903 (541.8 KiB)
Base address:0x2000 Memory:d8920000-d8940000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1424 (1.3 KiB) TX bytes:1424 (1.3 KiB)
tap0 Link encap:Ethernet HWaddr 00:FF:BF:CA:D8:72
inet6 addr: fe80::2ff:bfff:feca:d872/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:1116 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@vpnsrv openvpn]#
I guess the next step is to try routed, though I had the exact same issues; that's when I decided to try bridged, and bridged will serve my needs better anyway as I need to be able to access Samba shares.
Also, do I need to do anything special on the client? Like, do I need to bridge the tap and the physical adapter? I tried that but it did not work.
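The replier's suspicion about the bridge is easy to test against the listing above: eth0 and br0 both carry 10.1.1.15, and nothing shows tap0 as a port of br0 (its TX counter is all drops). The following is an added example by the editor, not a script from the thread: an iproute2 version of the bring-up sequence the classic OpenVPN bridge-start script performs, the iptables rules the OpenVPN bridging HOWTO adds once the firewall is switched back on, and two checks that parse ip(8) output for exactly those two faults. The interface names, the address, the port/protocol and the two sample listings (reconstructed from the posted ifconfig in `ip -o` form) are assumptions; with DRY_RUN=1 the commands are only printed.

```shell
#!/bin/sh
# Added example (editor's, not a script from the thread): bring up an OpenVPN
# bridge with iproute2, add the firewall rules for it, and check two things the
# posted ifconfig hints at: a bridge port that still owns an IP, and a tap that
# is not a bridge port. Interface names, the address and the sample listings
# are assumptions standing in for the poster's host. DRY_RUN=1 prints only.
set -u

BR=br0; NIC=eth0; TAP=tap0
ADDR=10.1.1.15/24
PROTO=tcp; PORT=1194

# run CMD...: echo the command, then execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# bridge_up: what the classic bridge-start script does. The address moves from
# the NIC to the bridge, so run this from the console, not over SSH.
bridge_up() {
    run ip tuntap add dev "$TAP" mode tap    # equivalent to: openvpn --mktun --dev tap0
    run ip link add name "$BR" type bridge
    run ip link set "$NIC" master "$BR"
    run ip link set "$TAP" master "$BR"
    run ip addr flush dev "$NIC"             # a bridge port must not keep its own address
    run ip link set "$NIC" promisc on
    run ip link set "$TAP" promisc on
    run ip addr add "$ADDR" brd + dev "$BR"
    run ip link set "$NIC" up
    run ip link set "$TAP" up
    run ip link set "$BR" up
}

# firewall_allow: the rules the OpenVPN bridging HOWTO adds once the firewall is
# back on: reach the daemon, accept what arrives on tap/bridge, let the bridge forward.
firewall_allow() {
    run iptables -A INPUT -p "$PROTO" --dport "$PORT" -j ACCEPT
    run iptables -A INPUT -i "$TAP" -j ACCEPT
    run iptables -A INPUT -i "$BR" -j ACCEPT
    run iptables -A FORWARD -i "$BR" -j ACCEPT
}

# check_addressing "PORT ..." LISTING: LISTING is `ip -4 -o addr show` output.
# Prints each bridge port that still has an IPv4 address; returns 1 if any.
check_addressing() {
    bad=0
    for p in $1; do
        a="$(printf '%s\n' "$2" | awk -v i="$p" '$2 == i && $3 == "inet" { print $4 }')"
        if [ -n "$a" ]; then
            echo "$p is a bridge port but still has $a (it belongs on the bridge)"
            bad=1
        fi
    done
    return "$bad"
}

# check_member BRIDGE IFACE LISTING: LISTING is `ip -o link show` output.
# True if IFACE's line carries "master BRIDGE".
check_member() {
    printf '%s\n' "$3" | awk -v b="$1" -v i="$2" '
        $2 == (i ":") { for (k = 1; k < NF; k++) if ($k == "master" && $(k+1) == b) found = 1 }
        END { exit !found }'
}

# Constructed listings in ip(8) -o form, mirroring the posted ifconfig: eth0 and
# br0 both hold 10.1.1.15, and tap0 has no master.
SAMPLE_ADDRS='2: eth0    inet 10.1.1.15/24 brd 10.1.1.255 scope global eth0\       valid_lft forever preferred_lft forever
4: br0    inet 10.1.1.15/24 brd 10.1.1.255 scope global br0\       valid_lft forever preferred_lft forever'
SAMPLE_LINKS='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:40:66:7e brd ff:ff:ff:ff:ff:ff
3: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 100\    link/ether 00:ff:bf:ca:d8:72 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:40:66:7e brd ff:ff:ff:ff:ff:ff'

# Stand-alone run: print the commands, then apply the two checks to the samples.
DRY_RUN=1
bridge_up
firewall_allow
check_addressing "$NIC $TAP" "$SAMPLE_ADDRS" || echo "fix: ip addr flush dev $NIC"
check_member "$BR" "$TAP" "$SAMPLE_LINKS"    || echo "$TAP is not a port of $BR; fix: ip link set $TAP master $BR"
```

On a live host feed the checks real output, `check_addressing "eth0 tap0" "$(ip -4 -o addr show)"` and `check_member br0 tap0 "$(ip -o link show)"`; run `bridge_up` and `firewall_allow` without DRY_RUN only as root and from the console, since flushing the NIC's address drops an SSH session.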
Original Poster
Hmm, good to know; I may be able to stick to routed then, less complexity.
Now I'm having other issues though (routed); I get these errors in the client:
Code:
Tue Dec 23 23:18:39 2008 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
Tue Dec 23 23:18:59 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 23 23:18:59 2008 TLS Error: TLS handshake failed
Tue Dec 23 23:18:59 2008 TCP/UDP: Closing socket
I disabled the bridge on the server and made sure client/server is dev tun, and I also removed the server-bridge and replaced it with server (and a different IP in an unused range).
Edit: OK, this is messed up. I rebooted the server and the service is not running, yet it's connecting anyway; how is this possible? It's even prompting for a password. (Still get those other errors.)
Last edited by Red Squirrel; 12-23-2008 at 10:24 PM.