1st February 2011
Emile

Does pf conflict with OpenVPN?

I pkg_added openvpn and am testing it out with a VPN service. So I copied the client.ovpn and cert.dat to /etc/openvpn/.

Here is the config:

Code:
# VPN client config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
<connection>
proto tcp-client
remote [vpn url] [vpn port]
remote [vpn IP] [vpn port]
connect-retry 10
</connection>
<connection>
proto udp
remote [vpn url] [vpn port]
remote [vpn IP] [vpn port]
</connection>
The bolded options within brackets are information I substituted so as not to spam/advertise the VPN service.

I changed a couple things: I changed "dev tun" to "dev tun0" for OpenBSD, and I deleted the last line of the config which was "win-sys 'env'" because I got an error about it and removing it seemed safe.

So here I am starting it up:

Code:
$ sudo openvpn client.ovpn 
Tue Feb  1 10:47:09 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb  1 10:47:09 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 10:47:09 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb  1 10:47:09 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb  1 10:47:09 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb  1 10:47:09 2011 Local Options hash (VER=V4): 'bf6006bf'
Tue Feb  1 10:47:09 2011 Expected Remote Options hash (VER=V4): '3ce6ab7f'
Tue Feb  1 10:47:09 2011 Attempting to establish TCP connection with [VPN IP]:[VPN port] [nonblock]
Tue Feb  1 10:47:10 2011 TCP connection established with [VPN IP]:[VPN port]
Tue Feb  1 10:47:10 2011 Socket Buffers: R=[16384->65536] S=[16384->65536]
Tue Feb  1 10:47:10 2011 TCPv4_CLIENT link local: [undef]
Tue Feb  1 10:47:10 2011 TCPv4_CLIENT link remote: [VPN IP]:[VPN port]
Tue Feb  1 10:47:10 2011 TLS: Initial packet from [VPN IP]:[VPN port], sid=33085865 6f786d04
Tue Feb  1 10:47:12 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=admin@example.com
Tue Feb  1 10:47:12 2011 VERIFY OK: nsCertType=SERVER
Tue Feb  1 10:47:12 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Tue Feb  1 10:47:16 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 10:47:16 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 10:47:16 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 10:47:16 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 10:47:16 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb  1 10:47:16 2011 [server] Peer Connection Initiated with [VPN IP]:[VPN port]
Tue Feb  1 10:47:19 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb  1 10:47:19 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.9 255.255.255.0'
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: --socket-flags option modified
Tue Feb  1 10:47:19 2011 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: route options modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: route-related options modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb  1 10:47:19 2011 ROUTE default_gateway=192.168.1.1
Tue Feb  1 10:47:19 2011 /sbin/ifconfig tun0 destroy
Tue Feb  1 10:47:19 2011 /sbin/ifconfig tun0 create
Tue Feb  1 10:47:19 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Tue Feb  1 10:47:19 2011 /sbin/ifconfig tun0 10.100.1.9 netmask 255.255.255.0 mtu 1500 broadcast 10.100.1.255 link0
Tue Feb  1 10:47:19 2011 TUN/TAP device /dev/tun0 opened
Tue Feb  1 10:47:21 2011 /sbin/route add -net [VPN IP] 192.168.1.1 -netmask 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
Tue Feb  1 10:47:21 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
Tue Feb  1 10:47:21 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
Tue Feb  1 10:47:21 2011 /sbin/route add -net 10.100.1.0 10.100.1.1 -netmask 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.1
Tue Feb  1 10:47:21 2011 Initialization Sequence Completed
So it seems successful there, but once connected I do not seem to have internet access.

Here is me attempting to ping Google:

Code:
$ ping google.com
PING google.com (74.125.79.99): 56 data bytes
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
--- google.com ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss
What can I do to debug the situation and find out what's preventing my access to the internet?

At first I was inclined to believe it had something to do with pf but I'm not sure. Could it be an issue with pf? If not, what else can I do to figure out the issue? (I am currently attempting to contact the VPN provider but they only support Windows, Mac, and Linux.)

Last edited by Emile; 1st February 2011 at 07:12 PM.
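Added example, not code from the post or the OpenVPN project: on OpenBSD, a sendto() that fails with "No route to host" even though routes appear to exist is also the error ip_output returns when pf drops the outgoing packet, so the two things to inspect are the routes that redirect-gateway def1 installed and whether the pf ruleset passes traffic on tun0. The functions below run those checks against constructed samples of `route -n show -inet` and `pfctl -sr` output; the interface names em0/tun0, the VPN gateway 10.100.1.1 and the VPN server address 203.0.113.7 are assumed placeholders.

```sh
#!/bin/sh
# Constructed `route -n show -inet` output in the shape the post's route commands
# produce: redirect-gateway def1 split the default into two /1 routes via the
# VPN gateway and added a host route to the VPN server via the old gateway.
SAMPLE_ROUTES='Destination        Gateway        Flags  Refs  Use  Mtu  Prio  Iface
default            192.168.1.1    UGS    0     12   -    8     em0
0.0.0.0/1          10.100.1.1     UGS    0     0    -    8     tun0
128.0.0.0/1        10.100.1.1     UGS    0     0    -    8     tun0
10.100.1.0/24      10.100.1.1     UGS    0     0    -    8     tun0
203.0.113.7/32     192.168.1.1    UGS    0     3    -    8     em0'

# Constructed `pfctl -sr` output: passes only on the physical interface, so pf
# drops packets leaving via tun0 and sendto() reports "No route to host".
PF_RULES_WEAK='block drop all
pass out on em0 inet all flags S/SA
pass in on em0 inet proto tcp from any to any port = 22 flags S/SA'

# Constructed corrected ruleset: also pass outbound traffic on the tunnel interface.
PF_RULES_FIXED='block drop all
pass out on em0 inet all flags S/SA
pass out on tun0 inet all flags S/SA
pass in on em0 inet proto tcp from any to any port = 22 flags S/SA'

# check_def1_routes GW: reads a route table on stdin, prints "ok" when both
# half-default routes (0.0.0.0/1 and 128.0.0.0/1) point at GW, else "missing".
check_def1_routes() {
  awk -v gw="$1" '$1 == "0.0.0.0/1" && $2 == gw { lo = 1 }
                  $1 == "128.0.0.0/1" && $2 == gw { hi = 1 }
                  END { print ((lo && hi) ? "ok" : "missing") }'
}

# check_vpn_host_route VPN_IP OLD_GW: prints "ok" when the /32 to the VPN server
# still goes via the pre-VPN gateway (otherwise the tunnel would route into itself).
check_vpn_host_route() {
  awk -v ip="$1/32" -v gw="$2" '$1 == ip && $2 == gw { f = 1 }
                                END { print (f ? "ok" : "missing") }'
}

# check_pf_passes IFACE: reads `pfctl -sr` output on stdin; prints "pass" when
# some outbound pass rule applies to IFACE (explicit "on IFACE" or no "on" clause).
check_pf_passes() {
  awk -v ifc="$1" '$1 == "pass" && $2 != "in" {
      on = ""; for (i = 2; i < NF; i++) if ($i == "on") on = $(i + 1)
      if (on == "" || on == ifc) found = 1 }
    END { print (found ? "pass" : "no-pass") }'
}

# Live use: route -n show -inet | check_def1_routes 10.100.1.1 ; pfctl -sr | check_pf_passes tun0
```

When the route checks print "ok" but check_pf_passes prints "no-pass" for tun0, the ruleset rather than the routing table is what is dropping the traffic; `tcpdump -n -e -ttt -i pflog0` shows the blocked packets if the block rule has the log keyword.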