DaemonForums > OpenBSD > OpenBSD Security
#1
17th September 2009
guitarscn
Cannot set up OpenVPN

Code:
# /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf 
Thu Sep 17 13:23:29 2009 OpenVPN 2.1_rc15 i386-unknown-openbsd4.5 [SSL] [LZO1] built on Mar  1 2009
Enter Auth Username:guitarscn
Enter Auth Password:
Thu Sep 17 13:23:32 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 17 13:23:32 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 17 13:23:32 2009 LZO compression initialized
Thu Sep 17 13:23:32 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Sep 17 13:23:33 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 17 13:23:33 2009 Local Options hash (VER=V4): '69109d17'
Thu Sep 17 13:23:33 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Thu Sep 17 13:23:33 2009 Attempting to establish TCP connection with 87.98.181.223:443 [nonblock]
Thu Sep 17 13:23:34 2009 TCP: connect to x.x.x.x:443 failed, will try again in 5 seconds: Connection refused
Thu Sep 17 13:23:34 2009 SIGUSR1[soft,init_instance] received, process restarting
Thu Sep 17 13:23:34 2009 Restart pause, 5 second(s)
Thu Sep 17 13:23:39 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 17 13:23:39 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 17 13:23:39 2009 Re-using SSL/TLS context
Thu Sep 17 13:23:39 2009 LZO compression initialized
Thu Sep 17 13:23:39 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Sep 17 13:23:39 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 17 13:23:39 2009 Local Options hash (VER=V4): '69109d17'
Thu Sep 17 13:23:39 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Thu Sep 17 13:23:39 2009 Attempting to establish TCP connection with x.x.173.x:443 [nonblock]
Thu Sep 17 13:23:40 2009 TCP connection established with x.x.173.x:443
Thu Sep 17 13:23:40 2009 Socket Buffers: R=[16384->65536] S=[16384->65536]
Thu Sep 17 13:23:40 2009 TCPv4_CLIENT link local: [undef]
Thu Sep 17 13:23:40 2009 TCPv4_CLIENT link remote: x.98.173.x:443
Thu Sep 17 13:23:40 2009 TLS: Initial packet from x.98.173.x:443, sid=60191c71 3ab1c059
Thu Sep 17 13:23:40 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 17 13:23:41 2009 VERIFY OK: depth=1, /C=FR/ST=NA/L=BISHKEK/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
Thu Sep 17 13:23:41 2009 VERIFY OK: depth=0, /C=FR/ST=NA/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
Thu Sep 17 13:23:43 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 17 13:23:43 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 17 13:23:43 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 17 13:23:43 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 17 13:23:43 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 17 13:23:43 2009 [ludwig] Peer Connection Initiated with x.98.173.x:443
Thu Sep 17 13:23:44 2009 SENT CONTROL [ludwig]: 'PUSH_REQUEST' (status=1)
Thu Sep 17 13:23:44 2009 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 94.23.39.201,dhcp-option DNS x.251.133.x,route x.13.0.x,topology net30,ping 10,ping-restart 120,ifconfig 1x.13.51.x x.13.51.x'
Thu Sep 17 13:23:44 2009 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 17 13:23:44 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 17 13:23:44 2009 OPTIONS IMPORT: route options modified
Thu Sep 17 13:23:44 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Sep 17 13:23:44 2009 ROUTE default_gateway=x.17.4.x
Thu Sep 17 13:23:44 2009 /sbin/ifconfig tun destroy
ifconfig: SIOCIFDESTROY: Invalid argument
Thu Sep 17 13:23:44 2009 /sbin/ifconfig tun create
ifconfig: SIOCIFCREATE: Invalid argument
Thu Sep 17 13:23:44 2009 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Thu Sep 17 13:23:44 2009 /sbin/ifconfig tun x.13.51.x x.13.51.x mtu 1500 netmask 255.255.255.255 up
ifconfig: SIOCSIFMTU: Device not configured
ifconfig: SIOCGIFFLAGS: Device not configured
Thu Sep 17 13:23:44 2009 OpenBSD ifconfig failed: external program exited with error status: 1
Thu Sep 17 13:23:44 2009 Exiting

Last edited by guitarscn; 17th September 2009 at 08:16 PM.
#2
17th September 2009
jggimi

See the man pages for ifconfig(8) and tun(4). Your script has a typo. The same typo over and over.
#3
17th September 2009
guitarscn

Which script? The config file works fine on another OS
#4
18th September 2009
jggimi

Quote:
Originally Posted by guitarscn
...on another OS...
A short test for guitarscn:
Question #1: How are devices numbered by the OpenBSD kernel?

Question #2: What number device is your first and only tun(4) device?

Question #3 (for extra credit): Why are your ifconfig commands all failing?
I want you to find the answers to these questions on your own. It is the only way you will learn anything.
#5
30th September 2009
guitarscn

I use rl0 for my ethernet line, so numbers come after the device name starting with 0, right? I didn't have tun in my ifconfig, so I did "ifconfig tun up", but the device didn't exist, so I did "ifconfig tun0 up" and it's up.

Oh, I just looked in the connect script and now it works after I changed tun to tun0. Wow, I figured this out slowly. I am thickheaded.

Last edited by guitarscn; 30th September 2009 at 11:23 PM.
#6
1st October 2009
jggimi

Quote:
Originally Posted by guitarscn
...number come after the device name starting with 0, right?
Right.
Quote:
...so I did "ifconfig tun0 up" and it's up.
Good!
Quote:
...Wow I figured this out slow....
But you -did- figure it out. And, you solved the immediate problem. Congratulations on your accomplishment!
#7
1st October 2009
guitarscn

I was familiar with ifconfig but not tun. I had to read up what tun was and then I understood. Thanks
#8
5th October 2009
s2scott

Here's what I have in my hostname.tun0 to support openvpn. In OpenBSD, I found the tun won't come up WITHOUT an IP address. Somewhere in the chicken-and-egg dance that OpenVPN and OpenBSD do, I found this the best way to satisfy both.

Code:
root@gw:/etc/ovpn # pg /etc/hostname.tun0
inet 169.254.235.1 255.255.255.252 169.254.235.2
!/sbin/route add 169.254.235.0/24 169.254.235.1
I'm sure other openvpn.conf and hostname.tun0 combinations work as well.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
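An added example, not code from this thread, from OpenVPN or from OpenBSD, that serves guitarscn's log in #1, the `dev tun` to `dev tun0` fix in #5 and s2scott's hostname.tun0 in #8 together: a POSIX sh linter that reads an OpenVPN 2.1 client config plus the matching hostname.if(5) file and reports what this thread turned up. Besides the unnumbered device name (OpenBSD names cloned interfaces driver-plus-unit, so ifconfig rejects a bare "tun"), the posted log carries three warnings a practitioner would act on: "No server certificate verification method has been enabled" (add `remote-cert-tls server`, or `ns-cert-type server` on 2.1; without it any certificate the CA issued, another client's included, passes as the server), "this configuration may cache passwords in memory" (add `auth-nocache`), and the BF-CBC data-channel cipher, a 64-bit-block cipher that 2.1 uses by default and does not negotiate, so `cipher AES-256-CBC` has to be set on both ends. The ETC directory argument, the assumption that options live in the config file rather than on the command line, and the constructed configs in the usage are the example's own, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an OpenVPN 2.1 client setup
# on OpenBSD for the problems visible in this thread.
#   1. "dev tun" instead of "dev tun0": OpenBSD names cloned interfaces by
#      driver plus unit number, so ifconfig(8) rejects "tun" outright
#      (the SIOCIFCREATE / SIOCSIFMTU failures in guitarscn's log).
#   2. no /etc/hostname.tunN: the unit then has no address when OpenVPN
#      starts (s2scott's point in #8).
#   3. the warnings in the posted log: no server certificate check, the
#      password cached in memory, and the BF-CBC default cipher.
# The ETC argument is an assumption of this example so it can be pointed
# at a constructed tree instead of the live /etc.

# has KEY FILE: true if option KEY is set (comment lines cannot match).
has() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$2"
}

# opt KEY FILE: print the value of the first KEY line, or nothing.
opt() {
    awk -v k="$1" '
        /^[ \t]*[#;]/ { next }
        $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# lint_openvpn ETC: ETC holds openvpn/openvpn.conf and hostname.* files.
# Prints one finding per line; the return value is the number of findings.
lint_openvpn() {
    etc=$1
    conf=$etc/openvpn/openvpn.conf
    n=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    dev=$(opt dev "$conf")
    case "$dev" in
    tun[0-9]*|tap[0-9]*)
        # Numbered unit: netstart(8) creates it at boot only if hostname.$dev
        # exists, and s2scott found OpenVPN needs an address on it already.
        if ! grep -q '^inet ' "$etc/hostname.$dev" 2>/dev/null; then
            echo "hostname.$dev has no inet line: $dev gets no address at boot"
            n=$((n + 1))
        fi ;;
    *)
        echo "dev '$dev' is not a numbered unit; OpenBSD needs e.g. 'dev tun0'"
        n=$((n + 1)) ;;
    esac

    # Without one of these the client accepts any certificate signed by the
    # CA, client certificates included (the log's MITM warning).
    if ! has remote-cert-tls "$conf" && ! has ns-cert-type "$conf"; then
        echo "no remote-cert-tls/ns-cert-type: server certificate not verified"
        n=$((n + 1))
    fi

    # auth-user-pass without auth-nocache keeps the password in process memory.
    if has auth-user-pass "$conf" && ! has auth-nocache "$conf"; then
        echo "auth-user-pass without auth-nocache: password cached in memory"
        n=$((n + 1))
    fi

    # 2.1 does not negotiate ciphers: the default BF-CBC (64-bit block) is
    # used unless both ends set the same 'cipher' option.
    cipher=$(opt cipher "$conf")
    case "${cipher:-BF-CBC}" in
    BF-CBC)
        echo "cipher is BF-CBC (default): set 'cipher AES-256-CBC' on client and server"
        n=$((n + 1)) ;;
    esac

    return $n
}

# Usage: sh lint-openvpn.sh /etc   (prints findings, exit status = count)
if [ -n "${1:-}" ]; then
    lint_openvpn "$1" || echo "$? finding(s)"
fi
```

Run it as `sh lint-openvpn.sh /etc` on the client; the exit status is the number of findings, so it can gate a start-up script. On a config shaped like the one the log in #1 implies (`dev tun`, `auth-user-pass`, nothing else) it reports four findings; with `dev tun0`, s2scott's hostname.tun0 line and the three options named above it reports none.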
#9
5th October 2009
s2scott

I posted this thread a while back; it may help.

http://www.daemonforums.org/showthre...light=hostname

/S