OpenBSD Packages and Ports: Installation and upgrading of packages and ports on OpenBSD.
Does pf conflict with OpenVPN?
I pkg_added openvpn and am testing it out with a VPN service. So I copied the client.ovpn and cert.dat to /etc/openvpn/.
Here is the config:
Code:
# VPN client config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
<connection>
proto tcp-client
remote [vpn url] [vpn port]
remote [vpn IP] [vpn port]
connect-retry 10
</connection>
<connection>
proto udp
remote [vpn url] [vpn port]
remote [vpn IP] [vpn port]
</connection>

I changed a couple of things: I changed "dev tun" to "dev tun0" for OpenBSD, and I deleted the last line of the config, which was "win-sys 'env'", because I got an error about it and removing it seemed safe. So here I am starting it up:
Code:
$ sudo openvpn client.ovpn
Tue Feb 1 10:47:09 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb 1 10:47:09 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb 1 10:47:09 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb 1 10:47:09 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 1 10:47:09 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb 1 10:47:09 2011 Local Options hash (VER=V4): 'bf6006bf'
Tue Feb 1 10:47:09 2011 Expected Remote Options hash (VER=V4): '3ce6ab7f'
Tue Feb 1 10:47:09 2011 Attempting to establish TCP connection with [VPN IP]:[VPN port] [nonblock]
Tue Feb 1 10:47:10 2011 TCP connection established with [VPN IP]:[VPN port]
Tue Feb 1 10:47:10 2011 Socket Buffers: R=[16384->65536] S=[16384->65536]
Tue Feb 1 10:47:10 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 1 10:47:10 2011 TCPv4_CLIENT link remote: [VPN IP]:[VPN port]
Tue Feb 1 10:47:10 2011 TLS: Initial packet from [VPN IP]:[VPN port], sid=33085865 6f786d04
Tue Feb 1 10:47:12 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=admin@example.com
Tue Feb 1 10:47:12 2011 VERIFY OK: nsCertType=SERVER
Tue Feb 1 10:47:12 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Tue Feb 1 10:47:16 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb 1 10:47:16 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 1 10:47:16 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb 1 10:47:16 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 1 10:47:16 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb 1 10:47:16 2011 [server] Peer Connection Initiated with [VPN IP]:[VPN port]
Tue Feb 1 10:47:19 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb 1 10:47:19 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.9 255.255.255.0'
Tue Feb 1 10:47:19 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb 1 10:47:19 2011 OPTIONS IMPORT: --socket-flags option modified
Tue Feb 1 10:47:19 2011 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Tue Feb 1 10:47:19 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb 1 10:47:19 2011 OPTIONS IMPORT: route options modified
Tue Feb 1 10:47:19 2011 OPTIONS IMPORT: route-related options modified
Tue Feb 1 10:47:19 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb 1 10:47:19 2011 ROUTE default_gateway=192.168.1.1
Tue Feb 1 10:47:19 2011 /sbin/ifconfig tun0 destroy
Tue Feb 1 10:47:19 2011 /sbin/ifconfig tun0 create
Tue Feb 1 10:47:19 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Tue Feb 1 10:47:19 2011 /sbin/ifconfig tun0 10.100.1.9 netmask 255.255.255.0 mtu 1500 broadcast 10.100.1.255 link0
Tue Feb 1 10:47:19 2011 TUN/TAP device /dev/tun0 opened
Tue Feb 1 10:47:21 2011 /sbin/route add -net [VPN IP] 192.168.1.1 -netmask 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
Tue Feb 1 10:47:21 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
Tue Feb 1 10:47:21 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
Tue Feb 1 10:47:21 2011 /sbin/route add -net 10.100.1.0 10.100.1.1 -netmask 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.1
Tue Feb 1 10:47:21 2011 Initialization Sequence Completed

Here is me attempting to ping Google:
Code:
$ ping google.com
PING google.com (74.125.79.99): 56 data bytes
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
--- google.com ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss

At first I was inclined to believe it had something to do with pf, but I'm not sure. Could it be an issue with pf? If not, what else can I do to figure out the issue? (I am currently attempting to contact the VPN provider, but they only support Windows, Mac, and Linux.)

Last edited by Emile; 1st February 2011 at 07:12 PM.
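An added example, not part of Emile's post: it parses the ROUTE and /sbin/route add lines OpenVPN logged above and resolves, by longest-prefix match, which gateway a destination would take, with the placeholder [VPN IP] assumed to be 203.0.113.5 (a documentation address). It shows that the two /1 routes installed by redirect-gateway def1 already cover 74.125.79.99 via 10.100.1.1, so the table OpenVPN built is not missing a route for Google; with that ruled out, the pf rules and states on tun0 are the next thing to check.

```python
import ipaddress
import re

# Constructed sample: the ROUTE and "route add" lines from the OpenVPN log in the
# post, with the placeholder [VPN IP] replaced by 203.0.113.5 (a documentation address).
LOG = """\
Tue Feb 1 10:47:19 2011 ROUTE default_gateway=192.168.1.1
Tue Feb 1 10:47:21 2011 /sbin/route add -net 203.0.113.5 192.168.1.1 -netmask 255.255.255.255
Tue Feb 1 10:47:21 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -netmask 128.0.0.0
Tue Feb 1 10:47:21 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -netmask 128.0.0.0
Tue Feb 1 10:47:21 2011 /sbin/route add -net 10.100.1.0 10.100.1.1 -netmask 255.255.255.0
Tue Feb 1 10:47:21 2011 Initialization Sequence Completed
"""

ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) -netmask (\S+)")
DEFAULT_RE = re.compile(r"ROUTE default_gateway=(\S+)")

def parse_routes(log):
    """Return ([(network, gateway), ...], lan_default_gateway) from the log."""
    routes, lan_gw = [], None
    for line in log.splitlines():
        m = DEFAULT_RE.search(line)
        if m:
            lan_gw = m.group(1)  # gateway OpenVPN saw before it touched the table
            continue
        m = ROUTE_RE.search(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)
            routes.append((net, m.group(2)))
    return routes, lan_gw

def gateway_for(dest, log=LOG):
    """Longest-prefix match like the kernel; fall back to the pre-VPN default."""
    routes, lan_gw = parse_routes(log)
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else lan_gw

def default_redirected(routes):
    """True when 'redirect-gateway def1' took effect: both /1 halves of the
    address space point at one VPN-side gateway, overriding the LAN default."""
    halves = {str(net): gw for net, gw in routes if net.prefixlen == 1}
    return len(halves) == 2 and len(set(halves.values())) == 1

if __name__ == "__main__":
    routes, lan_gw = parse_routes(LOG)
    print("default redirected through VPN:", default_redirected(routes))
    print("74.125.79.99 (google.com) ->", gateway_for("74.125.79.99"))
```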