openvpn on openbsd problem....
Hi Everyone,

When trying to connect to my VPN provider using openvpn (2.1_rc15) on openbsd (both 4.4 and 4.5) everything works fine (i.e. I receive an IP address and a correct routing table) except that I can't connect anywhere?! I can ping my own tun0 IP address but it seems like all other packets get blocked. (I'm not using pf.) The same client conf works fine in freebsd, linux, netbsd and windows, so it seems that I'm missing some special sysctl setting on openbsd? Any hints what might be causing this?

I tried "tcpdump -i tun0" but all I see is:

Code:
arp who-has <default gateway> tell <my tun0 ip>

Thanks in advance,
Michael

Last edited by michaelk; 14th May 2009 at 12:07 PM.

I'm on the local machine so forwarding should not be needed. Any more clues how to troubleshoot this? Anyone running openvpn successfully on openbsd (as a client)?

//Michael

I have an OpenBSD client using openvpn as well, it is a bit dated but I will post.

OpenBSD 4.3 client config:

Code:
client
dev tun0
dev-type tap
port 5000
proto udp
remote xx.xx.xx.xx
redirect-gateway
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 4
mute 20

The first 2 bolded lines were the only real difference between this and my Windoz client config, hope it helps.

Can you post the output of the following?

Code:
$ route show -inet
$ ifconfig -a   # or just tun0

Hopefully we'll know more about your setup this way, it's likely a configuration issue. Posting the output of /etc/mygate in [code][/code] blocks might also be helpful.

The provider I try to connect to is http://ivacy.com

On freebsd:

Code:
~> Sat May 16 10:33:01 2009 OpenVPN 2.1_rc15 i386-portbld-freebsd7.1 [SSL] [LZO2] built on May  9 2009
Sat May 16 10:33:01 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 16 10:33:01 2009 Control Channel Authentication: using 'keys/ivacy-tls.key' as a OpenVPN static key file
Sat May 16 10:33:01 2009 LZO compression initialized
Sat May 16 10:33:01 2009 RESOLVE: NOTE: openvpn.ivacy.com resolves to 2 addresses, choosing one by random
Sat May 16 10:33:01 2009 UDPv4 link local: [undef]
Sat May 16 10:33:01 2009 UDPv4 link remote: 85.249.223.29:1194
Sat May 16 10:33:01 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 16 10:33:02 2009 [openvpn.ivacy.com] Peer Connection Initiated with 85.249.223.29:1194
Sat May 16 10:33:04 2009 TUN/TAP device /dev/tun0 opened
Sat May 16 10:33:04 2009 /sbin/ifconfig tun0 1.2.116.141 1.2.116.141 netmask 255.255.252.0 mtu 1500 up
add net 1.2.116.0: gateway 1.2.116.141
Sat May 16 10:33:04 2009 /usr/local/etc/openvpn/ivacy-up.sh tun0 1500 1542 1.2.116.141 255.255.252.0 init
add net 85.249.223.29: gateway 192.168.0.1
delete net 0.0.0.0: gateway 192.168.0.1
add net 0.0.0.0: gateway 1.2.116.1
Sat May 16 10:33:04 2009 WARNING: potential route subnet conflict between local LAN [1.2.116.0/255.255.255.0] and remote VPN [1.0.0.0/255.0.0.0]
add net 1.0.0.0: gateway 1.2.116.1
Sat May 16 10:33:04 2009 Initialization Sequence Completed

~> ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 1.2.116.141 --> 1.2.116.141 netmask 0xfffffc00
        Opened by PID 11411

~> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.2.116.1          UGS         0        0   tun0
1.0.0.0/8          1.2.116.1          UGS         0        0   tun0
1.2.116.0/22       1.2.116.141        UGS         2        0   tun0
1.2.116.141        1.2.116.141        UH          1        0   tun0
85.249.223.29/32   192.168.0.1        UGS         0        2    le0
127.0.0.1          127.0.0.1          UH          0      244    lo0
192.168.0.0/24     link#1             UC          0        0    le0
192.168.0.1        00:0f:66:c8:90:fd  UHLW        2     2368    le0   1193
192.168.0.102      00:e0:4c:15:0c:1f  UHLW        1      188    le0   1180

> nslookup www.yahoo.se
Server:         1.254.2.2
Address:        1.254.2.2#53

Non-authoritative answer:
www.yahoo.se    canonical name = www.euro.fyeu.b.yahoo.com.
Name:   www.euro.fyeu.b.yahoo.com
Address: 87.248.120.129

~> ping 1.254.2.2
PING 1.254.2.2 (1.254.2.2): 56 data bytes
64 bytes from 1.254.2.2: icmp_seq=0 ttl=63 time=65.528 ms
64 bytes from 1.254.2.2: icmp_seq=1 ttl=63 time=65.315 ms
64 bytes from 1.254.2.2: icmp_seq=2 ttl=63 time=52.479 ms
^C
--- 1.254.2.2 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 52.479/61.107/65.528/6.102 ms

The same thing on openbsd:

Code:
openbsd ~ # Sat May 16 10:35:09 2009 OpenVPN 2.1_rc15 i386-unknown-openbsd4.5 [SSL] [LZO1] built on May 12 2009
Sat May 16 10:35:09 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 16 10:35:09 2009 Control Channel Authentication: using 'keys/ivacy-tls.key' as a OpenVPN static key file
Sat May 16 10:35:09 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:09 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:09 2009 LZO compression initialized
Sat May 16 10:35:09 2009 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat May 16 10:35:09 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat May 16 10:35:09 2009 Local Options hash (VER=V4): '504e774e'
Sat May 16 10:35:09 2009 Expected Remote Options hash (VER=V4): '14168603'
Sat May 16 10:35:09 2009 Socket Buffers: R=[41600->65536] S=[9216->65536]
Sat May 16 10:35:09 2009 UDPv4 link local: [undef]
Sat May 16 10:35:09 2009 UDPv4 link remote: 85.249.223.29:1194
Sat May 16 10:35:09 2009 TLS: Initial packet from 85.249.223.29:1194, sid=a435a05c 7c5e375c
Sat May 16 10:35:09 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 16 10:35:10 2009 VERIFY OK: depth=1, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=ivacy.com_CA/emailAddress=admin@ivacy.com
Sat May 16 10:35:10 2009 VERIFY OK: nsCertType=SERVER
Sat May 16 10:35:10 2009 VERIFY OK: depth=0, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=openvpn.ivacy.com/emailAddress=admin@ivacy.com
Sat May 16 10:35:10 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 16 10:35:10 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:10 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 16 10:35:10 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:10 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat May 16 10:35:10 2009 [openvpn.ivacy.com] Peer Connection Initiated with 85.249.223.29:1194
Sat May 16 10:35:12 2009 SENT CONTROL [openvpn.ivacy.com]: 'PUSH_REQUEST' (status=1)
Sat May 16 10:35:12 2009 PUSH: Received control message: 'PUSH_REPLY,route 1.0.0.0 255.0.0.0,dhcp-option DNS 1.254.2.2,dhcp-option DNS 1.254.2.3,dhcp-option DOMAIN vpn,explicit-exit-notify 2,route-gateway 1.2.116.1,topology subnet,ping 10,ping-restart 60,ifconfig 1.2.116.143 255.255.252.0'
Sat May 16 10:35:12 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: explicit notify parm(s) modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: --ifconfig/up options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: route options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: route-related options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat May 16 10:35:12 2009 ROUTE default_gateway=192.168.0.1
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Device not configured
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 create
Sat May 16 10:35:12 2009 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 1.2.116.143 netmask 255.255.252.0 mtu 1500 broadcast 1.2.119.255 link0
Sat May 16 10:35:12 2009 TUN/TAP device /dev/tun0 opened
Sat May 16 10:35:12 2009 /etc/openvpn/ivacy-up.sh tun0 1500 1542 1.2.116.143 255.255.252.0 init
Sat May 16 10:35:12 2009 /sbin/route add -net 85.249.223.29 192.168.0.1 -netmask 255.255.255.255
add net 85.249.223.29: gateway 192.168.0.1
Sat May 16 10:35:12 2009 /sbin/route delete -net 0.0.0.0 192.168.0.1 -netmask 0.0.0.0
delete net 0.0.0.0: gateway 192.168.0.1
Sat May 16 10:35:12 2009 /sbin/route add -net 0.0.0.0 1.2.116.1 -netmask 0.0.0.0
add net 0.0.0.0: gateway 1.2.116.1
Sat May 16 10:35:12 2009 WARNING: potential route subnet conflict between local LAN [1.2.116.0/255.255.255.0] and remote VPN [1.0.0.0/255.0.0.0]
Sat May 16 10:35:12 2009 /sbin/route add -net 1.0.0.0 1.2.116.1 -netmask 255.0.0.0
add net 1.0.0.0: gateway 1.2.116.1
Sat May 16 10:35:12 2009 Initialization Sequence Completed

# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            1.2.116.1          UGS        0        0     -     8 tun0
1/8                1.2.116.1          UGS        0        8     -     8 tun0
1.2.116/22         link#4             UC         1        0     -     4 tun0
1.2.116.1          link#4             UHRLc      2        0     -     4 tun0
85.249.223.29/32   192.168.0.1        UGS        1       20     -     8 vic0
loopback           localhost          UGRS       0        0 33204     8 lo0
localhost          localhost          UH         2      314 33204     4 lo0
192.168.0/24       link#1             UC         2        0     -     4 vic0
192.168.0.1        00:0f:66:c8:90:fd  UHLc       2       19     -     4 vic0
192.168.0.102      00:e0:4c:15:0c:1f  UHLc       2      608     -     4 vic0
192.168.0.126      localhost          UGHS       0        0 33204     8 lo0
BASE-ADDRESS.MCAST localhost          URS        0        0 33204     8 lo0

openbsd ~ # ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:a9:7c:44:01
        priority: 0
        groups: egress
        inet 1.2.116.141 netmask 0xfffffc00 broadcast 1.2.119.255
        inet6 fe80::2bd:a9ff:fe7c:4401%tun0 prefixlen 64 scopeid 0x4

openbsd ~ # nslookup www.yahoo.com    <<= just hangs!!!

openbsd ~ # cat /etc/resolv.conf
domain vpn
nameserver 1.254.2.2
nameserver 1.254.2.3
lookup file bind

openbsd ~ # ping 1.254.2.2
PING 1.254.2.2 (1.254.2.2): 56 data bytes
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
--- 1.254.2.2 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss

I also compiled a version on openbsd which is linked with lzo2, but unfortunately without any luck.

Any clues?

Michael
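As an added example (not code from the thread), the two routing tables above can be read side by side programmatically: on FreeBSD the default gateway sits behind a POINTOPOINT tun0 and needs no link-layer resolution, while on OpenBSD tun0 came up with link0 (Ethernet emulation) and the gateway's entry shows an ARP request that was never answered, which matches the "arp who-has" seen in tcpdump and the "No route to host" from ping. The sample tables are constructed from the output Michael posted; flag letters follow netstat(1).

```python
# Added example (not from the thread): parse the routing tables pasted above
# and explain how each system reaches the default gateway 1.2.116.1.
# Constructed from the thread's FreeBSD `netstat -rn`: tun0 is POINTOPOINT.
FREEBSD_ROUTES = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.2.116.1          UGS         0        0   tun0
1.0.0.0/8          1.2.116.1          UGS         0        0   tun0
1.2.116.0/22       1.2.116.141        UGS         2        0   tun0
1.2.116.141        1.2.116.141        UH          1        0   tun0
192.168.0.1        00:0f:66:c8:90:fd  UHLW        2     2368    le0   1193
"""

# Constructed from the thread's OpenBSD `route show -inet`: tun0 is up with link0.
OPENBSD_ROUTES = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            1.2.116.1          UGS        0        0     -     8 tun0
1/8                1.2.116.1          UGS        0        8     -     8 tun0
1.2.116/22         link#4             UC         1        0     -     4 tun0
1.2.116.1          link#4             UHRLc      2        0     -     4 tun0
192.168.0.1        00:0f:66:c8:90:fd  UHLc       2       19     -     4 vic0
"""

def parse_routes(text):
    """Header-driven parse of either table: {destination: (gateway, flags, iface)}."""
    lines = text.splitlines()
    header = lines[0].split()
    ifcol = header.index("Netif") if "Netif" in header else header.index("Iface")
    routes = {}
    for line in lines[1:]:
        parts = line.split()
        if len(parts) > ifcol:
            routes[parts[0]] = (parts[1], parts[2], parts[ifcol])
    return routes

def explain_default_gateway(routes):
    """(status, detail): 'ptp', 'resolved' or 'arp-unresolved' for the default gateway."""
    gw, _, iface = routes["default"]
    entry = routes.get(gw)
    if entry is None:
        # No host entry: a network route hands packets to the tun peer, so no
        # ARP is ever needed (the FreeBSD table above).
        return "ptp", "%s reached via %s without link-layer resolution" % (gw, iface)
    link, flags, _ = entry
    if "L" in flags and link.startswith("link#"):
        # L = ARP entry, but Gateway shows link#N instead of a MAC: the "arp who-has"
        # on tun0 got no reply. R = RTF_REJECT, hence sendto(): "No route to host".
        rej = ", marked reject (R)" if "R" in flags else ""
        return "arp-unresolved", "ARP for %s on %s unanswered%s" % (gw, iface, rej)
    return "resolved", "%s is at %s on %s" % (gw, link, iface)
```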

openvpn on openbsd problem. solved?

I'm running into the same problem with connecting to my openvpn provider from my openbsd client machine.
Did you get it solved? How?

Thanks,
Henry

See http://www.daemonforums.org/showthread.php?t=5653 for a solution on OpenBSD 4.9 beta.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump