OpenBSD Packages and Ports: Installation and upgrading of packages and ports on OpenBSD.
According to that pkg_info message, you have to create a /etc/hostname.tun0 file with the following contents:
Code:
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
The second line starts openvpn when the network interfaces are configured, which is very early in the network setup and thus visible for pf. It also means that upon every reboot OpenVPN is started automatically. I don't know how you start it now.

RE: ifconfig output
That output is only meaningful if we also see the routing tables. Instead of route -n show I prefer netstat -rn -f inet. That will skip the IPv6 stuff.

EDIT: Ok, you are posting the routing tables now too.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 1st February 2011 at 10:44 PM. Reason: routing tables remark

I don't start tun0 at all. It's just there when I boot into OpenBSD, and is activated upon OpenVPN's start. I'm pretty sure tun0 is there by default because I have no idea how to create network interfaces.
As for the second line, I don't want to start OpenVPN automatically upon boot. So would it be alright to leave those lines out? Or should I still put up in there?

I would recommend to create that /etc/hostname.tun0 file and reboot and see how that goes first. Then later, if everything runs fine, you can look for an alternative way to start it.

Okay, so I just rebooted with the /etc/hostname.tun0 file in place...
ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:xx:xx:xx:xx:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2xx:xxff:fexx:xx86%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
tun0: flags=11<UP,POINTOPOINT> mtu 1500
        priority: 0
        groups: tun
        status: down
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
Code:
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        9      385     -     8 nfe0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH        17      452 33200     4 lo0
192.168.1/24       link#1             UC         1        0     -     4 nfe0
192.168.1.1        00:xx:xx:xx:xx:8c  UHLc       1       20     -     4 nfe0
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0
And of course, as usual, the VPN connects but nothing...
Last edited by Emile; 1st February 2011 at 11:11 PM.

Well, it seems I've been working on this for some hours and not eaten anything since... I'm going to get some grub and be back in a couple hours or so, I guess. Need to exercise my eyes, doctor says (for staring at the computer screen too much).

I am running out of ideas ... Only next weekend I have time to see if I can get it running between a Linux box and OpenBSD. If you cannot wait that long you could try to google for an answer or post on the OpenBSD misc mailing list.
BTW, it is normal that the IP address of an interface does not show up in the routing table, i.e.:
Code:
$ ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:db:47:b0:4c
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.222.20 netmask 0xffffff00 broadcast 192.168.222.255
        inet6 fe80::219:dbff:fe47:b04c%re0 prefixlen 64 scopeid 0x2
$ netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.222.10     UGS        7    27112     -     8 re0
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33160     4 lo0
192.168.222/24     link#2             UC         1        0     -     4 re0
192.168.222.10     00:08:c7:05:ca:0b  UHLc       1     1643     -     4 re0
224/4              127.0.0.1          URS        0        0 33160     8 lo0
Blame the more than 2000 spambots that I had to deal with since the 5th of January.

Do you have any ideas how I can route the IPs properly if they are being routed incorrectly, as I think you're referring to in a previous post? /etc/hostname.tun0 maybe? But I have doubts about it as it's not even functioning properly at all in the first place...
(I'm not supposed to be on the computer but my significant other is cooking and unaware I am sneaking on here, so shhh)

From reading the OpenVPN docs, it becomes clear to me that you need to choose for your local network a different network than the one you are connecting to.
See http://openvpn.net/index.php/open-so...html#numbering
But that is already happening. You are on 192.168.1.0/24 while the server is pushing routes to you as client for 10.100.2.0/24:
Code:
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Tue Feb  1 15:14:00 2011 TUN/TAP device /dev/tun0 opened
Tue Feb  1 15:14:02 2011 /sbin/route add -net [VPN IP] 192.168.1.1 -netmask 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 0.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 128.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 10.100.2.0 10.100.2.1 -netmask 255.255.255.0
add net 10.100.2.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 Initialization Sequence Completed
Last edited by J65nko; 2nd February 2011 at 03:57 AM.

Did you enable forwarding between interfaces?
I have
Code:
$ sysctl -a | grep forward
net.inet.ip.forwarding=0
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=0
net.inet6.ip6.mforwarding=0
To set this, edit /etc/sysctl.conf:
Code:
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
#net.inet.ip.forwarding=1       # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1        # 1=Enable IP multipath routing
EDIT: This is only needed on an OpenVPN gateway, and you are a client.
Last edited by J65nko; 2nd February 2011 at 03:42 AM. Reason: Warning about forwarding only needed on gateway

Last edited by J65nko; 2nd February 2011 at 03:48 AM. Reason: Add /etc/hostname.tun0 'client.conf' remark

For all the times I've used OpenVPN on OpenBSD, I've always used tun0. But this was like a couple releases ago, so it's been a while. Usually I use the interface I am told to use, and in this case the VPN provider gave the configuration with tun0, so I think I should use that, but I can try tap.
In my /etc/hostname.tun0 I have:
Code:
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn
Either way, the up command in this file doesn't seem to be working at boot time. Am considering posting this on the misc@ mailing list, as I've never used a mailing list before and read up on some of it recently. I am paying for this subscription so I want to get it working ASAP.

You could create a "/etc/hostname.tun0" file with
Code:
up
!/sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0

Well, that did succeed in bringing up the tun0 interface on boot at least:
Code:
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d1:3f:1a
        priority: 0
        groups: tun
        status: no carrier
        inet 10.100.2.106 netmask 0xffffff00 broadcast 10.100.2.255
        inet6 fe80::fce1:baff:fed1:3f1a%tun0 prefixlen 64 scopeid 0x4

One of the devs also says that it looks like there's a routing issue:
Code:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0
default            192.168.1.1        UGS        3     1313     -     8 nfe0
10.100.1/24        link#6             UC         1        0     -     4 tun0
He hasn't offered a fix though, so I'm not sure what to do at this point. A lot of this networking knowledge is over my head, as mine is pretty elementary as far as networking goes. I actually took a new route -n and sent a reply:
Code:
$ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0       19     -     8 tun0
default            192.168.1.1        UGS        8     5098     -     8 nfe0
10.100.1/24        link#6             UC         1        0     -     4 tun0
10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0
10.100.1.1         link#6             UHRLc      3        0     -     4 tun0
[vpn ip]/32        192.168.1.1        UGS        0       11     -     8 nfe0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         4       50 33200     4 lo0
128/1              10.100.1.1         UGS        0        0     -     8 tun0
192.168.1/24       link#1             UC         1        0     -     4 nfe0
192.168.1.1        00:xx:xx:xx:xx:8c  UHLc       2      241     -     4 nfe0
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0
Last edited by Emile; 2nd February 2011 at 06:42 PM.

I have never seen a 0/1 route before. If you are willing to experiment, you could delete the default route default 192.168.1.1 with
Code:
$ sudo route delete default
After playing, use route add default 192.168.1.1 to restore.
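The 0/1 and 128/1 routes discussed in the last two posts are what OpenVPN installs for redirect-gateway def1: together they cover every address and are more specific than "default", so they take precedence without the default route being deleted, while the /32 host route to the VPN server via the original gateway keeps the tunnel's own outer packets off the tunnel. The script below is an added example, not code from this thread; it reads a constructed netstat -rn -f inet table (modelled on the ones posted here, with 203.0.113.10 standing in for the redacted VPN server address) and reports whether each of those routes is present and leaves by the expected interface. The function names, the sample table and the interface names tun0/nfe0 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: check a `netstat -rn -f inet` dump for the
# routes an OpenVPN client with "redirect-gateway def1" installs. OpenVPN adds
# 0/1 and 128/1 via the VPN gateway (together they cover every address and are
# more specific than "default", so they win without deleting it) plus a /32 host
# route to the VPN server via the original gateway so the tunnel's outer packets
# stay off the tunnel.
#
# SAMPLE_ROUTES is a constructed table modelled on the ones posted in the thread;
# 203.0.113.10 stands in for the VPN server's redacted address.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0       19     -     8 tun0
default            192.168.1.1        UGS        8     5098     -     8 nfe0
10.100.1/24        link#6             UC         1        0     -     4 tun0
10.100.1.1         link#6             UHRLc      3        0     -     4 tun0
203.0.113.10/32    192.168.1.1        UGS        0       11     -     8 nfe0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         4       50 33200     4 lo0
128/1              10.100.1.1         UGS        0        0     -     8 tun0
192.168.1/24       link#1             UC         1        0     -     4 nfe0
224/4              127.0.0.1          URS        0        0 33200     8 lo0'

# route_iface DUMP DESTINATION: print the Iface column of the route whose
# Destination matches exactly, or nothing if there is no such route.
route_iface() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { print $NF; exit }'
}

# check_vpn_routes DUMP TUNIF WANIF: print a one-line verdict and return 0 only
# when all expected routes are present and point out of the right interface.
check_vpn_routes() {
    dump=$1 tun=$2 wan=$3 result='' rc=0
    # the two half-default routes must go through the tunnel
    for dst in 0/1 128/1; do
        via=$(route_iface "$dump" "$dst")
        if [ "$via" = "$tun" ]; then result="$result $dst=ok"
        elif [ -z "$via" ]; then result="$result $dst=missing"; rc=1
        else result="$result $dst=wrong:$via"; rc=1
        fi
    done
    # the original default route must survive, still via the WAN interface
    if [ "$(route_iface "$dump" default)" = "$wan" ]; then result="$result default=ok"
    else result="$result default=not-via-$wan"; rc=1
    fi
    # the VPN server itself needs a /32 via the original gateway, out the WAN interface
    gw=$(printf '%s\n' "$dump" | awk '$1 == "default" { print $2; exit }')
    host=$(printf '%s\n' "$dump" | awk -v gw="$gw" -v wan="$wan" \
        '$1 ~ /\/32$/ && $2 == gw && $NF == wan { print $1; exit }')
    if [ -n "$host" ]; then result="$result server-host-route=$host"
    else result="$result server-host-route=missing"; rc=1
    fi
    printf '%s\n' "${result# }"
    return $rc
}

# Stand-alone demo: the healthy sample, then the same table with 0/1 removed.
check_vpn_routes "$SAMPLE_ROUTES" tun0 nfe0
BROKEN_ROUTES=$(printf '%s\n' "$SAMPLE_ROUTES" | grep -v '^0/1 ')
check_vpn_routes "$BROKEN_ROUTES" tun0 nfe0 || echo "routing for the tunnel is incomplete"
```

On a live machine, replace the sample with `check_vpn_routes "$(netstat -rn -f inet)" tun0 nfe0`. A table that passes this check and still carries no traffic points away from routing and towards pf (the tun interface group is visible to pf, as noted earlier in the thread) or the far end of the tunnel.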

Someone suggested that to me already, but it did nothing.
Is it just that no OpenBSD users use OpenVPN? Or is it just me that has this problem?

I know that Felix Kronlage, the OBSD developer in charge of the OpenVPN port, uses it.
In Belgium in 2006, when I was assisting in shipping the OpenBSD 4.0 CDs, I saw him log in to one of his customers' machines in Germany with OpenVPN. For a log of recent changes in the OpenVPN port see http://openports.se/net/openvpn.

Here are some logs of a successful connection on another OS, if it helps at all:
Before VPN:
Code:
$ ifconfig
Code:
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc          141        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1       24     lo0
169.254            link#4             UCS             0        0     en0
192.168.1          link#4             UCS             3        0     en0
192.168.1.1        0:1f:90:f:88:8c    UHLWI         144       74     en0   1116
192.168.1.3        0:24:2c:9c:d2:ed   UHLWI           0       60     en0   1179
192.168.1.4        127.0.0.1          UHS             0        0     lo0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        2     en0
Now after turning on OpenVPN:
Code:
$ ifconfig
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.100.1.9 --> 10.100.1.9 netmask 0xffffff00
        open (pid 375)
Code:
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.100.1.1         UGSc            1        0    tun0
default            192.168.1.1        UGSc            2        0     en0
10.100.1/24        10.100.1.9         UGSc            1        0    tun0
10.100.1.9         10.100.1.9         UH              2        0    tun0
92.241.168.20/32   192.168.1.1        UGSc            1        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2       64     lo0
128.0/1            10.100.1.1         UGSc            1        0    tun0
169.254            link#4             UCS             0        0     en0
192.168.1          link#4             UCS             2        0     en0
192.168.1.1        0:1f:90:f:88:8c    UHLWI           2       74     en0    997
192.168.1.3        0:24:2c:9c:d2:ed   UHLWI           0       90     en0   1172
192.168.1.4        127.0.0.1          UHS             0        0     lo0
VPN log:
Code:
2011-02-02 16:26:46 OpenVPN 2.1.4 i386 [SSL] [LZO2] [PKCS11] built on Dec 9 2010
2011-02-02 16:26:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-02-02 16:26:46 WARNING: file 'cert.dat' is group or others accessible
2011-02-02 16:26:46 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
2011-02-02 16:26:46 Socket Buffers: R=[262140->65536] S=[131070->65536]
2011-02-02 16:26:46 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
2011-02-02 16:26:46 Local Options hash (VER=V4): 'bf6006bf'
2011-02-02 16:26:46 Expected Remote Options hash (VER=V4): '3ce6ab7f'
2011-02-02 16:26:46 Attempting to establish TCP connection with [VPN IP]:3074 [nonblock]
2011-02-02 16:26:47 TCP connection established with [VPN IP]:3074
2011-02-02 16:26:47 TCPv4_CLIENT link local: [undef]
2011-02-02 16:26:47 TCPv4_CLIENT link remote: [VPN IP]:3074
2011-02-02 16:26:47 TLS: Initial packet from [VPN IP]:3074, sid=4998116d ab8591a8
2011-02-02 16:26:48 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=admin@example.com
2011-02-02 16:26:48 VERIFY OK: nsCertType=SERVER
2011-02-02 16:26:48 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
2011-02-02 16:26:52 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
2011-02-02 16:26:52 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-02-02 16:26:52 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
2011-02-02 16:26:52 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-02-02 16:26:52 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2011-02-02 16:26:52 [server] Peer Connection Initiated with [VPN IP]:3074
2011-02-02 16:26:54 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2011-02-02 16:26:55 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.9 255.255.255.0'
2011-02-02 16:26:55 OPTIONS IMPORT: timers and/or timeouts modified
2011-02-02 16:26:55 OPTIONS IMPORT: --socket-flags option modified
2011-02-02 16:26:55 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
2011-02-02 16:26:55 OPTIONS IMPORT: --ifconfig/up options modified
2011-02-02 16:26:55 OPTIONS IMPORT: route options modified
2011-02-02 16:26:55 OPTIONS IMPORT: route-related options modified
2011-02-02 16:26:55 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2011-02-02 16:26:55 ROUTE default_gateway=192.168.1.1
2011-02-02 16:26:55 TUN/TAP device /dev/tun0 opened
2011-02-02 16:26:55 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2011-02-02 16:26:55 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2011-02-02 16:26:55 /sbin/ifconfig tun0 10.100.1.9 10.100.1.9 netmask 255.255.255.0 mtu 1500 up
2011-02-02 16:26:55 /sbin/route add -net 10.100.1.0 10.100.1.9 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.9
2011-02-02 16:26:57 /sbin/route add -net [VPN IP] 192.168.1.1 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
2011-02-02 16:26:57 /sbin/route add -net 0.0.0.0 10.100.1.1 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
2011-02-02 16:26:57 /sbin/route add -net 128.0.0.0 10.100.1.1 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
2011-02-02 16:26:57 /sbin/route add -net 10.100.1.0 10.100.1.1 255.255.255.0
route: writing to routing socket: File exists
add net 10.100.1.0: gateway 10.100.1.1: File exists
2011-02-02 16:26:57 Initialization Sequence Completed
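The PUSH_REPLY line in the log above is where the server tells the client which routes, resolver and tunnel address to apply, and everything that follows it (the ifconfig and route commands) is the client acting on that list. The script below is an added example, not code from this thread: it pulls the pushed options out of a constructed copy of that log line and condenses them into a one-line answer to the questions a client owner should ask before trusting a provider's configuration: is all traffic being redirected, which DNS server is being pushed, how many routes, and which address the client will take. The sample line, the function names and the output format are assumptions of this example; the log format is the OpenVPN 2.1 one shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: extract the options an OpenVPN server
# pushed (the payload of the PUSH_REPLY control message) from a client log and
# summarise what the client is about to change on the host.
#
# SAMPLE_LOG is a constructed line modelled on the PUSH_REPLY posted in the thread.
SAMPLE_LOG="2011-02-02 16:26:55 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.9 255.255.255.0'"

# pushed_options LOG: print each pushed option on its own line. The payload is the
# comma-separated text between the quotes after PUSH_REPLY; everything else is dropped.
pushed_options() {
    printf '%s\n' "$1" | sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# push_summary LOG: one line answering the questions a client owner cares about:
# is all traffic being redirected, which resolver is pushed, how many routes,
# and which tunnel address the client will configure.
push_summary() {
    pushed_options "$1" | awk '
        $1 == "redirect-gateway"            { redirect = "yes" }
        $1 == "dhcp-option" && $2 == "DNS"  { dns = (dns == "" ? $3 : dns "+" $3) }
        $1 == "route"                       { routes++ }
        $1 == "ifconfig"                    { addr = $2 }
        END {
            printf "redirect=%s dns=%s routes=%d ifconfig=%s\n",
                (redirect == "" ? "no" : redirect),
                (dns == "" ? "none" : dns),
                routes + 0,
                (addr == "" ? "none" : addr)
        }'
}

# Stand-alone demo on the constructed line
pushed_options "$SAMPLE_LOG"
push_summary "$SAMPLE_LOG"
```

On a real log, feed it the line with `push_summary "$(grep PUSH_REPLY /var/log/openvpn.log | tail -1)"` (path assumed). A client that should keep its own routing and resolver regardless of what the server pushes can set OpenVPN's route-nopull option, which makes the client ignore pushed routes and related options.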