DaemonForums  

#1
Old 5th May 2008
MME (New User)

OpenVPN - Problem with connections

Hi,

I've set up OpenVPN on our firewall running FreeBSD 7.0, but I'm having trouble with getting everything to work ok.

My setup looks like this:

Internet --- (1.2.3.4) Firewall (192.168.0.33) --- Internal Network

Clients on the Internet can connect to the firewall without problems, and I can for example ssh to 192.168.0.33 after connecting with openvpn, but I can't reach anything else on my internal network. I have plenty of machines on the internal network but I can't reach any of them, not even with ping. Maybe a routing problem?

Firewall configuration:
Code:
dev tun
local 1.2.3.4
port 1194
proto udp

server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem

push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.10"
push "dhcp-option DNS 192.168.0.25"
push "dhcp-option DOMAIN starwars.local"

comp-lzo

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

group nobody
daemon
Client configuration:
Code:
client
remote 1.2.3.4 1194
dev tun

ca ca.crt
cert client.crt
key client.key

comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

verb 3
Routing info on the client while being connected to the vpn:
Code:
Network Destination          Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.4.1    192.168.4.78       25
          0.0.0.0          0.0.0.0      192.168.4.1    192.168.4.83       20
       10.10.10.1  255.255.255.255       10.10.10.5      10.10.10.6       1
       10.10.10.4  255.255.255.252       10.10.10.6      10.10.10.6       30
       10.10.10.6  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255       10.10.10.6      10.10.10.6       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0       10.10.10.5      10.10.10.6       1
      192.168.4.0    255.255.255.0     192.168.4.78    192.168.4.78       25
      192.168.4.0    255.255.255.0     192.168.4.83    192.168.4.83       20
     192.168.4.78  255.255.255.255        127.0.0.1       127.0.0.1       25
     192.168.4.83  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.4.255  255.255.255.255     192.168.4.78    192.168.4.78       25
    192.168.4.255  255.255.255.255     192.168.4.83    192.168.4.83       20
        224.0.0.0        240.0.0.0       10.10.10.6      10.10.10.6       30
        224.0.0.0        240.0.0.0     192.168.4.78    192.168.4.78       25
        224.0.0.0        240.0.0.0     192.168.4.83    192.168.4.83       20
  255.255.255.255  255.255.255.255       10.10.10.6      10.10.10.6       1
  255.255.255.255  255.255.255.255     192.168.4.78    192.168.4.78       1
  255.255.255.255  255.255.255.255     192.168.4.83    192.168.4.83       1
Gateway:       192.168.4.1
Log from the client during connection:
Code:
Mon May 05 13:02:22 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon May 05 13:02:22 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon May 05 13:02:22 2008 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon May 05 13:02:22 2008 LZO compression initialized
Mon May 05 13:02:22 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 05 13:02:22 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon May 05 13:02:22 2008 Local Options hash (VER=V4): '41690919'
Mon May 05 13:02:22 2008 Expected Remote Options hash (VER=V4): '530fdded'
Mon May 05 13:02:22 2008 UDPv4 link local (bound): [undef]:1194
Mon May 05 13:02:22 2008 UDPv4 link remote: 1.2.3.4:1194
Mon May 05 13:02:22 2008 TLS: Initial packet from 1.2.3.4:1194, sid=4ae4907e 12cd6dc6
Mon May 05 13:02:24 2008 VERIFY OK: depth=1, <HIDDEN>
Mon May 05 13:02:24 2008 VERIFY OK: depth=0, <HIDDEN>
Mon May 05 13:02:25 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon May 05 13:02:25 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 05 13:02:25 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon May 05 13:02:25 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 05 13:02:25 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon May 05 13:02:25 2008 [SERVER] Peer Connection Initiated with 1.2.3.4:1194
Mon May 05 13:02:27 2008 SENT CONTROL [SERVER]: 'PUSH_REQUEST' (status=1)
Mon May 05 13:02:27 2008 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.10,dhcp-option DNS 192.168.0.25,dhcp-option DOMAIN starwars.local,route 10.10.10.1,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
Mon May 05 13:02:27 2008 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 05 13:02:27 2008 OPTIONS IMPORT: --ifconfig/up options modified
Mon May 05 13:02:27 2008 OPTIONS IMPORT: route options modified
Mon May 05 13:02:27 2008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 05 13:02:27 2008 TAP-WIN32 device [Anslutning till lokalt nätverk 8] opened: \\.\Global\{3C96F03B-BB81-451A-8090-FF62E86FB252}.tap
Mon May 05 13:02:27 2008 TAP-Win32 Driver Version 8.4 
Mon May 05 13:02:27 2008 TAP-Win32 MTU=1500
Mon May 05 13:02:27 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {3C96F03B-BB81-451A-8090-FF62E86FB252} [DHCP-serv: 10.10.10.5, lease-time: 31536000]
Mon May 05 13:02:27 2008 Successful ARP Flush on interface [4] {3C96F03B-BB81-451A-8090-FF62E86FB252}
Mon May 05 13:02:27 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon May 05 13:02:27 2008 Route: Waiting for TUN/TAP interface to come up...
Mon May 05 13:02:28 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon May 05 13:02:28 2008 route ADD 192.168.0.0 MASK 255.255.255.0 10.10.10.5
Mon May 05 13:02:28 2008 Route addition via IPAPI succeeded
Mon May 05 13:02:28 2008 route ADD 10.10.10.1 MASK 255.255.255.255 10.10.10.5
Mon May 05 13:02:28 2008 Route addition via IPAPI succeeded
Mon May 05 13:02:28 2008 Initialization Sequence Completed
Help appreciated!
#2
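Added here as a diagnostic aid (not part of the thread): this script parses the PUSH_REPLY line from the client log and the route print rows posted above, and checks that every pushed route was installed with the tunnel peer (10.10.10.5) as gateway and is the longest match for an internal host such as 192.168.0.50. The sample data is a constructed excerpt of the rows from this post; when the check passes, as it does here, the client routing is correct and the fault is on the firewall side (packet forwarding, or return routes/NAT for 10.10.10.0/24 on the internal network).

```python
import ipaddress

# Constructed sample input: the PUSH_REPLY options and the relevant
# "route print" rows as shown in the thread (other rows omitted).
PUSH_REPLY = ("PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.10,"
              "route 10.10.10.1,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5")
ROUTE_TABLE = """\
          0.0.0.0          0.0.0.0      192.168.4.1    192.168.4.78       25
       10.10.10.1  255.255.255.255       10.10.10.5      10.10.10.6       1
       10.10.10.4  255.255.255.252       10.10.10.6      10.10.10.6       30
      192.168.0.0    255.255.255.0       10.10.10.5      10.10.10.6       1
      192.168.4.0    255.255.255.0     192.168.4.78    192.168.4.78       25
"""


def pushed_routes(push_reply):
    """Routes the server pushed, as (network, gateway) pairs.

    OpenVPN syntax is 'route <net> [<mask> [<gw>]]'; the mask defaults to
    255.255.255.255 and the gateway to the ifconfig peer (10.10.10.5 here).
    """
    opts = [o.split() for o in push_reply.split(",")]
    peer = next((o[2] for o in opts if o[:1] == ["ifconfig"]), None)
    routes = []
    for o in opts:
        if o[:1] != ["route"]:
            continue
        mask = o[2] if len(o) > 2 else "255.255.255.255"
        gw = o[3] if len(o) > 3 else peer
        routes.append((ipaddress.ip_network(f"{o[1]}/{mask}"), gw))
    return routes


def parse_route_table(text):
    """Parse Windows 'route print' rows: destination, netmask, gateway, interface, metric."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5:
            rows.append((ipaddress.ip_network(f"{f[0]}/{f[1]}"), f[2], f[3], int(f[4])))
    return rows


def next_hop(rows, addr):
    """Longest-prefix match (lowest metric breaks ties); returns (gateway, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in rows if ip in r[0]),
               key=lambda r: (r[0].prefixlen, -r[3]), default=None)
    return None if best is None else (best[1], best[2])


def check_pushed_routes(push_reply, table_text):
    """Per pushed network: True if the client installed it with the expected gateway."""
    rows = parse_route_table(table_text)
    return {str(net): any(r[0] == net and r[1] == gw for r in rows)
            for net, gw in pushed_routes(push_reply)}
```

Run `check_pushed_routes(PUSH_REPLY, ROUTE_TABLE)` against a fresh `route print` after connecting; a False entry means the route never reached the client, while all-True points the investigation at the firewall and the internal hosts' return path.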
Old 26th May 2008
Kerrnel (New User)

Code:
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1

Stupid Q: I presume you've set the box to forward packets from other machines through it?

Also - I can't tell you anymore why I did this in my server.ovpn (note the last line):
Code:
push "route 10.8.8.0 255.255.255.0" #route to company network
push "dhcp-option DOMAIN xxx.yyy.zzz" #push the DNS domain suffix
push "dhcp-option DNS 10.8.8.1" #push DNS entries to client
push "dhcp-option WINS 10.8.8.1" #push DNS entries to client
push "route 10.8.7.1" # add route to protected network
#3
Old 26th May 2008
Kerrnel (New User)

10.8.7.1 being the tun0 address
Code:
lowe:/service/openvpn-client-lion/root 20:40$ ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.8.7.1 -> 10.8.7.2 netmask 0xffffffff