DaemonForums > OpenBSD > OpenBSD Security
#1
14th May 2009
michaelk
New User
Join Date: May 2008
Posts: 9
Thanked 0 Times in 0 Posts
openvpn on openbsd problem....

Hi Everyone,

When trying to connect to my VPN provider using openvpn (2.1_rc15) on
openbsd (both 4.4 and 4.5) everything works fine (i.e. I receive an IP address
and a correct routing table) except that I can't connect anywhere?!

I can ping my own tun0 IP address but it seems like all other packets get blocked.
(I'm not using pf)

The same client conf works fine on freebsd, linux, netbsd and windows, so it seems
that I'm missing some special sysctl setting on openbsd?

Any hints what might be causing this?

I tried "tcpdump -i tun0" but all I see is:

arp who-has <default gateway> tell <my tun0 ip>

Thanks in advance,

Michael

#2
14th May 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,798
Thanked 214 Times in 189 Posts

You might need to turn on packet forwarding, since you are "routing" through the tun(4) interface. It's a very quick test:

# sysctl net.inet.ip.forwarding=1

If that works, make it permanent in /etc/sysctl.conf.
#3
14th May 2009
michaelk
New User
Join Date: May 2008
Posts: 9
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by jggimi View Post
You might need to turn on packet forwarding, since you are "routing" through the tun(4) interface. It's a very quick test:

# sysctl net.inet.ip.forwarding=1

If that works, make it permanent in /etc/sysctl.conf.
Thanks for the suggestion... just tested... but unfortunately it did not solve it.

I'm on the local machine so forwarding should not be needed.

Any more clues how to troubleshoot this?

Anyone running openvpn successfully on openbsd? (as a client).

//Michael
#4
14th May 2009
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

Can you post the output of the following?

$ route show -inet
$ ifconfig -a # or just tun0.

Hopefully we'll know more about your setup this way; it's likely a configuration issue. Posting the output of /etc/mygate in [code][/code] blocks might also be helpful.
#5
14th May 2009
Oko
Fsck Surgeon
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 800
Thanked 36 Times in 32 Posts

Quote:
Originally Posted by michaelk View Post
Anyone running openvpn successfully on openbsd? (as a client).
Yes
#6
15th May 2009
There0
./dev/null
Join Date: Jul 2008
Posts: 169
Thanked 10 Times in 10 Posts

I have an OpenBSD client using openvpn as well, it is a bit dated but I will post.


OpenBSD 4.3 client config

Code:
client
dev tun0
dev-type tap

port 5000
proto udp
remote xx.xx.xx.xx
redirect-gateway
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 4
mute 20

The first 2 bolded lines were the only real difference between this and my Windoz client config, hope it helps.
#7
16th May 2009
michaelk
New User
Join Date: May 2008
Posts: 9
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by BSDfan666 View Post
Can you post the output of the following?

$ route show -inet
$ ifconfig -a # or just tun0.

Hopefully we'll know more about your setup this way, it's likely a configuration issue.. posting the output of /etc/mygate in [code][/code] blocks might also be helpful.

The provider I try to connect to is http://ivacy.com

on freebsd:

Code:
~> Sat May 16 10:33:01 2009 OpenVPN 2.1_rc15 i386-portbld-freebsd7.1 [SSL] [LZO2] built on May  9 2009
Sat May 16 10:33:01 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 16 10:33:01 2009 Control Channel Authentication: using 'keys/ivacy-tls.key' as a OpenVPN static key file
Sat May 16 10:33:01 2009 LZO compression initialized
Sat May 16 10:33:01 2009 RESOLVE: NOTE: openvpn.ivacy.com resolves to 2 addresses, choosing one by random
Sat May 16 10:33:01 2009 UDPv4 link local: [undef]
Sat May 16 10:33:01 2009 UDPv4 link remote: 85.249.223.29:1194
Sat May 16 10:33:01 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 16 10:33:02 2009 [openvpn.ivacy.com] Peer Connection Initiated with 85.249.223.29:1194
Sat May 16 10:33:04 2009 TUN/TAP device /dev/tun0 opened
Sat May 16 10:33:04 2009 /sbin/ifconfig tun0 1.2.116.141 1.2.116.141 netmask 255.255.252.0 mtu 1500 up
add net 1.2.116.0: gateway 1.2.116.141
Sat May 16 10:33:04 2009 /usr/local/etc/openvpn/ivacy-up.sh tun0 1500 1542 1.2.116.141 255.255.252.0 init
add net 85.249.223.29: gateway 192.168.0.1
delete net 0.0.0.0: gateway 192.168.0.1
add net 0.0.0.0: gateway 1.2.116.1
Sat May 16 10:33:04 2009 WARNING: potential route subnet conflict between local LAN [1.2.116.0/255.255.255.0] and remote VPN [1.0.0.0/255.0.0.0]
add net 1.0.0.0: gateway 1.2.116.1
Sat May 16 10:33:04 2009 Initialization Sequence Completed

~> ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 1.2.116.141 --> 1.2.116.141 netmask 0xfffffc00 
        Opened by PID 11411
~> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.2.116.1          UGS         0        0   tun0
1.0.0.0/8          1.2.116.1          UGS         0        0   tun0
1.2.116.0/22       1.2.116.141        UGS         2        0   tun0
1.2.116.141        1.2.116.141        UH          1        0   tun0
85.249.223.29/32   192.168.0.1        UGS         0        2    le0
127.0.0.1          127.0.0.1          UH          0      244    lo0
192.168.0.0/24     link#1             UC          0        0    le0
192.168.0.1        00:0f:66:c8:90:fd  UHLW        2     2368    le0   1193
192.168.0.102      00:e0:4c:15:0c:1f  UHLW        1      188    le0   1180

> nslookup www.yahoo.se
Server:         1.254.2.2
Address:        1.254.2.2#53

Non-authoritative answer:
www.yahoo.se    canonical name = www.euro.fyeu.b.yahoo.com.
Name:   www.euro.fyeu.b.yahoo.com
Address: 87.248.120.129

~> ping 1.254.2.2
PING 1.254.2.2 (1.254.2.2): 56 data bytes
64 bytes from 1.254.2.2: icmp_seq=0 ttl=63 time=65.528 ms
64 bytes from 1.254.2.2: icmp_seq=1 ttl=63 time=65.315 ms
64 bytes from 1.254.2.2: icmp_seq=2 ttl=63 time=52.479 ms
^C
--- 1.254.2.2 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 52.479/61.107/65.528/6.102 ms
Works great!

The same thing on openbsd:

Code:
openbsd ~ # Sat May 16 10:35:09 2009 OpenVPN 2.1_rc15 i386-unknown-openbsd4.5 [SSL] [LZO1] built on May 12 2009
Sat May 16 10:35:09 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 16 10:35:09 2009 Control Channel Authentication: using 'keys/ivacy-tls.key' as a OpenVPN static key file
Sat May 16 10:35:09 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:09 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:09 2009 LZO compression initialized
Sat May 16 10:35:09 2009 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat May 16 10:35:09 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat May 16 10:35:09 2009 Local Options hash (VER=V4): '504e774e'
Sat May 16 10:35:09 2009 Expected Remote Options hash (VER=V4): '14168603'
Sat May 16 10:35:09 2009 Socket Buffers: R=[41600->65536] S=[9216->65536]
Sat May 16 10:35:09 2009 UDPv4 link local: [undef]
Sat May 16 10:35:09 2009 UDPv4 link remote: 85.249.223.29:1194
Sat May 16 10:35:09 2009 TLS: Initial packet from 85.249.223.29:1194, sid=a435a05c 7c5e375c
Sat May 16 10:35:09 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 16 10:35:10 2009 VERIFY OK: depth=1, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=ivacy.com_CA/emailAddress=admin@ivacy.com
Sat May 16 10:35:10 2009 VERIFY OK: nsCertType=SERVER
Sat May 16 10:35:10 2009 VERIFY OK: depth=0, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=openvpn.ivacy.com/emailAddress=admin@ivacy.com
Sat May 16 10:35:10 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 16 10:35:10 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:10 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 16 10:35:10 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:10 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat May 16 10:35:10 2009 [openvpn.ivacy.com] Peer Connection Initiated with 85.249.223.29:1194
Sat May 16 10:35:12 2009 SENT CONTROL [openvpn.ivacy.com]: 'PUSH_REQUEST' (status=1)
Sat May 16 10:35:12 2009 PUSH: Received control message: 'PUSH_REPLY,route 1.0.0.0 255.0.0.0,dhcp-option DNS 1.254.2.2,dhcp-option DNS 1.254.2.3,dhcp-option DOMAIN vpn,explicit-exit-notify 2,route-gateway 1.2.116.1,topology subnet,ping 10,ping-restart 60,ifconfig 1.2.116.143 255.255.252.0'
Sat May 16 10:35:12 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: explicit notify parm(s) modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: --ifconfig/up options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: route options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: route-related options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat May 16 10:35:12 2009 ROUTE default_gateway=192.168.0.1
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Device not configured
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 create
Sat May 16 10:35:12 2009 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 1.2.116.143 netmask 255.255.252.0 mtu 1500 broadcast 1.2.119.255 link0
Sat May 16 10:35:12 2009 TUN/TAP device /dev/tun0 opened
Sat May 16 10:35:12 2009 /etc/openvpn/ivacy-up.sh tun0 1500 1542 1.2.116.143 255.255.252.0 init
Sat May 16 10:35:12 2009 /sbin/route add -net 85.249.223.29 192.168.0.1 -netmask 255.255.255.255
add net 85.249.223.29: gateway 192.168.0.1
Sat May 16 10:35:12 2009 /sbin/route delete -net 0.0.0.0 192.168.0.1 -netmask 0.0.0.0
delete net 0.0.0.0: gateway 192.168.0.1
Sat May 16 10:35:12 2009 /sbin/route add -net 0.0.0.0 1.2.116.1 -netmask 0.0.0.0
add net 0.0.0.0: gateway 1.2.116.1
Sat May 16 10:35:12 2009 WARNING: potential route subnet conflict between local LAN [1.2.116.0/255.255.255.0] and remote VPN [1.0.0.0/255.0.0.0]
Sat May 16 10:35:12 2009 /sbin/route add -net 1.0.0.0 1.2.116.1 -netmask 255.0.0.0
add net 1.0.0.0: gateway 1.2.116.1
Sat May 16 10:35:12 2009 Initialization Sequence Completed

# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            1.2.116.1          UGS        0        0     -     8 tun0
1/8                1.2.116.1          UGS        0        8     -     8 tun0
1.2.116/22         link#4             UC         1        0     -     4 tun0
1.2.116.1          link#4             UHRLc      2        0     -     4 tun0
85.249.223.29/32   192.168.0.1        UGS        1       20     -     8 vic0
loopback           localhost          UGRS       0        0 33204     8 lo0
localhost          localhost          UH         2      314 33204     4 lo0
192.168.0/24       link#1             UC         2        0     -     4 vic0
192.168.0.1        00:0f:66:c8:90:fd  UHLc       2       19     -     4 vic0
192.168.0.102      00:e0:4c:15:0c:1f  UHLc       2      608     -     4 vic0
192.168.0.126      localhost          UGHS       0        0 33204     8 lo0
BASE-ADDRESS.MCAST localhost          URS        0        0 33204     8 lo0

openbsd ~ # ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:a9:7c:44:01
        priority: 0
        groups: egress
        inet 1.2.116.141 netmask 0xfffffc00 broadcast 1.2.119.255
        inet6 fe80::2bd:a9ff:fe7c:4401%tun0 prefixlen 64 scopeid 0x4
        
openbsd ~ # nslookup www.yahoo.com   <<= just hangs!!!


openbsd ~ # cat /etc/resolv.conf
domain vpn
nameserver 1.254.2.2
nameserver 1.254.2.3
lookup file bind
openbsd ~ # ping 1.254.2.2

PING 1.254.2.2 (1.254.2.2): 56 data bytes
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
--- 1.254.2.2 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
Notice that openvpn is linked with lzo1 while freebsd is linked with lzo2.

I also compiled a version on openbsd which is linked with lzo2, but unfortunately
without any luck.

Any clues?

Michael
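The two dumps above differ in one visible way: on FreeBSD, tun0 comes up as POINTOPOINT, while on OpenBSD OpenVPN runs `ifconfig tun0 ... link0`, which on OpenBSD's tun(4) of that era switches the interface into layer 2 (Ethernet) mode, so it shows BROADCAST, a lladdr, and a `link#4` route for the gateway 1.2.116.1, and the kernel then has to ARP for the gateway (the `arp who-has` seen in the first post). OpenVPN itself decides tun-versus-tap from `--dev-type` when present and otherwise from the `--dev` name prefix, which is why There0's config (`dev tun0` plus `dev-type tap`) runs in tap mode. The thread never states the root cause and post #9 only links to a solution, so the script below is an added example by this editor, not code from the thread or from OpenVPN, and it is a diagnostic cross-check rather than a claimed fix: it parses a client config, an ifconfig dump and a route table (constructed excerpts of the outputs quoted in posts #6 and #7) and reports when the config's expected device type disagrees with what the kernel reports. The rule that a layer-3 peer will not answer ARP over the tunnel is this editor's reasoning, not something the thread confirms.

```python
"""Cross-check an OpenVPN client config against the kernel's view of the tunnel
interface to spot a tun (layer 3) vs tap (layer 2) mismatch.

Added example, not code from the thread or from OpenVPN. Sample inputs are
constructed excerpts of the outputs quoted in the thread."""
import re

# --- constructed samples (excerpts of what the thread shows) ----------------
CONFIG_TUN = """\
client
dev tun0
proto udp
"""
# There0's posted config: the device name says tun, but dev-type forces tap mode.
CONFIG_TAP_TYPE = """\
client
dev tun0
dev-type tap
"""
IFCONFIG_FREEBSD = (
    "tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500\n"
    "        inet 1.2.116.141 --> 1.2.116.141 netmask 0xfffffc00\n")
IFCONFIG_OPENBSD = (
    "tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500\n"
    "        lladdr 00:bd:a9:7c:44:01\n"
    "        inet 1.2.116.141 netmask 0xfffffc00 broadcast 1.2.119.255\n")
ROUTE_FREEBSD = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.2.116.1          UGS         0        0   tun0
1.2.116.0/22       1.2.116.141        UGS         2        0   tun0
1.2.116.141        1.2.116.141        UH          1        0   tun0
"""
ROUTE_OPENBSD = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            1.2.116.1          UGS        0        0     -     8 tun0
1.2.116/22         link#4             UC         1        0     -     4 tun0
1.2.116.1          link#4             UHRLc      2        0     -     4 tun0
"""


def expected_layer(config_text):
    """'tun' or 'tap' per OpenVPN's rules: --dev-type wins when present,
    otherwise the prefix of the --dev name decides. None if undecidable."""
    dev = dev_type = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "dev":
            dev = parts[1]
        elif parts[0] == "dev-type":
            dev_type = parts[1]
    if dev_type in ("tun", "tap"):
        return dev_type
    if dev and dev.startswith("tap"):
        return "tap"
    if dev and dev.startswith("tun"):
        return "tun"
    return None


def observed_layer(ifconfig_text):
    """Classify the flags=<...> word list of an ifconfig(8) dump:
    POINTOPOINT -> layer-3 tun; BROADCAST (or OpenBSD's LINK0, which puts
    tun(4) into Ethernet mode) -> layer-2 tap. None if no flags found."""
    m = re.search(r"flags=[0-9a-fx]+<([^>]*)>", ifconfig_text)
    if not m:
        return None
    flags = set(m.group(1).split(","))
    if "POINTOPOINT" in flags:
        return "tun"
    if "BROADCAST" in flags or "LINK0" in flags:
        return "tap"
    return None


def default_gateway(route_text):
    """Gateway column of the 'default' row (same layout on both systems)."""
    for line in route_text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0] == "default":
            return cols[1]
    return None


def gateway_needs_arp(route_text, gateway):
    """True when the gateway's own route is a link-layer (link#) route, i.e.
    the kernel must resolve the next hop with ARP before packets can leave."""
    for line in route_text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0] == gateway:
            return cols[1].startswith("link#")
    return False


def diagnose(config_text, ifconfig_text, route_text):
    """Return a list of findings; an empty list means config and kernel agree."""
    findings = []
    exp, obs = expected_layer(config_text), observed_layer(ifconfig_text)
    gw = default_gateway(route_text)
    if exp and obs and exp != obs:
        findings.append(f"config expects a {exp} device but the kernel interface is in {obs} mode")
    # Editor's assumption: with a layer-3 tunnel on the far side, nobody answers ARP.
    if exp == "tun" and obs == "tap" and gw and gateway_needs_arp(route_text, gw):
        findings.append(f"default gateway {gw} is a link# route: the kernel will ARP for it "
                        f"over the tunnel, which a layer-3 peer will not answer")
    return findings


if __name__ == "__main__":
    for label, cfg, ifc, rt in (("freebsd", CONFIG_TUN, IFCONFIG_FREEBSD, ROUTE_FREEBSD),
                                ("openbsd", CONFIG_TUN, IFCONFIG_OPENBSD, ROUTE_OPENBSD)):
        print(label, diagnose(cfg, ifc, rt) or "ok")
```

Run against the OpenBSD dump with a plain `dev tun0` config it reports both findings; the same dump paired with There0's `dev-type tap` config, or the FreeBSD dump with the plain config, reports nothing, which is the agreement a working client shows.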
#8
2nd February 2010
xobsdx
Real Name: Henry
New User
Join Date: Jan 2010
Location: Rio de Janeiro
Posts: 1
Thanked 0 Times in 0 Posts
openvpn on openbsd problem. solved?

I'm running into the same problem with connecting to my openvpn provider from my openbsd client machine.

Did you get it solved? How?

Thanks

Henry
#9
9th February 2011
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,190
Thanked 182 Times in 149 Posts

See http://www.daemonforums.org/showthread.php?t=5653 for a solution on OpenBSD 4.9 beta
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump