
How to configure openVPN on linux Debian?

Posted on 2011-02-21
Last Modified: 2012-05-11
Hi,
I have a running Zeroshell router in my company. It uses OpenVPN as the VPN server. I can create LAN-to-LAN connections between Zeroshell servers, but now I would like to configure it from a Linux Debian server.

I have installed OpenVPN on the Debian server and copied the certificates from my Zeroshell server. The line is up (connected), but I cannot get packets to route through it.
I have no TAP device configured; if I run ifconfig, I see only eth0.

Could somebody help me solve this issue?

Thanks,
Patrik
Question by: Patricck

Expert Comment by: mzalfres

Hi,

I don't know Zeroshell routers, but I'll try to give you some general hints:
1. To establish the OpenVPN service, you need to create an "/etc/openvpn/<something>.conf" file. When the openvpn daemon starts, it looks for *.conf file(s) in the /etc/openvpn directory (by default). For each .conf file, a separate tunnel can be created.
2. The TAP device is configured automatically by the OpenVPN server. All dependencies are also satisfied by installing openvpn from the Debian package, so no worries about additional software. If no TAP device is created, it means no tunnel is set up. It may be either because of a bad setup (check the log files) or because you didn't configure any tunnel at all.

Check your router manual, find what options may be suitable for you (like initial protocol, IP, port, security model) for the VPN setup, then let me know if it helped. You may want to run your openvpn daemon with the "--log" option to direct output to a separate log file (not /var/log/messages) and increase verbosity with the "--verb <n>" parameter. <n> should be a number; try something between 1 and 4 (higher is more verbose).

If not, I'll try to give you more details once I get hold of a Zeroshell manual myself :-)

Author Comment by: Patricck

Hi, when I start OpenVPN on the Debian server it does not start the virtual interface. I have the config file, attached below.
But on the Zeroshell server the connection is shown as green (line up) when started.

#============================================================================#
# Specify the Hostname or the IP, the port and the protocol (tcp or udp)     #
# to reach the OpenVPN Server.                                               #
# The Hostname can be a dynamic FQDN such as a DynDNS one.                   #
#============================================================================#

remote xxxx xxxx
proto tcp


#============================================================================#
# You must specify this parameter if you want the Username and Password      #
# request to appear. Comment it if you only use X.509 Authentication.        #
#============================================================================#

#auth-user-pass


#============================================================================#
# You need to specify the file which contains the certificate (PEM format)   #
# of the Certification Authority that signed the OpenVPN server certificate. #
# You can export it by clicking the hyperlink CA on the login page of        #
# ZeroShell.                                                                 #
# Notice that you need to specify this parameter also if you use             #
# "Password Only" Authentication.                                            #
#============================================================================#

ca ca.pem


#============================================================================#
# If you want to use the Client X.509 Authentication you must specify        #
# a client certificate and the related private key in pem format.            #
# You can merge both in the same file.                                       #
#============================================================================#

cert cert.pem
key  key.pem


#============================================================================#
# You should not need to change these settings.                              #
#============================================================================#

ping-timer-rem
client
dev tap0
persist-key
persist-tun
daemon
persist-key
persist-tun
resolv-retry infinite
nobind

Author Comment by: Patricck

Hi,

I have enabled logging on the client and attached the log file:

Tue Feb 22 10:20:43 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 10:20:43 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 22 10:20:43 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 10:20:43 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 10:20:43 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 10:20:43 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Tue Feb 22 10:20:43 2011 Local Options hash (VER=V4): '10f35004'
Tue Feb 22 10:20:43 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Tue Feb 22 10:20:43 2011 Attempting to establish TCP connection with IP:PORT [nonblock]
Tue Feb 22 10:20:44 2011 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused
Tue Feb 22 10:20:50 2011 TCP connection established with IP:PORT
Tue Feb 22 10:20:50 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 10:20:50 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 10:20:50 2011 TCPv4_CLIENT link remote: IP:PORT
Tue Feb 22 10:20:50 2011 TLS: Initial packet from IP:PORT, sid=a3671417 18803f16
Tue Feb 22 10:20:51 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=Itslaves_Server/CN=abc.com/emailAddress=abc@eabc.com
Tue Feb 22 10:20:51 2011 VERIFY OK: depth=0, /C=abc/ST=Sabc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Tue Feb 22 10:20:52 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 10:20:52 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 10:20:52 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 10:20:52 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 10:20:52 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb 22 10:20:52 2011 [IP] Peer Connection Initiated with IP:PORT
Tue Feb 22 10:20:53 2011 SENT CONTROL IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 10:20:53 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.110.0 255.255.255.0'
Tue Feb 22 10:20:53 2011 OPTIONS IMPORT: route options modified
Tue Feb 22 10:20:53 2011 ROUTE default_gateway=10.255.255.1
Tue Feb 22 10:20:53 2011 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Feb 22 10:20:53 2011 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.110.0
Tue Feb 22 10:20:53 2011 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Tue Feb 22 10:20:53 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Tue Feb 22 10:20:53 2011 Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
Tue Feb 22 10:20:53 2011 Exiting

Author Comment by: Patricck

I have followed the manual linked in the log file
and have put:
remote-cert-tls server
in the config file,

and now have the following log:
Tue Feb 22 11:20:13 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 11:20:13 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 11:20:13 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 11:20:13 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 11:20:13 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Tue Feb 22 11:20:13 2011 Local Options hash (VER=V4): '10f35004'
Tue Feb 22 11:20:13 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Tue Feb 22 11:20:13 2011 Attempting to establish TCP connection with IP:PORT [nonblock]
Tue Feb 22 11:20:14 2011 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused
Tue Feb 22 11:20:20 2011 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused
...

Expert Comment by: mzalfres

Replace the option "dev tap0" with "dev tun" (no number here). Then try again and post the log if it is still not working.

Expert Comment by: mzalfres

And verify the port and IP address at the top of the file, option: remote <IP> <port>

Author Comment by: Patricck

Same error when changing dev tap0 to dev tun.
IP and port are OK.
I am running OpenVPN with the command:

openvpn --config openvpn.conf --verb 3 --log /etc/openvpn/openvpn.log

Author Comment by: Patricck

I have put verb 4 in my config file and started OpenVPN with:

/etc/init.d/openvpn start
and now in my syslog I see this (attached),

but if I run ifconfig, there is no tap device.

Feb 22 06:25:08 openvpn[2611]: Connection reset, restarting [0]
Feb 22 06:25:08 openvpn[2611]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 22 06:25:13 openvpn[2611]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 22 06:25:13 openvpn[2611]: Re-using SSL/TLS context
Feb 22 06:25:13 openvpn[2611]: Attempting to establish TCP connection with IP:PORT [nonblock]
Feb 22 06:25:14 openvpn[2611]: TCP connection established with IP:PORT
Feb 22 06:25:14 openvpn[2611]: TCPv4_CLIENT link local: [undef]
Feb 22 06:25:14 openvpn[2611]: TCPv4_CLIENT link remote: IP:PORT
Feb 22 06:25:16 openvpn[2611]: [IP] Peer Connection Initiated with IP:PORT
Feb 22 06:25:17 openvpn[2611]: Preserving previous TUN/TAP instance: tap0
Feb 22 06:25:17 openvpn[2611]: Initialization Sequence Completed
Feb 22 06:25:28 openvpn[2611]: Connection reset, restarting [0]
Feb 22 06:25:28 openvpn[2611]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 22 06:25:33 openvpn[2611]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 22 06:25:33 openvpn[2611]: Re-using SSL/TLS context

Expert Comment by: HVelloen

Hi

With the above verb 4 output, did you change tap to tun in the config file? It seems to still be preserving the tap0 device. Also, the previous client log you posted mentioned errors with the gateway, but I don't see the gateway redirect parameter in the server config file. And in the first config you posted, why are persist-key and persist-tun repeated twice?

Also, the Debian server you are setting up: are you setting it up as the OpenVPN server or as a client of the existing Zeroshell VPN?

Regards H
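
The repeated persist-key/persist-tun lines, the numbered "dev tap0", and the "No server certificate verification method" warning in the first log can all be caught before the daemon is started. The POSIX shell linter below is an added example written for this page; it is not part of the thread, of ZeroShell, or of OpenVPN. The sample config is constructed to mirror the one posted earlier (with the placeholders SERVERIP and PORT in place of the real address), the finding codes are invented for this example, and the set of options allowed to repeat (remote, route, push, dhcp-option) is a judgement call for this linter, not something OpenVPN enforces.

```shell
#!/bin/sh
# Added example (not from the thread, ZeroShell or OpenVPN): lint an OpenVPN
# client config for the problems discussed in this thread:
#   DUPLICATE:<opt>        an option listed twice (persist-key / persist-tun above)
#   NUMBERED_DEV:<dev>     "dev tap0"/"dev tun0" instead of plain "dev tap"/"dev tun"
#   NO_SERVER_CERT_CHECK   no remote-cert-tls / ns-cert-type / tls-remote /
#                          verify-x509-name, i.e. the MITM warning OpenVPN prints
#   KEY_READABLE_BY_OTHERS private key mode allows group/other access
# Constructed sample config, modelled on the one posted in the thread.
SAMPLE_CONF='remote SERVERIP PORT
proto tcp
#auth-user-pass
ca ca.pem
cert cert.pem
key  key.pem
ping-timer-rem
client
dev tap0
persist-key
persist-tun
daemon
persist-key
persist-tun
resolv-retry infinite
nobind'

# Lint a config read on stdin; print one finding per line, nothing when clean.
openvpn_lint_config() {
  seen=""
  server_check=0
  set -f                              # no globbing while splitting lines into words
  while IFS= read -r raw; do
    stripped=${raw%%#*}               # drop comments and commented-out options
    set -- $stripped
    [ $# -gt 0 ] || continue
    opt=$1
    case "$opt" in
      remote|route|push|dhcp-option) ;;             # these legitimately repeat
      *) case " $seen " in
           *" $opt "*) echo "DUPLICATE:$opt" ;;
         esac ;;
    esac
    seen="$seen $opt"
    case "$opt" in
      dev)
        case "${2:-}" in
          tun[0-9]*|tap[0-9]*) echo "NUMBERED_DEV:$2" ;;
        esac ;;
      remote-cert-tls|ns-cert-type|tls-remote|verify-x509-name)
        server_check=1 ;;
    esac
  done
  set +f
  [ "$server_check" -eq 1 ] || echo "NO_SERVER_CERT_CHECK"
}

# Given one "ls -l" line, succeed only if group and others have no permission bits.
openvpn_mode_is_private() {
  case "$(printf '%s\n' "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Same check on a real key file; OpenVPN only warns about this, we report it.
openvpn_check_key_mode() {
  if openvpn_mode_is_private "$(ls -ld "$1")"; then
    return 0
  fi
  echo "KEY_READABLE_BY_OTHERS:$1 (fix: chmod 600 $1)"
  return 1
}

# Demo: sh lint.sh demo [/etc/openvpn/key.pem]
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CONF" | openvpn_lint_config
  if [ -n "${2:-}" ]; then
    openvpn_check_key_mode "$2"
  fi
fi
```

Pipe a real file through openvpn_lint_config and pass the key path to openvpn_check_key_mode. NO_SERVER_CERT_CHECK is the finding that matters for security: without remote-cert-tls server (or ns-cert-type server, on a CA that sets that extension), any certificate issued by the same CA, including another client's, is accepted as the server, which is the scenario the OpenVPN warning's howto.html#mitm link describes.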

Author Comment by: Patricck

Hi, I have these files in my /etc/openvpn:
ca.pem
cert.pem
key.pem
openvpn.conf
update-resolv-conf

In my config file (on Debian) I still have dev tun.
My config file:
#============================================================================#
# Specify the Hostname or the IP, the port and the protocol (tcp or udp)     #
# to reach the OpenVPN Server.                                               #
# The Hostname can be a dynamic FQDN such as a DynDNS one.                   #
#============================================================================#

remote IP PORT
proto tcp


#============================================================================#
# You must specify this parameter if you want the Username and Password      #
# request to appear. Comment it if you only use X.509 Authentication.        #
#============================================================================#

#auth-user-pass


#============================================================================#
# You need to specify the file which contains the certificate (PEM format)   #
# of the Certification Authority that signed the OpenVPN server certificate. #
# You can export it by clicking the hyperlink CA on the login page of        #
# ZeroShell.                                                                 #
# Notice that you need to specify this parameter also if you use             #
# "Password Only" Authentication.                                            #
#============================================================================#

ca ca.pem


#============================================================================#
# If you want to use the Client X.509 Authentication you must specify        #
# a client certificate and the related private key in pem format.            #
# You can merge both in the same file.                                       #
#============================================================================#

cert cert.pem
key  key.pem


#============================================================================#
# You should not need to change these settings.                              #
#============================================================================#

ping-timer-rem
client
dev tun
persist-key
persist-tun
daemon
persist-key
persist-tun
resolv-retry infinite
nobind
verb 5
ns-cert-type server

---

When I run it with the command:

I have this log (attached):

Sorry, but the logs I posted earlier were from this morning (from syslog), so don't check those.

Tue Feb 22 14:16:20 2011 us=791089 Current Parameter Settings:
Tue Feb 22 14:16:20 2011 us=791262   config = 'openvpn.conf'
Tue Feb 22 14:16:20 2011 us=791285   mode = 0
Tue Feb 22 14:16:20 2011 us=791308   persist_config = DISABLED
Tue Feb 22 14:16:20 2011 us=791325   persist_mode = 1
Tue Feb 22 14:16:20 2011 us=791342   show_ciphers = DISABLED
Tue Feb 22 14:16:20 2011 us=791358   show_digests = DISABLED
Tue Feb 22 14:16:20 2011 us=791376   show_engines = DISABLED
Tue Feb 22 14:16:20 2011 us=791393   genkey = DISABLED
Tue Feb 22 14:16:20 2011 us=791410   key_pass_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791427   show_tls_ciphers = DISABLED
Tue Feb 22 14:16:20 2011 us=791445 Connection profiles [default]:
Tue Feb 22 14:16:20 2011 us=791463   proto = tcp-client
Tue Feb 22 14:16:20 2011 us=791480   local = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791496   local_port = 0
Tue Feb 22 14:16:20 2011 us=791512   remote = 'IP'
Tue Feb 22 14:16:20 2011 us=791528   remote_port = PORT
Tue Feb 22 14:16:20 2011 us=791544   remote_float = DISABLED
Tue Feb 22 14:16:20 2011 us=791559   bind_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=791575   bind_local = DISABLED
Tue Feb 22 14:16:20 2011 us=791591   connect_retry_seconds = 5
Tue Feb 22 14:16:20 2011 us=791606   connect_timeout = 10
Tue Feb 22 14:16:20 2011 us=791623   connect_retry_max = 0
Tue Feb 22 14:16:20 2011 us=791639   socks_proxy_server = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791655   socks_proxy_port = 0
Tue Feb 22 14:16:20 2011 us=791671   socks_proxy_retry = DISABLED
Tue Feb 22 14:16:20 2011 us=791690 Connection profiles END
Tue Feb 22 14:16:20 2011 us=791706   remote_random = DISABLED
Tue Feb 22 14:16:20 2011 us=791722   ipchange = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791738   dev = 'tun'
Tue Feb 22 14:16:20 2011 us=791754   dev_type = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791769   dev_node = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791785   lladdr = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791800   topology = 1
Tue Feb 22 14:16:20 2011 us=791816   tun_ipv6 = DISABLED
Tue Feb 22 14:16:20 2011 us=791832   ifconfig_local = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791849   ifconfig_remote_netmask = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791865   ifconfig_noexec = DISABLED
Tue Feb 22 14:16:20 2011 us=791880   ifconfig_nowarn = DISABLED
Tue Feb 22 14:16:20 2011 us=791896   shaper = 0
Tue Feb 22 14:16:20 2011 us=791911   tun_mtu = 1500
Tue Feb 22 14:16:20 2011 us=791927   tun_mtu_defined = ENABLED
Tue Feb 22 14:16:20 2011 us=791942   link_mtu = 1500
Tue Feb 22 14:16:20 2011 us=791959   link_mtu_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=791974   tun_mtu_extra = 0
Tue Feb 22 14:16:20 2011 us=791990   tun_mtu_extra_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=792006   fragment = 0
Tue Feb 22 14:16:20 2011 us=792022   mtu_discover_type = -1
Tue Feb 22 14:16:20 2011 us=792049   mtu_test = 0
Tue Feb 22 14:16:20 2011 us=792065   mlock = DISABLED
Tue Feb 22 14:16:20 2011 us=792084   keepalive_ping = 0
Tue Feb 22 14:16:20 2011 us=792100   keepalive_timeout = 0
Tue Feb 22 14:16:20 2011 us=792116   inactivity_timeout = 0
Tue Feb 22 14:16:20 2011 us=792138   ping_send_timeout = 0
Tue Feb 22 14:16:20 2011 us=792161   ping_rec_timeout = 0
Tue Feb 22 14:16:20 2011 us=792177   ping_rec_timeout_action = 0
Tue Feb 22 14:16:20 2011 us=792192   ping_timer_remote = ENABLED
Tue Feb 22 14:16:20 2011 us=792212   remap_sigusr1 = 0
Tue Feb 22 14:16:20 2011 us=792228   explicit_exit_notification = 0
Tue Feb 22 14:16:20 2011 us=792244   persist_tun = ENABLED
Tue Feb 22 14:16:20 2011 us=792259   persist_local_ip = DISABLED
Tue Feb 22 14:16:20 2011 us=792275   persist_remote_ip = DISABLED
Tue Feb 22 14:16:20 2011 us=792290   persist_key = ENABLED
Tue Feb 22 14:16:20 2011 us=792306   mssfix = 1450
Tue Feb 22 14:16:20 2011 us=792322   passtos = DISABLED
Tue Feb 22 14:16:20 2011 us=792338   resolve_retry_seconds = 1000000000
Tue Feb 22 14:16:20 2011 us=792354   username = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792369   groupname = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792384   chroot_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792400   cd_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792430   writepid = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792447   up_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792463   down_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792479   down_pre = DISABLED
Tue Feb 22 14:16:20 2011 us=792496   up_restart = DISABLED
Tue Feb 22 14:16:20 2011 us=792512   up_delay = DISABLED
Tue Feb 22 14:16:20 2011 us=792528   daemon = ENABLED
Tue Feb 22 14:16:20 2011 us=792543   inetd = 0
Tue Feb 22 14:16:20 2011 us=792559   log = ENABLED
Tue Feb 22 14:16:20 2011 us=792575   suppress_timestamps = DISABLED
Tue Feb 22 14:16:20 2011 us=792591   nice = 0
Tue Feb 22 14:16:20 2011 us=792606   verbosity = 4
Tue Feb 22 14:16:20 2011 us=792625   mute = 0
Tue Feb 22 14:16:20 2011 us=792640   gremlin = 0
Tue Feb 22 14:16:20 2011 us=792656   status_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792672   status_file_version = 1
Tue Feb 22 14:16:20 2011 us=792687   status_file_update_freq = 60
Tue Feb 22 14:16:20 2011 us=792703   occ = ENABLED
Tue Feb 22 14:16:20 2011 us=792719   rcvbuf = 65536
Tue Feb 22 14:16:20 2011 us=792735   sndbuf = 65536
Tue Feb 22 14:16:20 2011 us=792750   sockflags = 0
Tue Feb 22 14:16:20 2011 us=792766   fast_io = DISABLED
Tue Feb 22 14:16:20 2011 us=792781   lzo = 0
Tue Feb 22 14:16:20 2011 us=792797   route_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792813   route_default_gateway = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792829   route_default_metric = 0
Tue Feb 22 14:16:20 2011 us=792845   route_noexec = DISABLED
Tue Feb 22 14:16:20 2011 us=792860   route_delay = 0
Tue Feb 22 14:16:20 2011 us=792876   route_delay_window = 30
Tue Feb 22 14:16:20 2011 us=792891   route_delay_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=792908   route_nopull = DISABLED
Tue Feb 22 14:16:20 2011 us=792923   route_gateway_via_dhcp = DISABLED
Tue Feb 22 14:16:20 2011 us=792939   allow_pull_fqdn = DISABLED
Tue Feb 22 14:16:20 2011 us=792955   management_addr = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792971   management_port = 0
Tue Feb 22 14:16:20 2011 us=792987   management_user_pass = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793003   management_log_history_cache = 250
Tue Feb 22 14:16:20 2011 us=793019   management_echo_buffer_size = 100
Tue Feb 22 14:16:20 2011 us=793035   management_write_peer_info_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793051   management_flags = 0
Tue Feb 22 14:16:20 2011 us=793068   shared_secret_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793084   key_direction = 0
Tue Feb 22 14:16:20 2011 us=793100   ciphername_defined = ENABLED
Tue Feb 22 14:16:20 2011 us=793117   ciphername = 'BF-CBC'
Tue Feb 22 14:16:20 2011 us=793132   authname_defined = ENABLED
Tue Feb 22 14:16:20 2011 us=793148   authname = 'SHA1'
Tue Feb 22 14:16:20 2011 us=793164   keysize = 0
Tue Feb 22 14:16:20 2011 us=793180   engine = DISABLED
Tue Feb 22 14:16:20 2011 us=793196   replay = ENABLED
Tue Feb 22 14:16:20 2011 us=793213   mute_replay_warnings = DISABLED
Tue Feb 22 14:16:20 2011 us=793229   replay_window = 64
Tue Feb 22 14:16:20 2011 us=793244   replay_time = 15
Tue Feb 22 14:16:20 2011 us=793261   packet_id_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793276   use_iv = ENABLED
Tue Feb 22 14:16:20 2011 us=793292   test_crypto = DISABLED
Tue Feb 22 14:16:20 2011 us=793308   tls_server = DISABLED
Tue Feb 22 14:16:20 2011 us=793324   tls_client = ENABLED
Tue Feb 22 14:16:20 2011 us=793339   key_method = 2
Tue Feb 22 14:16:20 2011 us=793355   ca_file = 'ca.pem'
Tue Feb 22 14:16:20 2011 us=793370   ca_path = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793386   dh_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793401   cert_file = 'cert.pem'
Tue Feb 22 14:16:20 2011 us=793417   priv_key_file = 'key.pem'
Tue Feb 22 14:16:20 2011 us=793433   pkcs12_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793449   cipher_list = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793464   tls_verify = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793480   tls_remote = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793496   crl_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793512   ns_cert_type = 64
Tue Feb 22 14:16:20 2011 us=793544   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793560   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793576   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793591   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793607   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793622   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793637   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793652   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793668   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793683   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793698   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793713   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793728   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793744   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793759   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793774   remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793790   remote_cert_eku = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793806   tls_timeout = 2
Tue Feb 22 14:16:20 2011 us=793821   renegotiate_bytes = 0
Tue Feb 22 14:16:20 2011 us=793837   renegotiate_packets = 0
Tue Feb 22 14:16:20 2011 us=793853   renegotiate_seconds = 3600
Tue Feb 22 14:16:20 2011 us=793868   handshake_window = 60
Tue Feb 22 14:16:20 2011 us=793884   transition_window = 3600
Tue Feb 22 14:16:20 2011 us=793900   single_session = DISABLED
Tue Feb 22 14:16:20 2011 us=793915   tls_exit = DISABLED
Tue Feb 22 14:16:20 2011 us=793930   tls_auth_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793947   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=793963   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=793978   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=793994   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794009   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794009   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794025   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794040   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794056   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794071   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794086   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794101   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794117   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794132   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794148   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794163   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794178   pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794196   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794212   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794228   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794243   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794259   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794275   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794290   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794305   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794321   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794336   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794352   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794368   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794383   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794398   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794414   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794429   pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794444   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794460   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794475   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794502   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794518   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794534   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794549   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794569   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794585   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794600   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794616   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794631   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794647   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794662   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794678   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794693   pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794709   pkcs11_pin_cache_period = -1
Tue Feb 22 14:16:20 2011 us=794725   pkcs11_id = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=794741   pkcs11_id_management = DISABLED
Tue Feb 22 14:16:20 2011 us=794777   server_network = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794795   server_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794812   server_bridge_ip = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794829   server_bridge_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794846   server_bridge_pool_start = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794863   server_bridge_pool_end = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794879   ifconfig_pool_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=794896   ifconfig_pool_start = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794913   ifconfig_pool_end = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794930   ifconfig_pool_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794945   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=794961   ifconfig_pool_persist_refresh_freq = 600
Tue Feb 22 14:16:20 2011 us=794977   n_bcast_buf = 256
Tue Feb 22 14:16:20 2011 us=794992   tcp_queue_limit = 64
Tue Feb 22 14:16:20 2011 us=795008   real_hash_size = 256
Tue Feb 22 14:16:20 2011 us=795024   virtual_hash_size = 256
Tue Feb 22 14:16:20 2011 us=795040   client_connect_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795056   learn_address_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795071   client_disconnect_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795087   client_config_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795103   ccd_exclusive = DISABLED
Tue Feb 22 14:16:20 2011 us=795119   tmp_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795135   push_ifconfig_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=795152   push_ifconfig_local = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=795169   push_ifconfig_remote_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=795184   enable_c2c = DISABLED
Tue Feb 22 14:16:20 2011 us=795200   duplicate_cn = DISABLED
Tue Feb 22 14:16:20 2011 us=795216   cf_max = 0
Tue Feb 22 14:16:20 2011 us=795232   cf_per = 0
Tue Feb 22 14:16:20 2011 us=795247   max_clients = 1024
Tue Feb 22 14:16:20 2011 us=795263   max_routes_per_client = 256
Tue Feb 22 14:16:20 2011 us=795279   client_cert_not_required = DISABLED
Tue Feb 22 14:16:20 2011 us=795295   username_as_common_name = DISABLED
Tue Feb 22 14:16:20 2011 us=795311   auth_user_pass_verify_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795327   auth_user_pass_verify_script_via_file = DISABLED
Tue Feb 22 14:16:20 2011 us=795342   port_share_host = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795358   port_share_port = 0
Tue Feb 22 14:16:20 2011 us=795373   client = ENABLED
Tue Feb 22 14:16:20 2011 us=795389   pull = ENABLED
Tue Feb 22 14:16:20 2011 us=795404   auth_user_pass_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795425 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 14:16:20 2011 us=796337 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 14:16:20 2011 us=797058 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 14:16:21 2011 us=11954 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 14:16:21 2011 us=12192 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb 22 14:16:21 2011 us=12251 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Feb 22 14:16:21 2011 us=12272 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Feb 22 14:16:21 2011 us=12332 Local Options hash (VER=V4): 'db02a8f8'
Tue Feb 22 14:16:21 2011 us=12378 Expected Remote Options hash (VER=V4): '7e068940'
Tue Feb 22 14:16:21 2011 us=12978 Attempting to establish TCP connection with IP:PORT [nonblock]
Tue Feb 22 14:16:22 2011 us=13303 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused

Expert Comment by: mzalfres

This line indicates that your remote machine (Zeroshell) is refusing the connection on the selected IP and port. Something is wrong there, and I can't help you with that because I don't know your internal network settings:

Tue Feb 22 14:16:22 2011 us=13303 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused - your server is not connecting

Please modify the "verb" option: "verb 3" will be enough to debug our problem and will make the log much shorter. Everything before "Attempting to establish TCP connection..." is only a check of local settings.

After the TCP connection is established, some additional activity should be visible, like remote certificate matching, setting up the TAP interface, etc.
0
 
LVL 7

Expert Comment

by:mzalfres
And double-check whether the port is TCP or UDP (proto tcp or proto udp) at the beginning of the config file.
0
 
LVL 3

Author Comment

by:Patricck
Ok, found an error.
I had an IP configured for the interface. Now I have removed it. So the log looks like this:


Tue Feb 22 15:18:33 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 15:18:33 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 15:18:33 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 15:18:33 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 15:18:33 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb 22 15:18:33 2011 Local Options hash (VER=V4): 'db02a8f8'
Tue Feb 22 15:18:33 2011 Expected Remote Options hash (VER=V4): '7e068940'
Tue Feb 22 15:18:33 2011 Attempting to establish TCP connection with SERVERIP:PORT [nonblock]
Tue Feb 22 15:18:34 2011 TCP connection established with SERVERIP:PORT
Tue Feb 22 15:18:34 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 15:18:34 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 15:18:34 2011 TCPv4_CLIENT link remote: SERVERIP:PORT
Tue Feb 22 15:18:34 2011 TLS: Initial packet from SERVERIP:PORT, sid=6a47538a 3b05c2d4
Tue Feb 22 15:18:35 2011 VERIFY OK: depth=1, /C=bc/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com$
Tue Feb 22 15:18:35 2011 VERIFY nsCertType ERROR: /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddr$
Tue Feb 22 15:18:35 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICAT$
Tue Feb 22 15:18:35 2011 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 22 15:18:35 2011 TLS Error: TLS handshake failed
Tue Feb 22 15:18:35 2011 Fatal TLS error (check_tls_errors_co), restarting
Tue Feb 22 15:18:35 2011 TCP/UDP: Closing socket
Tue Feb 22 15:18:35 2011 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 22 15:18:35 2011 Restart pause, 5 second(s)
Tue Feb 22 15:18:40 2011 Re-using SSL/TLS context
Tue Feb 22 15:18:40 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 15:18:40 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb 22 15:18:40 2011 Local Options hash (VER=V4): 'db02a8f8'
Tue Feb 22 15:18:40 2011 Expected Remote Options hash (VER=V4): '7e068940'
Tue Feb 22 15:18:40 2011 Attempting to establish TCP connection with SERVERIP:PORT [nonblock]
Tue Feb 22 15:18:41 2011 TCP connection established with SERVERIP:PORT
Tue Feb 22 15:18:41 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 15:18:41 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 15:18:41 2011 TCPv4_CLIENT link remote: SERVERIP:PORT
Tue Feb 22 15:18:42 2011 TLS: Initial packet from SERVERIP:PORT, sid=527a8a25 24d3eb6e
Tue Feb 22 15:18:42 2011 VERIFY OK: depth=1, /C=bc/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com$
Tue Feb 22 15:18:42 2011 VERIFY nsCertType ERROR: /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddr$
Tue Feb 22 15:18:42 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICAT$
Tue Feb 22 15:18:42 2011 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 22 15:18:42 2011 TLS Error: TLS handshake failed
Tue Feb 22 15:18:42 2011 Fatal TLS error (check_tls_errors_co), restarting
Tue Feb 22 15:18:42 2011 TCP/UDP: Closing socket
Tue Feb 22 15:18:42 2011 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 22 15:18:42 2011 Restart pause, 5 second(s)
Tue Feb 22 15:18:47 2011 Re-using SSL/TLS context
Tue Feb 22 15:18:47 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 15:18:47 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]


0
 

Expert Comment

by:HVelloen
Hi

I am not sure how the Zeroshell routers' certificates work, but by default the certs and keys aren't in the .pem format - could I suggest checking and ensuring that the correct certs and keys are used. Also, I recommend our Linux users use the full path to the certs and keys.

Below is an example of how my Debian clients' configs look:

client
dev tun
proto tcp
remote IP PORT
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CERT.crt
key /etc/openvpn/KEY.key
comp-lzo
verb 3
script-security 5
0
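As an added example (my own script, not HVelloen's config or anything shipped by Zeroshell or OpenVPN), the following audits a client config like the one above for the points this thread keeps running into: whether the server certificate is actually verified (the "No server certificate verification method" warning seen later in the thread), the script-security level, the private key file mode (the "group or others accessible" warning), and relative cert/key paths. Directive names are real OpenVPN 2.1 options; the two sample configs, the temporary paths and the 192.0.2.10 address are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an OpenVPN client config for the
# weak settings discussed above. The sample configs and key files written by
# write_weak_conf/write_hardened_conf are constructed for this demo.

# Print one finding per line. Always returns 0 so it is safe under set -e.
audit_openvpn_client_conf() {
    conf="$1"

    # 1. Server certificate verification. Without it the client accepts any
    #    certificate the CA has signed, including another client's cert.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server)' "$conf"; then
        echo "no server cert check: add 'remote-cert-tls server' (or 'ns-cert-type server' for older CAs)"
    fi

    # 2. script-security above 2 lets passwords reach scripts via environment
    #    variables (OpenVPN logs a WARNING for it); 2 is enough for up/down scripts.
    level=$(awk '$1 == "script-security" { print $2 }' "$conf" | tail -n 1)
    if [ -n "$level" ] && [ "$level" -gt 2 ]; then
        echo "script-security $level: lower to 2 (or drop the directive)"
    fi

    # 3. Private key mode: OpenVPN warns when the key is group/other accessible.
    keyfile=$(awk '$1 == "key" { print $2 }' "$conf" | tail -n 1)
    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        case "$(stat -c '%a' "$keyfile")" in
            *00) ;;   # 600 / 400: only the owner can read it
            *)   echo "key $keyfile: chmod 600 (currently group/other accessible)" ;;
        esac
    fi

    # 4. Relative ca/cert/key paths break when the daemon's working directory
    #    differs from where you tested (the advice above: use full paths).
    if awk '$1 ~ /^(ca|cert|key)$/ && $2 !~ /^\//' "$conf" | grep -q .; then
        echo "relative ca/cert/key path: use absolute paths under /etc/openvpn"
    fi
    return 0
}

count_findings() { audit_openvpn_client_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample resembling the config posted above, issues included.
write_weak_conf() {
    dir=$(mktemp -d)
    : > "$dir/client.key" && chmod 644 "$dir/client.key"   # deliberately loose
    cat > "$dir/client.conf" <<EOF
client
dev tap
proto tcp
remote 192.0.2.10 1194
nobind
persist-key
persist-tun
ca ca.crt
cert $dir/client.crt
key $dir/client.key
comp-lzo
verb 3
script-security 5
EOF
    echo "$dir/client.conf"
}

# The same config with every finding fixed.
write_hardened_conf() {
    dir=$(mktemp -d)
    : > "$dir/client.key" && chmod 600 "$dir/client.key"
    cat > "$dir/client.conf" <<EOF
client
dev tap
proto tcp
remote 192.0.2.10 1194
nobind
persist-key
persist-tun
remote-cert-tls server
ca $dir/ca.crt
cert $dir/client.crt
key $dir/client.key
comp-lzo
verb 3
script-security 2
EOF
    echo "$dir/client.conf"
}

# Demo: audit the weak sample and print what it finds.
weak=$(write_weak_conf)
echo "== auditing $weak"
audit_openvpn_client_conf "$weak"
```

Run it against a real file with `audit_openvpn_client_conf /etc/openvpn/client.conf`; an empty output means none of the four checks fired. Note that `dev` and `comp-lzo` are not flagged because the right value depends on the server; the log checks below cover those mismatches.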
 
LVL 3

Author Comment

by:Patricck
Cool, a bit further...

Now the certs are ok, but:

Tue Feb 22 16:13:59 2011 us=258414 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:13:59 2011 us=300827 Bad LZO decompression header byte: 42
Tue Feb 22 16:14:00 2011 us=569523 Bad LZO decompression header byte: 42
Tue Feb 22 16:14:01 2011 us=836925 Bad LZO decompression header byte: 42
Tue Feb 22 16:14:03 2011 us=103580 Bad LZO decompression header byte: 42

Still not able to move packets between the two networks.
What else do I have to do?
How do I do the routing?
0
 
LVL 7

Expert Comment

by:mzalfres
Seems that your certificates are just examples, not real ones... (assuming you provided a real log file...) If not, there is still a problem with the certificate authorizing your server. Try removing ns-cert-type server (which is only additional security, but not mandatory).
0

 
LVL 3

Author Comment

by:Patricck
This is my full log:

Tue Feb 22 16:31:47 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 16:31:47 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 22 16:31:47 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Feb 22 16:31:47 2011 WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables
Tue Feb 22 16:31:47 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 16:31:47 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 16:31:47 2011 LZO compression initialized
Tue Feb 22 16:31:47 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 16:31:47 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Feb 22 16:31:47 2011 Local Options hash (VER=V4): '69109d17'
Tue Feb 22 16:31:47 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Feb 22 16:31:47 2011 Attempting to establish TCP connection with clientIP:port [nonblock]
Tue Feb 22 16:31:48 2011 TCP connection established with clientIP:port
Tue Feb 22 16:31:48 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 16:31:48 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 16:31:48 2011 TCPv4_CLIENT link remote: clientIP:port
Tue Feb 22 16:31:49 2011 TLS: Initial packet from clientIP:port, sid=e0847f1a 90542be5
Tue Feb 22 16:31:50 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com/emailAddress=abc@abc.com
Tue Feb 22 16:31:50 2011 VERIFY OK: depth=0, /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Tue Feb 22 16:31:52 2011 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Tue Feb 22 16:31:52 2011 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1575'
Tue Feb 22 16:31:52 2011 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Tue Feb 22 16:31:52 2011 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Feb 22 16:31:52 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 16:31:52 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 16:31:52 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 16:31:52 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 16:31:52 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb 22 16:31:52 2011 [IP] Peer Connection Initiated with clientIP:port
Tue Feb 22 16:31:52 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:53 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:53 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:31:55 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:56 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:57 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:58 2011 Bad LZO decompression header byte: 42
0
 

Expert Comment

by:HVelloen
Hi

I think your server isn't using LZO for encryption/compression - check the encryption method used on the server and set the client to use the same type of compression.

The line to edit will be the "comp-lzo" line - just change lzo to whatever the server states - you can also maybe try leaving this line out completely if you don't find the method on the server.

0
 
LVL 3

Author Comment

by:Patricck
Ok, now I have a lot of:

Tue Feb 22 16:47:23 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:47:28 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:47:33 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
at the end...
0
 

Expert Comment

by:HVelloen
That would be the server trying to set up specific routes for the internal networks so your VPN client knows where to send traffic - check the server for anything relating to push route or any DHCP options and post them so we can check what is causing the push route loop.

But just for interest's sake, with it as is - can you connect to or ping any of the servers behind the VPN server, or even the VPN server itself?
0
 
LVL 3

Author Comment

by:Patricck
Cannot.

If I try route - nothing in the routing table for the VPN.
If I run ifconfig I see just eth0 with the static IP address - no TUN or TAP device.
On the Zeroshell there is no way to get all the settings, as it works a bit differently - configs are stored in a database, if I know it correctly.

I have my other networks configured like this:

Two Zeroshell routers, one is client, one is server. They have virtual interfaces - TAP.
There is an IP address configured for the TAP: server 192.168.2.1, client 192.168.2.2, and the routing is made through these IPs.

0
 

Expert Comment

by:HVelloen
Just to make sure then - if your server is using tap then the client must also use tap and not tun - both server and client must use the same.
0
 
LVL 7

Expert Comment

by:mzalfres
OK, you made me read some about Zeroshell routers. Now, first question - did you modify the default OpenVPN settings on your router? If yes, can you tell me what you have changed from default? Or, best, if you can reset it back to default? According to the Zeroshell web page, all you need is to download their config and replace the IP address. But again, it will work only with default settings.
0
 
LVL 3

Author Comment

by:Patricck
Hi,
I now have TAP devices on both sides, but still don't see anything with ifconfig - I can start the TAP device manually, but no connection.
Is it not necessary to somehow bridge the TAP interface, openvpn client and the ethernet adapter?

Yes, there is a config file on the Zeroshell site, which I am using for host to LAN connections (where the LAN side is Zeroshell).

Now I would like to create a LAN to LAN connection between the Debian server and the Zeroshell.
Reason:
With the host to LAN config I would need to enter the password and username every time it disconnects - and this connection will be used to transfer data between servers (the Debian server and one server behind the Zeroshell).

I have read about bridging etc... is it not necessary to bridge the TAP device with eth0?
http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

0
 
LVL 3

Author Comment

by:Patricck
Shouldn't there be a /dev/tap on my Debian?

Because I don't have anything like that.
I can start the TAP device with the command
ifconfig tap0 promisc up

but it is not starting automatically with openvpn.

Logs attached.


Wed Feb 23 10:37:38 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Wed Feb 23 10:37:38 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 23 10:37:38 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Feb 23 10:37:38 2011 WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables
Wed Feb 23 10:37:39 2011 WARNING: file 'key.pem' is group or others accessible
Wed Feb 23 10:37:39 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Wed Feb 23 10:37:39 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Feb 23 10:37:39 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Wed Feb 23 10:37:39 2011 Local Options hash (VER=V4): '10f35004'
Wed Feb 23 10:37:39 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Wed Feb 23 10:37:39 2011 Attempting to establish TCP connection with ServerIP:port [nonblock]
Wed Feb 23 10:37:40 2011 TCP connection established with ServerIP:port
Wed Feb 23 10:37:40 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Feb 23 10:37:40 2011 TCPv4_CLIENT link local: [undef]
Wed Feb 23 10:37:40 2011 TCPv4_CLIENT link remote: ServerIP:port
Wed Feb 23 10:37:41 2011 TLS: Initial packet from ServerIP:port, sid=78e2e6f8 f9215f05
Wed Feb 23 10:37:41 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com/emailAddress=abc@abc.com
Wed Feb 23 10:37:41 2011 VERIFY OK: depth=0, /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Wed Feb 23 10:37:43 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 10:37:43 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 10:37:43 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 10:37:43 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 10:37:43 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Feb 23 10:37:43 2011 [IP] Peer Connection Initiated with ServerIP:port
Wed Feb 23 10:37:44 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 10:37:49 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 10:37:54 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
.
.
.


0
 

Expert Comment

by:HVelloen
Hi

I don't know if this is in any way related to what you're experiencing, but one of my users on Mandriva 2010 was seeing the same thing, where tap and tun don't start up with OpenVPN.

What we did for him was purge OpenVPN, add some extra and alternate package repositories and reinstall it - with the different installation sources the problem was resolved, as it installed some other dependency packages. Feel free to try and edit your Debian apt sources and see if you have any luck getting the interface started with OpenVPN.
0
 
LVL 7

Accepted Solution

by:
mzalfres earned 500 total points
You have come to the point where your machine (PC?) is trying to ask your router for network settings. For some reason, the router is not responding, which finally gives you endless requests. The device like tap0 should be created right after, so it doesn't get created at all. Look into your router manual for anything about the OpenVPN version required - yours is quite new. Maybe too new. Also, verify that there is no firewall or other network obstacle preventing you from getting a response from your router. By default Debian should not have any firewall enabled, but I don't know your case.

Normally, you should get something like:

PUSH: Received control message: (...) and network parameters here.
Next, the tap device is created, and the received settings are applied, which ends the tunnel setup process. Looks like either your router is not understanding your request, or it is not sending a response, or that response is blocked somewhere between the router and your machine.
0
 
LVL 3

Author Comment

by:Patricck
Hi,
I have checked the routing table... on the Zeroshell side there was no push route configured... I have put there:
ifconfig-push 192.168.5.2 --push 'route 192.168.110.0 255.255.255.0'

When I run ifconfig I still don't see the TAP device.

The basic idea:
110.x network is on the Zeroshell's eth0 LAN
Zeroshell's TAP device should be 192.168.5.1 - this is configured
Debian's TAP device should have 192.168.5.2

and now the log shows:
Wed Feb 23 12:39:07 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Wed Feb 23 12:39:07 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 23 12:39:07 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Feb 23 12:39:07 2011 WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables
Wed Feb 23 12:39:07 2011 WARNING: file 'key.pem' is group or others accessible
Wed Feb 23 12:39:07 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Wed Feb 23 12:39:08 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Feb 23 12:39:08 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Wed Feb 23 12:39:08 2011 Local Options hash (VER=V4): '10f35004'
Wed Feb 23 12:39:08 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Wed Feb 23 12:39:08 2011 Attempting to establish TCP connection with ServerIP:PORT [nonblock]
Wed Feb 23 12:39:09 2011 TCP connection established with ServerIP:PORT
Wed Feb 23 12:39:09 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Feb 23 12:39:09 2011 TCPv4_CLIENT link local: [undef]
Wed Feb 23 12:39:09 2011 TCPv4_CLIENT link remote: ServerIP:PORT
Wed Feb 23 12:39:09 2011 TLS: Initial packet from ServerIP:PORT, sid=9f92a96c f8f7ca00
Wed Feb 23 12:39:10 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com/emailAddress=abc@abc.com
Wed Feb 23 12:39:10 2011 VERIFY OK: depth=0, /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Wed Feb 23 12:39:11 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 12:39:11 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 12:39:11 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 12:39:11 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 12:39:11 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Feb 23 12:39:11 2011 [IP] Peer Connection Initiated with ServerIP:PORT
Wed Feb 23 12:39:12 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 12:39:12 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.110.0 255.255.255.0'
Wed Feb 23 12:39:12 2011 OPTIONS IMPORT: route options modified
Wed Feb 23 12:39:12 2011 ROUTE default_gateway=10.255.255.1
Wed Feb 23 12:39:12 2011 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Wed Feb 23 12:39:12 2011 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.110.0
Wed Feb 23 12:39:12 2011 TUN/TAP device tap1 opened
Wed Feb 23 12:39:12 2011 TUN/TAP TX queue length set to 100
Wed Feb 23 12:39:12 2011 Initialization Sequence Completed
Wed Feb 23 12:39:23 2011 Connection reset, restarting [0]
Wed Feb 23 12:39:23 2011 TCP/UDP: Closing socket
Wed Feb 23 12:39:23 2011 SIGUSR1[soft,connection-reset] received, process restarting
Wed Feb 23 12:39:23 2011 Restart pause, 5 second(s)


0
 
LVL 3

Author Comment

by:Patricck
Ok, I see the tap device now after running openvpn, by running the command

ifconfig tap1
but no IP assigned to it.
0
 
LVL 7

Expert Comment

by:mzalfres
You are missing the --route-gateway parameter - without that you set up a route without a gateway, which results in an unreachable network. Your tap interface tries to set up ROUTE default_gateway=10.255.255.1, which is wrong of course. But you are on the way. In general, you are missing some details on the Zeroshell side.
0
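Each log excerpt quoted in this thread points at one specific misconfiguration. As an added example (my own script, not from the thread, Zeroshell or OpenVPN), the following matches those messages in a client log and prints the probable cause: the refused TCP connection, the nsCertType failure, the tun/tap and comp-lzo mismatches, the PUSH_REQUEST loop the accepted answer describes (no PUSH_REPLY, so the interface never comes up), and the pushed route without a gateway from the post just above. The match strings are the OpenVPN 2.1 messages as quoted in this thread; the two sample logs are constructed and compress several sessions' symptoms into one file for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: map OpenVPN 2.1 client log messages
# quoted in this question to their probable cause. Sample logs are constructed.

# Print one diagnosis per symptom found in the log file; always returns 0.
triage_openvpn_log() {
    log="$1"
    if grep -q 'Connection refused' "$log"; then
        echo "transport: nothing listening on the remote IP:port; check port and proto tcp/udp on both sides"
    fi
    if grep -q 'VERIFY nsCertType ERROR' "$log"; then
        echo "tls: server cert lacks nsCertType=server; re-issue the server cert rather than dropping the check"
    fi
    if grep -q "'dev-type' is used inconsistently" "$log"; then
        echo "options: tun/tap mismatch; the client's 'dev' must equal the server's"
    fi
    if grep -q "'comp-lzo' is present in local config but missing in remote config" "$log" \
       || grep -q 'Bad LZO decompression header byte' "$log"; then
        echo "options: compression mismatch; use comp-lzo on both sides or on neither"
    fi
    # Repeated PUSH_REQUEST with no PUSH_REPLY: the server pushes nothing, and
    # in the thread's logs the tap device is only opened once the reply arrives.
    requests=$(grep -c "SENT CONTROL .*'PUSH_REQUEST'" "$log" || true)
    replies=$(grep -c "PUSH: Received control message: 'PUSH_REPLY" "$log" || true)
    if [ "$requests" -ge 3 ] && [ "$replies" -eq 0 ]; then
        echo "push: $requests PUSH_REQUESTs, no PUSH_REPLY; server-side push/ifconfig-push is missing"
    fi
    if grep -q 'needs a gateway parameter for a --route option' "$log"; then
        echo "route: pushed route has no gateway; push ifconfig/route-gateway or set them on the client"
    fi
    return 0
}

count_diagnoses() { triage_openvpn_log "$1" | wc -l | tr -d ' '; }

# Constructed log: every symptom from the thread in one file (192.0.2.10 is a
# documentation address, the subject names are placeholders).
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Wed Feb 23 10:37:39 2011 WARNING: No server certificate verification method has been enabled.
Wed Feb 23 10:37:40 2011 TCP: connect to 192.0.2.10:1194 failed, will try again in 5 seconds: Connection refused
Wed Feb 23 10:37:45 2011 VERIFY nsCertType ERROR: /C=XX/O=example/CN=192.0.2.10
Wed Feb 23 10:37:52 2011 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Wed Feb 23 10:37:52 2011 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Wed Feb 23 10:37:53 2011 Bad LZO decompression header byte: 42
Wed Feb 23 10:37:54 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 10:37:59 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 10:38:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 10:38:05 2011 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
EOF
    echo "$f"
}

# Constructed log of a working session: the server answers the push request
# with an ifconfig for the tap side and a route that names its gateway.
write_healthy_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Wed Feb 23 12:39:12 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 12:39:12 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.110.0 255.255.255.0 192.168.5.1,ifconfig 192.168.5.2 255.255.255.0'
Wed Feb 23 12:39:12 2011 TUN/TAP device tap0 opened
Wed Feb 23 12:39:12 2011 Initialization Sequence Completed
EOF
    echo "$f"
}

# Demo: triage the constructed failure log.
sample=$(write_sample_log)
triage_openvpn_log "$sample"
```

Point it at a real file with `triage_openvpn_log /var/log/openvpn.log` (or whatever `--log` names); an empty result means none of the thread's failure signatures are present, which is what the healthy sample above produces.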
 
LVL 3

Author Comment

by:Patricck
And how should I configure the --route-gateway? To what IP?
I have these two lines in my routing table:
10.255.255.1    *               255.255.255.255 UH    0      0        0 eth0
default         10.255.255.1    0.0.0.0         UG    0      0        0 eth0
0
 
LVL 3

Author Comment

by:Patricck
Hi Guys,

I have managed to resolve the issue. I had a wrong config in the push rules on the Zeroshell side. I had to add that rule to the client side.


Thank you very much.
Regards
Patrik
0
 
LVL 3

Author Comment

by:Patricck
For 99% of the help I give you my points, mzalfres..
Thanks.

Patrik
0
