Patricck
asked on
How to configure openVPN on linux Debian?
Hi,
I have a running Zeroshell router in my company. It is using OpenVPN as the VPN server. I can create LAN-to-LAN connections between Zeroshell servers. But now I would like to configure it from a Linux Debian server.
I have installed OpenVPN on the Debian server and copied the certificates from my Zeroshell server. The line is up (connected), but I cannot get packets to route through it.
I have no TAP device configured... if I try ifconfig, I see just eth0.
Could somebody help solve this issue?
thanks
Patrik
ASKER
Hi, when I start OpenVPN on the Linux Debian server, it does not start the virtual interface. I have the config file attached.
But on the Zeroshell server the connection is shown as green (line up) when started.
#============================================================================#
# Specify the Hostname or the IP, the port and the protocol (tcp or udp) #
# to reach the OpenVPN Server. #
# The Hostname can be a dynamic FQDN such as a DynDNS one. #
#============================================================================#
remote xxxx xxxx
proto tcp
#============================================================================#
# You must specify this parameter if you want the Username and Password #
# request to appear. Comment it if you only use X.509 Authentication. #
#============================================================================#
#auth-user-pass
#============================================================================#
# You need to specify the file which contains the certificate (PEM format) #
# of the Certification Authority that signed the OpenVPN server certificate. #
# You can export it by clicking the hyperlink CA on the login page of #
# ZeroShell. #
# Notice that you need to specify this parameter also if you use #
# "Password Only" Authentication. #
#============================================================================#
ca ca.pem
#============================================================================#
# If you want to use the Client X.509 Authentication you must specify #
# a client certificate and the related private key in pem format. #
# You can merge both in the same file. #
#============================================================================#
cert cert.pem
key key.pem
#============================================================================#
# You should not need to change these settings. #
#============================================================================#
ping-timer-rem
client
dev tap0
persist-key
persist-tun
daemon
persist-key
persist-tun
resolv-retry infinite
nobind
ASKER
Hi,
I have started the logging on the client side and have attached the log file.
Tue Feb 22 10:20:43 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 10:20:43 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 22 10:20:43 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 10:20:43 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 10:20:43 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 10:20:43 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Tue Feb 22 10:20:43 2011 Local Options hash (VER=V4): '10f35004'
Tue Feb 22 10:20:43 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Tue Feb 22 10:20:43 2011 Attempting to establish TCP connection with IP:PORT [nonblock]
Tue Feb 22 10:20:44 2011 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused
Tue Feb 22 10:20:50 2011 TCP connection established with IP:PORT
Tue Feb 22 10:20:50 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 10:20:50 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 10:20:50 2011 TCPv4_CLIENT link remote: IP:PORT
Tue Feb 22 10:20:50 2011 TLS: Initial packet from IP:PORT, sid=a3671417 18803f16
Tue Feb 22 10:20:51 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=Itslaves_Server/CN=abc.com/emailAddress=abc@eabc.com
Tue Feb 22 10:20:51 2011 VERIFY OK: depth=0, /C=abc/ST=Sabc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Tue Feb 22 10:20:52 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 10:20:52 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 10:20:52 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 10:20:52 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 10:20:52 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb 22 10:20:52 2011 [IP] Peer Connection Initiated with IP:PORT
Tue Feb 22 10:20:53 2011 SENT CONTROL IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 10:20:53 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.110.0 255.255.255.0'
Tue Feb 22 10:20:53 2011 OPTIONS IMPORT: route options modified
Tue Feb 22 10:20:53 2011 ROUTE default_gateway=10.255.255.1
Tue Feb 22 10:20:53 2011 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Feb 22 10:20:53 2011 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.110.0
Tue Feb 22 10:20:53 2011 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
Tue Feb 22 10:20:53 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Tue Feb 22 10:20:53 2011 Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
Tue Feb 22 10:20:53 2011 Exiting
ASKER
I have followed the manual linked in the log file and have put:
remote-cert-tls server
into the config file, and now have the following log:
Tue Feb 22 11:20:13 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 11:20:13 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 11:20:13 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 11:20:13 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 11:20:13 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Tue Feb 22 11:20:13 2011 Local Options hash (VER=V4): '10f35004'
Tue Feb 22 11:20:13 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Tue Feb 22 11:20:13 2011 Attempting to establish TCP connection with IP:PORT [nonblock]
Tue Feb 22 11:20:14 2011 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused
Tue Feb 22 11:20:20 2011 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused
...
' Replaced by _alias99 (23-Feb-11)
Replace the option "dev tap0" with "dev tun" (no number here). Then try again and post the log if it is still not working.
And verify the port and IP address at the top of the file, option: remote <IP> <port>
ASKER
Same error when changing dev tap0 to dev tun.
IP and port are OK.
I am running OpenVPN with the command:
openvpn --config openvpn.conf --verb 3 --log /etc/openvpn/openvpn.log
ASKER
I have put verb 4 in my config file and started OpenVPN with:
/etc/init.d/openvpn start
and now in my syslog I see this: (attached)
but if I run ifconfig, there is no tap device.
Feb 22 06:25:08 openvpn[2611]: Connection reset, restarting [0]
Feb 22 06:25:08 openvpn[2611]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 22 06:25:13 openvpn[2611]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 22 06:25:13 openvpn[2611]: Re-using SSL/TLS context
Feb 22 06:25:13 openvpn[2611]: Attempting to establish TCP connection with IP:PORT [nonblock]
Feb 22 06:25:14 openvpn[2611]: TCP connection established with IP:PORT
Feb 22 06:25:14 openvpn[2611]: TCPv4_CLIENT link local: [undef]
Feb 22 06:25:14 openvpn[2611]: TCPv4_CLIENT link remote: IP:PORT
Feb 22 06:25:16 openvpn[2611]: [IP] Peer Connection Initiated with IP:PORT
Feb 22 06:25:17 openvpn[2611]: Preserving previous TUN/TAP instance: tap0
Feb 22 06:25:17 openvpn[2611]: Initialization Sequence Completed
Feb 22 06:25:28 openvpn[2611]: Connection reset, restarting [0]
Feb 22 06:25:28 openvpn[2611]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 22 06:25:33 openvpn[2611]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 22 06:25:33 openvpn[2611]: Re-using SSL/TLS context
'replaced by _alias99 (23-Feb-11)
Hi
With the above verb 4 output, did you change the tap to tun in the config file? It seems to still be preserving the tap0 device. Also, with the previous client log you posted, it mentioned errors with the gateway; however, I don't see the gateway redirect parameter in the server config file. And also, on the first config you posted, why would persist-key and persist-tun be repeated twice?
Also, the Debian server you are setting up: are you setting it up as the OpenVPN server or as a client of the existing Zeroshell VPN?
Regards H
ASKER
Hi, I have these files in my /etc/openvpn:
ca.pem
cert.pem
key.pem
openvpn.conf
update-resolv-conf
In my config file (on Debian) I still have dev tun.
My config file:
#============================================================================#
# Specify the Hostname or the IP, the port and the protocol (tcp or udp) #
# to reach the OpenVPN Server. #
# The Hostname can be a dynamic FQDN such as a DynDNS one. #
#============================================================================#
remote IP PORT
proto tcp
#============================================================================#
# You must specify this parameter if you want the Username and Password #
# request to appear. Comment it if you only use X.509 Authentication. #
#============================================================================#
#auth-user-pass
#============================================================================#
# You need to specify the file which contains the certificate (PEM format) #
# of the Certification Authority that signed the OpenVPN server certificate. #
# You can export it by clicking the hyperlink CA on the login page of #
# ZeroShell. #
# Notice that you need to specify this parameter also if you use #
# "Password Only" Authentication. #
#============================================================================#
ca ca.pem
#============================================================================#
# If you want to use the Client X.509 Authentication you must specify #
# a client certificate and the related private key in pem format. #
# You can merge both in the same file. #
#============================================================================#
cert cert.pem
key key.pem
#============================================================================#
# You should not need to change these settings. #
#============================================================================#
ping-timer-rem
client
dev tun
persist-key
persist-tun
daemon
persist-key
persist-tun
resolv-retry infinite
nobind
verb 5
ns-cert-type server
---
When I run it with the command:
I have the log: (attached)
Sorry, but the logs I posted before were from this morning, so don't check those (from syslog).
Tue Feb 22 14:16:20 2011 us=791089 Current Parameter Settings:
Tue Feb 22 14:16:20 2011 us=791262 config = 'openvpn.conf'
Tue Feb 22 14:16:20 2011 us=791285 mode = 0
Tue Feb 22 14:16:20 2011 us=791308 persist_config = DISABLED
Tue Feb 22 14:16:20 2011 us=791325 persist_mode = 1
Tue Feb 22 14:16:20 2011 us=791342 show_ciphers = DISABLED
Tue Feb 22 14:16:20 2011 us=791358 show_digests = DISABLED
Tue Feb 22 14:16:20 2011 us=791376 show_engines = DISABLED
Tue Feb 22 14:16:20 2011 us=791393 genkey = DISABLED
Tue Feb 22 14:16:20 2011 us=791410 key_pass_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791427 show_tls_ciphers = DISABLED
Tue Feb 22 14:16:20 2011 us=791445 Connection profiles [default]:
Tue Feb 22 14:16:20 2011 us=791463 proto = tcp-client
Tue Feb 22 14:16:20 2011 us=791480 local = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791496 local_port = 0
Tue Feb 22 14:16:20 2011 us=791512 remote = 'IP'
Tue Feb 22 14:16:20 2011 us=791528 remote_port = PORT
Tue Feb 22 14:16:20 2011 us=791544 remote_float = DISABLED
Tue Feb 22 14:16:20 2011 us=791559 bind_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=791575 bind_local = DISABLED
Tue Feb 22 14:16:20 2011 us=791591 connect_retry_seconds = 5
Tue Feb 22 14:16:20 2011 us=791606 connect_timeout = 10
Tue Feb 22 14:16:20 2011 us=791623 connect_retry_max = 0
Tue Feb 22 14:16:20 2011 us=791639 socks_proxy_server = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791655 socks_proxy_port = 0
Tue Feb 22 14:16:20 2011 us=791671 socks_proxy_retry = DISABLED
Tue Feb 22 14:16:20 2011 us=791690 Connection profiles END
Tue Feb 22 14:16:20 2011 us=791706 remote_random = DISABLED
Tue Feb 22 14:16:20 2011 us=791722 ipchange = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791738 dev = 'tun'
Tue Feb 22 14:16:20 2011 us=791754 dev_type = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791769 dev_node = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791785 lladdr = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791800 topology = 1
Tue Feb 22 14:16:20 2011 us=791816 tun_ipv6 = DISABLED
Tue Feb 22 14:16:20 2011 us=791832 ifconfig_local = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791849 ifconfig_remote_netmask = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=791865 ifconfig_noexec = DISABLED
Tue Feb 22 14:16:20 2011 us=791880 ifconfig_nowarn = DISABLED
Tue Feb 22 14:16:20 2011 us=791896 shaper = 0
Tue Feb 22 14:16:20 2011 us=791911 tun_mtu = 1500
Tue Feb 22 14:16:20 2011 us=791927 tun_mtu_defined = ENABLED
Tue Feb 22 14:16:20 2011 us=791942 link_mtu = 1500
Tue Feb 22 14:16:20 2011 us=791959 link_mtu_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=791974 tun_mtu_extra = 0
Tue Feb 22 14:16:20 2011 us=791990 tun_mtu_extra_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=792006 fragment = 0
Tue Feb 22 14:16:20 2011 us=792022 mtu_discover_type = -1
Tue Feb 22 14:16:20 2011 us=792049 mtu_test = 0
Tue Feb 22 14:16:20 2011 us=792065 mlock = DISABLED
Tue Feb 22 14:16:20 2011 us=792084 keepalive_ping = 0
Tue Feb 22 14:16:20 2011 us=792100 keepalive_timeout = 0
Tue Feb 22 14:16:20 2011 us=792116 inactivity_timeout = 0
Tue Feb 22 14:16:20 2011 us=792138 ping_send_timeout = 0
Tue Feb 22 14:16:20 2011 us=792161 ping_rec_timeout = 0
Tue Feb 22 14:16:20 2011 us=792177 ping_rec_timeout_action = 0
Tue Feb 22 14:16:20 2011 us=792192 ping_timer_remote = ENABLED
Tue Feb 22 14:16:20 2011 us=792212 remap_sigusr1 = 0
Tue Feb 22 14:16:20 2011 us=792228 explicit_exit_notification = 0
Tue Feb 22 14:16:20 2011 us=792244 persist_tun = ENABLED
Tue Feb 22 14:16:20 2011 us=792259 persist_local_ip = DISABLED
Tue Feb 22 14:16:20 2011 us=792275 persist_remote_ip = DISABLED
Tue Feb 22 14:16:20 2011 us=792290 persist_key = ENABLED
Tue Feb 22 14:16:20 2011 us=792306 mssfix = 1450
Tue Feb 22 14:16:20 2011 us=792322 passtos = DISABLED
Tue Feb 22 14:16:20 2011 us=792338 resolve_retry_seconds = 1000000000
Tue Feb 22 14:16:20 2011 us=792354 username = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792369 groupname = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792384 chroot_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792400 cd_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792430 writepid = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792447 up_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792463 down_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792479 down_pre = DISABLED
Tue Feb 22 14:16:20 2011 us=792496 up_restart = DISABLED
Tue Feb 22 14:16:20 2011 us=792512 up_delay = DISABLED
Tue Feb 22 14:16:20 2011 us=792528 daemon = ENABLED
Tue Feb 22 14:16:20 2011 us=792543 inetd = 0
Tue Feb 22 14:16:20 2011 us=792559 log = ENABLED
Tue Feb 22 14:16:20 2011 us=792575 suppress_timestamps = DISABLED
Tue Feb 22 14:16:20 2011 us=792591 nice = 0
Tue Feb 22 14:16:20 2011 us=792606 verbosity = 4
Tue Feb 22 14:16:20 2011 us=792625 mute = 0
Tue Feb 22 14:16:20 2011 us=792640 gremlin = 0
Tue Feb 22 14:16:20 2011 us=792656 status_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792672 status_file_version = 1
Tue Feb 22 14:16:20 2011 us=792687 status_file_update_freq = 60
Tue Feb 22 14:16:20 2011 us=792703 occ = ENABLED
Tue Feb 22 14:16:20 2011 us=792719 rcvbuf = 65536
Tue Feb 22 14:16:20 2011 us=792735 sndbuf = 65536
Tue Feb 22 14:16:20 2011 us=792750 sockflags = 0
Tue Feb 22 14:16:20 2011 us=792766 fast_io = DISABLED
Tue Feb 22 14:16:20 2011 us=792781 lzo = 0
Tue Feb 22 14:16:20 2011 us=792797 route_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792813 route_default_gateway = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792829 route_default_metric = 0
Tue Feb 22 14:16:20 2011 us=792845 route_noexec = DISABLED
Tue Feb 22 14:16:20 2011 us=792860 route_delay = 0
Tue Feb 22 14:16:20 2011 us=792876 route_delay_window = 30
Tue Feb 22 14:16:20 2011 us=792891 route_delay_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=792908 route_nopull = DISABLED
Tue Feb 22 14:16:20 2011 us=792923 route_gateway_via_dhcp = DISABLED
Tue Feb 22 14:16:20 2011 us=792939 allow_pull_fqdn = DISABLED
Tue Feb 22 14:16:20 2011 us=792955 management_addr = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=792971 management_port = 0
Tue Feb 22 14:16:20 2011 us=792987 management_user_pass = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793003 management_log_history_cache = 250
Tue Feb 22 14:16:20 2011 us=793019 management_echo_buffer_size = 100
Tue Feb 22 14:16:20 2011 us=793035 management_write_peer_info_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793051 management_flags = 0
Tue Feb 22 14:16:20 2011 us=793068 shared_secret_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793084 key_direction = 0
Tue Feb 22 14:16:20 2011 us=793100 ciphername_defined = ENABLED
Tue Feb 22 14:16:20 2011 us=793117 ciphername = 'BF-CBC'
Tue Feb 22 14:16:20 2011 us=793132 authname_defined = ENABLED
Tue Feb 22 14:16:20 2011 us=793148 authname = 'SHA1'
Tue Feb 22 14:16:20 2011 us=793164 keysize = 0
Tue Feb 22 14:16:20 2011 us=793180 engine = DISABLED
Tue Feb 22 14:16:20 2011 us=793196 replay = ENABLED
Tue Feb 22 14:16:20 2011 us=793213 mute_replay_warnings = DISABLED
Tue Feb 22 14:16:20 2011 us=793229 replay_window = 64
Tue Feb 22 14:16:20 2011 us=793244 replay_time = 15
Tue Feb 22 14:16:20 2011 us=793261 packet_id_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793276 use_iv = ENABLED
Tue Feb 22 14:16:20 2011 us=793292 test_crypto = DISABLED
Tue Feb 22 14:16:20 2011 us=793308 tls_server = DISABLED
Tue Feb 22 14:16:20 2011 us=793324 tls_client = ENABLED
Tue Feb 22 14:16:20 2011 us=793339 key_method = 2
Tue Feb 22 14:16:20 2011 us=793355 ca_file = 'ca.pem'
Tue Feb 22 14:16:20 2011 us=793370 ca_path = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793386 dh_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793401 cert_file = 'cert.pem'
Tue Feb 22 14:16:20 2011 us=793417 priv_key_file = 'key.pem'
Tue Feb 22 14:16:20 2011 us=793433 pkcs12_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793449 cipher_list = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793464 tls_verify = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793480 tls_remote = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793496 crl_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793512 ns_cert_type = 64
Tue Feb 22 14:16:20 2011 us=793544 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793560 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793576 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793591 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793607 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793622 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793637 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793652 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793668 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793683 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793698 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793713 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793728 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793744 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793759 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793774 remote_cert_ku[i] = 0
Tue Feb 22 14:16:20 2011 us=793790 remote_cert_eku = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793806 tls_timeout = 2
Tue Feb 22 14:16:20 2011 us=793821 renegotiate_bytes = 0
Tue Feb 22 14:16:20 2011 us=793837 renegotiate_packets = 0
Tue Feb 22 14:16:20 2011 us=793853 renegotiate_seconds = 3600
Tue Feb 22 14:16:20 2011 us=793868 handshake_window = 60
Tue Feb 22 14:16:20 2011 us=793884 transition_window = 3600
Tue Feb 22 14:16:20 2011 us=793900 single_session = DISABLED
Tue Feb 22 14:16:20 2011 us=793915 tls_exit = DISABLED
Tue Feb 22 14:16:20 2011 us=793930 tls_auth_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=793947 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=793963 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=793978 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=793994 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794009 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794009 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794025 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794040 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794056 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794071 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794086 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794101 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794117 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794132 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794148 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794163 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794178 pkcs11_protected_authentication = DISABLED
Tue Feb 22 14:16:20 2011 us=794196 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794212 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794228 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794243 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794259 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794275 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794290 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794305 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794321 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794336 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794352 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794368 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794383 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794398 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794414 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794429 pkcs11_private_mode = 00000000
Tue Feb 22 14:16:20 2011 us=794444 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794460 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794475 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794502 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794518 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794534 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794549 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794569 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794585 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794600 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794616 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794631 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794647 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794662 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794678 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794693 pkcs11_cert_private = DISABLED
Tue Feb 22 14:16:20 2011 us=794709 pkcs11_pin_cache_period = -1
Tue Feb 22 14:16:20 2011 us=794725 pkcs11_id = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=794741 pkcs11_id_management = DISABLED
Tue Feb 22 14:16:20 2011 us=794777 server_network = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794795 server_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794812 server_bridge_ip = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794829 server_bridge_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794846 server_bridge_pool_start = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794863 server_bridge_pool_end = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794879 ifconfig_pool_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=794896 ifconfig_pool_start = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794913 ifconfig_pool_end = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794930 ifconfig_pool_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=794945 ifconfig_pool_persist_filename = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=794961 ifconfig_pool_persist_refresh_freq = 600
Tue Feb 22 14:16:20 2011 us=794977 n_bcast_buf = 256
Tue Feb 22 14:16:20 2011 us=794992 tcp_queue_limit = 64
Tue Feb 22 14:16:20 2011 us=795008 real_hash_size = 256
Tue Feb 22 14:16:20 2011 us=795024 virtual_hash_size = 256
Tue Feb 22 14:16:20 2011 us=795040 client_connect_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795056 learn_address_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795071 client_disconnect_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795087 client_config_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795103 ccd_exclusive = DISABLED
Tue Feb 22 14:16:20 2011 us=795119 tmp_dir = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795135 push_ifconfig_defined = DISABLED
Tue Feb 22 14:16:20 2011 us=795152 push_ifconfig_local = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=795169 push_ifconfig_remote_netmask = 0.0.0.0
Tue Feb 22 14:16:20 2011 us=795184 enable_c2c = DISABLED
Tue Feb 22 14:16:20 2011 us=795200 duplicate_cn = DISABLED
Tue Feb 22 14:16:20 2011 us=795216 cf_max = 0
Tue Feb 22 14:16:20 2011 us=795232 cf_per = 0
Tue Feb 22 14:16:20 2011 us=795247 max_clients = 1024
Tue Feb 22 14:16:20 2011 us=795263 max_routes_per_client = 256
Tue Feb 22 14:16:20 2011 us=795279 client_cert_not_required = DISABLED
Tue Feb 22 14:16:20 2011 us=795295 username_as_common_name = DISABLED
Tue Feb 22 14:16:20 2011 us=795311 auth_user_pass_verify_script = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795327 auth_user_pass_verify_script_via_file = DISABLED
Tue Feb 22 14:16:20 2011 us=795342 port_share_host = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795358 port_share_port = 0
Tue Feb 22 14:16:20 2011 us=795373 client = ENABLED
Tue Feb 22 14:16:20 2011 us=795389 pull = ENABLED
Tue Feb 22 14:16:20 2011 us=795404 auth_user_pass_file = '[UNDEF]'
Tue Feb 22 14:16:20 2011 us=795425 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 14:16:20 2011 us=796337 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 14:16:20 2011 us=797058 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 14:16:21 2011 us=11954 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 14:16:21 2011 us=12192 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb 22 14:16:21 2011 us=12251 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Feb 22 14:16:21 2011 us=12272 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Feb 22 14:16:21 2011 us=12332 Local Options hash (VER=V4): 'db02a8f8'
Tue Feb 22 14:16:21 2011 us=12378 Expected Remote Options hash (VER=V4): '7e068940'
Tue Feb 22 14:16:21 2011 us=12978 Attempting to establish TCP connection with IP:PORT [nonblock]
Tue Feb 22 14:16:22 2011 us=13303 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused
This line indicates, that your remote machine (Zeroshell) is refusing connection on selected IP and port. Something is wrong and I won't help you with that because I don't know your internal network settings:
Tue Feb 22 14:16:22 2011 us=13303 TCP: connect to IP:PORT failed, will try again in 5 seconds: Connection refused - your server is not connecting
Please modify the "verb" option - "verb 3" will be enough to debug our problem and will make the log much shorter. Everything before "Attempting to establish TCP connection..." is only a local settings check.
After the TCP connection is established, some additional action should be visible, like remote certificate matching, setting up the TAP interface, etc.
And double-check whether the port is TCP or UDP (proto tcp or proto udp) at the beginning of the config file.
ASKER
Ok, found an error.
I had an IP configured for the interface. Now I have removed it, so the log looks like this:
Tue Feb 22 15:18:33 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 15:18:33 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 15:18:33 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 15:18:33 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 15:18:33 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb 22 15:18:33 2011 Local Options hash (VER=V4): 'db02a8f8'
Tue Feb 22 15:18:33 2011 Expected Remote Options hash (VER=V4): '7e068940'
Tue Feb 22 15:18:33 2011 Attempting to establish TCP connection with SERVERIP:PORT [nonblock]
Tue Feb 22 15:18:34 2011 TCP connection established with SERVERIP:PORT
Tue Feb 22 15:18:34 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 15:18:34 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 15:18:34 2011 TCPv4_CLIENT link remote: SERVERIP:PORT
Tue Feb 22 15:18:34 2011 TLS: Initial packet from SERVERIP:PORT, sid=6a47538a 3b05c2d4
Tue Feb 22 15:18:35 2011 VERIFY OK: depth=1, /C=bc/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com$
Tue Feb 22 15:18:35 2011 VERIFY nsCertType ERROR: /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddr$
Tue Feb 22 15:18:35 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICAT$
Tue Feb 22 15:18:35 2011 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 22 15:18:35 2011 TLS Error: TLS handshake failed
Tue Feb 22 15:18:35 2011 Fatal TLS error (check_tls_errors_co), restarting
Tue Feb 22 15:18:35 2011 TCP/UDP: Closing socket
Tue Feb 22 15:18:35 2011 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 22 15:18:35 2011 Restart pause, 5 second(s)
Tue Feb 22 15:18:40 2011 Re-using SSL/TLS context
Tue Feb 22 15:18:40 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 15:18:40 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb 22 15:18:40 2011 Local Options hash (VER=V4): 'db02a8f8'
Tue Feb 22 15:18:40 2011 Expected Remote Options hash (VER=V4): '7e068940'
Tue Feb 22 15:18:40 2011 Attempting to establish TCP connection with SERVERIP:PORT [nonblock]
Tue Feb 22 15:18:41 2011 TCP connection established with SERVERIP:PORT
Tue Feb 22 15:18:41 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 15:18:41 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 15:18:41 2011 TCPv4_CLIENT link remote: SERVERIP:PORT
Tue Feb 22 15:18:42 2011 TLS: Initial packet from SERVERIP:PORT, sid=527a8a25 24d3eb6e
Tue Feb 22 15:18:42 2011 VERIFY OK: depth=1, /C=bc/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com$
Tue Feb 22 15:18:42 2011 VERIFY nsCertType ERROR: /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddr$
Tue Feb 22 15:18:42 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICAT$
Tue Feb 22 15:18:42 2011 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 22 15:18:42 2011 TLS Error: TLS handshake failed
Tue Feb 22 15:18:42 2011 Fatal TLS error (check_tls_errors_co), restarting
Tue Feb 22 15:18:42 2011 TCP/UDP: Closing socket
Tue Feb 22 15:18:42 2011 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 22 15:18:42 2011 Restart pause, 5 second(s)
Tue Feb 22 15:18:47 2011 Re-using SSL/TLS context
Tue Feb 22 15:18:47 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 15:18:47 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Hi
I am not sure how the Zeroshell router's certificates work, but by default the certs and keys aren't in the .pem format - could I suggest checking and ensuring that the correct certs and keys are used. Also, I recommend our Linux users use the full path to the certs and keys.
Below is an example of how my Debian clients' configs look:
client
dev tun
proto tcp
remote IP PORT
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CERT.crt
key /etc/openvpn/KEY.key
comp-lzo
verb 3
script-security 5
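As an added example (not from this thread and not the poster's own script), here is a small POSIX shell lint for an OpenVPN client config that catches the mistakes this thread runs into: a dev that does not match the server (tun vs tap), relative ca/cert/key paths, no server-certificate check, and a private key readable by group/others (the log's "file 'key.pem' is group or others accessible" warning). The sample config, the 192.0.2.10 address and the "server uses tap" assumption are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN client config for the
# problems discussed above. File names, the 192.0.2.10 address and the
# expected server dev ("tap") are constructed/assumed.

# Write a constructed sample config that repeats the thread's mistakes:
# relative cert paths, no server-certificate check, dev tun against a tap server.
write_sample_config() {
  cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote 192.0.2.10 1194
ca ca.crt
cert client.crt
key key.pem
comp-lzo
verb 3
EOF
}

# cfg_get CONFIG OPTION: value of a one-argument option (first occurrence).
cfg_get() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# lint_openvpn_config CONFIG SERVER_DEV
# Prints one finding per line; the return value is the number of findings.
lint_openvpn_config() {
  cfg="$1"; want_dev="$2"; n=0

  # 1. dev must match the server: the thread's log shows
  #    "'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'"
  dev=$(cfg_get "$cfg" dev)
  case "$dev" in
    "$want_dev"*) ;;
    *) echo "dev: '$dev' does not match the server's '$want_dev'"; n=$((n + 1)) ;;
  esac

  # 2. ca/cert/key should be set and given as absolute paths
  for opt in ca cert key; do
    path=$(cfg_get "$cfg" "$opt")
    if [ -z "$path" ]; then
      echo "$opt: not set"; n=$((n + 1))
    else
      case "$path" in
        /*) ;;
        *) echo "$opt: '$path' is relative, use a full path"; n=$((n + 1)) ;;
      esac
    fi
  done

  # 3. the log warned "No server certificate verification method has been enabled"
  if ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$cfg"; then
    echo "tls: no server certificate check (add 'remote-cert-tls server')"; n=$((n + 1))
  fi

  # 4. the log warned "file 'key.pem' is group or others accessible":
  #    columns 5-10 of ls -ld are the group/other permission bits
  key=$(cfg_get "$cfg" key)
  if [ -n "$key" ] && [ -f "$key" ]; then
    case "$(ls -ld "$key" | cut -c5-10)" in
      ------) ;;
      *) echo "key: '$key' is readable by group/others (chmod 600)"; n=$((n + 1)) ;;
    esac
  fi

  return "$n"
}

# Usage: sh lint.sh --demo  (writes the sample config in a temp dir and lints it)
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d); cd "$dir" || exit 1
  write_sample_config client.conf; : > key.pem; chmod 644 key.pem
  lint_openvpn_config client.conf tap
  echo "findings: $?"
fi
```

Run it against the real file with `lint_openvpn_config /etc/openvpn/client.conf tap` before starting the daemon; the findings map one-to-one onto the warnings OpenVPN itself prints later in the thread, so a clean run saves a connect/restart cycle per mistake.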
ASKER
Cool, a bit further...
Now the certs are ok, but:
Tue Feb 22 16:13:59 2011 us=258414 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:13:59 2011 us=300827 Bad LZO decompression header byte: 42
Tue Feb 22 16:14:00 2011 us=569523 Bad LZO decompression header byte: 42
Tue Feb 22 16:14:01 2011 us=836925 Bad LZO decompression header byte: 42
Tue Feb 22 16:14:03 2011 us=103580 Bad LZO decompression header byte: 42
Still not able to move packets between the two networks.
What else do I have to do?
How do I do the routing?
Seems that your certificates are just examples, not real ones... (assuming you provided the real log file...) If not, there is still a problem with the certificate authorizing your server. Try removing ns-cert-type server (which is only additional security, but not mandatory).
ASKER
This is my full log:
Tue Feb 22 16:31:47 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Tue Feb 22 16:31:47 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 22 16:31:47 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Feb 22 16:31:47 2011 WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables
Tue Feb 22 16:31:47 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 16:31:47 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Feb 22 16:31:47 2011 LZO compression initialized
Tue Feb 22 16:31:47 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 22 16:31:47 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Feb 22 16:31:47 2011 Local Options hash (VER=V4): '69109d17'
Tue Feb 22 16:31:47 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Feb 22 16:31:47 2011 Attempting to establish TCP connection with clientIP:port [nonblock]
Tue Feb 22 16:31:48 2011 TCP connection established with clientIP:port
Tue Feb 22 16:31:48 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb 22 16:31:48 2011 TCPv4_CLIENT link local: [undef]
Tue Feb 22 16:31:48 2011 TCPv4_CLIENT link remote: clientIP:port
Tue Feb 22 16:31:49 2011 TLS: Initial packet from clientIP:port, sid=e0847f1a 90542be5
Tue Feb 22 16:31:50 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com/emailAddress=abc@abc.com
Tue Feb 22 16:31:50 2011 VERIFY OK: depth=0, /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Tue Feb 22 16:31:52 2011 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Tue Feb 22 16:31:52 2011 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1575'
Tue Feb 22 16:31:52 2011 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Tue Feb 22 16:31:52 2011 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Feb 22 16:31:52 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 16:31:52 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 16:31:52 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 22 16:31:52 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 22 16:31:52 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb 22 16:31:52 2011 [IP] Peer Connection Initiated with clientIP:port
Tue Feb 22 16:31:52 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:53 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:53 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:31:55 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:56 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:57 2011 Bad LZO decompression header byte: 42
Tue Feb 22 16:31:58 2011 Bad LZO decompression header byte: 42
Hi
I think your server isn't using LZO for encryption/compression - check the encryption method used on the server and set the client to use the same type of compression.
The line to edit will be the "comp-lzo" line - just change lzo to whatever the server states - you can also maybe try leaving this line out completely if you don't find the method on the server.
ASKER
Ok, now I have a lot of:
Tue Feb 22 16:47:23 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:47:28 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Tue Feb 22 16:47:33 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
at the end...
That would be the server trying to set up specific routes for the internal networks so your VPN client knows where to send traffic - check the server for anything relating to push route or any dhcp options and post them so we can check what is causing the push route loop.
But just for interest's sake, with it as is - can you connect to or ping any of the servers behind the VPN server, or even the VPN server itself?
ASKER
Cannot.
If I try route - nothing in the routing table for the VPN.
If I run ifconfig I see just eth0 with the static IP address - no TUN or TAP device.
On the Zeroshell there is no way to get all the settings, as it works a bit differently - configs are stored in a database, if I know it correctly.
I have my other networks configured like this:
two Zeroshell routers, one is client, one is server. They have virtual interfaces - TAP.
There is an IP address configured for the TAP: server 192.168.2.1, client 192.168.2.2, and the routing is made through these IPs.
Just to make sure then - if your server is using tap then the client must also use tap and not tun - both server and client must use the same.
OK, you made me read some about Zeroshell routers. Now, first question - did you modify the default OpenVPN settings on your router? If yes, can you tell me what you have changed from the default? Or, best if you can reset it back to default? According to the Zeroshell web page, all you need is to download their config and replace the IP address then. But again, it will work only with default settings.
ASKER
Hi,
I now have TAP devices on both sides, but still don't see anything with ifconfig - I can start the TAP device manually, but no connection.
Is it not needed to somehow bridge the TAP interface, the openvpn client and the ethernet adapter?
Yes, there is a config file on the Zeroshell site, which I am using for host-to-LAN connections (where the LAN side is Zeroshell).
Now I would like to create a LAN-to-LAN connection between the Debian server and the Zeroshell.
Reason:
with the host-to-LAN config I would need to enter the password and username every time it disconnects - and this connection will be used to transfer data between servers (the Debian server and a server behind the Zeroshell).
I have read about bridging, etc... Is it not necessary to bridge the TAP device with eth0?
http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
ASKER
Shouldn't there be a /dev/tap on my Debian?
Because I don't have anything like that.
I can start the TAP device with the command
ifconfig tap0 promisc up
but it is not starting automatically with openvpn.
Logs attached.
Wed Feb 23 10:37:38 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Wed Feb 23 10:37:38 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 23 10:37:38 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Feb 23 10:37:38 2011 WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables
Wed Feb 23 10:37:39 2011 WARNING: file 'key.pem' is group or others accessible
Wed Feb 23 10:37:39 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Wed Feb 23 10:37:39 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Feb 23 10:37:39 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Wed Feb 23 10:37:39 2011 Local Options hash (VER=V4): '10f35004'
Wed Feb 23 10:37:39 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Wed Feb 23 10:37:39 2011 Attempting to establish TCP connection with ServerIP:port [nonblock]
Wed Feb 23 10:37:40 2011 TCP connection established with ServerIP:port
Wed Feb 23 10:37:40 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Feb 23 10:37:40 2011 TCPv4_CLIENT link local: [undef]
Wed Feb 23 10:37:40 2011 TCPv4_CLIENT link remote: ServerIP:port
Wed Feb 23 10:37:41 2011 TLS: Initial packet from ServerIP:port, sid=78e2e6f8 f9215f05
Wed Feb 23 10:37:41 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com/emailAddress=abc@abc.com
Wed Feb 23 10:37:41 2011 VERIFY OK: depth=0, /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Wed Feb 23 10:37:43 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 10:37:43 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 10:37:43 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 10:37:43 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 10:37:43 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Feb 23 10:37:43 2011 [IP] Peer Connection Initiated with ServerIP:port
Wed Feb 23 10:37:44 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 10:37:49 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 10:37:54 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
.
.
.
Hi
I don't know if this is in any way related to what you're experiencing, but one of my users on Mandriva 2010 was seeing the same thing, where tap and tun don't start up with OpenVPN.
What we did for him was purge OpenVPN, add some extra and alternate package repositories, and reinstall it - with the different installation sources the problem was resolved, as it installed some other dependency packages. Feel free to try editing your Debian apt sources and see if you have any luck getting the interface started with OpenVPN.
ASKER CERTIFIED SOLUTION
ASKER
Hi,
I have checked the routing table. On the Zeroshell side there was no push route configured. I have put there:
ifconfig-push 192.168.5.2 --push 'route 192.168.110.0 255.255.255.0'
When I run ifconfig I still don't see the TAP device.
The basic idea:
The 110.x network is on the Zeroshell's eth0 LAN.
The Zeroshell's TAP device should be 192.168.5.1 - this is configured.
The Debian's TAP device should have 192.168.5.2.
And now the log shows
Wed Feb 23 12:39:07 2011 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Wed Feb 23 12:39:07 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 23 12:39:07 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Feb 23 12:39:07 2011 WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables
Wed Feb 23 12:39:07 2011 WARNING: file 'key.pem' is group or others accessible
Wed Feb 23 12:39:07 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Wed Feb 23 12:39:08 2011 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Feb 23 12:39:08 2011 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Wed Feb 23 12:39:08 2011 Local Options hash (VER=V4): '10f35004'
Wed Feb 23 12:39:08 2011 Expected Remote Options hash (VER=V4): 'a917298a'
Wed Feb 23 12:39:08 2011 Attempting to establish TCP connection with ServerIP:PORT [nonblock]
Wed Feb 23 12:39:09 2011 TCP connection established with ServerIP:PORT
Wed Feb 23 12:39:09 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Feb 23 12:39:09 2011 TCPv4_CLIENT link local: [undef]
Wed Feb 23 12:39:09 2011 TCPv4_CLIENT link remote: ServerIP:PORT
Wed Feb 23 12:39:09 2011 TLS: Initial packet from ServerIP:PORT, sid=9f92a96c f8f7ca00
Wed Feb 23 12:39:10 2011 VERIFY OK: depth=1, /C=SK/ST=abc/L=abc/O=abc.com/OU=abc_Server/CN=abc.com/emailAddress=abc@abc.com
Wed Feb 23 12:39:10 2011 VERIFY OK: depth=0, /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP/emailAddress=abc@abc.com
Wed Feb 23 12:39:11 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 12:39:11 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 12:39:11 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 23 12:39:11 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 23 12:39:11 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Feb 23 12:39:11 2011 [IP] Peer Connection Initiated with ServerIP:PORT
Wed Feb 23 12:39:12 2011 SENT CONTROL [IP]: 'PUSH_REQUEST' (status=1)
Wed Feb 23 12:39:12 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.110.0 255.255.255.0'
Wed Feb 23 12:39:12 2011 OPTIONS IMPORT: route options modified
Wed Feb 23 12:39:12 2011 ROUTE default_gateway=10.255.255.1
Wed Feb 23 12:39:12 2011 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Wed Feb 23 12:39:12 2011 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.110.0
Wed Feb 23 12:39:12 2011 TUN/TAP device tap1 opened
Wed Feb 23 12:39:12 2011 TUN/TAP TX queue length set to 100
Wed Feb 23 12:39:12 2011 Initialization Sequence Completed
Wed Feb 23 12:39:23 2011 Connection reset, restarting [0]
Wed Feb 23 12:39:23 2011 TCP/UDP: Closing socket
Wed Feb 23 12:39:23 2011 SIGUSR1[soft,connection-reset] received, process restarting
Wed Feb 23 12:39:23 2011 Restart pause, 5 second(s)
ASKER
Ok, I see the tap device now after running openvpn, by running the command
ifconfig tap1
but no IP is assigned to it.
You are missing the --route-gateway parameter - without that you set up a route without a gateway, which results in an unreachable network. Your tap interface tries to set up ROUTE default_gateway=10.255.255.1
which is wrong, of course. But you are on the way. In general, you are missing some details on the Zeroshell side.
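The thread walks through every common OpenVPN client failure in turn: "Connection refused" (wrong IP, port or proto), "VERIFY nsCertType ERROR", the "No server certificate verification" and key-permission warnings, the tun/tap "dev-type" mismatch, "Bad LZO decompression header byte" from a one-sided comp-lzo, and finally the pushed route without a gateway. As an added example (not from the thread or any poster), this POSIX shell/awk triage script classifies those log signatures and prints the corresponding hint, so a log can be read in one pass instead of one restart per mistake. The sample log lines are constructed after the ones posted above, with placeholder addresses; the hint texts are my summary of the advice given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify OpenVPN client log lines into
# the failure modes seen above and print a hint for each. The sample lines
# are constructed after the posted ones; 192.0.2.10:1194 is a placeholder.

# Constructed sample log, one line per failure signature from the thread.
sample_log() {
  cat <<'EOF'
Tue Feb 22 14:16:22 2011 TCP: connect to 192.0.2.10:1194 failed, will try again in 5 seconds: Connection refused
Tue Feb 22 15:18:35 2011 VERIFY nsCertType ERROR: /C=SK/ST=abc/O=abc.com/OU=abc.com/CN=IP
Tue Feb 22 16:31:47 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 22 16:31:47 2011 WARNING: file 'key.pem' is group or others accessible
Tue Feb 22 16:31:52 2011 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Tue Feb 22 16:31:52 2011 Bad LZO decompression header byte: 42
Wed Feb 23 12:39:12 2011 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Wed Feb 23 12:39:12 2011 Initialization Sequence Completed
EOF
}

# triage_openvpn_log < LOGFILE
# Emits "CODE: hint" once per matched failure mode, sorted by code.
triage_openvpn_log() {
  awk '
    /Connection refused/ {
      hit["REFUSED"] = "nothing listening on that IP:port; check remote/proto (tcp vs udp) and the server firewall" }
    /VERIFY nsCertType ERROR/ {
      hit["NSCERTTYPE"] = "server cert lacks nsCertType=server; reissue it, or drop ns-cert-type from the client" }
    /No server certificate verification method/ {
      hit["NOVERIFY"] = "client does not check the server cert; add remote-cert-tls server" }
    /is group or others accessible/ {
      hit["KEYPERM"] = "private key readable by others; chmod 600 it" }
    /dev-type.* is used inconsistently/ {
      hit["DEVTYPE"] = "tun/tap mismatch; the client dev must equal the server dev" }
    /Bad LZO decompression header byte/ {
      hit["LZO"] = "comp-lzo set on one side only; enable it on both or neither" }
    /needs a gateway parameter for a --route option/ {
      hit["ROUTEGW"] = "pushed route has no gateway; set route-gateway (or ifconfig) on the client" }
    /Initialization Sequence Completed/ {
      hit["UP"] = "tunnel came up; remaining problems are addressing/routing, not the VPN handshake" }
    END { for (code in hit) print code ": " hit[code] }
  ' | sort
}

# Number of distinct modes found, for use in scripts (reads stdin like triage_openvpn_log).
triage_count() {
  triage_openvpn_log | grep -c ':'
}

# Usage: sh triage.sh --demo   or   triage_openvpn_log < /var/log/openvpn.log
if [ "${1:-}" = "--demo" ]; then
  sample_log | triage_openvpn_log
fi
```

Each code is reported once however many times its line repeats (the thread's logs show the LZO and PUSH_REQUEST lines repeating every few seconds), and the "UP" code separates handshake problems from the routing problem the asker ends up with: once "Initialization Sequence Completed" appears, the remaining work is the client-side route and ifconfig, as the reply above says.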
ASKER
And how should I configure the --route-gateway? To what IP?
I have these two lines in my routing table:
10.255.255.1 * 255.255.255.255 UH 0 0 0 eth0
default 10.255.255.1 0.0.0.0 UG 0 0 0 eth0
ASKER
Hi Guys,
I have managed to resolve the issue. I had a wrong config in the push rules on the Zeroshell side. I had to add that rule to the client side.
Thank you very much.
Regards
Patrik
ASKER
For 99% of the help I give my points to mzalfres..
Thanks.
Patrik
I don't know Zeroshell routers, but I'll try to give you some general hints:
1. To establish the openvpn service, you need to create "/etc/openvpn/<something>.
2. The tap device is configured automatically by the openvpn server. All dependencies are also satisfied by installing openvpn from the Debian package - no worries about additional software. If no tap device is created, it means no tunnel is set up. It may be either because of a bad setup (check the log files) or because you didn't configure any tunnel at all.
Check your router manual, find what options may be suitable for you (like initial protocol, IP, port, security model) for the VPN setup, then let me know if it helped. You may want to run your openvpn daemon with the "--log" option to direct output to a separate log file (not /var/log/messages) and increase verbosity with the "--verb <n>" parameter. <n> should be a number; try something between 1 and 4 - higher is more verbose.
If not, I'll try to give you more details when I've got some Zeroshell manual for myself :-)