This really isn't the place to come for help with OpenVPN.

I've gotten OpenVPN to work on OpenBSD using the regular install instructions
on the OpenVPN web site, but there's nothing pretty about it.

If all your clients and servers are OpenBSD machines, you can use
ipsecctl/ipsec.conf to configure everything, with much less fuss and
headache than OpenVPN.  Just look at the man pages for both ipsecctl
and ipsec.conf.  Also, shrew.net is compatible for windows clients.

Timo Myyrä [EMAIL PROTECTED] wrote:
> Hey, I would appreciate if somebody could help me setup OpenVPN connection.
>
> Here's the setup:
>
> Server:  192.168.1.1
> Soekris: sis0: 192.168.1.35: PXE boots from server
>        sis1: Internet: gets dynamic IP from ISP
>        sis2: 10.1.1.1: DHCP-server and gateway to LAN
>        ral0: 172.16.1.1: Wlan interface to be used with OpenVPN
> Desktop  nfe0: 10.1.1.10
> Laptop         wpi0: 172.16.1.10
>
> Desktop works nicely with soekris.
>
> My client is my OpenBSD laptop.
> I followed the instructions at: http://www.linux.com/articles/49990
> I changed the IP's on the server and client configs.
> The config uses "server-bridge 172.16.1.1 255.255.255.0 172.16.1.100
> 172.16.1.120"
>
> I authenticated the laptop via SSH and then ran openvpn and it gave
> the following:
>
> Tue Nov  6 20:18:54 2007 OpenVPN 2.0.9 x86_64-unknown-openbsd4.2 [SSL]
> [LZO] built on Aug 20 2007
> Tue Nov  6 20:18:54 2007 IMPORTANT: OpenVPN's default port number is now
> 1194, based on an official port number assignment by IANA.  OpenVPN
> 2.0-beta16 and earlier used 5000 as the default port.
> Tue Nov  6 20:18:54 2007 Control Channel Authentication: using
> '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
> Tue Nov  6 20:18:54 2007 Outgoing Control Channel Authentication: Using
> 160 bit message hash 'SHA1' for HMAC authentication
> Tue Nov  6 20:18:54 2007 Incoming Control Channel Authentication: Using
> 160 bit message hash 'SHA1' for HMAC authentication
> Tue Nov  6 20:18:54 2007 Control Channel MTU parms [ L:1541 D:166 EF:66
> EB:0 ET:0 EL:0 ]
> Tue Nov  6 20:18:54 2007 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4
> ET:0 EL:0 ]
> Tue Nov  6 20:18:54 2007 Local Options hash (VER=V4): '70f5b3af'
> Tue Nov  6 20:18:54 2007 Expected Remote Options hash (VER=V4): 'a2e2498c'
> Tue Nov  6 20:18:54 2007 NOTE: chroot will be delayed because of --client,
> --pull, or --up-delay
> Tue Nov  6 20:18:54 2007 NOTE: UID/GID downgrade will be delayed because
> of --client, --pull, or --up-delay
> Tue Nov  6 20:18:54 2007 UDPv4 link local: [undef]
> Tue Nov  6 20:18:54 2007 UDPv4 link remote: 172.16.1.1:1194
> Tue Nov  6 20:18:54 2007 TLS: Initial packet from 172.16.1.1:1194,
> sid=c32cfb6f 891c696c
> Tue Nov  6 20:18:54 2007 VERIFY OK: depth=1,
> /C=FI/ST=Etela-Karjala/L=Lappeenranta/O=OpenVPN-TEST/CN=WickedBSD/emailAddres
> [EMAIL PROTECTED]
> Tue Nov  6 20:18:54 2007 VERIFY OK: nsCertType=SERVER
> Tue Nov  6 20:18:54 2007 VERIFY OK: depth=0,
> /C=FI/ST=Etela-Karjala/O=OpenVPN-TEST/CN=WickedBSD/[EMAIL PROTECTED]
> kedbsd.no-ip.com
> Tue Nov  6 20:18:55 2007 WARNING: 'dev-type' is used inconsistently,
> local='dev-type tun', remote='dev-type tap'
> Tue Nov  6 20:18:55 2007 WARNING: 'link-mtu' is used inconsistently,
> local='link-mtu 1541', remote='link-mtu 1573'
> Tue Nov  6 20:18:55 2007 WARNING: 'tun-mtu' is used inconsistently,
> local='tun-mtu 1500', remote='tun-mtu 1532'
> Tue Nov  6 20:18:55 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Tue Nov  6 20:18:55 2007 Data Channel Encrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Tue Nov  6 20:18:55 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Tue Nov  6 20:18:55 2007 Data Channel Decrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Tue Nov  6 20:18:55 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3
> DHE-RSA-AES256-SHA, 1024 bit RSA
> Tue Nov  6 20:18:55 2007 [WickedBSD] Peer Connection Initiated with
> 172.16.1.1:1194
> Tue Nov  6 20:18:56 2007 SENT CONTROL [WickedBSD]: 'PUSH_REQUEST'
> (status=1)
> Tue Nov  6 20:18:56 2007 PUSH: Received control message:
> 'PUSH_REPLY,redirect-gateway local def1,route-gateway 172.16.1.1,ping
> 10,ping-restart 120,ifconfig 172.16.1.100 255.255.255.0'
> Tue Nov  6 20:18:56 2007 OPTIONS IMPORT: timers and/or timeouts modified
> Tue Nov  6 20:18:56 2007 OPTIONS IMPORT: --ifconfig/up options modified
> Tue Nov  6 20:18:56 2007 OPTIONS IMPORT: route options modified
> Tue Nov  6 20:18:56 2007 WARNING: Since you are using --dev tun, the
> second argument to --ifconfig must be an IP address.  You are using
> something (255.255.255.0) that looks more like a netmask. (silence this
> warning with --ifconfig-nowarn)
> Tue Nov  6 20:18:56 2007 WARNING: potential conflict between --remote
> address [172.16.1.1] and --ifconfig address pair [172.16.1.100,
> 255.255.255.0] -- this is a warning only that is triggered when
> local/remote addresses exist within the same /24 subnet as --ifconfig
> endpoints. (silence this warning with --ifconfig-nowarn)
> Tue Nov  6 20:18:56 2007 /sbin/ifconfig tun0 destroy
> Tue Nov  6 20:18:56 2007 /sbin/ifconfig tun0 create
> Tue Nov  6 20:18:56 2007 NOTE: Tried to delete pre-existing tun/tap
> instance -- No Problem if failure
> Tue Nov  6 20:18:56 2007 /sbin/ifconfig tun0 172.16.1.100 255.255.255.0
> mtu 1500 netmask 255.255.255.255 up
> Tue Nov  6 20:18:56 2007 TUN/TAP device /dev/tun0 opened
> Tue Nov  6 20:18:56 2007 NOTE: unable to redirect default gateway --
> Cannot read current default gateway from system
> Tue Nov  6 20:18:56 2007 chroot to '/var/empty' and cd to '/' succeeded
> Tue Nov  6 20:18:56 2007 GID set to openvpn
> Tue Nov  6 20:18:56 2007 UID set to openvpn
> Tue Nov  6 20:18:56 2007 Initialization Sequence Completed
>
>
> After this I tried to ping something on LAN but got "no route" messages. I
> added the default gateway as 172.16.1.1.
> Now I tested the connection and I could ping the server and every soekris
> interface but not the desktop or the internet.
>
> I ran tcpdump on the soekris and it seemed to see my google ping
> requests but forwarded those to 172.16.1.10, which is the address of my
> laptop's wlan interface. It should use 172.16.1.100 with VPN AFAIK.
> Soekris pf.conf has "pass quick on $vpn_if" rule.
>
> How to proceed with this to get the OpenVPN to work properly?
>
> Timo
>
> --
> Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

-- 
Those who can, do.
Those who can't, sue.
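The quoted client log already contains the answer to the "connected but no LAN traffic" symptom. The following is an added diagnostic script, written for this page and not code from either poster: it parses OpenVPN's "is used inconsistently" warnings and the PUSH_REPLY line and reports the tun/tap mismatch (a `server-bridge` server is tap, the client is `dev tun`) and its knock-on effects. SAMPLE_LOG is constructed from the lines quoted above; the 32-byte difference check relies on the extra Ethernet-frame room OpenVPN reserves for tap devices.

```python
import ipaddress
import re
# Constructed sample: the diagnostic lines excerpted from the client log quoted in the post.
SAMPLE_LOG = """\
Tue Nov  6 20:18:55 2007 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Tue Nov  6 20:18:55 2007 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1573'
Tue Nov  6 20:18:55 2007 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Tue Nov  6 20:18:56 2007 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway local def1,route-gateway 172.16.1.1,ping 10,ping-restart 120,ifconfig 172.16.1.100 255.255.255.0'
Tue Nov  6 20:18:56 2007 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
"""

# OpenVPN's "'<opt>' is used inconsistently, local='<opt> <v>', remote='<opt> <v>'" warning
INCONSISTENT = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
                          r"local='[\w-]+ (?P<local>[^']+)', remote='[\w-]+ (?P<remote>[^']+)'")
PUSH_REPLY = re.compile(r"'PUSH_REPLY,(?P<opts>[^']*)'")

def parse_mismatches(log):
    """Map each option the server disagrees on to its (local, remote) values."""
    return {m["opt"]: (m["local"], m["remote"]) for m in INCONSISTENT.finditer(log)}

def parse_push(log):
    """Split the PUSH_REPLY list into {directive: argument string}."""
    m = PUSH_REPLY.search(log)
    return dict(item.partition(" ")[::2] for item in m["opts"].split(",")) if m else {}

def diagnose(log):
    """Explain why the tunnel reports 'Initialization Sequence Completed' yet passes no LAN traffic."""
    findings, mism, pushed = [], parse_mismatches(log), parse_push(log)
    if mism.get("dev-type") == ("tun", "tap"):
        findings.append("dev-type: client runs 'dev tun' but the server is bridged (server-bridge implies "
                        "tap); both ends need tap for the bridge to carry Ethernet frames")
    for opt in ("link-mtu", "tun-mtu"):
        if opt in mism:
            local, remote = (int(v) for v in mism[opt])
            why = ("the 32-byte tap frame allowance, i.e. the same tun/tap mismatch"
                   if remote - local == 32 else "an explicit MTU setting on one side")
            findings.append(f"{opt}: local {local} vs remote {remote}, consistent with {why}")
    ifc = pushed.get("ifconfig", "").split()
    if len(ifc) == 2 and mism.get("dev-type", ("", ""))[0] == "tun":
        try:  # a valid netmask as 2nd argument only makes sense for tap; tun expects a peer address
            ipaddress.IPv4Network(("0.0.0.0", ifc[1]))
            findings.append(f"ifconfig: pushed '{pushed['ifconfig']}' hands a netmask to a tun client")
        except ValueError:
            pass
    if "unable to redirect default gateway" in log:
        findings.append("redirect-gateway: no default route existed at start, so nothing was steered into the tunnel")
    return findings
```

Run it against a full client log (`openvpn --config client.conf --log client.log`) and every finding points back at a directive to change on one side; once both ends agree on tap the MTU and ifconfig warnings disappear together.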
