Re: openvpn client on pf gateway

2010-11-04 Thread krad
On 4 November 2010 10:15, Samuel Martín Moro  wrote:

> Hi,
>
>
> I'm using a FreeBSD-8.1 (RELEASE, amd64) as gateway for my local network.
> And pf as firewall.
>
>
> I'm renting a dedicated box, running openvpn.
> My gateway is configured as a client of this VPN.
> I modified my pf.conf to provide internet to my local network.
> I configured iptables on the VPN server (debian-5) to accept everything,
> and
> redirect what I needed to.
>
> Everything seems to work... except...
>
> How can I redirect a port through the VPN?
> I mean...
> The problem does not seem to come from the VPN server, as I can access my
> local gateway from an external server, through the iptables redirection.
> But, when I try to access a host behind that gateway, it won't connect...
>
>
> Here's the pf.conf:
>
> ext_if="bge0"
> int_if="bge1"
> vpn_if="tun0"
>
> lc = $int_if:network
>  vpn="10.253.254.1"
>  emma="10.242.42.200"
> alpha="10.42.42.42"
> delta="10.42.42.44"
>   xi="10.42.142.44"
>
> set skip on lo0
> scrub in on $ext_if all fragment reassemble
> scrub in on $vpn_if all fragment reassemble
> # INTERNETZ
> nat  on $ext_if from $lc to any -> ($ext_if)
> nat  on $vpn_if from $lc to any -> ($vpn_if)
> rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1666 -> $alpha port 1666
> rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1666 -> $alpha port 1666
> rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1667 -> $delta port   22
> rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1667 -> $delta port   22
> rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1668 -> $alpha port   22
> rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1668 -> $alpha port   22
> rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1669 -> $xi    port   22
> rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1669 -> $xi    port   22
> rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 9418 -> $xi    port 9418
> rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 9418 -> $xi    port 9418
> pass  in on $ext_if inet proto tcp  from any to $ext_if   port 1664
> pass  in on $vpn_if inet proto tcp  from any to $vpn_if   port 1664
> pass  in on $int_if inet proto tcp  from any to any
> pass  in on $int_if inet proto udp  from any to any
> block in log on $ext_if inet proto icmp from any to $ext_if
> block in log on $vpn_if inet proto icmp from any to $vpn_if
>
> every rule for $ext_if is working as expected
> so I copied them, replacing my external interface by the vpn one
> ssh from internet to the gateway (1664) works.
> but accessing a ssh server behind the gateway (say alpha, 1668) does not...
>
>
> What am I doing wrong?
>
>
>
> Regards,
>
> --
> Samuel Martín Moro
> {EPITECH.} tek5
> CamTrace S.A.S
>  (+033) 1 41 38 37 60
>  1 Allée de la Venelle
>  92150 Suresnes
>  FRANCE
>
> "Nobody wants to say how this works.
>  Maybe nobody knows ..."
>  Xorg.conf(5)
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscr...@freebsd.org"
>


I'm not sure if I understand you correctly, but are you trying to forward
ports from your colo rented machine to boxes on your LAN via the openvpn
connection?

If you are and this is where the problem is, you probably need to be natting
on the colo box's vpn interface (tun0). So you will need some iptables
config. Doing this avoids the asymmetric routing and natting issue you will
be getting.

Basically, if a packet enters your colo box (dst ip A) from client (B), your
colo box will forward it down the tunnel to host C on a private ip. This
will respond, and create a packet to go to B. However, this packet will
have a public ip as a destination, so when it hits your pf firewall it will
probably get routed out of the default route, and not the vpn interface. As
it's not a tcp syn it will most probably be dropped by pf. However, if it isn't,
it will be natted to the public ip of your pf box. This is a problem as
this source address isn't the same as the destination address of the initial
packet generated by the client B. Therefore when it actually gets to the
client it will just be dropped.

Natting on the colo box's vpn interface sorts all this out for you.
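krad's explanation, turned into a small model that walks the client's SYN and alpha's reply hop by hop. This is an added example, not code from the thread: the public addresses (198.51.100.7 for the client, 203.0.113.10 for the colo box, 192.0.2.25 for the gateway's bge0) and the gateway's tun0 address 10.253.254.6 are made-up stand-ins, while 10.253.254.1 and 10.42.42.42 are the $vpn and $alpha macros from the posted pf.conf. It goes beyond krad's message in also modelling the pf-side alternative, pinning the reply to tun0 with pf's `reply-to`.

```python
"""Model of the port-forward-through-the-VPN path discussed in the thread.

Added example, not code from the thread. Addresses marked 'assumed' are
made up (RFC 5737 documentation ranges); the 10.x addresses come from the
posted pf.conf.
"""
from dataclasses import dataclass

CLIENT   = "198.51.100.7"    # B: external client (assumed)
COLO_PUB = "203.0.113.10"    # A: public address of the rented colo box (assumed)
COLO_TUN = "10.253.254.1"    # $vpn in the posted pf.conf: colo end of tun0
GW_TUN   = "10.253.254.6"    # pf gateway's end of tun0 (assumed)
GW_PUB   = "192.0.2.25"      # pf gateway's bge0 address (assumed)
ALPHA    = "10.42.42.42"     # $alpha in the posted pf.conf
VPN_NET  = "10.253.254."     # prefix test standing in for the tun0 route
FWD_PORT, SSH = 1668, 22     # rdr ... port 1668 -> $alpha port 22


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self):
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


def trace(snat_on_colo: bool, reply_to_on_pf: bool):
    """Walk one SYN from B to alpha:22 and alpha's reply back.

    snat_on_colo   - krad's fix: the colo box rewrites the source to its own
                     tun0 address before sending down the tunnel.
    reply_to_on_pf - pf-side alternative: the state created on tun0 forces
                     the reply back out tun0 regardless of the routing table.
    Returns (accepted_by_client, hops).
    """
    hops = []
    # 1. client connects to the forwarded port on the colo box
    p = Pkt(CLIENT, 40000, COLO_PUB, FWD_PORT)
    hops.append(f"B -> colo eth0        {p}")

    # 2. colo box: DNAT to the gateway's tun0 address (the poster's iptables
    #    redirection); conntrack remembers the original tuple for the reply
    colo_ct = {"orig": p}
    p = Pkt(p.src, p.sport, GW_TUN, FWD_PORT)
    if snat_on_colo:                      # 3. optional SNAT on the way out tun0
        p = Pkt(COLO_TUN, 40000, p.dst, p.dport)
    hops.append(f"colo tun0 -> gw tun0  {p}")

    # 4. pf gateway: rdr on $vpn_if ... port 1668 -> $alpha port 22
    p = Pkt(p.src, p.sport, ALPHA, SSH)
    hops.append(f"gw bge1 -> alpha      {p}")

    # 5. alpha answers whatever source address it saw
    r = Pkt(ALPHA, SSH, p.src, p.sport)
    hops.append(f"alpha -> gw bge1      {r}")

    # 6. pf gateway: the state match undoes the rdr; the reply is then routed
    #    by destination unless reply-to pins it to tun0
    r = Pkt(GW_TUN, FWD_PORT, r.dst, r.dport)
    via_tun = reply_to_on_pf or r.dst.startswith(VPN_NET)
    if not via_tun:
        # default route: out bge0, where 'nat on $ext_if' rewrites the source
        # (simplified; a private source would otherwise be dropped upstream)
        r = Pkt(GW_PUB, FWD_PORT, r.dst, r.dport)
        hops.append(f"gw bge0 -> B          {r}  (wrong path)")
        return r.src == COLO_PUB and r.sport == FWD_PORT, hops
    hops.append(f"gw tun0 -> colo tun0  {r}")

    # 7. colo box: conntrack reverses the SNAT (if any) and the DNAT
    orig = colo_ct["orig"]
    r = Pkt(COLO_PUB, FWD_PORT, orig.src, orig.sport)
    hops.append(f"colo eth0 -> B        {r}")

    # 8. the client only accepts a reply from the tuple it connected to
    return r.src == COLO_PUB and r.sport == FWD_PORT, hops


if __name__ == "__main__":
    for snat, rt in ((False, False), (True, False), (False, True)):
        ok, hops = trace(snat, rt)
        print(f"\nSNAT on colo={snat}  reply-to on pf={rt}  -> "
              f"{'connection works' if ok else 'reply lost'}")
        print("\n".join("  " + h for h in hops))
```

Without either fix, alpha's reply leaves bge0 and can never arrive at the client with the source 203.0.113.10:1668 it is waiting for. krad's fix is an iptables rule of the shape `iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE` on the colo box next to the existing DNAT; the pf-side alternative is `reply-to ($vpn_if $vpn)` on the pass rule that matches the redirected traffic on tun0, assuming $vpn (10.253.254.1) is the tunnel peer. The trade-off is visibility: with SNAT the LAN hosts only ever see 10.253.254.1 in their logs and sshd's `from` field, with reply-to they keep the real client address.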


openvpn client on pf gateway

2010-11-04 Thread Samuel Martín Moro
Hi,


I'm using a FreeBSD-8.1 (RELEASE, amd64) as gateway for my local network.
And pf as firewall.


I'm renting a dedicated box, running openvpn.
My gateway is configured as a client of this VPN.
I modified my pf.conf to provide internet to my local network.
I configured iptables on the VPN server (debian-5) to accept everything, and
redirect what I needed to.

Everything seems to work... except...

How can I redirect a port through the VPN?
I mean...
The problem does not seem to come from the VPN server, as I can access my
local gateway from an external server, through the iptables redirection.
But, when I try to access a host behind that gateway, it won't connect...


Here's the pf.conf:

ext_if="bge0"
int_if="bge1"
vpn_if="tun0"

lc = $int_if:network
  vpn="10.253.254.1"
 emma="10.242.42.200"
alpha="10.42.42.42"
delta="10.42.42.44"
   xi="10.42.142.44"

set skip on lo0
scrub in on $ext_if all fragment reassemble
scrub in on $vpn_if all fragment reassemble
# INTERNETZ
nat  on $ext_if from $lc to any -> ($ext_if)
nat  on $vpn_if from $lc to any -> ($vpn_if)
rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1666 -> $alpha port 1666
rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1666 -> $alpha port 1666
rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1667 -> $delta port   22
rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1667 -> $delta port   22
rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1668 -> $alpha port   22
rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1668 -> $alpha port   22
rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 1669 -> $xi    port   22
rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 1669 -> $xi    port   22
rdr  on $ext_if inet proto tcp  from any to ($ext_if) port 9418 -> $xi    port 9418
rdr  on $vpn_if inet proto tcp  from any to ($vpn_if) port 9418 -> $xi    port 9418
pass  in on $ext_if inet proto tcp  from any to $ext_if   port 1664
pass  in on $vpn_if inet proto tcp  from any to $vpn_if   port 1664
pass  in on $int_if inet proto tcp  from any to any
pass  in on $int_if inet proto udp  from any to any
block in log on $ext_if inet proto icmp from any to $ext_if
block in log on $vpn_if inet proto icmp from any to $vpn_if

every rule for $ext_if is working as expected
so I copied them, replacing my external interface by the vpn one
ssh from internet to the gateway (1664) works.
but accessing a ssh server behind the gateway (say alpha, 1668) does not...


What am I doing wrong?



Regards,

-- 
Samuel Martín Moro
{EPITECH.} tek5
CamTrace S.A.S
  (+033) 1 41 38 37 60
  1 Allée de la Venelle
  92150 Suresnes
  FRANCE

"Nobody wants to say how this works.
  Maybe nobody knows ..."
  Xorg.conf(5)


Re: OpenVPN Client

2009-07-26 Thread Leonardo M. Ramé

Thanks Drew!, I'll change my home network to test this.

Leonardo.

--- On Sun, 7/26/09, Drew Tomlinson  wrote:

> From: Drew Tomlinson 
> Subject: Re: OpenVPN Client
> To: ""Leonardo M. Ramé"" 
> Cc: freebsd-questions@freebsd.org
> Date: Sunday, July 26, 2009, 9:01 PM
> Leonardo M. Ramé wrote:
> > Well, I opted for deinstalling openvpn and install
> openvpn-devel (2.1). Now it reads my client.ovpn file, and
> it seems to be going a little step further, now it seems to
> be a problem with route add.
> >   
> It's not really a problem with 'route add'.  The
> problem is that a route
> for 192.168.0.0 already exists.
> > I have to mention that the client machine is connected
> to a router using DHCP in the network 192.168.0.xxx. Can
> this be the problem?
> >   
> Yes.
> 
> > This is the new log:
> >
> > Sat Jul 25 16:20:10 2009 OpenVPN 2.1_rc18
> i386-portbld-freebsd7.2 [SSL] [LZO2] [PKCS11] built on Jul
> 25 2009
> > Sat Jul 25 16:20:13 2009 NOTE: OpenVPN 2.1 requires
> '--script-security 2' or higher to call user-defined scripts
> or executables
> > Sat Jul 25 16:20:13 2009 Control Channel
> Authentication: tls-auth using INLINE static key file
> > Sat Jul 25 16:20:13 2009 Outgoing Control Channel
> Authentication: Using 160 bit message hash 'SHA1' for HMAC
> authentication
> > Sat Jul 25 16:20:13 2009 Incoming Control Channel
> Authentication: Using 160 bit message hash 'SHA1' for HMAC
> authentication
> > Sat Jul 25 16:20:13 2009 LZO compression initialized
> > Sat Jul 25 16:20:13 2009 Control Channel MTU parms [
> L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
> > Sat Jul 25 16:20:13 2009 Data Channel MTU parms [
> L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
> > Sat Jul 25 16:20:13 2009 Local Options hash (VER=V4):
> 'ee93268d'
> > Sat Jul 25 16:20:13 2009 Expected Remote Options hash
> (VER=V4): 'bd577cd1'
> > Sat Jul 25 16:20:13 2009 Attempting to establish TCP
> connection with 200.80.219.194:443 [nonblock]
> > Sat Jul 25 16:20:14 2009 TCP connection established
> with 200.80.219.194:443
> > Sat Jul 25 16:20:14 2009 Socket Buffers:
> R=[66608->65536] S=[33304->65536]
> > Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link local:
> [undef]
> > Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link remote:
> 200.80.219.194:443
> > Sat Jul 25 16:20:14 2009 TLS: Initial packet from
> 200.80.219.194:443, sid=f4722bb3 aafe8f23
> > Sat Jul 25 16:20:14 2009 WARNING: this configuration
> may cache passwords in memory -- use the auth-nocache option
> to prevent this
> > Sat Jul 25 16:20:15 2009 VERIFY OK: depth=1,
> /CN=OpenVPN_CA
> > Sat Jul 25 16:20:15 2009 VERIFY OK: nsCertType=SERVER
> > Sat Jul 25 16:20:15 2009 VERIFY OK: depth=0,
> /CN=OpenVPN_Server
> > Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Cipher
> 'BF-CBC' initialized with 128 bit key
> > Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Using
> 160 bit message hash 'SHA1' for HMAC authentication
> > Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Cipher
> 'BF-CBC' initialized with 128 bit key
> > Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Using
> 160 bit message hash 'SHA1' for HMAC authentication
> > Sat Jul 25 16:20:15 2009 Control Channel: TLSv1,
> cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> > Sat Jul 25 16:20:15 2009 [OpenVPN_Server] Peer
> Connection Initiated with 200.80.219.194:443
> > Sat Jul 25 16:20:16 2009 SENT CONTROL
> [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
> > Sat Jul 25 16:20:16 2009 PUSH: Received control
> message: 'PUSH_REPLY,route-delay 5
> 30,dhcp-pre-release,dhcp-renew,dhcp-release,redirect-private
> local,redirect-private bypass-dhcp,redirect-private
> bypass-dns,route-metric 101,route 192.168.0.0
> 255.255.255.0,route-gateway 172.16.0.1,topology subnet,ping
> 8,ping-restart 90,socket-flags TCP_NODELAY,ifconfig
> 172.16.0.2 255.255.0.0'
> > Sat Jul 25 16:20:16 2009 Options error: Unrecognized
> option or missing parameter(s) in [PUSH-OPTIONS]:2:
> dhcp-pre-release (2.1_rc18)
> > Sat Jul 25 16:20:16 2009 Options error: Unrecognized
> option or missing parameter(s) in [PUSH-OPTIONS]:3:
> dhcp-renew (2.1_rc18)
> > Sat Jul 25 16:20:16 2009 Options error: Unrecognized
> option or missing parameter(s) in [PUSH-OPTIONS]:4:
> dhcp-release (2.1_rc18)
> > Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: timers and/or
> timeouts modified
> > Sat Jul 25 16:20:16 2009 OPTIONS IMPORT:
> --socket-flags option modified
> > Sat Jul 25 16:20:16 2009 NOTE: setsockopt
> TCP_NODELAY=1 f

Re: OpenVPN Client

2009-07-26 Thread Drew Tomlinson
Leonardo M. Ramé wrote:
> Well, I opted for deinstalling openvpn and install openvpn-devel (2.1). Now 
> it reads my client.ovpn file, and it seems to be going a little step further, 
> now it seems to be a problem with route add.
>   
It's not really a problem with 'route add'.  The problem is that a route
for 192.168.0.0 already exists.
> I have to mention that the client machine is connected to a router using DHCP 
> in the network 192.168.0.xxx. Can this be the problem?
>   
Yes.

> This is the new log:
>
> Sat Jul 25 16:20:10 2009 OpenVPN 2.1_rc18 i386-portbld-freebsd7.2 [SSL] 
> [LZO2] [PKCS11] built on Jul 25 2009
> Sat Jul 25 16:20:13 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or 
> higher to call user-defined scripts or executables
> Sat Jul 25 16:20:13 2009 Control Channel Authentication: tls-auth using 
> INLINE static key file
> Sat Jul 25 16:20:13 2009 Outgoing Control Channel Authentication: Using 160 
> bit message hash 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:13 2009 Incoming Control Channel Authentication: Using 160 
> bit message hash 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:13 2009 LZO compression initialized
> Sat Jul 25 16:20:13 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 
> ET:0 EL:0 ]
> Sat Jul 25 16:20:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 
> ET:0 EL:0 AF:3/1 ]
> Sat Jul 25 16:20:13 2009 Local Options hash (VER=V4): 'ee93268d'
> Sat Jul 25 16:20:13 2009 Expected Remote Options hash (VER=V4): 'bd577cd1'
> Sat Jul 25 16:20:13 2009 Attempting to establish TCP connection with 
> 200.80.219.194:443 [nonblock]
> Sat Jul 25 16:20:14 2009 TCP connection established with 200.80.219.194:443
> Sat Jul 25 16:20:14 2009 Socket Buffers: R=[66608->65536] S=[33304->65536]
> Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link local: [undef]
> Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
> Sat Jul 25 16:20:14 2009 TLS: Initial packet from 200.80.219.194:443, 
> sid=f4722bb3 aafe8f23
> Sat Jul 25 16:20:14 2009 WARNING: this configuration may cache passwords in 
> memory -- use the auth-nocache option to prevent this
> Sat Jul 25 16:20:15 2009 VERIFY OK: depth=1, /CN=OpenVPN_CA
> Sat Jul 25 16:20:15 2009 VERIFY OK: nsCertType=SERVER
> Sat Jul 25 16:20:15 2009 VERIFY OK: depth=0, /CN=OpenVPN_Server
> Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized 
> with 128 bit key
> Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Using 160 bit message hash 
> 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized 
> with 128 bit key
> Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Using 160 bit message hash 
> 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:15 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 
> DHE-RSA-AES256-SHA, 1024 bit RSA
> Sat Jul 25 16:20:15 2009 [OpenVPN_Server] Peer Connection Initiated with 
> 200.80.219.194:443
> Sat Jul 25 16:20:16 2009 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' 
> (status=1)
> Sat Jul 25 16:20:16 2009 PUSH: Received control message: 
> 'PUSH_REPLY,route-delay 5 
> 30,dhcp-pre-release,dhcp-renew,dhcp-release,redirect-private 
> local,redirect-private bypass-dhcp,redirect-private bypass-dns,route-metric 
> 101,route 192.168.0.0 255.255.255.0,route-gateway 172.16.0.1,topology 
> subnet,ping 8,ping-restart 90,socket-flags TCP_NODELAY,ifconfig 172.16.0.2 
> 255.255.0.0'
> Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing 
> parameter(s) in [PUSH-OPTIONS]:2: dhcp-pre-release (2.1_rc18)
> Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing 
> parameter(s) in [PUSH-OPTIONS]:3: dhcp-renew (2.1_rc18)
> Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing 
> parameter(s) in [PUSH-OPTIONS]:4: dhcp-release (2.1_rc18)
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: timers and/or timeouts modified
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: --socket-flags option modified
> Sat Jul 25 16:20:16 2009 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel 
> support)
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: --ifconfig/up options modified
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: route options modified
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: route-related options modified
> Sat Jul 25 16:20:16 2009 ROUTE default_gateway=192.168.0.1
> Sat Jul 25 16:20:16 2009 TUN/TAP device /dev/tun0 opened
> Sat Jul 25 16:20:16 2009 /sbin/ifconfig tun0 172.16.0.2 172.16.0.2 netmask 
> 255.255.0.0 mtu 1500 up
> Sat Jul 25 16:20:16 2009 /sbin/route add -net 172.16.0.0 172.16.0.2 
> 255.255.0.0
> add net 172.16.0.0: gateway 172.16.0.2
> Sat Jul 25 16:20:21 2009 WARNING: potential route subnet conflict between 
> local LAN [192.168.0.0/255.255.255.0] and remote VPN 
> [192.168.0.0/255.255.255.0]
>   

You can't use the same address space for multiple networks.  In other
words, you can't use 192.168.0.0/24 for both the VPN and your internal
network unless you are bridging the two (i.e., making it one 
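Drew's point can be checked mechanically against the PUSH_REPLY recorded in Leonardo's log. The following Python is an added example, not code from the thread or from OpenVPN: it parses the pushed `route` and (with `topology subnet`) `ifconfig` options into prefixes and reports any that overlap a network the client is already directly connected to. The PUSH_REPLY string is copied from the log; the local networks are taken from the posted ifconfig output (ndis0 is 192.168.0.100/24, lo0 is added for completeness). It is more general than the single clash in the log in that every pushed prefix is checked.

```python
"""Check OpenVPN pushed routes against the client's own networks.

Added example, not code from the thread or from OpenVPN. PUSH_REPLY is the
control message from Leonardo's log; LOCAL_NETS is built from the posted
ifconfig output.
"""
import ipaddress

PUSH_REPLY = (
    "PUSH_REPLY,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,"
    "redirect-private local,redirect-private bypass-dhcp,"
    "redirect-private bypass-dns,route-metric 101,"
    "route 192.168.0.0 255.255.255.0,route-gateway 172.16.0.1,"
    "topology subnet,ping 8,ping-restart 90,socket-flags TCP_NODELAY,"
    "ifconfig 172.16.0.2 255.255.0.0"
)

# Directly connected networks on the client (ndis0 192.168.0.100/24, lo0)
LOCAL_NETS = {
    "ndis0": ipaddress.ip_network("192.168.0.0/24"),
    "lo0": ipaddress.ip_network("127.0.0.0/8"),
}


def pushed_prefixes(push_reply):
    """Yield (option_text, network) for each pushed option that installs a
    prefix on the client: 'route <net> [<mask> [<gw>]]' and, with topology
    subnet, 'ifconfig <addr> <netmask>'. Placeholders such as vpn_gateway
    and net30-style 'ifconfig <local> <remote>' pairs are skipped."""
    for opt in push_reply.split(","):
        words = opt.split()
        if not words:
            continue
        if words[0] == "route" and len(words) >= 2:
            net = words[1]
            mask = words[2] if len(words) >= 3 else "255.255.255.255"
        elif words[0] == "ifconfig" and len(words) == 3:
            net, mask = words[1], words[2]
        else:
            continue
        try:
            yield opt, ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:      # hostname, placeholder or non-mask second word
            continue


def route_conflicts(push_reply, local_nets):
    """Return [(option_text, ifname)] for every pushed prefix that overlaps a
    network the client already reaches directly. Each hit is a route that will
    either shadow the LAN or be shadowed by it once it is installed."""
    return [
        (opt, ifname)
        for opt, net in pushed_prefixes(push_reply)
        for ifname, local in local_nets.items()
        if net.overlaps(local)
    ]


if __name__ == "__main__":
    for opt, ifname in route_conflicts(PUSH_REPLY, LOCAL_NETS):
        print(f"pushed '{opt}' overlaps {ifname} ({LOCAL_NETS[ifname]})")
```

On the log above it reports the one clash OpenVPN itself warned about, `route 192.168.0.0 255.255.255.0` against ndis0, and nothing for the 172.16.0.0/16 tunnel subnet. Either the home LAN or the office-side VPN network has to move to a prefix the other side does not use; as Drew says, there is no routing trick that lets the same /24 be both.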

Re: OpenVPN Client

2009-07-25 Thread Leonardo M. Ramé
nt_wait : Interrupted system call (code=4)
Sat Jul 25 16:20:30 2009 TCP/UDP: Closing socket
Sat Jul 25 16:20:30 2009 Closing TUN/TAP interface
Sat Jul 25 16:20:30 2009 SIGINT[hard,] received, process exiting



Leonardo M. Ramé
http://leonardorame.blogspot.com


--- On Sat, 7/25/09, chris scott  wrote:

> From: chris scott 
> Subject: Re: OpenVPN Client
> To: "Leonardo M. Ramé" 
> Cc: freebsd-questions@freebsd.org
> Date: Saturday, July 25, 2009, 1:56 PM
> 2009/7/25 Leonardo M. Ramé 
> 
> >
> > Hi, I'm trying to connect to an OpenVPN server in my
> office. To do this, I
> > installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL]
> [LZO]" from ports,
> > and looking at different tutorials I found it needs a
> config file in
> > /usr/local/etc/openvpn/openvpn.conf. The problem here,
> is that our server
> > provides a "client.ovpn" file containing all the
> connection params needed
> > by a client, in fact, we connect windows machines just
> by installing
> > "OpenVPN_Installer.exe", it configures a TAP device
> and a client that reads
> > the client.ovpn file.
> >
> > Now, in my FreeBSD 7.2 i386 machine, I did this:
> >
> > Created the /usr/local/etc/openvpn/openvpn.conf (the
> port doesn't create
> > it automatically) with this content:
> >
> > remote 200.80.219.194.static.techtelnet.net
> > client
> > proto tcp
> > port 443
> > dev tun
> > ns-cert-type server
> > auth-user-pass
> > auth-retry interact
> > comp-lzo
> > user nobody
> > group nobody
> > verb 3
> > ca /usr/local/etc/openvpn/keys/ca.key
> > cert /usr/local/etc/openvpn/keys/cert.key
> > key /usr/local/etc/openvpn/keys/key.key
> >
> > These contents are extracted from client.ovpn, and the
> "ca", "cert" and "key"
> > files were extracted from the same file.
> >
> > I kldload tun, but when I do ifconfig, it doesn't
> show anything related to
> > tun or tap.
> >
> > Also, when I do "openvpn
> /usr/local/etc/openvpn/openvpn.conf" the results
> > are this:
> >
> > Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6
> i386-portbld-freebsd7.2 [SSL] [LZO]
> > built on Jul 24 2009
> > Enter Auth Username:nico
> > Enter Auth Password:
> > Sat Jul 25 11:24:13 2009 WARNING: you are using
> user/group/chroot without
> > persist-key/persist-tun -- this may cause restarts to
> fail
> > Sat Jul 25 11:24:13 2009 WARNING: file
> > '/usr/local/etc/openvpn/keys/key.key' is group or
> others accessible
> > Sat Jul 25 11:24:13 2009 LZO compression initialized
> > Sat Jul 25 11:24:13 2009 Control Channel MTU parms [
> L:1544 D:140 EF:40
> > EB:0 ET:0 EL:0 ]
> > Sat Jul 25 11:24:13 2009 Data Channel MTU parms [
> L:1544 D:1450 EF:44
> > EB:135 ET:0 EL:0 AF:3/1 ]
> > Sat Jul 25 11:24:13 2009 Local Options hash (VER=V4):
> '69109d17'
> > Sat Jul 25 11:24:13 2009 Expected Remote Options hash
> (VER=V4): 'c0103fa8'
> > Sat Jul 25 11:24:13 2009 NOTE: UID/GID downgrade will
> be delayed because of
> > --client, --pull, or --up-delay
> > Sat Jul 25 11:24:13 2009 Attempting to establish TCP
> connection with
> > 200.80.219.194:443
> > Sat Jul 25 11:24:13 2009 TCP connection established
> with
> > 200.80.219.194:443
> > Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link local:
> [undef]
> > Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link remote:
> 200.80.219.194:443
> > Sat Jul 25 11:24:13 2009 Connection reset, restarting
> [0]
> > Sat Jul 25 11:24:13 2009 TCP/UDP: Closing socket
> > Sat Jul 25 11:24:13 2009
> SIGUSR1[soft,connection-reset] received, process
> > restarting
> > Sat Jul 25 11:24:13 2009 Restart pause, 5 second(s)
> >
> > In my /etc/rc.conf I have openvpn_if="tun", I don't
> load the tun nor tap
> > interface at boot, I just want to load it with
> kldload.
> >
> > uname -a:
> > FreeBSD inspiron.local 7.2-RELEASE FreeBSD 7.2-RELEASE
> #0: Fri May  1
> > 08:49:13 UTC 2009     
> > r...@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
> >  i386
> >
> > ifconfig:
> > ndis0:
> flags=8843
> metric 0 mtu 1500
> >        ether 00:23:4d:64:d6:7a
> >        inet 192.168.0.100 netmask
> 0xffffff00 broadcast 192.168.0.255
> >        media: IEEE 802.11 Wireless
> Ethernet autoselect
> >        status: associated
> >        ssid "" channel 1 (2412 Mhz
> 11b)
> >        authmode OPEN privacy OFF
> bmiss 7 scanvalid 60 roaming

Re: OpenVPN Client

2009-07-25 Thread Leonardo M. Ramé

Thanks, after adding if_tun_load="YES" to my /boot/loader.conf and rebooting, 
this message appears in dmesg:

can't re-use a leaf (if_tun_debug)!
module_register: module if_tun already exists!
Module if_tun failed to register: 17

So I think it is not required to add it to loader.conf.

I replaced tun by tun1 in openvpn.conf, and the result is this:

Sat Jul 25 15:09:46 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] 
built on Jul 24 2009
Enter Auth Username:nico
Enter Auth Password:
Sat Jul 25 15:09:48 2009 WARNING: file '/usr/local/etc/openvpn/keys/key.key' is 
group or others accessible
Sat Jul 25 15:09:48 2009 LZO compression initialized
Sat Jul 25 15:09:48 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 
ET:0 EL:0 ]
Sat Jul 25 15:09:48 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 
ET:0 EL:0 AF:3/1 ]
Sat Jul 25 15:09:48 2009 Local Options hash (VER=V4): '69109d17'
Sat Jul 25 15:09:48 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat Jul 25 15:09:48 2009 NOTE: UID/GID downgrade will be delayed because of 
--client, --pull, or --up-delay
Sat Jul 25 15:09:48 2009 Attempting to establish TCP connection with 
200.80.219.194:443
Sat Jul 25 15:09:48 2009 TCP connection established with 200.80.219.194:443
Sat Jul 25 15:09:48 2009 TCPv4_CLIENT link local: [undef]
Sat Jul 25 15:09:48 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
Sat Jul 25 15:09:49 2009 Connection reset, restarting [0]
Sat Jul 25 15:09:49 2009 TCP/UDP: Closing socket
Sat Jul 25 15:09:49 2009 SIGUSR1[soft,connection-reset] received, process 
restarting
Sat Jul 25 15:09:49 2009 Restart pause, 5 second(s)
Sat Jul 25 15:09:50 2009 SIGINT[hard,init_instance] received, process exiting

If I do ifconfig, the tun interface appears in the list:

ndis0: flags=8843 metric 0 mtu 1500
ether 00:23:4d:64:d6:7a
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet autoselect
status: associated
ssid "" channel 1 (2412 Mhz 11b)
authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
bintval 0
fwe0: flags=8802 metric 0 mtu 1500
options=8
ether 32:4f:c0:e1:55:e1
ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
lladdr 33.4f.c0.0.26.e1.55.e1.a.2.ff.fe.0.0.0.0
lo0: flags=8049 metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
inet6 ::1 prefixlen 128 
inet 127.0.0.1 netmask 0xff000000
tun1: flags=8010 metric 0 mtu 1500

Any hint?

--- On Sat, 7/25/09, chris scott  wrote:

> From: chris scott 
> Subject: Re: OpenVPN Client
> To: "Leonardo M. Ramé" 
> Cc: freebsd-questions@freebsd.org
> Date: Saturday, July 25, 2009, 1:56 PM
> 2009/7/25 Leonardo M. Ramé 
> 
> >
> > Hi, I'm trying to connect to an OpenVPN server in my
> office. To do this, I
> > installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL]
> [LZO]" from ports,
> > and looking at different tutorials I found it needs a
> config file in
> > /usr/local/etc/openvpn/openvpn.conf. The problem here,
> is that our server
> > provides a "client.ovpn" file containing all the
> connection params needed
> > by a client, in fact, we connect windows machines just
> by installing
> > "OpenVPN_Installer.exe", it configures a TAP device
> and a client that reads
> > the client.ovpn file.
> >
> > Now, in my FreeBSD 7.2 i386 machine, I did this:
> >
> > Created the /usr/local/etc/openvpn/openvpn.conf (the
> port doesn't create
> > it automatically) with this content:
> >
> > remote 200.80.219.194.static.techtelnet.net
> > client
> > proto tcp
> > port 443
> > dev tun
> > ns-cert-type server
> > auth-user-pass
> > auth-retry interact
> > comp-lzo
> > user nobody
> > group nobody
> > verb 3
> > ca /usr/local/etc/openvpn/keys/ca.key
> > cert /usr/local/etc/openvpn/keys/cert.key
> > key /usr/local/etc/openvpn/keys/key.key
> >
> > These contents are extracted from client.ovpn, and the
> "ca", "cert" and "key"
> > files were extracted from the same file.
> >
> > I kldload tun, but when I do ifconfig, it doesn't
> show anything related to
> > tun or tap.
> >
> > Also, when I do "openvpn
> /usr/local/etc/openvpn/openvpn.conf" the results
> > are this:
> >
> > Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6
> i386-portbld-freebsd7.2 [SSL] [LZO]
> > built on Jul 24 2009
> > Enter Auth Username:nico
> > Enter Auth Password:
> > Sat Jul 25 11:24:13 2009 WARNING: you are using
> user/group/chroot without
> > persist-key/persist-tun -- this may cause restarts to

Re: OpenVPN Client

2009-07-25 Thread chris scott
2009/7/25 Leonardo M. Ramé 

>
> Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I
> installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports,
> and looking at different tutorials I found it needs a config file in
> /usr/local/etc/openvpn/openvpn.conf. The problem here is that our server
> provides a "client.ovpn" file containing all the connection params needed
> by a client; in fact, we connect Windows machines just by installing
> "OpenVPN_Installer.exe", which configures a TAP device and a client that reads
> the client.ovpn file.
>
> Now, in my FreeBSD 7.2 i386 machine, I did this:
>
> I created /usr/local/etc/openvpn/openvpn.conf (the port doesn't create
> it automatically) with this content:
>
> remote 200.80.219.194.static.techtelnet.net
> client
> proto tcp
> port 443
> dev tun
> ns-cert-type server
> auth-user-pass
> auth-retry interact
> comp-lzo
> user nobody
> group nobody
> verb 3
> ca /usr/local/etc/openvpn/keys/ca.key
> cert /usr/local/etc/openvpn/keys/cert.key
> key /usr/local/etc/openvpn/keys/key.key
>
> These contents are extracted from client.ovpn, and the "ca", "cert" and "key"
> files were extracted from the same file.
>
> I kldload tun, but when I do ifconfig, it doesn't show anything related to
> tun or tap.
>
> Also, when I do "openvpn /usr/local/etc/openvpn/openvpn.conf" the results
> are this:
>
> Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]
> built on Jul 24 2009
> Enter Auth Username:nico
> Enter Auth Password:
> Sat Jul 25 11:24:13 2009 WARNING: you are using user/group/chroot without
> persist-key/persist-tun -- this may cause restarts to fail
> Sat Jul 25 11:24:13 2009 WARNING: file
> '/usr/local/etc/openvpn/keys/key.key' is group or others accessible
> Sat Jul 25 11:24:13 2009 LZO compression initialized
> Sat Jul 25 11:24:13 2009 Control Channel MTU parms [ L:1544 D:140 EF:40
> EB:0 ET:0 EL:0 ]
> Sat Jul 25 11:24:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44
> EB:135 ET:0 EL:0 AF:3/1 ]
> Sat Jul 25 11:24:13 2009 Local Options hash (VER=V4): '69109d17'
> Sat Jul 25 11:24:13 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
> Sat Jul 25 11:24:13 2009 NOTE: UID/GID downgrade will be delayed because of
> --client, --pull, or --up-delay
> Sat Jul 25 11:24:13 2009 Attempting to establish TCP connection with
> 200.80.219.194:443
> Sat Jul 25 11:24:13 2009 TCP connection established with
> 200.80.219.194:443
> Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link local: [undef]
> Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
> Sat Jul 25 11:24:13 2009 Connection reset, restarting [0]
> Sat Jul 25 11:24:13 2009 TCP/UDP: Closing socket
> Sat Jul 25 11:24:13 2009 SIGUSR1[soft,connection-reset] received, process
> restarting
> Sat Jul 25 11:24:13 2009 Restart pause, 5 second(s)
>
> In my /etc/rc.conf I have openvpn_if="tun", I don't load the tun nor tap
> interface at boot, I just want to load it with kldload.
>
> uname -a:
> FreeBSD inspiron.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1
> 08:49:13 UTC 2009 r...@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
>  i386
>
> ifconfig:
> ndis0: flags=8843 metric 0 mtu 1500
>ether 00:23:4d:64:d6:7a
>inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
>media: IEEE 802.11 Wireless Ethernet autoselect
>status: associated
>ssid "" channel 1 (2412 Mhz 11b)
>authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
>bintval 0
> fwe0: flags=8802 metric 0 mtu 1500
>options=8
>ether 32:4f:c0:e1:55:e1
>ch 1 dma -1
> fwip0: flags=8802 metric 0 mtu 1500
>lladdr 33.4f.c0.0.26.e1.55.e1.a.2.ff.fe.0.0.0.0
> lo0: flags=8049 metric 0 mtu 16384
>inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>inet6 ::1 prefixlen 128
>inet 127.0.0.1 netmask 0xff000000
>
> Thanks in advance,
> Leonardo M. Ramé
>
>
>


Make sure you have the tap kernel module loaded:

kldload /boot/kernel/if_tap.ko

To make sure it's there after boot, add
if_tap_load="yes"
to your /boot/loader.conf.

When I used openvpn I also added

cloned_interfaces="tun1"

to my rc.conf, then reinitialized the network stack by running
/etc/netstart


I also set the openvpn client to explicitly use tun1.


Re: OpenVPN Client

2009-07-25 Thread Bill Campbell
On Sat, Jul 25, 2009, Leonardo M. Ramé wrote:
>

>Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I
>installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports,
>and looking at different tutorials I found it needs a config file in
>/usr/local/etc/openvpn/openvpn.conf. The problem here is that our server
>provides a "client.ovpn" file containing all the connection params needed
>by a client; in fact, we connect Windows machines just by installing
>"OpenVPN_Installer.exe", which configures a TAP device and a client that reads
>the client.ovpn file.

You can probably just ``mv client.ovpn client.conf'' and use that
(along with the other files provided with keys, etc.).  The
Tunnelblick OpenVPN client I use on my Macs recognizes either.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

Freedom from prices is freedom from responsibility. You can simply pass
laws, using the magic wand of government to satisfy your own desires at
unspecified costs to be paid by others. -- Thomas Sowell Aug 2000


OpenVPN Client

2009-07-25 Thread Leonardo M. Ramé

Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I 
installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports, and 
looking at different tutorials I found it needs a config file in 
/usr/local/etc/openvpn/openvpn.conf. The problem here is that our server 
provides a "client.ovpn" file containing all the connection params needed by a 
client; in fact, we connect Windows machines just by installing 
"OpenVPN_Installer.exe", which configures a TAP device and a client that reads the 
client.ovpn file.

Now, in my FreeBSD 7.2 i386 machine, I did this:

I created /usr/local/etc/openvpn/openvpn.conf (the port doesn't create it 
automatically) with this content:

remote 200.80.219.194.static.techtelnet.net
client
proto tcp 
port 443
dev tun 
ns-cert-type server
auth-user-pass
auth-retry interact
comp-lzo
user nobody
group nobody
verb 3
ca /usr/local/etc/openvpn/keys/ca.key
cert /usr/local/etc/openvpn/keys/cert.key
key /usr/local/etc/openvpn/keys/key.key

These contents are extracted from client.ovpn, and the "ca", "cert" and "key" files 
were extracted from the same file.

I kldload tun, but when I do ifconfig, it doesn't show anything related to tun 
or tap.

Also, when I do "openvpn /usr/local/etc/openvpn/openvpn.conf" the results are 
this:

Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] 
built on Jul 24 2009
Enter Auth Username:nico
Enter Auth Password:
Sat Jul 25 11:24:13 2009 WARNING: you are using user/group/chroot without 
persist-key/persist-tun -- this may cause restarts to fail
Sat Jul 25 11:24:13 2009 WARNING: file '/usr/local/etc/openvpn/keys/key.key' is 
group or others accessible
Sat Jul 25 11:24:13 2009 LZO compression initialized
Sat Jul 25 11:24:13 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 
ET:0 EL:0 ]
Sat Jul 25 11:24:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 
ET:0 EL:0 AF:3/1 ]
Sat Jul 25 11:24:13 2009 Local Options hash (VER=V4): '69109d17'
Sat Jul 25 11:24:13 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat Jul 25 11:24:13 2009 NOTE: UID/GID downgrade will be delayed because of 
--client, --pull, or --up-delay
Sat Jul 25 11:24:13 2009 Attempting to establish TCP connection with 
200.80.219.194:443
Sat Jul 25 11:24:13 2009 TCP connection established with 200.80.219.194:443
Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link local: [undef]
Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
Sat Jul 25 11:24:13 2009 Connection reset, restarting [0]
Sat Jul 25 11:24:13 2009 TCP/UDP: Closing socket
Sat Jul 25 11:24:13 2009 SIGUSR1[soft,connection-reset] received, process 
restarting
Sat Jul 25 11:24:13 2009 Restart pause, 5 second(s)

In my /etc/rc.conf I have openvpn_if="tun", I don't load the tun nor tap 
interface at boot, I just want to load it with kldload.

uname -a:
FreeBSD inspiron.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 08:49:13 
UTC 2009 r...@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

ifconfig:
ndis0: flags=8843 metric 0 mtu 1500
ether 00:23:4d:64:d6:7a
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet autoselect
status: associated
ssid "" channel 1 (2412 Mhz 11b)
authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
bintval 0
fwe0: flags=8802 metric 0 mtu 1500
options=8
ether 32:4f:c0:e1:55:e1
ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
lladdr 33.4f.c0.0.26.e1.55.e1.a.2.ff.fe.0.0.0.0
lo0: flags=8049 metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
inet6 ::1 prefixlen 128 
inet 127.0.0.1 netmask 0xff000000

Thanks in advance,
Leonardo M. Ramé


