Re: openvpn client on pf gateway
On 4 November 2010 10:15, Samuel Martín Moro wrote:
> Hi,
>
> I'm using a FreeBSD-8.1 (RELEASE, amd64) as gateway for my local network.
> And pf as firewall.
>
> I'm renting a dedicated box, running openvpn.
> My gateway is configured as a client of this VPN.
> I modified my pf.conf to provide internet to my local network.
> I configured iptables on the VPN server (debian-5) to accept everything, and
> redirect what I needed to.
>
> Everything seems to work... except...
>
> How can I redirect a port through the VPN?
> I mean...
> The problem does not seem to come from the VPN server, as I can access my
> local gateway from an external server, through the iptables redirection.
> But, when I try to access a host behind that gateway, it won't connect...
>
> Here's the pf.conf:
>
> ext_if="bge0"
> int_if="bge1"
> vpn_if="tun0"
>
> lc = $int_if:network
> vpn="10.253.254.1"
> emma="10.242.42.200"
> alpha="10.42.42.42"
> delta="10.42.42.44"
> xi="10.42.142.44"
>
> set skip on lo0
> scrub in on $ext_if all fragment reassemble
> scrub in on $vpn_if all fragment reassemble
>
> # INTERNETZ
> # LAN traffic is source-NATed on both the public and the VPN interface
> nat on $ext_if from $lc to any -> ($ext_if)
> nat on $vpn_if from $lc to any -> ($vpn_if)
>
> # port forwards, each one duplicated for the VPN interface
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1666 -> $alpha port 1666
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1667 -> $delta port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1668 -> $alpha port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1669 -> $xi port 22
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1669 -> $xi port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 9418 -> $xi port 9418
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 9418 -> $xi port 9418
>
> # filter rules
> pass in on $ext_if inet proto tcp from any to $ext_if port 1664
> pass in on $vpn_if inet proto tcp from any to $vpn_if port 1664
> pass in on $int_if inet proto tcp from any to any
> pass in on $int_if inet proto udp from any to any
> block in log on $ext_if inet proto icmp from any to $ext_if
> block in log on $vpn_if inet proto icmp from any to $vpn_if
>
> Every rule for $ext_if is working as expected,
> so I copied them, replacing my external interface by the VPN one.
> ssh from internet to the gateway (1664) works,
> but accessing a ssh server behind the gateway (say alpha, 1668) does not...
>
> What am I doing wrong?
>
> Regards,
>
> --
> Samuel Martín Moro
> {EPITECH.} tek5
> CamTrace S.A.S
> (+033) 1 41 38 37 60
> 1 Allée de la Venelle
> 92150 Suresnes
> FRANCE
>
> "Nobody wants to say how this works.
> Maybe nobody knows ..."
> Xorg.conf(5)
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

I'm not sure if I understand you correctly, but are you trying to forward ports from your colo rented machine to boxes on your LAN via the openvpn connection?

If you are, and this is where the problem is, you probably need to be natting on the colo box's vpn interface (tun0). So you will need some iptables config. Doing this avoids the asymmetric routing and natting issue you will be getting.

Basically, if a packet enters your colo box (dst ip A) from client (B), your colo box will forward it down the tunnel to host C on a private ip. This will respond, and create a packet to go to B. However, this packet will have a public ip as a destination, so when it hits your pf firewall it will probably get routed out of the default route, and not the vpn interface. As it's not a tcp syn it will most probably be dropped by pf. However, if it isn't, it will be natted to the public ip of your pf box. This is a problem as this source address isn't the same as the destination address of the initial packet generated by the client B. Therefore when it actually gets to the client it will just be dropped.

Natting on the colo box's vpn interface sorts all this out for you.
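The return path the message above describes, as an added toy model (not code from the thread): it follows only the reasoning given there, that packets are routed by destination and a reply must come back from the address the client sent to. alpha (10.42.42.42) and the colo tun0 address (10.253.254.1, the "vpn" macro in Samuel's pf.conf) are from the thread; the public addresses, the LAN /24 and the client port are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

CLIENT_B = "203.0.113.10"   # external client B (constructed)
COLO_A = "198.51.100.5"     # colo box public address A (constructed)
COLO_TUN0 = "10.253.254.1"  # colo end of the tunnel ("vpn" in the pf.conf)
GW_PUBLIC = "192.0.2.7"     # pf gateway's bge0 address (constructed)
ALPHA_C = "10.42.42.42"     # ssh host C behind the pf gateway (from the pf.conf)

LAN = ipaddress.ip_network("10.42.42.0/24")       # $int_if:network, assumed /24
VPN_NET = ipaddress.ip_network("10.253.254.0/24")  # tunnel subnet, assumed /24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def gateway_egress(dst: str) -> str:
    """Routing decision on the pf gateway: only the LAN and the tunnel subnet
    have specific routes; any other destination, public addresses included,
    takes the default route out of bge0."""
    ip = ipaddress.ip_address(dst)
    if ip in LAN:
        return "bge1"
    if ip in VPN_NET:
        return "tun0"
    return "bge0"


def colo_forward(pkt: Packet, snat_on_tun0: bool) -> Packet:
    """The colo box redirects A:1668 to alpha:22 and sends it down the tunnel
    (the iptables redirection Samuel mentions). With snat_on_tun0 it also
    rewrites the source to its own tun0 address, which is what the message
    above recommends (an iptables source NAT on tun0, not shown in the thread)."""
    out = replace(pkt, dst=ALPHA_C, dport=22)
    if snat_on_tun0:
        out = replace(out, src=COLO_TUN0)
    return out


def round_trip(snat_on_tun0: bool) -> dict:
    """Follow one SYN from client B to A:1668 and alpha's answer back,
    and report which interface the answer leaves the pf gateway on and
    which source address the client ends up seeing."""
    syn = Packet(CLIENT_B, COLO_A, 40000, 1668)
    to_alpha = colo_forward(syn, snat_on_tun0)
    # alpha answers whichever source address the forwarded packet carried
    answer = Packet(ALPHA_C, to_alpha.src, 22, to_alpha.sport)
    egress = gateway_egress(answer.dst)
    if egress == "bge0":
        # Default route: per the message above the packet is either dropped by
        # pf or leaves NATed to the pf box's public address, which is not the
        # address the client connected to.
        seen_src = GW_PUBLIC
    else:
        # Back through the tunnel: the colo box undoes both of its rewrites,
        # so the client sees the answer coming from A.
        seen_src = COLO_A
    return {
        "reply_egress": egress,
        "reply_src_seen_by_client": seen_src,
        "client_accepts": seen_src == syn.dst,
    }
```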
openvpn client on pf gateway
Hi,

I'm using a FreeBSD-8.1 (RELEASE, amd64) as gateway for my local network.
And pf as firewall.

I'm renting a dedicated box, running openvpn.
My gateway is configured as a client of this VPN.
I modified my pf.conf to provide internet to my local network.
I configured iptables on the VPN server (debian-5) to accept everything, and
redirect what I needed to.

Everything seems to work... except...

How can I redirect a port through the VPN?
I mean...
The problem does not seem to come from the VPN server, as I can access my
local gateway from an external server, through the iptables redirection.
But, when I try to access a host behind that gateway, it won't connect...

Here's the pf.conf:

ext_if="bge0"
int_if="bge1"
vpn_if="tun0"

lc = $int_if:network
vpn="10.253.254.1"
emma="10.242.42.200"
alpha="10.42.42.42"
delta="10.42.42.44"
xi="10.42.142.44"

set skip on lo0
scrub in on $ext_if all fragment reassemble
scrub in on $vpn_if all fragment reassemble

# INTERNETZ
# LAN traffic is source-NATed on both the public and the VPN interface
nat on $ext_if from $lc to any -> ($ext_if)
nat on $vpn_if from $lc to any -> ($vpn_if)

# port forwards, each one duplicated for the VPN interface
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1666 -> $alpha port 1666
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1667 -> $delta port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1668 -> $alpha port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1669 -> $xi port 22
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1669 -> $xi port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 9418 -> $xi port 9418
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 9418 -> $xi port 9418

# filter rules
pass in on $ext_if inet proto tcp from any to $ext_if port 1664
pass in on $vpn_if inet proto tcp from any to $vpn_if port 1664
pass in on $int_if inet proto tcp from any to any
pass in on $int_if inet proto udp from any to any
block in log on $ext_if inet proto icmp from any to $ext_if
block in log on $vpn_if inet proto icmp from any to $vpn_if

Every rule for $ext_if is working as expected,
so I copied them, replacing my external interface by the VPN one.
ssh from internet to the gateway (1664) works,
but accessing a ssh server behind the gateway (say alpha, 1668) does not...

What am I doing wrong?

Regards,

--
Samuel Martín Moro
{EPITECH.} tek5
CamTrace S.A.S
(+033) 1 41 38 37 60
1 Allée de la Venelle
92150 Suresnes
FRANCE

"Nobody wants to say how this works.
Maybe nobody knows ..."
Xorg.conf(5)
Re: OpenVPN Client
Thanks Drew! I'll change my home network to test this.

Leonardo.

--- On Sun, 7/26/09, Drew Tomlinson wrote:

> From: Drew Tomlinson
> Subject: Re: OpenVPN Client
> To: "Leonardo M. Ramé"
> Cc: freebsd-questions@freebsd.org
> Date: Sunday, July 26, 2009, 9:01 PM
> Leonardo M. Ramé wrote:
> > Well, I opted for deinstalling openvpn and installing openvpn-devel (2.1). Now it reads my client.ovpn file, and it seems to be going a little step further; now it seems to be a problem with route add.
>
> It's not really a problem with 'route add'. The problem is that a route for 192.168.0.0 already exists.
>
> > I have to mention that the client machine is connected to a router using DHCP in the network 192.168.0.xxx. Can this be the problem?
>
> Yes.
>
> > This is the new log:
> >
> > Sat Jul 25 16:20:10 2009 OpenVPN 2.1_rc18 i386-portbld-freebsd7.2 [SSL] [LZO2] [PKCS11] built on Jul 25 2009
> > Sat Jul 25 16:20:13 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> > Sat Jul 25 16:20:13 2009 Control Channel Authentication: tls-auth using INLINE static key file
> > Sat Jul 25 16:20:13 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> > Sat Jul 25 16:20:13 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> > Sat Jul 25 16:20:13 2009 LZO compression initialized
> > Sat Jul 25 16:20:13 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
> > Sat Jul 25 16:20:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
> > Sat Jul 25 16:20:13 2009 Local Options hash (VER=V4): 'ee93268d'
> > Sat Jul 25 16:20:13 2009 Expected Remote Options hash (VER=V4): 'bd577cd1'
> > Sat Jul 25 16:20:13 2009 Attempting to establish TCP connection with 200.80.219.194:443 [nonblock]
> > Sat Jul 25 16:20:14 2009 TCP connection established with 200.80.219.194:443
> > Sat Jul 25 16:20:14 2009 Socket Buffers: R=[66608->65536] S=[33304->65536]
> > Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link local: [undef]
> > Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
> > Sat Jul 25 16:20:14 2009 TLS: Initial packet from 200.80.219.194:443, sid=f4722bb3 aafe8f23
> > Sat Jul 25 16:20:14 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> > Sat Jul 25 16:20:15 2009 VERIFY OK: depth=1, /CN=OpenVPN_CA
> > Sat Jul 25 16:20:15 2009 VERIFY OK: nsCertType=SERVER
> > Sat Jul 25 16:20:15 2009 VERIFY OK: depth=0, /CN=OpenVPN_Server
> > Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> > Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> > Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> > Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> > Sat Jul 25 16:20:15 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> > Sat Jul 25 16:20:15 2009 [OpenVPN_Server] Peer Connection Initiated with 200.80.219.194:443
> > Sat Jul 25 16:20:16 2009 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
> > Sat Jul 25 16:20:16 2009 PUSH: Received control message: 'PUSH_REPLY,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,redirect-private local,redirect-private bypass-dhcp,redirect-private bypass-dns,route-metric 101,route 192.168.0.0 255.255.255.0,route-gateway 172.16.0.1,topology subnet,ping 8,ping-restart 90,socket-flags TCP_NODELAY,ifconfig 172.16.0.2 255.255.0.0'
> > Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: dhcp-pre-release (2.1_rc18)
> > Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: dhcp-renew (2.1_rc18)
> > Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-release (2.1_rc18)
> > Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: timers and/or timeouts modified
> > Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: --socket-flags option modified
> > Sat Jul 25 16:20:16 2009 NOTE: setsockopt TCP_NODELAY=1 f
Re: OpenVPN Client
Leonardo M. Ramé wrote:
> Well, I opted for deinstalling openvpn and installing openvpn-devel (2.1). Now
> it reads my client.ovpn file, and it seems to be going a little step further;
> now it seems to be a problem with route add.

It's not really a problem with 'route add'. The problem is that a route for 192.168.0.0 already exists.

> I have to mention that the client machine is connected to a router using DHCP
> in the network 192.168.0.xxx. Can this be the problem?

Yes.

> This is the new log:
>
> Sat Jul 25 16:20:10 2009 OpenVPN 2.1_rc18 i386-portbld-freebsd7.2 [SSL] [LZO2] [PKCS11] built on Jul 25 2009
> Sat Jul 25 16:20:13 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Sat Jul 25 16:20:13 2009 Control Channel Authentication: tls-auth using INLINE static key file
> Sat Jul 25 16:20:13 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:13 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:13 2009 LZO compression initialized
> Sat Jul 25 16:20:13 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
> Sat Jul 25 16:20:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
> Sat Jul 25 16:20:13 2009 Local Options hash (VER=V4): 'ee93268d'
> Sat Jul 25 16:20:13 2009 Expected Remote Options hash (VER=V4): 'bd577cd1'
> Sat Jul 25 16:20:13 2009 Attempting to establish TCP connection with 200.80.219.194:443 [nonblock]
> Sat Jul 25 16:20:14 2009 TCP connection established with 200.80.219.194:443
> Sat Jul 25 16:20:14 2009 Socket Buffers: R=[66608->65536] S=[33304->65536]
> Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link local: [undef]
> Sat Jul 25 16:20:14 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
> Sat Jul 25 16:20:14 2009 TLS: Initial packet from 200.80.219.194:443, sid=f4722bb3 aafe8f23
> Sat Jul 25 16:20:14 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> Sat Jul 25 16:20:15 2009 VERIFY OK: depth=1, /CN=OpenVPN_CA
> Sat Jul 25 16:20:15 2009 VERIFY OK: nsCertType=SERVER
> Sat Jul 25 16:20:15 2009 VERIFY OK: depth=0, /CN=OpenVPN_Server
> Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sat Jul 25 16:20:15 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sat Jul 25 16:20:15 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sat Jul 25 16:20:15 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> Sat Jul 25 16:20:15 2009 [OpenVPN_Server] Peer Connection Initiated with 200.80.219.194:443
> Sat Jul 25 16:20:16 2009 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
> Sat Jul 25 16:20:16 2009 PUSH: Received control message: 'PUSH_REPLY,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,redirect-private local,redirect-private bypass-dhcp,redirect-private bypass-dns,route-metric 101,route 192.168.0.0 255.255.255.0,route-gateway 172.16.0.1,topology subnet,ping 8,ping-restart 90,socket-flags TCP_NODELAY,ifconfig 172.16.0.2 255.255.0.0'
> Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: dhcp-pre-release (2.1_rc18)
> Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: dhcp-renew (2.1_rc18)
> Sat Jul 25 16:20:16 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-release (2.1_rc18)
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: timers and/or timeouts modified
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: --socket-flags option modified
> Sat Jul 25 16:20:16 2009 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: --ifconfig/up options modified
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: route options modified
> Sat Jul 25 16:20:16 2009 OPTIONS IMPORT: route-related options modified
> Sat Jul 25 16:20:16 2009 ROUTE default_gateway=192.168.0.1
> Sat Jul 25 16:20:16 2009 TUN/TAP device /dev/tun0 opened
> Sat Jul 25 16:20:16 2009 /sbin/ifconfig tun0 172.16.0.2 172.16.0.2 netmask 255.255.0.0 mtu 1500 up
> Sat Jul 25 16:20:16 2009 /sbin/route add -net 172.16.0.0 172.16.0.2 255.255.0.0
> add net 172.16.0.0: gateway 172.16.0.2
> Sat Jul 25 16:20:21 2009 WARNING: potential route subnet conflict between local LAN [192.168.0.0/255.255.255.0] and remote VPN [192.168.0.0/255.255.255.0]

You can't use the same address space for multiple networks. In other words, you can't use 192.168.0.0/24 for both the VPN and your internal network unless you are bridging the two (i.e., making it one
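A small checker for the subnet conflict Drew describes, added here (it is not OpenVPN's code and not from the thread): it parses the PUSH_REPLY option string from the log above and reports any pushed route or tunnel subnet that overlaps a local network, which is what the "potential route subnet conflict" warning detects. The local network is ndis0's 192.168.0.100 with the /24 that the log's warning states.

```python
import ipaddress

# The option string the server pushed, copied from the PUSH_REPLY log line above.
PUSH_REPLY = (
    "PUSH_REPLY,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,"
    "redirect-private local,redirect-private bypass-dhcp,"
    "redirect-private bypass-dns,route-metric 101,"
    "route 192.168.0.0 255.255.255.0,route-gateway 172.16.0.1,"
    "topology subnet,ping 8,ping-restart 90,socket-flags TCP_NODELAY,"
    "ifconfig 172.16.0.2 255.255.0.0"
)

# Local interface addresses of the client: ndis0 from Leonardo's ifconfig,
# with the /24 netmask stated in the log's warning.
LOCAL_NETS = {"ndis0": "192.168.0.100/255.255.255.0"}


def pushed_networks(push_reply: str) -> dict:
    """Return {label: network} for every 'route' option and the 'ifconfig'
    option in a PUSH_REPLY string. Options are comma separated; 'route' carries
    a network and a dotted netmask, 'ifconfig' the tunnel address and netmask.
    Other options (route-delay, route-gateway, route-metric, ...) are skipped."""
    nets = {}
    for option in push_reply.split(","):
        words = option.split()
        if not words:
            continue
        if words[0] == "route" and len(words) >= 3:
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            nets[f"route {words[1]}"] = net
        elif words[0] == "ifconfig" and len(words) == 3:
            nets["ifconfig"] = ipaddress.ip_network(
                f"{words[1]}/{words[2]}", strict=False
            )
    return nets


def route_conflicts(push_reply: str, local: dict) -> list:
    """List (local interface, pushed option label) pairs whose subnets overlap.
    An overlap means the kernel already has a route covering the pushed subnet,
    which is the situation behind Leonardo's 'route add' symptom: the VPN route
    for 192.168.0.0/24 collides with the route for his own LAN."""
    conflicts = []
    pushed = pushed_networks(push_reply)
    for iface, cidr in local.items():
        local_net = ipaddress.ip_network(cidr, strict=False)
        for label, pushed_net in pushed.items():
            if local_net.overlaps(pushed_net):
                conflicts.append((iface, label))
    return conflicts
```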
Re: OpenVPN Client
nt_wait : Interrupted system call (code=4)
Sat Jul 25 16:20:30 2009 TCP/UDP: Closing socket
Sat Jul 25 16:20:30 2009 Closing TUN/TAP interface
Sat Jul 25 16:20:30 2009 SIGINT[hard,] received, process exiting

Leonardo M. Ramé
http://leonardorame.blogspot.com

--- On Sat, 7/25/09, chris scott wrote:

> From: chris scott
> Subject: Re: OpenVPN Client
> To: "Leonardo M. Ramé"
> Cc: freebsd-questions@freebsd.org
> Date: Saturday, July 25, 2009, 1:56 PM
> 2009/7/25 Leonardo M. Ramé
>
> > Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I
> > installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports,
> > and looking at different tutorials I found it needs a config file in
> > /usr/local/etc/openvpn/openvpn.conf. The problem here is that our server
> > provides a "client.ovpn" file containing all the connection params needed
> > by a client; in fact, we connect windows machines just by installing
> > "OpenVPN_Installer.exe", which configures a TAP device and a client that reads
> > the client.ovpn file.
> >
> > Now, in my FreeBSD 7.2 i386 machine, I did this:
> >
> > Created the /usr/local/etc/openvpn/openvpn.conf (the port doesn't create
> > it automatically) with this content:
> >
> > remote 200.80.219.194.static.techtelnet.net
> > client
> > proto tcp
> > port 443
> > dev tun
> > ns-cert-type server
> > auth-user-pass
> > auth-retry interact
> > comp-lzo
> > user nobody
> > group nobody
> > verb 3
> > ca /usr/local/etc/openvpn/keys/ca.key
> > cert /usr/local/etc/openvpn/keys/cert.key
> > key /usr/local/etc/openvpn/keys/key.key
> >
> > These contents are extracted from client.ovpn, and the "ca", "cert" and "key"
> > files were extracted from the same file.
> >
> > I kldload tun, but when I do ifconfig, it doesn't show anything related to
> > tun or tap.
> >
> > Also, when I do "openvpn /usr/local/etc/openvpn/openvpn.conf" the results
> > are this:
> >
> > Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Jul 24 2009
> > Enter Auth Username:nico
> > Enter Auth Password:
> > Sat Jul 25 11:24:13 2009 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
> > Sat Jul 25 11:24:13 2009 WARNING: file '/usr/local/etc/openvpn/keys/key.key' is group or others accessible
> > Sat Jul 25 11:24:13 2009 LZO compression initialized
> > Sat Jul 25 11:24:13 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
> > Sat Jul 25 11:24:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
> > Sat Jul 25 11:24:13 2009 Local Options hash (VER=V4): '69109d17'
> > Sat Jul 25 11:24:13 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
> > Sat Jul 25 11:24:13 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> > Sat Jul 25 11:24:13 2009 Attempting to establish TCP connection with 200.80.219.194:443
> > Sat Jul 25 11:24:13 2009 TCP connection established with 200.80.219.194:443
> > Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link local: [undef]
> > Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
> > Sat Jul 25 11:24:13 2009 Connection reset, restarting [0]
> > Sat Jul 25 11:24:13 2009 TCP/UDP: Closing socket
> > Sat Jul 25 11:24:13 2009 SIGUSR1[soft,connection-reset] received, process restarting
> > Sat Jul 25 11:24:13 2009 Restart pause, 5 second(s)
> >
> > In my /etc/rc.conf I have openvpn_if="tun", I don't load the tun nor tap
> > interface at boot, I just want to load it with kldload.
> >
> > uname -a:
> > FreeBSD inspiron.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 08:49:13 UTC 2009 r...@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> >
> > ifconfig:
> > ndis0: flags=8843 metric 0 mtu 1500
> >         ether 00:23:4d:64:d6:7a
> >         inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
> >         media: IEEE 802.11 Wireless Ethernet autoselect
> >         status: associated
> >         ssid "" channel 1 (2412 Mhz 11b)
> >         authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming
Re: OpenVPN Client
Thanks, after adding if_tun_load="YES" to my /boot/loader.conf and rebooting, this message appears in dmesg:

can't re-use a leaf (if_tun_debug)!
module_register: module if_tun already exists!
Module if_tun failed to register: 17

So I think it is not required to add it to loader.conf.

I replaced tun by tun1 in openvpn.conf, and the result is this:

Sat Jul 25 15:09:46 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Jul 24 2009
Enter Auth Username:nico
Enter Auth Password:
Sat Jul 25 15:09:48 2009 WARNING: file '/usr/local/etc/openvpn/keys/key.key' is group or others accessible
Sat Jul 25 15:09:48 2009 LZO compression initialized
Sat Jul 25 15:09:48 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jul 25 15:09:48 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 25 15:09:48 2009 Local Options hash (VER=V4): '69109d17'
Sat Jul 25 15:09:48 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat Jul 25 15:09:48 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jul 25 15:09:48 2009 Attempting to establish TCP connection with 200.80.219.194:443
Sat Jul 25 15:09:48 2009 TCP connection established with 200.80.219.194:443
Sat Jul 25 15:09:48 2009 TCPv4_CLIENT link local: [undef]
Sat Jul 25 15:09:48 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
Sat Jul 25 15:09:49 2009 Connection reset, restarting [0]
Sat Jul 25 15:09:49 2009 TCP/UDP: Closing socket
Sat Jul 25 15:09:49 2009 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jul 25 15:09:49 2009 Restart pause, 5 second(s)
Sat Jul 25 15:09:50 2009 SIGINT[hard,init_instance] received, process exiting

If I do ifconfig, the tun interface appears in the list:

ndis0: flags=8843 metric 0 mtu 1500
        ether 00:23:4d:64:d6:7a
        inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
        media: IEEE 802.11 Wireless Ethernet autoselect
        status: associated
        ssid "" channel 1 (2412 Mhz 11b)
        authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
        bintval 0
fwe0: flags=8802 metric 0 mtu 1500
        options=8
        ether 32:4f:c0:e1:55:e1
        ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
        lladdr 33.4f.c0.0.26.e1.55.e1.a.2.ff.fe.0.0.0.0
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
tun1: flags=8010 metric 0 mtu 1500

Any hint?

--- On Sat, 7/25/09, chris scott wrote:

> From: chris scott
> Subject: Re: OpenVPN Client
> To: "Leonardo M. Ramé"
> Cc: freebsd-questions@freebsd.org
> Date: Saturday, July 25, 2009, 1:56 PM
> 2009/7/25 Leonardo M. Ramé
>
> > Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I
> > installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports,
> > and looking at different tutorials I found it needs a config file in
> > /usr/local/etc/openvpn/openvpn.conf. The problem here is that our server
> > provides a "client.ovpn" file containing all the connection params needed
> > by a client; in fact, we connect windows machines just by installing
> > "OpenVPN_Installer.exe", which configures a TAP device and a client that reads
> > the client.ovpn file.
> >
> > Now, in my FreeBSD 7.2 i386 machine, I did this:
> >
> > Created the /usr/local/etc/openvpn/openvpn.conf (the port doesn't create
> > it automatically) with this content:
> >
> > remote 200.80.219.194.static.techtelnet.net
> > client
> > proto tcp
> > port 443
> > dev tun
> > ns-cert-type server
> > auth-user-pass
> > auth-retry interact
> > comp-lzo
> > user nobody
> > group nobody
> > verb 3
> > ca /usr/local/etc/openvpn/keys/ca.key
> > cert /usr/local/etc/openvpn/keys/cert.key
> > key /usr/local/etc/openvpn/keys/key.key
> >
> > These contents are extracted from client.ovpn, and the "ca", "cert" and "key"
> > files were extracted from the same file.
> >
> > I kldload tun, but when I do ifconfig, it doesn't show anything related to
> > tun or tap.
> >
> > Also, when I do "openvpn /usr/local/etc/openvpn/openvpn.conf" the results
> > are this:
> >
> > Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Jul 24 2009
> > Enter Auth Username:nico
> > Enter Auth Password:
> > Sat Jul 25 11:24:13 2009 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to
Re: OpenVPN Client
2009/7/25 Leonardo M. Ramé

> Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I
> installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports,
> and looking at different tutorials I found it needs a config file in
> /usr/local/etc/openvpn/openvpn.conf. The problem here is that our server
> provides a "client.ovpn" file containing all the connection params needed
> by a client; in fact, we connect windows machines just by installing
> "OpenVPN_Installer.exe", which configures a TAP device and a client that reads
> the client.ovpn file.
>
> Now, in my FreeBSD 7.2 i386 machine, I did this:
>
> Created the /usr/local/etc/openvpn/openvpn.conf (the port doesn't create
> it automatically) with this content:
>
> remote 200.80.219.194.static.techtelnet.net
> client
> proto tcp
> port 443
> dev tun
> ns-cert-type server
> auth-user-pass
> auth-retry interact
> comp-lzo
> user nobody
> group nobody
> verb 3
> ca /usr/local/etc/openvpn/keys/ca.key
> cert /usr/local/etc/openvpn/keys/cert.key
> key /usr/local/etc/openvpn/keys/key.key
>
> These contents are extracted from client.ovpn, and the "ca", "cert" and "key"
> files were extracted from the same file.
>
> I kldload tun, but when I do ifconfig, it doesn't show anything related to
> tun or tap.
>
> Also, when I do "openvpn /usr/local/etc/openvpn/openvpn.conf" the results
> are this:
>
> Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Jul 24 2009
> Enter Auth Username:nico
> Enter Auth Password:
> Sat Jul 25 11:24:13 2009 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
> Sat Jul 25 11:24:13 2009 WARNING: file '/usr/local/etc/openvpn/keys/key.key' is group or others accessible
> Sat Jul 25 11:24:13 2009 LZO compression initialized
> Sat Jul 25 11:24:13 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
> Sat Jul 25 11:24:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
> Sat Jul 25 11:24:13 2009 Local Options hash (VER=V4): '69109d17'
> Sat Jul 25 11:24:13 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
> Sat Jul 25 11:24:13 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> Sat Jul 25 11:24:13 2009 Attempting to establish TCP connection with 200.80.219.194:443
> Sat Jul 25 11:24:13 2009 TCP connection established with 200.80.219.194:443
> Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link local: [undef]
> Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
> Sat Jul 25 11:24:13 2009 Connection reset, restarting [0]
> Sat Jul 25 11:24:13 2009 TCP/UDP: Closing socket
> Sat Jul 25 11:24:13 2009 SIGUSR1[soft,connection-reset] received, process restarting
> Sat Jul 25 11:24:13 2009 Restart pause, 5 second(s)
>
> In my /etc/rc.conf I have openvpn_if="tun", I don't load the tun nor tap
> interface at boot, I just want to load it with kldload.
>
> uname -a:
> FreeBSD inspiron.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 08:49:13 UTC 2009 r...@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
> ifconfig:
> ndis0: flags=8843 metric 0 mtu 1500
>         ether 00:23:4d:64:d6:7a
>         inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
>         media: IEEE 802.11 Wireless Ethernet autoselect
>         status: associated
>         ssid "" channel 1 (2412 Mhz 11b)
>         authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
>         bintval 0
> fwe0: flags=8802 metric 0 mtu 1500
>         options=8
>         ether 32:4f:c0:e1:55:e1
>         ch 1 dma -1
> fwip0: flags=8802 metric 0 mtu 1500
>         lladdr 33.4f.c0.0.26.e1.55.e1.a.2.ff.fe.0.0.0.0
> lo0: flags=8049 metric 0 mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff00
>
> Thanks in advance,
> Leonardo M. Ramé

Make sure you have the tap kernel module loaded:

kldload /boot/kernel/if_tap.ko

To make sure it's there after boot, add if_tap_load="yes" to your /boot/loader.conf.

When I used openvpn I also added cloned_interfaces="tun1" to my rc.conf, then reinitialized the network stack by running /etc/netstart.

I also set the OpenVPN client to explicitly use tun1.
Re: OpenVPN Client
On Sat, Jul 25, 2009, Leonardo M. Ramé wrote:
>
> Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I
> installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports,
> and looking at different tutorials I found it needs a config file in
> /usr/local/etc/openvpn/openvpn.conf. The problem here is that our server
> provides a "client.ovpn" file containing all the connection params needed
> by a client; in fact, we connect windows machines just by installing
> "OpenVPN_Installer.exe", which configures a TAP device and a client that reads
> the client.ovpn file.

You can probably just ``mv client.ovpn client.conf'' and use that (along with the other files provided with keys, etc.). The Tunnelblick OpenVPN client I use on my Macs recognizes either.

Bill
--
INTERNET: b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186  Skype: jwccsllc (206) 855-5792

Freedom from prices is freedom from responsibility. You can simply pass laws, using the magic wand of government to satisfy your own desires at unspecified costs to be paid by others. -- Thomas Sowell Aug 2000
OpenVPN Client
Hi, I'm trying to connect to an OpenVPN server in my office. To do this, I installed "OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO]" from ports, and looking at different tutorials I found it needs a config file in /usr/local/etc/openvpn/openvpn.conf. The problem here is that our server provides a "client.ovpn" file containing all the connection params needed by a client; in fact, we connect windows machines just by installing "OpenVPN_Installer.exe", which configures a TAP device and a client that reads the client.ovpn file.

Now, in my FreeBSD 7.2 i386 machine, I did this:

Created the /usr/local/etc/openvpn/openvpn.conf (the port doesn't create it automatically) with this content:

remote 200.80.219.194.static.techtelnet.net
client
proto tcp
port 443
dev tun
ns-cert-type server
auth-user-pass
auth-retry interact
comp-lzo
user nobody
group nobody
verb 3
ca /usr/local/etc/openvpn/keys/ca.key
cert /usr/local/etc/openvpn/keys/cert.key
key /usr/local/etc/openvpn/keys/key.key

These contents are extracted from client.ovpn, and the "ca", "cert" and "key" files were extracted from the same file.

I kldload tun, but when I do ifconfig, it doesn't show anything related to tun or tap.

Also, when I do "openvpn /usr/local/etc/openvpn/openvpn.conf" the results are this:

Sat Jul 25 11:24:09 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Jul 24 2009
Enter Auth Username:nico
Enter Auth Password:
Sat Jul 25 11:24:13 2009 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Sat Jul 25 11:24:13 2009 WARNING: file '/usr/local/etc/openvpn/keys/key.key' is group or others accessible
Sat Jul 25 11:24:13 2009 LZO compression initialized
Sat Jul 25 11:24:13 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jul 25 11:24:13 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 25 11:24:13 2009 Local Options hash (VER=V4): '69109d17'
Sat Jul 25 11:24:13 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat Jul 25 11:24:13 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jul 25 11:24:13 2009 Attempting to establish TCP connection with 200.80.219.194:443
Sat Jul 25 11:24:13 2009 TCP connection established with 200.80.219.194:443
Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link local: [undef]
Sat Jul 25 11:24:13 2009 TCPv4_CLIENT link remote: 200.80.219.194:443
Sat Jul 25 11:24:13 2009 Connection reset, restarting [0]
Sat Jul 25 11:24:13 2009 TCP/UDP: Closing socket
Sat Jul 25 11:24:13 2009 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jul 25 11:24:13 2009 Restart pause, 5 second(s)

In my /etc/rc.conf I have openvpn_if="tun", I don't load the tun nor tap interface at boot, I just want to load it with kldload.

uname -a:
FreeBSD inspiron.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 08:49:13 UTC 2009 r...@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

ifconfig:
ndis0: flags=8843 metric 0 mtu 1500
        ether 00:23:4d:64:d6:7a
        inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
        media: IEEE 802.11 Wireless Ethernet autoselect
        status: associated
        ssid "" channel 1 (2412 Mhz 11b)
        authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
        bintval 0
fwe0: flags=8802 metric 0 mtu 1500
        options=8
        ether 32:4f:c0:e1:55:e1
        ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
        lladdr 33.4f.c0.0.26.e1.55.e1.a.2.ff.fe.0.0.0.0
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00

Thanks in advance,
Leonardo M. Ramé