Hey, I would appreciate it if somebody could help me set up an OpenVPN connection.

Here's the setup:

Server:  192.168.1.1
Soekris: sis0: 192.168.1.35: PXE boots from server
         sis1: Internet: gets dynamic IP from ISP
         sis2: 10.1.1.1: DHCP-server and gateway to LAN
         ral0: 172.16.1.1: Wlan interface to be used with OpenVPN
Desktop  nfe0: 10.1.1.10
Laptop   wpi0: 172.16.1.10

Desktop works nicely with soekris.

My client is my OpenBSD laptop.
I followed the instructions at: http://www.linux.com/articles/49990
I changed the IPs in the server and client configs.
The config uses "server-bridge 172.16.1.1 255.255.255.0 172.16.1.100 172.16.1.120".

I authenticated the laptop via SSH and then ran openvpn, and it gave
the following:

Tue Nov  6 20:18:54 2007 OpenVPN 2.0.9 x86_64-unknown-openbsd4.2 [SSL]
[LZO] built on Aug 20 2007
Tue Nov  6 20:18:54 2007 IMPORTANT: OpenVPN's default port number is now
1194, based on an official port number assignment by IANA.  OpenVPN
2.0-beta16 and earlier used 5000 as the default port.
Tue Nov  6 20:18:54 2007 Control Channel Authentication: using
'/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Tue Nov  6 20:18:54 2007 Outgoing Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  6 20:18:54 2007 Incoming Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  6 20:18:54 2007 Control Channel MTU parms [ L:1541 D:166 EF:66
EB:0 ET:0 EL:0 ]
Tue Nov  6 20:18:54 2007 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4
ET:0 EL:0 ]
Tue Nov  6 20:18:54 2007 Local Options hash (VER=V4): '70f5b3af'
Tue Nov  6 20:18:54 2007 Expected Remote Options hash (VER=V4): 'a2e2498c'
Tue Nov  6 20:18:54 2007 NOTE: chroot will be delayed because of --client,
--pull, or --up-delay
Tue Nov  6 20:18:54 2007 NOTE: UID/GID downgrade will be delayed because
of --client, --pull, or --up-delay
Tue Nov  6 20:18:54 2007 UDPv4 link local: [undef]
Tue Nov  6 20:18:54 2007 UDPv4 link remote: 172.16.1.1:1194
Tue Nov  6 20:18:54 2007 TLS: Initial packet from 172.16.1.1:1194,
sid=c32cfb6f 891c696c
Tue Nov  6 20:18:54 2007 VERIFY OK: depth=1,
/C=FI/ST=Etela-Karjala/L=Lappeenranta/O=OpenVPN-TEST/CN=WickedBSD/emailAddres
[EMAIL PROTECTED]
Tue Nov  6 20:18:54 2007 VERIFY OK: nsCertType=SERVER
Tue Nov  6 20:18:54 2007 VERIFY OK: depth=0,
/C=FI/ST=Etela-Karjala/O=OpenVPN-TEST/CN=WickedBSD/[EMAIL PROTECTED]
kedbsd.no-ip.com
Tue Nov  6 20:18:55 2007 WARNING: 'dev-type' is used inconsistently,
local='dev-type tun', remote='dev-type tap'
Tue Nov  6 20:18:55 2007 WARNING: 'link-mtu' is used inconsistently,
local='link-mtu 1541', remote='link-mtu 1573'
Tue Nov  6 20:18:55 2007 WARNING: 'tun-mtu' is used inconsistently,
local='tun-mtu 1500', remote='tun-mtu 1532'
Tue Nov  6 20:18:55 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Tue Nov  6 20:18:55 2007 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Tue Nov  6 20:18:55 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Tue Nov  6 20:18:55 2007 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Tue Nov  6 20:18:55 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Nov  6 20:18:55 2007 [WickedBSD] Peer Connection Initiated with
172.16.1.1:1194
Tue Nov  6 20:18:56 2007 SENT CONTROL [WickedBSD]: 'PUSH_REQUEST'
(status=1)
Tue Nov  6 20:18:56 2007 PUSH: Received control message:
'PUSH_REPLY,redirect-gateway local def1,route-gateway 172.16.1.1,ping
10,ping-restart 120,ifconfig 172.16.1.100 255.255.255.0'
Tue Nov  6 20:18:56 2007 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov  6 20:18:56 2007 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov  6 20:18:56 2007 OPTIONS IMPORT: route options modified
Tue Nov  6 20:18:56 2007 WARNING: Since you are using --dev tun, the
second argument to --ifconfig must be an IP address.  You are using
something (255.255.255.0) that looks more like a netmask. (silence this
warning with --ifconfig-nowarn)
Tue Nov  6 20:18:56 2007 WARNING: potential conflict between --remote
address [172.16.1.1] and --ifconfig address pair [172.16.1.100,
255.255.255.0] -- this is a warning only that is triggered when
local/remote addresses exist within the same /24 subnet as --ifconfig
endpoints. (silence this warning with --ifconfig-nowarn)
Tue Nov  6 20:18:56 2007 /sbin/ifconfig tun0 destroy
Tue Nov  6 20:18:56 2007 /sbin/ifconfig tun0 create
Tue Nov  6 20:18:56 2007 NOTE: Tried to delete pre-existing tun/tap
instance -- No Problem if failure
Tue Nov  6 20:18:56 2007 /sbin/ifconfig tun0 172.16.1.100 255.255.255.0
mtu 1500 netmask 255.255.255.255 up
Tue Nov  6 20:18:56 2007 TUN/TAP device /dev/tun0 opened
Tue Nov  6 20:18:56 2007 NOTE: unable to redirect default gateway --
Cannot read current default gateway from system
Tue Nov  6 20:18:56 2007 chroot to '/var/empty' and cd to '/' succeeded
Tue Nov  6 20:18:56 2007 GID set to openvpn
Tue Nov  6 20:18:56 2007 UID set to openvpn
Tue Nov  6 20:18:56 2007 Initialization Sequence Completed


After this I tried to ping something on the LAN but got "no route" messages. I
added the default gateway as 172.16.1.1.
Now I tested the connection and I could ping the server and every soekris
interface but not the desktop or the internet.

I ran tcpdump on the soekris and it seemed to give my google ping
requests but forwarded those to 172.16.1.10, which is the address of my
laptop's wlan interface. It should use 172.16.1.100 with the VPN AFAIK.
Soekris pf.conf has a "pass quick on $vpn_if" rule.

How to proceed with this to get the OpenVPN to work properly?

Timo

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
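As an added example (not part of Timo's mail or of OpenVPN itself), a small Python checker that reads the "used inconsistently" warnings and the PUSH_REPLY from the log quoted above and reduces them to the configuration points to look at. The log lines are the ones from the mail, unwrapped to one message per line; the reading that server-bridge implies a tap device on both ends is OpenVPN's documented behaviour.

```python
import re

# Lines taken from the OpenVPN client log posted above, unwrapped so that
# each message is one line as the daemon printed it.
SAMPLE_LOG = """\
Tue Nov  6 20:18:55 2007 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Tue Nov  6 20:18:55 2007 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1573'
Tue Nov  6 20:18:55 2007 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Tue Nov  6 20:18:56 2007 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway local def1,route-gateway 172.16.1.1,ping 10,ping-restart 120,ifconfig 172.16.1.100 255.255.255.0'
Tue Nov  6 20:18:56 2007 Initialization Sequence Completed
"""

# "'opt' is used inconsistently, local='opt X', remote='opt Y'"
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>[^']*)', remote='(?P=opt) (?P<remote>[^']*)'")
PUSH_RE = re.compile(r"PUSH_REPLY,(?P<body>[^']*)'")

def option_mismatches(log):
    """Map each option the two peers disagree on to (local, remote)."""
    found = {}
    for m in (INCONSISTENT_RE.search(line) for line in log.splitlines()):
        if m:
            found[m["opt"]] = (m["local"], m["remote"])
    return found

def pushed_options(log):
    """Split the server's PUSH_REPLY into {option: argument string}."""
    m = PUSH_RE.search(log)
    items = (i.strip().partition(" ") for i in m["body"].split(",")) if m else ()
    return {name: args for name, _, args in items}

def diagnose(log):
    """Reduce the warnings to the configuration checks an admin would act on."""
    notes = []
    mism = option_mismatches(log)
    ifc = pushed_options(log).get("ifconfig", "").split()
    if mism.get("dev-type") == ("tun", "tap"):
        notes.append("server runs tap (server-bridge) but client uses tun: "
                     "set 'dev tap' on the client")
        # In tun mode the 2nd ifconfig argument is the peer address, so the
        # pushed /24 netmask is a second symptom of the same mismatch.
        if ifc[1:] == ["255.255.255.0"]:
            notes.append("pushed 'ifconfig %s %s' is a tap-style address/netmask pair"
                         % (ifc[0], ifc[1]))
    for opt in ("link-mtu", "tun-mtu"):
        if opt in mism:
            notes.append("%s differs (%s vs %s); recheck after dev-type agrees"
                         % ((opt,) + mism[opt]))
    return notes
```

Feeding a client's full log (from `openvpn --config ...` output or syslog) to `diagnose()` gives the same list for any tap/tun mismatch, not only the one in this mail.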