OpenVPN

Frank,

Your config should be as follows:

remote   194.95.226.***
proto      upd
port        5000
dev         tun

ifconfig   192.168.28.26 192.168.56.xxx (You need to specify the IPs of 
the private interfaces on both ends)
route 192.168.56.xxx 255.255.255.0  # (Normally I would put the routes 
in a route.up file)

user nobody
group nobody (nogroup on Mandrake)

comp-lzo
ping 10
verb 5

My server config is as follows:

Local network interface is 192.168.104.14 and remote is 192.168.113.14

dev tun
ifconfig 192.168.104.14 192.168.113.14
remote 12.148.xxx.xxx
up ./office.up
secret keys/static.key
port 5000
user nobody
group nogroup
comp-lzo
ping 10
verb 5
mute 10




Frank Elsner wrote:

>On Fri, 14 May 2004 07:51:07 EDT Doug Lytle wrote:
>  
>
>>Frank,
>>
>>Show us the conf files for both ends.
>>    
>>
>
>Currently I've only acess to mine, the other looks the same but with other 
>                                   adresses of course.
>
># /usr/local/OpenVPN/etc/eyuphuro.cf
># ---------------------------------- VPN with eyuphuro
>
># daemon	eyuphuro
>local		192.168.28.26
>remote 		194.95.226.***
>proto		udp
>port		5000
>dev		tun0
>ifconfig	10.192.168.28 10.192.168.56
>route		192.168.56.0 255.255.255.0
>disable-occ
>ping 		15
>verb		4
>persist-tun
>persist-local-ip
>persist-remote-ip
>comp-lzo
>
>
>Both systems involved RH 7.3, Kernels 2.4.26/2.4.22, OpenVPN-1.5.0
>
>
>--Frank Elsner
>
>
>
>
>  
>

Dear all,

I have setup openvpn p-t-p connection between tow openvpn gateways and 
running fine when executing connection from the openvpn gateway.
But when I tried to connect to a remote openvpn server thru a client 
behind the openvpn gateway, the connection failed. Here is the diagram:

172.16.0.1 --- 192.168.1.91 (redhat 9.0)<---> 192.168.1.1(freeBSD 4.9) 
--- 192.168.2.1 --- 192.168.2.2 (WindowsXP client)

where 192.168.1.91 (redhat 9.0) and 192.168.1.1 (freeBSD 4.9) are two 
openvpn gateways,
172.16.0.1 is an alias IP address of 192.168.1.91. ( because lack of 
nework card)
192.168.2.1 is a second nework card in the same box of 192.168.1.1 
(freeBSD).
192.168.2.2 (WindowsXP) is a client machine without OpenVPN installed 
and sit behind 192.168.1.1 gateway.

The connection from 192.168.1.1 to 172.16.0.1 usingi ssh works fine:
root@... [2:46am] [/etc/openvpn]# ssh 172.16.0.1
root@... password:

ip forwarding in Redhat is turnned on:
root@... [12:36am] [/etc/openvpn]# cat /proc/sys/net/ipv4/ip_forward
1
ip forwarding in FreeBSD is also turned on:
root@... [2:52am] [/etc/openvpn]# sysctl -a | grep forward
net.inet.ip.forwarding: 1

But login attempt  from 192.168.2.2 (windows xp) to 172.16.0.1 is failed.

What is wrong with the configuration I have in 2 openvpn gateways?

The configuration of OpenVPN in either machine is as follow:
FreeBSD:
=======
/etc/openvpn/server.conf:
remote   192.168.1.91
#proto      upd
port        5000
dev         tun3
 
ifconfig   192.168.2.1 172.16.0.1
up /etc/openvpn/home.up
 
user nobody
group nobody
 
#comp-lzo
ping 10
verb 9

/etc/openvpn/home.up:
#!/bin/bash
route add -net 172.16.0 192.168.1.1 255.255.255.0

result of ifconfig -a in freeBSD:
root@... [2:45am] [/etc/openvpn]# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::202:b3ff:febb:a7a5%fxp0 prefixlen 64 scopeid 0x1
        ether 00:02:b3:bb:a7:a5
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::202:b3ff:fe8a:c348%fxp1 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:02:b3:8a:c3:48
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::202:b3ff:febb:a7a5%tun3 prefixlen 64 scopeid 0x8
        inet 192.168.2.1 --> 172.16.0.1 netmask 0xffffffff
        Opened by PID 264

Redhat:
======
/etc/openvpn/server.conf:
remote   192.168.1.1
#proto      upd
port        5000
dev         tun0
 
ifconfig   172.16.0.1 192.168.2.1
up /etc/openvpn/home.up
 
user nobody
group nobody
 
#comp-lzo
ping 10
verb 9

/etc/openvpn/home.up:
#!/bin/bash
route add -net 192.168.2.0 netmask 255.255.255.0 gw $5

result of ipconfig -a in Redhat:
root@... [12:34am] [/etc/openvpn]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:90:27:57:59:8C 
          inet addr:192.168.1.91  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7908 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6289 errors:0 dropped:0 overruns:0 carrier:0
          collisions:2065 txqueuelen:100
          RX bytes:1112845 (1.0 Mb)  TX bytes:1205461 (1.1 Mb)
          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
 
eth0:0    Link encap:Ethernet  HWaddr 00:90:27:57:59:8C 
          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
 
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:112144 (109.5 Kb)  TX bytes:112144 (109.5 Kb)
 
tun0      Link encap:Point-to-Point Protocol 
          inet addr:172.16.0.1  P-t-P:192.168.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
 
Thanks
Sam

On Fri, 14 May 2004 09:04:28 EDT Doug Lytle wrote:
> Frank,
> 
> Your config should be as follows:
> 
> remote   194.95.226.***
> proto      upd
> port        5000
> dev         tun
> 
> ifconfig   192.168.28.26 192.168.56.xxx (You need to specify the IPs of 
> the private interfaces on both ends)

I'm surprised, but will test as time permits over the weekend.

Surprised because http://openvpn.sourceforge.net/man.html#lbAR says:

| You can use any address you wish for the tunnel endpoints but make sure
| that they are private addresses (such as those that begin with 10 or
| 192.168) and that they are not part of any existing subnet on the networks of
| either peer. If you use an address that is part of your local subnet for 
| either of the tunnel endpoints, you will get a weird feedback loop.

> route 192.168.56.xxx 255.255.255.0  # (Normally I would put the routes 
> in a route.up file)

Ok, an other way. Should make no difference.

> My server config is as follows:
> 
> Local network interface is 192.168.104.14 and remote is 192.168.113.14
> 
> dev tun
> ifconfig 192.168.104.14 192.168.113.14
> remote 12.148.xxx.xxx

And the networks connected are 192.168.104.0/24 and 192.168.113.0/24 ?

--Frank Elsner

Ping from 192.168.2.2 (the windows xp) machine to 172.16.0.1 works while 
ssh failed.

samwun wrote:

> Dear all,
>
> I have setup openvpn p-t-p connection between tow openvpn gateways and 
> running fine when executing connection from the openvpn gateway.
> But when I tried to connect to a remote openvpn server thru a client 
> behind the openvpn gateway, the connection failed. Here is the diagram:
>
> 172.16.0.1 --- 192.168.1.91 (redhat 9.0)<---> 192.168.1.1(freeBSD 4.9) 
> --- 192.168.2.1 --- 192.168.2.2 (WindowsXP client)
>
> where 192.168.1.91 (redhat 9.0) and 192.168.1.1 (freeBSD 4.9) are two 
> openvpn gateways,
> 172.16.0.1 is an alias IP address of 192.168.1.91. ( because lack of 
> nework card)
> 192.168.2.1 is a second nework card in the same box of 192.168.1.1 
> (freeBSD).
> 192.168.2.2 (WindowsXP) is a client machine without OpenVPN installed 
> and sit behind 192.168.1.1 gateway.
>
> The connection from 192.168.1.1 to 172.16.0.1 usingi ssh works fine:
> root@... [2:46am] [/etc/openvpn]# ssh 172.16.0.1
> root@... password:
>
> ip forwarding in Redhat is turnned on:
> root@... [12:36am] [/etc/openvpn]# cat /proc/sys/net/ipv4/ip_forward
> 1
> ip forwarding in FreeBSD is also turned on:
> root@... [2:52am] [/etc/openvpn]# sysctl -a | grep forward
> net.inet.ip.forwarding: 1
>
> But login attempt  from 192.168.2.2 (windows xp) to 172.16.0.1 is failed.
>
> What is wrong with the configuration I have in 2 openvpn gateways?
>
> The configuration of OpenVPN in either machine is as follow:
> FreeBSD:
> =======
> /etc/openvpn/server.conf:
> remote   192.168.1.91
> #proto      upd
> port        5000
> dev         tun3
>
> ifconfig   192.168.2.1 172.16.0.1
> up /etc/openvpn/home.up
>
> user nobody
> group nobody
>
> #comp-lzo
> ping 10
> verb 9
>
> /etc/openvpn/home.up:
> #!/bin/bash
> route add -net 172.16.0 192.168.1.1 255.255.255.0
>
> result of ifconfig -a in freeBSD:
> root@... [2:45am] [/etc/openvpn]# ifconfig -a
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>        inet6 fe80::202:b3ff:febb:a7a5%fxp0 prefixlen 64 scopeid 0x1
>        ether 00:02:b3:bb:a7:a5
>        media: Ethernet autoselect (10baseT/UTP)
>        status: active
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>        inet6 fe80::202:b3ff:fe8a:c348%fxp1 prefixlen 64 scopeid 0x2
>        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>        ether 00:02:b3:8a:c3:48
>        media: Ethernet autoselect (10baseT/UTP)
>        status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>        inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>        inet6 fe80::202:b3ff:febb:a7a5%tun3 prefixlen 64 scopeid 0x8
>        inet 192.168.2.1 --> 172.16.0.1 netmask 0xffffffff
>        Opened by PID 264
>
> Redhat:
> ======
> /etc/openvpn/server.conf:
> remote   192.168.1.1
> #proto      upd
> port        5000
> dev         tun0
>
> ifconfig   172.16.0.1 192.168.2.1
> up /etc/openvpn/home.up
>
> user nobody
> group nobody
>
> #comp-lzo
> ping 10
> verb 9
>
> /etc/openvpn/home.up:
> #!/bin/bash
> route add -net 192.168.2.0 netmask 255.255.255.0 gw $5
>
> result of ipconfig -a in Redhat:
> root@... [12:34am] [/etc/openvpn]# ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:90:27:57:59:8C          inet 
> addr:192.168.1.91  Bcast:192.168.1.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:7908 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:6289 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:2065 txqueuelen:100
>          RX bytes:1112845 (1.0 Mb)  TX bytes:1205461 (1.1 Mb)
>          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>
> eth0:0    Link encap:Ethernet  HWaddr 00:90:27:57:59:8C          inet 
> addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:100
>          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>
> lo        Link encap:Local Loopback          inet addr:127.0.0.1  
> Mask:255.0.0.0
>          UP LOOPBACK RUNNING  MTU:16436  Metric:1
>          RX packets:184 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:112144 (109.5 Kb)  TX bytes:112144 (109.5 Kb)
>
> tun0      Link encap:Point-to-Point Protocol          inet 
> addr:172.16.0.1  P-t-P:192.168.2.1  Mask:255.255.255.255
>          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:100
>          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>
> Thanks
> Sam
>
>

Correct.

I also have a 2nd network on a tun1.conf with 192.168.119.1 on tun1  
Their entry is:

ifconfig 192.168.104.14 192.168.119.1

Of course, on their end, it's opposite.

Doug

Frank Elsner wrote:

>>dev tun
>>ifconfig 192.168.104.14 192.168.113.14
>>remote 12.148.xxx.xxx
>>    
>>
>
>And the networks connected are 192.168.104.0/24 and 192.168.113.0/24 ?
>
>--Frank Elsner
>
>  
>

Why can a TAP device answer to any kind of request, if it isn't
bridged with any physical interface?

Frank Elsner wrote:

>I'm surprised, but will test as time permits over the weekend.
>
>Surprised because http://openvpn.sourceforge.net/man.html#lbAR says:
>
>| You can use any address you wish for the tunnel endpoints but make sure
>| that they are private addresses (such as those that begin with 10 or
>| 192.168) and that they are not part of any existing subnet on the networks of
>| either peer. If you use an address that is part of your local subnet for 
>| either of the tunnel endpoints, you will get a weird feedback loop.
>  
>
>

This would be correct if you were using tap devices.

Doug

Sttf <vklengh@...> said:

> Why can a TAP device answer to any kind of request, if it isn't
> bridged with any physical interface?

A non-bridged TAP will behave like another ethernet NIC plugged into the
machine which has it's own separate IP and subnet.

James

Doug Lytle <support@...> said:

> Frank Elsner wrote:
> 
> >I'm surprised, but will test as time permits over the weekend.
> >
> >Surprised because http://openvpn.sourceforge.net/man.html#lbAR says:
> >
> >| You can use any address you wish for the tunnel endpoints but make sure
> >| that they are private addresses (such as those that begin with 10 or
> >| 192.168) and that they are not part of any existing subnet on the networks of
> >| either peer. If you use an address that is part of your local subnet for 
> >| either of the tunnel endpoints, you will get a weird feedback loop.
> 
> This would be correct if you were using tap devices.

I probably wrote that snippet before a lot of people started using OpenVPN to
make ethernet bridges.  That statement should be modified because the "not
part of any existing subnet" isn't really true when bridging.

James

> A non-bridged TAP will behave like another ethernet NIC plugged into the
> machine which has it's own separate IP and subnet.

But Why is it answering to network traffic if it is not bridged with any
physical ethernet interface?

Then what is bridging for?

I can't understand. My TAP1 device is not bridged with anything, and my
bridged interfaces answer to pings on its address. Concretly, the ping
answer will have the source MAC of eth0.

Maybe because of creating this virtual device with openvpn --mktun --dev ?

Sttf wrote:

> I can't understand. My TAP1 device is not bridged with anything, and my
> bridged interfaces answer to pings on its address. Concretly, the ping
> answer will have the source MAC of eth0.

If you are running on Linux, then every interface that is up and has an 
IP address will respond to pings for any other IP address on that system 
(i.e. every local IP address).

Hi,
Your configuration seems wrong.


> The configuration of OpenVPN in either machine is as follow:
> FreeBSD:
> =======
> remote   192.168.1.91
> #proto      upd
> port        5000
> dev         tun3
>
> ifconfig   192.168.2.1 172.16.0.1
>

In your ifconfig the IP adresses should be  the tun  addresses of the
endpoints.
As far as I understand 192.168.2.1 is the LAN address of your gateway (as
192.168.2.2. is the WinXP on that same LAN), so the tun address should not
be the same as your LAN address.

The same holds true for the other gateway, in general you need three sets of
addresses, each on different subnets (network address):
1) local and remote - real IPs connecting to the internet, or the WAN (as
seems to be your case)
2) tun addresses - virtual private IPs making the tunnel, which should not
interfere with any of the other network address.
Those are the addresses which are defined on ifconfig.
3) LAN addresses - real private IPs. If not bridging both LANs have to have
subnet addresses.
To enable access to those addresses, they need to be entered in the route
command, using tun endpoint as gateway.

In short, IMHO, you need two  tun addresses, one for each endpoint of the
tunnel, for example
192.168.0.1 and 192.168.0.2

Julio
----- Original Message ----- 
From: "samwun" <samwun@...>
To: <openvpn-users@...>
Sent: Friday, May 14, 2004 1:06 PM
Subject: [Openvpn-users] problem with connecting to private network


> Dear all,
>
> I have setup openvpn p-t-p connection between tow openvpn gateways and
> running fine when executing connection from the openvpn gateway.
> But when I tried to connect to a remote openvpn server thru a client
> behind the openvpn gateway, the connection failed. Here is the diagram:
>
> 172.16.0.1 --- 192.168.1.91 (redhat 9.0)<---> 192.168.1.1(freeBSD 4.9)
> --- 192.168.2.1 --- 192.168.2.2 (WindowsXP client)
>
> where 192.168.1.91 (redhat 9.0) and 192.168.1.1 (freeBSD 4.9) are two
> openvpn gateways,
> 172.16.0.1 is an alias IP address of 192.168.1.91. ( because lack of
> nework card)
> 192.168.2.1 is a second nework card in the same box of 192.168.1.1
> (freeBSD).
> 192.168.2.2 (WindowsXP) is a client machine without OpenVPN installed
> and sit behind 192.168.1.1 gateway.
>
> The connection from 192.168.1.1 to 172.16.0.1 usingi ssh works fine:
> root@... [2:46am] [/etc/openvpn]# ssh 172.16.0.1
> root@... password:
>
> ip forwarding in Redhat is turnned on:
> root@... [12:36am] [/etc/openvpn]# cat /proc/sys/net/ipv4/ip_forward
> 1
> ip forwarding in FreeBSD is also turned on:
> root@... [2:52am] [/etc/openvpn]# sysctl -a | grep forward
> net.inet.ip.forwarding: 1
>
> But login attempt  from 192.168.2.2 (windows xp) to 172.16.0.1 is failed.
>
> What is wrong with the configuration I have in 2 openvpn gateways?
>
> The configuration of OpenVPN in either machine is as follow:
> FreeBSD:
> =======
> /etc/openvpn/server.conf:
> remote   192.168.1.91
> #proto      upd
> port        5000
> dev         tun3
>
> ifconfig   192.168.2.1 172.16.0.1
> up /etc/openvpn/home.up
>
> user nobody
> group nobody
>
> #comp-lzo
> ping 10
> verb 9
>
> /etc/openvpn/home.up:
> #!/bin/bash
> route add -net 172.16.0 192.168.1.1 255.255.255.0
>
> result of ifconfig -a in freeBSD:
> root@... [2:45am] [/etc/openvpn]# ifconfig -a
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::202:b3ff:febb:a7a5%fxp0 prefixlen 64 scopeid 0x1
>         ether 00:02:b3:bb:a7:a5
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>         inet6 fe80::202:b3ff:fe8a:c348%fxp1 prefixlen 64 scopeid 0x2
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>         ether 00:02:b3:8a:c3:48
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>         inet6 fe80::202:b3ff:febb:a7a5%tun3 prefixlen 64 scopeid 0x8
>         inet 192.168.2.1 --> 172.16.0.1 netmask 0xffffffff
>         Opened by PID 264
>
> Redhat:
> ======
> /etc/openvpn/server.conf:
> remote   192.168.1.1
> #proto      upd
> port        5000
> dev         tun0
>
> ifconfig   172.16.0.1 192.168.2.1
> up /etc/openvpn/home.up
>
> user nobody
> group nobody
>
> #comp-lzo
> ping 10
> verb 9
>
> /etc/openvpn/home.up:
> #!/bin/bash
> route add -net 192.168.2.0 netmask 255.255.255.0 gw $5
>
> result of ipconfig -a in Redhat:
> root@... [12:34am] [/etc/openvpn]# ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>           inet addr:192.168.1.91  Bcast:192.168.1.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:7908 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6289 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:2065 txqueuelen:100
>           RX bytes:1112845 (1.0 Mb)  TX bytes:1205461 (1.1 Mb)
>           Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>
> eth0:0    Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>           inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>           Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:184 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:112144 (109.5 Kb)  TX bytes:112144 (109.5 Kb)
>
> tun0      Link encap:Point-to-Point Protocol
>           inet addr:172.16.0.1  P-t-P:192.168.2.1  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>
> Thanks
> Sam
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: SourceForge.net Broadband
> Sign-up now for SourceForge Broadband and get the fastest
> 6.0/768 connection for only $19.95/mo for the first 3 months!
> http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>

Hello,

I'm using OpenVPN 1.6.0rc3 on many computers and it works well. The only
problem is that, if linux client machine wants to get address by DHCP.
If i put dhcpcd (dhcp client) line into home.up script like that:

ifconfig tap0 up
dhcpcd -R tap0

dhcpcd is trying to get an IP address from server but server don't see
any request.

If i put only "ifconfig tap0 up" line, and start dhcpcd manually from
console after start of OpenVPN everything is OK.

Is anybody know, why it doesn't work ?

my configs:

server (Linux 2.4.25):

inetd nowait
proto tcp-server
dev tap
ifconfig-noexec
tls-server
up /etc/openvpn/scripts/server.up
dh /etc/openvpn/private/dh1024.pem
ca /etc/openvpn/private/ca.crt
cert /etc/openvpn/private/server.crt
key /etc/openvpn/private/server.key
user nobody
group nobody
ping 15
comp-lzo
verb 3
crl-verify /etc/openvpn/banned.pem

clients (Linux 2.2.25/2.4.26/2.6.4):

dev tap
proto tcp-client
remote <gate IP>
up ./home.up
up-delay
tls-client
ca ca.crt
cert Sebastian_Wasilewski.crt
key Sebastian_Wasilewski.key
port 5000
comp-lzo
ping 15
ping-restart 45
verb 1
connect-retry 20


Thanks for any help.
Sebastian

Take a look at the --route-up script feature.

Try breaking up the home.up script so that

home.up:
  ifconfig tap0 up

route.up:
  dhcpcd -R tap0

Then use --route-delay to delay the route.up script.

Does dhcpcd fork off a daemon and return immediately?  If so, great.  If not,
put an ampersand ('&') on the dhcpcd command line so it doesn't stall the
openvpn event loop.

Another approach would be something like this:

route.up:

  dhcpcd -R tap0

James
 

Emotional Vampire <vampire@...> said:

> Hello,
> 
> I'm using OpenVPN 1.6.0rc3 on many computers and it works well. The only
> problem is that, if linux client machine wants to get address by DHCP.
> If i put dhcpcd (dhcp client) line into home.up script like that:
> 
> ifconfig tap0 up
> dhcpcd -R tap0
> 
> dhcpcd is trying to get an IP address from server but server don't see
> any request.
> 
> If i put only "ifconfig tap0 up" line, and start dhcpcd manually from
> console after start of OpenVPN everything is OK.
> 
> Is anybody know, why it doesn't work ?
> 
> my configs:
> 
> server (Linux 2.4.25):
> 
> inetd nowait
> proto tcp-server
> dev tap
> ifconfig-noexec
> tls-server
> up /etc/openvpn/scripts/server.up
> dh /etc/openvpn/private/dh1024.pem
> ca /etc/openvpn/private/ca.crt
> cert /etc/openvpn/private/server.crt
> key /etc/openvpn/private/server.key
> user nobody
> group nobody
> ping 15
> comp-lzo
> verb 3
> crl-verify /etc/openvpn/banned.pem
> 
> clients (Linux 2.2.25/2.4.26/2.6.4):
> 
> dev tap
> proto tcp-client
> remote <gate IP>
> up ./home.up
> up-delay
> tls-client
> ca ca.crt
> cert Sebastian_Wasilewski.crt
> key Sebastian_Wasilewski.key
> port 5000
> comp-lzo
> ping 15
> ping-restart 45
> verb 1
> connect-retry 20
> 
> 
> Thanks for any help.
> Sebastian
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: SourceForge.net Broadband
> Sign-up now for SourceForge Broadband and get the fastest
> 6.0/768 connection for only $19.95/mo for the first 3 months!
> http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 



--

Julio Maidanik wrote:

>Hi,
>Your configuration seems wrong.
>
>
>  
>
>>The configuration of OpenVPN in either machine is as follow:
>>FreeBSD:
>>=======
>>remote   192.168.1.91
>>#proto      upd
>>port        5000
>>dev         tun3
>>
>>ifconfig   192.168.2.1 172.16.0.1
>>
>>    
>>
>
>In your ifconfig the IP adresses should be  the tun  addresses of the
>endpoints.
>As far as I understand 192.168.2.1 is the LAN address of your gateway (as
>192.168.2.2. is the WinXP on that same LAN), so the tun address should not
>be the same as your LAN address.
>
>The same holds true for the other gateway, in general you need three sets of
>addresses, each on different subnets (network address):
>1) local and remote - real IPs connecting to the internet, or the WAN (as
>seems to be your case)
>2) tun addresses - virtual private IPs making the tunnel, which should not
>interfere with any of the other network address.
>Those are the addresses which are defined on ifconfig.
>3) LAN addresses - real private IPs. If not bridging both LANs have to have
>subnet addresses.
>To enable access to those addresses, they need to be entered in the route
>command, using tun endpoint as gateway.
>
>In short, IMHO, you need two  tun addresses, one for each endpoint of the
>tunnel, for example
>192.168.0.1 and 192.168.0.2
>
>  
>
thanks for your help, I have changed the ifconfig in the server.conf 
according what you described:
in FreeBSD:
==========
remote   192.168.1.91
#proto      upd
port        5000
dev         tun3
 
ifconfig   192.168.0.2 192.168.0.1
up /etc/openvpn/home.up
down /etc/openvpn/home.down
 
user nobody
group nobody
 
#comp-lzo
ping 10
verb 9

In Redhat:
=========
remote   192.168.1.1
#proto      upd
port        5000
dev         tun0
 
ifconfig   192.168.0.1 192.168.0.2
up /etc/openvpn/home.up
down /etc/openvpn/home.down
 
user nobody
group nobody
 
#comp-lzo
ping 10
verb 9

Now,  ping from FreeBSD to Redhat does not receive echo, but Ping from 
Redhat to FreeBSD dose fine.

How can I further investigate this problem?

Sam

>Julio
>----- Original Message ----- 
>From: "samwun" <samwun@...>
>To: <openvpn-users@...>
>Sent: Friday, May 14, 2004 1:06 PM
>Subject: [Openvpn-users] problem with connecting to private network
>
>
>  
>
>>Dear all,
>>
>>I have setup openvpn p-t-p connection between tow openvpn gateways and
>>running fine when executing connection from the openvpn gateway.
>>But when I tried to connect to a remote openvpn server thru a client
>>behind the openvpn gateway, the connection failed. Here is the diagram:
>>
>>172.16.0.1 --- 192.168.1.91 (redhat 9.0)<---> 192.168.1.1(freeBSD 4.9)
>>--- 192.168.2.1 --- 192.168.2.2 (WindowsXP client)
>>
>>where 192.168.1.91 (redhat 9.0) and 192.168.1.1 (freeBSD 4.9) are two
>>openvpn gateways,
>>172.16.0.1 is an alias IP address of 192.168.1.91. ( because lack of
>>nework card)
>>192.168.2.1 is a second nework card in the same box of 192.168.1.1
>>(freeBSD).
>>192.168.2.2 (WindowsXP) is a client machine without OpenVPN installed
>>and sit behind 192.168.1.1 gateway.
>>
>>The connection from 192.168.1.1 to 172.16.0.1 usingi ssh works fine:
>>root@... [2:46am] [/etc/openvpn]# ssh 172.16.0.1
>>root@... password:
>>
>>ip forwarding in Redhat is turnned on:
>>root@... [12:36am] [/etc/openvpn]# cat /proc/sys/net/ipv4/ip_forward
>>1
>>ip forwarding in FreeBSD is also turned on:
>>root@... [2:52am] [/etc/openvpn]# sysctl -a | grep forward
>>net.inet.ip.forwarding: 1
>>
>>But login attempt  from 192.168.2.2 (windows xp) to 172.16.0.1 is failed.
>>
>>What is wrong with the configuration I have in 2 openvpn gateways?
>>
>>The configuration of OpenVPN in either machine is as follow:
>>FreeBSD:
>>=======
>>/etc/openvpn/server.conf:
>>remote   192.168.1.91
>>#proto      upd
>>port        5000
>>dev         tun3
>>
>>ifconfig   192.168.2.1 172.16.0.1
>>up /etc/openvpn/home.up
>>
>>user nobody
>>group nobody
>>
>>#comp-lzo
>>ping 10
>>verb 9
>>
>>/etc/openvpn/home.up:
>>#!/bin/bash
>>route add -net 172.16.0 192.168.1.1 255.255.255.0
>>
>>result of ifconfig -a in freeBSD:
>>root@... [2:45am] [/etc/openvpn]# ifconfig -a
>>fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>>        inet6 fe80::202:b3ff:febb:a7a5%fxp0 prefixlen 64 scopeid 0x1
>>        ether 00:02:b3:bb:a7:a5
>>        media: Ethernet autoselect (10baseT/UTP)
>>        status: active
>>fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>>        inet6 fe80::202:b3ff:fe8a:c348%fxp1 prefixlen 64 scopeid 0x2
>>        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>>        ether 00:02:b3:8a:c3:48
>>        media: Ethernet autoselect (10baseT/UTP)
>>        status: active
>>lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
>>lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>>        inet6 ::1 prefixlen 128
>>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>>        inet 127.0.0.1 netmask 0xff000000
>>ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>>sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
>>faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>>tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>>        inet6 fe80::202:b3ff:febb:a7a5%tun3 prefixlen 64 scopeid 0x8
>>        inet 192.168.2.1 --> 172.16.0.1 netmask 0xffffffff
>>        Opened by PID 264
>>
>>Redhat:
>>======
>>/etc/openvpn/server.conf:
>>remote   192.168.1.1
>>#proto      upd
>>port        5000
>>dev         tun0
>>
>>ifconfig   172.16.0.1 192.168.2.1
>>up /etc/openvpn/home.up
>>
>>user nobody
>>group nobody
>>
>>#comp-lzo
>>ping 10
>>verb 9
>>
>>/etc/openvpn/home.up:
>>#!/bin/bash
>>route add -net 192.168.2.0 netmask 255.255.255.0 gw $5
>>
>>result of ipconfig -a in Redhat:
>>root@... [12:34am] [/etc/openvpn]# ifconfig -a
>>eth0      Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>>          inet addr:192.168.1.91  Bcast:192.168.1.255  Mask:255.255.255.0
>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>          RX packets:7908 errors:0 dropped:0 overruns:0 frame:0
>>          TX packets:6289 errors:0 dropped:0 overruns:0 carrier:0
>>          collisions:2065 txqueuelen:100
>>          RX bytes:1112845 (1.0 Mb)  TX bytes:1205461 (1.1 Mb)
>>          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>>
>>eth0:0    Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>>          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>>          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>>          collisions:0 txqueuelen:100
>>          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>>          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>>
>>lo        Link encap:Local Loopback
>>          inet addr:127.0.0.1  Mask:255.0.0.0
>>          UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>          RX packets:184 errors:0 dropped:0 overruns:0 frame:0
>>          TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
>>          collisions:0 txqueuelen:0
>>          RX bytes:112144 (109.5 Kb)  TX bytes:112144 (109.5 Kb)
>>
>>tun0      Link encap:Point-to-Point Protocol
>>          inet addr:172.16.0.1  P-t-P:192.168.2.1  Mask:255.255.255.255
>>          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>>          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>>          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>>          collisions:0 txqueuelen:100
>>          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>>
>>Thanks
>>Sam
>>
>>
>>    
>>

samwun wrote:

> Julio Maidanik wrote:
>
>> Hi,
>> Your configuration seems wrong.
>>
>>
>>  
>>
>>> The configuration of OpenVPN in either machine is as follow:
>>> FreeBSD:
>>> =======
>>> remote   192.168.1.91
>>> #proto      upd
>>> port        5000
>>> dev         tun3
>>>
>>> ifconfig   192.168.2.1 172.16.0.1
>>>
>>>   
>>
>>
>> In your ifconfig the IP adresses should be  the tun  addresses of the
>> endpoints.
>> As far as I understand 192.168.2.1 is the LAN address of your gateway 
>> (as
>> 192.168.2.2. is the WinXP on that same LAN), so the tun address 
>> should not
>> be the same as your LAN address.
>>
>> The same holds true for the other gateway, in general you need three 
>> sets of
>> addresses, each on different subnets (network address):
>> 1) local and remote - real IPs connecting to the internet, or the WAN 
>> (as
>> seems to be your case)
>> 2) tun addresses - virtual private IPs making the tunnel, which 
>> should not
>> interfere with any of the other network address.
>> Those are the addresses which are defined on ifconfig.
>> 3) LAN addresses - real private IPs. If not bridging both LANs have 
>> to have
>> subnet addresses.
>> To enable access to those addresses, they need to be entered in the 
>> route
>> command, using tun endpoint as gateway.
>>
>> In short, IMHO, you need two  tun addresses, one for each endpoint of 
>> the
>> tunnel, for example
>> 192.168.0.1 and 192.168.0.2
>>
>>  
>>
> thanks for your help, I have changed the ifconfig in the server.conf 
> according what you described:
> in FreeBSD:
> ==========
> remote   192.168.1.91
> #proto      upd
> port        5000
> dev         tun3
>
> ifconfig   192.168.0.2 192.168.0.1
> up /etc/openvpn/home.up
> down /etc/openvpn/home.down
>
> user nobody
> group nobody
>
> #comp-lzo
> ping 10
> verb 9
>
> In Redhat:
> =========
> remote   192.168.1.1
> #proto      upd
> port        5000
> dev         tun0
>
> ifconfig   192.168.0.1 192.168.0.2
> up /etc/openvpn/home.up
> down /etc/openvpn/home.down
>
> user nobody
> group nobody
>
> #comp-lzo
> ping 10
> verb 9
>
> Now,  ping from FreeBSD to Redhat does not receive echo, but Ping from 
> Redhat to FreeBSD dose fine.
>
> How can I further investigate this problem?
>
> Sam
>
Here is result of the ifconfig/netstat in FreeBSD and Redhat:
In FreeBSD:
==========
root@... [2:32pm] [...local/classlib-2.1]# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::202:b3ff:febb:a7a5%fxp0 prefixlen 64 scopeid 0x1
        ether 00:02:b3:bb:a7:a5
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::202:b3ff:fe8a:c348%fxp1 prefixlen 64 scopeid 0x2
        ether 00:02:b3:8a:c3:48
        media: Ethernet autoselect (none)
        status: no carrier
....
tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::202:b3ff:febb:a7a5%tun3 prefixlen 64 scopeid 0x8
        inet 192.168.0.2 --> 192.168.0.1 netmask 0xffffffff
        Opened by PID 265
root@... [2:36pm] [...local/classlib-2.1]# netstat -rn
Routing tables
 
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.254      UGSc        4        0   fxp0
127.0.0.1          127.0.0.1          UH          1       24    lo0
172.16/24          192.168.1.1        UGSc        0        0   fxp0
192.168.0.1        192.168.0.2        UH          0      223   tun3
192.168.1          link#1             UC          4        0   fxp0
192.168.1.1        00:02:b3:bb:a7:a5  UHLW        1        0    lo0
192.168.1.91       00:90:27:57:59:8c  UHLW        4     8770   fxp0   1131
192.168.1.128      00:09:6b:8d:b2:67  UHLW        0      343   fxp0    941
192.168.1.254      00:02:b3:0b:3c:d1  UHLW        5       53   fxp0     72
192.168.2          link#2             UC          0        0   fxp1

In Redhat:
=============
root@... [11:46am] [~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:90:27:57:59:8C 
          inet addr:192.168.1.91  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:7756 txqueuelen:100
          RX bytes:4654082 (4.4 Mb)  TX bytes:5304575 (5.0 Mb)
          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
 
eth0:0    Link encap:Ethernet  HWaddr 00:90:27:57:59:8C 
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2936 (2.8 Kb)  TX bytes:2414 (2.3 Kb)
          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
.....
tun0      Link encap:Point-to-Point Protocol 
          inet addr:192.168.0.1  P-t-P:192.168.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2936 (2.8 Kb)  TX bytes:2414 (2.3 Kb)

root@... [11:46am] [~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt 
Iface
192.168.0.2     0.0.0.0         255.255.255.255 UH        0 0          0 
tun0
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 
eth0
192.168.2.0     192.168.0.2     255.255.255.0   UG        0 0          0 
tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 
eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 
eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 
eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 
eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 
eth0

Thanks
Sam

>> Julio
>> ----- Original Message ----- From: "samwun" <samwun@...>
>> To: <openvpn-users@...>
>> Sent: Friday, May 14, 2004 1:06 PM
>> Subject: [Openvpn-users] problem with connecting to private network
>>
>>
>>  
>>
>>> Dear all,
>>>
>>> I have setup openvpn p-t-p connection between tow openvpn gateways and
>>> running fine when executing connection from the openvpn gateway.
>>> But when I tried to connect to a remote openvpn server thru a client
>>> behind the openvpn gateway, the connection failed. Here is the diagram:
>>>
>>> 172.16.0.1 --- 192.168.1.91 (redhat 9.0)<---> 192.168.1.1(freeBSD 4.9)
>>> --- 192.168.2.1 --- 192.168.2.2 (WindowsXP client)
>>>
>>> where 192.168.1.91 (redhat 9.0) and 192.168.1.1 (freeBSD 4.9) are two
>>> openvpn gateways,
>>> 172.16.0.1 is an alias IP address of 192.168.1.91. ( because lack of
>>> nework card)
>>> 192.168.2.1 is a second nework card in the same box of 192.168.1.1
>>> (freeBSD).
>>> 192.168.2.2 (WindowsXP) is a client machine without OpenVPN installed
>>> and sit behind 192.168.1.1 gateway.
>>>
>>> The connection from 192.168.1.1 to 172.16.0.1 usingi ssh works fine:
>>> root@... [2:46am] [/etc/openvpn]# ssh 172.16.0.1
>>> root@... password:
>>>
>>> ip forwarding in Redhat is turnned on:
>>> root@... [12:36am] [/etc/openvpn]# cat /proc/sys/net/ipv4/ip_forward
>>> 1
>>> ip forwarding in FreeBSD is also turned on:
>>> root@... [2:52am] [/etc/openvpn]# sysctl -a | grep forward
>>> net.inet.ip.forwarding: 1
>>>
>>> But login attempt  from 192.168.2.2 (windows xp) to 172.16.0.1 is 
>>> failed.
>>>
>>> What is wrong with the configuration I have in 2 openvpn gateways?
>>>
>>> The configuration of OpenVPN in either machine is as follow:
>>> FreeBSD:
>>> =======
>>> /etc/openvpn/server.conf:
>>> remote   192.168.1.91
>>> #proto      upd
>>> port        5000
>>> dev         tun3
>>>
>>> ifconfig   192.168.2.1 172.16.0.1
>>> up /etc/openvpn/home.up
>>>
>>> user nobody
>>> group nobody
>>>
>>> #comp-lzo
>>> ping 10
>>> verb 9
>>>
>>> /etc/openvpn/home.up:
>>> #!/bin/bash
>>> route add -net 172.16.0 192.168.1.1 255.255.255.0
>>>
>>> result of ifconfig -a in freeBSD:
>>> root@... [2:45am] [/etc/openvpn]# ifconfig -a
>>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>>>        inet6 fe80::202:b3ff:febb:a7a5%fxp0 prefixlen 64 scopeid 0x1
>>>        ether 00:02:b3:bb:a7:a5
>>>        media: Ethernet autoselect (10baseT/UTP)
>>>        status: active
>>> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>>>        inet6 fe80::202:b3ff:fe8a:c348%fxp1 prefixlen 64 scopeid 0x2
>>>        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>>>        ether 00:02:b3:8a:c3:48
>>>        media: Ethernet autoselect (10baseT/UTP)
>>>        status: active
>>> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>>>        inet6 ::1 prefixlen 128
>>>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>>>        inet 127.0.0.1 netmask 0xff000000
>>> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>>> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
>>> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>>> tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>>>        inet6 fe80::202:b3ff:febb:a7a5%tun3 prefixlen 64 scopeid 0x8
>>>        inet 192.168.2.1 --> 172.16.0.1 netmask 0xffffffff
>>>        Opened by PID 264
>>>
>>> Redhat:
>>> ======
>>> /etc/openvpn/server.conf:
>>> remote   192.168.1.1
>>> #proto      upd
>>> port        5000
>>> dev         tun0
>>>
>>> ifconfig   172.16.0.1 192.168.2.1
>>> up /etc/openvpn/home.up
>>>
>>> user nobody
>>> group nobody
>>>
>>> #comp-lzo
>>> ping 10
>>> verb 9
>>>
>>> /etc/openvpn/home.up:
>>> #!/bin/bash
>>> route add -net 192.168.2.0 netmask 255.255.255.0 gw $5
>>>
>>> result of ipconfig -a in Redhat:
>>> root@... [12:34am] [/etc/openvpn]# ifconfig -a
>>> eth0      Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>>>          inet addr:192.168.1.91  Bcast:192.168.1.255  
>>> Mask:255.255.255.0
>>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>          RX packets:7908 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:6289 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:2065 txqueuelen:100
>>>          RX bytes:1112845 (1.0 Mb)  TX bytes:1205461 (1.1 Mb)
>>>          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>>>
>>> eth0:0    Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>>>          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
>>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:0 txqueuelen:100
>>>          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>>>          Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>>>
>>> lo        Link encap:Local Loopback
>>>          inet addr:127.0.0.1  Mask:255.0.0.0
>>>          UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>          RX packets:184 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:0 txqueuelen:0
>>>          RX bytes:112144 (109.5 Kb)  TX bytes:112144 (109.5 Kb)
>>>
>>> tun0      Link encap:Point-to-Point Protocol
>>>          inet addr:172.16.0.1  P-t-P:192.168.2.1  Mask:255.255.255.255
>>>          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>>>          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:0 txqueuelen:100
>>>          RX bytes:15009 (14.6 Kb)  TX bytes:22816 (22.2 Kb)
>>>
>>> Thanks
>>> Sam
>>>
>>>

Hi,

What I see from your routing tables is that it does not agree with your
networks layout that you sent on a previous message.

In any case, in my opinion once the VPN is running, routing problems are
quite easy to solve.
Sometimes they do not pass through a firewall, sometimes the routing is not
ok, etc.

You have just to send packets from one endpoint, (i.e. ping) and find out on
the receiving endpoint where did those packets go or  got lost.

You should be able to ping, on a single PC each of its addresses, which
helps to locate the problem.

For example, from RedHat  (to  your FreeBSD):
1) ping 192.168.1.1 (WAN address)
of course this should work, otherwise you wont be able to establish the vpn

2) ping 192.168.0.2 (tun address)
this should also work, otherwise the vpn won´t  be working.
But it is usefull nevertheless to check that it  is ok.

3) ping 192.168.2.1 (LAN address)
this could not work, for example because of routing is not properly defined
in your "up" command, or because firewall  does not enable forwarding of the
packets.

I hope you get the idea, to proceed step by step, from the lower layer to
the upper.

Good luck!
Julio
///////////////////////////////
----- Original Message ----- 
From: "samwun" <samwun@...>
To: "Julio Maidanik" <juliomaidanik@...>;
<openvpn-users@...>
Sent: Saturday, May 15, 2004 12:52 AM
Subject: Re: [Openvpn-users] problem with connecting to private network


> samwun wrote:
>
> > Julio Maidanik wrote:
> >
> >> Hi,
> >> Your configuration seems wrong.
> >>
> >>
> >>
> >>
> >>> The configuration of OpenVPN in either machine is as follow:
> >>> FreeBSD:
> >>> =======
> >>> remote   192.168.1.91
> >>> #proto      upd
> >>> port        5000
> >>> dev         tun3
> >>>
> >>> ifconfig   192.168.2.1 172.16.0.1
> >>>
> >>>
> >>
> >>
> >> In your ifconfig the IP adresses should be  the tun  addresses of the
> >> endpoints.
> >> As far as I understand 192.168.2.1 is the LAN address of your gateway
> >> (as
> >> 192.168.2.2. is the WinXP on that same LAN), so the tun address
> >> should not
> >> be the same as your LAN address.
> >>
> >> The same holds true for the other gateway, in general you need three
> >> sets of
> >> addresses, each on different subnets (network address):
> >> 1) local and remote - real IPs connecting to the internet, or the WAN
> >> (as
> >> seems to be your case)
> >> 2) tun addresses - virtual private IPs making the tunnel, which
> >> should not
> >> interfere with any of the other network address.
> >> Those are the addresses which are defined on ifconfig.
> >> 3) LAN addresses - real private IPs. If not bridging both LANs have
> >> to have
> >> subnet addresses.
> >> To enable access to those addresses, they need to be entered in the
> >> route
> >> command, using tun endpoint as gateway.
> >>
> >> In short, IMHO, you need two  tun addresses, one for each endpoint of
> >> the
> >> tunnel, for example
> >> 192.168.0.1 and 192.168.0.2
> >>
> >>
> >>
> > thanks for your help, I have changed the ifconfig in the server.conf
> > according what you described:
> > in FreeBSD:
> > ==========
> > remote   192.168.1.91
> > #proto      upd
> > port        5000
> > dev         tun3
> >
> > ifconfig   192.168.0.2 192.168.0.1
> > up /etc/openvpn/home.up
> > down /etc/openvpn/home.down
> >
> > user nobody
> > group nobody
> >
> > #comp-lzo
> > ping 10
> > verb 9
> >
> > In Redhat:
> > =========
> > remote   192.168.1.1
> > #proto      upd
> > port        5000
> > dev         tun0
> >
> > ifconfig   192.168.0.1 192.168.0.2
> > up /etc/openvpn/home.up
> > down /etc/openvpn/home.down
> >
> > user nobody
> > group nobody
> >
> > #comp-lzo
> > ping 10
> > verb 9
> >
> > Now,  ping from FreeBSD to Redhat does not receive echo, but Ping from
> > Redhat to FreeBSD dose fine.
> >
> > How can I further investigate this problem?
> >
> > Sam
> >
> Here is result of the ifconfig/netstat in FreeBSD and Redhat:
> In FreeBSD:
> ==========
> root@... [2:32pm] [...local/classlib-2.1]# ifconfig -a
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::202:b3ff:febb:a7a5%fxp0 prefixlen 64 scopeid 0x1
>         ether 00:02:b3:bb:a7:a5
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>         inet6 fe80::202:b3ff:fe8a:c348%fxp1 prefixlen 64 scopeid 0x2
>         ether 00:02:b3:8a:c3:48
>         media: Ethernet autoselect (none)
>         status: no carrier
> ....
> tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>         inet6 fe80::202:b3ff:febb:a7a5%tun3 prefixlen 64 scopeid 0x8
>         inet 192.168.0.2 --> 192.168.0.1 netmask 0xffffffff
>         Opened by PID 265
> root@... [2:36pm] [...local/classlib-2.1]# netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            192.168.1.254      UGSc        4        0   fxp0
> 127.0.0.1          127.0.0.1          UH          1       24    lo0
> 172.16/24          192.168.1.1        UGSc        0        0   fxp0
> 192.168.0.1        192.168.0.2        UH          0      223   tun3
> 192.168.1          link#1             UC          4        0   fxp0
> 192.168.1.1        00:02:b3:bb:a7:a5  UHLW        1        0    lo0
> 192.168.1.91       00:90:27:57:59:8c  UHLW        4     8770   fxp0   1131
> 192.168.1.128      00:09:6b:8d:b2:67  UHLW        0      343   fxp0    941
> 192.168.1.254      00:02:b3:0b:3c:d1  UHLW        5       53   fxp0     72
> 192.168.2          link#2             UC          0        0   fxp1
>
> In Redhat:
> =============
> root@... [11:46am] [~]# ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>           inet addr:192.168.1.91  Bcast:192.168.1.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:39507 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:33214 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:7756 txqueuelen:100
>           RX bytes:4654082 (4.4 Mb)  TX bytes:5304575 (5.0 Mb)
>           Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
>
> eth0:0    Link encap:Ethernet  HWaddr 00:90:27:57:59:8C
>           inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:14 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:2936 (2.8 Kb)  TX bytes:2414 (2.3 Kb)
>           Interrupt:11 Base address:0xc400 Memory:e5104000-e5104038
> .....
> tun0      Link encap:Point-to-Point Protocol
>           inet addr:192.168.0.1  P-t-P:192.168.0.2  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:14 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:2936 (2.8 Kb)  TX bytes:2414 (2.3 Kb)
>
> root@... [11:46am] [~]# netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt
> Iface
> 192.168.0.2     0.0.0.0         255.255.255.255 UH        0 0          0
> tun0
> 192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0
> eth0
> 192.168.2.0     192.168.0.2     255.255.255.0   UG        0 0          0
> tun0
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0
> eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0
> eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0
lo
> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0
> eth0
> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0
> eth0
> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0
> eth0
>
> Thanks
> Sam
>

Dear all,

I m a bit confuse with the key used with the certificates in OpenVPN.
In the sample-keys/ directory, there are files tmp-ca.crt, client.crt, 
server.crt, client.key and server.key.
As far as I understanding, each of them is indicated as: (please correct 
me if I am wrong)

tmp-ca.crt --- a Root CA certificate to be used in clients and server 
openvpn. This crt is make sure certificate used in the local enviornment 
is signed by the Root CA.
client.crt --- like a public key, a client's certificate used in a 
client openvpn.
server.crt --- like a public key, a server's certificate used in a 
server openvpn.
client.key -- I m not sure why have a key here.
server.key --- not sure either.

Can anyone please also explain to me why use client.key and server.key 
with tls-server in the "mode server" mode?

Thanks
sam

On Mon, May 17, 2004 at 11:49:12PM +0800, samwun wrote:

> client.key -- I m not sure why have a key here.

The clients private key. Must /never/ leave the client

> server.key --- not sure either.

The servers private key. Must /never/ leave the server.

HTH,
Rainer

Rainer Sokoll wrote:

>On Mon, May 17, 2004 at 11:49:12PM +0800, samwun wrote:
>
>  
>
>>client.key -- I m not sure why have a key here.
>>    
>>
>
>The clients private key. Must /never/ leave the client
>
>  
>
>>server.key --- not sure either.
>>    
>>
>
>The servers private key. Must /never/ leave the server.
>
>HTH,
>Rainer
>
>
>  
>
Thanks for the reply.
Can I use ssh-keygen or openssl to generate the private key and used it 
in client and server respectively?
I saw a command like :  openssl --genkey , is this will generate a 
private key or just a pre-shared key.

Sam.

On Tue, May 18, 2004 at 12:03:23AM +0800, samwun wrote:

> I saw a command like :  openssl --genkey , is this will generate a 
> private key or just a pre-shared key.

I used the scripts from the subdirectory "easy-rsa" that came with the
source. Included is a step-by-step guide.
Very useful at least for me.

Rainer