[Openvpn-users] openvpn iptables and ipfwadm (freesco)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I seem to be having a problem much like a couple of threads I've been
following closely.

I am using udp for the protocol.  On the server side OpenVPN is running
in xinetd using Redhat 8 with 1.5b7 and iptables.  These machines are
not NAT'ed.

On the client side I have tried this with XP and W2k behind a Freesco
firewall running ipfwadm and OpenVPN 1.5b12.  This client machine is
NAT'ed.  I have port 5030 as the connecting port on both sides.  In
freesco I have this port forwarded to the correct IP address on the
client side lan.

On the server side the address range of the lan that I connect to is
128.1.0.0/16 with the bridge setup with an unused ip in this range.  On
the client side the lan address range is 192.168.0.0/24 with the vpn
endpoint setup in the 128.1.0.0/16 range again with an unused ip on the
 128.1.0.0/16 side.  IPTABLES is set just as the one shown in the
readme using both port acceptance and the tap+ packet inspection.

For awhile I thought, much like one of the threads I've been following,
that OpenVPN was dying when run as a daemon or in xinetd.  After
several weeks of troubleshooting this and trying various configurations
I believe it is on the client side, either with ipfwadm needing some
other setting or something with Windows.  I still am not sure though.

When I first start openvpn it will start ok and make a stable
connection. Sometime within 1 to 12 hours it will die-usually in the
shorter time range.  When watching the NIC status I see that OpenVPN is
sending out packets but not receiving any.

As far as restarting goes, sometimes I can restart OpenVPN and it will
come up.  At other times I have to restart the freesco firewall to get
it to come up.  If things really get hosed I need to restart all three.
 I have yet to find a pattern with this.

Below is a restart on the command line that didn't complete the
connection.  The output is from pressing F2 on the command line as
suggested in some of the posts.

verb 2:

Sat Oct 18 13:03:35 2003 7: TAP-Win32 MTU=1500
Sat Oct 18 13:03:35 2003 8: Successful ARP Flush on interface
[100663298] {DF823
495-B930-482A-AA98-926F2867338C}
Sat Oct 18 13:03:35 2003 9: NOTE: could not delete previously set
dynamic IP/net
mask: 169.254.7.55/255.255.0.0 (status=31)
Sat Oct 18 13:03:35 2003 10: Succeeded in adding a temporary IP/netmask
of 128.1
.1.68/255.255.0.0 to interface {DF823495-B930-482A-AA98-926F2867338C}
using the
Win32 IP Helper API
Sat Oct 18 13:03:35 2003 11: Data Channel MTU parms [ L:1576 D:1576
EF:44 EB:0 E
T:32 ]
Sat Oct 18 13:03:35 2003 12: Local Options hash (VER=V3): 'b32a2ff9'
Sat Oct 18 13:03:35 2003 13: Expected Remote Options hash (VER=V3):
'b32a2ff9'
Sat Oct 18 13:03:35 2003 14: UDPv4 link local (bound): [undef]:5030
Sat Oct 18 13:03:35 2003 15: UDPv4 link remote:
my.remote.openvpn.machine:5030
Sat Oct 18 13:03:59 2003 16: Current OpenVPN Statistics:
Sat Oct 18 13:03:59 2003 17:  TUN/TAP read bytes:         2313
Sat Oct 18 13:03:59 2003 18:  TUN/TAP write bytes:           0
Sat Oct 18 13:03:59 2003 19:  TCP/UDP read bytes:            0
Sat Oct 18 13:03:59 2003 20:  TCP/UDP write bytes:        3024
Sat Oct 18 13:03:59 2003 21:  Auth read bytes:               0
Sat Oct 18 13:03:59 2003 22:  TAP-WIN32 driver status: State=AT?C
Err=[(null)/0]
 #O=2 Tx=[22,0] Rx=[0,0] IrpQ=[1,1,16] PktQ=[0,1,64]

Here is F2 on a successful connection after restart the client side
(ipfwadm) firewall and OpenPVN with verb 5:

Sat Oct 18 13:26:14 2003 22: NOTE: could not delete previously set
dynamic IP/ne
tmask: 128.1.201.13/255.255.0.0 (status=31)
Sat Oct 18 13:26:14 2003 23: Succeeded in adding a temporary IP/netmask
of 128.1
.1.68/255.255.0.0 to interface {DF823495-B930-482A-AA98-926F2867338C}
using the
Win32 IP Helper API
Sat Oct 18 13:26:14 2003 24: Data Channel MTU parms [ L:1576 D:1576
EF:44 EB:0 E
T:32 ]
Sat Oct 18 13:26:14 2003 25: Local Options String: 'V3,dev-type
tap,link-mtu 157
6,tun-mtu 1532,proto UDPv4,ifconfig 128.1.0.0 255.255.0.0,cipher
BF-CBC,auth SHA
1,keysize 128,secret'
Sat Oct 18 13:26:14 2003 26: Expected Remote Options String:
'V3,dev-type tap,li
nk-mtu 1576,tun-mtu 1532,proto UDPv4,ifconfig 128.1.0.0
255.255.0.0,cipher BF-CB
C,auth SHA1,keysize 128,secret'
Sat Oct 18 13:26:14 2003 27: Local Options hash (VER=V3): 'b32a2ff9'
Sat Oct 18 13:26:14 2003 28: Expected Remote Options hash (VER=V3):
'b32a2ff9'
Sat Oct 18 13:26:14 2003 29: UDPv4 link local (bound): [undef]:5030
Sat Oct 18 13:26:14 2003 30: UDPv4 link remote:
my.remote.openvpn.machine:5030
WrWrWRSat Oct 18 13:26:14 2003 31: Peer Connection Initiated with
remote my.remote.openvpn.machine:5
030
wrWRwRwrWRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwrWRwRwRwRwRwrWRwRwRwRwrWr
WrWRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwR
wRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwR
wRwRwRwRwRwRwRwRwRwRwRwRwRwRwSat Oct 18 13:26:20 2003 32: Current
OpenVPN Statis
tics:
Sat Oct 18 13:26:20 2003 33:  TUN/TAP read bytes:          881
Sat Oct 18 13:26:20 2003 34:  TUN/TAP write bytes:       12700
Sat Oct 18 13:26:20 2003 35:  TCP/UDP read bytes:        17700
Sat Oct 18 13:26:20 2003 36:  TCP/UDP write bytes:        1420
Sat Oct 18 13:26:20 2003 37:  Auth read bytes:           12700
Sat Oct 18 13:26:20 2003 38:  TAP-WIN32 driver status: State=AT?C
Err=[(null)/0]
 #O=2 Tx=[99,0] Rx=[1089,0] IrpQ=[1,1,16] PktQ=[0,2,64]
RwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRw

I have tried various input, output and forward settings with ipfwadm
but the results always seem to be the same.

Client configuration files:
remote my.remote.openvpn.machine
port 5030
proto udp
dev tap
dev-node tap
ifconfig 128.1.1.68 255.255.0.0
float
secret "c:\program files\openvpn\config\key"
persist-tun
persist-key
ping 15
mssfix
verb 5
mute 10

xinetd config file:
service openvpn
{
        type            = UNLISTED
        port            = 5030
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/local/sbin/openvpn
        server_args     = --inetd --dev tap30 --secret /etc/openvpn/key
--persist-tun --persist-key --user nobody --float
}

Any ideas on this are appreciated.

Thanks,
John

=====
Happiness is understanding how things work.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

[Openvpn-users] openvpn iptables and ipfwadm (freesco)

Robust and flexible VPN network tunnelling

[Openvpn-users] openvpn iptables and ipfwadm (freesco)