From: John L. <jli...@ya...> - 2003-10-18 18:46:10
I seem to be having a problem much like a couple of threads I've been following closely. I am using UDP for the protocol. On the server side OpenVPN is running in xinetd using Red Hat 8 with 1.5b7 and iptables. These machines are not NAT'ed. On the client side I have tried this with XP and W2k behind a Freesco firewall running ipfwadm and OpenVPN 1.5b12. This client machine is NAT'ed. I have port 5030 as the connecting port on both sides. In Freesco I have this port forwarded to the correct IP address on the client-side LAN. On the server side the address range of the LAN that I connect to is 128.1.0.0/16, with the bridge set up with an unused IP in this range. On the client side the LAN address range is 192.168.0.0/24, with the VPN endpoint set up in the 128.1.0.0/16 range, again with an unused IP on the 128.1.0.0/16 side. iptables is set just as the one shown in the README, using both port acceptance and the tap+ packet inspection.

For a while I thought, much like one of the threads I've been following, that OpenVPN was dying when run as a daemon or in xinetd. After several weeks of troubleshooting this and trying various configurations, I believe it is on the client side, either with ipfwadm needing some other setting or something with Windows. I still am not sure, though. When I first start OpenVPN it will start OK and make a stable connection. Sometime within 1 to 12 hours it will die, usually in the shorter time range. When watching the NIC status I see that OpenVPN is sending out packets but not receiving any. As far as restarting goes, sometimes I can restart OpenVPN and it will come up. At other times I have to restart the Freesco firewall to get it to come up. If things really get hosed I need to restart all three. I have yet to find a pattern with this.

Below is a restart on the command line that didn't complete the connection. The output is from pressing F2 on the command line, as suggested in some of the posts.
verb 2:

Sat Oct 18 13:03:35 2003 7: TAP-Win32 MTU=1500
Sat Oct 18 13:03:35 2003 8: Successful ARP Flush on interface [100663298] {DF823495-B930-482A-AA98-926F2867338C}
Sat Oct 18 13:03:35 2003 9: NOTE: could not delete previously set dynamic IP/netmask: 169.254.7.55/255.255.0.0 (status=31)
Sat Oct 18 13:03:35 2003 10: Succeeded in adding a temporary IP/netmask of 128.1.1.68/255.255.0.0 to interface {DF823495-B930-482A-AA98-926F2867338C} using the Win32 IP Helper API
Sat Oct 18 13:03:35 2003 11: Data Channel MTU parms [ L:1576 D:1576 EF:44 EB:0 ET:32 ]
Sat Oct 18 13:03:35 2003 12: Local Options hash (VER=V3): 'b32a2ff9'
Sat Oct 18 13:03:35 2003 13: Expected Remote Options hash (VER=V3): 'b32a2ff9'
Sat Oct 18 13:03:35 2003 14: UDPv4 link local (bound): [undef]:5030
Sat Oct 18 13:03:35 2003 15: UDPv4 link remote: my.remote.openvpn.machine:5030
Sat Oct 18 13:03:59 2003 16: Current OpenVPN Statistics:
Sat Oct 18 13:03:59 2003 17: TUN/TAP read bytes: 2313
Sat Oct 18 13:03:59 2003 18: TUN/TAP write bytes: 0
Sat Oct 18 13:03:59 2003 19: TCP/UDP read bytes: 0
Sat Oct 18 13:03:59 2003 20: TCP/UDP write bytes: 3024
Sat Oct 18 13:03:59 2003 21: Auth read bytes: 0
Sat Oct 18 13:03:59 2003 22: TAP-WIN32 driver status: State=AT?C Err=[(null)/0] #O=2 Tx=[22,0] Rx=[0,0] IrpQ=[1,1,16] PktQ=[0,1,64]

Here is F2 on a successful connection after restarting the client-side (ipfwadm) firewall and OpenVPN with verb 5:

Sat Oct 18 13:26:14 2003 22: NOTE: could not delete previously set dynamic IP/netmask: 128.1.201.13/255.255.0.0 (status=31)
Sat Oct 18 13:26:14 2003 23: Succeeded in adding a temporary IP/netmask of 128.1.1.68/255.255.0.0 to interface {DF823495-B930-482A-AA98-926F2867338C} using the Win32 IP Helper API
Sat Oct 18 13:26:14 2003 24: Data Channel MTU parms [ L:1576 D:1576 EF:44 EB:0 ET:32 ]
Sat Oct 18 13:26:14 2003 25: Local Options String: 'V3,dev-type tap,link-mtu 1576,tun-mtu 1532,proto UDPv4,ifconfig 128.1.0.0 255.255.0.0,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Oct 18 13:26:14 2003 26: Expected Remote Options String: 'V3,dev-type tap,link-mtu 1576,tun-mtu 1532,proto UDPv4,ifconfig 128.1.0.0 255.255.0.0,cipher BF-CBC,auth SHA1,keysize 128,secret'
Sat Oct 18 13:26:14 2003 27: Local Options hash (VER=V3): 'b32a2ff9'
Sat Oct 18 13:26:14 2003 28: Expected Remote Options hash (VER=V3): 'b32a2ff9'
Sat Oct 18 13:26:14 2003 29: UDPv4 link local (bound): [undef]:5030
Sat Oct 18 13:26:14 2003 30: UDPv4 link remote: my.remote.openvpn.machine:5030
WrWrWR
Sat Oct 18 13:26:14 2003 31: Peer Connection Initiated with remote my.remote.openvpn.machine:5030
wrWRwRwrWRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwrWRwRwRwRwRwrWRwRwRwRwrWrWrWRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRw
Sat Oct 18 13:26:20 2003 32: Current OpenVPN Statistics:
Sat Oct 18 13:26:20 2003 33: TUN/TAP read bytes: 881
Sat Oct 18 13:26:20 2003 34: TUN/TAP write bytes: 12700
Sat Oct 18 13:26:20 2003 35: TCP/UDP read bytes: 17700
Sat Oct 18 13:26:20 2003 36: TCP/UDP write bytes: 1420
Sat Oct 18 13:26:20 2003 37: Auth read bytes: 12700
Sat Oct 18 13:26:20 2003 38: TAP-WIN32 driver status: State=AT?C Err=[(null)/0] #O=2 Tx=[99,0] Rx=[1089,0] IrpQ=[1,1,16] PktQ=[0,2,64]
RwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRw

I have tried various input, output and forward settings with ipfwadm but the results always seem to be the same.
Client configuration file:

    remote my.remote.openvpn.machine
    port 5030
    proto udp
    dev tap
    dev-node tap
    ifconfig 128.1.1.68 255.255.0.0
    float
    secret "c:\program files\openvpn\config\key"
    persist-tun
    persist-key
    ping 15
    mssfix
    verb 5
    mute 10

xinetd config file:

    service openvpn
    {
        type        = UNLISTED
        port        = 5030
        socket_type = dgram
        protocol    = udp
        wait        = yes
        user        = root
        server      = /usr/local/sbin/openvpn
        server_args = --inetd --dev tap30 --secret /etc/openvpn/key --persist-tun --persist-key --user nobody --float
    }

Any ideas on this are appreciated.

Thanks,
John

=====
Happiness is understanding how things work.
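As an added example (not from the poster or the OpenVPN project), here is a small parser for the F2 statistics dump that flags the one-way condition described above, where the UDP write counter climbs while the read counter stays at 0, so the check can be scripted instead of eyeballed. The sample log is constructed from the numbers in the two dumps quoted in the post; the classification labels are my own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the two F2 dumps quoted above:
# first a link that only sends, then a healthy one after the restart.
SAMPLE_LOG = """\
Sat Oct 18 13:03:59 2003 16: Current OpenVPN Statistics:
Sat Oct 18 13:03:59 2003 17: TUN/TAP read bytes: 2313
Sat Oct 18 13:03:59 2003 18: TUN/TAP write bytes: 0
Sat Oct 18 13:03:59 2003 19: TCP/UDP read bytes: 0
Sat Oct 18 13:03:59 2003 20: TCP/UDP write bytes: 3024
Sat Oct 18 13:03:59 2003 21: Auth read bytes: 0
Sat Oct 18 13:26:20 2003 32: Current OpenVPN Statistics:
Sat Oct 18 13:26:20 2003 33: TUN/TAP read bytes: 881
Sat Oct 18 13:26:20 2003 34: TUN/TAP write bytes: 12700
Sat Oct 18 13:26:20 2003 35: TCP/UDP read bytes: 17700
Sat Oct 18 13:26:20 2003 36: TCP/UDP write bytes: 1420
Sat Oct 18 13:26:20 2003 37: Auth read bytes: 12700
"""

# "<timestamp> <msg#>: <counter name> bytes: <value>"
STAT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4}) \d+: "
    r"(?P<key>[A-Za-z/ ]+? bytes): (?P<val>\d+)$"
)
HEADER_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4}) \d+: Current OpenVPN Statistics:$")


def parse_stats(text: str) -> List[Dict[str, object]]:
    """Return one dict per 'Current OpenVPN Statistics:' block, keyed by counter name."""
    blocks: List[Dict[str, object]] = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            blocks.append({"ts": h.group("ts")})
            continue
        m = STAT_RE.match(line)
        if m and blocks:
            blocks[-1][m.group("key")] = int(m.group("val"))
    return blocks


def classify(block: Dict[str, object]) -> str:
    """Label a stats block: one-way (sending, nothing back), auth-failure, healthy or idle."""
    rx = int(block.get("TCP/UDP read bytes", 0))
    tx = int(block.get("TCP/UDP write bytes", 0))
    auth = int(block.get("Auth read bytes", 0))
    if tx > 0 and rx == 0:
        return "one-way"       # packets leave, none return: path/NAT/firewall problem
    if rx > 0 and auth == 0:
        return "auth-failure"  # datagrams arrive but none authenticate: key/options mismatch
    if rx > 0 and tx > 0:
        return "healthy"
    return "idle"
```

Feed it the saved console output of a dying session and a "one-way" verdict with a still-climbing TCP/UDP write counter points at the return path (NAT mapping or firewall state) rather than at the OpenVPN process itself.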