From: Christopher <dis...@re...> - 2008-06-05 20:11:21
I have 13 clients, of these only 2 are disconnecting, like this.

Client log:

Thu Jun 05 13:10:21 2008 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
Thu Jun 05 13:10:21 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jun 05 13:10:21 2008 LZO compression initialized
Thu Jun 05 13:10:21 2008 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jun 05 13:10:21 2008 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jun 05 13:10:21 2008 Local Options hash (VER=V4): '31fdf004'
Thu Jun 05 13:10:21 2008 Expected Remote Options hash (VER=V4): '3e6d1056'
Thu Jun 05 13:10:21 2008 Attempting to establish TCP connection with 68.228.1.248:1194
Thu Jun 05 13:10:21 2008 TCP connection established with 68.228.x.x:1194
Thu Jun 05 13:10:21 2008 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jun 05 13:10:21 2008 TCPv4_CLIENT link local: [undef]
Thu Jun 05 13:10:21 2008 TCPv4_CLIENT link remote: 68.228.x.x:1194
Thu Jun 05 13:10:21 2008 TLS: Initial packet from 68.228.x.x:1194, sid=f336e75a 8d2785df
Thu Jun 05 13:10:22 2008 VERIFY OK: depth=1, /C=US/ST=LA/L=Lafayette/O=Xxxxx_Communications/CN=68.228.x.x/emailAddress=su...@ov...
Thu Jun 05 13:10:22 2008 VERIFY OK: depth=0, /C=US/ST=LA/O=Xxxxx_Communications/CN=server/emailAddress=su...@ov...
Thu Jun 05 13:10:23 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 05 13:10:23 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 05 13:10:23 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 05 13:10:23 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 05 13:10:23 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 05 13:10:23 2008 [server] Peer Connection Initiated with 68.228.x.x:1194
Thu Jun 05 13:10:24 2008 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jun 05 13:10:25 2008 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option WINS 10.8.0.1,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.8 255.255.255.0'
Thu Jun 05 13:10:25 2008 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 05 13:10:25 2008 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 05 13:10:25 2008 OPTIONS IMPORT: route options modified
Thu Jun 05 13:10:25 2008 OPTIONS IMPORT: route-related options modified
Thu Jun 05 13:10:25 2008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jun 05 13:10:25 2008 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0E5F3521-081A-45EF-A876-14729574D432}.tap
Thu Jun 05 13:10:25 2008 TAP-Win32 Driver Version 9.3
Thu Jun 05 13:10:25 2008 TAP-Win32 MTU=1500
Thu Jun 05 13:10:25 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.8/255.255.255.0 on interface {0E5F3521-081A-45EF-A876-14729574D432} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
Thu Jun 05 13:10:25 2008 NOTE: FlushIpNetTable failed on interface [3] {0E5F3521-081A-45EF-A876-14729574D432} (status=6) : The handle is invalid.
Thu Jun 05 13:10:30 2008 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Jun 05 13:10:30 2008 route ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.1
Thu Jun 05 13:10:30 2008 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Thu Jun 05 13:10:30 2008 Route addition via IPAPI failed [adaptive]
Thu Jun 05 13:10:30 2008 Route addition fallback to route.exe
The route addition failed: Network access is denied.
Thu Jun 05 13:10:30 2008 Initialization Sequence Completed
Thu Jun 05 13:10:33 2008 Connection reset, restarting [-1]
Thu Jun 05 13:10:33 2008 TCP/UDP: Closing socket
Thu Jun 05 13:10:33 2008 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jun 05 13:10:33 2008 Restart pause, 5 second(s)
Thu Jun 05 13:10:38 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jun 05 13:10:38 2008 Re-using SSL/TLS context
Thu Jun 05 13:10:38 2008 LZO compression initialized
Thu Jun 05 13:10:38 2008 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jun 05 13:10:38 2008 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jun 05 13:10:38 2008 Local Options hash (VER=V4): '31fdf004'
Thu Jun 05 13:10:38 2008 Expected Remote Options hash (VER=V4): '3e6d1056'
Thu Jun 05 13:10:38 2008 Attempting to establish TCP connection with 68.228.1.248:1194
Thu Jun 05 13:10:38 2008 TCP connection established with 68.228.x.x:1194
Thu Jun 05 13:10:38 2008 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jun 05 13:10:38 2008 TCPv4_CLIENT link local: [undef]
Thu Jun 05 13:10:38 2008 TCPv4_CLIENT link remote: 68.228.x.x:1194
Thu Jun 05 13:10:38 2008 TLS: Initial packet from 68.228.x.x:1194, sid=39eac054 fedea4cb
Thu Jun 05 13:10:39 2008 VERIFY OK: depth=1, /C=US/ST=LA/L=Lafayette/O=Xxxxx_Communications/CN=68.228.x.x/emailAddress=su...@ov...
Thu Jun 05 13:10:39 2008 VERIFY OK: depth=0, /C=US/ST=LA/O=Xxxxx_Communications/CN=server/emailAddress=su...@ov...
Thu Jun 05 13:10:40 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 05 13:10:40 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 05 13:10:40 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 05 13:10:40 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 05 13:10:40 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 05 13:10:40 2008 [server] Peer Connection Initiated with 68.228.x.x:1194
Thu Jun 05 13:10:41 2008 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jun 05 13:10:41 2008 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option WINS 10.8.0.1,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.8 255.255.255.0'
Thu Jun 05 13:10:41 2008 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 05 13:10:41 2008 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 05 13:10:41 2008 OPTIONS IMPORT: route options modified
Thu Jun 05 13:10:41 2008 OPTIONS IMPORT: route-related options modified
Thu Jun 05 13:10:41 2008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jun 05 13:10:41 2008 Preserving previous TUN/TAP instance: Local Area Connection 3
Thu Jun 05 13:10:41 2008 Initialization Sequence Completed

It will continue to do this.

Client config:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 68.228.x.x 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert rayne.crt
key rayne.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Does anyone know what to do?
From: Josh C. <jos...@us...> - 2008-06-05 22:25:51
Christopher wrote:
> I have 13 clients, of these only 2 are disconnecting, like this…
>
> Client log:
>
> Thu Jun 05 13:10:21 2008 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
[.. cut ..]
> Thu Jun 05 13:10:25 2008 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0E5F3521-081A-45EF-A876-14729574D432}.tap
> Thu Jun 05 13:10:25 2008 TAP-Win32 Driver Version 9.3
> Thu Jun 05 13:10:25 2008 TAP-Win32 MTU=1500
> Thu Jun 05 13:10:25 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.8/255.255.255.0 on interface {0E5F3521-081A-45EF-A876-14729574D432} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
> Thu Jun 05 13:10:25 2008 NOTE: FlushIpNetTable failed on interface [3] {0E5F3521-081A-45EF-A876-14729574D432} (status=6) : The handle is invalid.
> Thu Jun 05 13:10:30 2008 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
> Thu Jun 05 13:10:30 2008 route ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.1
> Thu Jun 05 13:10:30 2008 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
> Thu Jun 05 13:10:30 2008 Route addition via IPAPI failed [adaptive]
> Thu Jun 05 13:10:30 2008 Route addition fallback to route.exe
> The route addition failed: Network access is denied.
[.. cut ..]

It looks like the process isn't running as a user with administrator privileges since it is unable to set an IP or add routes. If you're using the GUI you will need to start it under an administrator account so the OpenVPN process has the necessary rights to configure the network.

With Windows Vista when UAC is enabled, even an administrator account must right click on the GUI application and select "run as administrator" for the process to have the necessary permissions.

--
Josh
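
An added example, not part of either post: a small Python triage pass over client log lines like those above, flagging the access-denied route failures Josh points to, the server certificate verification warning, and the reset/restart cycle. The rule names are hypothetical and the sample is a few lines copied from the posted log.

```python
import re

# Constructed sample: a few lines copied from the client log posted in this thread.
SAMPLE_LOG = """\
Thu Jun 05 13:10:21 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jun 05 13:10:30 2008 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Thu Jun 05 13:10:30 2008 Route addition fallback to route.exe
The route addition failed: Network access is denied.
Thu Jun 05 13:10:30 2008 Initialization Sequence Completed
Thu Jun 05 13:10:33 2008 Connection reset, restarting [-1]
Thu Jun 05 13:10:33 2008 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jun 05 13:10:38 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
"""

# Hypothetical rule names; each pattern is message text visible in the log above.
RULES = {
    "no_server_cert_verification": re.compile(r"No server certificate verification method"),
    "insufficient_privileges": re.compile(r"route addition failed.*access is denied", re.I),
    "connection_reset": re.compile(r"Connection reset, restarting|SIGUSR1\[soft,connection-reset\]"),
}
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4} ")

def triage(log_text):
    """Return {rule_name: [message, ...]} for every rule that matched a line."""
    findings = {}
    for line in log_text.splitlines():
        message = TIMESTAMP.sub("", line).strip()  # route.exe output has no timestamp
        for name, pattern in RULES.items():
            if pattern.search(message):
                findings.setdefault(name, []).append(message)
    return findings

def summarize(findings):
    """Map findings to the fix named in the thread or in the log warning itself."""
    notes = []
    if "insufficient_privileges" in findings:
        notes.append("start OpenVPN (or the GUI) with administrator rights")
    if "no_server_cert_verification" in findings:
        notes.append("enable server certificate verification (ns-cert-type server in the client config)")
    if "connection_reset" in findings:
        notes.append("connection reset followed by a restart was observed")
    return notes
```
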