I discovered that if I place the "ccd-exclusive" configuration, clients don't connect at all, and I have the following log, stating that it cannot authenticate...the file specified in the log exists and contains the push for the IP:
Wed Jul 4 15:30:03 2007 1.228.254.152:1269 VERIFY OK: depth=1, /C=IT/ST=MI/L=CONCOREZZO/O=MacDue/CN=www.macdueplanet.com/emailAddress=info@xxxxxxxxxx
Wed Jul 4 15:30:03 2007 1.228.254.152:1269 VERIFY OK: depth=0, /C=IT/ST=MI/O=MacDue/OU=Vulcano/CN=www.macdueplanet.com/emailAddress=info@xxxxxxxxxx
Wed Jul 4 15:30:04 2007 1.228.254.152:1269 TLS Auth Error: --client-config-dir authentication failed for common name 'www.macdueplanet.com' file='/iserver/etc/openvpn/ccd/www.macdueplanet.com'
Wed Jul 4 15:30:04 2007 1.228.254.152:1269 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Wed Jul 4 15:30:04 2007 1.228.254.152:1269 [www.macdueplanet.com] Peer Connection Initiated with 1.228.254.152:1269
Wed Jul 4 15:30:05 2007 1.228.254.152:1269 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jul 4 15:30:05 2007 1.228.254.152:1269 SENT CONTROL [www.macdueplanet.com]: 'AUTH_FAILED' (status=1)
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
From: Peter Barwich <pbarwich@xxxxxxxxxxx>
To: Gabriele Bulfon <gbulfon@xxxxxxxxxxx>
Date: 27 June 2007 16:14:18 CEST
Subject: Re: [Openvpn-users] client-config-dir not working
Gabriele,
Try the FAQ. (http://openvpn.net/faq.html)
and do a manual search for
"/30". The permitted pairs of addresses are 05,06; 09,10 etc. moving up
by 4 each time, so your pairing of 10,11 is invalid. Also look at the
howto (http://openvpn.net/howto.html)
with the same search on the page,
i.e. "/30" which gives the complete list copied below.
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
But why use dev tun? dev tap is often described as a bridged
configuration, and indeed it can be bridged (if your OS supports it; XP
does, Win2k doesn't) but it doesn't HAVE to be bridged. If you DON'T
bridge you just end up with a dual homed (2 IP addresses) OVPN server.
Mine is 192.168.2.50 (LAN) and 10.3.0.1 (VPN). VPN clients get 0.2;
0.3; 0.4 etc, which is nice and manageable and easy to remember. Other
LAN machines at the server end get access to all VPN clients by virtue
of a fixed route entered into my internet gateway router, which is at
192.168.2.1. The fixed route added is : -
destination IP 10.3.0.0
Subnet Mask 255.255.255.0
Gateway 192.168.2.50
Which allows the router/internet gateway to know to direct packets
destined for the VPN, to the VPN server machine, from where OpenVPN
knows where the individual client currently is.
I have made no attempt to allow other machines on the CLIENT'S
LAN to have access to the VPN machines (though I understand this can be
done). In my case the clients could be anywhere and I absolutely do NOT
want strange machines getting to my LAN.
A bit more on this odd /30 subnet rule can be found at
http://osdir.com/ml/network.openvpn.devel/2004-03/msg00051.html
and at
http://openvpn.net/relnotes.html.
Also have a look at
http://openvpn.net/archive/openvpn-users/2005-09/msg00079.html.
This
makes it clear that James Yonan himself was unhappy with the /30 subnet
approach taken for dev tun type interfaces. It seems that this went
further, but the patch download appears to no longer be
available. However if you look at the man page for version 2.1 it
has been folded into that version with the --topology
directive. (see http://openvpn.net/man-beta.html
and again search for
"/30" on the page.)
If you do a search within the ovpn site for "/30 subnet" you'll get
hundreds of hits, many of which show people being very confused. If you
do the search with "sundman /30 subnet" you get a shorter list, and
Sundman, the author of openvpngui, is well informed. The
bottom line is that it seems to be a problem with windows, and you
should use the address pairs referred to above, then it will 'just
work'. But, as mentioned above, so does using dev tap, and it's much
more satisfactory to my mind.
Server Config: -
port 5800
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.3.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0" # Tells VPN client where my LAN machines are
client-config-dir client_configs # non default name; a subdirectory of C:\Program Files\OpenVPN\config which avoids the need for this \\ nonsense in windows addresses
push "dhcp-option DNS 10.3.0.1" # I run my own DNS server
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
mute 20
Client Config (client's name 'myacer'): -
client
remote <my (fixed) home ip>
float# not sure if this is needed
port 5800
proto tcp-client
dev tap
persist-key
persist-tun # Yes, you use the word 'tun' here, even though it's a tap connection!
ca ca.crt
cert myacer.crt
key myacer.key
ns-cert-type server
# If you have set the TAP-Win32 adapter Media Status property to "Always Connected"
# (which would allow you never to show the network icon in the tray; connected or not)
# then the following directive is useful to force the adaptor to switch either from an
# automatically generated IP (or, if that is disabled in the registry, 0.0.0.0), to the one
# assigned by the vpn server. Without it ovpn may "think" it has connected when it hasn't.
# Also it breaks long term IP leases, should you need to change your server/client IP pool.
dhcp-renew
ping 10 # Probably should be removed, throws minor error in logs. And it pulls the directive from the server later anyway
comp-lzo
verb 4
mute 10
Client ccd file named "myacer" (no .abc type extension): -
ifconfig-push 10.3.0.2 255.255.255.0
Typical client connect log: -
Wed Jun 27 14:31:41 2007 us=125346 Current Parameter Settings:
Wed Jun 27 14:31:41 2007 us=125407 config = 'connect to annie.ovpn'
Wed Jun 27 14:31:41 2007 us=125418 mode = 0
Wed Jun 27 14:31:41 2007 us=125428 show_ciphers = DISABLED
Wed Jun 27 14:31:41 2007 us=125438 show_digests = DISABLED
Wed Jun 27 14:31:41 2007 us=125447 show_engines = DISABLED
Wed Jun 27 14:31:41 2007 us=125457 genkey = DISABLED
Wed Jun 27 14:31:41 2007 us=125466 key_pass_file = '[UNDEF]'
Wed Jun 27 14:31:41 2007 us=125476 show_tls_ciphers = DISABLED
Wed Jun 27 14:31:41 2007 us=125485 proto = 2
Wed Jun 27 14:31:41 2007 us=125494 NOTE: --mute triggered...
Wed Jun 27 14:31:41 2007 us=125522 178 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jun 27 14:31:41 2007 us=125535 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Jun 27 14:31:41 2007 us=131235 WARNING: --ping should normally be used with --ping-restart or --ping-exit #[wrong directive in client config file]
Wed Jun 27 14:31:41 2007 us=255457 LZO compression initialized
Wed Jun 27 14:31:41 2007 us=255594 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 27 14:31:41 2007 us=257556 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun 27 14:31:41 2007 us=257604 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Jun 27 14:31:41 2007 us=257618 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Jun 27 14:31:41 2007 us=263561 Local Options hash (VER=V4): '31fdf004'
Wed Jun 27 14:31:41 2007 us=263586 Expected Remote Options hash (VER=V4): '3e6d1056'
Wed Jun 27 14:31:41 2007 us=263611 Attempting to establish TCP connection with <my home ip>:5800
Wed Jun 27 14:31:41 2007 us=269077 TCP connection established with <my home ip>:5800
Wed Jun 27 14:31:41 2007 us=269115 Socket Buffers: R=[8192->8192] S=[32768->32768]
Wed Jun 27 14:31:41 2007 us=269133 TCPv4_CLIENT link local: [undef]
Wed Jun 27 14:31:41 2007 us=269145 TCPv4_CLIENT link remote: <my home ip>:5800
Wed Jun 27 14:31:41 2007 us=273992 TLS: Initial packet from <my home ip>:5800, sid=af372a1c 42cca8e3
Wed Jun 27 14:31:41 2007 us=367044 VERIFY OK: <cert info>
Wed Jun 27 14:31:41 2007 us=368590 VERIFY OK: nsCertType=SERVER
Wed Jun 27 14:31:41 2007 us=368606 VERIFY OK: <cert info>
Wed Jun 27 14:31:42 2007 us=126490 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 14:31:42 2007 us=126529 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 14:31:42 2007 us=126607 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 14:31:42 2007 us=126622 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 14:31:42 2007 us=128841 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 27 14:31:42 2007 us=128880 [server] Peer Connection Initiated with <my home ip>:5800
Wed Jun 27 14:31:43 2007 us=225767 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 27 14:31:43 2007 us=427804 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,dhcp-option DNS 10.3.0.1,route-gateway 10.3.0.1,ping 10,ping-restart 120,ifconfig 10.3.0.2 255.255.255.0'
Wed Jun 27 14:31:43 2007 us=427896 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 27 14:31:43 2007 us=427907 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 27 14:31:43 2007 us=427916 OPTIONS IMPORT: route options modified
Wed Jun 27 14:31:43 2007 us=427926 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 27 14:31:43 2007 us=555157 TAP-WIN32 device [VPN] opened: \\.\Global\{B64A94F5-811D-49AE-A709-3FA0404A6FE3}.tap
Wed Jun 27 14:31:43 2007 us=556055 TAP-Win32 Driver Version 8.4
Wed Jun 27 14:31:43 2007 us=556505 TAP-Win32 MTU=1500
Wed Jun 27 14:31:43 2007 us=556901 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.3.0.2/255.255.255.0 on interface {B64A94F5-811D-49AE-A709-3FA0404A6FE3} [DHCP-serv: 10.3.0.0, lease-time: 31536000]
Wed Jun 27 14:31:43 2007 us=556923 DHCP option string: 06040a03 0001
Wed Jun 27 14:31:43 2007 us=559573 Successful ARP Flush on interface [4] {B64A94F5-811D-49AE-A709-3FA0404A6FE3}
Wed Jun 27 14:31:43 2007 us=662327 WARNING: Failed to renew DHCP IP address lease on TAP-Win32 adapter: The system cannot find the file specified. (code=2)
############[A funny one this. I think it's because the adaptor already HAS the 10.3.0.2 address. The connection IS made, and the address IS correct. It's definitely related to the dhcp-renew directive in the client file]#############################
Wed Jun 27 14:31:43 2007 us=672438 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:43 2007 us=672470 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:44 2007 us=781943 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:44 2007 us=781973 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:45 2007 us=881276 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:45 2007 us=881306 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:46 2007 us=981821 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:46 2007 us=981849 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:48 2007 us=116714 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Jun 27 14:31:48 2007 us=116745 Route: Waiting for TUN/TAP interface to come up...
Wed Jun 27 14:31:49 2007 us=65024 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 27 14:31:49 2007 us=65061 route ADD 192.168.2.0 MASK 255.255.255.0 10.3.0.1
Wed Jun 27 14:31:49 2007 us=76721 Route addition via IPAPI succeeded
Wed Jun 27 14:31:49 2007 us=76753 Initialization Sequence Completed
Hope this helps,
Peter
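An added example, written for this archive and not code from the thread or from OpenVPN itself: a small Python linter for a client-config-dir that ties together the two things discussed in the thread, the ccd-exclusive failure line in Gabriele's server log and the /30 endpoint-pair rule for dev tun that Peter lists (with the address-plus-netmask form for dev tap that he explains in his earlier reply). The SAMPLE_CCD dict stands in for a real ccd directory (file name to contents) so the example runs offline; its file names, addresses and the function names are my constructions, while SAMPLE_LOG is the failure line quoted in the first message. The check reports, per ccd file, whether the ifconfig-push pair is a valid /30 client/server pair (and says which pair it should be), whether the address is inside the server pool, and whether another ccd file already pushes the same address; for the log line it extracts the CN and says whether an entry with exactly that name (or the DEFAULT fallback file) exists.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a --client-config-dir: file name -> file contents.
SAMPLE_CCD: Dict[str, str] = {
    "www.macdueplanet.com": "ifconfig-push 10.1.1.13 10.1.1.14\n",   # valid /30 pair
    "cassa1.macdue.eu": "ifconfig-push 10.1.1.10 10.1.1.11\n",      # not a /30 pair
    "cassa2.macdue.eu": "ifconfig-push 10.1.1.5 10.1.1.6\n",        # valid /30 pair
    "cassa3.macdue.eu": "# stale copy of cassa2\nifconfig-push 10.1.1.5 10.1.1.6\n",
    "myacer": "ifconfig-push 10.3.0.2 255.255.255.0\n",             # dev tap style
}

# Server log line quoted in the first message of this thread.
SAMPLE_LOG = ("Wed Jul 4 15:30:04 2007 1.228.254.152:1269 TLS Auth Error: "
              "--client-config-dir authentication failed for common name "
              "'www.macdueplanet.com' file='/iserver/etc/openvpn/ccd/www.macdueplanet.com'")

CCD_FAIL_RE = re.compile(
    r"--client-config-dir authentication failed for common name '([^']+)' file='([^']+)'")


def parse_ifconfig_push(text: str) -> Optional[Tuple[str, str]]:
    """Return the two arguments of the first ifconfig-push line, ignoring # and ; comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ifconfig-push":
            return parts[1], parts[2]
    return None


def expected_p2p_pair(client: str) -> Tuple[str, str]:
    """Under the 2.0 dev tun topology the pair must be the two usable hosts of the /30
    that contains the client address, client first (last octets 1,2 / 5,6 / 9,10 ...)."""
    net = ipaddress.ip_network(f"{client}/30", strict=False)
    lo, hi = list(net.hosts())
    return str(lo), str(hi)


def check_ccd(ccd: Dict[str, str], dev: str, pool: str) -> Dict[str, List[str]]:
    """Lint every ccd entry for a device type ('tun' or 'tap') and server pool
    (e.g. '10.1.1.0/24'). Returns {file name: [problem, ...]}; [] means clean."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    problems: Dict[str, List[str]] = {name: [] for name in ccd}
    owner: Dict[str, str] = {}  # client address -> ccd file that already pushes it
    for name, text in ccd.items():
        push = parse_ifconfig_push(text)
        if push is None:
            problems[name].append("no ifconfig-push line")
            continue
        first, second = push
        try:
            client = ipaddress.ip_address(first)
        except ValueError:
            problems[name].append(f"bad client address {first!r}")
            continue
        if client not in pool_net:
            problems[name].append(f"{first} is outside the server pool {pool_net}")
        if dev == "tun":
            want = expected_p2p_pair(first)
            if (first, second) != want:
                problems[name].append(
                    f"{first} {second} is not a /30 endpoint pair; use {want[0]} {want[1]}")
        else:
            try:  # dev tap: the second argument is a netmask, not a peer address
                ipaddress.ip_network(f"{first}/{second}", strict=False)
            except ValueError:
                problems[name].append(
                    f"{second!r} is not a netmask (dev tap wants address + netmask)")
        if first in owner:
            problems[name].append(f"{first} is already pushed to {owner[first]}")
        else:
            owner[first] = name
    return problems


def explain_ccd_failure(log_line: str, ccd: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Pull the CN and expected file out of a ccd-exclusive failure line and report
    whether the ccd dir has an entry with exactly that name (or a DEFAULT file)."""
    m = CCD_FAIL_RE.search(log_line)
    if not m:
        return None
    cn, path = m.groups()
    entry = "present" if cn in ccd else ("default" if "DEFAULT" in ccd else "missing")
    return {"cn": cn, "file": path, "entry": entry}


if __name__ == "__main__":
    for name, probs in check_ccd(SAMPLE_CCD, "tun", "10.1.1.0/24").items():
        print(f"{name}: {'ok' if not probs else '; '.join(probs)}")
    print(explain_ccd_failure(SAMPLE_LOG, SAMPLE_CCD))
```

Two caveats when reading the result against a real server. The name comparison here is literal, whereas OpenVPN derives the file name from the CN and rewrites characters that are unsafe in a file name. And OpenVPN's own test for the ccd file is simply whether the daemon can open it for reading, so once privileges have been dropped with --user/--group an existing but unreadable file produces exactly the same "authentication failed ... file=" line as a missing one; the log line alone does not distinguish the two, so check ownership and mode of the file as seen by the unprivileged user.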
Gabriele Bulfon wrote:
Maybe you can point me to some other tip.
As you say, I use the tun interface, specify a client-config-dir, place
the file as for the Subject CN (client crt for the generated key is [
Subject: C=IT, ST=MI, O=MacDue, CN = cassa1.macdue.eu / emailAddress
=info@xxxxxxxxxx ] , so ccd file is cassa1.macdue.eu ) containing
"ifconfig-push 10.1.1.10 10.1.1.11", but I still get the IPs in random
order. Meaning that if cassa2 comes first, it gets the ifconfig of
cassa1.
Where can I investigate more?
From: Peter Barwich <pbarwich@xxxxxxxxxxx>
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Date: 23 June 2007 17:03:15 CEST
Subject: Re: [Openvpn-users] client-config-dir not working
Gabriele
It may just be worth pointing out to you and other readers that Erich's
response applies ONLY to the dev tun interface (that you specified in
your original config file). For dev tap interfaces the second parameter
should be something like 255.255.255.0; the normal netmask for the
address you are trying to push. ifconfig-push takes the same parameters
as the ifconfig directive you are trying to implement on the client, so
see --ifconfig l rn in the man page for openvpn (about 1/6 the
way down). It took me a while to figure this out so maybe it'll save
someone else time.
Gabriele Bulfon wrote:
> Thanks for the reply.
> What is the meaning of ifconfig-push 10.1.1.7 10.1.1.8 ?
> Which of the IPs is the assigned IP?
One is assigned to the client and the other is the gateway on the server
end. IIRC the first is assigned to the client.
> I remember trying this, but I got some kind of debug on the client
> saying that the format was not fine, and that I should place the subnet
> mask after the IP...
Not with 2.0, I am not familiar with 2.1.
> Where do I place the default subnet other than /30?
You don't.....
From the howto I suggested to read:
Each pair of ifconfig-push addresses represent the virtual client and
server IP endpoints. They must be taken from successive /30 subnets in
order to be compatible with Windows clients and the TAP-Win32 driver.
Specifically, the last octet in the IP address of each endpoint pair
must be taken from this set:
cheers
Erich
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users