OK you can restore the mtu setting again... can you post the client log when trying to connect *without* the proxy (127.0.0.1:3128) ?

JJK

Tiger Big wrote:
> Hi, Jan
> I have tried to avoid using proxy and set tun-mtu to a lower value,
> but still the same result.
>
> BTW, if setting tun-mtu to 1200 in server conf, there will be a
> warning message saying:
>
> "WARNING: normally if you use --mssfix and/or --fragment, you should
> also set --tun-mtu 1500 (currently it is 1200)"
>
> I have no idea with that message.
>
> anyway, I'll try using a linux client to see if all those warnings
> comes out because of the windows platform.
>
> On Dec 7, 2007 6:14 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>
>> Hi Tiger Big,
>>
>> hmmm I misread your config file a little bit. I saw
>> tls-client
>> ifconfig <IP> <IP>
>> the first statement is a client/server setup (openvpn 2.x) whereas the
>> second statement is used mostly in point-to-point (openvpn 1.x) setups.
>> However, if you use
>> ifconfig <IP> <NETMASK>
>> which your config file shows then you're fine. Sorry about that.
>>
>> As for the warnings, your client log file shows that you're connecting
>> thru an HTTP proxy - I presume this is intentional; it might be best to
>> reflect this in the openvpn client config file. It should not make much
>> difference but you never know.
>>
>> Finally, try reducing the 'tun-mtu' parameter on both sides (to e.g.
>> 1200) and see if that helps at all.
>>
>> cheers,
>>
>> JJK
>>
>> Tiger Big wrote:
>>
>>> thanks Jan, but still the same results/warnings.
>>>
>>> one more question, why would you say "config files don't make sense" ?
>>> the only difference between my original conf and your modified version
>>> is the method of how to obtain IP address.
>>>
>>> On Dec 6, 2007 5:06 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>>>
>>>> your client and server config files don't make sense. Try this for the
>>>> server config:
>>>>
>>>> local xxx.xxx.org
>>>>
>>>> port 8080
>>>> proto tcp-server
>>>> tls-server
>>>> server 192.168.10.0 255.255.255.0
>>>>
>>>> dev tap0
>>>> cert X509/Server/server.crt
>>>> key X509/Server/server.key
>>>> dh X509/Server/dh1024.pem
>>>> ca X509/CA/ca.crt
>>>>
>>>> keepalive 10 120
>>>> user nobody
>>>> group nobody
>>>> persist-key
>>>> persist-tun
>>>> comp-lzo
>>>> verb 4
>>>> mute 10
>>>>
>>>> and this for the client
>>>>
>>>> local abc
>>>> remote xxx.xxx.org 8080
>>>>
>>>> proto tcp-client
>>>> tls-client
>>>> dev tap
>>>> dev-node tap0
>>>> nobind
>>>> cert D:\\OpenVPN\\easy-rsa\\keys\\Tiger.crt
>>>> key D:\\OpenVPN\\easy-rsa\\keys\\Tiger.key
>>>> ca D:\\OpenVPN\\easy-rsa\\keys\\ca.crt
>>>>
>>>> keepalive 10 120
>>>> comp-lzo
>>>> verb 4
>>>> mute 10
>>>>
>>>> HTH,
>>>>
>>>> JJK
>>>>
>>>> Tiger Big wrote:
>>>>
>>>>> Server Configuration (Linux):
>>>>> −−−−−−−−−−−−−−−−−−
>>>>> local xxx.xxx.org
>>>>> port 8080
>>>>> proto tcp-server
>>>>> tls-server
>>>>> dev tap0
>>>>> cert X509/Server/server.crt
>>>>> key X509/Server/server.key
>>>>> dh X509/Server/dh1024.pem
>>>>> ca X509/CA/ca.crt
>>>>> ifconfig 192.168.10.11 255.255.255.0
>>>>> keepalive 10 120
>>>>> user nobody
>>>>> group nobody
>>>>> persist-key
>>>>> persist-tun
>>>>> comp-lzo
>>>>> verb 4
>>>>> mute 10
>>>>> −−−−−−−−−−−−−−−−−−
>>>>>
>>>>> Client Configuration (WinXP):
>>>>> ------------------------------------------
>>>>> local abc
>>>>> remote xxx.xxx.org 8080
>>>>> proto tcp-client
>>>>> tls-client
>>>>> dev tap
>>>>> dev-node tap0
>>>>> nobind
>>>>> cert D:\\OpenVPN\\easy-rsa\\keys\\Tiger.crt
>>>>> key D:\\OpenVPN\\easy-rsa\\keys\\Tiger.key
>>>>> ca D:\\OpenVPN\\easy-rsa\\keys\\ca.crt
>>>>> ifconfig 192.168.10.11 255.255.255.0
>>>>> keepalive 10 120
>>>>> comp-lzo
>>>>> verb 4
>>>>> mute 10
>>>>> --------------------------------------------
>>>>>
>>>>> Output of Server:
>>>>> −−−−−−−−−−−−−−−−−−−−−−
>>>>> Wed Nov 7 22:46:52 2007 us=395451 OpenVPN 2.0.9 mipsel-unknown-linux
>>>>> [SSL] [LZO] built on Oct 8 2007
>>>>> Wed Nov 7 22:46:53 2007 us=139174 Diffie-Hellman initialized with
>>>>> 1024 bit key
>>>>> Wed Nov 7 22:46:53 2007 us=167393 LZO compression initialized
>>>>> Wed Nov 7 22:46:53 2007 us=177324 Control Channel MTU parms [ L:1576
>>>>> D:140 EF:40 EB:0 ET:0 EL:0 ]
>>>>> Wed Nov 7 22:46:53 2007 us=207122 TUN/TAP device tap0 opened
>>>>> Wed Nov 7 22:46:53 2007 us=209204 TUN/TAP TX queue length set to 100
>>>>> Wed Nov 7 22:46:53 2007 us=211730 /sbin/ifconfig tap0 192.168.10.11
>>>>> netmask 255.255.255.0
>>>>> mtu 1500 broadcast 192.168.10.255
>>>>>
>>>>> Wed Nov 7 22:46:53 2007 us=276813 Data Channel MTU parms [ L:1576
>>>>> D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
>>>>> Wed Nov 7 22:46:53 2007 us=278702 GID set to nobody
>>>>> Wed Nov 7 22:46:53 2007 us=279692 UID set to nobody
>>>>> Wed Nov 7 22:46:53 2007 us=280933 Listening for incoming TCP
>>>>> connection on 123.45.67.89:8080
>>>>>
>>>>> Wed Nov 7 22:47:00 2007 us=344674 TCP connection established with
>>>>> 98.76.54.32:48883
>>>>>
>>>>> Wed Nov 7 22:47:00 2007 us=345622 Socket Buffers: R=[43689->65534]
>>>>> S=[16384->65534]
>>>>> Wed Nov 7 22:47:00 2007 us=346587 TCPv4_SERVER link local (bound):
>>>>> 123.45.67.89:8080
>>>>>
>>>>> Wed Nov 7 22:47:00 2007 us=347462 TCPv4_SERVER link remote:
>>>>> 98.76.54.32:48883
>>>>>
>>>>> Wed Nov 7 22:47:00 2007 us=354161 TLS: Initial packet from
>>>>> 98.76.54.32:48883 sid=2e4d871b 12ba58ca
>>>>>
>>>>> Wed Nov 7 22:47:02 2007 us=930794 VERIFY OK: depth=1,
>>>>> /C=CN/ST=SH/L=SH/O=Company/OU=Building_3_/CN=WR850G/Email=xxx@xxxxxxx
>>>>> <mailto:xxx@xxxxxxx>
>>>>>
>>>>> Wed Nov 7 22:47:02 2007 us=953126 VERIFY OK: depth=0,
>>>>> /C=CN/ST=SH/O=Company/OU=Building_3_/CN=Tiger/Email= xxx@xxxxxxx
>>>>> <mailto:xxx@xxxxxxx>
>>>>>
>>>>> Wed Nov 7 22:47:04 2007 us=189347 Data Channel Encrypt: Cipher
>>>>> 'BF-CBC' initialized with 128 bit key
>>>>> Wed Nov 7 22:47:04 2007 us=192065 Data Channel Encrypt: Using 160 bit
>>>>> message hash 'SHA1' for HMAC authentication
>>>>> Wed Nov 7 22:47:04 2007 us=196237 Data Channel Decrypt: Cipher
>>>>> 'BF-CBC' initialized with 128 bit key
>>>>> Wed Nov 7 22:47:04 2007 us=198498 Data Channel Decrypt: Using 160 bit
>>>>> message hash 'SHA1' for HMAC authentication
>>>>> Wed Nov 7 22:47:04 2007 us=388832 Control Channel: TLSv1, cipher
>>>>> TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
>>>>> Wed Nov 7 22:47:04 2007 us=392021 [Tiger] Peer Connection Initiated
>>>>> with 98.76.54.32:48883
>>>>>
>>>>> Wed Nov 7 22:47:05 2007 us=629230 Initialization Sequence Completed
>>>>> −−−−−−−−−−−−−−−−−−−−−−
>>>>>
>>>>> Output of Client:
>>>>> -----------------------------------------------------
>>>>> Thu Nov 08 14:46:58 2007 us=24485 Current Parameter Settings:
>>>>> Thu Nov 08 14:46:58 2007 us=24531 config = 'client.ovpn'
>>>>> Thu Nov 08 14:46:58 2007 us=24541 mode = 0
>>>>> Thu Nov 08 14:46:58 2007 us=24552 show_ciphers = DISABLED
>>>>> Thu Nov 08 14:46:58 2007 us=24562 show_digests = DISABLED
>>>>> Thu Nov 08 14:46:58 2007 us=24572 show_engines = DISABLED
>>>>> Thu Nov 08 14:46:58 2007 us=24582 genkey = DISABLED
>>>>> Thu Nov 08 14:46:58 2007 us=24593 key_pass_file = '[UNDEF]'
>>>>> Thu Nov 08 14:46:58 2007 us=24603 show_tls_ciphers = DISABLED
>>>>> Thu Nov 08 14:46:58 2007 us=24614 proto = 2
>>>>> Thu Nov 08 14:46:58 2007 us=24624 NOTE: --mute triggered...
>>>>> Thu Nov 08 14:46:58 2007 us=24651 188 variation(s) on previous 10
>>>>> message(s) suppressed by --mute
>>>>> Thu Nov 08 14:46:58 2007 us=24666 OpenVPN 2.0.9 Win32-MinGW [SSL]
>>>>> [LZO] built on Oct 1 2006
>>>>> Thu Nov 08 14:46:58 2007 us=24748 IMPORTANT: OpenVPN's default port
>>>>> number is now 1194, based on an official port number assignment by
>>>>> IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
>>>>> Thu Nov 08 14:46:58 2007 us=24763 WARNING: No server certificate
>>>>> verification method has been enabled. See
>>>>> http://openvpn.net/howto.html#mitm for more info.
>>>>> Thu Nov 08 14:46:58 2007 us=26495 LZO compression initialized
>>>>> Thu Nov 08 14:46:58 2007 us=26589 Control Channel MTU parms [ L:1576
>>>>> D:140 EF:40 EB:0 ET:0 EL:0 ]
>>>>> Thu Nov 08 14:46:58 2007 us=46092 TAP-WIN32 device [tap0] opened:
>>>>> \\.\Global\{B45A907D-B030-4F6F-9FE1-001F6C3AEB48}.tap
>>>>> Thu Nov 08 14:46:58 2007 us=46122 TAP-Win32 Driver Version 8.4
>>>>> Thu Nov 08 14:46:58 2007 us=46135 TAP-Win32 MTU=1500
>>>>> Thu Nov 08 14:46:58 2007 us=46156 Notified TAP-Win32 driver to set a
>>>>> DHCP IP/netmask of 192.168.10.11/255.255.255.0
>>>>> on interface
>>>>>
>>>>> {B45A907D-B030-4F6F-9FE1-001F6C3AEB48} [DHCP-serv: 192.168.10.0
>>>>> lease-time: 31536000]
>>>>>
>>>>> Thu Nov 08 14:46:58 2007 us=53796 Successful ARP Flush on interface
>>>>> [3] {B45A907D-B030-4F6F-9FE1-001F6C3AEB48}
>>>>> Thu Nov 08 14:46:58 2007 us=55539 Data Channel MTU parms [ L:1576
>>>>> D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
>>>>> Thu Nov 08 14:46:58 2007 us=55586 Local Options String: 'V4,dev-type
>>>>> tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,ifconfig
>>>>> 192.168.10.0 255.255.255.0
>>>>> ,comp-lzo,cipher BF-CBC,auth SHA1,keysize
>>>>>
>>>>> 128,key-method 2,tls-client'
>>>>> Thu Nov 08 14:46:58 2007 us=55602 Expected Remote Options String:
>>>>> 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto
>>>>> TCPv4_SERVER,ifconfig 192.168.10.0 255.255.255.0
>>>>> ,comp-lzo,cipher BF-CBC,auth SHA1,keysize
>>>>>
>>>>> 128,key-method 2,tls-server'
>>>>> Thu Nov 08 14:46:58 2007 us=55634 Local Options hash (VER=V4): '1b763cc3'
>>>>> Thu Nov 08 14:46:58 2007 us=55652 Expected Remote Options hash
>>>>> (VER=V4): '2f5a5592'
>>>>> Thu Nov 08 14:46:58 2007 us=55680 Attempting to establish TCP
>>>>> connection with 127.0.0.1:3128
>>>>>
>>>>> Thu Nov 08 14:46:58 2007 us=63009 TCP connection established with
>>>>> 127.0.0.1:3128
>>>>>
>>>>> Thu Nov 08 14:46:58 2007 us=63039 Send to HTTP proxy: 'CONNECT
>>>>> xxx.xxx.org:8080 HTTP/1.0'
>>>>>
>>>>> Thu Nov 08 14:46:59 2007 us=159521 HTTP proxy returned: 'HTTP/1.1 200
>>>>> Connection established'
>>>>> Thu Nov 08 14:47:01 2007 us=158850 Socket Buffers: R=[8192->8192]
>>>>> S=[8192->8192]
>>>>> Thu Nov 08 14:47:01 2007 us=159020 TCPv4_CLIENT link local:
>>>>> 172.24.201.50
>>>>>
>>>>> Thu Nov 08 14:47:01 2007 us=159037 TCPv4_CLIENT link remote:
>>>>> 127.0.0.1:3128
>>>>>
>>>>> Thu Nov 08 14:47:01 2007 us=390961 TLS: Initial packet from
>>>>> 127.0.0.1:3128 , sid=9696962b 6944c74a
>>>>>
>>>>> Thu Nov 08 14:47:03 2007 us=206615 VERIFY OK: depth=1,
>>>>> /C=CN/ST=SH/L=SH/O=Company/OU=Building_3_/CN=WR850G/emailAddress=
>>>>> xxx@xxxxxxx <mailto:xxx@xxxxxxx>
>>>>>
>>>>> Thu Nov 08 14:47:03 2007 us=208774 VERIFY OK: depth=0,
>>>>> /C=CN/ST=SH/O=Company/OU=Building_3_/CN=Server/emailAddress=xxx@xxxxxxx
>>>>> <mailto:xxx@xxxxxxx>
>>>>>
>>>>> Thu Nov 08 14:47:05 2007 us=389449 NOTE: Options consistency check may
>>>>> be skewed by version differences
>>>>> Thu Nov 08 14:47:05 2007 us=389494 WARNING: 'version' is used
>>>>> inconsistently, local='version V4', remote='version V0 UNDEF'
>>>>> Thu Nov 08 14:47:05 2007 us=389513 WARNING: 'dev-type' is present in
>>>>> local config but missing in remote config, local='dev-type tap'
>>>>> Thu Nov 08 14:47:05 2007 us=389531 WARNING: 'link-mtu' is present in
>>>>> local config but missing in remote config, local='link-mtu 1576'
>>>>> Thu Nov 08 14:47:05 2007 us=389549 WARNING: 'tun-mtu' is present in
>>>>> local config but missing in remote config, local='tun-mtu 1532'
>>>>> Thu Nov 08 14:47:05 2007 us=389571 WARNING: 'proto' is present in
>>>>> local config but missing in remote config, local='proto TCPv4_SERVER'
>>>>> Thu Nov 08 14:47:05 2007 us=389607 WARNING: 'ifconfig' is present in
>>>>> local config but missing in remote config, local='ifconfig
>>>>> 192.168.10.0 255.255.255.0 '
>>>>>
>>>>> Thu Nov 08 14:47:05 2007 us=389625 WARNING: 'comp-lzo' is present in
>>>>> local config but missing in remote config, local='comp-lzo'
>>>>> Thu Nov 08 14:47:05 2007 us=389643 WARNING: 'cipher' is present in
>>>>> local config but missing in remote config, local='cipher BF-CBC'
>>>>> Thu Nov 08 14:47:05 2007 us=389659 WARNING: 'auth' is present in local
>>>>> config but missing in remote config, local='auth SHA1'
>>>>> Thu Nov 08 14:47:05 2007 us=389673 NOTE: --mute triggered...
>>>>> Thu Nov 08 14:47:05 2007 us=389977 3 variation(s) on previous 10
>>>>> message(s) suppressed by --mute
>>>>> Thu Nov 08 14:47:05 2007 us=389991 Data Channel Encrypt: Cipher
>>>>> 'BF-CBC' initialized with 128 bit key
>>>>> Thu Nov 08 14:47:05 2007 us=390009 Data Channel Encrypt: Using 160 bit
>>>>> message hash 'SHA1' for HMAC authentication
>>>>> Thu Nov 08 14:47:05 2007 us=390090 Data Channel Decrypt: Cipher
>>>>> 'BF-CBC' initialized with 128 bit key
>>>>> Thu Nov 08 14:47:05 2007 us=390106 Data Channel Decrypt: Using 160 bit
>>>>> message hash 'SHA1' for HMAC authentication
>>>>> Thu Nov 08 14:47:05 2007 us=390453 Control Channel: TLSv1, cipher
>>>>> TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
>>>>> Thu Nov 08 14:47:05 2007 us=390487 [Server] Peer Connection Initiated
>>>>> with 127.0.0.1:3128
>>>>>
>>>>> Thu Nov 08 14:47:06 2007 us=630508 TEST ROUTES: 0/0 succeeded len=-1
>>>>> ret=1 a=0 u/d=up
>>>>> Thu Nov 08 14:47:06 2007 us=630535 Initialization Sequence Completed
>>>>> ----------------------------------------------------------
>>>>>
>>>>> Why there're so many WARNINGS:
>>>>>
>>>>> 1. Both client and server use same version - 2.0.9, why does the client
>>>>> say: "NOTE: Options consistency check may be skewed by version
>>>>> differences"
>>>>> 2. Many options (like 'comp-lzo') have been enabled in both client and
>>>>> server's configuration, why does client say " WARNING: 'comp-lzo' is
>>>>> present in local config but missing in remote config, local='comp-lzo'"?
>>>>> ------------------------------------------------------------------------
>>>>>

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
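The client log quoted in this thread carries several security-relevant signals at once: the missing server certificate verification warning, the options-consistency warnings (some of them hidden by `mute 10`), and the negotiated cipher and key sizes. The Python triage script below is an added example, not part of the original thread or of OpenVPN; the finding names are made up for illustration, and the sample lines are copied from the quoted client log with the e-mail line wrapping removed.

```python
import re

# Constructed sample: lines taken from the client log in the thread, unwrapped.
SAMPLE_LOG = """\
Thu Nov 08 14:46:58 2007 us=24763 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Nov 08 14:47:05 2007 us=389494 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Thu Nov 08 14:47:05 2007 us=389625 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Thu Nov 08 14:47:05 2007 us=389643 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Thu Nov 08 14:47:05 2007 us=389977 3 variation(s) on previous 10 message(s) suppressed by --mute
Thu Nov 08 14:47:05 2007 us=389991 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Nov 08 14:47:05 2007 us=390453 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Thu Nov 08 14:47:06 2007 us=630535 Initialization Sequence Completed
"""

# Timestamp prefix as printed at verb 4: "Thu Nov 08 14:46:58 2007 us=24763 <message>"
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} us=\d+ (?P<msg>.*)$")

# (hypothetical finding name, pattern, capture group holding the detail or None)
RULES = [
    ("no-server-cert-verification", re.compile(r"WARNING: No server certificate verification"), None),
    ("occ-mismatch", re.compile(r"WARNING: '([\w-]+)' is (?:used inconsistently|present in local config but missing in remote config)"), 1),
    # --mute hides repeats, so the visible mismatch list is incomplete
    ("suppressed-by-mute", re.compile(r"(\d+) variation\(s\) on previous \d+ message\(s\) suppressed by --mute"), 1),
    # ciphers with a 64-bit block size
    ("64-bit-block-cipher", re.compile(r"Data Channel \w+: Cipher '(BF-CBC|DES-EDE3-CBC|DES-CBC)'"), 1),
    ("rsa-key-below-2048", re.compile(r"Control Channel: .*?, (\d+) bit RSA"), 1),
]

def triage(log_text):
    """Return (finding, detail) tuples in log order; lines without a timestamp are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped fragment, separator or blank line
        for name, pattern, group in RULES:
            hit = pattern.search(m.group("msg"))
            if not hit:
                continue
            detail = hit.group(group) if group else ""
            if name == "rsa-key-below-2048" and int(detail) >= 2048:
                continue  # key size is acceptable, not a finding
            findings.append((name, detail))
    return findings

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_LOG):
        print(f"{name:30} {detail}")
```

The `suppressed-by-mute` finding means the mismatch list is incomplete, so a log collected for review is better taken with `mute` removed. For the first finding, the page the warning links to describes the available checks; in OpenVPN 2.0 one of them is `ns-cert-type server` in the client config.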