Date: 2010-02-26 12:05:46 EET
Sender: dazo

Could you please provide a complete configuration file for client and
server, and log files with verb set to 4? I'm presuming you are using
OpenVPN 2.1.0 or 2.1.1, is that correct?

---

---|
Date: 2010-03-12 00:36:03 EET
Sender: phaoost

I confirm this bug in 2.1.0 and earlier versions (2.1-rc11). The reason is
that on Linux, when you set the default route to a point-to-point connection,
the IP address of the default gateway isn't necessary.

Here is what the log looks like:
warp:~/ovpn238# openvpn --config ovpn238.ovpn
Fri Mar 12 00:16:58 2010 us=403658 Current Parameter Settings:
Fri Mar 12 00:16:58 2010 us=404263 config = 'ovpn238.ovpn'
Fri Mar 12 00:16:58 2010 us=404332 mode = 0
Fri Mar 12 00:16:58 2010 us=404380 persist_config = DISABLED
Fri Mar 12 00:16:58 2010 us=404419 NOTE: --mute triggered...
Fri Mar 12 00:16:58 2010 us=404500 256 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:16:58 2010 us=404544 OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Dec 11 2009
Fri Mar 12 00:16:58 2010 us=404906 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 12 00:16:58 2010 us=404956 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 12 00:16:58 2010 us=409174 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Mar 12 00:16:59 2010 us=156885 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Mar 12 00:16:59 2010 us=157050 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 00:16:59 2010 us=157103 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 12 00:16:59 2010 us=157467 Control Channel MTU parms [ L:1545 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Mar 12 00:16:59 2010 us=157789 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:4 ET:0 EL:0 ]
Fri Mar 12 00:16:59 2010 us=157863 Fragmentation MTU parms [ L:1545 D:1300 EF:45 EB:4 ET:0 EL:0 ]
Fri Mar 12 00:16:59 2010 us=157955 Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Mar 12 00:16:59 2010 us=157996 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Mar 12 00:16:59 2010 us=158106 Local Options hash (VER=V4): '885414e3'
Fri Mar 12 00:16:59 2010 us=158172 Expected Remote Options hash (VER=V4): '8bcc3b84'
Fri Mar 12 00:16:59 2010 us=158247 Socket Buffers: R=[108544->131072] S=[108544->131072]
Fri Mar 12 00:16:59 2010 us=158297 UDPv4 link local: [undef]
Fri Mar 12 00:16:59 2010 us=158361 UDPv4 link remote: [AF_INET]x.x.x.x:4672
Fri Mar 12 00:16:59 2010 us=400999 TLS: Initial packet from [AF_INET]x.x.x.x:4672, sid=ccdce634 90e3e447
Fri Mar 12 00:17:00 2010 us=576787 VERIFY OK: depth=1, /C=US/ST=NA/L=x/O=x/CN=ovpn238/emailAddress=x
Fri Mar 12 00:17:00 2010 us=578011 VERIFY OK: depth=0, /C=US/ST=NA/O=x/CN=ovpn238/emailAddress=x
Fri Mar 12 00:17:02 2010 us=769948 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 12 00:17:02 2010 us=770245 NOTE: --mute triggered...
Fri Mar 12 00:17:02 2010 us=770897 4 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:17:02 2010 us=771100 [ovpn238] Peer Connection Initiated with [AF_INET]x.x.x.x:4672
Fri Mar 12 00:17:05 2010 us=34780 SENT CONTROL [ovpn238]: 'PUSH_REQUEST' (status=1)
Fri Mar 12 00:17:05 2010 us=270452 PUSH: Received control message: 'PUSH_REPLY,route-delay 2,dhcp-option DNS x.x.x.x,dhcp-option DNS x.x.x.x,route-metric 1,redirect-gateway def1,route 10.8.7.113,topology net30,ping 10,ping-restart 120,ifconfig 10.8.7.118 10.8.7.117'
Fri Mar 12 00:17:05 2010 us=270837 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 12 00:17:05 2010 us=270881 OPTIONS IMPORT: --ifconfig/up options modified
Fri Mar 12 00:17:05 2010 us=270917 NOTE: --mute triggered...
Fri Mar 12 00:17:05 2010 us=271724 3 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:17:05 2010 us=271768 ROUTE: default_gateway=UNDEF
Fri Mar 12 00:17:05 2010 us=291679 TUN/TAP device tun0 opened
Fri Mar 12 00:17:05 2010 us=291820 TUN/TAP TX queue length set to 100
Fri Mar 12 00:17:05 2010 us=291931 /sbin/ifconfig tun0 10.8.7.118 pointopoint 10.8.7.117 mtu 1500
Fri Mar 12 00:17:07 2010 us=426627 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Fri Mar 12 00:17:07 2010 us=427232 /sbin/route add -net 10.8.7.113 netmask 255.255.255.255 gw 10.8.7.117 metric 1
Fri Mar 12 00:17:07 2010 us=429677 Initialization Sequence Completed

However, I need to point out one more thing. For some reason my ISP has
two PPP connections:
ppp0      Link encap:Point-to-Point Protocol
          inet addr:1.8.160.81 P-t-P:93.84.80.34 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
          RX packets:16578 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15504 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:12782306 (12.1 MiB) TX bytes:1255803 (1.1 MiB)

ppp1      Link encap:Point-to-Point Protocol
          inet addr:86.57.254.161 P-t-P:93.84.80.34 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
          RX packets:336773 errors:0 dropped:0 overruns:0 frame:0
          TX packets:345265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:126402706 (120.5 MiB) TX bytes:45407057 (43.3 MiB)

My default gateway looks like:
warp:~/ovpn238# ip ro|grep default
default dev ppp1 scope link

So, the proper way to set the route towards VPN server 1.2.3.4 is:
ip ro ad to 1.2.3.4/32 via 93.84.80.34 dev ppp1
Here 'dev ppp1' is important. If I use 'route add ...', it will
set ppp0 as the device and it won't work. I have tested it by changing the
default gateway with 'ip ro ch default via 93.84.80.34 dev ppp1' and running
openvpn again:

Fri Mar 12 00:29:00 2010 us=273161 [ovpn238] Peer Connection Initiated with [AF_INET]x.x.x.x:4672
Fri Mar 12 00:29:02 2010 us=686793 SENT CONTROL [ovpn238]: 'PUSH_REQUEST' (status=1)
Fri Mar 12 00:29:02 2010 us=915580 PUSH: Received control message: 'PUSH_REPLY,route-delay 2,dhcp-option DNS x.x.x.x,dhcp-option DNS x.x.x.x,route-metric 1,redirect-gateway def1,route 10.8.7.113,topology net30,ping 10,ping-restart 120,ifconfig 10.8.7.118 10.8.7.117'
Fri Mar 12 00:29:02 2010 us=915928 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 12 00:29:02 2010 us=915969 OPTIONS IMPORT: --ifconfig/up options modified
Fri Mar 12 00:29:02 2010 us=916006 NOTE: --mute triggered...
Fri Mar 12 00:29:02 2010 us=916856 3 variation(s) on previous 4 message(s) suppressed by --mute
Fri Mar 12 00:29:02 2010 us=916906 ROUTE default_gateway=93.84.80.34
Fri Mar 12 00:29:02 2010 us=935956 TUN/TAP device tun0 opened
Fri Mar 12 00:29:02 2010 us=936100 TUN/TAP TX queue length set to 100
Fri Mar 12 00:29:02 2010 us=936210 /sbin/ifconfig tun0 10.8.7.118 pointopoint 10.8.7.117 mtu 1500
Fri Mar 12 00:29:05 2010 us=146692 /sbin/route add -net x.x.x.x netmask 255.255.255.255 gw 93.84.80.34
Fri Mar 12 00:29:05 2010 us=149296 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.7.117
Fri Mar 12 00:29:05 2010 us=151905 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.7.117
Fri Mar 12 00:29:05 2010 us=154973 /sbin/route add -net 10.8.7.113 netmask 255.255.255.255 gw 10.8.7.117 metric 1
Fri Mar 12 00:29:05 2010 us=157478 Initialization Sequence Completed

These are the lines I got in the routing table:
93.84.80.34 dev ppp0 proto kernel scope link src 1.8.160.81
93.84.80.34 dev ppp1 proto kernel scope link src 86.57.254.161
x.x.x.x via 93.84.80.34 dev ppp0 (!!!!!)
10.8.7.117 dev tun0 proto kernel scope link src 10.8.7.118
10.8.7.113 via 10.8.7.117 dev tun0 metric 1
172.16.17.0/27 dev eth1 proto kernel scope link src 172.16.17.30
0.0.0.0/1 via 10.8.7.117 dev tun0
128.0.0.0/1 via 10.8.7.117 dev tun0
default via 93.84.80.34 dev ppp1

So the VPN dropped after a timeout, as the route went through the wrong device
(ppp0 instead of ppp1).
Hope this will help

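The two failure modes phaoost reports (a point-to-point default route with no gateway address, and a host route to the server landing on the wrong PPP device) can be checked from `ip route show` output before OpenVPN's redirect-gateway runs. The code below is an added example, not part of this thread or of OpenVPN; its route tables are constructed from the routes quoted above, and 198.51.100.7 stands in for the masked server address x.x.x.x.

```python
import ipaddress

# Constructed `ip route show` output modelled on the thread: two PPP links share
# the peer address 93.84.80.34 and the default route carries no gateway address.
SAMPLE_ROUTES_P2P = """\
93.84.80.34 dev ppp0 proto kernel scope link src 1.8.160.81
93.84.80.34 dev ppp1 proto kernel scope link src 86.57.254.161
172.16.17.0/27 dev eth1 proto kernel scope link src 172.16.17.30
default dev ppp1 scope link
"""

# The same host after `ip ro ch default via 93.84.80.34 dev ppp1`, plus the host
# route that ended up on the wrong device (the `(!!!!!)` line in the thread).
SAMPLE_ROUTES_VIA = SAMPLE_ROUTES_P2P.replace(
    "default dev ppp1 scope link", "default via 93.84.80.34 dev ppp1"
) + "198.51.100.7 via 93.84.80.34 dev ppp0\n"  # constructed stand-in for x.x.x.x

def _field_after(fields, key):
    """Value following `key` in one `ip route` line, or None when `key` is absent."""
    return fields[fields.index(key) + 1] if key in fields else None

def parse_default_route(ip_route_output):
    """(gateway or None, device) of the main-table default route; None if there is none."""
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "default":
            return _field_after(fields, "via"), _field_after(fields, "dev")
    return None

def vpn_server_route(ip_route_output, server_ip):
    """Host route that pins the VPN server to the current uplink before
    redirect-gateway moves the default route into tun0. The device is always
    named, so two links sharing one peer address cannot be mixed up, and a
    point-to-point default (no gateway IP) yields a device-only route."""
    default = parse_default_route(ip_route_output)
    if default is None:
        raise ValueError("no default route in the main table")
    gateway, dev = default
    server = ipaddress.ip_address(server_ip)  # rejects malformed input early
    if gateway is None:
        return f"ip route add {server}/32 dev {dev}"
    return f"ip route add {server}/32 via {gateway} dev {dev}"

def server_route_matches_uplink(ip_route_output, server_ip):
    """True when the host route to the server leaves on the default route's
    device; False reproduces the ppp0/ppp1 mismatch that dropped the tunnel."""
    default = parse_default_route(ip_route_output)
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields and fields[0] == server_ip:
            return default is not None and _field_after(fields, "dev") == default[1]
    return False
```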
---|
---

Date: 2010-03-13 13:56:04 EET
Sender: derrichard

sorry for not responding, during the weekend I'll post a complete
configuration plus log files.
currently, I am very busy.

cheers,
//richard

---

Date: 2010-04-22 16:08:33 EEST
Sender: sven-ola

Have a related problem. No default route at all. Server can be reached via
host route or (that's my current problem) via a default route in a table !=
main aka policy route. Especially when using "push def1" it's not necessary
AFAICT to search + fiddle with the default route on the client.

---

Date: 2010-04-22 17:21:23 EEST
Sender: sven-ola

And a fix (for at least my quirks) is here:
http://ff-firmware.cvs.sourceforge.net/viewvc/*checkout*/ff-firmware/ff-devel/openvpn.patch