Changes between Version 6 and Version 7 of HOWTO


Timestamp: 07/25/14 13:38:46 (10 years ago)
Author: Samuli Seppänen
Comment: Fixed formatting up to "Configuring OpenVPN to run automatically on system startup"

  • HOWTO

    v6 v7  
    317317First, make sure the OpenVPN server will be accessible from the internet. That means:
    318318
    319    opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
    320    setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
     319 * opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
     320 * setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
    321321
    322322Next, make sure that the TUN/TAP interface is not firewalled.
    323323
    324324To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the .ovpn file on Windows), rather than start it as a daemon or service:
    325 
    326     openvpn [server config file]
    327 
     325{{{
     326openvpn [server config file]
     327}}}
    328328A normal server startup should look like this (output will vary across platforms):
    329 
    330     Sun Feb  6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb  5 2005
    331     Sun Feb  6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
    332     Sun Feb  6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    333     Sun Feb  6 20:46:38 2005 TUN/TAP device tun1 opened
    334     Sun Feb  6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    335     Sun Feb  6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    336     Sun Feb  6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
    337     Sun Feb  6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
    338     Sun Feb  6 20:46:38 2005 UDPv4 link remote: [undef]
    339     Sun Feb  6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
    340     Sun Feb  6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
    341     Sun Feb  6 20:46:38 2005 IFCONFIG POOL LIST
    342     Sun Feb  6 20:46:38 2005 Initialization Sequence Completed
    343 
    344 Starting the client
     329{{{
     330Sun Feb  6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb  5 2005
     331Sun Feb  6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
     332Sun Feb  6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
     333Sun Feb  6 20:46:38 2005 TUN/TAP device tun1 opened
     334Sun Feb  6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
     335Sun Feb  6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
     336Sun Feb  6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
     337Sun Feb  6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
     338Sun Feb  6 20:46:38 2005 UDPv4 link remote: [undef]
     339Sun Feb  6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
     340Sun Feb  6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
     341Sun Feb  6 20:46:38 2005 IFCONFIG POOL LIST
     342Sun Feb  6 20:46:38 2005 Initialization Sequence Completed
     343}}}
     344
     345== Starting the client ==
    345346
    346347As in the server configuration, it's best to initially start the OpenVPN server from the command line (or on Windows, by right-clicking on the client.ovpn file), rather than start it as a daemon or service:
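Review bot: the sample server log moved into the {{{ }}} block at new lines 329-343 is presented as what "a normal server startup should look like", but it comes from a 2005 build ("OpenVPN 2.0_rc12 ... built on Feb 5 2005") and shows "Diffie-Hellman initialized with 1024 bit key". Since this is only a formatting pass it is fine to keep the old capture, but a reader may take the 1024-bit DH line as the expected configuration; suggest either recapturing the output from a current build with a 2048-bit or larger DH parameter, or extending the sentence at line 328 so it says the version and key-size values shown will differ from a current installation, not just that "output will vary across platforms".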
    347 
    348     openvpn [client config file]
    349 
    350 A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.
    351 
    352 Now, try a ping across the VPN from the client. If you are using routing (i.e. dev tun in the server config file), try:
    353 
    354     ping 10.8.0.1
    355 
    356 If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.
     348{{{
     349openvpn [client config file]
     350}}}
     351A normal client startup on Windows will look similar to the server output above, and should end with the '''Initialization Sequence Completed''' message.
     352
     353Now, try a ping across the VPN from the client. If you are using routing (i.e. '''dev tun''' in the server config file), try:
     354{{{
     355ping 10.8.0.1
     356}}}
     357If you are using bridging (i.e. '''dev tap''' in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.
    357358
    358359If the ping succeeds, congratulations! You now have a functioning VPN.
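Review bot: the unchanged context line 347 that opens this client section still reads "it's best to initially start the OpenVPN server from the command line", which is a copy-paste from the server section; under "Starting the client" it should say "start the OpenVPN client", and the same sentence could point at the same startup-from-the-command-line guidance the server section gives. Unrelated to the markup conversion, but worth fixing while this section is being touched.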
    359 Troubleshooting
    360 
    361 If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:
    362 
    363     You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.
    364 
    365      
    366 
    367     Solutions:
    368         Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
    369         If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
    370         Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
    371     You get the error message: Initialization Sequence Completed with errors-- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.
    372 
    373      
    374 
    375     Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.
    376     You get the Initialization Sequence Completedmessage but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.
    377 
    378      
    379 
    380     Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Windows adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).
    381     The connection stalls on startup when using a proto udpconfiguration, the server log file shows this line:
    382 
    383      
    384 
    385         TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
    386 
    387     however the client log does not show an equivalent line.
    388 
    389     Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.
    390 
    391 See the FAQ for additional troubleshooting information.
    392 Configuring OpenVPN to run automatically on system startup
     360
     361== Troubleshooting ==
     362
     363If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions.
     364
     365 1. You get the error message: '''TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'''. This error indicates that the client was unable to establish a network connection with the server.
     366  * Solutions:
     367   * Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
     368   * If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says '''forward UDP port 1194 from my public IP address to 192.168.4.4'''.
     369   * Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
     370 1. You get the error message: '''Initialization Sequence Completed with errors'''-- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.
     371  * Solution:
     372   * Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.
     373 1. You get the '''Initialization Sequence Completed''' message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.
     374  * Solution:
     375   * Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to '''Windows Security Center -> Windows Firewall -> Advanced''' and unchecking the box which corresponds to the TAP-Windows adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).
     376 1. The connection stalls on startup when using a proto udpconfiguration, the server log file shows the line ''TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx'', but the client log does not show an equivalent line.
     377  * Solution:
     378   * You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.
     379
     380See the [wiki:FAQ FAQ] for additional troubleshooting information.
     381
     382= Configuring OpenVPN to run automatically on system startup =
    393383
    394384The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.
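Review bot: two typos survive the reformat of the troubleshooting list. At new line 372, "Start the DHCP client server" should read "Start the DHCP client service", matching the symptom at line 370 which names "the DHCP client service". At new line 376, "proto udpconfiguration" is missing a space and lacks the bold markup the other directives ('''dev tun''', '''dev tap''') received in this revision; suggest '''proto udp''' configuration. Minor consistency point in the same region: line 370 runs the closing ''' straight into "--" with no space, while line 373 uses " -- "; pick one spacing for both.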