329 | | |
330 | | Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005 |
331 | | Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key |
332 | | Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] |
333 | | Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened |
334 | | Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 |
335 | | Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 |
336 | | Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ] |
337 | | Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194 |
338 | | Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef] |
339 | | Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256 |
340 | | Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62 |
341 | | Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST |
342 | | Sun Feb 6 20:46:38 2005 Initialization Sequence Completed |
343 | | |
344 | | Starting the client |
| 329 | {{{ |
| 330 | Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005 |
| 331 | Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key |
| 332 | Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] |
| 333 | Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened |
| 334 | Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 |
| 335 | Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 |
| 336 | Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ] |
| 337 | Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194 |
| 338 | Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef] |
| 339 | Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256 |
| 340 | Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62 |
| 341 | Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST |
| 342 | Sun Feb 6 20:46:38 2005 Initialization Sequence Completed |
| 343 | }}} |
| 344 | |
| 345 | == Starting the client == |
347 | | |
348 | | openvpn [client config file] |
349 | | |
350 | | A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message. |
351 | | |
352 | | Now, try a ping across the VPN from the client. If you are using routing (i.e. dev tun in the server config file), try: |
353 | | |
354 | | ping 10.8.0.1 |
355 | | |
356 | | If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet. |
| 348 | {{{ |
| 349 | openvpn [client config file] |
| 350 | }}} |
| 351 | A normal client startup on Windows will look similar to the server output above, and should end with the '''Initialization Sequence Completed''' message. |
| 352 | |
| 353 | Now, try a ping across the VPN from the client. If you are using routing (i.e. '''dev tun''' in the server config file), try: |
| 354 | {{{ |
| 355 | ping 10.8.0.1 |
| 356 | }}} |
| 357 | If you are using bridging (i.e. '''dev tap''' in the server config file), try to ping the IP address of a machine on the server's ethernet subnet. |
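Review bot: the routed ping test on line 355 hard-codes `10.8.0.1` without saying where that address comes from; add a clause to line 353 such as "ping the server's VPN address, 10.8.0.1 in the sample server log above" and note that a reader who changed the subnet in the server config must substitute the server's own tun address. The bridged case on line 357 could similarly remind the reader to ping a host on the server-side subnet by its LAN address, not the TAP adapter's address, since that is what the text intends.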
359 | | Troubleshooting |
360 | | |
361 | | If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions: |
362 | | |
363 | | You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server. |
364 | | |
365 | | |
366 | | |
367 | | Solutions: |
368 | | Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server. |
369 | | If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4. |
370 | | Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file). |
371 | | You get the error message: Initialization Sequence Completed with errors-- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2. |
372 | | |
373 | | |
374 | | |
375 | | Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2. |
376 | | You get the Initialization Sequence Completedmessage but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface. |
377 | | |
378 | | |
379 | | |
380 | | Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Windows adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below). |
381 | | The connection stalls on startup when using a proto udpconfiguration, the server log file shows this line: |
382 | | |
383 | | |
384 | | |
385 | | TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx |
386 | | |
387 | | however the client log does not show an equivalent line. |
388 | | |
389 | | Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client. |
390 | | |
391 | | See the FAQ for additional troubleshooting information. |
392 | | Configuring OpenVPN to run automatically on system startup |
| 360 | |
| 361 | == Troubleshooting == |
| 362 | |
| 363 | If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions. |
| 364 | |
| 365 | 1. You get the error message: '''TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'''. This error indicates that the client was unable to establish a network connection with the server. |
| 366 | * Solutions: |
| 367 | * Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server. |
| 368 | * If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says '''forward UDP port 1194 from my public IP address to 192.168.4.4'''. |
| 369 | * Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file). |
| 370 | 1. You get the error message: '''Initialization Sequence Completed with errors'''-- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2. |
| 371 | * Solution: |
| 372 | * Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2. |
| 373 | 1. You get the '''Initialization Sequence Completed''' message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface. |
| 374 | * Solution: |
| 375 | * Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to '''Windows Security Center -> Windows Firewall -> Advanced''' and unchecking the box which corresponds to the TAP-Windows adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below). |
| 376 | 1. The connection stalls on startup when using a proto udpconfiguration, the server log file shows the line ''TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx'', but the client log does not show an equivalent line. |
| 377 | * Solution: |
| 378 | * You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client. |
| 379 | |
| 380 | See the [wiki:FAQ FAQ] for additional troubleshooting information. |
| 381 | |
| 382 | = Configuring OpenVPN to run automatically on system startup = |
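Review bot: line 372 reads "Start the DHCP client server", but line 370 names the component correctly as the "DHCP client service"; make line 372 say "service" so the two agree. Two smaller typos survive the reformat: line 370 has `errors'''--` with no space before the dashes, and line 376 has "proto udpconfiguration" (missing space, and `proto udp` should be bolded like the other directives in this list). The numbered items all start with `1.`, which Trac renumbers automatically, so that is fine; the `* Solution:` bullets followed by a sibling `* ...` bullet render as two top-level items rather than a nested list, so indenting the solution text one level under `* Solution:` would match the author's apparent intent.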