[Openvpn-users] error: invalid source address / FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Jan Luehr
2007-08-13 08:35:33 UTC
Hello,

I've some trouble establishing a VPN connection between a server (running
Debian Etch) and a linksys-router (running dd-wrt).
In this scenario, both participants are in a common unsecure network
(192.168.1.0/24). (WAN port on linksys-router, ethernet NIC on server.)
Also both have another interface (linksys: switch-wlan-bridge; server: second
NIC) running in 172.16.0.0/24 - a secure private network.
I'd like to use OpenVPN to connect these private networks on OSI layer 2.

My server config is:
port 2195
dev tap0 #is bridged with my private nic
ca /etc/ssl/certs/ca.pem
cert /etc/ssl/certs/wlan.pem
key /etc/ssl/certs/wlan.key # This file should be kept secret
dh /etc/ssl/certs/dh1024.pem
client-to-client
keepalive 10 120
persist-key
persist-tun
mode server
tls-server

My client config is:
remote 192.168.1.208
port 2195
dev tap0 #added to the lan/wlan bridge
tun-mtu 1500
fragment 1300
mssfix
tls-client
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/client.crt
key /tmp/openvpn/client.key
ping-restart 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
ping 10

The client logs:
Mon Aug 13 10:09:17 2007 OpenVPN 2.0.7 mipsel-unknown-linux [SSL] [LZO]
[EPOLL] built on Sep 15 2006
Mon Aug 13 10:09:17 2007 WARNING: No server certificate verification method
has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 13 10:09:17 2007 WARNING: file '/tmp/openvpn/client.key' is group or
others accessible
Mon Aug 13 10:09:17 2007 TUN/TAP device tap0 opened
Mon Aug 13 10:09:17 2007 UDPv4 link local (bound): [undef]:2195
Mon Aug 13 10:09:17 2007 UDPv4 link remote: 192.168.1.208:2195
Mon Aug 13 10:09:22 2007 [wlan.schule] Peer Connection Initiated with
192.168.1.208:2195
Mon Aug 13 10:09:23 2007 Initialization Sequence Completed
Mon Aug 13 10:09:32 2007 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not
implemented
## This continues until I hit CTRL+C
Mon Aug 13 10:09:41 2007 event_wait : Interrupted system call (code=4)
Mon Aug 13 10:09:41 2007 SIGINT[hard,] received, process exiting

The server logs:
Mon Aug 13 10:07:35 2007 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL]
built on Jan 21 2007
Mon Aug 13 10:07:35 2007 Diffie-Hellman initialized with 1024 bit key
Mon Aug 13 10:07:35 2007 WARNING: file '/etc/ssl/certs/wlan.key' is group or
others accessible
Mon Aug 13 10:07:35 2007 TLS-Auth MTU parms [ L:1573 D:138 EF:38 EB:0 ET:0
EL:0 ]
Mon Aug 13 10:07:35 2007 TUN/TAP device tap0 opened
Mon Aug 13 10:07:35 2007 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:4
ET:32 EL:0 ]
Mon Aug 13 10:07:35 2007 UDPv4 link local (bound): [undef]:2195
Mon Aug 13 10:07:35 2007 UDPv4 link remote: [undef]
Mon Aug 13 10:07:35 2007 MULTI: multi_init called, r=256 v=256
Mon Aug 13 10:07:35 2007 Initialization Sequence Completed
Mon Aug 13 10:07:39 2007 MULTI: multi_create_instance called
Mon Aug 13 10:07:39 2007 192.168.1.245:2195 Re-using SSL/TLS context
Mon Aug 13 10:07:39 2007 192.168.1.245:2195 Control Channel MTU parms [ L:1573
D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Aug 13 10:07:39 2007 192.168.1.245:2195 Data Channel MTU parms [ L:1573
D:1450 EF:41 EB:4 ET:32 EL:0 ]
Mon Aug 13 10:07:39 2007 192.168.1.245:2195 Local Options hash
(VER=V4): '0ddbb6e3'
Mon Aug 13 10:07:39 2007 192.168.1.245:2195 Expected Remote Options hash
(VER=V4): '2c50bd2c'
Mon Aug 13 10:07:39 2007 192.168.1.245:2195 TLS: Initial packet from
192.168.1.245:2195, sid=ddf90abd 963887c8
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 VERIFY OK:
depth=1, /C=DE/ST=NRW/L=Koeln/O=XXX/OU=XXX/CN=XXX/emailAddress=***@XXX.de
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 VERIFY OK:
depth=0, /C=DE/ST=NRW/L=Koeln/O=XXX/OU=XXX/CN=ap/emailAddress=***@XXX.de
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 Data Channel Encrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 Data Channel Encrypt: Using 160
bit message hash 'SHA1' for HMAC authentication
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 Data Channel Decrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 Data Channel Decrypt: Using 160
bit message hash 'SHA1' for HMAC authentication
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 Control Channel: TLSv1, cipher
TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mon Aug 13 10:07:44 2007 192.168.1.245:2195 [ap] Peer Connection Initiated
with 192.168.1.245:2195
Mon Aug 13 10:07:44 2007 ap/192.168.1.245:2195 MULTI: no dynamic or static
remote --ifconfig address is available for ap/192.168.1.245:2195
Mon Aug 13 10:07:54 2007 ap192.168.1.245:2195 MULTI: bad source address from
client [7b:f3:64:1e:b4:cb], packet dropped
# this continues until I hit CTRL+C

Do you know what might be wrong here?
Thanks in advance
Keep smiling
yanosz
Jan Luehr
2007-08-13 10:02:15 UTC
Hello again,
Post by Jan Luehr
> Hello,
> tun-mtu 1500
> fragment 1300
I noticed that these parameters are missing within the server config.
Removing 'em stopped the error messages - however, the peers cannot reach
each other...
Btw. the server logs something like:
Learn: mac:mac:...:mac -> CommonName/IP
Thanks,
Keep smiling
yanosz
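
The follow-up above narrows the FRAG_IN error down to MTU options (tun-mtu, fragment, mssfix) present on the client but absent on the server; OpenVPN requires fragment and mssfix to be configured on both peers. The script below is an added example (not from the thread or the OpenVPN project) that parses two OpenVPN config files and reports such one-sided settings. The embedded configs are constructed, trimmed versions of the ones posted above; the simple parser does not handle quoted arguments or inline <tag> blocks.

```python
"""Report MTU/fragmentation options that differ between two OpenVPN configs.

A 'fragment' or 'mssfix' set on only one peer produces the
'FRAG_IN error ... FRAG_TEST not implemented' messages seen in the thread.
"""

# Options whose value must agree on both sides of an OpenVPN link.
MTU_OPTIONS = ("tun-mtu", "link-mtu", "fragment", "mssfix")

# Constructed sample configs, trimmed from the posted ones.
SERVER_CFG = """\
port 2195
dev tap0 #is bridged with my private nic
mode server
tls-server
"""
CLIENT_CFG = """\
remote 192.168.1.208
port 2195
dev tap0 #added to the lan/wlan bridge
tun-mtu 1500
fragment 1300
mssfix
tls-client
"""


def parse_config(text):
    """Return {option: [args]} from config text; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]  # flag options map to an empty list
    return opts


def mtu_mismatches(server_text, client_text):
    """Return (option, server_args, client_args) for each differing option.

    None means the option is absent on that side; [] means set without args.
    """
    server, client = parse_config(server_text), parse_config(client_text)
    return [(opt, server.get(opt), client.get(opt))
            for opt in MTU_OPTIONS if server.get(opt) != client.get(opt)]


if __name__ == "__main__":
    for opt, s, c in mtu_mismatches(SERVER_CFG, CLIENT_CFG):
        print(f"{opt}: server={s} client={c}")  # e.g. fragment: server=None client=['1300']
```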
