
Thread: Openvpn configuration.

  1. #1

    Openvpn configuration.

    Hi guys,

    I need help with openvpn. I need it to access some sites that are only
    allowed when I am connected to the net from my university, UFPA
    (I need openvpn for article searches, basically). I had followed the
    instructions on UFPA's site for getting openvpn working in Fedora, but it
    is not working in openSUSE 11.1.

    UFPA's site says to install openvpn and download some files to the
    /etc/openvpn/ directory. The content of this directory now is:
    Code:
    linux-8z8e:/etc/openvpn # dir
    total 16
    -rwx------ 1 ednilton 1000 1245 Aug  2  2007 ca.crt
    -rwx------ 1 ednilton 1000  636 Aug  2  2007 ta.key
    -rwx------ 1 root     root 3535 May 14 21:23 ufpa.conf
    -rw-r--r-- 1 root     root 3077 Apr 10  2008 UFPAvpn-config.tar.gz
    linux-8z8e:/etc/openvpn #
    After this, I execute "/etc/init.d/openvpn start" and I get:
    Code:
    linux-8z8e:/etc/openvpn # /etc/init.d/openvpn start
    Starting OpenVPN Enter Auth Username:ednilton@ufpa.br
    Enter Auth Password:
                                         [done]
    linux-8z8e:/etc/openvpn #
    However, when I try to connect to the sites I have access to at the
    university, I still cannot, and some sites say that my IP is not recognized
    and show my real IP (from the ppp0 interface).

    I have noted that when openvpn is running there is an extra network
    interface when I execute "ifconfig". So, when openvpn is not running
    I have:
    Code:
    linux-8z8e:/etc/openvpn # ifconfig tap0
    tap0: error fetching interface information: Device not found
    
    linux-8z8e:/etc/openvpn #
    When openvpn is running I get:
    Code:
    linux-8z8e:/etc/openvpn # ifconfig tap0
    tap0      Link encap:Ethernet  HWaddr 16:69:71:66:A6:2D
              inet addr:200.17.51.148  Bcast:200.17.51.255  Mask:255.255.255.0
              inet6 addr: fe80::1469:71ff:fe66:a62d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:5182 (5.0 Kb)
    
    linux-8z8e:/etc/openvpn #
    So, there is an IP associated with the new interface "tap0", but I do not
    know how to connect to the net using this IP.

    My internet connection is made via a USB modem for 3G internet.
    I use kppp for this connection. The interface for this is ppp0.
    Code:
    linux-8z8e:/etc/openvpn # ifconfig ppp0
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:189.119.68.165  P-t-P:10.64.64.64  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:2112 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2189 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:1148887 (1.0 Mb)  TX bytes:320594 (313.0 Kb)
    
    linux-8z8e:/etc/openvpn #
    The ppp0 IP is obtained dynamically.

    I would appreciate any help about this issue. Bye.

  2. #2

    Re: Openvpn configuration.

    Presumably their start script also modified the route table so that access to the university computers goes through tap0. Please show the output of route -n

  3. #3

    Re: Openvpn configuration.

    Quote Originally Posted by ken_yap:
    Presumably their start script also modified the route table so that access to the university computers goes through tap0. Please show the output of route -n
    Hi,

    Thanks for replying.

    Here is what you asked for:
    Code:
    linux-8z8e:/home/ednilton # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    200.17.51.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
    linux-8z8e:/home/ednilton #

  4. #4

    Re: Openvpn configuration.

    The only route that goes through tap0 is 200.17.51.0/24. Is your destination computer in that subnet? Perhaps they meant to install a few routes for tap0 but only the first one got installed. I don't know your situation, so you have to look at what the scripts do.
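    The question above ("is your destination computer in that subnet?") is answered by the same longest-prefix match the kernel performs. As an added example that is not part of the thread, the Python below parses the `route -n` table from post #3 (headers translated) and reports the egress interface for any destination. 203.0.113.10 is a documentation address standing in for "some host outside the pushed /24"; the function and type names are this example's own.

```python
"""Longest-prefix route lookup over `route -n` output.

Added example (not from the thread): parses the routing table the original
poster pasted and answers, for any destination, which interface the kernel
would send the packet out of.
"""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed from the `route -n` output posted in the thread (Portuguese
# headers translated to English).
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
200.17.51.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse `route -n` output; the two header lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 8 columns and start with a dotted quad.
        if len(fields) != 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        # "address/netmask" form is accepted by ipaddress; strict=False
        # tolerates host bits (e.g. 0.0.0.0/0.0.0.0 for the default route).
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, ipaddress.IPv4Address(gw), int(metric), iface))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the most specific matching route (longest prefix wins,
    lower metric breaks ties), or None when nothing matches."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_interface(routes: List[Route], destination: str) -> Optional[str]:
    """Name of the interface a packet to `destination` would leave through."""
    route = lookup(routes, destination)
    return route.iface if route else None


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    # Hosts inside the pushed /24 leave via the tunnel ...
    for host in ("200.17.51.1", "200.17.51.254"):
        print(host, "->", egress_interface(table, host))
    # ... everything else still takes the 3G default route, so a web server
    # outside that /24 sees the ppp0 address.  203.0.113.10 is a made-up
    # documentation address used only for this demonstration.
    print("203.0.113.10", "->", egress_interface(table, "203.0.113.10"))
```

    Run it as is and compare the result for your destination against the two interfaces; a destination that prints `ppp0` is exactly the case where the remote site sees the 3G address rather than the university one.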

  5. #5

    Re: Openvpn configuration.

    ken yap wrote:
    > The only route that goes through tap0 is 200.17.51.0/24. Is your
    > destination computer in that subnet? Perhaps they meant to install a few
    > routes for tap0 but only the first one got installed. I don't know your
    > situation, so you have to look at what the scripts do.


    I don't get the use of a VPN to a routable network

    $nmap -v -sP 200.17.51.0/24

    Starting Nmap 4.75 ( http://nmap.org ) at 2009-05-17 11:35 CEST
    Initiating Ping Scan at 11:35
    Scanning 256 hosts [1 port/host]
    Completed Ping Scan at 11:36, 14.59s elapsed (256 total hosts)
    [..]
    Nmap done: 256 IP addresses (30 hosts up) scanned in 14.78 seconds

    The P does still mean "Private" doesn't it?
    ISTM either the openVPN server pushes the wrong range or the client's
    config is botched.

    Theo

  6. #6

    Re: Openvpn configuration.

    I'm not sure what you are trying to say.

    VPN means the traffic is not going through the Internet directly to reach the hosts, but going through a tunnel, which is what the VPN is. It doesn't imply those hosts are firewalled or not firewalled or anything like that, that's all orthogonal. The addresses at the destination could be public or private addresses. By going through the VPN, you may get extra privileges, because you will appear to be originating from a different address.

    PS: The private in the acronym VPN qualifies the word network, not address. You are setting up an alternate route to the destination, even though it's one that relies on the regular route.

  7. #7

    Re: Openvpn configuration.

    ken yap wrote:
    > I'm not sure what you are trying to say.


    I thought it was peculiar that someone would dig a tunnel through a mountain,
    where there already is a 6 lane motorway around to get to the other side.

    > VPN means the traffic is not going through the Internet directly to
    > reach the hosts, but going through a tunnel, which is what the VPN is.
    > It doesn't imply those hosts are firewalled or not firewalled or
    > anything like that, that's all orthogonal. The addresses at the
    > destination could be public or private addresses. By going through the
    > VPN, you may get extra privileges, because you will appear to be
    > originating from a different address.


    That may be a reason, yes.

    > PS: The private in the acronym VPN qualifies the word network, not
    > address. You are setting up an alternate route to the destination, even
    > though it's one that relies on the regular route.


    But creating a VPN to a host that might be exposed to the rest of the Internet
    via other ports still seems "not right" to me.

    Theo

  8. #8

    Re: Openvpn configuration.

    Quote Originally Posted by LittleRedRooster:
    I thought it was peculiar that someone would dig a tunnel through a mountain,
    where there already is a 6 lane motorway around to get to the other side.
    Only that it's more like smuggling someone in a van going down the motorway and into the gates of the organisation.

    Quote Originally Posted by LittleRedRooster:
    But creating a VPN to a host that might be exposed to the rest of the Internet
    via other ports still seems "not right" to me.
    Not at all strange. Consider an organisation that has a public webserver where certain content is only available to inside IP addresses; very easy to arrange with Apache directives. Nothing top secret, just services like library catalogues, staff bulletins, that sort of thing. A simple way to allow staff to access these inside services is to require them to authenticate for a VPN tunnel and then they are as if they were inside.

    You could also have other hosts that have only a private address and these would be used when the host has no public face.

    So the decision whether to give a host a public or private address depends on the role it plays, and the VPN works with it either way, nothing says that VPN must only be used for accessing hosts with private addresses.

  9. #9

    Re: Openvpn configuration.

    Hi guys,

    Good discussion! Unfortunately, I am not understanding much of it, because
    I know nothing about VPNs. Sorry about that!
    The only thing I know is that computers inside the university are not
    available for ssh, for example. There is a really strict security rule about
    protecting the university network. The idea is that I could access
    my group's main computer (a Core 2 Quad, used for our numeric
    computations) via ssh to do numeric computations only by using openvpn.

    Well, about:
    Quote Originally Posted by ken_yap:
    The only route that goes through tap0 is 200.17.51.0/24. Is your destination computer in that subnet? Perhaps they meant to install a few routes for tap0 but only the first one got installed. I don't know your situation, so you have to look at what the scripts do.
    Yes, I am not sure today, but it seems to be an IP from my
    university's net. I will know for sure tomorrow when I go there and
    check on a computer inside it.

    Bye.

  10. #10

    Re: Openvpn configuration.

    Hi again,

    Please see what I get when I run "cat /var/log/messages | grep openvpn":

    Code:
    May 17 02:31:23 linux-8z8e openvpn[5676]: TCP: connect to 200.17.51.100:1194 failed, will try again in 5 seconds: No route to host (errno=113)               
    May 17 11:54:14 linux-8z8e openvpn[4977]: OpenVPN 2.0.9 x86_64-suse-linux [SSL] [LZO] [EPOLL] built on Dec  3 2008                                           
    May 17 11:54:28 linux-8z8e openvpn[4977]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.                                                                                                       
    May 17 11:54:28 linux-8z8e openvpn[4977]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.                                                                                                                                                     
    May 17 11:54:28 linux-8z8e openvpn[4977]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file                                        
    May 17 11:54:28 linux-8z8e openvpn[4977]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication                 
    May 17 11:54:28 linux-8z8e openvpn[4977]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication                 
    May 17 11:54:28 linux-8z8e openvpn[4977]: LZO compression initialized                                                                                        
    May 17 11:54:28 linux-8z8e openvpn[4977]: Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]                                                    
    May 17 11:54:29 linux-8z8e openvpn[4977]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]                                            
    May 17 11:54:29 linux-8z8e openvpn[4977]: Local Options hash (VER=V4): 'e39a3273'                                                                            
    May 17 11:54:29 linux-8z8e openvpn[4977]: Expected Remote Options hash (VER=V4): '3c14feac'                                                                  
    May 17 11:54:29 linux-8z8e openvpn[4981]: Attempting to establish TCP connection with 200.17.51.100:1194                                                     
    May 17 11:54:29 linux-8z8e openvpn[4981]: TCP connection established with 200.17.51.100:1194                                                                 
    May 17 11:54:29 linux-8z8e openvpn[4981]: TCPv4_CLIENT link local: [undef]                                                                                   
    May 17 11:54:29 linux-8z8e openvpn[4981]: TCPv4_CLIENT link remote: 200.17.51.100:1194                                                                       
    May 17 11:54:31 linux-8z8e openvpn[4981]: TLS: Initial packet from 200.17.51.100:1194, sid=1dac2a70 410fe224                                                 
    May 17 11:54:41 linux-8z8e openvpn[4981]: VERIFY OK: depth=1, /C=BR/ST=Para/L=Belem/O=UFPA/OU=CTIC/CN=vpn.ufpa.br/emailAddress=suporte@ufpa.br               
    May 17 11:54:41 linux-8z8e openvpn[4981]: VERIFY OK: depth=0, /C=BR/ST=Para/L=Belem/O=UFPA/OU=CTIC/CN=vpn.ufpa.br/emailAddress=suporte@ufpa.br               
    May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key                                                 
    May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication                                    
    May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key                                                 
    May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication                                    
    May 17 11:54:50 linux-8z8e openvpn[4981]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA                                        
    May 17 11:54:50 linux-8z8e openvpn[4981]: [vpn.ufpa.br] Peer Connection Initiated with 200.17.51.100:1194                                                    
    May 17 11:54:51 linux-8z8e openvpn[4981]: SENT CONTROL [vpn.ufpa.br]: 'PUSH_REQUEST' (status=1)                                                              
    May 17 11:54:54 linux-8z8e openvpn[4981]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 10.15.1.14,dhcp-option DNS 10.15.1.3,route-gateway 200.17.51.254,ping 30,ping-restart 360,ifconfig 200.17.51.148 255.255.255.0'                                                                    
    May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: timers and/or timeouts modified                                                                    
    May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: --ifconfig/up options modified                                                                     
    May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: route options modified                                                                             
    May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified                                                   
    May 17 11:54:54 linux-8z8e openvpn[4981]: WARNING: --remote address [200.17.51.100] conflicts with --ifconfig subnet [200.17.51.148, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)                                                
    May 17 11:54:54 linux-8z8e openvpn[4981]: TUN/TAP device tap0 opened                                                                                         
    May 17 11:54:54 linux-8z8e openvpn[4981]: /bin/ip link set dev tap0 up mtu 1500                                                                              
    May 17 11:54:54 linux-8z8e openvpn[4981]: /bin/ip addr add dev tap0 200.17.51.148/24 broadcast 200.17.51.255                                                 
    May 17 11:54:54 linux-8z8e openvpn[4981]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system                        
    May 17 11:54:54 linux-8z8e openvpn[4981]: Initialization Sequence Completed                                                                                  
    May 17 11:54:57 linux-8z8e openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)                                                                  
    May 17 11:55:03 linux-8z8e openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)                                                                  
    May 17 11:55:12 linux-8z8e openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)                                                                  
    May 17 11:55:30 linux-8z8e openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)                                                                  
    May 17 11:56:05 linux-8z8e openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)                                                                  
    May 17 11:57:16 linux-8z8e openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)                                                                  
    May 17 11:59:16 linux-8z8e openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)                                                                  
    May 17 12:00:55 linux-8z8e openvpn[4981]: [vpn.ufpa.br] Inactivity timeout (--ping-restart), restarting                                                      
    May 17 12:00:55 linux-8z8e openvpn[4981]: TCP/UDP: Closing socket                                                                                            
    May 17 12:00:55 linux-8z8e openvpn[4981]: SIGUSR1[soft,ping-restart] received, process restarting                                                            
    May 17 12:00:55 linux-8z8e openvpn[4981]: Restart pause, 5 second(s)                                                                                         
    May 17 12:01:00 linux-8z8e openvpn[4981]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.                                                                                                       
    May 17 12:01:00 linux-8z8e openvpn[4981]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.                                                                                                                                                     
    May 17 12:01:00 linux-8z8e openvpn[4981]: Re-using SSL/TLS context                                                                                           
    May 17 12:01:00 linux-8z8e openvpn[4981]: LZO compression initialized                                                                                        
    May 17 12:01:00 linux-8z8e openvpn[4981]: Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]                                                    
    May 17 12:01:00 linux-8z8e openvpn[4981]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]                                            
    May 17 12:01:00 linux-8z8e openvpn[4981]: Local Options hash (VER=V4): 'e39a3273'                                                                            
    May 17 12:01:00 linux-8z8e openvpn[4981]: Expected Remote Options hash (VER=V4): '3c14feac'                                                                  
    May 17 12:01:00 linux-8z8e openvpn[4981]: Attempting to establish TCP connection with 200.17.51.100:1194                                                     
    May 17 12:01:03 linux-8z8e openvpn[4981]: TCP: connect to 200.17.51.100:1194 failed, will try again in 5 seconds: No route to host (errno=113)
    Take a look at the last line. It is repeated so many times. I realize now
    that the problem may be with my 3G connection, which is too slow.
    What do you think?
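    The log above carries three messages a practitioner would triage before looking at the link speed, and the following is an added example that is not part of the original post. First, "No server certificate verification method has been enabled": the client checks that the server's certificate chains to ca.crt but nothing more, which is what the linked #mitm section of the OpenVPN HOWTO is about. Second, the server pushed redirect-gateway but OpenVPN logged "unable to redirect default gateway -- Cannot read current default gateway from system"; the default route in post #3 has gateway 0.0.0.0 on the point-to-point ppp0 link, and with no redirect in place web sites outside the tunnel subnet keep seeing the ppp0 address, as described in post #1. Third, "--remote address [200.17.51.100] conflicts with --ifconfig subnet [200.17.51.148, 255.255.255.0]": the VPN server sits inside the very 200.17.51.0/24 that the route table sends through tap0, and the reads fail with "No route to host" right after "Initialization Sequence Completed". The Python below runs these checks over lines copied from the post (timestamps and host name trimmed); the function and key names are this example's own.

```python
"""Triage of an OpenVPN 2.x client log.

Added example, not from the thread: scans client log lines for (1) a missing
server-certificate check, (2) a pushed redirect-gateway that failed to apply,
(3) a --remote address inside the pushed --ifconfig subnet, and (4) link
errors after the tunnel came up.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Lines copied from the original poster's /var/log/messages excerpt, with
# timestamps and host name trimmed.
SAMPLE_LOG = """\
openvpn[4977]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
openvpn[4981]: Attempting to establish TCP connection with 200.17.51.100:1194
openvpn[4981]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 10.15.1.14,dhcp-option DNS 10.15.1.3,route-gateway 200.17.51.254,ping 30,ping-restart 360,ifconfig 200.17.51.148 255.255.255.0'
openvpn[4981]: WARNING: --remote address [200.17.51.100] conflicts with --ifconfig subnet [200.17.51.148, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)
openvpn[4981]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
openvpn[4981]: Initialization Sequence Completed
openvpn[4981]: read TCPv4_CLIENT []: No route to host (code=113)
"""

REMOTE_RE = re.compile(r"connection with (\d+\.\d+\.\d+\.\d+):(\d+)")
PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")


def parse_push_reply(line: str) -> Dict[str, List[List[str]]]:
    """Split a PUSH_REPLY into {option: [[args...], ...]}.

    Options may repeat (two dhcp-option DNS entries here), so each option
    maps to a list of argument lists; flag options map to [[]].
    """
    opts: Dict[str, List[List[str]]] = {}
    m = PUSH_RE.search(line)
    if not m:
        return opts
    for item in m.group(1).split(","):
        name, *args = item.split()
        opts.setdefault(name, []).append(args)
    return opts


def triage(log: str) -> Dict[str, object]:
    """Run the four checks over a client log and return the findings."""
    findings: Dict[str, object] = {
        "server_cert_unverified": False,
        "redirect_gateway_pushed": False,
        "redirect_gateway_failed": False,
        "tunnel_subnet": None,
        "remote_inside_tunnel_subnet": False,
        "link_errors_after_init": 0,
    }
    remote: Optional[str] = None
    pushed: Dict[str, List[List[str]]] = {}
    initialised = False
    for line in log.splitlines():
        if "No server certificate verification method" in line:
            findings["server_cert_unverified"] = True
        m = REMOTE_RE.search(line)
        if m:
            remote = m.group(1)
        if "PUSH_REPLY" in line:
            pushed = parse_push_reply(line)
        if "unable to redirect default gateway" in line:
            findings["redirect_gateway_failed"] = True
        if "Initialization Sequence Completed" in line:
            initialised = True
        elif initialised and "No route to host" in line:
            findings["link_errors_after_init"] = int(findings["link_errors_after_init"]) + 1
    findings["redirect_gateway_pushed"] = "redirect-gateway" in pushed
    if "ifconfig" in pushed and remote:
        addr, mask = pushed["ifconfig"][0]
        subnet = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        findings["tunnel_subnet"] = str(subnet)
        # The warning OpenVPN itself prints: the tunnel endpoint must not
        # live inside the subnet that will be routed through the tunnel.
        findings["remote_inside_tunnel_subnet"] = ipaddress.IPv4Address(remote) in subnet
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:30} {value}")
```

    Feed it the real file with `grep openvpn /var/log/messages` piped in place of SAMPLE_LOG; each True answer points at a line in the log rather than at the link.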
