OpenVPN configuration.

Hi guys,

I need help with OpenVPN. I need it to access some sites that are only
allowed when I am connected to the net from my university - UFPA -
(I need OpenVPN for article searches, basically). I had followed the instructions
for getting OpenVPN working in Fedora on
UFPA's site, but it is not working in openSUSE 11.1.

UFPA's site says to install OpenVPN and download some files into the
/etc/openvpn/ directory. The content of this directory is now:


linux-8z8e:/etc/openvpn # dir
total 16
-rwx------ 1 ednilton 1000 1245 Aug  2  2007 ca.crt
-rwx------ 1 ednilton 1000  636 Aug  2  2007 ta.key
-rwx------ 1 root     root 3535 May 14 21:23 ufpa.conf
-rw-r--r-- 1 root     root 3077 Apr 10  2008 UFPAvpn-config.tar.gz
linux-8z8e:/etc/openvpn #

After this, I execute "/etc/init.d/openvpn start" and I get:


linux-8z8e:/etc/openvpn # /etc/init.d/openvpn start
Starting OpenVPN Enter Auth Username:ednilton@ufpa.br
Enter Auth Password:
                                     [done]
linux-8z8e:/etc/openvpn #

However, when I try connecting to the sites I have access to at the university,
I still cannot, and some sites say that my IP is not recognized and show
my real IP (from the ppp0 interface).

I have noted that when OpenVPN is running there is an extra network
interface when I execute "ifconfig". So, when OpenVPN is not running
I have:


linux-8z8e:/etc/openvpn # ifconfig tap0
tap0: error fetching interface information: %s: device not found

linux-8z8e:/etc/openvpn #

When openvpn is running I get:


linux-8z8e:/etc/openvpn # ifconfig tap0
tap0      Link encap:Ethernet  HWaddr 16:69:71:66:A6:2D
          inet addr:200.17.51.148  Bcast:200.17.51.255  Mask:255.255.255.0
          inet6 addr: fe80::1469:71ff:fe66:a62d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:5182 (5.0 Kb)

linux-8z8e:/etc/openvpn #

So, there is an IP associated with the new interface "tap0", but I do not know
how to connect to the net using this IP.

My internet connection is made via a USB modem for 3G internet.
I use kppp for this connection. The interface for this is ppp0.


linux-8z8e:/etc/openvpn # ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:189.119.68.165  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2189 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:1148887 (1.0 Mb)  TX bytes:320594 (313.0 Kb)

linux-8z8e:/etc/openvpn #

The ppp0 IP is obtained dynamically.

I would appreciate any help about this issue. Bye.

Presumably their start script also modified the route table so that access to the university computers goes through tap0. Please show the output of route -n

Hi,

Thanks for replying.

It follows what you asked:


linux-8z8e:/home/ednilton # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
200.17.51.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
linux-8z8e:/home/ednilton #

The only route that goes through tap0 is 200.17.51.0/24. Is your destination computer in that subnet? Perhaps they meant to install a few routes for tap0 but only the first one got installed. I don’t know your situation, so you have to look at what the scripts do.

ken yap wrote:
> The only route that goes through tap0 is 200.17.51.0/24. Is your
> destination computer in that subnet? Perhaps they meant to install a few
> routes for tap0 but only the first one got installed. I don’t know your
> situation, so you have to look at what the scripts do.

I don't get the usage of VPN to a routable network

$nmap -v -sP 200.17.51.0/24

Starting Nmap 4.75 ( http://nmap.org ) at 2009-05-17 11:35 CEST
Initiating Ping Scan at 11:35
Scanning 256 hosts [1 port/host]
Completed Ping Scan at 11:36, 14.59s elapsed (256 total hosts)
[…]
Nmap done: 256 IP addresses (30 hosts up) scanned in 14.78 seconds

The P does still mean “Private” doesn’t it?
ISTM either the openVPN server pushes the wrong range or the client’s
config is botched.

Theo

I’m not sure what you are trying to say.

VPN means the traffic is not going through the Internet directly to reach the hosts, but going through a tunnel, which is what the VPN is. It doesn’t imply those hosts are firewalled or not firewalled or anything like that, that’s all orthogonal. The addresses at the destination could be public or private addresses. By going through the VPN, you may get extra privileges, because you will appear to be originating from a different address.

PS: The private in the acronym VPN qualifies the word network, not address. You are setting up an alternate route to the destination, even though it’s one that relies on the regular route.

ken yap wrote:
> I’m not sure what you are trying to say.

I thought it was peculiar that someone would dig a tunnel through a mountain,
where there already is a 6 lane motorway around to get to the other side.

> VPN means the traffic is not going through the Internet directly to
> reach the hosts, but going through a tunnel, which is what the VPN is.
> It doesn’t imply those hosts are firewalled or not firewalled or
> anything like that, that’s all orthogonal. The addresses at the
> destination could be public or private addresses. By going through the
> VPN, you may get extra privileges, because you will appear to be
> originating from a different address.

That may be a reason, yes.

> PS: The private in the acronym VPN qualifies the word network, not
> address. You are setting up an alternate route to the destination, even
> though it’s one that relies on the regular route.

But creating a VPN to a host that might be exposed to the rest of the Internet
via other ports still seems "not right" to me.

Theo

Only that it's more like smuggling someone in a van going down the motorway and into the gates of the organisation. :)

> But creating a VPN to a host that might be exposed to the rest of the Internet
> via other ports still seems "not right" to me.

Not at all strange. Consider an organisation that has a public webserver where certain content is only available to inside IP addresses; very easy to arrange with Apache directives. Nothing top secret, just services like library catalogues, staff bulletins, that sort of thing. A simple way to allow staff to access these inside services is to require them to authenticate for a VPN tunnel and then they are as if they were inside.

You could also have other hosts that have only a private address and these would be used when the host has no public face.

So the decision whether to give a host a public or private address depends on the role it plays, and the VPN works with it either way, nothing says that VPN must only be used for accessing hosts with private addresses.

Hi guys,

Good discussion! Unfortunately, I am not understanding much of it, because
I know nothing about VPNs. Sorry about that! :)
The only thing I know is that computers inside the university are not
reachable via ssh, for example. There is a really strict security rule about
protecting the university network. The idea is that I could access
my group's main computer (a Core 2 Quad, used for our numerical
computations) via ssh to run numerical computations, and the only way is via OpenVPN.

Well, about

> The only route that goes through tap0 is 200.17.51.0/24. Is your destination computer in that subnet? Perhaps they meant to install a few routes for tap0 but only the first one got installed. I don't know your situation, so you have to look at what the scripts do.

Yes, I am not sure today, but it seems to be an IP from my
university's net. I will know for sure tomorrow when I go there and
check on a computer inside it.

Bye.


Hi again,

Please see what I get when I run "cat /var/log/messages | grep openvpn":

May 17 02:31:23 linux-8z8e openvpn[5676]: TCP: connect to 200.17.51.100:1194 failed, will try again in 5 seconds: No route to host (errno=113)
May 17 11:54:14 linux-8z8e openvpn[4977]: OpenVPN 2.0.9 x86_64-suse-linux [SSL] [LZO] [EPOLL] built on Dec  3 2008
May 17 11:54:28 linux-8z8e openvpn[4977]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
May 17 11:54:28 linux-8z8e openvpn[4977]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 17 11:54:28 linux-8z8e openvpn[4977]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
May 17 11:54:28 linux-8z8e openvpn[4977]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 17 11:54:28 linux-8z8e openvpn[4977]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 17 11:54:28 linux-8z8e openvpn[4977]: LZO compression initialized
May 17 11:54:28 linux-8z8e openvpn[4977]: Control Channel MTU parms  L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
May 17 11:54:29 linux-8z8e openvpn[4977]: Data Channel MTU parms  L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
May 17 11:54:29 linux-8z8e openvpn[4977]: Local Options hash (VER=V4): 'e39a3273'
May 17 11:54:29 linux-8z8e openvpn[4977]: Expected Remote Options hash (VER=V4): '3c14feac'
May 17 11:54:29 linux-8z8e openvpn[4981]: Attempting to establish TCP connection with 200.17.51.100:1194
May 17 11:54:29 linux-8z8e openvpn[4981]: TCP connection established with 200.17.51.100:1194
May 17 11:54:29 linux-8z8e openvpn[4981]: TCPv4_CLIENT link local: [undef]
May 17 11:54:29 linux-8z8e openvpn[4981]: TCPv4_CLIENT link remote: 200.17.51.100:1194
May 17 11:54:31 linux-8z8e openvpn[4981]: TLS: Initial packet from 200.17.51.100:1194, sid=1dac2a70 410fe224
May 17 11:54:41 linux-8z8e openvpn[4981]: VERIFY OK: depth=1, /C=BR/ST=Para/L=Belem/O=UFPA/OU=CTIC/CN=vpn.ufpa.br/emailAddress=suporte@ufpa.br
May 17 11:54:41 linux-8z8e openvpn[4981]: VERIFY OK: depth=0, /C=BR/ST=Para/L=Belem/O=UFPA/OU=CTIC/CN=vpn.ufpa.br/emailAddress=suporte@ufpa.br
May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 17 11:54:50 linux-8z8e openvpn[4981]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 17 11:54:50 linux-8z8e openvpn[4981]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 17 11:54:50 linux-8z8e openvpn[4981]: [vpn.ufpa.br] Peer Connection Initiated with 200.17.51.100:1194
May 17 11:54:51 linux-8z8e openvpn[4981]: SENT CONTROL [vpn.ufpa.br]: 'PUSH_REQUEST' (status=1)
May 17 11:54:54 linux-8z8e openvpn[4981]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 10.15.1.14,dhcp-option DNS 10.15.1.3,route-gateway 200.17.51.254,ping 30,ping-restart 360,ifconfig 200.17.51.148 255.255.255.0'
May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: timers and/or timeouts modified
May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: --ifconfig/up options modified
May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: route options modified
May 17 11:54:54 linux-8z8e openvpn[4981]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
May 17 11:54:54 linux-8z8e openvpn[4981]: WARNING: --remote address [200.17.51.100] conflicts with --ifconfig subnet [200.17.51.148, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)
May 17 11:54:54 linux-8z8e openvpn[4981]: TUN/TAP device tap0 opened
May 17 11:54:54 linux-8z8e openvpn[4981]: /bin/ip link set dev tap0 up mtu 1500
May 17 11:54:54 linux-8z8e openvpn[4981]: /bin/ip addr add dev tap0 200.17.51.148/24 broadcast 200.17.51.255
May 17 11:54:54 linux-8z8e openvpn[4981]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
May 17 11:54:54 linux-8z8e openvpn[4981]: Initialization Sequence Completed
May 17 11:54:57 linux-8z8e openvpn[4981]: read TCPv4_CLIENT ]: No route to host (code=113)
May 17 11:55:03 linux-8z8e openvpn[4981]: read TCPv4_CLIENT ]: No route to host (code=113)
May 17 11:55:12 linux-8z8e openvpn[4981]: read TCPv4_CLIENT ]: No route to host (code=113)
May 17 11:55:30 linux-8z8e openvpn[4981]: read TCPv4_CLIENT ]: No route to host (code=113)
May 17 11:56:05 linux-8z8e openvpn[4981]: read TCPv4_CLIENT ]: No route to host (code=113)
May 17 11:57:16 linux-8z8e openvpn[4981]: read TCPv4_CLIENT ]: No route to host (code=113)
May 17 11:59:16 linux-8z8e openvpn[4981]: read TCPv4_CLIENT ]: No route to host (code=113)
May 17 12:00:55 linux-8z8e openvpn[4981]: [vpn.ufpa.br] Inactivity timeout (--ping-restart), restarting
May 17 12:00:55 linux-8z8e openvpn[4981]: TCP/UDP: Closing socket
May 17 12:00:55 linux-8z8e openvpn[4981]: SIGUSR1[soft,ping-restart] received, process restarting
May 17 12:00:55 linux-8z8e openvpn[4981]: Restart pause, 5 second(s)
May 17 12:01:00 linux-8z8e openvpn[4981]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
May 17 12:01:00 linux-8z8e openvpn[4981]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 17 12:01:00 linux-8z8e openvpn[4981]: Re-using SSL/TLS context
May 17 12:01:00 linux-8z8e openvpn[4981]: LZO compression initialized
May 17 12:01:00 linux-8z8e openvpn[4981]: Control Channel MTU parms  L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
May 17 12:01:00 linux-8z8e openvpn[4981]: Data Channel MTU parms  L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
May 17 12:01:00 linux-8z8e openvpn[4981]: Local Options hash (VER=V4): 'e39a3273'
May 17 12:01:00 linux-8z8e openvpn[4981]: Expected Remote Options hash (VER=V4): '3c14feac'
May 17 12:01:00 linux-8z8e openvpn[4981]: Attempting to establish TCP connection with 200.17.51.100:1194
May 17 12:01:03 linux-8z8e openvpn[4981]: TCP: connect to 200.17.51.100:1194 failed, will try again in 5 seconds: No route to host (errno=113)

Take a look at the last line. It is repeated many times. I realize now
that the problem could be with my 3G connection, which is too slow.
What do you think?
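Editor's note on one line of that log that nobody in the thread picks up: "WARNING: No server certificate verification method has been enabled" means the client only checks that the server's certificate chains to ca.crt. Any certificate issued by the same CA, for instance another user's client certificate, would pass that check, so a host on the path could impersonate vpn.ufpa.br and collect the username and password; that is the MITM scenario the URL in the warning points to. Below is an added example of the client-side fix (not ufpa.conf, which is not shown in the thread, and not OpenVPN project code). The directives are reconstructed from what the log demonstrates: TCP to 200.17.51.100:1194, a tap device, ca.crt, ta.key for tls-auth, LZO, and a username/password prompt. The tls-auth key direction (1) and the persist lines are assumptions.

```conf
# Added example: minimal OpenVPN 2.0.9 client config matching the posted log.
# NOT the thread's ufpa.conf; the tls-auth direction and persist-* lines are assumed.
client
dev tap
proto tcp-client
remote 200.17.51.100 1194
ca ca.crt
tls-auth ta.key 1
auth-user-pass
comp-lzo
nobind
persist-key
persist-tun

# Fix for "WARNING: No server certificate verification method has been enabled":
# refuse any peer whose certificate was not issued as a server certificate, so a
# client certificate from the same CA can no longer pose as vpn.ufpa.br.
# Spelling for the 2.0.x series shown in the log:
ns-cert-type server
# On OpenVPN 2.1 and later use this instead (do not combine the two):
# remote-cert-tls server
```

If the server's certificate was issued without the nsCertType (or, for remote-cert-tls, extendedKeyUsage) server extension, the handshake will now fail with a verification error rather than a warning; that is the check doing its job, and the fix belongs with whoever runs the CA, not in the client config.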

ednso wrote:
> Hi again,
>
> Please see what I get when I run "cat /var/log/messages |
> grep openvpn":
[…]
> May 17 11:54:54 linux-8z8e openvpn[4981]: WARNING: --remote address [200.17.51.100] conflicts with --ifconfig subnet [200.17.51.148, 255.255.255.0] – local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)

This is not right. Having the tunnel addresses inside the range you want to route causes all sorts of mishaps.
It's best to use a range of addresses for the tunnel that is not likely to be used by users of the tunnel, e.g.
10.$((RANDOM%256)).$((RANDOM%256)).0

> May 17 12:01:03 linux-8z8e openvpn[4981]: TCP: connect to 200.17.51.100:1194 failed, will try again in 5 seconds: No route to host (errno=113)
> --------------------
> Take a look at the last line. It is repeated many times. I realize now
> that the problem could be with my 3G connection, which is too slow.
> What do you think?

This failure state is very similar to problems I have with an OpenVPN server that I maintain, but I'm sure it's for very
different reasons (my server is behind a DSL modem I don't trust).
A wireless connection has its ups and downs, so seeing disconnects is what you can expect from time to time.

Theo
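Editor's note: ken's question about the route table and the `--remote` versus `--ifconfig` conflict Theo quotes are two views of one problem, so here is a single added example that serves both (my code, not from the thread and not OpenVPN's). It is a longest-prefix route lookup over the `route -n` table ednso posted, used to show which destinations go through tap0, and that once the 200.17.51.0/24 route exists the VPN server's own address 200.17.51.100 matches it instead of the default route, so the tunnel's TCP transport would be sent into the tunnel. That is consistent with the "No route to host" reads that start right after "Initialization Sequence Completed". The OpenVPN manual documents that `redirect-gateway` first installs a /32 host route for the `--remote` address via the pre-existing default gateway; the log says it could not read a default gateway, so that bypass was never added. The example shows that either that host route or a tunnel range disjoint from the campus network (Theo's suggestion) removes the conflict. The table is transcribed from the thread; the 10.137.42.0/24 range and the 8.8.8.8 probe address are arbitrary values chosen for the demonstration.

```python
"""Longest-prefix route lookup over the route table posted in this thread.

Added example, not code from the thread or from OpenVPN.  The entries below are
transcribed from the `route -n` output above (constructed sample data).
"""
import ipaddress

# (destination, genmask, gateway, iface), as printed by `route -n` in the thread.
ROUTES_FROM_THREAD = [
    ("10.64.64.64", "255.255.255.255", "0.0.0.0", "ppp0"),
    ("200.17.51.0", "255.255.255.0", "0.0.0.0", "tap0"),
    ("127.0.0.0", "255.0.0.0", "0.0.0.0", "lo"),
    ("0.0.0.0", "0.0.0.0", "0.0.0.0", "ppp0"),
]

VPN_SERVER = "200.17.51.100"      # --remote address from the posted log
TUNNEL_ADDR = "200.17.51.148/24"  # ifconfig pushed by the server, from the log


def lookup(routes, dst):
    """Return (network, gateway, iface) of the most specific matching route.

    Kernel semantics in miniature: the longest prefix wins; all metrics in the
    posted table are 0, so table order is the only tiebreaker left.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def tunnel_self_routing_conflict(routes, remote, tun_iface="tap0"):
    """True if the packets that carry the tunnel would themselves be routed into it.

    This is the situation behind the log's WARNING that the --remote address
    lies inside the --ifconfig subnet: the TCP session to 200.17.51.100:1194
    matches the 200.17.51.0/24 route via tap0 instead of the default route.
    """
    hit = lookup(routes, remote)
    return hit is not None and hit[2] == tun_iface


def with_bypass_route(routes, remote, gateway, iface):
    """Copy of the table with the /32 host route for the VPN server that
    redirect-gateway installs when it can read a default gateway (the log says
    it could not on this ppp0 link, so this route was missing)."""
    return [(remote, "255.255.255.255", gateway, iface)] + list(routes)


def with_tunnel_subnet(routes, new_subnet, tun_iface="tap0"):
    """Table as it would look if the server pushed a tunnel range disjoint from
    the campus network (Theo's suggestion); the arbitrary 10.x range is assumed."""
    net = ipaddress.ip_network(new_subnet, strict=False)
    kept = [r for r in routes if r[3] != tun_iface]
    return kept + [(str(net.network_address), str(net.netmask), "0.0.0.0", tun_iface)]


if __name__ == "__main__":
    for dst in ("200.17.51.10", "8.8.8.8", VPN_SERVER):
        print(dst, "->", lookup(ROUTES_FROM_THREAD, dst))
    print("conflict as posted:",
          tunnel_self_routing_conflict(ROUTES_FROM_THREAD, VPN_SERVER))
    fixed = with_bypass_route(ROUTES_FROM_THREAD, VPN_SERVER, "0.0.0.0", "ppp0")
    print("conflict with /32 bypass route:",
          tunnel_self_routing_conflict(fixed, VPN_SERVER))
    disjoint = with_tunnel_subnet(ROUTES_FROM_THREAD, "10.137.42.0/24")
    print("conflict with 10.x tunnel range:",
          tunnel_self_routing_conflict(disjoint, VPN_SERVER))
```

Run it as-is to see the three lookups and the conflict flag flip from True to False under each remedy. The practical check on a real box is the same: after the tunnel comes up, `ip route get <vpn-server-address>` must still name the physical interface, never the tun/tap device.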

I see from their use of tap0 that they are setting up an Ethernet tunnel, as opposed to tun0, which would give an IP tunnel. That could have issues with the use of wireless interfaces I think, but I have no practical experience in this aspect.

Hi,

I realized yesterday that my problem posted here is not related to Linux.
Yesterday I had access to my sister's laptop, which has Vista Home installed, and
I installed OpenVPN on it. Unfortunately, I could not connect to the specified
sites that I can reach when I am at the university. Vista says that there is an
unknown connection but it is only a local connection.

Well, I am almost sure that the problem is in my 3G internet connection
(actually, I get 2G speeds - that is Brazil, a country that is really a
big mess :). I will talk to UFPA's network center to try to get a solution. If I get
OpenVPN working, I will post back.

Many thanks for helping.

Bye.