Koozali.org: home of the SME Server

how to use openvpn-bridge with Chromebook?

Offline William R H

how to use openvpn-bridge with Chromebook?
« on: November 27, 2014, 05:38:31 PM »
[Linux beginner, SME Server 8.1]

Hello - I can connect but not do anything once connected.

I get an ip address on the server network but cannot do anything with it.

One problem I solved myself by switching off LZO compression as Chromebook does not seem to support it.

Otherwise I am stuck.

From the listings below I seem to have an IP address, a nameserver address but no gateway. Is that significant?

Any help or ideas gratefully received.

Thanks.

I have munged external addresses as best I could.

Quote
2014-11-27 14:56:07.924479500 OpenVPN 2.3.1 i386-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 24 2013
2014-11-27 14:56:07.924482500 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
2014-11-27 14:56:07.931987500 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
2014-11-27 14:56:08.039756500 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
2014-11-27 14:56:08.075654500 Diffie-Hellman initialized with 1024 bit key
2014-11-27 14:56:08.092221500 WARNING: file 'priv/key.pem' is group or others accessible
2014-11-27 14:56:08.100577500 Socket Buffers: R=[110592->131072] S=[110592->131072]
2014-11-27 14:56:08.100578500 TUN/TAP device tap0 opened
2014-11-27 14:56:08.100579500 TUN/TAP TX queue length set to 100
2014-11-27 14:56:08.100742500 nice 5 succeeded
2014-11-27 14:56:08.100752500 chroot to '/etc/openvpn/bridge' and cd to '/' succeeded
2014-11-27 14:56:08.100761500 GID set to nobody
2014-11-27 14:56:08.100768500 UID set to nobody
2014-11-27 14:56:08.100776500 UDPv4 link local (bound): [undef]
2014-11-27 14:56:08.100781500 UDPv4 link remote: [undef]
2014-11-27 14:56:08.100789500 MULTI: multi_init called, r=256 v=256
2014-11-27 14:56:08.153225500 IFCONFIG POOL: base=192.168.3.10 size=21, ipv6=0
2014-11-27 14:56:08.153261500 Initialization Sequence Completed
2014-11-27 14:57:52.024597500 12.34.56.78:56381 TLS: Initial packet from [AF_INET]12.34.56.78:56381, sid=7f4ae132 7ff4c66b
2014-11-27 14:57:54.334330500 12.34.56.78:56381 CRL CHECK OK: C=GB, ST=Lancs, L=Skelmersdale, O=our Lets, OU=Certificate Authority, CN=PHPki Certificate Authority, emailAddress=admin@admin.admin
2014-11-27 14:57:54.334352500 12.34.56.78:56381 VERIFY OK: depth=1, C=GB, ST=Lancs, L=Skelmersdale, O=our Lets, OU=Certificate Authority, CN=PHPki Certificate Authority, emailAddress=admin@admin.admin
2014-11-27 14:57:54.335482500 12.34.56.78:56381 CRL CHECK OK: C=GB, ST=Lancs, L=Skelmersdale, O=Your Lets, O=21232f297a57a5a743894a0e4a801fc3, OU=VPN, CN=chromeboook1, emailAddress=admin@admin.admin
2014-11-27 14:57:54.335501500 12.34.56.78:56381 VERIFY OK: depth=0, C=GB, ST=Lancs, L=Skelmersdale, O=Your Lets, O=21232f297a57a5a743894a0e4a801fc3, OU=VPN, CN=chromeboook1, emailAddress=admin@admin.admin
2014-11-27 14:57:54.544393500 12.34.56.78:56381 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
2014-11-27 14:57:54.544414500 12.34.56.78:56381 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1541'
2014-11-27 14:57:54.544433500 12.34.56.78:56381 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2014-11-27 14:57:54.544734500 12.34.56.78:56381 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2014-11-27 14:57:54.544752500 12.34.56.78:56381 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-11-27 14:57:54.544864500 12.34.56.78:56381 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2014-11-27 14:57:54.544881500 12.34.56.78:56381 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-11-27 14:57:54.612711500 12.34.56.78:56381 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2014-11-27 14:57:54.612764500 12.34.56.78:56381 [chromeboook1] Peer Connection Initiated with [AF_INET]12.34.56.78:56381
2014-11-27 14:57:54.612862500 chromeboook1/12.34.56.78:56381 MULTI_sva: pool returned IPv4=192.168.3.10, IPv6=(Not enabled)
2014-11-27 14:57:55.775771500 chromeboook1/12.34.56.78:56381 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
2014-11-27 14:57:56.882421500 chromeboook1/12.34.56.78:56381 PUSH: Received control message: 'PUSH_REQUEST'
2014-11-27 14:57:56.882444500 chromeboook1/12.34.56.78:56381 send_push_reply(): safe_cap=940
2014-11-27 14:57:56.882489500 chromeboook1/12.34.56.78:56381 SENT CONTROL [chromeboook1]: 'PUSH_REPLY,dhcp-option DOMAIN yourlets.biz,dhcp-option DNS 192.168.3.2,dhcp-option WINS 192.168.3.2,route-gateway 192.168.3.2,ping 10,ping-restart 120,ifconfig 192.168.3.10 255.255.255.0' (status=1)
2014-11-27 14:57:57.122042500 chromeboook1/12.34.56.78:56381 MULTI: Learn: 40:00:40:11:ce:95 -> chromeboook1/12.34.56.78:56381
2014-11-27 14:57:57.153216500 chromeboook1/12.34.56.78:56381 MULTI: Learn: 40:00:40:11:ce:6a -> chromeboook1/12.34.56.78:56381
2014-11-27 14:57:57.153321500 chromeboook1/12.34.56.78:56381 MULTI: Learn: 40:00:40:11:ce:72 -> chromeboook1/12.34.56.78:56381

...lots and lots of similar lines then

2014-11-27 14:58:55.282822500 chromeboook1/12.34.56.78:56381 MULTI: Learn: 40:00:40:11:f7:0d -> chromeboook1/12.34.56.78:56381
2014-11-27 14:58:55.362192500 chromeboook1/12.34.56.78:56381 MULTI: Learn: 40:00:40:11:f6:c9 -> chromeboook1/12.34.56.78:56381
2014-11-27 14:58:55.372897500 chromeboook1/12.34.56.78:56381 MULTI ROUTE: route quota (256) exceeded for chromeboook1/12.34.56.78:56381 (see --max-routes-per-client option)
2014-11-27 14:58:55.372920500 chromeboook1/12.34.56.78:56381 MULTI: Learn FAILED: 40:00:40:11:fa:9e -> chromeboook1/12.34.56.78:56381
2014-11-27 14:58:55.892653500 chromeboook1/12.34.56.78:56381 MULTI ROUTE: route quota (256) exceeded for chromeboook1/12.34.56.78:56381 (see --max-routes-per-client option)
2014-11-27 14:58:55.892673500 chromeboook1/12.34.56.78:56381 MULTI: Learn FAILED: 40:00:40:11:e8:f1 -> chromeboook1/12.34.56.78:56381
2014-11-27 14:58:56.462788500 chromeboook1/12.34.56.78:56381 MULTI ROUTE: route quota (256) exceeded for chromeboook1/12.34.56.78:56381 (see --max-routes-per-client option)

...with lots and lots of similar then when I disconnect the chromebook

2014-11-27 15:21:35.642570500 chromeboook1/12.34.56.78:56381 MULTI ROUTE: route quota (256) exceeded for chromeboook1/12.34.56.78:56381 (see --max-routes-per-client option)
2014-11-27 15:21:35.642616500 chromeboook1/12.34.56.78:56381 MULTI: Learn FAILED: 40:00:40:11:35:39 -> chromeboook1/12.34.56.78:56381
2014-11-27 15:21:36.222876500 chromeboook1/12.34.56.78:56381 MULTI ROUTE: route quota (256) exceeded for chromeboook1/12.34.56.78:56381 (see --max-routes-per-client option)
2014-11-27 15:21:36.222937500 chromeboook1/12.34.56.78:56381 MULTI: Learn FAILED: 40:00:40:01:b3:4c -> chromeboook1/12.34.56.78:56381
2014-11-27 15:23:34.143569500 192.168.3.178:48897 TLS: Initial packet from [AF_INET]192.168.3.178:48897, sid=ef9484e0 0965c642
2014-11-27 15:24:34.261751500 192.168.3.178:48897 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2014-11-27 15:24:34.261801500 192.168.3.178:48897 TLS Error: TLS handshake failed
2014-11-27 15:24:34.261917500 192.168.3.178:48897 SIGUSR1[soft,tls-error] received, client-instance restarting
2014-11-27 15:25:36.424668500 chromeboook1/12.34.56.78:56381 [chromeboook1] Inactivity timeout (--ping-restart), restarting
2014-11-27 15:25:36.424719500 chromeboook1/12.34.56.78:56381 SIGUSR1[soft,ping-restart] received, client-instance restarting


Here is what the Chromebook ifconfig shows me

Quote
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 12.34.56.78  netmask 255.255.255.255  destination 10.64.64.64
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 798  bytes 185574 (181.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1443  bytes 241226 (235.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.3.10  netmask 255.255.255.0  destination 192.168.3.10
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 368  overruns 0  frame 0
        TX packets 1004  bytes 70946 (69.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here is the chromebook network_diagnostics listing

Quote
Trying to contact https://www.google.com ... (waiting up to 10 seconds)
Trying to contact http://www.google.com ... (waiting up to 10 seconds)
Trying to contact https://www.google.com ... (waiting up to 10 seconds)
FAIL: Got DNS resolution error -- trying to debug nameservers
Entering diag_nameservers
Testing connectivity to nameservers
Entering diag_ping 192.168.3.2
ping: icmp open socket: Operation not permitted
PASS: address 192.168.3.2: ping OK
FAIL: We can reach the nameservers but were not able to resolve hostnames
FAIL: You may be behind a captive portal or there may be a DNS
FAIL: configuration problem
Entering get_device_list
Device list:
ppp0   unknown::   
tun0   unknown::   
wlan0   pci:0034:168c   ath9k
Entering diag_flimflam
PASS: shill is running, pid 1690
Listing of /var/run/shill
total 8
drwxr-xr-x  5 root root 160 Nov 25 18:13 .
drwxr-xr-x 21 root root 540 Nov 27 15:01 ..
drwxr-xr-x  2 root root  60 Nov 27 14:57 certificate_export
-rw-r--r--  1 root root  56 Nov 25 17:51 loaded_profile_list
lrwxrwxrwx  1 root root  62 Nov 25 17:51 log -> /home/root/64f0fc3de7a722b8b56513748c08de25d928e52f/shill_logs
drwx------  2 root root  60 Nov 27 14:57 openvpn_config
-rw-r--r--  1 root root  87 Nov 27 14:57 resolv.conf
drwx------  2 root root  60 Nov 25 17:51 user_profiles
Entering diag_flimflam_dbus
Flimflam Manager:
/0/ActiveProfile /profile/chronos/shill
/1/ArpGateway true
/2/AvailableTechnologies/0 cellular
/2/AvailableTechnologies/1 wifi
/3/CheckPortalList ethernet,wifi,cellular
/5/ConnectionState online
/6/Country
/7/DefaultService /service/59
/8/DefaultTechnology vpn
/9/Devices/0 /device/wlan0
/9/Devices/1 /device/no_netdev_2
/10/DisableWiFiVHT false
/11/EnabledTechnologies/0 cellular
/11/EnabledTechnologies/1 wifi
/12/HostName
/13/IgnoredDNSSearchPaths gateway.2wire.net
/14/LinkMonitorTechnologies wifi
/15/OfflineMode false
/16/PortalCheckInterval 30
/17/PortalURL http://www.gstatic.com/generate_204
/18/Profiles/0 /profile/default
/18/Profiles/1 /profile/chronos/shill
/19/ServiceCompleteList/0 /service/59
/19/ServiceCompleteList/1 /service/147
/19/ServiceCompleteList/2 /service/4
/19/ServiceCompleteList/3 /service/7
/19/ServiceCompleteList/4 /service/8
/19/ServiceCompleteList/5 /service/0
/19/ServiceCompleteList/6 /service/152
/19/ServiceCompleteList/7 /service/148
/19/ServiceCompleteList/8 /service/141
/19/ServiceCompleteList/9 /service/144
/19/ServiceCompleteList/10 /service/142
/19/ServiceCompleteList/11 /service/153
/19/ServiceCompleteList/12 /service/151
/19/ServiceCompleteList/13 /service/1
/20/ServiceWatchList/0 /service/59
/20/ServiceWatchList/1 /service/147
/21/Services/0 /service/59
/21/Services/1 /service/147
/21/Services/2 /service/4
/21/Services/3 /service/152
/21/Services/4 /service/148
/21/Services/5 /service/141
/21/Services/6 /service/144
/21/Services/7 /service/142
/21/Services/8 /service/153
/21/Services/9 /service/151
/22/State online
/24/WakeOnLanEnabled true
Service /service/59
/0/AutoConnect false
/1/CheckPortal auto
/2/Connectable true
/3/ConnectionId 0
/4/DNSAutoFallback false
/6/Diagnostics.Misconnects/0 2014-11-25T20:16:06.175284+0000
/8/Error Unknown
/9/ErrorDetails
/10/GUID
/11/HTTPProxyPort 53783
/12/IPConfig /ipconfig/tun0_19_ip
/13/IsActive true
/14/Name yole
/15/PhysicalTechnology vpn
/16/PortalDetectionFailedPhase
/17/PortalDetectionFailedStatus
/18/PreviousError connect-failed
/19/PreviousErrorSerialNumber 1
/20/Priority 0
/21/Profile /profile/chronos/shill
/22/Provider/0/Host 82.69.35.17
/22/Provider/1/OpenVPN.CACertPEM/0 -----BEGIN CERTIFICATE-----
MIIFODCCBCCg

...munge...

TQGuQjkyWWePklCK7jwed+h32LF
y8FfY0L59lyOC3aMzs9qVsFjKE8OZjpe+BlNAJmbCiQR6i9B60+nP3VN83k=
-----END CERTIFICATE-----

/22/Provider/2/OpenVPN.Pkcs11.ID 001D2226833B6BA4FBDCEF2248F8D6F60C4F3536
/22/Provider/3/OpenVPN.Pkcs11.PIN 111111
/22/Provider/4/OpenVPN.User william
/22/Provider/5/PassphraseRequired false
/22/Provider/6/Type openvpn
/23/ProxyConfig
/24/SaveCredentials true
/25/SavedIP.Address 192.168.3.10
/26/SavedIP.Gateway
/27/SavedIP.Mtu 1500
/28/SavedIP.NameServers 192.168.3.2
/29/SavedIP.PeerAddress
/30/SavedIP.Prefixlen 24
/31/State online
/32/Strength 00
/33/Type vpn
/34/UIData
/35/VPN.Domain
/36/Visible true
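
A small triage script for a server log like the one quoted in the first post, as an added example that is not part of the original thread: it pulls out the option-mismatch warnings, the per-client route-quota hits and learned MAC addresses, and the key-file permission warning. The function name `triage` and the result keys are assumptions; the sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the server log posted above (timestamps and addresses as munged by the poster).
SAMPLE_LOG = """\
2014-11-27 14:56:08.092221500 WARNING: file 'priv/key.pem' is group or others accessible
2014-11-27 14:57:54.544393500 12.34.56.78:56381 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
2014-11-27 14:57:54.544414500 12.34.56.78:56381 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1541'
2014-11-27 14:57:57.122042500 chromeboook1/12.34.56.78:56381 MULTI: Learn: 40:00:40:11:ce:95 -> chromeboook1/12.34.56.78:56381
2014-11-27 14:58:55.372897500 chromeboook1/12.34.56.78:56381 MULTI ROUTE: route quota (256) exceeded for chromeboook1/12.34.56.78:56381 (see --max-routes-per-client option)
2014-11-27 14:58:55.372920500 chromeboook1/12.34.56.78:56381 MULTI: Learn FAILED: 40:00:40:11:fa:9e -> chromeboook1/12.34.56.78:56381
2014-11-27 14:58:55.892653500 chromeboook1/12.34.56.78:56381 MULTI ROUTE: route quota (256) exceeded for chromeboook1/12.34.56.78:56381 (see --max-routes-per-client option)
"""

MISMATCH = re.compile(r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
QUOTA = re.compile(r"MULTI ROUTE: route quota \((\d+)\) exceeded for (\S+)")
LEARN = re.compile(r"MULTI: Learn: ([0-9a-f:]{17}) -> (\S+)")
PERMS = re.compile(r"WARNING: file '([^']+)' is group or others accessible")


def triage(log_text):
    """Summarise the warnings in an OpenVPN server log that deserve a second look."""
    result = {
        "mismatches": [],                 # (option, server side, client side)
        "quota_hits": Counter(),          # client -> times the route quota was exceeded
        "learned_macs": defaultdict(set), # client -> MAC addresses learned behind it
        "exposed_files": [],              # key material readable by group/others
    }
    for line in log_text.splitlines():
        if m := MISMATCH.search(line):
            result["mismatches"].append(m.groups())
        elif m := QUOTA.search(line):
            result["quota_hits"][m.group(2)] += 1
        elif m := LEARN.search(line):
            result["learned_macs"][m.group(2)].add(m.group(1))
        elif m := PERMS.search(line):
            result["exposed_files"].append(m.group(1))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for option, local, remote in report["mismatches"]:
        print(f"option mismatch {option}: server '{local}' vs client '{remote}'")
    for client, hits in report["quota_hits"].items():
        print(f"{client}: route quota exceeded {hits} times")
    for path in report["exposed_files"]:
        print(f"tighten permissions on {path}")
```
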

guest22

Re: how to use openvpn-bridge with Chromebook?
« Reply #1 on: November 27, 2014, 05:53:28 PM »
Hi and welcome!

Quote
Hello - I can connect but not do anything once connected.

I get an ip address on the server network but cannot do anything with it.

One problem I solved myself by switching off LZO compression as Chromebook does not seem to support it.

Otherwise I am stuck.

From the listings below I seem to have an IP address, a nameserver address but no gateway. Is that significant?

Can you explain a bit more on your exact setup and what client software (and settings) on the chromebook is being used?
I'm sure with that additional info, some may jump in here.

TIA

guest

Offline William R H

Re: how to use openvpn-bridge with Chromebook?
« Reply #2 on: November 27, 2014, 07:08:44 PM »
Thanks - the Chromebook is a locked box. For "private network" I have 3 options
  • l2tp/ipsec + preshared key
  • l2tp/ipsec + user cert
  • open vpn

and I have chosen open vpn

I have my CA cert on the chromebook and my client cert too. All that works - I can establish the connection as you can see.

This was all done following this procedure https://support.google.com/chromebook/answer/1282338?hl=en-GB

I have found these links which may also help but just now my head hurts rather a lot!!

https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub
https://code.google.com/p/chromium/issues/detail?id=217624
http://www.ch.cam.ac.uk/computing/openvpn-chromeos

The latest version of ChromeOS does allow me to set it up and get it working so maybe I don't need the ONC stuff - but maybe I do...

Lastly - I would probably like to have a choice as to whether I use the VPN for privacy in internet browsing or just for accessing my office LAN resources. In other words mostly it will just be used to access my own LAN. Sometimes I would like to be able to use the VPN to protect my internet access. So I guess I should have two VPNs available on my Chromebook - probably set up by two different ONC files.

 

Offline dmcguire

Re: how to use openvpn-bridge with Chromebook?
« Reply #3 on: December 16, 2014, 05:59:39 PM »
Chromebooks can't natively read SMB/CIFS/NFS shares last I tried, so browsing your LAN files is likely not an option here even if your VPN is connected. Assuming the VPN works, you ought to be able to pull HTTP traffic from the LAN side so something like ownCloud or a WebDAV share of some sort might be an option for you depending on your particular requirements.