Koozali.org: home of the SME Server

OpenVPN for Sme 7.0

painkiller

Problem with tls key
« Reply #60 on: December 10, 2006, 10:38:05 AM »
I installed your openvpn.
Installation went without errors.
I added a client key for the server; I downloaded these keys and put them in the openvpn/config dir.
I can connect with OpenVPN GUI (the icon stays yellow). I find the following error in the log file of my Windows XP client:

####
Sun Dec 10 10:31:25 2006 us=558304 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 10 10:31:25 2006 us=558357 TLS Error: TLS handshake failed
Sun Dec 10 10:31:25 2006 us=559674 TCP/UDP: Closing socket
Sun Dec 10 10:31:25 2006 us=560422 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec 10 10:31:25 2006 us=560460 Restart pause, 2 second(s)
Sun Dec 10 10:31:27 2006 us=562564 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Dec 10 10:31:27 2006 us=562631 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 10:31:27 2006 us=562651 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 10:31:27 2006 us=562711 LZO compression initialized
Sun Dec 10 10:31:27 2006 us=562807 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sun Dec 10 10:31:27 2006 us=564544 Data Channel MTU parms [ L:1578 D:1450 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Dec 10 10:31:27 2006 us=565147 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Sun Dec 10 10:31:27 2006 us=565215 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sun Dec 10 10:31:27 2006 us=565232 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sun Dec 10 10:31:27 2006 us=565269 Local Options hash (VER=V4): 'a257ef04'
Sun Dec 10 10:31:27 2006 us=565294 Expected Remote Options hash (VER=V4): '8f3da10b'
Sun Dec 10 10:31:27 2006 us=565360 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Dec 10 10:31:27 2006 us=566249 UDPv4 link local: [undef]
Sun Dec 10 10:31:27 2006 us=566276 UDPv4 link remote: 86.87.210.220:1194
####
Log file of the server:

#####
Sun Dec 10 00:37:38 2006 MULTI: multi_init called, r=256 v=256
Sun Dec 10 00:37:38 2006 IFCONFIG POOL: base=192.168.1.201 size=50
Sun Dec 10 00:37:38 2006 Initialization Sequence Completed
Sun Dec 10 08:02:45 2006 event_wait : Interrupted system call (code=4)
Sun Dec 10 08:02:45 2006 TCP/UDP: Closing socket
Sun Dec 10 08:02:45 2006 Closing TUN/TAP interface
Sun Dec 10 08:02:45 2006 PLUGIN_CLOSE: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Sun Dec 10 08:02:45 2006 SIGTERM[hard,] received, process exiting
Sun Dec 10 10:27:53 2006 OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Sun Dec 10 10:27:53 2006 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Sun Dec 10 10:27:53 2006 Diffie-Hellman initialized with 2048 bit key
Sun Dec 10 10:27:53 2006 WARNING: file 'easy-rsa/keys/bridge/server.key' is group or others accessible
Sun Dec 10 10:27:53 2006 WARNING: file 'easy-rsa/keys/bridge/ta.key' is group or others accessible
Sun Dec 10 10:27:53 2006 Control Channel Authentication: using 'easy-rsa/keys/bridge/ta.key' as a OpenVPN static key file
Sun Dec 10 10:27:53 2006 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 10:27:53 2006 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 10 10:27:53 2006 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sun Dec 10 10:27:53 2006 TUN/TAP device tap0 opened
Sun Dec 10 10:27:53 2006 Data Channel MTU parms [ L:1574 D:1400 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Dec 10 10:27:54 2006 chroot to '/etc/openvpn' and cd to '/' succeeded
Sun Dec 10 10:27:54 2006 GID set to nobody
Sun Dec 10 10:27:54 2006 UID set to nobody
Sun Dec 10 10:27:54 2006 UDPv4 link local (bound): [undef]:1194
Sun Dec 10 10:27:54 2006 UDPv4 link remote: [undef]
Sun Dec 10 10:27:54 2006 MULTI: multi_init called, r=256 v=256
Sun Dec 10 10:27:54 2006 IFCONFIG POOL: base=192.168.1.201 size=50
Sun Dec 10 10:27:54 2006 Initialization Sequence Completed
Sun Dec 10 10:28:32 2006 MULTI: multi_create_instance called
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 Re-using SSL/TLS context
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 LZO compression initialized
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 Control Channel MTU parms [ L:1578 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 Data Channel MTU parms [ L:1578 D:1400 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 Fragmentation MTU parms [ L:1578 D:1400 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 Local Options hash (VER=V4): '8f3da10b'
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 Expected Remote Options hash (VER=V4): 'a257ef04'
Sun Dec 10 10:28:32 2006 192.168.1.7:1504 TLS: Initial packet from 192.168.1.7:1504, sid=25afa51e 66b6cc6a
Sun Dec 10 10:28:33 2006 192.168.1.7:1504 CRL: cannot read: easy-rsa/keys/bridge/crl.pem: Permission denied (errno=13)
Sun Dec 10 10:28:33 2006 192.168.1.7:1504 Exiting
#####
It was a clean install on an SME 7.0,
SME server only.
Port 1194 is opened on my router to the SME.

Can you help me with this problem?

Daniel B.

OpenVPN for Sme 7.0
« Reply #61 on: December 10, 2006, 03:28:02 PM »
Can you try to give read access to everyone on the crl.pem file:
chmod +r /etc/openvpn/easy-rsa/keys/bridge/crl.pem

Then try again to connect. If it's working, I know where the error comes from and I will release the patch tomorrow.
It's the end of the world!!! :lol:

nazri

OpenVPN for Sme 7.0
« Reply #62 on: June 18, 2007, 07:15:32 AM »
I still have the same error..

server log:
Mon Jun 18 12:43:39 2007 WARNING: file 'easy-rsa/keys/bridge/server.key' is group or others accessible
Mon Jun 18 12:43:39 2007 WARNING: file 'easy-rsa/keys/bridge/ta.key' is group or others accessible
Mon Jun 18 12:43:39 2007 Control Channel Authentication: using 'easy-rsa/keys/bridge/ta.key' as a OpenVPN static key file
Mon Jun 18 12:43:39 2007 TUN/TAP device tap0 opened
Mon Jun 18 12:43:39 2007 chroot to '/etc/openvpn' and cd to '/' succeeded
Mon Jun 18 12:43:39 2007 GID set to nobody
Mon Jun 18 12:43:39 2007 UID set to nobody
Mon Jun 18 12:43:39 2007 UDPv4 link local (bound): [undef]:2000
Mon Jun 18 12:43:39 2007 UDPv4 link remote: [undef]
Mon Jun 18 12:43:39 2007 Initialization Sequence Completed
Mon Jun 18 12:58:44 2007 60.52.32.142:1127 Re-using SSL/TLS context
Mon Jun 18 12:58:44 2007 60.52.32.142:1127 LZO compression initialized
Mon Jun 18 12:58:44 2007 60.52.32.142:1127 CRL: cannot read: easy-rsa/keys/bridge/crl.pem: Permission denied (errno=13)
Mon Jun 18 12:58:44 2007 60.52.32.142:1127 Exiting

nazri

OpenVPN for Sme 7.0
« Reply #63 on: June 18, 2007, 07:17:12 AM »
Mon Jun 18 12:43:39 2007 chroot to '/etc/openvpn' and cd to '/' succeeded

I think the problem is in this? CD to '/'

Daniel B.

OpenVPN for Sme 7.0
« Reply #64 on: June 18, 2007, 09:36:36 AM »
Quote from: "nazri"
Mon Jun 18 12:43:39 2007 chroot to '/etc/openvpn' and cd to '/' succeeded

I think the problem is in this? CD to '/'


There's no problem with CD '/'.
First, the daemon is chrooted in /etc/openvpn, so /etc/openvpn becomes the '/' for openvpn. Then, in the config file, there's a directive to select /etc/openvpn as the current directory, which means '/' for the openvpn daemon.

I think you're having some other problem. Try to delete all the certificates and restart from scratch.
It's the end of the world!!! :lol:
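
Added example, not part of the original posts or of the SME Server contrib: the server logs in this thread show the CRL being opened when a client connects, after "UID set to nobody", so crl.pem needs read permission for others and every directory from the chroot root down needs search permission, while the keys flagged by the startup WARNING lines are loaded before the drop. The function name, the assumption that 'nobody' is neither owner nor group member of these files, and the temporary tree built in demo() are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_openvpn_keys(chroot_dir, crl_rel, private_rel=()):
    """Permission findings for files OpenVPN opens around chroot + setuid.

    Assumption: 'nobody' is neither owner nor group member of these files,
    so only the 'other' permission bits apply to it.
    """
    def mode(rel):
        return os.stat(os.path.join(chroot_dir, rel)).st_mode

    findings = []
    # The CRL is opened when a client connects, i.e. after the privilege drop:
    # every directory on the path needs o+x and the file itself needs o+r.
    parts = crl_rel.split("/")
    for i in range(len(parts)):
        rel = "/".join(parts[:i]) or "."
        if not mode(rel) & stat.S_IXOTH:
            findings.append(f"{rel}: directory needs o+x")
    if not mode(crl_rel) & stat.S_IROTH:
        findings.append(f"{crl_rel}: CRL needs o+r")
    # Private keys are loaded at startup, before the drop; the WARNING lines
    # in the log flag any group/other access on them.
    for rel in private_rel:
        if mode(rel) & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{rel}: private key is group or others accessible")
    return findings

def demo():
    """Constructed tree: crl.pem got chmod +r, but 'bridge' is still 0700."""
    with tempfile.TemporaryDirectory() as root:
        bridge = os.path.join(root, "easy-rsa", "keys", "bridge")
        os.makedirs(bridge)
        files = (("crl.pem", 0o644), ("server.key", 0o644), ("ta.key", 0o600))
        for name, perm in files:
            path = os.path.join(bridge, name)
            open(path, "w").close()
            os.chmod(path, perm)
        for d in (root, os.path.dirname(os.path.dirname(bridge)), os.path.dirname(bridge)):
            os.chmod(d, 0o755)
        os.chmod(bridge, 0o700)
        return audit_openvpn_keys(root, "easy-rsa/keys/bridge/crl.pem",
            ["easy-rsa/keys/bridge/server.key", "easy-rsa/keys/bridge/ta.key"])

if __name__ == "__main__":
    print("\n".join(demo()))
```

A recursive chmod on the key directory would clear the CRL error while leaving server.key and ta.key exposed; grant o+x on the directories and o+r on crl.pem only.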

nazri

OpenVPN for Sme 7.0
« Reply #65 on: June 18, 2007, 10:39:56 AM »
Already started from scratch.. but still the same..

groutley

Re: OpenVPN for Sme 7.0
« Reply #66 on: March 29, 2008, 12:55:37 PM »
Hello,
Was there any resolution to this problem?
I am having the same issue:
Sat Mar 29 22:51:18 2008 MULTI: multi_create_instance called
Sat Mar 29 22:51:18 2008 124.187.35.13:16667 Re-using SSL/TLS context
Sat Mar 29 22:51:18 2008 124.187.35.13:16667 LZO compression initialized
Sat Mar 29 22:51:18 2008 124.187.35.13:16667 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Mar 29 22:51:18 2008 124.187.35.13:16667 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sat Mar 29 22:51:18 2008 124.187.35.13:16667 Local Options hash (VER=V4): '360696c5'
Sat Mar 29 22:51:18 2008 124.187.35.13:16667 Expected Remote Options hash (VER=V4): '13a273ba'
Sat Mar 29 22:51:18 2008 124.187.35.13:16667 TLS: Initial packet from 124.187.35.13:16667, sid=2a267552 e23b9dbe
Sat Mar 29 22:51:19 2008 124.187.35.13:16667 CRL: cannot read: easy-rsa/keys/bridge/crl.pem: Permission denied (errno=13)
Sat Mar 29 22:51:19 2008 124.187.35.13:16667 Exiting

Appreciate any help, I have deleted and regenerated keys many times but always have no success.