Koozali.org: home of the SME Server

OpenVpn routing mode

Offline dede77b

OpenVpn routing mode
« on: October 22, 2007, 02:17:54 PM »
I'm trying to install OpenVpn in routing mode, but the Swerts-Knudsen contribs are no longer online.

The downloads directory has disappeared.

Does anyone have any suggestion on how to install it?

Can I install http://sme.firewall-services.com/spip.php?article4contrib and arrange it to work in routed mode?

Thanks for your help

Offline Franco

Re: OpenVpn routing mode
« Reply #1 on: October 23, 2007, 04:39:37 PM »
Well, too bad I can't get in touch with you by email. I could send the instructions that way, since there could be a reason why Mr. Knuddy took them down, I don't want to post them here.

Offline Daniel B.

Re: OpenVpn routing mode
« Reply #2 on: October 24, 2007, 08:54:35 AM »
Hi.
Unfortunately, it'll be quite hard to turn this contrib into routed mode. Configuring openvpn in routed mode is not too hard, but it'll need its own tun0 interface, and you'll have to configure the firewall to limit the traffic to/from the VPN, and this is the hardest part.
Is there a particular reason you want routed mode instead of bridge?
It's the end of the world!!! :lol:

Offline Knuddi

Re: OpenVpn routing mode
« Reply #3 on: September 01, 2008, 02:03:30 PM »
I have just updated the Howto to fit better with SME7, updated RPMs and placed it on the wiki. I might throw the added modules (the scripts) in an RPM one of these days.

http://wiki.contribs.org/OpenVPN

Enjoy,
Jesper

Offline crazybob

Re: OpenVpn routing mode
« Reply #4 on: September 07, 2008, 10:13:14 PM »
I am having problems connecting to a server with openvpn.

The configuration is server only, with a QoS router handling DHCP. The router's network IP is 192.168.4.1, the server is 192.168.4.2.

server.conf is as follows:
port 1194
dev tap

tls-server

dh dh1024.pem
ca ca.crt
cert server.crt
key server.key

auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh

up ./openvpn.up

mode server
duplicate-cn
ifconfig 192.168.100.1 255.255.255.0

ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for openvpn client

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120

push "ping 10"
push "ping-restart 60"

push "dhcp-option DOMAIN doubleoincorporated.com"             # push the DNS domain suffix
push "dhcp-option DNS 192.168.4.1"                   # push DNS entries to openvpn client
push "route 192.168.4.0 255.255.255.0 192.168.100.1" # add route to protected network

comp-lzo
status-version 2
status openvpn-status.log
verb 3


and openvpn.up is:
route del -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.4.1
route del -net 192.168.100.0 netmask 255.255.255.0 dev tap0
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.1


The local networks entry is:

Network 192.168.100.0
Mask      255.255.255.0
Router    192.168.4.1

I have opened port 1194 with your contrib,

port 1194 UDP is forwarded from the QoS device to 192.168.4.2

Have I missed anything that could be causing the error "could not read Auth username from stdin" that I see in the openvpn log on the client?

Here is a snippet of the server message log

Sep  7 14:40:31 server openvpn[15129]: MULTI: multi_create_instance called
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 Re-using SSL/TLS context
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 LZO compression initialized
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 Local Options hash (VER=V4): 'f7df56b8'
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 Expected Remote Options hash (VER=V4): 'd79ca330'
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 TLS: Initial packet from 134.215.197.162:1194, sid=0414fc33 fae4e00a
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 VERIFY OK: depth=1, /C=US/ST=MI/L=BYRONCENTER/O=OpenVPN-TEST/OU=VPN/CN=server/emailAddress=bob@srdpc.com
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 VERIFY OK: depth=0, /C=US/ST=MI/O=OpenVPN-TEST/OU=VPN/CN=client/emailAddress=bob@srdpc.com
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 [client] Peer Connection Initiated with 134.215.197.162:1194
Sep  7 14:40:33 server openvpn[15129]: 134.215.197.162:1194 PUSH: Received control message: 'PUSH_REQUEST'
Sep  7 14:40:33 server openvpn[15129]: 134.215.197.162:1194 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Sep  7 14:40:33 server openvpn[15129]: 134.215.197.162:1194 Delayed exit in 5 seconds
Sep  7 14:40:34 server openvpn[15129]: 134.215.197.162:1194 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Sep  7 14:40:38 server openvpn[15129]: 134.215.197.162:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting

Thanks for any ideas

Bob
If you think you know what's going on, you obviously have no idea what's going on!
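The log snippet above already contains the answer to "is it the certificates or the password step?": both VERIFY OK lines succeed and only the username/password verification fails. As an added example (not part of Bob's post or of the contrib), here is a small Python parser that runs over those same lines, groups them per peer and states that distinction explicitly; the regular expression and the summary keys are this example's own assumptions about the log format.

```python
#!/usr/bin/env python3
"""Added example: correlate OpenVPN server log lines per peer so that a
certificate problem can be told apart from an auth-user-pass-verify
problem. SAMPLE_LOG is copied from the post above; the regex and the
summary keys are assumptions of this example."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Sep  7 14:40:31 server openvpn[15129]: MULTI: multi_create_instance called
Sep  7 14:40:31 server openvpn[15129]: 134.215.197.162:1194 Re-using SSL/TLS context
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 VERIFY OK: depth=1, /C=US/ST=MI/L=BYRONCENTER/O=OpenVPN-TEST/OU=VPN/CN=server/emailAddress=bob@srdpc.com
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 VERIFY OK: depth=0, /C=US/ST=MI/O=OpenVPN-TEST/OU=VPN/CN=client/emailAddress=bob@srdpc.com
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Sep  7 14:40:32 server openvpn[15129]: 134.215.197.162:1194 [client] Peer Connection Initiated with 134.215.197.162:1194
Sep  7 14:40:33 server openvpn[15129]: 134.215.197.162:1194 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Sep  7 14:40:38 server openvpn[15129]: 134.215.197.162:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
"""

# syslog prefix, then the optional "ip:port" OpenVPN prepends to per-client messages
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ openvpn\[(?P<pid>\d+)\]: "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) )?(?P<msg>.*)$"
)
CN_RE = re.compile(r"/CN=([^/]+)")


def parse_line(line):
    """Split one syslog line into ts/pid/peer/msg, or None if it is not an openvpn line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(text):
    """Per-peer record: verified certificate CNs keyed by depth, plus auth failure flags."""
    peers = defaultdict(lambda: {"verified": {}, "auth_failed": False, "auth_failed_sent": False})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["peer"] is None:
            continue  # global lines such as "MULTI: ..." carry no peer address
        rec, msg = peers[ev["peer"]], ev["msg"]
        if msg.startswith("VERIFY OK:"):
            depth = int(re.search(r"depth=(\d+)", msg).group(1))
            rec["verified"][depth] = CN_RE.search(msg).group(1)
        elif "Auth Username/Password verification failed" in msg:
            rec["auth_failed"] = True
        elif "'AUTH_FAILED'" in msg:
            rec["auth_failed_sent"] = True
    return dict(peers)


def diagnose(rec):
    """Turn one peer record into a one-line verdict for the operator."""
    if rec["auth_failed"] and 0 in rec["verified"]:
        return (f"certificate chain verified (client CN={rec['verified'][0]}) but the "
                f"auth-user-pass-verify script rejected the login: check that script, not the PKI")
    if rec["auth_failed"]:
        return "login rejected before the client certificate was verified"
    if rec["verified"]:
        return "certificate verified, no auth failure logged"
    return "no verification events for this peer"


if __name__ == "__main__":
    for peer, rec in summarise(SAMPLE_LOG).items():
        print(peer, "->", diagnose(rec))
```

Run against a real `/var/log/messages` by feeding the file's text to `summarise()`; peers whose record shows `auth_failed` with an empty `verified` dict point at a PKI problem instead, which is the other case worth alerting on.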

Offline Knuddi

Re: OpenVpn routing mode
« Reply #5 on: September 08, 2008, 07:45:20 AM »
It seems as if the client is not passing username and password correctly. Which client are you using? Also check the /var/log/openvpn/logins log to maybe see the reason. As far as I recall, you cannot VPN in as admin (there is a check for UID/GID less than 5000); that could also be the reason.

Cheers,
Jesper

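The server.conf earlier in the thread uses `auth-user-pass-verify ./validate.sh via-env`, and Jesper's reply mentions the UID/GID 5000 check and the /var/log/openvpn/logins file. As an added example that is not the contrib's validate_user.pl, the following Python script shows what such a verify script has to do: read the credentials the way OpenVPN hands them over (the `username`/`password` environment variables for `via-env`, or a two-line temporary file for `via-file`), refuse accounts below UID 5000, check the password, log the attempt, and exit 0 only on success. The credential file format and its path /etc/openvpn/vpn-users are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example (not the wiki contrib's validate_user.pl): an OpenVPN
auth-user-pass-verify script. Exit status 0 accepts the login; anything
else makes the server send AUTH_FAILED, as seen in the log above.

Assumptions of this example: passwords are checked against a local file of
PBKDF2-SHA256 hashes, accounts below UID 5000 are refused (the check Jesper
mentions), and every attempt is appended to /var/log/openvpn/logins."""
import hashlib
import hmac
import os
import pwd
import sys
import time

MIN_UID = 5000
LOG_FILE = "/var/log/openvpn/logins"      # log file named in the thread
CRED_FILE = "/etc/openvpn/vpn-users"      # assumed path; "user:salt_hex:iterations:hash_hex" per line
_DUMMY_SALT = bytes(16)


def hash_password(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_credential_line(user, password, salt=None, iterations=200_000):
    """One line for CRED_FILE; run once per user when enrolling them."""
    salt = os.urandom(16) if salt is None else salt
    return f"{user}:{salt.hex()}:{iterations}:{hash_password(password, salt, iterations)}"


def load_credentials(text):
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, iterations, digest = line.split(":")
        creds[user] = (bytes.fromhex(salt_hex), int(iterations), digest)
    return creds


def password_ok(creds, user, password):
    entry = creds.get(user)
    if entry is None:
        hash_password(password, _DUMMY_SALT, 200_000)  # unknown names cost as much as wrong passwords
        return False
    salt, iterations, digest = entry
    return hmac.compare_digest(hash_password(password, salt, iterations), digest)


def lookup_uid(user):
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None


def read_credentials(argv, environ):
    """via-env: $username/$password. via-file: argv[1] is a temp file, user on line 1, password on line 2."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.read().splitlines()
        return (lines[0] if lines else ""), (lines[1] if len(lines) > 1 else "")
    return environ.get("username", ""), environ.get("password", "")


def validate(user, password, creds, uid_lookup=lookup_uid, min_uid=MIN_UID):
    """Return (accepted, reason)."""
    if not user or not password:
        return False, "username or password missing"
    uid = uid_lookup(user)
    if uid is None:
        return False, "no such account"
    if uid < min_uid:
        return False, f"uid {uid} below {min_uid}, not a VPN user"
    if not password_ok(creds, user, password):
        return False, "password mismatch"
    return True, "ok"


def log_attempt(user, peer, accepted, reason, log_file=LOG_FILE):
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    with open(log_file, "a") as fh:
        fh.write(f"{stamp} {'ACCEPT' if accepted else 'REJECT'} user={user!r} peer={peer} {reason}\n")


def main():
    with open(CRED_FILE) as fh:
        creds = load_credentials(fh.read())
    user, password = read_credentials(sys.argv, os.environ)
    accepted, reason = validate(user, password, creds)
    # OpenVPN exports the not-yet-authenticated peer as untrusted_ip / untrusted_port
    peer = f"{os.environ.get('untrusted_ip', '?')}:{os.environ.get('untrusted_port', '?')}"
    log_attempt(user, peer, accepted, reason)
    sys.exit(0 if accepted else 1)


if __name__ == "__main__":
    main()
```

The `via-file` branch is there because the OpenVPN manual warns that `via-env` leaves the password readable in the script's environment; the server.conf above could switch to `auth-user-pass-verify ./validate.sh via-file` without any other change to this script. A client that sends an empty username (the "could not read Auth username from stdin" case) is rejected and logged with the "missing" reason rather than crashing the script.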

Offline crazybob

Re: OpenVpn routing mode
« Reply #6 on: September 08, 2008, 02:16:58 PM »
Thanks Jesper,

I think I have found the problem, but I need your help to fix it.

This is the contents of my validate_user.pl file

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /downloads/OpenVPN/validate_user.pl
on this server.</p>
</body></html>


Bob
Also, logoff_user.pl is bad.
I remember getting an error when I tried to use wget per the wiki, so I tried to download them through my browser, and they appeared to download, but I was wrong.

Thanks

Bob
« Last Edit: September 08, 2008, 02:26:49 PM by crazybob »
If you think you know what's going on, you obviously have no idea what's going on!

Offline Knuddi

Re: OpenVpn routing mode
« Reply #7 on: September 08, 2008, 02:41:59 PM »
Oops - my mistake, as the web server thinks it has to execute the Perl files. I have packed them together in a TGZ file.

Try this:
cd /etc/openvpn
wget http://sme.swerts-knudsen.dk/downloads/OpenVPN/OpenVPN.tgz
tar xzf OpenVPN.tgz
chmod 755 *.pl
chmod 755 *.sh
chmod 700 *.up

And then remove the OpenVPN.tgz file again:
rm OpenVPN.tgz
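Bob's earlier post shows how the failure looked: a 403 page saved under the name validate_user.pl, which OpenVPN then tried to run as the auth script. As an added example (not part of the contrib or the steps above), this Python script checks the files unpacked into /etc/openvpn before the chmod step, rejecting anything without a usable interpreter line or that looks like HTML, and applies the same modes as above only to files that pass. The file names and sample contents in `demo()` are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example, not part of the contrib: sanity-check scripts unpacked
into /etc/openvpn before making them executable. Rejects empty files,
files without a #! line, and HTML error pages saved under a script name.
Sample contents in demo() are constructed; the 403 page text is the one
quoted earlier in the thread."""
import os
import tempfile

SCRIPT_SUFFIXES = (".pl", ".sh", ".up")
HTML_MARKERS = (b"<!doctype", b"<html", b"<head", b"<h1>")


def inspect_script(path):
    """Return (ok, detail) for one file, looking only at its first kilobyte."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    if not head.strip():
        return False, "empty file"
    probe = head.lstrip().lower()
    if any(probe.startswith(m) for m in HTML_MARKERS) or b"403 forbidden" in probe:
        return False, "HTML error page saved instead of a script"
    if not head.startswith(b"#!"):
        return False, "no #! interpreter line"
    interpreter = head.split(b"\n", 1)[0][2:].split()
    if not interpreter:
        return False, "empty #! line"
    return True, f"interpreter {interpreter[0].decode('ascii', 'replace')}"


def inspect_directory(directory, suffixes=SCRIPT_SUFFIXES):
    """Inspect every script-looking file in the directory; names map to (ok, detail)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(suffixes):
            results[name] = inspect_script(os.path.join(directory, name))
    return results


def mark_executable(directory, results):
    """Apply the chmod step from the post (755 for .pl/.sh, 700 for .up) to files that passed."""
    changed = []
    for name, (ok, _) in results.items():
        if ok:
            os.chmod(os.path.join(directory, name), 0o700 if name.endswith(".up") else 0o755)
            changed.append(name)
    return changed


FORBIDDEN_PAGE = b"""<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /downloads/OpenVPN/validate_user.pl
on this server.</p>
</body></html>
"""


def demo():
    """Build a throwaway directory with one good and two bad files, inspect it, chmod the good one."""
    workdir = tempfile.mkdtemp(prefix="openvpn-check-")
    samples = {
        "validate_user.pl": FORBIDDEN_PAGE,                  # the 403 page from the thread
        "logoff_user.pl": b"#!/usr/bin/perl\nexit 0;\n",     # a real (constructed) script
        "openvpn.up": b"",                                    # a truncated download
    }
    for name, body in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(body)
    results = inspect_directory(workdir)
    return results, mark_executable(workdir, results)


if __name__ == "__main__":
    results, changed = demo()
    for name, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
    print("made executable:", changed)
```

For the real directory, call `inspect_directory("/etc/openvpn")` and only run `mark_executable` when every entry reports ok; a single rejected file is exactly the situation that produced the AUTH_FAILED log lines earlier in the thread.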


Offline crazybob

Re: OpenVpn routing mode
« Reply #8 on: September 08, 2008, 02:56:02 PM »
Thanks, works great now.

Bob
If you think you know what's going on, you obviously have no idea what's going on!

Offline soprom

Re: OpenVpn routing mode
« Reply #9 on: September 11, 2008, 03:52:25 AM »
Would someone be kind enough to briefly describe the difference between routed and bridged openvpn?
It would help users to choose which one to select.

My understanding is:

Bridged:
The vpn handles the remote clients on the same subnet as the LAN like pptp does.

Routed:
The vpn is on a different subnet and we can (must) tell the server to accept this subnet as local.
Why is this used?

Any help is appreciated!
 
« Last Edit: September 11, 2008, 03:56:15 AM by soprom »
Sophie from Montréal

Offline soprom

Re: OpenVpn routing mode
« Reply #10 on: September 14, 2008, 04:24:15 AM »
Following up on my last post...

Routed vpn will separate networks (server's lan and client's lan). This would be more secure, so to speak.

Bridged vpn will interconnect both LANs and allow traffic between them.
Sophie from Montréal

Offline Knuddi

Re: OpenVpn routing mode
« Reply #11 on: September 16, 2008, 08:27:40 PM »
soprom,

Your reasons are exactly the way I see it. Routed networks are more secure even though users are authenticated. You can make a decision that some resources are not available for remote users. On the other hand, routed networks also require more setup for the individual resources if you have more than 1 server (SME server) in your network.

Offline soprom

Re: OpenVpn routing mode
« Reply #12 on: October 25, 2008, 06:57:52 PM »
difference between routed and bridged openvpn?
From OpenVPN website:
Quote
I would recommend using routing unless you need a specific feature which requires bridging, such as:
    * the VPN needs to be able to handle non-IP protocols such as IPX,
    * you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
    * you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
Sophie from Montréal