Gentoo Archives: gentoo-user

From: Joseph <syscon780@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] openvpn static ip
Date: Thu, 25 Feb 2010 21:13:22
Message-Id: 20100225210109.GC6860@syscon4.inet
In Reply to: Re: [gentoo-user] openvpn static ip by Xavier Parizet
On 02/25/10 21:09, Xavier Parizet wrote:
[snip]
>> Yes, it was a typo :-/ I corrected it:
>> cat syscon9
>> ifconfig-push 192.168.139.15 255.255.255.0
>>
>> but from log you can see it still didn't give me what I want, I got IP
>> 192.168.139.6 and was asking for: 192.168.139.15
>>
>> log:
>> cat /var/log/openvpn.log
>> [SNIP]
>
>Ok. After re-re-reading the man page, try to add parameter topology
>subnet to server config. If it still doesn't work, then _please_ post the
>openvpn.log of the server side.
>
>--
> Xavier Parizet
>YaGB : http://gentooist.com
>GPG : C7DC B10E FC21 63BE
>B453 D239 F6E6 DF65 1569 91BF
>

I've added "topology subnet" to both client and server conf, but now when I try to disconnect and connect I'm getting consecutive IPs:
192.168.139.2
192.168.139.3
192.168.139.4
...

cat server.conf
port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
topology subnet
server 192.168.139.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth vpn_my.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

cat client_clinic2.conf
client
dev tun
proto udp
topology subnet
remote 208.38.31.237 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca "/etc/openvpn/client_clinic2/ca.crt"
cert "/etc/openvpn/client_clinic2/syscon9.crt"
key "/etc/openvpn/client_clinic2/syscon9.key"
tls-auth "/etc/openvpn/client_clinic2/vpn_my.key" 1
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3


log file from client:

cat /var/log/openvpn.log
Thu Feb 25 13:50:30 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jan 16 2010
Thu Feb 25 13:50:30 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 25 13:50:30 2010 Control Channel Authentication: using '/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file
Thu Feb 25 13:50:30 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:30 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:30 2010 LZO compression initialized
Thu Feb 25 13:50:30 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 13:50:30 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 13:50:30 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 13:50:30 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 13:50:30 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Feb 25 13:50:30 2010 UDPv4 link local: [undef]
Thu Feb 25 13:50:30 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 13:50:30 2010 TLS: Initial packet from 208.38.31.237:9000, sid=766f3e2f 0cf96857
Thu Feb 25 13:50:30 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@××××××.mydomain
Thu Feb 25 13:50:30 2010 Validating certificate key usage
Thu Feb 25 13:50:30 2010 ++ Certificate has key usage 00a0, expects 00a0
Thu Feb 25 13:50:30 2010 VERIFY KU OK
Thu Feb 25 13:50:30 2010 Validating certificate extended key usage
Thu Feb 25 13:50:30 2010 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 25 13:50:30 2010 VERIFY EKU OK
Thu Feb 25 13:50:30 2010 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@××××××.mydomain
Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:31 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 25 13:50:31 2010 [server] Peer Connection Initiated with 208.38.31.237:9000
Thu Feb 25 13:50:32 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Feb 25 13:50:32 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.139.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.139.2 255.255.255.0'
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: route-related options modified
Thu Feb 25 13:50:32 2010 TUN/TAP device tun0 opened
Thu Feb 25 13:50:32 2010 TUN/TAP TX queue length set to 100
Thu Feb 25 13:50:32 2010 /sbin/ifconfig tun0 192.168.139.2 netmask 255.255.255.0 mtu 1500 broadcast 192.168.139.255
Thu Feb 25 13:50:32 2010 /etc/openvpn/up.sh tun0 1500 1574 192.168.139.2 255.255.255.0 init
Thu Feb 25 13:50:32 2010 Initialization Sequence Completed


log file from server:
Thu Feb 25 13:56:12 2010 syscon9/68.148.245.78:55861 [syscon9] Inactivity timeout (--ping-restart), restarting
Thu Feb 25 13:56:12 2010 syscon9/68.148.245.78:55861 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Feb 25 13:56:57 2010 MULTI: multi_create_instance called
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Re-using SSL/TLS context
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 LZO compression initialized
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Local Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Expected Remote Options hash (VER=V4): 'ec497616'
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 TLS: Initial packet from 68.148.245.78:55868, sid=57c549f4 702a73f4
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@××××××.mydomain
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=syscon9/emailAddress=me@××××××.mydomain
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 [syscon9] Peer Connection Initiated with 68.148.245.78:55868
Thu Feb 25 13:56:58 2010 syscon9/68.148.245.78:55868 MULTI: Learn: 192.168.139.3 -> syscon9/68.148.245.78:55868
Thu Feb 25 13:56:58 2010 syscon9/68.148.245.78:55868 MULTI: primary virtual IP for syscon9/68.148.245.78:55868: 192.168.139.3
Thu Feb 25 13:56:59 2010 syscon9/68.148.245.78:55868 PUSH: Received control message: 'PUSH_REQUEST'
Thu Feb 25 13:56:59 2010 syscon9/68.148.245.78:55868 SENT CONTROL [syscon9]: 'PUSH_REPLY,route-gateway 192.168.139.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.139.3 255.255.255.0' (status=1)
Thu Feb 25 13:57:02 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Thu Feb 25 13:57:12 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

Why is the server log always showing this message: [ECONNREFUSED]: Connection refused (code=111)?

--
Joseph
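
A small checker for the server-side pieces this thread is circling (client-config-dir, ifconfig-push, topology subnet, ifconfig-pool-persist and duplicate-cn), added here as an example; it is not the poster's configuration or OpenVPN's own code. It assumes the OpenVPN 2.1 file formats the page shows (one directive per line, ipp.txt as `CN,address`), and all sample files it writes are constructed for the demo, with only the `syscon9` ccd entry taken from the thread.

```python
"""Sanity-check an OpenVPN server's client-config-dir (ccd) entries.

Added example for the thread above; not the poster's or OpenVPN's code.
It parses server.conf, the per-client ccd files and the ipp.txt persistence
file, and reports the misconfigurations that leave a client without the
static address it was supposed to get. Sample files are constructed here.
"""
import ipaddress
import os
import tempfile


def parse_config(text):
    """Return {directive: [args]} for the first occurrence of each directive.

    Lines beginning with '#' or ';' are comments; optional double quotes
    around arguments (as in the client config on the page) are stripped.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = [p.strip('"') for p in line.split()]
        opts.setdefault(parts[0], parts[1:])
    return opts


def parse_ipp(text):
    """ipp.txt lines are 'CN,address' (OpenVPN 2.1 format); return {address: CN}."""
    pool = {}
    for line in text.splitlines():
        if "," in line:
            cn, addr = line.strip().split(",", 1)
            pool[addr] = cn
    return pool


def check_ccd(server_conf, ccd_dir, ipp_text="", known_cns=None):
    """Return a list of (file, problem) tuples; an empty list means nothing found."""
    opts = parse_config(server_conf)
    net_addr, net_mask = opts["server"][:2]
    subnet = ipaddress.ip_network(f"{net_addr}/{net_mask}", strict=False)
    server_ip = next(subnet.hosts())          # first host (.1) is the server's tunnel address
    topology = opts.get("topology", ["net30"])[0]
    persisted = parse_ipp(ipp_text)
    findings = []
    if "duplicate-cn" in opts:
        findings.append(("server.conf",
                         "duplicate-cn is set: every client presenting the same CN gets "
                         "the same ccd entry, so a static ifconfig-push cannot be unique"))
    seen = {}
    for name in sorted(os.listdir(ccd_dir)):
        with open(os.path.join(ccd_dir, name)) as fh:
            push = parse_config(fh.read()).get("ifconfig-push")
        if known_cns is not None and name not in known_cns:
            findings.append((name, "no client certificate has this exact CN; "
                                   "ccd file names are matched case-sensitively"))
        if not push:
            continue
        if len(push) < 2:
            findings.append((name, "ifconfig-push needs two arguments"))
            continue
        local = ipaddress.ip_address(push[0])
        reserved = (subnet.network_address, subnet.broadcast_address, server_ip)
        if local not in subnet or local in reserved:
            findings.append((name, f"{local} is not a usable client address in {subnet}"))
        if topology == "subnet" and push[1] != str(subnet.netmask):
            findings.append((name, f"under 'topology subnet' the second argument must be "
                                   f"the netmask {subnet.netmask}, not {push[1]}"))
        elif topology == "net30":
            remote = ipaddress.ip_address(push[1])
            if remote not in ipaddress.ip_network(f"{local}/30", strict=False):
                findings.append((name, f"under net30 {local} and {remote} must share a /30"))
        owner = persisted.get(str(local))
        if owner and owner != name:
            findings.append((name, f"{local} is already recorded for '{owner}' in ipp.txt"))
        if str(local) in seen:
            findings.append((name, f"{local} is also pushed to '{seen[str(local)]}'"))
        seen[str(local)] = name
    return findings


def run_demo():
    """Build a constructed server layout in a temp dir and return the findings."""
    server_conf = (
        "topology subnet\n"
        "server 192.168.139.0 255.255.255.0\n"
        "duplicate-cn\n"
        "client-config-dir ccd\n"
        "ifconfig-pool-persist ipp.txt\n"
    )
    ccd = {
        "syscon9": "ifconfig-push 192.168.139.15 255.255.255.0\n",   # entry from the thread
        "Syscon9": "ifconfig-push 192.168.139.16 255.255.255.0\n",   # constructed: case typo in name
        "office":  "ifconfig-push 192.168.139.20 192.168.139.21\n",  # constructed: net30-style args
        "laptop":  "ifconfig-push 10.8.0.5 255.255.255.0\n",         # constructed: wrong subnet
    }
    ipp = "syscon9,192.168.139.2\nprinter,192.168.139.15\n"           # constructed ipp.txt
    with tempfile.TemporaryDirectory() as tmp:
        ccd_dir = os.path.join(tmp, "ccd")
        os.mkdir(ccd_dir)
        for name, body in ccd.items():
            with open(os.path.join(ccd_dir, name), "w") as fh:
                fh.write(body)
        return check_ccd(server_conf, ccd_dir, ipp, known_cns={"syscon9", "office", "laptop"})


if __name__ == "__main__":
    for where, problem in run_demo():
        print(f"{where}: {problem}")
```

Two caveats worth keeping in mind when pointing this at a real server: the ccd file is looked up by the exact common name of the client certificate (the server log above shows `CN=syscon9`, so the file name `syscon9` is right), and a relative path such as `client-config-dir ccd` is resolved from the daemon's working directory (set with the `--cd` directive or by the init script), so the directory the checker reads must be the one the running daemon reads.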

Replies

Subject Author
Re: [gentoo-user] openvpn static ip Xavier Parizet <xav@×××××××××.com>