# [Unsolved] problems setting up openvpn

## mikegpitt

I'm attempting to set up OpenVPN on a server inside my personal network. My network is behind a Linksys router, and allows the IP addresses 192.168.1.100 - 192.168.1.255. The server is up on the network on eth0 at the IP 192.168.1.100.

I can't seem to configure things correctly. I tried the more complicated howto on the Gentoo wiki, "HOWTO Road Warriors with OpenVPN", first, but when that didn't work I switched to the simpler "HOWTO OpenVPN primer".

HOWTO Road Warriors with OpenVPN:  http://gentoo-wiki.com/HOWTO_Road_Warriors_with_OpenVPN

HOWTO OpenVPN primer:  http://gentoo-wiki.com/HOWTO_OpenVPN_primer

I pretty much followed the guide to the "T", but I can't seem to get things to work.

On the server:

/etc/openvpn/openvpn.conf

```
dev tun
# IP of the local tun device and its peer
ifconfig 192.168.1.121 192.168.1.120
secret /etc/openvpn/mylan-key.txt
comp-lzo
port 1194
user nobody
group nobody
persist-key
persist-tun
```

On the client:

```
remote 192.168.1.100 1194
dev tun
# OpenVPN comments start with '#' or ';'; a trailing "//" on a directive
# line is read as an extra argument, not as a comment.
# IP of the local tun device and its peer
ifconfig 192.168.1.120 192.168.1.121
secret /etc/openvpn/mylan/mylan-key.txt
comp-lzo
user nobody
group nobody
# sets up the route to the network behind the VPN server
route 192.168.1.0 255.255.255.0
persist-key
persist-tun
```

And this is what happens when I run the client:

```
openvpn --config local.conf 
Fri Aug  4 01:54:21 2006 OpenVPN 2.0.6 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Aug  3 2006
Fri Aug  4 01:54:21 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Aug  4 01:54:21 2006 LZO compression initialized
Fri Aug  4 01:54:21 2006 WARNING: potential conflict between --remote address [192.168.1.100] and --ifconfig address pair [192.168.1.120, 192.168.1.121] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn)
Fri Aug  4 01:54:21 2006 RESOLVE: Cannot resolve host address: //: [HOST_NOT_FOUND] The specified host is unknown.
Fri Aug  4 01:54:21 2006 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Fri Aug  4 01:54:21 2006 TUN/TAP device tun0 opened
Fri Aug  4 01:54:21 2006 /sbin/ip link set dev tun0 up mtu 1500
Fri Aug  4 01:54:21 2006 /sbin/ip addr add dev tun0 local 192.168.1.120 peer 192.168.1.121
Fri Aug  4 01:54:21 2006 GID set to nobody
Fri Aug  4 01:54:21 2006 UID set to nobody
Fri Aug  4 01:54:21 2006 UDPv4 link local (bound): [undef]:1194
Fri Aug  4 01:54:21 2006 UDPv4 link remote: 192.168.1.100:1194
Fri Aug  4 01:54:32 2006 Peer Connection Initiated with 192.168.1.100:1194
Fri Aug  4 01:54:33 2006 Initialization Sequence Completed
```

I am testing this from another machine on the local network, and I initially thought that could be the problem, but I also tried to put the server in the DMZ zone of my router, and connect to it over the internet, but that also hangs at the same place.

Can someone give me a few tips?

Last edited by mikegpitt on Fri Aug 04, 2006 9:06 pm; edited 1 time in total

----------

## jpl888

You shouldn't be trying to connect to a VPN server that is on the same subnet as your client. For routing to work successfully your client has to be on a different network.

For example I have a setup like this:

Client network 192.168.1.0

VPN network 10.8.0.0

Server side network 192.168.2.0

Other than that your setup looks OK, and the fact it says "Initialization Sequence Completed" means your client startup has worked (except for your routing issues of course!)

If you are confused by what I am saying I would suggest you look at www.openvpn.net and the main HOWTO on there. It is a bit more comprehensive than the ones on the Gentoo Wiki and will give you more background into the whys and wherefores.

toodallooo
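A quick check for the two problems this reply and the first post point at, as an added example that is not part of either post: a small POSIX shell linter for an OpenVPN config. It flags a `//` used as a comment (OpenVPN only treats lines starting with `#` or `;` as comments, so the `//` after the `route` line is parsed as a gateway argument, which is what the `Cannot resolve host address: //` line in the log above is complaining about) and it flags `ifconfig` endpoints that share a /24 with the `remote` address or with the LAN the tunnel is meant to reach, which is the overlap this reply describes. The config path and the LAN network are the caller's arguments; the sample configs used to try it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint a static-key OpenVPN config for
# the two mistakes discussed above. Assumes only POSIX sh and awk.

# OpenVPN treats a line as a comment only when it starts with '#' or ';'.
# A trailing "// ..." on a directive line is parsed as extra arguments, so
# "route 192.168.1.0 255.255.255.0 // ..." asks for a gateway called "//".
# Prints the line number of every non-comment line containing "//".
bad_comments() {
    awk '/^[ \t]*[#;]/ { next } /\/\// { print NR }' "$1"
}

# First three octets of a dotted-quad address, i.e. its /24.
slash24() {
    printf '%s\n' "$1" | awk -F. '{ print $1 "." $2 "." $3 }'
}

# Report ifconfig endpoints that sit in the same /24 as the --remote address
# or as the LAN the tunnel should reach (the tunnel needs its own subnet, or
# the route for the LAN and the tunnel's own addresses collide).
#   $1 = config file, $2 = LAN network address (e.g. 192.168.1.0)
overlapping_ifconfig() {
    conf=$1 lan=$2
    remote=$(awk '$1 == "remote" { print $2; exit }' "$conf")
    awk '$1 == "ifconfig" { print $2; print $3 }' "$conf" | while read -r ep; do
        for other in $remote $lan; do
            if [ "$(slash24 "$ep")" = "$(slash24 "$other")" ]; then
                printf '%s shares a /24 with %s\n' "$ep" "$other"
            fi
        done
    done
}

# Exit status 0 when the file passes both checks, 1 otherwise; findings on stdout.
check_openvpn_conf() {
    rc=0
    for n in $(bad_comments "$1"); do
        printf '%s:%s: "//" is not a comment in OpenVPN; use "#" or ";"\n' "$1" "$n"
        rc=1
    done
    overlap=$(overlapping_ifconfig "$1" "$2")
    if [ -n "$overlap" ]; then
        printf '%s\n' "$overlap"
        rc=1
    fi
    return $rc
}

# Usage: check_openvpn_conf /etc/openvpn/local.conf 192.168.1.0
```

Run against the client config from the first post with `192.168.1.0` as the LAN, it reports both the `//` lines and the overlapping `ifconfig` endpoints; a config that moves the tunnel endpoints to their own subnet (for example 10.8.0.1 and 10.8.0.2) and uses `#` comments passes.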

----------

## mikegpitt

OK, that makes sense... which is what I was also thinking may have been true. I was testing this late last night at home. This afternoon I'll take my laptop to another location and see how it works.

EDIT: Also another quick question. My goal with OpenVPN is to allow a few people I trust access to the machine over the net. I'm assuming that once it is working, I can then put the machine on the net and have iptables filter out any traffic on port 22 that isn't coming from inside my network (i.e. a 192.168.1.x IP address), and they should be able to connect. Is this correct?

----------

## jpl888

The only "port" you would need to have open to the internet is UDP 1194, so that the clients can get in on the VPN. Once a VPN client connects it will be as though they are on your network.

If you are talking about restricting your VPN clients' access to port 22 on your server once in on the VPN, then you would have to write a rule to block that port, as during the setup of your VPN you will have allowed all access to and from the tun0 interface.
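The firewall this reply describes, as an added example that is not from the thread: a shell function that prints an iptables-restore ruleset in which the only port reachable from the internet is UDP 1194, everything else (SSH included) is accepted only from the LAN or from the tun0 side, and forwarding between the tunnel and the LAN is allowed. The interface names, the 10.8.0.0/24 tunnel subnet and the 192.168.1.0/24 LAN are assumed defaults, not values from the posts, and the ruleset assumes the server sits behind a port-forwarding router (so internet and LAN traffic both arrive on the same NIC) and that the router has a static route back to the tunnel subnet via the server instead of the server doing NAT. The function only prints; loading the rules is a separate, root-only step.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for an
# OpenVPN server on a LAN behind a router that forwards UDP 1194 to it.
# Assumed defaults: LAN NIC eth0, LAN 192.168.1.0/24, tunnel tun0 on 10.8.0.0/24.
# Arguments override them in that order. The function prints; it loads nothing.
openvpn_firewall_rules() {
    lan_if=${1:-eth0} lan_net=${2:-192.168.1.0/24}
    vpn_if=${3:-tun0} vpn_net=${4:-10.8.0.0/24}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service the internet can reach is OpenVPN itself (the router
# forwards UDP 1194 to this host, so it arrives on the LAN NIC).
-A INPUT -i $lan_if -p udp --dport 1194 -j ACCEPT
# SSH and everything else: only from the LAN or from connected VPN clients.
# No rule opens tcp/22 to arbitrary sources.
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
-A INPUT -i $vpn_if -s $vpn_net -j ACCEPT
# VPN clients may reach the LAN behind the server; replies flow back.
# Needs net.ipv4.ip_forward=1 and a route for $vpn_net via this host on the router.
-A FORWARD -i $vpn_if -o $lan_if -s $vpn_net -d $lan_net -j ACCEPT
-A FORWARD -i $lan_if -o $vpn_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root, after reading the output):
#   sysctl -w net.ipv4.ip_forward=1
#   openvpn_firewall_rules | iptables-restore
```

The INPUT policy is DROP, so a VPN client that connected is reachable only because of the explicit `-i tun0 -s 10.8.0.0/24` rule, and the LAN rule trusts the 192.168.1.0/24 source range on eth0, which is reasonable behind a NAT router that never forwards packets with private source addresses from the WAN.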

----------

## mikegpitt

 *jpl888 wrote:*   

> The only "port" you would need to have open to the internet is UDP 1194, so that the clients can get in on the VPN. Once a VPN client connects it will be as though they are on your network.
> 
> If you are talking about restricting your VPN clients' access to port 22 on your server once in on the VPN, then you would have to write a rule to block that port, as during the setup of your VPN you will have allowed all access to and from the tun0 interface.

OK, it looks like I understood it correctly. I actually want it unrestricted for those on the VPN (I just used port 22 as an example) and restricted to the world.

----------

## mikegpitt

I tested it remotely and it still doesn't work.

The output I get is exactly the same as in my first post, and then it hangs at "Initialization Sequence Completed".

----------

## thoughtform

Hey mikeg, don't give up. I spent 6 hours following the Road Warrior guide, got it to connect, then realized I didn't want to use the Ethernet bridge mode. lol. That guide isn't the best; I've spent a lot of time on OpenVPN's web site reading their guides and gotten further with more explanation. Of course, I was up till 4:30 am. I got mine working except for routing beyond the server. I just now added a static route to my Linksys router; I'll let you know how it goes, and hopefully I can help you once mine is working.

BTW, my server is Gentoo and my client is my uncle's machine, which is XP and offsite. I can post configs, etc.

Persistence is all,

------------------------

2 more hours of work and my client can ping anything on my LAN. I made a mistake in the static route in my router. lol

Fatigue is a monster to work with.

Let me know if you want help with yours.

----------

## thoughtform

OK, here's how I got mine working with a Gentoo OpenVPN server and a Windows OpenVPN client.

Linksys router with static route 10.74.0.0/255.255.255.0 dg 192.168.1.111

gentoo - neo 192.168.1.111, behind a Linksys NAT router with a static WAN IP

windows - donnie, direct cable connection to the internet, DHCP assigned by provider

Here's neo's (server) config file:

/etc/openvpn/lowmips

```
neo lowmips # cat local.conf
dev tun
port 1194
server 10.74.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/lowmips/ip_pool
mode server
status /tmp/vpn-lowmips.status
#tls-auth /etc/openvpn/lowmips/secret.key 0
keepalive 10 30
client-to-client
max-clients 100
verb 3
tls-server
dh /etc/openvpn/lowmips/dh1024.pem
ca /etc/openvpn/lowmips/openvpn-ca.crt
cert /etc/openvpn/lowmips/lowmips.crt
key /etc/openvpn/lowmips/lowmips.key
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway"
```

neo ifconfig:

```
neo lowmips # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:45:12:7B
          inet addr:192.168.1.111  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18123 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10062 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2322083 (2.2 Mb)  TX bytes:1484201 (1.4 Mb)
          Interrupt:9 Base address:0x1080

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1320 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:793579 (774.9 Kb)  TX bytes:793579 (774.9 Kb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.74.0.1  P-t-P:10.74.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4237 (4.1 Kb)  TX bytes:6095 (5.9 Kb)
```

Client donnie's config:

```
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote neo.lowmips.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca lowmips.crt
cert donnie.crt
key donnie.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20
```

With this config I can ping from donnie's machine to anything on my LAN and vice versa.

I used the OpenVPN Windows GUI and password-protected it.

http://openvpn.se/

I hope this helps; feel free to ask me questions.

----------

## mikegpitt

Thanks for the info... I think I actually cracked the problem yesterday. Two things:

1) I needed to create a new subnet for the tun0 device (I originally put the VPN on the same subnet as my LAN).

2) I thought OpenVPN was not finishing its initialization since it just hangs there, but apparently it is supposed to do that... kind of weird if you ask me.

I need to test my setup remotely (maybe tomorrow) and I'll post back my results.

----------

