# OpenVPN no ping (Routing problems?)

## Bender007

Hi,

I can connect to my VPN server through the internet with no problems, but I can't get access to the server (ping, ftp ... don't work!)

iptables is emerged but no rules are set. And BTW the IPs are not up to date  :Very Happy: 

openvpn.conf

```
port 21113
proto tcp
dev tap
ca /etc/openvpn/privnet/ca.crt
cert /etc/openvpn/privnet/server.crt
key /etc/openvpn/privnet/server.key
dh /etc/openvpn/privnet/dh1024.pem
tls-server
tls-auth /etc/openvpn/privnet/ta.key 0
server 192.168.0.0 255.255.255.0
#push "dhcp-option DNS 192.168.0.1"
#push "route-gateway 192.168.0.1"
#ifconfig-pool 192.168.0.20 192.168.0.30 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 4
#client-to-client
```

client.conf (Windows XP)

```
client
dev tap
proto tcp
remote mydns.net
port 21113
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bender.crt
key bender.key
tls-client
tls-auth ta.key 1
comp-lzo
verb 2
ifconfig-nowarn
```

Server message:

```

Sep 24 19:06:30 zion openvpn[4317]: Current Parameter Settings:

Sep 24 19:06:30 zion openvpn[4317]:   config = '/etc/openvpn/openvpn.conf'

Sep 24 19:06:30 zion openvpn[4317]:   mode = 1

Sep 24 19:06:30 zion openvpn[4317]:   persist_config = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   persist_mode = 1

Sep 24 19:06:30 zion openvpn[4317]:   show_ciphers = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   show_digests = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   show_engines = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   genkey = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   key_pass_file = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   show_tls_ciphers = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   proto = 1

Sep 24 19:06:30 zion openvpn[4317]:   local = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   remote_list = NULL

Sep 24 19:06:30 zion openvpn[4317]:   remote_random = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   local_port = 21113

Sep 24 19:06:30 zion openvpn[4317]:   remote_port = 21113

Sep 24 19:06:30 zion openvpn[4317]:   remote_float = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   ipchange = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   bind_local = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   dev = 'tap'

Sep 24 19:06:30 zion openvpn[4317]:   dev_type = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   dev_node = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   tun_ipv6 = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_local = '192.168.0.1'

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_remote_netmask = '255.255.255.0'

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_noexec = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_nowarn = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   shaper = 0

Sep 24 19:06:30 zion openvpn[4317]:   tun_mtu = 1500

Sep 24 19:06:30 zion openvpn[4317]:   tun_mtu_defined = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   link_mtu = 1500

Sep 24 19:06:30 zion openvpn[4317]:   link_mtu_defined = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   tun_mtu_extra = 32

Sep 24 19:06:30 zion openvpn[4317]:   tun_mtu_extra_defined = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   fragment = 0

Sep 24 19:06:30 zion openvpn[4317]:   mtu_discover_type = -1

Sep 24 19:06:30 zion openvpn[4317]:   mtu_test = 0

Sep 24 19:06:30 zion openvpn[4317]:   mlock = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   keepalive_ping = 10

Sep 24 19:06:30 zion openvpn[4317]:   keepalive_timeout = 120

Sep 24 19:06:30 zion openvpn[4317]:   inactivity_timeout = 0

Sep 24 19:06:30 zion openvpn[4317]:   ping_send_timeout = 10

Sep 24 19:06:30 zion openvpn[4317]:   ping_rec_timeout = 240

Sep 24 19:06:30 zion openvpn[4317]:   ping_rec_timeout_action = 2

Sep 24 19:06:30 zion openvpn[4317]:   ping_timer_remote = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   remap_sigusr1 = 0

Sep 24 19:06:30 zion openvpn[4317]:   explicit_exit_notification = 0

Sep 24 19:06:30 zion openvpn[4317]:   persist_tun = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   persist_local_ip = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   persist_remote_ip = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   persist_key = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   mssfix = 1450

Sep 24 19:06:30 zion openvpn[4317]:   passtos = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   resolve_retry_seconds = 1000000000

Sep 24 19:06:30 zion openvpn[4317]:   connect_retry_seconds = 5

Sep 24 19:06:30 zion openvpn[4317]:   username = 'nobody'

Sep 24 19:06:30 zion openvpn[4317]:   groupname = 'nobody'

Sep 24 19:06:30 zion openvpn[4317]:   chroot_dir = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   cd_dir = '/etc/openvpn'

Sep 24 19:06:30 zion openvpn[4317]:   writepid = '/var/run/openvpn.pid'

Sep 24 19:06:30 zion openvpn[4317]:   up_script = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   down_script = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   down_pre = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   up_restart = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   up_delay = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   daemon = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   inetd = 0

Sep 24 19:06:30 zion openvpn[4317]:   log = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   suppress_timestamps = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   nice = 0

Sep 24 19:06:30 zion openvpn[4317]:   verbosity = 4

Sep 24 19:06:30 zion openvpn[4317]:   mute = 0

Sep 24 19:06:30 zion openvpn[4317]:   gremlin = 0

Sep 24 19:06:30 zion openvpn[4317]:   status_file = '/var/log/openvpn-status.log'

Sep 24 19:06:30 zion openvpn[4317]:   status_file_version = 1

Sep 24 19:06:30 zion openvpn[4317]:   status_file_update_freq = 60

Sep 24 19:06:30 zion openvpn[4317]:   occ = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   rcvbuf = 65536

Sep 24 19:06:30 zion openvpn[4317]:   sndbuf = 65536

Sep 24 19:06:30 zion openvpn[4317]:   socks_proxy_server = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   socks_proxy_port = 0

Sep 24 19:06:30 zion openvpn[4317]:   socks_proxy_retry = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   fast_io = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   comp_lzo = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   comp_lzo_adaptive = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   route_script = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   route_default_gateway = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   route_noexec = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   route_delay = 0

Sep 24 19:06:30 zion openvpn[4317]:   route_delay_window = 30

Sep 24 19:06:30 zion openvpn[4317]:   route_delay_defined = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   management_addr = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   management_port = 0

Sep 24 19:06:30 zion openvpn[4317]:   management_user_pass = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   management_log_history_cache = 250

Sep 24 19:06:30 zion openvpn[4317]:   management_echo_buffer_size = 100

Sep 24 19:06:30 zion openvpn[4317]:   management_query_passwords = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   management_hold = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   shared_secret_file = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   key_direction = 1

Sep 24 19:06:30 zion openvpn[4317]:   ciphername_defined = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   ciphername = 'BF-CBC'

Sep 24 19:06:30 zion openvpn[4317]:   authname_defined = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   authname = 'SHA1'

Sep 24 19:06:30 zion openvpn[4317]:   keysize = 0

Sep 24 19:06:30 zion openvpn[4317]:   engine = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   replay = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   mute_replay_warnings = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   replay_window = 0

Sep 24 19:06:30 zion openvpn[4317]:   replay_time = 0

Sep 24 19:06:30 zion openvpn[4317]:   packet_id_file = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   use_iv = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   test_crypto = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   tls_server = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   tls_client = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   key_method = 2

Sep 24 19:06:30 zion openvpn[4317]:   ca_file = '/etc/openvpn/privnet/ca.crt'

Sep 24 19:06:30 zion openvpn[4317]:   dh_file = '/etc/openvpn/privnet/dh1024.pem'

Sep 24 19:06:30 zion openvpn[4317]:   cert_file = '/etc/openvpn/privnet/server.crt'

Sep 24 19:06:30 zion openvpn[4317]:   priv_key_file = '/etc/openvpn/privnet/server.key'

Sep 24 19:06:30 zion openvpn[4317]:   pkcs12_file = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   cipher_list = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   tls_verify = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   tls_remote = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   crl_file = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   ns_cert_type = 0

Sep 24 19:06:30 zion openvpn[4317]:   tls_timeout = 2

Sep 24 19:06:30 zion openvpn[4317]:   renegotiate_bytes = 0

Sep 24 19:06:30 zion openvpn[4317]:   renegotiate_packets = 0

Sep 24 19:06:30 zion openvpn[4317]:   renegotiate_seconds = 3600

Sep 24 19:06:30 zion openvpn[4317]:   handshake_window = 60

Sep 24 19:06:30 zion openvpn[4317]:   transition_window = 3600

Sep 24 19:06:30 zion openvpn[4317]:   single_session = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   tls_exit = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   tls_auth_file = '/etc/openvpn/privnet/ta.key'

Sep 24 19:06:30 zion openvpn[4317]:   server_network = 192.168.0.0

Sep 24 19:06:30 zion openvpn[4317]:   server_netmask = 255.255.255.0

Sep 24 19:06:30 zion openvpn[4317]:   server_bridge_ip = 0.0.0.0

Sep 24 19:06:30 zion openvpn[4317]:   server_bridge_netmask = 0.0.0.0

Sep 24 19:06:30 zion openvpn[4317]:   server_bridge_pool_start = 0.0.0.0

Sep 24 19:06:30 zion openvpn[4317]:   server_bridge_pool_end = 0.0.0.0

Sep 24 19:06:30 zion openvpn[4317]:   push_list = 'route-gateway 192.168.0.1,ping 10,ping-restart 120'

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_pool_defined = ENABLED

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_pool_start = 192.168.0.2

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_pool_end = 192.168.0.254

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_pool_netmask = 255.255.255.0

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_pool_persist_filename = 'ipp.txt'

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_pool_persist_refresh_freq = 600

Sep 24 19:06:30 zion openvpn[4317]:   ifconfig_pool_linear = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   n_bcast_buf = 256

Sep 24 19:06:30 zion openvpn[4317]:   tcp_queue_limit = 64

Sep 24 19:06:30 zion openvpn[4317]:   real_hash_size = 256

Sep 24 19:06:30 zion openvpn[4317]:   virtual_hash_size = 256

Sep 24 19:06:30 zion openvpn[4317]:   client_connect_script = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   learn_address_script = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   client_disconnect_script = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   client_config_dir = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   ccd_exclusive = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   tmp_dir = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   push_ifconfig_defined = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   push_ifconfig_local = 0.0.0.0

Sep 24 19:06:30 zion openvpn[4317]:   push_ifconfig_remote_netmask = 0.0.0.0

Sep 24 19:06:30 zion openvpn[4317]:   enable_c2c = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   duplicate_cn = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   cf_max = 0

Sep 24 19:06:30 zion openvpn[4317]:   cf_per = 0

Sep 24 19:06:30 zion openvpn[4317]:   max_clients = 1024

Sep 24 19:06:30 zion openvpn[4317]:   max_routes_per_client = 256

Sep 24 19:06:30 zion openvpn[4317]:   client_cert_not_required = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   username_as_common_name = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   auth_user_pass_verify_script = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]:   auth_user_pass_verify_script_via_file = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   client = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   pull = DISABLED

Sep 24 19:06:30 zion openvpn[4317]:   auth_user_pass_file = '[UNDEF]'

Sep 24 19:06:30 zion openvpn[4317]: OpenVPN 2.0.6 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 24 2007

Sep 24 19:06:30 zion openvpn[4317]: Diffie-Hellman initialized with 1024 bit key

Sep 24 19:06:30 zion openvpn[4317]: Control Channel Authentication: using '/etc/openvpn/privnet/ta.key' as a OpenVPN static key file

Sep 24 19:06:30 zion openvpn[4317]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Sep 24 19:06:30 zion openvpn[4317]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Sep 24 19:06:30 zion openvpn[4317]: TLS-Auth MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]

Sep 24 19:06:30 zion udevd-event[4318]: rename_netif: error changing netif name tap0 to netlink/tap0: Invalid argument

Sep 24 19:06:30 zion openvpn[4317]: TUN/TAP device tap0 opened

Sep 24 19:06:30 zion openvpn[4317]: TUN/TAP TX queue length set to 100

Sep 24 19:06:30 zion openvpn[4317]: /sbin/ifconfig tap0 192.168.0.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.0.255

Sep 24 19:06:30 zion openvpn[4317]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]

Sep 24 19:06:30 zion openvpn[4322]: GID set to nobody

Sep 24 19:06:30 zion openvpn[4322]: UID set to nobody

Sep 24 19:06:30 zion openvpn[4322]: Listening for incoming TCP connection on [undef]:21113

Sep 24 19:06:30 zion openvpn[4322]: Socket Buffers: R=[87380->131072] S=[16384->131072]

Sep 24 19:06:30 zion openvpn[4322]: TCPv4_SERVER link local (bound): [undef]:21113

Sep 24 19:06:30 zion openvpn[4322]: TCPv4_SERVER link remote: [undef]

Sep 24 19:06:30 zion openvpn[4322]: MULTI: multi_init called, r=256 v=256

Sep 24 19:06:30 zion openvpn[4322]: IFCONFIG POOL: base=192.168.0.2 size=253

Sep 24 19:06:30 zion openvpn[4322]: IFCONFIG POOL LIST

Sep 24 19:06:30 zion openvpn[4322]: bender,192.168.0.2

Sep 24 19:06:30 zion openvpn[4322]: comet,192.168.0.3

Sep 24 19:06:30 zion openvpn[4322]: MULTI: TCP INIT maxclients=1024 maxevents=1028

Sep 24 19:06:30 zion openvpn[4322]: Initialization Sequence Completed

Sep 24 19:06:38 zion openvpn[4322]: MULTI: multi_create_instance called

Sep 24 19:06:38 zion openvpn[4322]: Re-using SSL/TLS context

Sep 24 19:06:38 zion openvpn[4322]: LZO compression initialized

Sep 24 19:06:38 zion openvpn[4322]: Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]

Sep 24 19:06:38 zion openvpn[4322]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]

Sep 24 19:06:38 zion openvpn[4322]: Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'

Sep 24 19:06:38 zion openvpn[4322]: Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'

Sep 24 19:06:38 zion openvpn[4322]: Local Options hash (VER=V4): '3c14feac'

Sep 24 19:06:38 zion openvpn[4322]: Expected Remote Options hash (VER=V4): 'e39a3273'

Sep 24 19:06:38 zion openvpn[4322]: TCP connection established with 84.132.202.12:4274

Sep 24 19:06:38 zion openvpn[4322]: Socket Buffers: R=[131072->131072] S=[131072->131072]

Sep 24 19:06:38 zion openvpn[4322]: TCPv4_SERVER link local: [undef]

Sep 24 19:06:38 zion openvpn[4322]: TCPv4_SERVER link remote: 84.132.202.12:4274

Sep 24 19:06:38 zion openvpn[4322]: 84.132.202.12:4274 TLS: Initial packet from 84.132.202.12:4274, sid=f7420747 fbef2d57

Sep 24 19:06:40 zion openvpn[4322]: 84.132.202.12:4274 VERIFY OK: depth=1, /C=DE/ST=NIE/L=Goe/O=ITS/CN=ITS/emailAddress=root@test.info

Sep 24 19:06:40 zion openvpn[4322]: 84.132.202.12:4274 VERIFY OK: depth=0, /C=DE/ST=NIE/L=Goe/O=ITS/CN=comet/emailAddress=root@test.info

Sep 24 19:06:41 zion openvpn[4322]: 84.132.202.12:4274 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

Sep 24 19:06:41 zion openvpn[4322]: 84.132.202.12:4274 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Sep 24 19:06:41 zion openvpn[4322]: 84.132.202.12:4274 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

Sep 24 19:06:41 zion openvpn[4322]: 84.132.202.12:4274 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Sep 24 19:06:41 zion openvpn[4322]: 84.132.202.12:4274 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Sep 24 19:06:41 zion openvpn[4322]: 84.132.202.12:4274 [comet] Peer Connection Initiated with 84.132.202.78:4274

Sep 24 19:06:41 zion tap0: no IPv6 routers present

Sep 24 19:06:42 zion openvpn[4322]: comet/84.132.202.12:4274 PUSH: Received control message: 'PUSH_REQUEST'

Sep 24 19:06:42 zion openvpn[4322]: comet/84.132.202.12:4274 SENT CONTROL [comet]: 'PUSH_REPLY,route-gateway 192.168.0.1,ping 10,ping-restart 120,ifconfig 192.168.0.3 255.255.255.0' (status=1)

Sep 24 19:06:47 zion openvpn[4322]: comet/84.132.202.12:4274 MULTI: Learn: 00:ff:c8:e7:4f:23 -> comet/84.132.202.78:4274

Sep 24 19:08:25 zion ntpd[4982]: Listening on interface #25 tap0, fe80::2ff:55ff:fe93:81ad#123 Enabled

Sep 24 19:08:25 zion ntpd[4982]: Deleting interface #24 tap0, fe80::2ff:c1ff:fed6:a753#123, interface stats: received=0, sent=0, dropped=0, active_time=300 secs

Sep 24 19:10:01 zion cron[4345]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Sep 24 19:12:00 zion openvpn[4322]: comet/84.132.202.12:4274 Connection reset, restarting [-1]

Sep 24 19:12:00 zion openvpn[4322]: comet/84.132.202.12:4274 SIGUSR1[soft,connection-reset] received, client-instance restarting

Sep 24 19:12:00 zion openvpn[4322]: TCP/UDP: Closing socket

```

client error log:

```

Mon Sep 24 19:07:10 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006

Mon Sep 24 19:07:10 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Mon Sep 24 19:07:10 2007 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

Mon Sep 24 19:07:10 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep 24 19:07:10 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep 24 19:07:10 2007 LZO compression initialized

Mon Sep 24 19:07:10 2007 Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]

Mon Sep 24 19:07:10 2007 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]

Mon Sep 24 19:07:10 2007 Local Options hash (VER=V4): 'e39a3273'

Mon Sep 24 19:07:10 2007 Expected Remote Options hash (VER=V4): '3c14feac'

Mon Sep 24 19:07:10 2007 Attempting to establish TCP connection with 80.128.65.112:21113

Mon Sep 24 19:07:10 2007 TCP connection established with 80.128.65.112:21113

Mon Sep 24 19:07:10 2007 TCPv4_CLIENT link local: [undef]

Mon Sep 24 19:07:10 2007 TCPv4_CLIENT link remote: 80.128.65.112:21113

Mon Sep 24 19:07:11 2007 VERIFY OK: depth=1, /C=DE/ST=NIE/L=Goe/O=ITS/CN=ITS/emailAddress=root@test.info

Mon Sep 24 19:07:11 2007 VERIFY OK: depth=0, /C=DE/ST=NIE/L=Goe/O=ITS/CN=server/emailAddress=root@test.info

Mon Sep 24 19:07:13 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

Mon Sep 24 19:07:13 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep 24 19:07:13 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

Mon Sep 24 19:07:13 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep 24 19:07:13 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Mon Sep 24 19:07:13 2007 [server] Peer Connection Initiated with 80.128.65.112:21113

Mon Sep 24 19:07:14 2007 TAP-WIN32 device [LAN-Verbindung 3] opened: \\.\Global\{C8E74F23-C40F-46B4-8B5C-081664978155}.tap

Mon Sep 24 19:07:14 2007 TAP-Win32 MTU=1500

Mon Sep 24 19:07:14 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.3/255.255.255.0 on interface {C8E74F23-C40F-46B4-8B5C-081664978155} [DHCP-serv: 192.168.0.0, lease-time: 31536000]

Mon Sep 24 19:07:14 2007 Successful ARP Flush on interface [131076] {C8E74F23-C40F-46B4-8B5C-081664978155}

Mon Sep 24 19:07:14 2007 WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Win32 TCP/IP properties are set to 'Obtain an IP address automatically'

Mon Sep 24 19:07:44 2007 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

```

route show:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 tap0
loopback        *               255.0.0.0       U     0      0        0 lo
default         .               0.0.0.0         UG    0      0        0 eth0
```

SERVER IPS:

Eth0 : 192.168.0.103 (internet card-> router=(192.168.0.8 ))

Tap0 : 192.168.0.1

The problem is that the virtual TAP device on the XP client gets no IP address. But if I set a static IP, same problem: no ping (see log).

Is a DHCP server needed on the Linux server to push an IP address through the VPN to the clients? (If yes, which one do you prefer?)

And how can I define the pool range? Using <ifconfig-pool 192.168.0.20 192.168.0.30 255.255.255.0> gives me an error message that another pool is set.

BUT the main problem is that I can't even ping my server from the client.

I hope someone can help me, I am going crazy with this stupid problem...  :Sad:

Last edited by Bender007 on Tue Sep 25, 2007 1:33 am; edited 1 time in total

----------

## Ankan

The configuration of openvpn left me with less hair than I began with.

I haven't tried to use tap, but I might be able to answer some of your questions.

First off you can't combine the 'server' directive with 'ifconfig-pool', since 'server 10.8.0.0 255.255.255.0' will expand to the following:

```
mode server
tls-server

if dev tun:
    ifconfig 10.8.0.1 10.8.0.2
    ifconfig-pool 10.8.0.4 10.8.0.251
    route 10.8.0.0 255.255.255.0
    if client-to-client:
        push "route 10.8.0.0 255.255.255.0"
    else
        push "route 10.8.0.1"

if dev tap:
    ifconfig 10.8.0.1 255.255.255.0
    ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
    push "route-gateway 10.8.0.1"
```

So you have actually already set ifconfig-pool.

The reason your setup is not working is that your routes are set to send all traffic to 192.168.0.0/255.255.255.0 via eth0 (your first route). The next route is set to send those very same packets via tap0. But this will never happen since the first route has already sent them off and this route will be ignored.

You will either have to use a different set of ip-addresses for the vpn-tunnel or use ethernet bridging. I would propose that you try changing the addresses.

Try:

```
server 10.8.0.0 255.255.255.0
```

This range MUST be unused both on the client and the server side. Therefore I suggest you use some obscure private range which is unlikely to be used where a client will be located.

For reference, these are private ranges:

```
        10.0.0.0 - 10.255.255.255
        172.16.0.0 - 172.31.255.255
        192.168.0.0 - 192.168.255.255
```

I don't really know what is required to make it work over a tap device. But just about that should make it work over a tun device. So if it doesn't work, you could try changing 'dev tap' to 'dev tun'.

You will not need any DHCP-server, openvpn will push IP-addresses to the client from ifconfig-pool.

Lastly I really urge you to use UDP instead of TCP. Openvpn is built to use UDP but offers the TCP-mode for cases where UDP will not work. There actually are very rare cases where TCP is preferable but if you don't know what you should use: stick with UDP, which is the default. (More information in the openvpn manual.)

Good luck. I hope this will be useful.
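
Added example (not part of the original posts and not OpenVPN's own code): the overlap check described in the answer above, run against the server routing table from the first post, together with the `server` expansion it quotes. The function names are hypothetical, and the pool arithmetic is generalised from the /24 shown in the thread, which is an assumption for other prefix lengths.

```python
import ipaddress

# Constructed sample: the server's `route` output as posted at the top of the thread.
SERVER_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 tap0
loopback        *               255.0.0.0       U     0      0        0 lo
default         .               0.0.0.0         UG    0      0        0 eth0
"""

# Names that `route` prints in place of addresses in the output above.
NAMED = {"default": "0.0.0.0", "loopback": "127.0.0.0"}


def parse_routes(text):
    """Return [(ip_network, iface)] for every data row of `route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line, header line, or anything malformed
        dest = NAMED.get(fields[0], fields[0])
        try:
            net = ipaddress.ip_network(f"{dest}/{fields[2]}", strict=False)
        except ValueError:
            continue  # unresolved host name or bad mask: skip the row
        routes.append((net, fields[7]))
    return routes


def expand_server(network, netmask, dev, client_to_client=False):
    """Directives that `server <network> <netmask>` stands for, following
    the expansion quoted in the thread."""
    net = ipaddress.ip_network(f"{network}/{netmask}")
    base, last = net.network_address, net.broadcast_address
    out = ["mode server", "tls-server"]
    if dev.startswith("tun"):
        out += [f"ifconfig {base + 1} {base + 2}",
                f"ifconfig-pool {base + 4} {last - 4}",
                f"route {network} {netmask}"]
        if client_to_client:
            out.append(f'push "route {network} {netmask}"')
        else:
            out.append(f'push "route {base + 1}"')
    elif dev.startswith("tap"):
        out += [f"ifconfig {base + 1} {netmask}",
                f"ifconfig-pool {base + 2} {last - 1} {netmask}",
                f'push "route-gateway {base + 1}"']
    else:
        raise ValueError(f"unsupported dev: {dev}")
    return out


def overlapping_routes(vpn_subnet, routes):
    """Routes on non-VPN interfaces that cover part of the proposed VPN
    subnet. The default route is skipped because it overlaps everything."""
    vpn = ipaddress.ip_network(vpn_subnet)
    return [(str(net), iface) for net, iface in routes
            if net.prefixlen > 0
            and not iface.startswith(("tap", "tun"))
            and net.overlaps(vpn)]


if __name__ == "__main__":
    routes = parse_routes(SERVER_ROUTES)
    for candidate in ("192.168.0.0/24", "10.8.0.0/24"):
        clash = overlapping_routes(candidate, routes)
        print(candidate, "conflicts with" if clash else "is free", clash or "")
    print("\n".join(expand_server("10.8.0.0", "255.255.255.0", "tap")))
```

The same check has to pass against the client's routing table as well, since the range must be unused on both sides.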

----------

## Bender007

Hi

Big thanks for your answer, but same problem: I can't ping any IP...

I've tried another config and I also get a connection. But the ping doesn't work.

The good thing is the client gets an IP address.

My new setup:

network.local

eth0: 192.168.0.1

tap0: 192.168.1.1

remote client:(XP)

LAN1: 192.168.0.2 GW: 192.168.0.8 (cable router)

tap w32: dhcp

After connect:

TAP device remote client ip 192.168.1.2

With the new configuration the VPN tunnel connects fast. And the IP is set, the routes also.

client.log (before connect):

```
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0      192.168.0.8     192.168.0.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2       20
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2       20
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2       20
  255.255.255.255  255.255.255.255      192.168.0.2           10004       1
  255.255.255.255  255.255.255.255      192.168.0.2           20005       1
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
Standardgateway:       192.168.0.8
```

client.log (after connecting)

```
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0      192.168.0.8     192.168.0.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2       20
      192.168.0.0    255.255.255.0      192.168.1.1     192.168.1.2       1
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2       20
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       30
      192.168.1.0    255.255.255.0      192.168.1.1     192.168.1.2       1
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       30
        224.0.0.0        240.0.0.0      192.168.0.2     192.168.0.2       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       30
  255.255.255.255  255.255.255.255      192.168.0.2           10004       1
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Standardgateway:       192.168.0.8
```

ipconfig /all (after connecting)

```
Ethernetadapter LAN-Verbindung 5:
        Verbindungsspezifisches DNS-Suffix:
        Beschreibung. . . . . . . . . . . : TAP-Win32 Adapter V8
        Physikalische Adresse . . . . . . : 00-FF-28-E2-BB-F4
        DHCP aktiviert. . . . . . . . . . : Ja
        Autokonfiguration aktiviert . . . : Ja
        IP-Adresse. . . . . . . . . . . . : 192.168.1.2
        Subnetzmaske. . . . . . . . . . . : 255.255.255.0
        Standardgateway . . . . . . . . . :
        DHCP-Server . . . . . . . . . . . : 192.168.1.0
        DNS-Server. . . . . . . . . . . . : 192.168.0.1
```

Server Routing table:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 tap0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
```

Server openvpn.conf

```
port 21113
dev tap0
tls-server
ca /etc/openvpn/privnet/ca.crt
cert /etc/openvpn/privnet/server.crt
key /etc/openvpn/privnet/server.key
dh /etc/openvpn/privnet/dh1024.pem
tls-auth /etc/openvpn/privnet/ta.key 0
mode server
duplicate-cn
ifconfig 192.168.1.1 255.255.255.0 #vpnserver
ifconfig-pool 192.168.1.2 192.168.1.10 255.255.255.0 #clientiprange
#ifconfig-pool-persist ipp.txt
#server 192.168.1.0 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route-gateway 192.168.1.1"
#mtu-test
#tun-mtu 1500
#tun-mtu-extra 32
mssfix 1450
#ping 10
#ping-restart 120
#push "ping 10"
#push "ping-restart 60"
push "route 192.168.0.0 255.255.255.0 192.168.1.1"
push "route 192.168.1.0 255.255.255.0 192.168.1.1"
comp-lzo
verb 4
status /var/log/openvpn-status.log
client-to-client
```

I think the problem is the routing but I am not a routing pro. Do I have to change the routes on the server?

I can't ping 192.168.1.1 and 192.168.0.1.

----------

## Ankan

I didn't have to add any routes except the default ones added by openvpn (using tun).

It is stated that the following is needed to run several openvpn instances. Might be needed for just one? Most likely this is already set since you get connected to the vpn.

*Quote:*

> If you are using Windows, each OpenVPN configuration needs to have its own TAP-Win32 adapter. You can add additional adapters by going to Start Menu -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.

Then there is the issue of firewalls. A vpn-interface will act in the same way as a physical one. So make sure there isn't any firewall blocking the connection. For further instructions read: http://openvpn.net/faq.html#firewall.

Have you tried using a tun device?

There doesn't seem to be much difference when using a routed vpn:

*Quote:*

> When you are bridging, you must always use --dev tap on both ends of the connection. If you are routing you can use either --dev tap or --dev tun, but you must use the same on both ends of the connection. --dev tun tends to be slightly more efficient for the routing case.


For a comparison with bridging, which is more advanced since you need to use other tools to set up the bridging, refer to this:

http://openvpn.net/faq.html#bridge1

Edit:

When reading more closely I notice the following at the end of the client log.

*Quote:*

> Mon Sep 24 19:07:14 2007 WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Win32 TCP/IP properties are set to 'Obtain an IP address automatically'
>
> Mon Sep 24 19:07:44 2007 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
> ...


Is that still present?

If so, try following that link.

----------

## Dagger

Hi,

I've been using OpenVPN for a loooooong time now and never had any bigger issues with it. It's one of the most (if not the most) flexible solutions I've seen.

OK, let's take a look at your config files:

instead of using

```
mode server
ifconfig 192.168.1.1 255.255.255.0 #vpnserver
ifconfig-pool 192.168.1.2 192.168.1.10 255.255.255.0 #clientiprange
```

I would advise using:

```
server 192.168.1.0 255.255.255.0
```

Additionally it's good to have:

```
ifconfig-pool-persist ipp.txt #client will always get the same IP
client-to-client # clients can "see" each other
```

In a first place I would advise using tunnel more rather than transport. It's much more flexible and doesn't require bridging.

If you are using tunnel more you need to understand, that openvpn creates a 4-IP subnet for each of your clients.

IP addresses are assigned as follow:

sunbet IP

gateway IP

client IP

broadcast IP

That means if your client has IP 192.168.1.1 his gateway should be 192.168.1.2

If you take a look at your client's routes you can see:

```

192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       30

192.168.1.0    255.255.255.0      192.168.1.1     192.168.1.2       1 

```

which generally says you have two gateways to the same network, and one of them is your own IP. It just won't work.

You also need to inform your client about his gateway.

Let me post you some config which should be a good example for you:

SERVER:

```

local 212.155.xx.xx # IP where your openvpn server will listen on. check for your IP

port 1194

proto udp

dev tun # we want to use tunnel mode

ca ca.crt

cert /path/to/your/cert.crt

key /path/to/your/key.key

dh dh2048.pem # worth generating. If you're not paranoid use 1024. 

ifconfig-pool-persist ipp.txt #clients will always have the same IP - very useful for setting up custom firewall rules customized for each client.

server 192.168.1.0 255.255.255.0 # your VPN subnet

client-to-client # clients want to see each other

push "route 192.168.5.0 255.255.255.0" # push routes to your IP's on server's network

push "route 192.168.6.0 255.255.255.0" # another random subnet behind your server

#push "dhcp-option DNS 192.168.1.1" # personally I've never seen it working

keepalive 10 120 # really useful

;tls-auth ta.key 0 # _optional_ additional security

cipher AES-256-CBC # if you are paranoid as I am you want 256bit encryption

comp-lzo # compression is always welcome

user nobody # good to run without root privileges

group nobody

persist-key

persist-tun

status openvpn-status.log 2 # good to log connections, so you always know who's connected

verb 3 

#link-mtu 1456

#mssfix 1412  

fragment 1400 # additional mtu fixes to work fine with some random programs. Rsync over ssh didn't want to work for me over vpn without it.

mssfix

```

I didn't add either duplicate-cn or push route-gateway 192.168.1.1, for security reasons. It really depends on what you want to use it for.

CLIENT:

```

client

dev tun

proto udp

remote 212.155.xx.xx 1194 # IP of your server

resolv-retry infinite

nobind

user nobody

group nobody

persist-key

persist-tun

ca ca.crt

cert client.crt

key client.key

dh dh2048.pem

keepalive 10 60

ns-cert-type server

;tls-auth ta.key 1

cipher AES-256-CBC

comp-lzo

verb 3

#link-mtu 1456

#mssfix 1412

fragment 1400

mssfix

explicit-exit-notify 3 # we want to inform server when you close your VPN

```

That's it, basically. Give it a try and post your results.

----------
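The four-address layout described in the post above, worked through as an added example (not part of the original post or of OpenVPN's own code). It assumes the role order the post lists and does not model which block the server keeps for itself; `block_for` and `check_pair` are hypothetical helper names.

```python
import ipaddress

# Role order inside each 4-address block, as listed in the post above.
ROLES = ("subnet", "gateway", "client", "broadcast")

def block_for(vpn_net, addr):
    """Return {role: address} for the /30 block of vpn_net that holds addr."""
    ip = ipaddress.ip_address(addr)
    if ip not in ipaddress.ip_network(vpn_net):
        raise ValueError(f"{addr} is outside {vpn_net}")
    # strict=False masks the host bits, giving the enclosing /30.
    block = ipaddress.ip_network(f"{addr}/30", strict=False)
    return dict(zip(ROLES, block))

def check_pair(vpn_net, client_ip, gateway_ip):
    """List what is wrong with a client address / gateway pair (empty = fine)."""
    roles = block_for(vpn_net, client_ip)
    client = ipaddress.ip_address(client_ip)
    gateway = ipaddress.ip_address(gateway_ip)
    problems = []
    if client != roles["client"]:
        slot = next(r for r, a in roles.items() if a == client)
        problems.append(f"{client} is the {slot} address of its block")
    if gateway == client:
        problems.append("gateway is the client's own address")
    elif gateway != roles["gateway"]:
        problems.append(f"gateway should be {roles['gateway']}")
    return problems

# (gateway, interface) columns of the two route rows quoted in the post.
ROUTE_ROWS = [("192.168.1.2", "192.168.1.2"), ("192.168.1.1", "192.168.1.2")]

if __name__ == "__main__":
    print(block_for("192.168.1.0/24", "192.168.1.6"))
    for gw, iface in ROUTE_ROWS:
        print(iface, "via", gw, "->", check_pair("192.168.1.0/24", iface, gw) or "ok")
```
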

## Bender007

Hey Dagger,

How do I have to set my routes?

Thanks for your post. OK, I will try your config. I got it working with the last posted config, but it works only one time, and after I disconnect I can't connect again; it stands at this point:

Server log (verb 9):

```

Sep 25 16:46:22 zion openvpn[30130]:  event_wait returned 0

Sep 25 16:46:22 zion openvpn[30130]: I/O WAIT status=0x0020

Sep 25 16:46:22 zion openvpn[30130]: MULTI: REAP range 96 -> 112

Sep 25 16:46:22 zion openvpn[30130]: SCHEDULE: schedule_find_least NULL

Sep 25 16:46:22 zion openvpn[30130]: PO_CTL rwflags=0x0001 ev=5 arg=0x080911ec

Sep 25 16:46:22 zion openvpn[30130]: PO_CTL rwflags=0x0001 ev=6 arg=0x080911e8

Sep 25 16:46:22 zion openvpn[30130]: I/O WAIT TR|Tw|SR|Sw [10/0]

```

Client:

```

Tue Sep 25 16:47:22 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006

Tue Sep 25 16:47:22 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Tue Sep 25 16:47:22 2007 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

Tue Sep 25 16:47:22 2007 LZO compression initialized

Tue Sep 25 16:47:22 2007 UDPv4 link local (bound): [undef]:21113

Tue Sep 25 16:47:22 2007 UDPv4 link remote: 80.128.109.20:21113

```

I'm going crazy with this damn VPN.. why the hell does it work one time and then not....!!!

----------

## Dagger

lol, give the config I posted a try. You probably need to tune it a bit for your configuration, but I'm sure you will forget about the problem  :Smile: 

----------

## Bender007

Hi Dagger,

Thx, but it's working now. The crazy thing is that with UDP the connection works one time, but after a disconnect and reconnect... nothing.. then I added proto tcp-server and tcp-client and voila, the connection works great!!!! YAHOOOOOO  :Very Happy: 

Dagger, big thx for your help and your config, but I got it working with my 2nd config... I tried your config and I got a working VPN tunnel.. one time.. but the ping problem wasn't solved.

I've tried all the tips from openvpn.org... but the solutions didn't work for me.

I'm posting my config here for all people who have the same problems:

My Network:

OpenVPN Device: tap0: 192.168.1.1

OpenVPN Clients range: 192.168.1.2-192.168.1.10

eth0(server): 192.168.0.1

openvpn.conf (Server):

```

proto tcp-server

port 21113

dev tap0

tls-server

ca /etc/openvpn/privnet/ca.crt

cert /etc/openvpn/privnet/server.crt

key /etc/openvpn/privnet/server.key

dh /etc/openvpn/privnet/dh1024.pem

tls-auth /etc/openvpn/privnet/ta.key 0

mode server

duplicate-cn

ifconfig 192.168.1.1 255.255.255.0 #vpnserver

ifconfig-pool 192.168.1.2 192.168.1.10 255.255.255.0 #clientiprange

push "dhcp-option DNS 192.168.1.1"

push "route-gateway 192.168.1.1"

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

push "route 192.168.0.0 255.255.255.0 192.168.1.1"

push "route 192.168.1.0 255.255.255.0 192.168.1.1"

comp-lzo

verb 9

status /var/log/openvpn-status.log

```

client.ovpn(Client conf):

```

proto tcp-client

client

port 21113

dev tap0

remote mydnsishot.or.net

tls-client

tls-auth ta.key 1

ca ca.crt

cert bender.crt

key bender.key

mtu-test

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

pull

comp-lzo

verb 4

```

All in all the tunnel works with this config, though after all that I don't know exactly what the problem was. But I think (and please correct me) the clients had problems with the routing table; after I added the "push route" command it works, but only with TCP. The UDP tunnel works only one time   :Shocked:   .. and what the hell, I don't know why!! I have the suspicion that my router is the problem, fu* provider router. Do yourself a favour and use a Fritzbox (or something else)...

The only question I have is whether it's possible to tweak the connection a little bit. I have an upload of 1MBit and I only get a download from my server of 85KB/s. Yes, it is OK, but is it possible to tweak? The requirement is that the connection must be encrypted (yes, the encryption steals some KB, but 40KB/s I think is too much).. mhh OK, first of all I'll try a MITM attack between the server and clients to see if the encryption really works.

THX very much bender   :Smile: 

----------
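Added example, not part of the original posts: a small audit of the settings this thread raises on the security side (the client-log warning about missing server certificate verification, `duplicate-cn`, the DH parameter size, `tls-auth`). `parse`, `audit` and the finding names are hypothetical, the DH size is guessed from the file name, and the two sample configs are shortened copies of the ones posted above.

```python
import re
import shlex

# Options that make a client verify the server's certificate. ns-cert-type is
# the one used in this thread; the rest are other OpenVPN options that do so.
SERVER_CHECKS = {"ns-cert-type", "remote-cert-tls", "tls-verify", "verify-x509-name"}

def parse(conf):
    """Map each active directive to a list of its argument lists."""
    opts = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(";"):          # ';' comments out a line
            continue
        words = shlex.split(line, comments=True)   # drops '#' comments
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def audit(conf):
    """Return finding names (hypothetical labels) for one config text."""
    o, found = parse(conf), []
    if ("client" in o or "tls-client" in o) and not (o.keys() & SERVER_CHECKS):
        found.append("no-server-cert-check")       # the warning in the client log
    if "duplicate-cn" in o:
        found.append("duplicate-cn")               # one certificate, many sessions
    for args in o.get("dh", []):
        bits = re.search(r"\d{3,5}", args[0].rsplit("/", 1)[-1]) if args else None
        if bits and int(bits.group()) < 2048:      # size guessed from file name
            found.append("weak-dh")
    if "tls-auth" not in o:
        found.append("no-tls-auth")
    return found

# Shortened copies of the final server and client configs posted above.
SERVER = """tls-server
dh /etc/openvpn/privnet/dh1024.pem
tls-auth /etc/openvpn/privnet/ta.key 0
duplicate-cn
ifconfig 192.168.1.1 255.255.255.0 #vpnserver
"""
CLIENT = """client
tls-client
tls-auth ta.key 1
ca ca.crt
pull
"""

if __name__ == "__main__":
    print("server:", audit(SERVER), "client:", audit(CLIENT))
```
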

## Dagger

I'm glad it works for you!

Have you ever tried the transfer rate on a non-tunneled, non-encrypted connection? I've done some tests on my connection, and 256bit encryption and tunneling consume 4-5% of my bandwidth. I've got 16Mb/1Mb adsl at home and it keeps the transfer around 110-115 KB/s on a tunneled connection.

When it comes to openvpn, I've played with dozens of different vpn solutions and currently I've got it working for around 160 users 24/7, where half of them work from home. Thanks to the TUN/TAP interface it's so easy and flexible to shape traffic and restrict/permit access to specific services/servers  :Smile: 

----------

## Bender007

Hi Dagger 

Wow, OK, you have much more experience with openvpn (VPN) than I have... First, I have the same connection as you, with max 128KB upload. When I connect with VPN and transfer data with proftpd my transfer speed is 90KB/s .. it's OK but could be more  :Very Happy:  What about the MTU option? As far as I know my provider T-Online uses an MTU of, mhh, ohh damn, I think it was 1490. Could this option optimize my transfer speed?

Mhh no, at this time I am very lucky to get a working VPN, but I have no idea how I deactivate the encryption (the comp option?). I think I have to learn a little bit more about openvpn... At my old server I tried to set up IPSEC/KAME; it worked fine, but I had much trouble with connecting my clients with a non-configured router.. And after 2 weeks I gave up.   :Twisted Evil: 

Oh OK, your settings are much more complex than mine, but good to hear that openvpn is so flexible!!! Mh OK, I think I only have to configure the listening device for the service I want to use, right (proftpd, samba thx)?

Can you tell me which option tells the openvpn server the encryption and tunneling?

comp..?

bye bender

----------

