# OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp)

## cchee

Background

In my attempt to set up OpenVPN for my network, I searched through the forum and couldn't find much information on setting up OpenVPN 2.0 using TAP, especially sample configuration files. Most of the HOWTOs I found are related to TUN settings. The HOWTO from http://openvpn.sourceforge.net/ was helpful, but since I am a newbie to openvpn, it took me a while to figure out how to get things set up right. In the hope of speeding up the adoption of the openvpn 2.0 ebuild into the Gentoo distribution (I love this distribution!!) and also of helping OpenVPN newbies (like me) save time, I have created this mini-HOWTO. Your constructive criticism/suggestions/feedback are most welcome, especially regarding network security related configuration.

Simplified Server/Client Environment

The system I used to set up the OpenVPN server is Gentoo Linux with kernel 2.6.8-r3 (which is gentoo-dev-sources-2.6.8-r3). Later kernels can also be used; the newest one I have used is gentoo-sources-2.6.11-r11. Make sure the kernel has TAP/TUN compiled as a module or built in. If compiled as a module, make sure you have tun in your /etc/module.autoload.d/kernel-2.6. The Linux server/client OpenSSL version is 0.9.7d-r1 or newer. For the Windows client, I used Windows XP with SP2 installed. This setup works regardless of whether you are using wireless or not. In my case, the Linux client is wired, and the Windows XP client is a wireless tablet PC.

OpenVPN server has external static IP in this setup.

Protected network: 10.2.0.0

Protected network DNS: 10.2.0.1 10.2.0.2

Protected network VPN server: 10.2.0.3

Protected network domain: homenetwork.local

Protected network is behind a separate hardware based firewall, e.g. Netscreen or Linksys Cable/DSL Wireless Router

The OpenVPN server resides inside the protected network, with UDP port 5000 forwarded from outside (Internet) to the OpenVPN server at the firewall.

OpenVPN virtual network: 10.1.0.0

OpenVPN virtual network server IP: 10.1.0.1 (in this example, I named it gateway)

OpenVPN virtual network client IP range: 10.1.0.2 - 10.1.0.10

OpenVPN client can be anywhere in the Internet or other remote LAN (via wireless or wired) with access to the Internet.

Unlike the typical TUN setup, with this setup you won't need to manually assign virtual IP addresses to server/client. All client virtual IPs are assigned by the server using the virtual IP range specified in the server configuration (parameter ifconfig-pool). Route table entries for virtual clients can be managed from the OpenVPN server configuration (under the parameter push "xxxx"). In addition, no ethernet bridging setup is needed in this setup. IMHO, this really makes the system/network administrator's life a lot easier.

Downloads

Update: You can use 2.0 rc6 or newer (the latest is the official version 2.0) instead. The differences are in some of the parameter values in the configuration file (sectioned out for you in the later instructions).

VPN Server/Client (Gentoo Linux, of course) - OpenVPN 2.0 ebuild [already in latest portage as stable].

Windows XP Client: http://openvpn.net/download.html

Mac OSX installation: please go to http://openvpn2.darwinports.com, http://www-user.rhrk.uni-kl.de/~nissler/tuntap/

There are a few OpenVPN GUIs available; which one you use depends on which one you like, and you can just google them. Here are a few links I found.

Windows XP OpenVPN GUI: http://www.ipact.com/~huttinger/bb/download.php?id=7, http://www.nilings.se/openvpn/download.html, http://openvpn.se/

Mac OS X OpenVPN GUI: http://mac.softpedia.com/get/Network-Admin/OpenVPN-GUI.shtml

Linux OpenVPN GUI: http://sourceforge.net/projects/openvpnadmin/, http://govpn.clubnix.net/

Installation

Linux VPN Server/Client

These steps are only needed if openvpn 2.0 is not yet official in the portage.

```
vi /etc/make.conf # to uncomment PORTDIR_OVERLAY
mkdir -p /usr/local/portage/net-misc/openvpn
cp ~/openvpn-2.0.ebuild /usr/local/portage/net-misc/openvpn # assuming you downloaded the ebuild in your current user (root) directory
cd /usr/local/portage/net-misc/openvpn
ebuild openvpn-2.0.ebuild digest
```

Before openvpn 2.0 becomes official in portage

```
ACCEPT_KEYWORDS="~x86" USE="pthreads ssl" emerge -v openvpn # You want to enable pthread for speed
```

After openvpn 2.0 becomes official in portage

```
USE="examples threads ssl" emerge -v openvpn # You want to enable threads for speed
```

Before openvpn 2.0 becomes official in portage

```
mkdir -p /etc/openvpn/gateway # you can replace gateway with whatever directory name you want to use
cd # go back to your root home directory
gzip -d < /usr/portage/distfiles/openvpn-2.0.tar.gz | ( cd /root; tar xvfo - )
cd /root/openvpn-2.0
mv easy-rsa ~/
rm -rf /root/openvpn-2.0
rc-update add openvpn default
vi /etc/conf.d/local.start # to add echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/conf.d/local.stop # to add echo 0 > /proc/sys/net/ipv4/ip_forward
rc-update add local default
```

After openvpn 2.0 becomes official in portage

```
mkdir -p /etc/openvpn/gateway
cd # go back to your root home directory
# easy-rsa is available under /usr/share/openvpn/easy-rsa
rc-update add openvpn default
vi /etc/conf.d/local.start # to add echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/conf.d/local.stop # to add echo 0 > /proc/sys/net/ipv4/ip_forward
rc-update add local default
```

Windows XP Client

I had the latest SP from Microsoft installed before I started.

Install openvpn-2.0-install.exe

Install OpenVPN GUI [optional]

Configuration

OpenVPN server configuration file (/etc/openvpn/gateway/local.conf)

```
port 1194 # or any other port you want to use
dev tap
tls-server
cd /etc/openvpn/gateway
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS 10.2.0.1" # push DNS entries to openvpn client
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1" # add route to protected network
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4
```

NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, process it, otherwise forward it to ssl_webserver.mycompany.com to process as https traffic. One great thing about this is you have one less hole in your firewall.

```
port-share ssl_webserver.mycompany.com 443
```

OpenVPN Linux client configuration (/etc/openvpn/client/local.conf)

```
port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
cd /etc/openvpn/client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
```

Symbolically link the configuration files for Gentoo Linux (server/client) [NEW from official openvpn 2.0 ebuild]

```
cd /etc/openvpn
# for each sub-directory, we create a symbolic link to its local.conf in the current directory, since the new init script
# doesn't scan sub-directories anymore; instead it looks for .conf files. With the sample environment defined above, we have:
ln -s gateway/local.conf gateway.conf
```

Windows XP client configuration (My Document\client.ovpn)

```
port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
ca ca.crt
cert client.crt
key client-key.txt
tls-auth ta-key.txt 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
```

To generate the ta.key (or ta-key.txt), I use the following command (recommended by the HOWTO from OpenVPN) to generate it on Linux:

```
openvpn --genkey --secret ta.key
```

 or 

```
openvpn --genkey --secret ta-key.txt
```

Then I basically copy this file to the server and all client machines via a secure channel.

To generate the server certificate and key file for /etc/openvpn/gateway, I basically follow the instructions provided by the easy-rsa README file. Make sure you specify that the purpose of the certificate is Web server when you submit the CSR for your server.

```
cd /root/easy-rsa
vi vars # update the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to appropriate values
. vars
./clean-all
./build-dh   # to generate the dh2048.pem needed by the server configuration
cp /root/openvpn/dh2048.pem /etc/openvpn/gateway
./clean-all
./build-req gateway
cp /root/openvpn/gateway.key /etc/openvpn/gateway
# Send the /root/openvpn/gateway.csr to your CA authority, once it is
# signed by CA authority, they will send you the certificate. Save this
# certificate as gateway.crt under /etc/openvpn/gateway.
```

To generate the client certificate and key file for /etc/openvpn/client, it is similar to the server, except the purpose of your client CSR is User instead of Web Server. Otherwise, you may run into the "unroutable" problem. Well, at least that was the case for me.

```
# repeat these steps for each OpenVPN client
# BEGIN
./clean-all
./build-req client
# Copy /root/openvpn/client.key to /etc/openvpn/client on your OpenVPN
# Linux client via SECURE channel
# For Windows XP, I just save the configuration, certificate and key files
# under My Document folder
# Send the certificate sign request to your CA authority.
# END
# Your CA authority should have a CA certificate which you will save
# under /etc/openvpn/gateway (for server), /etc/openvpn/client (for
# Linux client) and My Document folder for Windows XP client as ca.crt
# in our example. Make sure you use SECURE channel to transfer these
# files.
```

To verify the server certificate is valid, you can use the following:

```
openssl verify -CAfile ca.crt -purpose sslserver gateway.crt
```

To verify the client certificate(s) is (are) valid, you can use the following:

```
openssl verify -CAfile ca.crt -purpose sslclient client.crt
```

**You also need to make sure your firewall has UDP port 1194 (or whatever port you have specified in your server configuration) open for your OpenVPN server. In addition, depending on what firewall you are using, you may need to make sure network traffic is allowed into your protected network for your OpenVPN client IP range. Since we are not using an ethernet bridge, you will need to add a route on your protected LAN gateway to tell all machines in the protected LAN to forward packets to your VPN server when the requester IP belongs to the VPN LAN.**

Once you have all the configuration file in place, do the following on the server or Linux client.

```
/etc/init.d/openvpn start
```

For Windows XP, start OpenVPN GUI and then load the configuration file client.ovpn under My Document.

Testing

Start up the client side and then ping one of the servers in the protected network (10.2.0.0). If you can ping, then you are connected and your packets are routed correctly.

Finishing Touch

After you have verified that network connectivity is all well, if you are using the Windows client, you will want to turn your openvpn into a service that starts automatically instead of starting it manually each time you log in. To do that, just follow the instructions under the section Running OpenVPN as a Windows Service in the INSTALL-Win32 provided at http://openvpn.sourceforge.net/INSTALL-win32.html. **Make sure you have all your config files, certificates and keys moved to the <openvpn installed directory>/config directory if they are not already there.**

Last edited by cchee on Tue Apr 03, 2007 3:22 pm; edited 27 times in total

----------

## cchee

Troubleshooting

Q: I am getting the following error when I start up openvpn (version 2.0.2)

```
 * Starting openvpn for server ... [ !! ]
```

A: The /etc/init.d/openvpn for version 2.0.2 uses the -cd option in line 43

```
 --daemon --cd "${VPNDIR}"
```

replace that line with

```
 --daemon 
```

and make sure your /etc/openvpn/gateway/local.conf (using above example) has

```
cd /etc/openvpn/gateway
```

That should fix your problem. For details on how to modify /etc/init.d/openvpn to accommodate a multiple OpenVPN connection setup, check the bug attachment in https://bugs.gentoo.org/show_bug.cgi?id=109363

Q: I keep getting the following error on the server log when my client connected. What's wrong?

```
Oct  7 15:48:25 gateway openvpn[17954]: Administrator/www.xxx.yyy.zz:3510 Bad LZO decompression header byte: 40
Oct  7 15:48:27 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct  7 15:48:28 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct  7 15:48:29 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct  7 15:48:29 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 40
```

where www.xxx.yyy.zzz is the IP address of the client

A: Check the comp-lzo setting on both server and client configuration. Most likely your client doesn't have comp-lzo while your server expected it.

Q: I keep getting the following error on the server log when my client connected. What's wrong?

```
Oct  7 15:56:24 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:26 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:29 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:31 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:33 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:35 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
```

where www.xxx.yyy.zzz is the IP address of the client

A: Make sure both server and client configuration files have "tls-auth ta.key #" either enabled or disabled. Plus you want to make sure the server has 0 for # while the client has 1 for #. You can't have one enabled while the other disabled.

Q: I keep getting the following error on the server log when my client connected. What's wrong?

```
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /emailAddress=cchee@xxxxxx.yyyyy.zzz/C=US/ST=NY/L=NOWHERE/O=NOORG/OU=NODEPT/CN=Nobody
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: TLS object -> incoming plaintext read error
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: TLS handshake failed
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
```

where www.xxx.yyy.zzz is the IP address of the client

A: Check your client side SSL/TLS certificate. If you are using the server type of certificate for the client, you will get this error. To verify your certificate, type:

```
openssl verify -CAfile ca.crt -purpose sslclient mycert.crt
```

It should return an OK status without any error at all.

Q: All clients connected with the same virtual IP even though I have specified ifconfig-pool in my OpenVPN server configuration. What do I do?

A: Check your client side certificate to make sure you have the correct setup. If the same client wants to use the same certificate for multiple connections, then try to add the following to your server configuration if that fits your need.

```
duplicate-cn
```

And then restart your OpenVPN service on the server and try to connect to it again. In general, you are NOT recommended to do so, since it makes session tracking harder: you can't pinpoint a particular client side certificate during a security audit.

Q: VPN client connected to the VPN server ok, but it can't access any other nodes in the protected network. What do I do?

A: There are two options. 

1) On your default gateway, you need to add the route to your protected LAN with the VPN server as the gateway. Using the sample environment above, you will need to add the following route.

```
route add -net 10.1.0.0 netmask 255.255.255.240 gw 10.2.0.3
```

Note: Why is the netmask 255.255.255.240? Because our VPN client IP range is 0 - 10, the netmask is given as 255.255.255.240 (which gives us 16 entries [0-15]). A power of 2 is always more efficient for a router.

2) Use ethernet bridge.

Q: How do I put an access control list to define who can gain access to my VPN?

A: Use the learn-address directive and a shell script. You can easily manage your access control list via a text file. With the sample environment defined above, you will add the following line to your local.conf of OpenVPN:

```
learn-address /etc/openvpn/gateway/access-control.sh
```

And shell script /etc/openvpn/gateway/access-control.sh: 

```
#!/bin/bash

case $1 in

        delete)

        exit 0

        ;;

        *)

        whologin=$(grep $3 /etc/openvpn/gateway/access-control.txt)

        if [ -z ${whologin}]; then

                exit 1

        else

                exit 0

        fi

        ;;

esac

```

The format of the access control list file (text) is simply CN for each line: 

```
Good.Guy

Good.Girl
```

Note: With openvpn 2.0 rc6, your access control list file (text) will replace the dot with white space as below:

```
Good Guy

Good Girl
```

Note: With openvpn 2.0 rc17, your access control list file (text) will replace the dot with underscore as below:

```
Good_Guy

Good_Girl
```

Q: After I emerge from the official OpenVPN ebuild in gentoo, my setup broke, can't start openvpn server. What's up?

A: The issue lies within /etc/init.d/openvpn. The official init script for openvpn in Gentoo has changed slightly. It expects the config file to be within /etc/openvpn, not /etc/openvpn/gateway (given the sample environment described in the first post of this topic). So to work around this, you will need to do two things:

```
cd /etc/openvpn; ln -s /etc/openvpn/gateway/local.conf gateway.conf
```

And then, if your local.conf doesn't have cd /etc/openvpn/gateway, you will need to add that before any config-file loading directive.

```
cd /etc/openvpn/gateway
ca ca.crt
```

Or, if you enjoy typing, you can use absolute paths for all file references in the config file. For example,

```
ca /etc/openvpn/gateway/ca.crt
```

Last edited by cchee on Sat Oct 15, 2005 2:26 pm; edited 15 times in total
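A stricter variant of the learn-address hook from the access-control answer above, added here as an example; it is not cchee's script and not part of OpenVPN. The grep in the original matches a substring with the dot treated as a regex wildcard (so an ACL entry "Good.Guy" would also admit a certificate whose CN is "GoodXGuy", and a CN of "Good" would match any line containing it) and leaves its variables unquoted. This version matches the CN as a whole fixed-string line, fails closed on unknown operations or a missing ACL file, and logs every decision. The ACL file must list CNs in whatever form the running OpenVPN version presents them (dot, space or underscore, as the rc6/rc17 notes above describe). The paths under /etc/openvpn/gateway are the sample environment's; the ACL file is a parameter so the check can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example, not cchee's script: a stricter learn-address hook for the
# access-control.txt scheme. OpenVPN invokes it as
#   <script> <operation> <address> [<common name>]
# with operation = add, update or delete; the common name is absent on delete.
# A non-zero exit tells OpenVPN to reject the address.

log() {
    # syslog when available, stderr otherwise; logging must never fail the hook
    logger -t openvpn-acl -- "$*" 2>/dev/null || echo "openvpn-acl: $*" >&2
}

# acl_check <aclfile> <operation> <address> [<common name>]
# exit status 0 = allow, 1 = deny
acl_check() {
    aclfile=$1; op=$2; addr=$3; cn=${4:-}
    case "$op" in
        delete)     return 0 ;;                   # nothing to authorise on teardown
        add|update) ;;
        *)          log "deny $addr: unknown operation '$op'"; return 1 ;;
    esac
    if [ ! -r "$aclfile" ]; then
        # a missing or unreadable ACL must not silently admit everyone
        log "deny $addr cn='$cn': ACL file $aclfile unreadable"
        return 1
    fi
    # -x: whole line, -F: fixed string (no regex metacharacters), -- : CN may start with '-'
    if [ -n "$cn" ] && grep -qxF -- "$cn" "$aclfile"; then
        log "allow $addr cn='$cn'"
        return 0
    fi
    log "deny $addr cn='$cn': not listed"
    return 1
}

# Real invocation by OpenVPN (learn-address /etc/openvpn/gateway/access-control.sh).
# With no arguments, e.g. when sourced for testing, nothing runs.
if [ $# -ge 2 ]; then
    acl_check /etc/openvpn/gateway/access-control.txt "$@"
    exit $?
fi
```

Because the decision is logged with the address and CN, the openvpn-status.log entries can be reconciled against the ACL decisions during an audit, which is the tracking problem the duplicate-cn answer above warns about.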

----------

## cchee

For those who have Linux as their OpenVPN client: if you want DNS lookup to work properly, you will need to add the following to your Linux client configuration (using the above example environment):

```
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down
```

where client.up is a shell script with the following content:

```
#!/bin/sh
# prepend the protected network's resolver entries to resolv.conf
sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
```

and client.down is another shell script with the following content:

```
#!/bin/sh
# remove the entries client.up added
sed -i \
-e '/nameserver 10.2.0/d' \
-e '/search homenetwork.local/d' /etc/resolv.conf
```

Make sure you have 

```
chmod 755 client.up client.down
```

And have these scripts under the same directory as the configuration file. Note: an absolute path is needed for client.up in the OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.

Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 2 times in total

----------

## cchee

Create your own CA

Easy-RSA comes with OpenVPN. Creating your own CA is very easy: just update the vars file accordingly. Then do:

```
. vars
./clean-all
./build-ca
```

You will have the ca.crt and ca.key generated under the KEY_DIR defined in vars.

Create certificate request

```
./build-req laptop
```

You will have the laptop.csr and laptop.key generated under the KEY_DIR defined in vars.

Sign your CSR request(s)

After you have created the CSR for your OpenVPN client (for example, the name of the client is laptop), and you have already generated the CA (as described above), and the CSR for laptop is under KEY_DIR, then you will do:

```
./sign-req laptop
```

You will have the laptop.crt generated under the KEY_DIR defined in vars.

Last edited by cchee on Sat Nov 06, 2004 7:14 pm; edited 1 time in total

----------

## cchee

Thanks to Vlada Macek in the OpenVPN news group for this great suggestion. To have my openvpn server check against the CRL on my CA server, I did the following:

Add 

```
crl-verify /etc/openvpn/gateway/ca.crl
```

 to my local.conf on my OpenVPN server (using the example environment above).

Create the following cronjob script, named crl-update.cron, under /etc/openvpn/gateway: 

```
#!/bin/sh
/usr/bin/wget -q http://myca.mynetwork.local/CertEnroll/CA%20Root.crl -O /etc/openvpn/gateway/new-ca.crl
/usr/bin/openssl crl -inform DER -outform PEM -in /etc/openvpn/gateway/new-ca.crl -out /etc/openvpn/gateway/ca.crl
chmod 600 /etc/openvpn/gateway/ca.crl
```

This cronjob script basically retrieves the CA Root CRL from the CA server (MS Windows Server) in my network using wget. Then I use openssl crl to convert the CRL from DER format to PEM format. The wget -q option mutes any standard output from wget.

Lastly, I create a symbolic link: 

```
ln -s /etc/openvpn/gateway/crl-update.cron .
```

where . is /etc/cron.hourly, to have this cronjob run every hour.

Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 1 time in total

----------

## cchee

 *cchee wrote:*   

> For those who has Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following into their Linux client configuration (using the above example environment):
> 
> ```
> up /etc/openvpn/client/client.up
> 
> ...

 

Thanks to James Yonan for the hints on the environment variables set by OpenVPN before the up/down commands are invoked. To make the above script even more system-admin friendly, we replace the client.up.

With openvpn 2.0 beta11:

```
#!/bin/sh
# beta11 exports pushed options as dhcp-option.DOMAIN.x and dhcp-option.DNS.x
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option\.DOMAIN\.//g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option\.DNS\.//g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option\.DNS\.//g'`
sed -i \
-e "1,1 i nameserver ${dns1}" \
-e "1,1 i nameserver ${dns2}" \
-e "1,1 i search ${domain}." /etc/resolv.conf
```

With openvpn 2.0 rc6 to latest 2.0 stable:

```
#!/bin/sh
# rc6 and later export pushed options as "dhcp-option DOMAIN x" and "dhcp-option DNS x"
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option DOMAIN //g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option DNS //g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option DNS //g'`
sed -i \
-e "1,1 i nameserver ${dns1}" \
-e "1,1 i nameserver ${dns2}" \
-e "1,1 i search ${domain}." /etc/resolv.conf
```

And then replace the client.down.

With openvpn 2.0 beta 11:

```
#!/bin/sh
# remove exactly the entries client.up inserted (beta11 option format)
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option\.DOMAIN\.//g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option\.DNS\.//g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option\.DNS\.//g'`
sed -i \
-e "/nameserver ${dns1}/d" \
-e "/nameserver ${dns2}/d" \
-e "/search ${domain}./d" /etc/resolv.conf
```

With openvpn 2.0 rc6 to latest 2.0 stable:

```
#!/bin/sh
# remove exactly the entries client.up inserted (rc6 and later option format)
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option DOMAIN //g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option DNS //g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option DNS //g'`
sed -i \
-e "/nameserver ${dns1}/d" \
-e "/nameserver ${dns2}/d" \
-e "/search ${domain}./d" /etc/resolv.conf
```

This way, when you (as the system admin) need to change the domain or DNS IPs, you don't need to change all the Linux clients' client.up and client.down scripts manually; all you need to do is update the domain and DNS IPs in the server local.conf and it will automagically prepend the correct domain and DNS IPs into the clients' /etc/resolv.conf file.

If none of the above helps, go to http://news.gmane.org/gmane.network.openvpn.user and browse through the mailing list archive. Great resource for information!

Last edited by cchee on Fri Apr 29, 2005 4:34 am; edited 2 times in total
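The client.up/client.down pair above hard-codes foreign_option_1 to 3, so the script breaks if the server pushes a third DNS server, pushes them in a different order, or omits the DOMAIN. The following single up/down script, added here as an example (not cchee's script and not part of OpenVPN), walks every foreign_option_<n> the 2.0 rc6 and later spelling exports, validates the values before they are written (the server is trusted to route the VPN, but an unexpected pushed string still should not land unchecked in resolv.conf), and brackets the inserted lines with markers so "down" removes exactly what "up" added and a second "up" does not stack entries. The beta11 dot-separated form is not handled. The resolv.conf path is a function parameter so the logic can be exercised on a scratch file; the script name /etc/openvpn/client/resolv.sh is an assumption.

```shell
#!/bin/sh
# Added example, not cchee's script: one up/down hook that reads every pushed
# dhcp-option from the foreign_option_<n> environment variables OpenVPN sets
# (rc6+ format, e.g. "dhcp-option DNS 10.2.0.1") and maintains a marked block
# at the top of resolv.conf.

# Gather pushed settings into VPN_DOMAIN and VPN_DNS (space separated list).
collect_foreign_options() {
    VPN_DOMAIN=""; VPN_DNS=""; i=1
    # only the numeric index is interpolated into the eval, never a pushed value
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DOMAIN "*) VPN_DOMAIN=${opt#dhcp-option DOMAIN } ;;
            "dhcp-option DNS "*)    VPN_DNS="$VPN_DNS ${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
    VPN_DNS=${VPN_DNS# }
}

# is_ipv4 <string>: true only for a dotted quad with octets 0-255
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# is_domain <string>: letters, digits, dots and hyphens only
is_domain() {
    case "$1" in ""|*[!A-Za-z0-9.-]*) return 1 ;; esac
    return 0
}

# strip_block <file>: print the file without a previously inserted block
strip_block() {
    sed '/^# BEGIN openvpn$/,/^# END openvpn$/d' "$1"
}

# vpn_resolv_up <resolv.conf>: prepend a marked block with the pushed settings
vpn_resolv_up() {
    f=$1; tmp="$f.openvpn.$$"
    collect_foreign_options
    {
        echo "# BEGIN openvpn"
        if is_domain "$VPN_DOMAIN"; then echo "search $VPN_DOMAIN"; fi
        for d in $VPN_DNS; do                       # word-split on purpose
            if is_ipv4 "$d"; then echo "nameserver $d"; fi
        done
        echo "# END openvpn"
        if [ -f "$f" ]; then strip_block "$f"; fi   # keep the original entries
    } > "$tmp" && mv "$tmp" "$f"
}

# vpn_resolv_down <resolv.conf>: remove the block again
vpn_resolv_down() {
    f=$1; tmp="$f.openvpn.$$"
    strip_block "$f" > "$tmp" && mv "$tmp" "$f"
}

# Client configuration (chmod 755 the script, as the post above says):
#   up   "/etc/openvpn/client/resolv.sh up"
#   down "/etc/openvpn/client/resolv.sh down"
# OpenVPN's own arguments follow our keyword and are not needed here.
case "${1:-}" in
    up)   vpn_resolv_up   /etc/resolv.conf ;;
    down) vpn_resolv_down /etc/resolv.conf ;;
esac
```

The markers also make a crashed session recoverable: if the client dies without running "down", the next "up" strips the stale block before writing the new one instead of leaving duplicate nameserver lines behind.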

----------

## nyne

If my ISP assigns a dynamic IP, should that cause any real problems with a setup like this (essentially for encryption/authentication of wireless nodes in a client/server type setup)?

I basically have a Gentoo box (2.6.8) with eth1 grabbing an IP from my ISP via DHCP, and eth0 (192.168.0.0) being my private LAN, hooked to a wireless access point && 5 port 100mbit switch (befw11s4 linksys)

I'm running iptables, have openvpn installed, and tun/tap compiled into the kernel.. should I be okay with a configuration like this?

----------

## cchee

 *nyne wrote:*   

> if my ISP assigns a dynamic ip, should that cause any real problems with a setup like this (essentially for encryption/authentication of wireless nodes in a client/server type setup)
> 
> I basically have a Gentoo box (2.6.8) with eth1 grabbing an IP from my ISP via DHCP, and eth0 (192.168.0.0) being my private LAN, hooked to a wireless access point && 5 port 100mbit switch (befw11s4 linksys)
> 
> I'm running iptables, have openvpn installed, and tun/tap compiled into the kernel.. should I be okay with a configuration like this?

 Are you trying to 

a) access OpenVPN from your home network to external static IP openvpn server? or

b) setup your home OpenVPN server so can you access it from outside (Internet)? or

c) setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?

----------

## nyne

Essentially I am trying to (C)   setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?  

----------

## cchee

 *nyne wrote:*   

> Essentially I am trying to (C)   setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?  

You need to "push" (from the OpenVPN server) the change of the default gateway for all your OpenVPN client wireless nodes to point to the OpenVPN server on your LAN instead of your wireless broadband router (linksys befw11s4). I haven't tested this type of setup myself since my setup is more of (A), but I can't think of any reason why you won't be able to do it.

----------

## lokelo

I'm not too familiar with the whole concept of getting my .csr signed. Who would I go to for that to be signed for my server? I see you have how to sign a client's csr file, but would that work for the main server? Is there a way that I can sign that csr myself?

Also, you mention to specify the purpose of the certificate.  Does that get specified somewhere when you make the csr file? or done when you actually get it signed?

----------

## cchee

 *lokelo wrote:*   

> I'm not too familiar with the whole concept of getting a my .csr signed.  Who would I go to for that to be signed for my server?  I see you have how to sign a clients csr file, but would that work for the main server?  Is there a way that I can sign that csr myself?  
> 
> Also, you mention to specify the purpose of the certificate.  Does that get specified somewhere when you make the csr file? or done when you actually get it signed?

Check the README that comes with easy-rsa (which comes with the OpenVPN tarball). I used the Certificate Server that comes with MS Windows Server 2003. In there, when you request to sign a certificate request, they have User and Webserver (plus other) purposes. If you are doing self-signing using Easy RSA, you probably don't need to specify the purpose. Hope this helps.

----------

## voice0

Hi cchee!

Today, I installed a VPN following your Mini-HOWTO. The VPN seems to work now. However, after connecting client C0 to the server, client C0 had the IP address 10.1.0.2 in the subnet 255.255.255.0, which seems to be correct. A ping from client C0 to the server or from the server to client C0 works, too. Everything seems to be fine so far.

After connecting client C1 to the server, the client C1 got the ip address 10.1.0.3 which seems to be fine, too. I tried to ping the server 10.1.0.1 and got a response. The server was able to ping 10.1.0.3, too. Seems to be fine.

The Problem:

Client C0 does not get a ping reply from client C1, nor does C1 get any response from C0, although both clients are able to connect and communicate with the server. The server does not report any errors in the log.

Any idea, why?

[edit]:

I have just added the client-to-client option to my server configuration file. Now, C1 can ping C0 but C0 is still not able to ping C1 O_o

Well, I guess it's a firewall problem, now.

[/edit]

[edit²]

It was a firewall problem, and the client-to-client option really does make it work.

[/edit]

Here's my server-configuration:

```
port 5000
dev tap
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh1024.pem
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0
push "dhcp-option DNS 10.2.0.1"
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1"
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1"
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4
```

And this is my client configuration (both clients are using this configuration):

```
remote w.x.y.z    # I deleted the ip on purpose ;-)
port 5000
dev tap
tls-client
ca ca.crt
cert client.crt
key client.key
# tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
```

----------

## nyne

 *cchee wrote:*   

>  *nyne wrote:*   Essentially I am trying to (C)   setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?   You need to "push" (from OpenVPN server) the changes of the default gateway for all your OpenVPN client wireless nodes to point to OpenVPN server on your LAN instead of your wireless broadband router (linksys befw11s4). I haven't tested this type of setup myself since my setup is more of (A), but I can't think any reason why you won't be able to do it.

 

The wireless router is only being used as a wireless access point/wired switch. The DHCP server is sitting on my default gateway/iptables Gentoo box (which is connected directly to the cable modem).

----------

## cchee

 *lokelo wrote:*   

> I'm not too familiar with the whole concept of getting my .csr signed.  Who would I go to for that to be signed for my server?  I see you have how to sign a client's csr file, but would that work for the main server?  Is there a way that I can sign that csr myself?  
> 
> Also, you mention to specify the purpose of the certificate.  Does that get specified somewhere when you make the csr file? or done when you actually get it signed?

Here is another link with good info related to certificates: http://www.oreillynet.com/pub/a/security/2004/10/21/vpns_and_pki.html

----------

## lokelo

Ok, I have my setup working fairly ok now, but I'm still having a little problem.  My client can ping the virtual address of the server, and the server can ping the virtual address of the client, but I can't ping anything past that, including the actual IP or any computers on the remote network.  I've got my setup exactly as the howto describes except that my protected network is 192.168.1.0 and my virtual network is 192.168.2.0.  Any help on this would be appreciated.

----------

## cchee

 *lokelo wrote:*   

> Ok, I have my setup working fairly ok now, but I'm still having a little problem.  My client can ping the virtual address of the server, and the server can ping the virtual address of the client, but I can't ping anything past that, including the actual IP or any computers on the remote network.  I've got my setup exactly as the howto describes except that my protected network is 192.168.1.0 and my virtual network is 192.168.2.0.  Any help on this would be appreciated.

  Check the updated Troubleshooting section of this topic.

----------

## damed92

Firstly, thank you VERY much for this howto. I have OpenVPN working well.

One question:

I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.

What I need to do now is set up Location 2 (L2) to connect to L1 and create a permanent VPN tunnel, so that clients at L1 can get to L2 and clients at L2 can get to L1.  L2 currently has a Linux firewall set up. My plan is to set up this machine as a Linux client to the server at L1.

Basically, what I want to know:

Do I need to create a new conf file on the server using a different port for this connection, or can it use 5000? Keep in mind that I still want Windows clients from the net to get into L1.

Please advise, and thank you again.

----------

## cchee

 *damed92 wrote:*   

> Firstly, thank you VERY much for this howto. I have OpenVPN working well.
> 
> One question:
> 
> I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.
> ...

The L2 VPN server will be one of the VPN clients of the L1 server at port 5000. The L1 VPN server will be one of the VPN clients of the L2 server at a port OTHER than 5000 (e.g. 6000). If you want L1 clients to be able to access L2, you may need to add

```
client-to-client
```

in your local.conf on the L1 VPN server. In addition, you need to make sure you have proper routes in the routing tables on both L1 and L2.

----------

## damed92

 *cchee wrote:*   

> The L2 VPN server will be one of the VPN clients of the L1 server at port 5000. The L1 VPN server will be one of the VPN clients of the L2 server at a port OTHER than 5000 (e.g. 6000). If you want L1 clients to be able to access L2, you may need to add 
> 
> ```
> client-to-client
> ```
> ...

 

Ok, so let me see if I have this straight.

I have to add a second conf file to the directory on L1's server that makes a connection to L2's server (which I need to set up).

L2 needs to be installed in server mode as well, so it can accept a connection from L1 (at a different port than 5000). It will also be a client to the server at L1. So, basically we are creating 2 vpn connections for this (in essence)

If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) will the openvpn server at startup automatically read both conf files and create the appropriate connections?

----------

## cchee

 *damed92 wrote:*   

> If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) will the openvpn server at startup automatically read both conf files and create the appropriate connections?

 

The openvpn startup script in Gentoo scans each sub-directory under /etc/openvpn and loads the local.conf accordingly. So in your setup, you will have /etc/openvpn/L1 and /etc/openvpn/L2 sub-directories.

----------

## damed92

 *cchee wrote:*   

>  *damed92 wrote:*   If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) will the openvpn server at startup automatically read both conf files and create the appropriate connections? 
> 
> The openvpn startup script in Gentoo scans each sub-directory under /etc/openvpn and loads the local.conf accordingly. So in your setup, you will have /etc/openvpn/L1 and /etc/openvpn/L2 sub-directories.

 

Unfortunately I am using Redhat on these boxes (not my choice).  Can you possibly point me to the startup script so I can see if I can port it?

----------

## cchee

 *damed92 wrote:*   

> Unfortunately I am using Redhat on these boxes (not my choice).  Can you possibly point me to the startup script so I can see if I can port it?

 

It could be more involved than you think, but this should give you a general idea. You may want to switch to Gentoo.

```
#!/sbin/runscript

VPNDIR="/etc/openvpn"

depend() {
        need net
}

checktundevice() {
        if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
                ebegin "Detected broken /dev/net/tun symlink, fixing..."
                        rm /dev/net/tun
                        ln -s /dev/misc/net/tun /dev/net/tun
                eend $?
        fi
}

start() {
        checktundevice || return 1
        cd $VPNDIR
        # one sub-directory per VPN link, each holding its own local.conf and keys
        for VPN in *
        do
                if [ -d $VPN ] && [ -e $VPN/local.conf ]; then
                        ebegin "Starting openvpn for $VPN"
                                start-stop-daemon --start --pidfile /var/run/openvpn-$VPN.pid --startas /usr/sbin/openvpn -- --config $VPN/local.conf --writepid /var/run/openvpn-$VPN.pid --daemon --cd $VPN
                        eend $?
                else
                        ewarn "Expected $VPNDIR/$VPN to be a directory containing a local.conf."
                fi
        done
}

stop() {
        cd $VPNDIR
        for VPN in *
        do
                if [ -e /var/run/openvpn-$VPN.pid ]; then
                        ebegin "Stopping openvpn for $VPN"
                                start-stop-daemon --oknodo --stop --pidfile /var/run/openvpn-$VPN.pid
                                rm /var/run/openvpn-$VPN.pid
                        eend 0
                else
                        ewarn "$VPN has no pidfile!"
                fi
        done
        return 0
}
```

----------

## damed92

Ugh. This could be difficult. Would it be possible to have both these functions in one local.conf file? What about if there are 2 conf files in the same directory, but with different names?  There is no way I can change it to gentoo, as these boxes are the internet gateways for 2 locations that work 12 hour shifts, and I'm not going to get a chance to take them offline that long.

----------

## cchee

 *damed92 wrote:*   

> Ugh. This could be difficult. Would it be possible to have both these functions in one local.conf file? What about if there are 2 conf files in the same directory, but with different names?  There is no way I can change it to gentoo, as these boxes are the internet gateways for 2 locations that work 12 hour shifts, and I'm not going to get a chance to take them offline that long.

You also need to consider the certificate and key files for the different VPN links, so separate directories help to prevent confusion. You can use the above "script" and put it as /etc/init.d/openvpn. You may need to replace some Gentoo-specific functions with something similar in RedHat.
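For the porting question above, here is the same "one directory per VPN link" loop written in plain POSIX sh, with none of the Gentoo-only helpers (runscript, ebegin/eend, start-stop-daemon), so it can be dropped into a SysV-style /etc/init.d/openvpn on RedHat. This is an added example, not the Gentoo script or anything from the HOWTO; the directory, pidfile and binary paths are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not the Gentoo init script): start/stop one openvpn process per
# sub-directory of $VPNDIR that contains a local.conf, e.g. /etc/openvpn/L1 and
# /etc/openvpn/L2. Paths are assumptions; override them via the environment.
VPNDIR="${VPNDIR:-/etc/openvpn}"
PIDDIR="${PIDDIR:-/var/run}"
OPENVPN="${OPENVPN:-/usr/sbin/openvpn}"

# list_vpns: print the name of every sub-directory of $VPNDIR holding a local.conf;
# plain files and directories without a local.conf are skipped with a warning.
list_vpns() {
    for dir in "$VPNDIR"/*; do
        [ -d "$dir" ] || continue
        name=${dir##*/}
        if [ -f "$dir/local.conf" ]; then
            printf '%s\n' "$name"
        else
            echo "warning: $dir has no local.conf, skipping" >&2
        fi
    done
}

# vpn_cmd NAME: print the openvpn command line for one link. --cd makes the
# relative ca/cert/key paths inside that link's local.conf resolve within its
# own directory, which is what keeps the key material of the links apart.
vpn_cmd() {
    printf '%s --config %s/%s/local.conf --writepid %s/openvpn-%s.pid --daemon --cd %s/%s\n' \
        "$OPENVPN" "$VPNDIR" "$1" "$PIDDIR" "$1" "$VPNDIR" "$1"
}

start_all() {
    for vpn in $(list_vpns); do
        echo "Starting openvpn for $vpn"
        # paths are assumed to contain no spaces, so word-splitting the printed command is safe
        $(vpn_cmd "$vpn") || echo "openvpn for $vpn failed to start" >&2
    done
}

stop_all() {
    for vpn in $(list_vpns); do
        pidfile="$PIDDIR/openvpn-$vpn.pid"
        if [ -f "$pidfile" ]; then
            echo "Stopping openvpn for $vpn"
            kill "$(cat "$pidfile")" 2>/dev/null
            rm -f "$pidfile"
        else
            echo "$vpn has no pidfile" >&2
        fi
    done
}

# SysV entry point; does nothing when sourced or run without an action.
case "${1:-}" in
    start)   start_all ;;
    stop)    stop_all ;;
    restart) stop_all; start_all ;;
esac
```

Run it as `/etc/init.d/openvpn start` after creating /etc/openvpn/L1/local.conf and /etc/openvpn/L2/local.conf; a directory without a local.conf only produces a warning, so a half-finished link cannot be started by accident.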

----------

## tdb

FYI OpenVPN was assigned an official port number by IANA recently. It now officially uses port 1194 for both TCP and UDP communications. All versions of OpenVPN starting with 2.0 beta 17 will now default to port 1194 instead of 5000. You can, of course, continue to use port 5000, or any port you want, by using the --port option.

----------

## mariourk

 *Quote:*   

> # Send the /root/openvpn/gateway.csr to your CA authority

I have no idea who my CA authority is...

Can someone explain this to me? Does someone know a good page that explains this whole encryption-thing in detail?? I really don't understand this.

----------

## cchee

 *mariourk wrote:*   

> *Quote:*
> 
> # Send the /root/openvpn/gateway.csr to your CA authority
> 
> ...

Here is the educational info: http://en.wikipedia.org/wiki/Certificate_authority

You can be your own CA if you choose to do so. There is a section in this topic (page 1) that provides you information on how to sign your own certificate. If you are in a corporate setting, check with your system administrator and he can tell you if you have a CA server on your corporate LAN. Hope this helps.

----------

## tdb

One thing to keep in mind is that Verisign and Thawte and the like are also CAs, but you don't want to use them for your certificate. The reason why is that by default, OpenVPN will let any two peers connect to each other if both their certificates are signed by the same CA. So, if you used a certificate from Verisign or Thawte, then anyone else whose certificate was signed by Verisign or Thawte would be allowed to connect too. OpenVPN has several methods to prevent this from happening, including HMAC authentication, scripting to check the "common name" and fingerprints of certificates, and even support for accepting a username and password (in 2.0 beta 12 and later) along with (or in lieu of) a certificate.

Bottom line, once you figure out what a CA is, you're going to want to use your own internal CA and not an outside one.
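The "scripting to check the common name" option mentioned above, as an added example that is not part of the HOWTO or of OpenVPN itself: a --tls-verify hook that accepts a peer only when the Common Name of its leaf certificate is on an allow-list, so that "signed by our CA" alone is not enough to get in. It assumes the subject string format that the VERIFY OK log lines later in this thread show (`/C=US/ST=CO/O=Java_Zen/CN=client/...`), and the allow-list path /etc/openvpn/allowed-cn is an assumption.

```shell
#!/bin/sh
# Added example: OpenVPN --tls-verify hook that allow-lists certificate Common Names.
# OpenVPN 2.0 runs it once per certificate in the chain as:  script DEPTH SUBJECT
# and rejects the peer if the script exits non-zero.
# Assumptions: 2.0-style "/C=..../CN=name/..." subject strings, and an allow-list
# file with one Common Name per line at $ALLOWED.
ALLOWED="${ALLOWED:-/etc/openvpn/allowed-cn}"

# cn_from_subject SUBJECT: print the CN component, or nothing if there is none
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*/CN=\([^/]*\).*|\1|p'
}

# cn_allowed CN: succeed only if CN matches a whole line of $ALLOWED exactly
# (-x whole line, -F literal: "client" must not match "clientx" or a regex)
cn_allowed() {
    [ -r "$ALLOWED" ] || return 1
    grep -qxF -e "$1" "$ALLOWED"
}

# verify DEPTH SUBJECT: 0 = accept this certificate, 1 = reject the peer
verify() {
    depth=$1
    subject=$2
    # Only the leaf certificate (depth 0) names the peer; the CA certificate at
    # depth 1 has already been matched against --ca by OpenVPN, so let it pass.
    [ "$depth" -eq 0 ] || return 0
    cn=$(cn_from_subject "$subject")
    [ -n "$cn" ] || return 1
    cn_allowed "$cn"
}

# When OpenVPN invokes this file with its two arguments, verify and exit.
if [ "$#" -eq 2 ]; then
    verify "$1" "$2"
    exit $?
fi
```

Hook it up with `tls-verify /etc/openvpn/verify-cn.sh` in the server's local.conf. The script runs at handshake time, after the daemon has dropped to `user nobody` and entered any `chroot`, so both the script and the allow-list must be readable from inside that environment; the HMAC `tls-auth` key shown in the configurations above is complementary, since it stops unauthenticated peers before the TLS handshake even starts.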

----------

## gpeangel

It seems I'm really close to having openvpn working by following this excellent HOW-TO.  I can start openvpn on the server and client and the logs indicate they are connecting properly.  However, I cannot ping anything.  I believe it's a routing issue that I don't understand enough to sort out.  Is there a route command I need to run on the server and/or client which I've missed?  The one suggested in the HOW-TO troubleshooting section hasn't made a difference.

The details:

Server Config (Linux, static 10.10.10.80 IP address):

```
ca keys/ca.crt
cert keys/server.crt
chroot /usr/local/openvpn
comp-lzo
dev tap
dh keys/dh2048.pem
duplicate-cn
group nobody
ifconfig 10.1.0.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
key keys/server.key  # This file should be kept secret
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
mode server
mssfix 1450
mtu-test
mute 20
persist-key
persist-tun
ping 10
ping-restart 120
port 5000
push "dhcp-option DNS m.n.o.p"
push "dhcp-option DNS m.n.o.q" # push DNS entries to openvpn client
push "ping 10"
push "ping-restart 60"
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
push "route 10.10.10.0 255.255.255.0 10.1.0.1" # add route to protected network
push "route-gateway 10.1.0.1" # push default gateway
status /var/log/openvpn/openvpn-status.log
tls-auth keys/ta.key 0
tls-server
tun-mtu 1500
tun-mtu-extra 32
user nobody
verb 6
```

Client Config (Win2K Pro):

```
ca ca.crt
cert client.crt
comp-lzo
dev tap
key client.key
mssfix 1450
mtu-test
mute 10
port 5000
pull
remote w.x.y.z (actual IP removed)
tls-auth ta.key 1
tls-client
tun-mtu 1500
tun-mtu-extra 32
verb 6
```

Before Connecting

On Client

```
C:\>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.5.42.1     10.5.42.141       1
        10.5.42.0    255.255.255.0      10.5.42.141     10.5.42.141       1
      10.5.42.141  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255      10.5.42.141     10.5.42.141       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.5.42.141     10.5.42.141       1
  255.255.255.255  255.255.255.255      10.5.42.141               2       1
Default Gateway:         10.5.42.1
===========================================================================
Persistent Routes:
  None

C:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : computer-name
        Primary DNS Suffix  . . . . . . . : my.company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : my.company.com
                                            company.com

Ethernet adapter Local Area Connection 9:

        Media State . . . . . . . . . . . : Cable Disconnected
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-89-33-DC-B6

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : company.com
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-08-74-AA-9C-9C
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.5.42.141
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.5.42.1
        DHCP Server . . . . . . . . . . . : 10.5.10.13
        DNS Servers . . . . . . . . . . . : 10.5.10.10
                                            10.10.10.10
        Primary WINS Server . . . . . . . : 10.5.10.13
        Secondary WINS Server . . . . . . : 10.10.9.13
```

Starting, OpenVPN log on server:

```
...[0] Current Parameter Settings:
...[0]   config = 'myserver.conf'
...[0]   mode = 1
...[0]   persist_config = DISABLED
...[0]   persist_mode = 1
...[0]   show_ciphers = DISABLED
...[0]   show_digests = DISABLED
...[0]   show_engines = DISABLED
...[0]   genkey = DISABLED
...[0]   key_pass_file = '[UNDEF]'
...[0]   show_tls_ciphers = DISABLED
...[0]   proto = 0
...[0]   local = '[UNDEF]'
...[0]   remote_list = NULL
...[0]   remote_random = DISABLED
...[0]   local_port = 5000
...[0]   remote_port = 5000
...[0]   remote_float = DISABLED
...[0]   ipchange = '[UNDEF]'
...[0]   bind_local = ENABLED
...[0] NOTE: --mute triggered...
...[0] 152 variation(s) on previous 20 message(s) suppressed by --mute
...[0] OpenVPN 2.0_beta15 i686-pc-linux-gnu [SSL] [LZO] [PTHREAD] built on Nov 23 2004
...[0] Diffie-Hellman initialized with 2048 bit key
...[0] Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
...[0] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] TUN/TAP device tap0 opened
...[0] TUN/TAP TX queue length set to 100
...[0] /sbin/ifconfig tap0 10.1.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.0.255
...[0] Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] chroot to '/usr/local/openvpn' and cd to '/' succeeded
...[0] GID set to nobody
...[0] UID set to nobody
...[0] Socket Buffers: R=[109568->131072] S=[109568->131072]
...[0] UDPv4 link local (bound): [undef]:5000
...[0] UDPv4 link remote: [undef]
...[0] MULTI: multi_init called, r=256 v=256
...[0] IFCONFIG POOL: base=10.1.0.2 size=10
...[0] Initialization Sequence Completed
```

After Connecting:

On Server

```
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.10.10.1      0.0.0.0         UG    0      0        0 eth0
```

Server log:

```
...[0] MULTI: multi_create_instance called
...[0] a.b.c.d:30964 Re-using SSL/TLS context
...[0] a.b.c.d:30964 LZO compression initialized
...[0] a.b.c.d:30964 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
...[0] a.b.c.d:30964 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
...[0] a.b.c.d:30964 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
...[0] a.b.c.d:30964 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
...[0] a.b.c.d:30964 Local Options hash (VER=V4): '360696c5'
...[0] a.b.c.d:30964 Expected Remote Options hash (VER=V4): '13a273ba'
...[0] a.b.c.d:30964 UDPv4 READ [42] from a.b.c.d:30964: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
...[0] a.b.c.d:30964 TLS: Initial packet from a.b.c.d:30964, sid=4076e6c5 a8061fd2
...[0] a.b.c.d:30964 UDPv4 WRITE [54] to a.b.c.d:30964: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #3 ] [ 0 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=1 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
...[0] a.b.c.d:30964 UDPv4 READ [44] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=2
...[0] a.b.c.d:30964 UDPv4 WRITE [154] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #6 ] [ ] pid=4 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #7 ] [ ] pid=5 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #8 ] [ ] pid=6 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #8 ] [ 3 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #9 ] [ ] pid=7 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #9 ] [ 4 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=8 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #10 ] [ 5 ]
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=9 DATA len=100
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #11 ] [ 6 ]
...[0] a.b.c.d:30964 NOTE: --mute triggered...
...[0] a.b.c.d:30964 95 variation(s) on previous 20 message(s) suppressed by --mute
...[0] a.b.c.d:30964 VERIFY OK: depth=1, /C=US/ST=CO/L=Centennial/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com
...[0] a.b.c.d:30964 VERIFY OK: depth=0, /C=US/ST=CO/O=Java_Zen/CN=client/emailAddress=webmaster@myserver.com
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #58 ] [ 25 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #61 ] [ ] pid=26 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #59 ] [ 26 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #62 ] [ ] pid=27 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #60 ] [ 27 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #63 ] [ ] pid=28 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #61 ] [ 28 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #64 ] [ ] pid=29 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #62 ] [ 29 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #65 ] [ ] pid=30 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #63 ] [ 30 ]
...[0] a.b.c.d:30964 UDPv4 READ [123] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #66 ] [ ] pid=31 DATA len=81
...[0] a.b.c.d:30964 UDPv4 WRITE [113] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #64 ] [ 31 ] pid=34 DATA len=59
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #68 ] [ ] pid=33 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #65 ] [ 33 ]
...[0] a.b.c.d:30964 UDPv4 READ [154] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #67 ] [ 34 ] pid=32 DATA len=100
...[0] a.b.c.d:30964 Replay-window backtrack occurred [1]
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #66 ] [ 32 ]
...[0] a.b.c.d:30964 UDPv4 READ [142] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #69 ] [ ] pid=34 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #67 ] [ 34 ]
...[0] a.b.c.d:30964 UDPv4 READ [72] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #70 ] [ ] pid=35 DATA len=30
...[0] a.b.c.d:30964 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
...[0] a.b.c.d:30964 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] a.b.c.d:30964 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
...[0] a.b.c.d:30964 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
...[0] a.b.c.d:30964 UDPv4 WRITE [154] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #68 ] [ 35 ] pid=35 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #69 ] [ ] pid=36 DATA len=100
...[0] a.b.c.d:30964 UDPv4 WRITE [124] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #70 ] [ ] pid=37 DATA len=82
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #71 ] [ 35 ]
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #72 ] [ 36 ]
...[0] a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #73 ] [ 37 ]
...[0] a.b.c.d:30964 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
...[0] a.b.c.d:30964 [client] Peer Connection Initiated with a.b.c.d:30964
...[0] client/a.b.c.d:30964 UDPv4 READ [132] from a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=36 DATA len=90
...[0] client/a.b.c.d:30964 PUSH: Received control message: 'PUSH_REQUEST'
...[0] client/a.b.c.d:30964 SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS m.n.o.q,dhcp-option DNS m.n.o.p,route-gateway 10.1.0.1,ping 10,ping-restart 60,route 10.10.10.0 255.255.255.0 10.1.0.1,route 10.1.0.0 255.255.255.0 10.1.0.1,ifconfig 10.1.0.2 255.255.255.0' (status=1)
...[0] client/a.b.c.d:30964 UDPv4 WRITE [50] to a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #71 ] [ 36 ]
...[0] client/a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #72 ] [ ] pid=38 DATA len=100
...[0] client/a.b.c.d:30964 UDPv4 WRITE [142] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=39 DATA len=100
...[0] client/a.b.c.d:30964 UDPv4 WRITE [140] to a.b.c.d:30964: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=40 DATA len=98
...[0] client/a.b.c.d:30964 UDPv4 READ [61] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #75 ] [ 38 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #76 ] [ 39 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [50] from a.b.c.d:30964: P_ACK_V1 kid=0 pid=[ #77 ] [ 40 ]
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 MULTI: Learn: 00:ff:89:33:dc:b6 -> client/a.b.c.d:30964
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
...[0] client/a.b.c.d:30964 UDPv4 WRITE [61] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [61] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 WRITE [573] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 READ [149] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=148
...[0] client/a.b.c.d:30964 UDPv4 WRITE [61] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=60
...[0] client/a.b.c.d:30964 UDPv4 READ [573] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=572
...[0] client/a.b.c.d:30964 NOTE: --mute triggered...
...[0] client/a.b.c.d:30964 210 variation(s) on previous 20 message(s) suppressed by --mute
...[0] client/a.b.c.d:30964 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1573] remote->local=[1573,1469]
...[0] client/a.b.c.d:30964 NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [253] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=252
...[0] client/a.b.c.d:30964 UDPv4 WRITE [245] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=244
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 WRITE [53] to a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [53] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=52
...[0] client/a.b.c.d:30964 UDPv4 READ [77] from a.b.c.d:30964: P_DATA_V1 kid=0 DATA len=76
...[0] client/a.b.c.d:30964 NOTE: --mute triggered...
```

On Client

```
C:\>route print
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.5.42.1     10.5.42.141       1
         10.1.0.0    255.255.255.0         10.1.0.2        10.1.0.2       1
         10.1.0.0    255.255.255.0         10.1.0.1        10.1.0.2       1
         10.1.0.2  255.255.255.255        127.0.0.1       127.0.0.1       1
        10.5.42.0    255.255.255.0      10.5.42.141     10.5.42.141       1
      10.5.42.141  255.255.255.255        127.0.0.1       127.0.0.1       1
       10.10.10.0    255.255.255.0         10.1.0.1        10.1.0.2       1
   10.255.255.255  255.255.255.255         10.1.0.2        10.1.0.2       1
   10.255.255.255  255.255.255.255      10.5.42.141     10.5.42.141       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0         10.1.0.2        10.1.0.2       1
        224.0.0.0        224.0.0.0      10.5.42.141     10.5.42.141       1
  255.255.255.255  255.255.255.255         10.1.0.2               2       1
Default Gateway:         10.5.42.1
===========================================================================
Persistent Routes:
  None

C:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : computer-name
        Primary DNS Suffix  . . . . . . . : my.company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : my.company.com
                                            company.com

Ethernet adapter Local Area Connection 9:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-89-33-DC-B6
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.1.0.0
        DNS Servers . . . . . . . . . . . : m.n.o.q
                                            m.n.o.p

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : company.com
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-08-74-AA-9C-9C
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.5.42.141
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.5.42.1
        DHCP Server . . . . . . . . . . . : 10.5.10.13
        DNS Servers . . . . . . . . . . . : 10.5.10.10
                                            10.10.10.10
        Primary WINS Server . . . . . . . : 10.5.10.13
        Secondary WINS Server . . . . . . : 10.10.9.13
```

Client Log:

```

...Current Parameter Settings:

...  config = 'myclient.ovpn'

...  mode = 0

...  show_ciphers = DISABLED

...  show_digests = DISABLED

...  show_engines = DISABLED

...  genkey = DISABLED

...  key_pass_file = '[UNDEF]'

...  show_tls_ciphers = DISABLED

...  proto = 0

...NOTE: --mute triggered...

...173 variation(s) on previous 10 message(s) suppressed by --mute

...OpenVPN 2.0_beta15 Win32-MinGW [SSL] [LZO] built on Oct 28 2004

...Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

...Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

...Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

...LZO compression initialized

...Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]

...Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]

...Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'

...Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'

...Local Options hash (VER=V4): '13a273ba'

...Expected Remote Options hash (VER=V4): '360696c5'

...Socket Buffers: R=[8192->8192] S=[8192->8192]

...UDPv4 link local (bound): [undef]:5000

...UDPv4 link remote: w.x.y.z:5000

...UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0

...UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0

...UDPv4 READ [54] from w.x.y.z:5000: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0

...TLS: Initial packet from w.x.y.z:5000, sid=9a467e55 cbdd7f50

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #3 ] [ 0 ]

...UDPv4 WRITE [142] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=1 DATA len=100

...UDPv4 WRITE [44] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=2

...UDPv4 READ [50] from w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]

...UDPv4 READ [154] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #8 ] [ 3 ]

...NOTE: --mute triggered...

...41 variation(s) on previous 10 message(s) suppressed by --mute

...VERIFY OK: depth=1, /C=US/ST=CO/L=Centennial/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com

...VERIFY OK: depth=0, /C=US/ST=CO/O=Java_Zen/CN=www.myserver.com/emailAddress=webmaster@myserver.com

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #29 ] [ 24 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #27 ] [ ] pid=25 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #30 ] [ 25 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #28 ] [ ] pid=26 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #31 ] [ 26 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #29 ] [ ] pid=27 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #32 ] [ 27 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #30 ] [ ] pid=28 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #33 ] [ 28 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #31 ] [ ] pid=29 DATA len=100

...NOTE: --mute triggered...

...78 variation(s) on previous 10 message(s) suppressed by --mute

...Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

...Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

...Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

...Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #73 ] [ 37 ]

...Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

...[www.myserver.com] Peer Connection Initiated with w.x.y.z:5000

...SENT CONTROL [www.myserver.com]: 'PUSH_REQUEST' (status=1)

...NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.

...UDPv4 WRITE [132] to w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=36 DATA len=90

...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60

...UDPv4 READ [50] from w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #71 ] [ 36 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #72 ] [ ] pid=38 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #75 ] [ 38 ]

...UDPv4 READ [142] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=39 DATA len=100

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #76 ] [ 39 ]

...UDPv4 READ [140] from w.x.y.z:5000: P_CONTROL_V1 kid=0 pid=[ #74 ] [ ] pid=40 DATA len=98

...PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS m.n.o.q,dhcp-option DNS m.n.o.p,route-gateway 10.1.0.1,ping 10,ping-restart 60,route 10.10.10.0 255.255.255.0 10.1.0.1,route 10.1.0.0 255.255.255.0 10.1.0.1,ifconfig 10.1.0.2 255.255.255.0'

...OPTIONS IMPORT: timers and/or timeouts modified

...OPTIONS IMPORT: --ifconfig/up options modified

...OPTIONS IMPORT: route options modified

...OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

...TAP-WIN32 device [Local Area Connection 9] opened: \\.\Global\{8933DCB6-A436-4A37-853C-D1D87ADDC5C6}.tap

...TAP-Win32 Driver Version 8.1 

...TAP-Win32 MTU=1500

...Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.2/255.255.255.0 on interface {8933DCB6-A436-4A37-853C-D1D87ADDC5C6} [DHCP-serv: 10.1.0.0, lease-time: 31536000]

...DHCP option string: 0608cdab 0341cdab 0241

...Successful ARP Flush on interface [3] {8933DCB6-A436-4A37-853C-D1D87ADDC5C6}

...UDPv4 WRITE [50] to w.x.y.z:5000: P_ACK_V1 kid=0 pid=[ #77 ] [ 40 ]

...TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down

...Route: Waiting for TUN/TAP interface to come up...

...UDPv4 READ [573] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572

...TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down

...Route: Waiting for TUN/TAP interface to come up...

...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76

...TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up

...route ADD 10.10.10.0 MASK 255.255.255.0 10.1.0.1

...Route addition via IPAPI succeeded

...route ADD 10.1.0.0 MASK 255.255.255.0 10.1.0.1

...Route addition via IPAPI succeeded

...Initialization Sequence Completed

...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76

...UDPv4 WRITE [573] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572

...UDPv4 READ [61] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60

...UDPv4 WRITE [573] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=572

...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76

...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148

...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148

...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148

...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60

...UDPv4 WRITE [149] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=148

...NOTE: --mute triggered...

...232 variation(s) on previous 10 message(s) suppressed by --mute

...NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1469] remote->local=[1573,1573]

...NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.

...UDPv4 READ [1573] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=1572

...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52

...UDPv4 WRITE [61] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=60

...UDPv4 WRITE [53] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52

...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52

...UDPv4 READ [53] from w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52

...UDPv4 WRITE [53] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=52

...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76

...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76

...UDPv4 WRITE [77] to w.x.y.z:5000: P_DATA_V1 kid=0 DATA len=76

...NOTE: --mute triggered...

```

----------

## tdb

I don't mess around enough with windows to offer you specific answers, but I will say this: don't try to add a bunch of features all at once. Start with the bare basics (no push/pull, no routing instructions, no hmac, no nothing); just get a tunnel up and running between the two machines. Manually assign the ip addresses and routing. Once you get that working, add the other features in one at a time and verify that the connection still works each time. That makes it immensely easier to figure out what in the hundreds of options available is causing the problem. Begin by adding the routing and push/pull commands before adding extra security and encryption.

----------

## tdb

One other thing I did notice; did you change iptables to allow traffic on the new tap0 interface?

----------

## gpeangel

 *tdb wrote:*   

> One other thing I did notice; did you change iptables to allow traffic on the new tap0 interface?

 

That was it!  I figured it was something simple since I was so close.  Enabling tap0 and restarting the firewall resulted in vpn connectivity.

Many thanks!

----------

## tdb

 *gpeangel wrote:*   

> Many thanks!

 

N.P.

----------

## gpeangel

I had to reboot the server (kernel upgrade) and now I cannot connect via OpenVPN.  I went through my notes thinking I missed something in the config that was lost on reboot, but all is as expected.  Both the client and server certs check out with a status of "OK".  I've made sure the tap0 interface is enabled on the firewall:

```
# /etc/init.d/fw-jay start
Starting Jay's Firewall v1.0.3 :
Check of configuration's file : OK
Trying to load iptables modules ...
found internal eth0 on ip:'10.10.10.6', sub:'10.10.10.6/255.255.255.0'
found internal tap0 on ip:'10.1.0.1', sub:'10.1.0.1/255.255.255.0'
found external eth0 on ip:'10.10.10.6'
Check of iptables : OK
...
```

Yet even with the firewall down, I cannot connect.  I think I am missing something, again, in how communications should be routed.

Server:

```
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.10.10.1      0.0.0.0         UG    0      0        0 eth0

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:2C:A5:B9:70
          inet addr:10.10.10.6  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18609 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:224 txqueuelen:1000
          RX bytes:2363343 (2.2 Mb)  TX bytes:5087477 (4.8 Mb)
          Interrupt:23 Base address:0x2000

tap0      Link encap:Ethernet  HWaddr 00:FF:8B:A7:0A:B8
          inet addr:10.1.0.1  Bcast:10.1.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:1557 (1.5 Kb)
```

Server Log:

```

...[0] Current Parameter Settings:

...[0]   config = 'server.conf'

...[0]   mode = 1

...[0]   persist_config = DISABLED

...[0]   persist_mode = 1

...[0]   show_ciphers = DISABLED

...[0]   show_digests = DISABLED

...[0]   show_engines = DISABLED

...[0]   genkey = DISABLED

...[0]   key_pass_file = '[UNDEF]'

...[0]   show_tls_ciphers = DISABLED

...[0]   proto = 0

...[0]   local = '[UNDEF]'

...[0]   remote_list = NULL

...[0]   remote_random = DISABLED

...[0]   local_port = 5000

...[0]   remote_port = 5000

...[0]   remote_float = DISABLED

...[0]   ipchange = '[UNDEF]'

...[0]   bind_local = ENABLED

...[0] NOTE: --mute triggered...

...[0] 152 variation(s) on previous 20 message(s) suppressed by --mute

...[0] OpenVPN 2.0_beta15 i686-pc-linux-gnu [SSL] [LZO] [PTHREAD] built on Nov 23 2004

...[0] Diffie-Hellman initialized with 2048 bit key

...[0] Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file

...[0] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

...[0] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

...[0] TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]

...[0] TUN/TAP device tap0 opened

...[0] TUN/TAP TX queue length set to 100

...[0] /sbin/ifconfig tap0 10.1.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.1.0.255

...[0] Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]

...[0] chroot to '/usr/local/openvpn' and cd to '/' succeeded

...[0] GID set to nobody

...[0] UID set to nobody

...[0] Socket Buffers: R=[109568->131072] S=[109568->131072]

...[0] UDPv4 link local (bound): [undef]:5000

...[0] UDPv4 link remote: [undef]

...[0] MULTI: multi_init called, r=256 v=256

...[0] IFCONFIG POOL: base=10.1.0.2 size=10

...[0] Initialization Sequence Completed

```

Client Log:

```

... Current Parameter Settings:

...   config = 'client.ovpn'

...   mode = 0

...   show_ciphers = DISABLED

...   show_digests = DISABLED

...   show_engines = DISABLED

...   genkey = DISABLED

...   key_pass_file = '[UNDEF]'

...   show_tls_ciphers = DISABLED

...   proto = 0

... NOTE: --mute triggered...

... 173 variation(s) on previous 10 message(s) suppressed by --mute

... OpenVPN 2.0_beta15 Win32-MinGW [SSL] [LZO] built on Oct 28 2004

... Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

... Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

... Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

... LZO compression initialized

... Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]

... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]

... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'

... Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'

... Local Options hash (VER=V4): '13a273ba'

... Expected Remote Options hash (VER=V4): '360696c5'

... Socket Buffers: R=[8192->8192] S=[8192->8192]

... UDPv4 link local (bound): [undef]:5000

... UDPv4 link remote: w.x.y.z:5000

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #6 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #7 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #8 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #9 ] [ ] pid=0 DATA len=0

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #10 ] [ ] pid=0 DATA len=0

... NOTE: --mute triggered...

... 18 variation(s) on previous 10 message(s) suppressed by --mute

... TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

... TLS Error: TLS handshake failed

... TCP/UDP: Closing socket

... SIGUSR1[soft,tls-error] received, process restarting

... Restart pause, 2 second(s)

```

With verb set to 9...

```

...

... LZO compression initialized

... MTU DYNAMIC mtu=0, flags=1, 0 -> 166

... TLS: tls_session_init: entry

... PID packet_id_init seq_backtrack=64 time_backtrack=15

... PID packet_id_init seq_backtrack=64 time_backtrack=15

... TLS: tls_session_init: new session object, sid=0d9d1e3f 4f16f390

... TLS: tls_session_init: entry

... PID packet_id_init seq_backtrack=64 time_backtrack=15

... PID packet_id_init seq_backtrack=64 time_backtrack=15

... TLS: tls_session_init: new session object, sid=b9d0ffd2 65f6f591

... Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]

... MTU DYNAMIC mtu=1450, flags=2, 1574 -> 1450

... REMOTE_LIST len=1 current=0

... [0] w.x.y.z:5000

... Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]

... Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'

... Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'

... Local Options hash (VER=V4): '13a273ba'

... Expected Remote Options hash (VER=V4): '360696c5'

... Socket Buffers: R=[8192->8192] S=[8192->8192]

... UDPv4 link local (bound): [undef]:5000

... UDPv4 link remote: w.x.y.z:5000

... TIMER: coarse timer wakeup 1 seconds

... TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=0d9d1e3f 4f16f390, stored-sid=00000000 00000000, stored-ip=w.x.y.z:5000

... TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800

... ACK mark active outgoing ID 0

... TLS: Initial Handshake, sid=0d9d1e3f 4f16f390

... ACK reliable_can_send active=1 current=1 : [1] 0

... ACK reliable_send ID 0 (size=4 to=2)

... Reliable -> TCP/UDP

... ACK reliable_send_timeout 2 [1] 0

... TLS: tls_process: timeout set to 2

... NOTE: --mute triggered...

... 14 variation(s) on previous 10 message(s) suppressed by --mute

... UDPv4 WRITE [42] to w.x.y.z:5000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0d9d1e3f 4f16f390 tls_hmac=099c54b8 b0a440a8 c3127cae b5aa1501 374760ce pid=[ #1 / time = (1102104700) Fri Dec 03 13:11:40 2004 ] [ ] pid=0 DATA 

... WIN32 I/O: Socket Send immediate return [42,42]

... UDPv4 write returned 42

... TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=0d9d1e3f 4f16f390, stored-sid=00000000 00000000, stored-ip=w.x.y.z:5000

... TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800

... ACK reliable_can_send active=1 current=0 : [1] 0

... SSL state (connect): before/connect initialization

... SSL state (connect): SSLv3 write client hello A

... ACK reliable_send_timeout 2 [1] 0

... TLS: tls_process: timeout set to 2

... TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=b9d0ffd2 65f6f591, stored-sid=00000000 00000000, stored-ip=[undef]

... NOTE: --mute triggered...

... 45 variation(s) on previous 10 message(s) suppressed by --mute

...

This continues until it times out.

```

The server log never shows any additional entries while the client is attempting to connect.

----------

## tdb

Try stripping your config files down to the bare minimum. Take out all the extra stuff (like key direction, cipher, compression, etc.) and add them back one by one and test until it stops working. One place to start is your tun-mtu setting, the max mtu for any connection is 1500, any bigger than that and it starts splitting the too-big packets into fragments. Lower tun-mtu to 1450 or so, to allow for the overhead that OpenVPN puts into each packet. I'm not a networking expert, and I'm not saying that will fix it, but it is a good place to start. OpenVPN (especially the later 2.0 betas) has very good default settings, especially when it comes to mtu stuff; let OpenVPN take care of that and only add the settings that you really need. An example of this is that you don't need to specify udp, OpenVPN uses it by default.

One other thing, you did add tap0 to your firewall script and make sure to open up udp 5000 on the other interfaces, right? Also, keep in mind that 2.0 beta 17 and later use udp port 1194 by default (it is the new IANA assigned port).

----------

## gpeangel

 *tdb wrote:*   

> Try stripping your config files down to the bare minimum. Take out all the extra stuff (like key direction, cipher, compression, etc.) and add them back one by one and test until it stops working. One place to start is your tun-mtu setting, the max mtu for any connection is 1500, any bigger than that and it starts splitting the too-big packets into fragments. Lower tun-mtu to 1450 or so, to allow for the overhead that OpenVPN puts into each packet. I'm not a networking expert, and I'm not saying that will fix it, but it is a good place to start. OpenVPN (especially the later 2.0 betas) has very good default settings, especially when it comes to mtu stuff; let OpenVPN take care of that and only add the settings that you really need. An example of this is that you don't need to specify udp, OpenVPN uses it by default.
> 
> One other thing, you did add tap0 to your firewall script and make sure to open up udp 5000 on the other interfaces, right? Also, keep in mind that 2.0 beta 17 and later use udp port 1194 by default (it is the new IANA assigned port).

 

Good advice, so I followed it.

First I upgraded to 2.0-beta19 and reconfigured the firewall for port 1194.  With a stripped down config on both client and server, I built up what was needed based on log error messages and warnings.  Leaving out all the mtu adjustments in the config files seemed to be the hitch.

I've now been able to restore full connectivity.

Thanks again for the good pointers...

----------

## tdb

Glad I could help.

----------

## mariourk

First of all, thanks for the howto. It really saved me a lot of work to figure this thing out myself   :Very Happy:  I have OpenVPN running fine now. However, there is still one problem. I hope you can help.

This is my situation:

I have a Gentoo-server at my company. This is the OpenVPN-server. This server has 2 network-cards. One is connected to an ADSL-modem and has 10.0.0.150 as IP-address. The other card has 192.168.1.1 as IP-address and connects the OpenVPN-server to the local network of my company (192.168.1.xxx), so:

```
* 192.168.1.1 --> LAN
* 10.0.0.150  --> ADSL-Modem/internet/WAN (whatever you like to call it :wink: )
* 10.1.0.1    --> Tap0 (OpenVPN server)
```

I have my own Gentoo-server at home, this is the OpenVPN-client. It also has 2 network-cards. One is for internet/ADSL and has 10.0.0.150 as IP-address. The other one connects the server to my own LAN (192.168.0.xxx) and has 192.168.0.1 as IP-address, so:

```
* 192.168.0.1 --> LAN
* 10.0.0.150  --> WAN
* 10.1.0.xxx  --> Tap0 (OpenVPN client with DHCP assigned IP-address)
```

The problem

I need to access my company's LAN (192.168.1.xxx) from my server.

When I do:

```
ssh 10.1.0.1
```

it works fine. But when I do:

```
ssh 192.168.1.1
```

I get no response.

What's the real goal here? I need to access one of the windows servers in my company's LAN from an OpenVPN client. When I have this working, some people here can access the company's LAN from their homes.

So if anyone can tell me what to do??   :Confused: 

The tap-devices are in the FORWARD-chain and set to accept.

```
Chain FORWARD (policy DROP 1583 packets, 76965 bytes)
 pkts bytes target     prot opt in     out     source               destination
  311 39800 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0
```

This is the FORWARD-chain on the OpenVPN-server, of course  :Wink: 

Any help is most welcome  :Smile: 
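tdb's question earlier in the thread (was the new tap0 interface allowed through iptables?) and the FORWARD excerpt just above are easier to answer by evaluating the chain than by eyeballing it. The following Python script is an added example, not code from the thread or from OpenVPN: it parses `iptables -L FORWARD -v -n` output and walks the rules in order for the three flows a routed VPN needs through FORWARD, tunnel to LAN, LAN to tunnel (new connections) and LAN to tunnel (replies). The listings in it are constructed after the excerpt above, and the interface names `tap0` and `eth1` are assumptions. Run over the first listing, which has only the inbound `tap+` rule, it reports that both LAN-to-tunnel flows fall through to the DROP policy; the second listing adds a stateful rule that lets replies back into the tunnel while still refusing new connections from the LAN side.

```python
"""Evaluate an iptables FORWARD chain listing for a VPN interface.

Added example, not code from the original thread or from OpenVPN. It parses
the text of `iptables -L FORWARD -v -n` and answers, by first-match
evaluation, what happens to a packet entering on the tap interface and bound
for the LAN interface, and what happens to LAN-originated and LAN-reply
traffic heading back out of the tap interface. Only interface and state
matching are modelled; protocol, port and address matches are skipped.
The listings at the bottom are constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    target: str
    proto: str
    in_if: str
    out_if: str
    extra: str  # trailing match extensions, e.g. "state RELATED,ESTABLISHED"


def iface_matches(pattern: str, name: str) -> bool:
    """iptables interface syntax: '*' is any interface, a trailing '+' is a prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def parse_chain(listing: str) -> Tuple[Optional[str], List[Rule]]:
    """Return (default policy, rules in order) from `iptables -L <chain> -v -n` output."""
    policy = None
    rules: List[Rule] = []
    for line in listing.strip().splitlines():
        m = re.match(r"Chain \S+ \(policy (\w+)", line)
        if m:
            policy = m.group(1)
            continue
        cols = line.split()
        # Column layout with -v -n: pkts bytes target prot opt in out source destination [matches]
        if len(cols) < 9 or cols[0] == "pkts":
            continue
        rules.append(Rule(cols[2], cols[3], cols[5], cols[6], " ".join(cols[9:])))
    return policy, rules


def decide(policy: Optional[str], rules: List[Rule], in_if: str, out_if: str,
           established: bool = False) -> Optional[str]:
    """Walk the chain in order and return the verdict for a packet with these interfaces."""
    packet_states = {"ESTABLISHED"} if established else {"NEW"}
    for r in rules:
        if r.target not in ("ACCEPT", "DROP", "REJECT"):
            continue  # LOG and jumps to user chains are not modelled
        if r.proto not in ("all", "0"):
            continue  # protocol-specific rules are outside this simplified model
        if not (iface_matches(r.in_if, in_if) and iface_matches(r.out_if, out_if)):
            continue
        m = re.search(r"state\s+(\S+)", r.extra)  # covers both "state" and "ctstate"
        if m and not (set(m.group(1).split(",")) & packet_states):
            continue
        return r.target
    return policy  # nothing matched: the chain's default policy applies


def audit_vpn_forwarding(listing: str, vpn_if: str, lan_if: str) -> Dict[str, Optional[str]]:
    """Verdicts for the three flows a routed VPN needs through the FORWARD chain."""
    policy, rules = parse_chain(listing)
    return {
        "policy": policy,
        "vpn_to_lan": decide(policy, rules, vpn_if, lan_if),
        "lan_to_vpn_new": decide(policy, rules, lan_if, vpn_if),
        "lan_to_vpn_reply": decide(policy, rules, lan_if, vpn_if, established=True),
    }


# Constructed after the FORWARD excerpt posted above: one inbound tap+ rule only.
CHAIN_INBOUND_ONLY = """\
Chain FORWARD (policy DROP 1583 packets, 76965 bytes)
 pkts bytes target     prot opt in     out     source               destination
  311 39800 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed variant with a stateful rule for replies flowing back into the tunnel.
CHAIN_WITH_REPLIES = CHAIN_INBOUND_ONLY + """\
    0     0 ACCEPT     all  --  *      tap+    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

if __name__ == "__main__":
    for name, chain in (("inbound only", CHAIN_INBOUND_ONLY), ("with replies", CHAIN_WITH_REPLIES)):
        print(name, audit_vpn_forwarding(chain, "tap0", "eth1"))
```

Pass the script a real listing with `iptables -L FORWARD -v -n > forward.txt` and `audit_vpn_forwarding(open("forward.txt").read(), "tap0", "eth1")`; anything it reports as the default policy for a flow you expect to work is a rule worth adding before digging into routing.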

----------

## tdb

First, make sure the gentoo server at your company has firewall rules and routing set up to allow packets on the vpn interface. (I'm assuming it does since you said other people can get to it just fine.)

Second, you need to set up a route telling your home computer where to find the 192.168.x.x network. Your computer doesn't know that 192.168.x.x is on the other side of the vpn tunnel. Try this:

```
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1
```

If that works, then you need to find a way to set that route every time OpenVPN starts. You can do this by a networking init script, or in the OpenVPN config file itself. Check the OpenVPN manpage for details.

----------

## mariourk

I tried to add a route. When I check it, it seems to be there and should work fine.

```
Chimaera root # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     10.1.0.1        255.255.255.0   UG    0      0        0 tap0 #<-- here it is
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.0.0.2        0.0.0.0         UG    1      0        0 eth1
```

But I can't connect to 192.168.1.xxx   :Sad: 

I really don't understand why   :Confused: 

----------

## tdb

Check your netmask on the work machine. 10.x.x.x defaults to 255.0.0.0, and 192.168.x.x defaults to 255.255.255.0. Last time I had issues with routing it was because I had several 10.x.x.x networks with different netmasks. If 10.1.0.x has a 255.255.255.0 on one end, and 255.0.0.0 on the other, it might not work.

Short of that, I'm not sure.

----------

## cchee

FYI, OpenVPN 2.0 RC is out! I will update the mini-howto once the official 2.0 is released.

----------

## Meaulnes

Thank you very much for this how-to. So far it has been amazing. However, I am stuck on a certain point that I am unable to figure out. My situation is this: I am trying to set up a VPN for a PITA client that needs terminal services access to a Win2k server machine. I need the Win2k machine protected by a firewall. After a lot of head pounding, I found this how-to and am so close I can taste it. Here is how this thing is set up:

Client --> Internet --> Linux (OpenVPN / IPTables / NAT) -> Win2k

The linux box has a public IP address on eth0 and a 10.10.10.1 / 255.255.255.0 on eth1. The win2k machine is at 10.10.10.13 and is the only machine on the subnet. The only purpose of the linux box is A. to protect that win2k machine and B. act as a VPN server.

I have the client connecting and I am seeing no errors in either the client or the server log. However, I am unable to ping the vpn gateway by its private ip, nor can I ping the client machine from the vpn gateway, and I cannot ping the win2k machine (inside the lan) from the client machine. I am not sure what is wrong. I have checked and port forwarding is on:

```
# /etc/sysctl.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/sysctl.conf,v 1.3 2002/11/18 19:39:22 azarah Exp $

# Packet forwarding (0 = disabled, 1 = enabled)
net.ipv4.ip_forward = 1
```

So, to continue, here is my openvpn server config:

```
port 5000
dev tap
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
mode server
duplicate-cn
ifconfig 10.10.10.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.10.10.100 10.10.10.200 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS xxx.xxx.xxx.xxx" # push to client
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "route-gateway 10.10.10.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.10.10.0 255.255.255.0 10.10.10.1" # add route to protected network
comp-lzo
status openvpn-status.log
verb 4
```

and here is the client config in linux:

```
port 5000
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
```

I am currently testing from a windows machine, so for the sake of clarity, here is the windows client config:

```
port 5000
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
ca ca.crt
cert gateway.crt
key gateway.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
```

Lastly, here is my iptables startup script:

```
        PRIVATE=10.10.10.0/24

        # Loopback address
        LOOP=127.0.0.1

        # Delete old iptables rules
        # and temporarily block all traffic.
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -F

        # Set default policies
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP

        # Prevent external packets from using loopback addr
        $IPTABLES -A INPUT -i eth0 -s $LOOP -j DROP
        $IPTABLES -A FORWARD -i eth0 -s $LOOP -j DROP
        $IPTABLES -A INPUT -i eth0 -d $LOOP -j DROP
        $IPTABLES -A FORWARD -i eth0 -d $LOOP -j DROP
        $IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
        $IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
        $IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
        $IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP

        # Block outgoing NetBios
        $IPTABLES -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
        $IPTABLES -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
        $IPTABLES -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
        $IPTABLES -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

        # Check source address validity on packets going out to internet
        $IPTABLES -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

        # Allow local loopback
        $IPTABLES -A INPUT -s $LOOP -j ACCEPT
        $IPTABLES -A INPUT -d $LOOP -j ACCEPT

        # Allow incoming pings (can be disabled)
        $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

        # Allow ssh (can be disabled)
        $IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT

        # Allow incoming OpenVPN packets
        $IPTABLES -A INPUT -p udp --dport 5000 -j ACCEPT

        # Allow packets from TUN/TAP devices.
        $IPTABLES -A INPUT -i tun+ -j ACCEPT
        $IPTABLES -A FORWARD -i tun+ -j ACCEPT
        $IPTABLES -A INPUT -i tap+ -j ACCEPT
        $IPTABLES -A FORWARD -i tap+ -j ACCEPT

        # Allow packets from private subnets
        $IPTABLES -A INPUT -i eth1 -j ACCEPT
        $IPTABLES -A FORWARD -i eth1 -j ACCEPT

        # Keep state of connections from local machine and private subnets
        $IPTABLES -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
        $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Masquerade local subnet
        $IPTABLES -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
```

Any help will be appreciated. And thanks again for this how-to

----------

## Meaulnes

Well, I got into work this morning and figured it out. I was trying to use the same subnet for both the physical and the virtual. Because of this, my tap0 and eth1 both had the same IP. I moved the virtual network over to a different subnet, and now all seems to be working swimmingly.

----------

## AppleMasher

First, this is a great howto; it's definitely put me on the right track.

Routing Issue (This is the part I am having trouble with)

 *Quote:*   

> Q:VPN client connected to the VPN server ok, but it can't access any other nodes in the protected network. What do I do?
> 
> A: There are two options.
> 
> 1) In your default gateway, you need to add the route to your protected lan with VPN server as the gateway. Using the sample environment above, you will need to add the following route.
> ...

 

Remote Private Network: 10.0.0.0/24

Remote Private VPN Server: 10.0.0.98

Remote Public VPN Server IP: 66.*.*.*

Local Private Network: 10.65.42.0/24

Local Private VPN Client: 10.65.42.22

OpenVPN Network: 10.5.0.0/24

OpenVPN Gateway: 10.5.0.1

So it's a fairly typical basic setup to start out with. Right now the only issue I have is I can't seem to get routing working correctly to route 10.0.0.0 traffic to my local network; 10.0.0.98 (vpn server) works fine, but 10.0.0.1 (dns server) fails.

```
current client routing table (route -n)

10.0.0.0        10.5.0.1        255.255.255.0   UG    0      0        0 tap0
10.65.42.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        10.5.0.1        255.255.255.0   UG    0      0        0 tap0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.65.42.1      0.0.0.0         UG    0      0        0 eth0

```

```
current server routing table (route -n)

10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

```

I realize I need an additional route command to map 10.0.0.0 to the local network, just not sure exactly what I should use, and do I need this route command on the local client or the server?

If someone who has this working could just post me their route -n's on both the client and server I believe it would help me a ton.

thanks.

----------

## cchee

You need to add the route at your default gateway/firewall for your 10.0.0.0 network using your VPN server 10.0.0.98 as the "gateway" for 10.5.0.0 traffic.

In your case, your add route command is:

```
route add -net 10.5.0.0 netmask 255.255.255.0 gw 10.0.0.98
```

----------

## AppleMasher

Thanks it all makes sense now.  I just misinterpreted what you said the first time.

----------

## cchee

mini HOWTO updated to include support for openvpn 2.0 rc6.

----------

## whit

Has anyone basically followed this recipe but added bridging?

----------

## cchee

I believe you can find information about bridging in the INSTALL from openvpn or their website and other post in gentoo forum.

----------

## whit

 *cchee wrote:*   

> I believe you can find information about bridging in the INSTALL from openvpn or their website and other post in gentoo forum.

 

Thanks. There's info about bridging out there. What I'm wondering is if anyone has started with this HOWTO, and then added bridging, or whether this HOWTO isn't compatible with a bridged setup - whether it would be best to start elsewhere or from scratch.

The OpenVPN project has lots of healthy activity around it, but that activity has so far produced a bunch of fragmentary documentation rather than - well - the sort of concise-yet-complete instructions that the best of Gentoo's own core documentation has achieved. Sorting through all the different OpenVPN docs and third-party HOWTOs, then figuring out how to combine details from different approaches to get where I need to go (bridged vpn for a dozen remote users mostly on cable modems on different services, mostly on Windows, but also on OS/X and Linux) is puzzling - as you know.

----------

## Teardrop

hi guys

i got a little problem perhaps someone could help me out:

1) If I start openvpn with /etc/init.d/openvpn start I get a file open error with the dh1024.pem. It is something about the path, because when I start openvpn in the path where the dh.pem is, it works.

2) After the initialization of the openvpn server I get the following error when my client tries to log on:

 *Quote:*   

> Mon Jan 24 17:08:30 2005 us=962955 Initialization Sequence Completed
> 
> Mon Jan 24 17:08:40 2005 us=813012 Authenticate/Decrypt packet error: packet HMAC authentication failed
> 
> Mon Jan 24 17:08:40 2005 us=813049 TLS Error: incoming packet authentication failed from 213.3.188.32:13741
> ...

 

I checked the tls-auth - that should be okay. Any idea what I could do?

thx a lot guys

cu Teardrop

----------

## cchee

you can either use absolute path or there is another directive in the config file you can use to specify the base directory for config files.

----------

## Teardrop

thx gonna try that. 

Still going after problem #2 because that is what bothers me most atm! Is it perhaps that I didn't specify the purpose (server, client) with my certs? If yes, where can I do that?

Any help appreciated.

thx Teardrop

UPDATE

1) solved  :Wink: 

2) I narrowed the problem down. If I don't use the ta.key/ta-key.txt openvpn works fine, but I would like to use that security option too. Any ideas?

Finally working. Don't know what it really was. Made the keys about 1000 times in different ways; now it's working.

----------

## dashnu

I am testing this with a very minimal setup.  I have gone through your how-to only to end up with a few issues. I have got my server up and running ok with no errors.

```
port 5000
dev tap
tls-server
ca iwfinancial/ca.crt
cert keys/myl.crt
key keys/my.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS 10.2.0.1" # push DNS entries to openvpn client
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1" # add route to protected network
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4
```

I created and signed all my keys and also checked them with the openssl verify commands. All checks out so I think this is a client side issue.

my client is also a gentoo box.

```
port 5000
dev tap
remote 192.168.1.251
tls-client
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
```

As you can see I am testing this internally. When I start openvpn on the client I get this in the logs...

```
Mar  2 12:26:08 laptop openvpn-local[25593]: TLS Error: Unroutable control packet received from 192.168.1.251:5000 (si=3 op=P_CONTROL_V1)
```

and on the server i get the following.

```
Mar  2 12:24:50 dulcinea openvpn-local[7003]: 192.168.1.83:5000 Expected Remote Options hash (VER=V4): '13a273ba'
Mar  2 12:24:50 dulcinea openvpn-local[7003]: 192.168.1.83:5000 TLS: Initial packet from 192.168.1.83:5000, sid=acecdcab ac83e158
Mar  2 12:24:52 dulcinea openvpn-local[7003]: 192.168.1.83:5000 write UDPv4 [ECONNREFUSED|ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)
```

I created a ta.key and have the same ta.key on each machine. Is this correct? And I am really confused as to what keys I need to create on the client. So I created the same keys that I did on the server.

any help would be great

----------

## Teardrop

hi 

as you wrote in the config file of your client you need:

- ca.crt

- ta.key

- client.crt

and 

- dh2048.pem (or dh1024.pem)

- client.key

hope that helps, but i am not sure, if you have some routing problems...

cu Teardrop

----------

## dashnu

OK, to get this working I tar-ed up my /etc/openvpn/ and all the keys and scped it to the client machine. I can now connect.   :Razz:  Not sure if this is what I should be doing but ehhhh... I can now ping 10.1.0.1 but I can not resolve any names or anything...

----------

## dashnu

This is my network.

```
Internet --> Firewall --> switch --> VPN Server
                                         --> 6 other machines on the local net. 192.168.1.x ip range
```

My firewall box also serves as my internal dns / dhcp / gateway server (I know, bad idea). I want to allow name resolution. I want to be able to ping the IPs of the local net.

What do I need to do ?

I tried to add

```
push "route 192.168.1.0 255.255.255.0"
```

```
push "dhcp-option DNS 192.168.1.1" # push DNS entries to openvpn client
push "dhcp-option DNS 192.168.1.1"
push "route-gateway 192.168.1.1" # push default gateway

```

192.168.1.1 is my dns / dhcp server

I am reading up on openvpn as I type; I am a master of multitasking :p This is all brand new to me, sorry for the lame questions.

----------

## Teardrop

You still have to let your firewall on your server route the 10.1.0.2-11 IPs. A good firewall doesn't allow ip-forwarding or nat on different IPs than your internal network. Add that rule and you will be good to go.

cu Teardrop

----------

## dashnu

Has anyone had any experience with Mac for the client side of this? Is it a pain in the arse? Will it be easy for my users to use? What about Windows? I do not have any test machines other than my local linux laptop  :Sad:   Is this a good full vpn solution or should I look into something more common? The more I look into this the more difficult it seems to administer.

----------

## Teardrop

If you take openvpn 2.0, Windows is no problem at all. I admin 5 laptops like that. Mac I don't know. I find Macs themselves a pain in the a.s  :Wink: 

cu Teardrop

----------

## nepto

Will Cisco VPN client work with this solution?

----------

## petterg

This howto was a great help to make openvpn work on my gentooserver! Thanks a lot!

I was wondering one thing: it seems like a good idea to me to generate one certificate for each user and put it into the user's homedir. Is there any way to generate one certificate for all users in a usergroup? (I was thinking of using the username as common_name)

----------

## cchee

Troubleshooting section updated to include minor change to access control for 2.0_rc17.

----------

## cchee

Stumbled upon this page, thought Linux users may be interested in this one.

http://www.skynet.ie/~jonathan/blog/index.php?cat=8

----------

## eschoeller

I set everything up according to this how-to (or at least i'm pretty confident that i have)

Anyway, when I try to run the gentoo init script to bring the vpn connection up, it doesn't start.

I see this in the log files:

```
Apr 27 11:32:04 [openvpn] Options error: --pull cannot be used with --mode server
Apr 27 11:32:04 [openvpn] Use --help for more information.
```

I take it there is something wrong with my config file, but I have copied it exactly as it was posted in this how-to.

Any ideas would be greatly appreciated.

----------

## eschoeller

BTW, I am running the latest 2.0 ebuild provided at the bugzilla link in this how-to

thx

----------

## cchee

 *eschoeller wrote:*   

> I set everything up according to this how-to (or at least i'm pretty confident that i have)
> 
> Anyway, when i try to run the gentoo init script to bring the vpn connection up, it doesnt start.
> 
> I see this in the log files:
> ...

 

When you use mode server, you can't pull in your dhcp-option.

The server pushes dhcp-option to the client.

The client pulls dhcp-option from the server.

Hope this helps.

----------

## cchee

Good news! openvpn 2.0 is in portage ~x86

----------

## dashnu

Do you plan to update this doc for 2.x ?

*edit nm i guess the configs will be the same.. for the most part

----------

## cchee

I did some incremental updates, but I do plan to update the doc a bit to reflect 2.0 official next week. Too busy this week.  :Smile: 

----------

## cchee

Updated HOWTO to reflect official 2.0 release.

Added an additional Q&A in the TroubleShooting section related to the new /etc/init.d/openvpn script.

----------

## ponzio

Hi, I get the "unroutable" error:

```
Tue May 31 14:39:57 2005 us=849037 TLS Error: Unroutable control packet received from x.x.x.x:1024 (si=3 op=P_CONTROL_V1)
```

but the certificate seems OK

```
myhost client # openssl verify -purpose sslclient -CAfile ca.crt client.crt
client.crt: OK
```

What does it mean?

thanks,

marco

----------

## cchee

Check your server side certificate also. In addition, it is possible you may have a problem with networking (packet drop), which also causes this type of problem. Last time I had a similar problem it was resolved after I replaced a bad cable.

----------

## ponzio

Now the client seems to be connected

```
Jun 10 12:44:02 ponzio openvpn-client[31114]: TLS: Initial packet from x.x.x.x:5000, sid=ae79a4ab 8cae93bd
Jun 10 12:44:03 ponzio openvpn-client[31114]: VERIFY OK: depth=1, /C=IT/ST=Italia/L=Milano/O=OpenVPN-test
```

but ifconfig does not show any tun/tap device.

On the server there is an error:

```
Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=IT/ST=Italia/O=OpenVPN-test
Jun 10 12:41:41 test openvpn-test[321]: x.x.x.x:24880 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
```

----------

## cchee

Just noticed version 2.0.1 is in portage; the configuration should be the same as for official 2.0.

----------

## evol262

Any way to allow multiple connections from the same IP?  My OpenVPN server's behind a router (DMZed), and it works fine if I only have one external client.  Any more than that and it chokes, forbidding new clients from connecting...

Edit:  It seems to classify every connection coming from the same IP as the same client, regardless of how the keys and certs are setup.  Duplicate-cn does not solve this.  Do I just need to have only one client key?  I don't like that...  Doesn't seem to work either >.<.  Any suggestions?  From what I've seen, ccd can't do this, but I really need a way around it.  It seems that all packets appear to be coming from my router, forbidding extra connections 

```
Sep 19 16:28:28 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #36 / time = (1127165452) Mon Sep 19 16:30:52 2005 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: incoming packet authentication failed from 192.168.1.1:1194
Sep 19 16:28:30 server openvpn[27207]: client2/192.168.1.1:1194 TLS Error: Unroutable control packet received from 192.168.1.1:1194 (si=3 op=P_ACK_V1)
```

When client 1 is also connected.  If I connect client1 through the local network, I can connect client2 fine.  I cannot get client2 and client3 to connect simultaneously (both external).

Sorry, that should read "client1/192.blah.blah" when client 1 is connected and client 2 is trying to connect through the same IP.

----------

## evol262

-bump-

Any suggestions?  Is there a way to make OpenVPN look up NAT traversal?

----------

## cchee

Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections setup. The --cd option should be left to the configuration file instead.

----------

## UberLord

 *cchee wrote:*   

> Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections setup. The --cd option should be left to the configuation file instead.

 

You mean that the init script should not define the --cd option?

AFAIK (and I may be wrong) but the --cd option changes the relative directory. This means that

```
ca cert.pem
```
```

 relies on cert.pem existing in the /etc/openvpn directory

however 

```
ca /etc/ssl/certs/cert.pem
```

 always works regardless of the --cd option.

Could you explain how the init script setting the option make it more restrictive for multiple connections?

----------

## l0ner

 *evol262 wrote:*   

> -bump-
> 
> Any suggestions?  Is there a way to make OpenVPN look up NAT traversal?

 

Why would you want to do that  :Question: 

I use both site to site, and client/server versions and have never seen a need.

The beautiful thing about OpenVPN is that you need no NAT traversal support, not like IPSEC.

Perhaps there is a different way to solve whatever problem you are having.

-l0ner

----------

## cchee

 *UberLord wrote:*   

>  *cchee wrote:*   Updated troubleshooting section to include workaround for openvpn 2.0.2 init script problem. IMHO, init script should define the --cd option, it is way too restrictive especially for people with multiple vpn connections setup. The --cd option should be left to the configuation file instead. 
> 
> You mean that the init script should not define the --cd option?
> 
> AFAIK (and I may  be wrong) but the --cd option changes the relative directory. This means that
> ...

 

It makes the script only work with one VPN connection setup, i.e. the config file has to be openvpn.conf and it must be under /etc/openvpn. If I want to have multiple VPN connections to different "sites", the init script needs to be modded to fit that need. Or, as some of the developers already suggested in https://bugs.gentoo.org/show_bug.cgi?id=109363, duplicate the /etc/init.d/openvpn to /etc/init.d/openvpn.foo, /etc/init.d/openvpn.bar, etc... My personal preference is not multiple copies of /etc/init.d/openvpn and certificates all over the place in different directories (for the sake of keeping things tidy, I prefer to keep them in a single directory for each "set" of files [anyway this is just personal preference]), but having multiple copies of /etc/init.d/openvpn gives us the ability to selectively start and stop specific VPN connections. In the bug note, there is a latest attachment for the modded openvpn init.d script. It looks into /etc/openvpn for *.conf and for each *.conf it will start and stop the openvpn connection. It relies on the individual config file to specify the "directory" for the file set relative to the corresponding VPN connection (i.e. cd option). IMHO, my preference may not fit your need, so it is really up to individual work habit.

----------

## spunki

How can I add push "ip route add default via 213.157.224.193 dev tap0" in config file local.conf?

----------

## cchee

 *spunki wrote:*   

> how can i add push "ip route add default via 213.157.224.193 dev tap0" in config file local.conf

 

Best source, as usual, is to read the latest manual that matches the version you have installed.

```

ifconfig-pool 10.254.254.156 10.254.254.199 255.255.255.128
push "dhcp-renew"
push "dhcp-option DOMAIN domain.tld"
push "dhcp-option DNS 10.10.10.5"
push "dhcp-option DNS 10.10.10.9"
push "route-gateway 10.254.254.155"

```

The first line tells openvpn the range of IP addresses to be used for DHCP within the VPN segment.

The second line tells openvpn to have the "client" renew its DHCP.

The last line tells openvpn to have the "client" assign 10.254.254.155 as the default gateway for all VPN traffic. Mind you, you still need to have a rule in your default gateway/firewall on your remote network (server side) to tell other machines in the remote network (server side) which gateway to use for VPN traffic, in case you want to have the ability to remotely access other machines **directly** on the remote network via the VPN.

Hope this helps.

----------

## LL0rd

Hi,

I had set up an openvpn server to secure my wlan network. Now I want to use the server to dial in to the LAN (Windows XP notebook). That works already, but: I'm a student at a German university. There we have two ways to use the wlan:

1)

NIC ==> (Webauth) ==> Internet

2)

NIC ==> Cisco VPN client ==> VPN NIC ==> Internet

When I go the first way, I can connect to PCs that are in the VPN, but the whole Internet traffic is unencrypted. When I go the second way, I can connect to the VPN network. I also get the IP address by DHCP, but I can't connect to the PCs of the VPN network.

My idea is that there is a wrong routing table. Can anybody help me?

----------

## d4h0od

First off, thanks for a very good howto. Although it hasn't solved all my problems, it still guided me very far and I managed to set up a vpn-server & vpn-client and can ping both ways  :Smile: 

I want to do the following,

I have a gentoo server back home with full access to the internet (no firewalls etc.) and I want to route all traffic from my client laptop (that's located behind a hotel firewall that I have no control over) through my gentoo-server and use that as a "proxy" for all my traffic, so I can freely connect to any service on any port.

And no, it's not to download warez/porn  :Wink: 

I'm just a poker addict playing at several different sites, but now that I'm away on a trip for several months I'm forced to sit behind a firewall that blocks most (if not all) ports that I need open to be able to continue playing  :Sad: 

First of all, is it possible for me to route all internet traffic from my hotel computer to my vpn-server and then out to the internet? And will the fact that I'm receiving my client IP address from the hotel FW via DHCP cause any problems?

Do I need 1 or 2 NICs on the server and what configuration would I need to perform on the server?

So far I have managed to set up a vpn-server on the gentoo-server and connect to it with my laptop (winxp) using ssl certificates, so those parts work OK.

This is my lame attempt to try and illustrate my idea

```

---------------           ---------------          ------------          -----------------
| Client      | <<RESP<<  | Hotel FW    | <<RESP<< | Internet | <<RESP<< | Gentoo server |
|             |           |             |          |          |          |               |
| 192.168.3.x | >>REQ>>   | 192.168.3.x | >>REQ>>  |          | >>REQ>>  | 194.10.180.x  |
---------------           ---------------          ------------          -----------------
                                                     |v    ^^                v|    ^^
                                                     Rv    R^                vR    ^|
                                                     Ev    E^                vE    ^R
                                                     Sv    Q^                vQ    ^E
                                                     Pv    |^<<<<<<<<<<<<<<<<<|    ^S
                                                     |v    \------------------/    ^P
                                                     |v                            ^|
                                                     |v>>>>>>>>>>>>>>>>>>>>>>>>>>>>^|
                                                     \--------------RESP------------/

```

----------

## ethzural

Hi guys, before I start on my openvpn, I suppose I need to set up the bridge between eth0 and tap0 first?

However, I had included the bridge (built-in) and tun/tap (module) in the kernel, yet the /dev/net/tun keeps disappearing each time I reboot the server. So, how am I going to create tap0?

----------

## b1f30

 *cchee wrote:*   

> For those who has Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following into their Linux client configuration (using the above example environment):
> 
> ```
> up /etc/openvpn/client/client.up
> 
> ...

 

I'm trying to get the 'up' and 'down' scripts to work, and I've placed the following two lines in my /etc/openvpn/openvpn.conf:

```
up /etc/openvpn/client.up
down /etc/openvpn/client.down
```

chmod'ed the scripts with 755, and openvpn starts up just fine. It adds the nameserver info to /etc/resolv.conf, but when I bring openvpn down, the two new entries still remain in /etc/resolv.conf leaving me to manually edit every time I bring it down. Absolute paths are fine, permissions are set - what the heck am I doing wrong here?

 :evil:
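
The symptom above (entries added on "up" never removed on "down") is usually a down script that cannot tell its own lines from the user's. As an added example, not the HOWTO's client.up/client.down, here is one POSIX sh file that serves as both hooks: it reads the pushed `dhcp-option DNS`/`DOMAIN` values OpenVPN exports as `foreign_option_N`, wraps what it adds in marker comments, and removes exactly that block on "down". The `RESOLV_CONF` override and the demo's temp file are assumptions for running it offline.

```shell
#!/bin/sh
# Added example, not the HOWTO's own client.up/client.down: one script that
# serves as both the "up" and the "down" hook of an OpenVPN client.
# OpenVPN exports every pushed "dhcp-option" as foreign_option_1,
# foreign_option_2, ... and sets script_type to "up" or "down", so the same
# file can do both jobs. The entries it adds are wrapped in marker comments
# and "down" deletes exactly that block, which is what a hand-written down
# script often gets wrong.
#
# Assumption: the resolver file is /etc/resolv.conf unless RESOLV_CONF is set
# (the demo below sets it to a temp file so nothing on the host is touched).

BEGIN_MARK="# openvpn-begin"
END_MARK="# openvpn-end"

# Translate pushed options into resolv.conf lines (one per option).
ovpn_pushed_resolver_lines() {
    i=1
    while eval "opt=\"\${foreign_option_$i:-}\""; [ -n "$opt" ]; do
        set -- $opt                       # e.g. "dhcp-option DNS 10.2.0.1"
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) echo "search $3" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# "down": remove only the marked block, leaving the user's own entries alone.
ovpn_dns_down() {
    file="${RESOLV_CONF:-/etc/resolv.conf}"
    [ -f "$file" ] || return 0
    sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# "up": put the pushed entries first so they win over the LAN resolver.
ovpn_dns_up() {
    file="${RESOLV_CONF:-/etc/resolv.conf}"
    ovpn_dns_down                 # idempotent: clear leftovers of a crashed run
    lines=$(ovpn_pushed_resolver_lines)
    [ -n "$lines" ] || return 0
    {
        echo "$BEGIN_MARK"
        printf '%s\n' "$lines"
        echo "$END_MARK"
        if [ -f "$file" ]; then cat "$file"; fi
    } > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Number of resolver lines currently inside the marked block (0 if none).
ovpn_dns_count() {
    file="${RESOLV_CONF:-/etc/resolv.conf}"
    sed -n "/^$BEGIN_MARK\$/,/^$END_MARK\$/p" "$file" | grep -vc '^# openvpn-' || true
}

case "${script_type:-}" in
    up)   ovpn_dns_up ;;
    down) ovpn_dns_down ;;
    *)
        # Not invoked by OpenVPN: demo on a constructed temp file, using the
        # HOWTO's sample DNS servers and domain as if the server had pushed them.
        RESOLV_CONF=$(mktemp); export RESOLV_CONF
        echo "nameserver 192.168.1.1" > "$RESOLV_CONF"
        foreign_option_1="dhcp-option DNS 10.2.0.1"
        foreign_option_2="dhcp-option DNS 10.2.0.2"
        foreign_option_3="dhcp-option DOMAIN homenetwork.local"
        ovpn_dns_up;   echo "--- after up ---";   cat "$RESOLV_CONF"
        ovpn_dns_down; echo "--- after down ---"; cat "$RESOLV_CONF"
        rm -f "$RESOLV_CONF"
        ;;
esac
```

Point both the `up` and the `down` directive of the client config at this one file; because "up" first runs the "down" logic, a crash that skipped the down hook does not leave stale nameservers behind.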

----------

## UberLord

You could always use the p.masked openvpn beta and use its supplied up and down scripts.

You may also want to emerge resolvconf-gentoo and baselayout-1.12.1 for really good support too  :Smile: 

----------

## julmust

I can't figure out how to enable the clients to reach the entire remote subnet; my setup is this:

OpenVPN running on a server (192.168.0.200) behind firewall.

Client is WinXP.

192.168.0.0/24 - remote subnet

192.168.100.0/24 - virtual subnet

192.168.1.0/24 - client subnet

serverconf (basically set up as in this how to):

```

port 1194
dev tap
tls-server
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh1024.pem
tls-auth /etc/openvpn/server/static.key  0
duplicate-cn
mode server
ifconfig 192.168.100.100 255.255.255.0
ifconfig-pool 192.168.100.101 192.168.100.105 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route-gateway 192.168.100.100"
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 192.168.0.0 255.255.255.0 192.168.100.100"
push "route 192.168.100.0 255.255.255.0 192.168.100.100"
comp-lzo

```

client config:

```

port 1194 # or any other port you want to use
dev tap
remote remote-address #is external IP of the OpenVPN server
tls-client
ca ca.crt
cert client.crt
key client-key.txt
tls-auth static-key.txt 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4

```

After starting the server the client gets an IP (192.168.100.101), so that seems to be fine. The client can ping the virtual VPN server address 192.168.100.100 and vice versa. From the client I can also reach 192.168.0.200, which is eth0 on the VPN server. Now I want to be able to reach the other clients in the subnet. Been scratching my head all day long about this issue. I guess I need to somehow route traffic from tap0 to eth0 or similar. This is where I need some help..

Output on server side:

```

PC01_server ~ # route -N
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
PC01_server ~ # cat /proc/sys/net/ipv4/ip_forward
1

```

On client side:

```

c:\>route PRINT
....
192.168.0.0   255.255.255.0  192.168.100.100  192.168.100.101

```

This would mean all traffic to 192.168.0.0/24 would go to gateway 192.168.100.100 via the 192.168.100.101-adapter, right?

As I read in the troubleshooting section of this howto the other option would be to use an ethernet bridge, this i have not tried, and it seems as if that wouldn't be necessary? 

I'm probably overlooking something vital so it would be really great if someone could point me in the right direction!

----------

## UberLord

Have you enabled ip forwarding on the server?

----------

## julmust

I have, and it's enabled in the kernel; I've loaded the ip_tables module as well. Do I have to do anything with iptables? 

I've tried various combinations without success.

----------

## UberLord

I've had this problem before, but I cannot remember what exactly I did to fix it.

As you can ping the remote server ip on the remote subnet but not anything else on the subnet then it's simply a routing/forwarding/iptables issue on the server.

One thing I could suggest is that you try the firewall init script I have here

http://dev.gentoo.org/~uberlord/firewall

and configure /etc/conf.d/firewall to read

```

LOCAL_IPV4="192.168.0.0/24 192.168.100.0/24"
FORWARD_INTERFACES=( "tap0 eth0" )
```

If it works, then configure it for the ports you want to open, close and you're set to go. Otherwise, post your problem in a new thread as it's no longer an openvpn issue.

----------

## julmust

What is the recommended way to set the open ports in your firewall script? Since for the moment I only have ssh access, I want to make sure that ssh and other ports are open before I try it..

----------

## UberLord

```
PORTS_IN="ssh"
```

or just on the defined local IPs

```
LOCAL_PORTS_IN="ssh"
```

Add either numerics, numeric ranges (100:110) or names in /etc/services

----------

## cchee

julmust,

Your gateway/router on your server subnet needs to add a rule to tell the rest of the machines (on the same subnet as your server) which "vpn gateway" to use for VPN traffic.

In your case: 

```
192.168.0.0/24 - remote subnet
192.168.100.0/24 - virtual subnet
192.168.1.0/24 - client subnet
```

You will need the router on your remote subnet (192.168.0.0/24) to add a rule to tell the rest of the machines on your remote subnet how to route the VPN traffic from/to your virtual subnet (192.168.100.0/24) via your VPN server (192.168.0.200) to your client (192.168.100.101).

And as UberLord mentioned, you need to make sure you have ip_forwarding enabled on your VPN server to make it work.
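
The return-route check cchee describes here and in the reply to AppleMasher earlier in the thread, as an added shell example that is not part of any post: it reads a gateway's `route -n` output on stdin and reports whether some route already sends the virtual subnet to the VPN server's LAN address, printing the `route add` command in the form given above otherwise. The routing table in the demo is constructed for AppleMasher's environment, not taken from anyone's machine, and 203.0.113.1 is a placeholder upstream address.

```shell
#!/bin/sh
# Added example, not from the HOWTO: does the LAN gateway have a return route
# for the virtual VPN subnet via the VPN server's LAN address?
# Usage: route -n | vpn_return_route NET NETMASK VPN_SERVER_LAN_IP
# Prints "present", or "missing: route add ..." with the command to run.
vpn_return_route() {
    awk -v net="$1" -v mask="$2" -v gw="$3" '
    # Bitwise AND of two octets, spelled out because POSIX awk has no "&".
    function band(a, b,    r, p) {
        r = 0; p = 1
        while (a > 0 && b > 0) {
            if (a % 2 == 1 && b % 2 == 1) r += p
            a = int(a / 2); b = int(b / 2); p *= 2
        }
        return r
    }
    # True when the route dest/rmask covers the whole of net/mask:
    # net lies inside dest/rmask and rmask is no more specific than mask.
    function covers(dest, rmask,    d, m, n, w, i) {
        split(dest, d, "."); split(rmask, m, ".")
        split(net, n, ".");  split(mask, w, ".")
        for (i = 1; i <= 4; i++) {
            if (band(n[i], m[i]) != d[i]) return 0
            if (band(m[i], w[i]) != m[i]) return 0
        }
        return 1
    }
    # Only rows whose first field is a dotted quad are routes; the header
    # lines of "route -n" are skipped by this pattern.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF >= 3 {
        if (covers($1, $3) && $2 == gw) found = 1
    }
    END {
        if (found) print "present"
        else print "missing: route add -net " net " netmask " mask " gw " gw
    }'
}

# Constructed gateway table for AppleMasher's environment (10.0.0.0/24 LAN,
# VPN server 10.0.0.98, virtual subnet 10.5.0.0/24) before the route is added.
# The default route covers 10.5.0.0 but points upstream, so it must not count.
DEMO_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0'

printf '%s\n' "$DEMO_TABLE" | vpn_return_route 10.5.0.0 255.255.255.0 10.0.0.98
```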

----------

## mmx87

Great tutorial...although you forgot to note where easyrsa is located when you use the official portage ebuild of openvpn.  Easyrsa is located in /usr/share/openvpn/easyrsa.  Also, the openvpn init script from the ebuild has changed as well and the configuration file is expected to be found at /etc/openvpn/openvpn.conf.  Just letting everyone know of a few hurdles I had to overcome to get openvpn working.

----------

## cchee

Just a fyi, there is a port to PocketPC underway for OpenVPN. I will update the mini-howto to include PocketPC setup later once I give it a try...  :Smile:  For those who can't wait, you can check it out here:

http://www.ziggurat29.com/OVPNPPCAlpha/OVPNPPCAlpha.htm

----------

## hanj

Hello

I'm having trouble with my OpenVPN configuration, but only when trying to connect from WAN to local network. I also have a DMZ network (wireless) that I'm able to connect to just fine with VPN. I keep receiving the following error on the server when trying to connect on the WAN:

```
Oct  6 23:50:52 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: new session incoming connection from xxx.xxx.xxx.xxx:50264
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS handshake failed
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct  6 23:51:05 comp openvpn[8844]: MULTI: multi_create_instance called
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Re-using SSL/TLS context
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 LZO compression initialized
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options hash (VER=V4): '360696c5'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options hash (VER=V4): '13a273ba'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS: Initial packet from xxx.xxx.xxx.xxx:50264, sid=dcb36b41 f3607908
```

This is the error on the client (Windows XP using OpenVPN GUI):

```
Fri Oct 06 23:50:58 2006 us=685483 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 06 23:50:58 2006 us=685538 TLS Error: TLS handshake failed
Fri Oct 06 23:50:58 2006 us=686068 TCP/UDP: Closing socket
Fri Oct 06 23:50:58 2006 us=686483 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 06 23:50:58 2006 us=686515 Restart pause, 2 second(s)
Fri Oct 06 23:51:00 2006 us=686483 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 06 23:51:00 2006 us=690118 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Fri Oct 06 23:51:00 2006 us=690177 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690260 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 06 23:51:00 2006 us=690410 LZO compression initialized
Fri Oct 06 23:51:00 2006 us=690567 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Oct 06 23:51:00 2006 us=693216 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Oct 06 23:51:00 2006 us=693299 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Oct 06 23:51:00 2006 us=693329 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Oct 06 23:51:00 2006 us=693390 Local Options hash (VER=V4): '13a273ba'
Fri Oct 06 23:51:00 2006 us=693426 Expected Remote Options hash (VER=V4): '360696c5'
Fri Oct 06 23:51:00 2006 us=693481 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Oct 06 23:51:00 2006 us=693535 UDPv4 link local (bound): [undef]:800
Fri Oct 06 23:51:00 2006 us=693568 UDPv4 link remote: xxx.xxx.xxx.xxx:800
```

Now, as I said, when I connect while on the DMZ (172.16.0.0/24) network, everything works fine. My internal network is 10.0.0.0/26. It seems like this might be a NAT or routing issue... possibly the client is not receiving a response. There are no blocks showing in /var/log/messages, and there should be if it's not allowed. That's why I keep thinking it's a route problem.

Here is my route table on the firewall/VPN server:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.192 U     0      0        0 eth0
172.16.0.0      *               255.255.255.0   U     0      0        0 eth2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.1.0.0        *               255.255.255.0   U     0      0        0 tap0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
```

eth1 is connected directly to a Cisco 800 series DSL modem, eth0 is my internal network and eth2 is my DMZ network.

I'm running my OpenVPN on a non-standard port, UDP/800. Here are some interesting pieces of my iptables script:

```
$IPT -A INPUT -p udp --dport 800 -d $NATIP -j ACCEPT
$IPT -A OUTPUT -p udp --dport 800 -o eth1 -s 192.168.0.3 -j ACCEPT
$IPT -A OUTPUT -p udp -s 192.168.0.3 --sport 800 -j ACCEPT
$IPT -A INPUT -i tap0 -j ACCEPT
$IPT -A FORWARD -i tap0 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
```

Any help to get this working is greatly appreciated!

thanks

hanji
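One way to read the two logs above side by side, as an added example that is not part of this thread: each side logs a hash of its own options and of the options it expects from its peer, so if the server's "Local" hash equals the client's "Expected Remote" hash (and vice versa), the configs agree and a "TLS key negotiation failed to occur within 60 seconds" on both ends points at the network path rather than at a cipher/MTU/dev-type mismatch. The log excerpts are constructed from the lines quoted in the post; the function and field names are my own.

```python
"""Correlate server- and client-side OpenVPN log excerpts."""
import re

# Constructed excerpts modelled on the logs quoted in the post above.
SERVER_LOG = """\
Oct  6 23:51:04 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Local Options hash (VER=V4): '360696c5'
Oct  6 23:51:05 comp openvpn[8844]: xxx.xxx.xxx.xxx:50264 Expected Remote Options hash (VER=V4): '13a273ba'
"""
CLIENT_LOG = """\
Fri Oct 06 23:50:58 2006 us=685483 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 06 23:51:00 2006 us=686483 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 06 23:51:00 2006 us=693390 Local Options hash (VER=V4): '13a273ba'
Fri Oct 06 23:51:00 2006 us=693426 Expected Remote Options hash (VER=V4): '360696c5'
"""

HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=\w+\): '([0-9a-f]+)'")
TIMEOUT_MSG = "TLS key negotiation failed to occur within"
MITM_WARNING = "No server certificate verification method has been enabled"


def options_hashes(log):
    """Map 'Local' / 'Expected Remote' to the hash one side logged."""
    return {m.group(1): m.group(2) for m in HASH_RE.finditer(log)}


def diagnose(server_log, client_log):
    """Cross-check both sides' option hashes and classify the failure."""
    s, c = options_hashes(server_log), options_hashes(client_log)
    # The server's own options must be what the client expects, and vice versa.
    options_match = (s.get("Local") == c.get("Expected Remote")
                     and c.get("Local") == s.get("Expected Remote"))
    timeout_both = TIMEOUT_MSG in server_log and TIMEOUT_MSG in client_log
    mitm_warning = MITM_WARNING in client_log  # client does not verify the server cert
    if not options_match:
        verdict = "config mismatch: compare the Local/Expected Remote Options Strings"
    elif timeout_both:
        verdict = "options agree on both sides: UDP packets are being lost (NAT/firewall/route)"
    else:
        verdict = "no handshake timeout found in both logs"
    return {"options_match": options_match, "timeout_both_sides": timeout_both,
            "mitm_warning": mitm_warning, "verdict": verdict}
```

The `mitm_warning` flag is worth acting on even after the tunnel works: without a server-certificate check, any holder of a certificate signed by the same CA can impersonate the server to this client.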

----------

## cchee

Did you have TCP port 800 open as well? Are you using tap or tun? Just curious.

----------

## hanj

 *cchee wrote:*   

> Did you have TCP port 800 open as well? Are you using tap? or tun? Just curious.

 

Hello 

Thanks for the reply! I'm still trying to get my head around all of this, so I apologize for my newbness.

I'm not accepting TCP port 800 on my firewall. As far as I knew, this was over UDP only. In fact, my DMZ/wireless does not accept port 800 TCP, only UDP, and it works. I'm not sure what the difference is between tap and tun, but I do have a tap0 interface, so does that mean I'm using tap?

Thanks!

hanji

----------

## cchee

Just curious, do you have to use a root-access port (i.e. port < 1024)? OpenVPN's standard official port is 1194. You may want to try that first. tap0 means you are using tap.

----------

## hanj

 *cchee wrote:*   

> Just curious, do you have to use root access port (i.e. port < 1024)? OpenVPN standard official port is 1194. You may want to try that first. tap0 means you are using tap.

 

Hello, thanks for replying. Using port 800 isn't a problem; also, my DMZ w/ VPN to LAN works.

```
netstat -lnp | grep openvpn
udp        0      0 0.0.0.0:800             0.0.0.0:*                           24957/openvpn
```

Thanks!

hanji

----------

## cchee

Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait until it becomes official in portage!!! Hint! Hint!  :Wink:  )

NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, it processes it. Otherwise it forwards it to ssl_webserver.mycompany.com to be processed as HTTPS traffic. One great thing about this is that you have one less hole in your firewall.

```
port-share ssl_webserver.mycompany.com 443
```

----------

## Bender007

Hi,

I have a question. Is it possible to disconnect after an idle time of 2 mins?

I am using the "keepalive 10 120" option. Is this option the problem? Or is there another idle parameter?

And what tool can I use to watch open connections and disconnect clients? I tried the management option and "Force logoff" of a user over the GUI, but the user connects again immediately. What can I do?

server.conf:

 *Quote:*   

> proto tcp-server
> port 21113
> ...

 

Thx Bender

----------

## snIP3r

 *cchee wrote:*   

> Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait until it becomes official in portage!!! Hint! Hint!  )
> 
> NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, it processes it. Otherwise it forwards it to ssl_webserver.mycompany.com to be processed as HTTPS traffic. One great thing about this is that you have one less hole in your firewall.
> 
> ```
> ...

 

Can you also please tell me how to configure Apache to make this work? I cannot start both configs (openvpn and apache) using port 443. I also found no example on the web.

thx in advance

snIP3r

----------

## quackyo

I have fiddled around with OpenVPN today.

I'm using an OpenVPN server set up as a bridge.

When I connect to it I get an IP from DHCP (the DHCP on the network my VPN server is on), but no ping.

After a while the connection times out and tries reconnecting. After 1-5 minutes it gets reconnected, and from then on everything is fine.

I thought it was a firewall issue, but after trying to disable the firewall at both ends I was stuck... until I remembered that I had a Linksys DD-WRT box with a VPN setup that works. I took a look at the setup there and found that the only difference was that my OpenVPN server runs in "mode server" and TLS-server (with certificates), but the Linksys runs with a static key only.

Well, I tried to reconfigure my VPN server to use a static key only, and then it worked perfectly.

But I want the TLS-server feature, both for the multiple-client feature and for safety.

Anybody have a clue? I have tried to regenerate all certificates, but that didn't help.

All certificates I built with the easy-rsa scripts that come with OpenVPN.

----------

## TatooFim

 *damed92 wrote:*   

> Firstly, thank you VERY much for this howto. I have OpenVPN working well.
> 
> One question:
> 
> I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.
> ...

 

Agreed, thanks.

----------

## cchee

 *snIP3r wrote:*   

>  *cchee wrote:*   Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait until it becomes official in portage!!! Hint! Hint!  )
> 
> NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, it processes it. Otherwise it forwards it to ssl_webserver.mycompany.com to be processed as HTTPS traffic. One great thing about this is that you have one less hole in your firewall.
> 
> ```
> ...

 

snIP3r,

Sorry for really late reply. Have been busy and haven't had a chance to check back here for a while.

Your firewall will port-forward 443 traffic to the openvpn server with port-share configured. In your openvpn configuration file, you will add the aforementioned line, where ssl_webserver.mycompany.com is the hostname or IP address of your webserver. But I don't think you can have both your openvpn and webserver running on the same physical machine. If you have a powerful box and some CPU/memory to spare, try to virtualize your webserver using VMware Server or VirtualBox. Logically, it is still a different IP address, but everything runs on one physical box.

You shouldn't need to change the apache configuration file. OpenVPN will detect what kind of traffic it is and then redirect it to the apache server if it is a webserver request. Hope this helps.
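An added illustration of the decision port-share makes on the first bytes of each TCP connection (for the port-share posts above; this is my own code, not OpenVPN's and not from this thread). It assumes the classification rule stated in the comments, which follows OpenVPN's own heuristic as I understand it, and uses the ssl_webserver.mycompany.com 443 target from the post; the proxied web server sees the connection arriving from the OpenVPN host, not from the original client.

```python
"""Model of how port-share classifies the first bytes of a TCP connection."""
# Assumption (mirrors OpenVPN's port-share heuristic as I understand it):
# an OpenVPN-over-TCP session opens with a 2-byte big-endian packet length
# followed by a control-channel hard-reset packet whose first byte is
# (opcode << 3) | key_id, with opcode 7 (V2) or 10 (V3) and key_id 0.
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10
_HARD_RESET_BYTES = (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,
                     P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT)


def is_openvpn_protocol(first_bytes):
    """True if the opening bytes look like an OpenVPN client hard reset."""
    if len(first_bytes) < 3:
        return False  # not enough data to decide; a real proxy would read more
    length_hi, length_lo, opcode_byte = first_bytes[0], first_bytes[1], first_bytes[2]
    # Length high byte is 0 for a hard reset and the packet is at least 14 bytes.
    return length_hi == 0 and length_lo >= 14 and opcode_byte in _HARD_RESET_BYTES


def dispatch(first_bytes, proxy_target="ssl_webserver.mycompany.com:443"):
    """Return where port-share would hand this connection: 'openvpn' or the proxy."""
    return "openvpn" if is_openvpn_protocol(first_bytes) else proxy_target


# Constructed samples, not captured traffic.
# A TLS record header: content type 0x16 (handshake), version 3.1, length 0xc8,
# then handshake type 0x01 (ClientHello). port-share proxies this to the web server.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])
# An OpenVPN hard reset: length 0x002a, then (7 << 3) | 0 = 0x38, then a dummy body.
OPENVPN_HARD_RESET = bytes([0x00, 0x2A, 0x38]) + bytes(42)
# Plain HTTP on 443 is neither, so it is also proxied (and then rejected by the web server).
PLAIN_HTTP = b"GET / HTTP/1.0\r\n\r\n"
```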

----------

## snIP3r

 *cchee wrote:*   

>  *snIP3r wrote:*    *cchee wrote:*   Just adding an update on how to set up port sharing with OpenVPN 2.1 (can't wait until it becomes official in portage!!! Hint! Hint!  )
> 
> NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. The following line basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, it processes it. Otherwise it forwards it to ssl_webserver.mycompany.com to be processed as HTTPS traffic. One great thing about this is that you have one less hole in your firewall.
> 
> ```
> ...

 

Hi cchee!

Thx for your reply, even if it's a little late ,)

Thx also for the tip. My first thought was to have both on the same machine, but after reading your post here I will try to do as you suggested and put the webserver on another (test) machine. If this works I can think about further steps...

I have a powerful machine and I would like to have the webserver on the same machine as the openvpn server. But this may be difficult to realize; I hope I can do it.

Thx for your tip anyway. After the first tests, I will post my results.

thx

snIP3r

----------

