[CentOS] OpenVPN TAP interface problem.

Rafał Radecki radecki.rafal at gmail.com
Wed Aug 22 11:51:01 UTC 2012 

The situation has changed a little bit ;)

Now I am using a routed setup (bridged setup was an old remnant).
My server is:
CentOS release 6.2 (Final)
2.6.32-220.el6.x86_64
openvpn-2.2.1-1.x86_64
My server config file is:
local 1.2.3.4
port 123
proto tcp-server
dev tun0
tls-server
remote-cert-tls client
tls-auth /etc/openvpn/keys/ta.key 0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
;crl-verify /etc/openvpn/keys/crl.pem
server 172.16.1.0 255.255.255.0
;ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.0.0 255.255.255.0 172.16.1.1"
push "route 172.17.0.0 255.255.0.0 172.16.1.1"
push "dhcp-option DNS 192.168.0.2"
push "dhcp-option DNS 192.168.0.1"
client-to-client
duplicate-cn
keepalive 10 60
cipher AES-256-CBC   # AES
comp-lzo
max-clients 20
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 4

My client file is:
Ubuntu 12.04.1 LTS
3.2.0-29-generic x86_64
openvpn-2.2.1-8ubuntu1
My client config file is:
remote 1.2.3.4
port 123
dev tun0
proto tcp-client
resolv-retry 120
;persist-key
;persist-tun
remote-cert-tls server
tls-remote server.example.com
tls-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
verb 4
log /var/log/openvpn.log
status /var/log/openvpn-status.log
comp-lzo

When I start the openvpn server I get the output in server.log.gz.
Also I get one new interface
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 172.16.1.1 peer 172.16.1.2/32 scope global tun0

In iptables I have (default policies DROP, only for OUTPUT ACCEPT):
-A INPUT -s 172.16.1.0/255.255.255.0 -i tun0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 172.16.1.0/255.255.255.0 -o tun0 -j ACCEPT
-A FORWARD -s 172.16.1.0/255.255.255.0 -i tun0 -j ACCEPT

When I start openvpn on client in the logfile (client.log.gz) I have
"Initialization Sequence Completed" but in ip a s:

14: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN qlen
100
    link/none

The DOWN state is the problem as I think, also there is no IP configuration
assigned.

At the same moment on server I have output in server2.log.gz.
There are lines
Peer Connection Initiated with 1.2.3.4:44638
and
Wed Aug 22 13:37:53 2012 us=331639 client/1.2.3.4:44638 MULTI: Learn:
172.16.1.6 -> client/1.2.3.4:44638
Wed Aug 22 13:37:53 2012 us=331648 client/1.2.3.4:44638 MULTI: primary
virtual IP for client/1.2.3.4:44638: 172.16.1.6
But also a line
Wed Aug 22 13:38:07 2012 us=418282 client/1.2.3.4:44638 Connection reset,
restarting [0]

I have no firewall on my client host.

Any suggestions?

Best regards,
Rafał.

2012/8/21 Leon Fauster <leonfauster at googlemail.com>

> Am 21.08.2012 um 16:27 schrieb Rafał Radecki:
> > When I start the tunnel I am not able to ping 1.2.3.4 IP on server, the
> TAP
> > interface is also in DOWN state. I have no firewall configured. My client
> > log file is attached.
> > Should I have an IP addres on my TAP interface?
>
>
>
> What are your goals?
>
> A bridged setup (dev tap) or a routed network (dev tun)?
>
> LF
>
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

More information about the CentOS mailing list