Hi all.
I have an OpenVPN server: 2.2.1-1 x86_64
Server config:
port 11223
dev tap
proto udp
tls-server
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 1.2.3.3 255.255.255.0
push "route 192.168.0.0 255.255.255.0 1.2.3.4"
keepalive 10 60
client-to-client
duplicate-cn
inactive 600
log /var/log/openvpn.log
syslog
status /var/log/openvpn-status.log
user openvpn
group openvpn
persist-tun
persist-key
verb 4
comp-lzo
Server interface:
11: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 56:73:e7:c9:c8:e5 brd ff:ff:ff:ff:ff:ff
    inet 1.2.3.4/24 brd 1.2.3.255 scope global tap0
Client: 2.2.1-8ubuntu1 x86_64
Client config:
remote 1.2.3.3
port 11223
dev tap
proto udp
resolv-retry infinite
#nobind
persist-key
persist-tun
tls-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
ns-cert-type server
comp-lzo
verb 4
log /var/log/openvpn.log
#syslog
status /var/log/openvpn-status.log
After successful start of the openvpn service (Tue Aug 21 16:12:24 2012 us=644993 Initialization Sequence Completed in logfile) I have:
Client interface:
9: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 100
    link/ether 4a:3d:52:dc:51:c3 brd ff:ff:ff:ff:ff:ff
When I start the tunnel I am not able to ping the 1.2.3.4 IP on the server, and the TAP interface is also in a DOWN state. I have no firewall configured. My client log file is attached. Should I have an IP address on my TAP interface?
Thanks for the help ;)
Best regards, Rafal.
Rafał Radecki wrote:
Hi all.
I have an OpenVPN server: 2.2.1-1 x86_64
<snip>
After successful start of the openvpn service (Tue Aug 21 16:12:24 2012 us=644993 Initialization Sequence Completed in logfile) I have:
Client interface:
9: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 100
    link/ether 4a:3d:52:dc:51:c3 brd ff:ff:ff:ff:ff:ff
When I start the tunnel I am not able to ping the 1.2.3.4 IP on the server, and the TAP interface is also in a DOWN state. I have no firewall configured. My client log file is attached. Should I have an IP address on my TAP interface?
I know nothing at all about OpenVPN, but the first thing I'd look at is why it's in a DOWN state.
mark
Am 21.08.2012 um 16:27 schrieb Rafał Radecki:
When I start the tunnel I am not able to ping the 1.2.3.4 IP on the server, and the TAP interface is also in a DOWN state. I have no firewall configured. My client log file is attached. Should I have an IP address on my TAP interface?
What are your goals?
A bridged setup (dev tap) or a routed network (dev tun)?
LF
The situation has changed a little bit ;)
Now I am using a routed setup (the bridged setup was an old remnant).
My server is: CentOS release 6.2 (Final), 2.6.32-220.el6.x86_64, openvpn-2.2.1-1.x86_64
My server config file is:
local 1.2.3.4
port 123
proto tcp-server
dev tun0
tls-server
remote-cert-tls client
tls-auth /etc/openvpn/keys/ta.key 0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
;crl-verify /etc/openvpn/keys/crl.pem
server 172.16.1.0 255.255.255.0
;ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.0.0 255.255.255.0 172.16.1.1"
push "route 172.17.0.0 255.255.0.0 172.16.1.1"
push "dhcp-option DNS 192.168.0.2"
push "dhcp-option DNS 192.168.0.1"
client-to-client
duplicate-cn
keepalive 10 60
cipher AES-256-CBC # AES
comp-lzo
max-clients 20
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 4
My client is: Ubuntu 12.04.1 LTS, 3.2.0-29-generic x86_64, openvpn-2.2.1-8ubuntu1
My client config file is:
remote 1.2.3.4
port 123
dev tun0
proto tcp-client
resolv-retry 120
;persist-key
;persist-tun
remote-cert-tls server
tls-remote server.example.com
tls-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
verb 4
log /var/log/openvpn.log
status /var/log/openvpn-status.log
comp-lzo
When I start the openvpn server I get the output in server.log.gz. I also get one new interface:
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 172.16.1.1 peer 172.16.1.2/32 scope global tun0
In iptables I have (default policies DROP, only OUTPUT is ACCEPT):
-A INPUT -s 172.16.1.0/255.255.255.0 -i tun0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 172.16.1.0/255.255.255.0 -o tun0 -j ACCEPT
-A FORWARD -s 172.16.1.0/255.255.255.0 -i tun0 -j ACCEPT
When I start openvpn on the client, in the logfile (client.log.gz) I have "Initialization Sequence Completed", but in ip a s:
14: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 100 link/none
The DOWN state is the problem, I think; also there is no IP configuration assigned.
At the same moment on the server I have the output in server2.log.gz. There are the lines
Peer Connection Initiated with 1.2.3.4:44638
Wed Aug 22 13:37:53 2012 us=331639 client/1.2.3.4:44638 MULTI: Learn: 172.16.1.6 -> client/1.2.3.4:44638
Wed Aug 22 13:37:53 2012 us=331648 client/1.2.3.4:44638 MULTI: primary virtual IP for client/1.2.3.4:44638: 172.16.1.6
but also a line
Wed Aug 22 13:38:07 2012 us=418282 client/1.2.3.4:44638 Connection reset, restarting [0]
I have no firewall on my client host.
Any suggestions?
Best regards, Rafał.
2012/8/21 Leon Fauster leonfauster@googlemail.com
Am 21.08.2012 um 16:27 schrieb Rafał Radecki:
When I start the tunnel I am not able to ping the 1.2.3.4 IP on the server, and the TAP interface is also in a DOWN state. I have no firewall configured. My client log file is attached. Should I have an IP address on my TAP interface?
What are your goals?
A bridged setup (dev tap) or a routed network (dev tun)?
LF
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
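The server-side symptom in the thread is a client that is assigned a virtual IP and then shows "Connection reset, restarting" a few seconds later. The following script is an added example, not code from the thread: it parses verb-4 OpenVPN server log lines of the shape quoted above, correlates the VIP assignment and the reset per client endpoint, and lists sessions that died within a threshold. The sample log lines are constructed to mirror the quoted ones; the second client and the `short_lived` threshold are assumptions for illustration.

```python
import re
from datetime import datetime

# Server log line shape at verb 4, as quoted in the thread:
#   "Wed Aug 22 13:37:53 2012 us=331639 client/1.2.3.4:44638 MULTI: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=(?P<us>\d+) "
    r"(?P<cn>\S+?)/(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}) (?P<msg>.*)$")
VIP_RE = re.compile(r"MULTI: primary virtual IP for \S+: (?P<vip>\d{1,3}(?:\.\d{1,3}){3})")
RESET_RE = re.compile(r"Connection reset, restarting \[\d+\]")

def parse_line(line):
    """Return (timestamp, common_name, peer, message), or None for lines without a client prefix."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").replace(microsecond=int(m["us"]))
    return ts, m["cn"], m["peer"], m["msg"]

def correlate(lines):
    """Per peer endpoint: common name, assigned VIP, and seconds from VIP assignment to a reset."""
    sessions = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, cn, peer, msg = parsed
        s = sessions.setdefault(peer, {"cn": cn, "vip": None, "assigned": None, "reset_after": None})
        vip = VIP_RE.search(msg)
        if vip:
            s["vip"], s["assigned"] = vip["vip"], ts
        elif RESET_RE.search(msg) and s["assigned"] is not None:
            s["reset_after"] = (ts - s["assigned"]).total_seconds()
    return sessions

def short_lived(sessions, max_seconds=60.0):
    """Peers reset within max_seconds of getting a VIP: the symptom described in the thread."""
    return sorted(p for p, s in sessions.items()
                  if s["reset_after"] is not None and s["reset_after"] <= max_seconds)

# Constructed sample modelled on the lines quoted in the thread; not the real server2.log.
SAMPLE_LOG = """\
Wed Aug 22 13:37:53 2012 us=331639 client/1.2.3.4:44638 MULTI: Learn: 172.16.1.6 -> client/1.2.3.4:44638
Wed Aug 22 13:37:53 2012 us=331648 client/1.2.3.4:44638 MULTI: primary virtual IP for client/1.2.3.4:44638: 172.16.1.6
Wed Aug 22 13:38:07 2012 us=418282 client/1.2.3.4:44638 Connection reset, restarting [0]
Wed Aug 22 13:40:01 2012 us=100000 client/10.0.0.9:51234 MULTI: primary virtual IP for client/10.0.0.9:51234: 172.16.1.10
Wed Aug 22 13:40:02 2012 us=100000 Initialization Sequence Completed
""".splitlines()
```

Feed the lines of the real server log to `correlate` and pass the result to `short_lived`; on the constructed sample it reports only 1.2.3.4:44638, reset about 14 seconds after receiving 172.16.1.6, which matches the gap between the two quoted timestamps.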