routed vpn between two freebsd machines

Frank Mueller - emendis GmbH Frank.Mueller at emendis.de
Wed Sep 21 09:56:04 PDT 2005


10.8.0.1 is your server's IP!
According to the manpage, the parameter
"server 10.8.0.0 255.255.255.0"
sets the router to 10.8.0.1.
Why do you push a route to 192.168.2.0/24 ??? Do you have such a subnet?

Greetz,

Ice

dave wrote:
> Hello,
>     My apologies if this is a repost; I didn't see it go through.
>     I'm trying to set up a routed VPN between two FreeBSD 5.4 machines.
> Currently they're on the same physical subnet, 192.168.0.x, to make testing
> easier, and for the VPN they're using 10.8.0.x. My first problem: although both
> server and client start, I can only ping the client's IP address 10.8.0.6,
> not the server's 10.8.0.5, and an IP of 10.8.0.1 is also showing up.
> Eventually I'd like to add Windows boxes accessing the VPN via Samba and
> remote clients from beyond the firewall, but I'd like to know if my basic
> configuration looks good.
> Any help appreciated.
> Thanks.
> Dave.
> 
> client:
> openvpn.conf:
> client
> dev tun
> proto udp
> remote 192.168.0.3 1194
> resolv-retry infinite
> nobind
> user nobody
> group nobody
> persist-key
> persist-tun
> mute-replay-warnings
> ca keys/ca.crt
> cert keys/client1.crt
> key keys/client1.key
> ns-cert-type server
> tls-auth keys/ta.key 1
> comp-lzo
> status openvpn-status.log
> log         openvpn.log
> verb 3
> mute 20
> 
> server:
> openvpn.conf:
> local 192.168.0.3
> port 1194
> proto udp
> dev tun
> ca keys/ca.crt
> cert keys/vpn.crt
> dh keys/dh2048.pem
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "route 192.168.2.0 255.255.255.0"
> client-to-client
> keepalive 10 120
> comp-lzo
> max-clients 100
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> log         openvpn.log
> verb 3
> mute 20
> 
> server:
> OpenVPN CLIENT LIST
> Updated,Fri Sep 16 11:09:42 2005
> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
> client1,192.168.0.4:53537,75321,75571,Fri Sep 16 08:18:50 2005
> ROUTING TABLE
> Virtual Address,Common Name,Real Address,Last Ref
> 10.8.0.6,client1,192.168.0.4:53537,Fri Sep 16 10:34:37 2005
> GLOBAL STATS
> Max bcast/mcast queue length,0
> END
> 
> server:
> Fri Sep 16 00:10:50 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO]
> built on Aug 30 2005
> Fri Sep 16 00:10:50 2005 Diffie-Hellman initialized with 2048 bit key
> Fri Sep 16 00:10:50 2005 Control Channel Authentication: using 'keys/ta.key'
> as a OpenVPN static key file
> Fri Sep 16 00:10:50 2005 Outgoing Control Channel Authentication: Using 160
> bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 00:10:50 2005 Incoming Control Channel Authentication: Using 160
> bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 00:10:50 2005 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0
> EL:0 ]
> Fri Sep 16 00:10:50 2005 gw 192.168.0.254
> Fri Sep 16 00:10:50 2005 TUN/TAP device /dev/tun0 opened
> Fri Sep 16 00:10:50 2005 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500
> netmask 255.255.255.255 up
> Fri Sep 16 00:10:50 2005 /sbin/route add -net 10.8.0.0 10.8.0.2
> 255.255.255.0
> add net 10.8.0.0: gateway 10.8.0.2
> Fri Sep 16 00:10:50 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135
> ET:0 EL:0 AF:3/1 ]
> Fri Sep 16 00:10:50 2005 GID set to nobody
> Fri Sep 16 00:10:50 2005 UID set to nobody
> Fri Sep 16 00:10:50 2005 UDPv4 link local (bound): 192.168.0.3:1194
> Fri Sep 16 00:10:50 2005 UDPv4 link remote: [undef]
> Fri Sep 16 00:10:50 2005 MULTI: multi_init called, r=256 v=256
> Fri Sep 16 00:10:50 2005 IFCONFIG POOL: base=10.8.0.4 size=62
> Fri Sep 16 00:10:50 2005 IFCONFIG POOL LIST
> Fri Sep 16 00:10:50 2005 Initialization Sequence Completed
> Fri Sep 16 08:18:50 2005 MULTI: multi_create_instance called
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Re-using SSL/TLS context
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 LZO compression initialized
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Control Channel MTU parms [
> L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Data Channel MTU parms [ L:1542
> D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Local Options hash (VER=V4):
> '14168603'
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Expected Remote Options hash
> (VER=V4): '504e774e'
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 TLS: Initial packet from
> 192.168.0.4:53537, sid=c06f4d68 1e59a37e
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=1,
> /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
> webmaster at davemehler.com
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=0,
> /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster at davem
> ehler.com
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Cipher
> 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Using 160
> bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Cipher
> 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Using 160
> bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Control Channel: TLSv1, cipher
> TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 [client1] Peer Connection
> Initiated with 192.168.0.4:53537
> Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: Learn: 10.8.0.6 ->
> client1/192.168.0.4:53537
> Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: primary virtual IP
> for client1/192.168.0.4:53537: 10.8.0.6
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 PUSH: Received control
> message: 'PUSH_REQUEST'
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 SENT CONTROL [client1]:
> 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.0
> 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
> (status=1)
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in
> mroute_extract_addr_from_packet
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in
> mroute_extract_addr_from_packet
> Fri Sep 16 08:18:56 2005 client1/192.168.0.4:53537 Need IPv6 code in
> mroute_extract_addr_from_packet
> Fri Sep 16 08:19:02 2005 client1/192.168.0.4:53537 Need IPv6 code in
> mroute_extract_addr_from_packet
> Fri Sep 16 09:18:51 2005 client1/192.168.0.4:53537 TLS: soft reset sec=0
> bytes=37851/0 pkts=714/0
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1,
> /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
> webmaster at davemehler.com
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0,
> /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster at davem
> ehler.com
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
> Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
> Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
> Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
> Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1,
> cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 10:18:51 2005 client1/192.168.0.4:53537 TLS: tls_process: killed
> expiring key
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1,
> /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
> webmaster at davemehler.com
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0,
> /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster at davem
> ehler.com
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
> Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
> Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
> Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
> Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1,
> cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> 
> client:
> openvpn-status.log:
> OpenVPN STATISTICS
> Updated,Fri Sep 16 11:19:26 2005
> TUN/TAP read bytes,624
> TUN/TAP write bytes,168
> TCP/UDP read bytes,86618
> TCP/UDP write bytes,86078
> Auth read bytes,17512
> pre-compress bytes,0
> post-compress bytes,0
> pre-decompress bytes,0
> post-decompress bytes,0
> END
> 
> client:
> Fri Sep 16 08:16:05 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO]
> built on Sep 16 2005
> Fri Sep 16 08:16:05 2005 IMPORTANT: OpenVPN's default port number is now
> 1194, based on an official port number assignment by IANA.  OpenVPN
> 2.0-beta16 and earlier used 5000 as the default port.
> Fri Sep 16 08:16:05 2005 Control Channel Authentication: using 'keys/ta.key'
> as a OpenVPN static key file
> Fri Sep 16 08:16:05 2005 Outgoing Control Channel Authentication: Using 160
> bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:05 2005 Incoming Control Channel Authentication: Using 160
> bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:05 2005 LZO compression initialized
> Fri Sep 16 08:16:05 2005 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0
> ET:0 EL:0 ]
> Fri Sep 16 08:16:05 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135
> ET:0 EL:0 AF:3/1 ]
> Fri Sep 16 08:16:05 2005 Local Options hash (VER=V4): '504e774e'
> Fri Sep 16 08:16:05 2005 Expected Remote Options hash (VER=V4): '14168603'
> Fri Sep 16 08:16:05 2005 NOTE: UID/GID downgrade will be delayed because
> of --client, --pull, or --up-delay
> Fri Sep 16 08:16:05 2005 UDPv4 link local: [undef]
> Fri Sep 16 08:16:05 2005 UDPv4 link remote: 192.168.0.3:1194
> Fri Sep 16 08:16:05 2005 TLS: Initial packet from 192.168.0.3:1194,
> sid=c6ba5ec8 98dac724
> Fri Sep 16 08:16:05 2005 VERIFY OK: depth=1,
> /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
> webmaster at davemehler.com
> Fri Sep 16 08:16:05 2005 VERIFY OK: nsCertType=SERVER
> Fri Sep 16 08:16:05 2005 VERIFY OK: depth=0,
> /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster at davemehle
> r.com
> Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3
> DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 08:16:06 2005 [vpn] Peer Connection Initiated with
> 192.168.0.3:1194
> Fri Sep 16 08:16:07 2005 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
> Fri Sep 16 08:16:07 2005 PUSH: Received control message: 'PUSH_REPLY,route
> 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart
> 120,ifconfig 10.8.0.6 10.8.0.5'
> Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: timers and/or timeouts modified
> Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: --ifconfig/up options modified
> Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: route options modified
> Fri Sep 16 08:16:07 2005 gw 192.168.0.254
> Fri Sep 16 08:16:07 2005 TUN/TAP device /dev/tun0 opened
> Fri Sep 16 08:16:07 2005 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500
> netmask 255.255.255.255 up
> Fri Sep 16 08:16:07 2005 /sbin/route add -net 192.168.2.0 10.8.0.5
> 255.255.255.0
> add net 192.168.2.0: gateway 10.8.0.5
> Fri Sep 16 08:16:07 2005 /sbin/route add -net 10.8.0.0 10.8.0.5
> 255.255.255.0
> add net 10.8.0.0: gateway 10.8.0.5
> Fri Sep 16 08:16:07 2005 GID set to nobody
> Fri Sep 16 08:16:07 2005 UID set to nobody
> Fri Sep 16 08:16:07 2005 Initialization Sequence Completed
> Fri Sep 16 09:16:05 2005 VERIFY OK: depth=1,
> /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
> webmaster at davemehler.com
> Fri Sep 16 09:16:05 2005 VERIFY OK: nsCertType=SERVER
> Fri Sep 16 09:16:05 2005 VERIFY OK: depth=0,
> /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster at davemehle
> r.com
> Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Fri Sep 16 09:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3
> DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 10:16:06 2005 TLS: soft reset sec=0 bytes=37328/0 pkts=711/0
> Fri Sep 16 10:16:06 2005 VERIFY OK: depth=1,
> /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
> webmaster at davemehler.com
> Fri Sep 16 10:16:06 2005 VERIFY OK: nsCertType=SERVER
> Fri Sep 16 10:16:06 2005 VERIFY OK: depth=0,
> /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster at davemehle
> r.com
> Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Fri Sep 16 10:16:07 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3
> DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 11:16:06 2005 TLS: tls_process: killed expiring key
> Fri Sep 16 11:16:07 2005 TLS: soft reset sec=0 bytes=37720/0 pkts=713/0
> Fri Sep 16 11:16:07 2005 VERIFY OK: depth=1,
> /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
> webmaster at davemehler.com
> Fri Sep 16 11:16:07 2005 NOTE: --mute triggered...
> 

-- 
Frank Mueller
eMail: Frank.Mueller at emendis.de
Mobile: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Phone: +49.9131.817361
Fax: +49.9131.817386

Managing directors: Gunter Kroeber, Volker Wiesinger
Registered office Erlangen, Fuerth district court HRB 10116
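To make the reply's point concrete, here is an added example (not code from the thread or from OpenVPN) that models how OpenVPN 2.0's `server` directive carves the VPN subnet under its default net30 topology, which is what the server log shows (`ifconfig tun0 10.8.0.1 10.8.0.2`, `IFCONFIG POOL: base=10.8.0.4 size=62`, and the pushed `ifconfig 10.8.0.6 10.8.0.5`). It assumes net30 topology throughout; the `classify` helper shows why 10.8.0.5 answers no ping: it is the fictional server-side endpoint of the client's /30, not an address any host owns.

```python
import ipaddress

def _net(network: str, netmask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{network}/{netmask}")

def net30_allocation(network: str, netmask: str) -> dict:
    """Expand `server NETWORK NETMASK` the way OpenVPN 2.0 does under net30
    topology: the first /30 is the server's own link, every later /30 is one
    client slot, and the last /30 (ending in broadcast) is left out of the pool."""
    net = _net(network, netmask)
    base = int(net.network_address)
    return {
        "server_local": str(ipaddress.IPv4Address(base + 1)),   # 10.8.0.1
        "server_remote": str(ipaddress.IPv4Address(base + 2)),  # 10.8.0.2
        "pool_base": str(ipaddress.IPv4Address(base + 4)),      # 10.8.0.4
        "pool_size": net.num_addresses // 4 - 2,                # 62 for a /24
    }

def client_link(network: str, netmask: str, slot: int) -> tuple:
    """Return (local, remote) as pushed in `ifconfig LOCAL REMOTE` to the
    client occupying pool slot `slot` (0-based)."""
    net = _net(network, netmask)
    block = int(net.network_address) + 4 * (slot + 1)
    return (str(ipaddress.IPv4Address(block + 2)),   # client's tun address
            str(ipaddress.IPv4Address(block + 1)))   # server-side endpoint

def classify(network: str, netmask: str, addr: str) -> str:
    """Name the role of an address in the net30 layout; only the server's tun
    address and each client's tun address belong to a real host."""
    net = _net(network, netmask)
    ip = ipaddress.IPv4Address(addr)
    if ip not in net:
        return "outside VPN subnet"
    block, pos = divmod(int(ip) - int(net.network_address), 4)
    if block == 0:
        return ("network address", "server tun address",
                "server P-t-P endpoint (no host)", "unused")[pos]
    if block > net.num_addresses // 4 - 2:
        return "last /30, excluded from pool"
    slot = block - 1
    return (f"client slot {slot} network", f"client slot {slot} P-t-P endpoint (no host)",
            f"client slot {slot} tun address", f"client slot {slot} broadcast")[pos]

if __name__ == "__main__":
    print(net30_allocation("10.8.0.0", "255.255.255.0"))
    print(client_link("10.8.0.0", "255.255.255.0", 0))
    for a in ("10.8.0.1", "10.8.0.5", "10.8.0.6"):
        print(a, "->", classify("10.8.0.0", "255.255.255.0", a))
```

Run against the thread's `server 10.8.0.0 255.255.255.0`, it reproduces the pool base and size from the server log and the 10.8.0.6/10.8.0.5 pair from the PUSH_REPLY, and labels 10.8.0.1 as the only server address a client can expect to reach.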

