routed vpn between two freebsd machines

dave dmehler26 at woh.rr.com
Fri Sep 16 17:06:12 PDT 2005


Hello,
    My apologies if this is a repost; I didn't see it go through.
    I'm trying to set up a routed VPN between two FreeBSD 5.4 machines.
Currently they're on the same physical subnet, 192.168.0.x, to make testing
easier, and for the VPN they're using 10.8.0.x. My first problem: although both
server and client start, I can only ping the client's IP address 10.8.0.6,
not the server's of 10.8.0.5, and an IP of 10.8.0.1 is also showing up.
Eventually I'd like to add Windows boxes accessing the VPN via Samba and
remote clients from beyond the firewall, but I'd like to know if my basic
configuration looks good.
Any help appreciated.
Thanks.
Dave.

client:
openvpn.conf:
client
dev tun
proto udp
remote 192.168.0.3 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
tls-auth keys/ta.key 1
comp-lzo
status openvpn-status.log
log         openvpn.log
verb 3
mute 20

server:
openvpn.conf:
local 192.168.0.3
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn.crt
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 3
mute 20

server:
OpenVPN CLIENT LIST
Updated,Fri Sep 16 11:09:42 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.0.4:53537,75321,75571,Fri Sep 16 08:18:50 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,192.168.0.4:53537,Fri Sep 16 10:34:37 2005
GLOBAL STATS
Max bcast/mcast queue length,0
END

server:
Fri Sep 16 00:10:50 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO]
built on Aug 30 2005
Fri Sep 16 00:10:50 2005 Diffie-Hellman initialized with 2048 bit key
Fri Sep 16 00:10:50 2005 Control Channel Authentication: using 'keys/ta.key'
as a OpenVPN static key file
Fri Sep 16 00:10:50 2005 Outgoing Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 00:10:50 2005 Incoming Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 00:10:50 2005 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0
EL:0 ]
Fri Sep 16 00:10:50 2005 gw 192.168.0.254
Fri Sep 16 00:10:50 2005 TUN/TAP device /dev/tun0 opened
Fri Sep 16 00:10:50 2005 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500
netmask 255.255.255.255 up
Fri Sep 16 00:10:50 2005 /sbin/route add -net 10.8.0.0 10.8.0.2
255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Fri Sep 16 00:10:50 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135
ET:0 EL:0 AF:3/1 ]
Fri Sep 16 00:10:50 2005 GID set to nobody
Fri Sep 16 00:10:50 2005 UID set to nobody
Fri Sep 16 00:10:50 2005 UDPv4 link local (bound): 192.168.0.3:1194
Fri Sep 16 00:10:50 2005 UDPv4 link remote: [undef]
Fri Sep 16 00:10:50 2005 MULTI: multi_init called, r=256 v=256
Fri Sep 16 00:10:50 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Sep 16 00:10:50 2005 IFCONFIG POOL LIST
Fri Sep 16 00:10:50 2005 Initialization Sequence Completed
Fri Sep 16 08:18:50 2005 MULTI: multi_create_instance called
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Re-using SSL/TLS context
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 LZO compression initialized
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Control Channel MTU parms [
L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Data Channel MTU parms [ L:1542
D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Local Options hash (VER=V4):
'14168603'
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Expected Remote Options hash
(VER=V4): '504e774e'
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 TLS: Initial packet from
192.168.0.4:53537, sid=c06f4d68 1e59a37e
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=1,
/C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
webmaster at davemehler.com
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=0,
/C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster at davem
ehler.com
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Cipher
'BF-CBC' initialized with 128 bit key
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Using 160
bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Cipher
'BF-CBC' initialized with 128 bit key
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Using 160
bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Control Channel: TLSv1, cipher
TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 [client1] Peer Connection
Initiated with 192.168.0.4:53537
Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: Learn: 10.8.0.6 ->
client1/192.168.0.4:53537
Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: primary virtual IP
for client1/192.168.0.4:53537: 10.8.0.6
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 PUSH: Received control
message: 'PUSH_REQUEST'
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 SENT CONTROL [client1]:
'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
(status=1)
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in
mroute_extract_addr_from_packet
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in
mroute_extract_addr_from_packet
Fri Sep 16 08:18:56 2005 client1/192.168.0.4:53537 Need IPv6 code in
mroute_extract_addr_from_packet
Fri Sep 16 08:19:02 2005 client1/192.168.0.4:53537 Need IPv6 code in
mroute_extract_addr_from_packet
Fri Sep 16 09:18:51 2005 client1/192.168.0.4:53537 TLS: soft reset sec=0
bytes=37851/0 pkts=714/0
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1,
/C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
webmaster at davemehler.com
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0,
/C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster at davem
ehler.com
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1,
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 10:18:51 2005 client1/192.168.0.4:53537 TLS: tls_process: killed
expiring key
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1,
/C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
webmaster at davemehler.com
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0,
/C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster at davem
ehler.com
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1,
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

client:
openvpn-status.log:
OpenVPN STATISTICS
Updated,Fri Sep 16 11:19:26 2005
TUN/TAP read bytes,624
TUN/TAP write bytes,168
TCP/UDP read bytes,86618
TCP/UDP write bytes,86078
Auth read bytes,17512
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END

client:
Fri Sep 16 08:16:05 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO]
built on Sep 16 2005
Fri Sep 16 08:16:05 2005 IMPORTANT: OpenVPN's default port number is now
1194, based on an official port number assignment by IANA.  OpenVPN
2.0-beta16 and earlier used 5000 as the default port.
Fri Sep 16 08:16:05 2005 Control Channel Authentication: using 'keys/ta.key'
as a OpenVPN static key file
Fri Sep 16 08:16:05 2005 Outgoing Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:16:05 2005 Incoming Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:16:05 2005 LZO compression initialized
Fri Sep 16 08:16:05 2005 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0
ET:0 EL:0 ]
Fri Sep 16 08:16:05 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135
ET:0 EL:0 AF:3/1 ]
Fri Sep 16 08:16:05 2005 Local Options hash (VER=V4): '504e774e'
Fri Sep 16 08:16:05 2005 Expected Remote Options hash (VER=V4): '14168603'
Fri Sep 16 08:16:05 2005 NOTE: UID/GID downgrade will be delayed because
of --client, --pull, or --up-delay
Fri Sep 16 08:16:05 2005 UDPv4 link local: [undef]
Fri Sep 16 08:16:05 2005 UDPv4 link remote: 192.168.0.3:1194
Fri Sep 16 08:16:05 2005 TLS: Initial packet from 192.168.0.3:1194,
sid=c6ba5ec8 98dac724
Fri Sep 16 08:16:05 2005 VERIFY OK: depth=1,
/C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
webmaster at davemehler.com
Fri Sep 16 08:16:05 2005 VERIFY OK: nsCertType=SERVER
Fri Sep 16 08:16:05 2005 VERIFY OK: depth=0,
/C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster at davemehle
r.com
Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Fri Sep 16 08:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 08:16:06 2005 [vpn] Peer Connection Initiated with
192.168.0.3:1194
Fri Sep 16 08:16:07 2005 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Fri Sep 16 08:16:07 2005 PUSH: Received control message: 'PUSH_REPLY,route
192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart
120,ifconfig 10.8.0.6 10.8.0.5'
Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: route options modified
Fri Sep 16 08:16:07 2005 gw 192.168.0.254
Fri Sep 16 08:16:07 2005 TUN/TAP device /dev/tun0 opened
Fri Sep 16 08:16:07 2005 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500
netmask 255.255.255.255 up
Fri Sep 16 08:16:07 2005 /sbin/route add -net 192.168.2.0 10.8.0.5
255.255.255.0
add net 192.168.2.0: gateway 10.8.0.5
Fri Sep 16 08:16:07 2005 /sbin/route add -net 10.8.0.0 10.8.0.5
255.255.255.0
add net 10.8.0.0: gateway 10.8.0.5
Fri Sep 16 08:16:07 2005 GID set to nobody
Fri Sep 16 08:16:07 2005 UID set to nobody
Fri Sep 16 08:16:07 2005 Initialization Sequence Completed
Fri Sep 16 09:16:05 2005 VERIFY OK: depth=1,
/C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
webmaster at davemehler.com
Fri Sep 16 09:16:05 2005 VERIFY OK: nsCertType=SERVER
Fri Sep 16 09:16:05 2005 VERIFY OK: depth=0,
/C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster at davemehle
r.com
Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Fri Sep 16 09:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 10:16:06 2005 TLS: soft reset sec=0 bytes=37328/0 pkts=711/0
Fri Sep 16 10:16:06 2005 VERIFY OK: depth=1,
/C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
webmaster at davemehler.com
Fri Sep 16 10:16:06 2005 VERIFY OK: nsCertType=SERVER
Fri Sep 16 10:16:06 2005 VERIFY OK: depth=0,
/C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster at davemehle
r.com
Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Fri Sep 16 10:16:07 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 11:16:06 2005 TLS: tls_process: killed expiring key
Fri Sep 16 11:16:07 2005 TLS: soft reset sec=0 bytes=37720/0 pkts=713/0
Fri Sep 16 11:16:07 2005 VERIFY OK: depth=1,
/C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=
webmaster at davemehler.com
Fri Sep 16 11:16:07 2005 NOTE: --mute triggered...
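The three addresses in the question (10.8.0.1, 10.8.0.5, 10.8.0.6) and the startup lines "ifconfig tun0 10.8.0.1 10.8.0.2", "IFCONFIG POOL: base=10.8.0.4 size=62" and the pushed "ifconfig 10.8.0.6 10.8.0.5" all follow from the way OpenVPN 2.0 carves a "server NET MASK" block into /30 subnets (the only topology 2.0 has; later releases call it net30). The Python below is an added example written for this archive page, not code from the poster or from the OpenVPN project. It reproduces that arithmetic from the server directive in the post, reports which role a given 10.8.0.x address plays, and maps the ROUTING TABLE entries of a status log (a constructed copy of the one in the post) onto their /30 slots. The function names, the role wording and the sample status text are the example's own.

```python
"""OpenVPN 2.0 ("net30") address layout for a `server NET MASK` block.

Added example for this archive page, not code from the post or from OpenVPN.
The arithmetic mirrors what the daemon itself logs at startup in the post:
    /sbin/ifconfig tun0 10.8.0.1 10.8.0.2    (server's own /30)
    IFCONFIG POOL: base=10.8.0.4 size=62      (one /30 per client)
    ifconfig 10.8.0.6 10.8.0.5                (pushed to client1)
"""
import ipaddress
import re

# Constructed sample input, shaped like the directive and status log in the post.
SERVER_DIRECTIVE = "server 10.8.0.0 255.255.255.0"
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Fri Sep 16 11:09:42 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.0.4:53537,75321,75571,Fri Sep 16 08:18:50 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,192.168.0.4:53537,Fri Sep 16 10:34:37 2005
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def net30_layout(directive):
    """Carve `server NET MASK` the way OpenVPN 2.0 does in net30 mode.

    The server keeps the first /30 (NET+1 local, NET+2 remote). Clients get
    /30s starting at NET+4; the pool stops 4 below the broadcast address, so
    the top /30 of the block is never handed out.
    """
    keyword, net, mask = directive.split()
    if keyword != "server":
        raise ValueError("expected a 'server NET MASK' directive")
    network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
    first = int(network.network_address)
    last = int(network.broadcast_address)
    pool_start, pool_end = first + 4, last - 4
    return {
        "server_local": ipaddress.ip_address(first + 1),
        "server_remote": ipaddress.ip_address(first + 2),
        "pool_start": ipaddress.ip_address(pool_start),
        "pool_end": ipaddress.ip_address(pool_end),
        "pool_size": max(0, (pool_end - pool_start + 1) // 4),
    }


def client_endpoints(layout, slot):
    """Addresses of pool slot `slot`: (client address, remote endpoint).
    This pair is what the server pushes as `ifconfig LOCAL REMOTE`."""
    if not 0 <= slot < layout["pool_size"]:
        raise IndexError(f"slot {slot} outside a pool of {layout['pool_size']}")
    base = int(layout["pool_start"]) + 4 * slot
    return ipaddress.ip_address(base + 2), ipaddress.ip_address(base + 1)


def describe(layout, addr):
    """Role of an address inside the server block.

    Only the server's local address and each client's own address belong to
    a host. The 'remote' ends of the /30s exist so the point-to-point tun
    interfaces have a peer to route through; nothing answers on them."""
    ip = ipaddress.ip_address(addr)
    if ip == layout["server_local"]:
        return "server tun address"
    if ip == layout["server_remote"]:
        return "server-side remote endpoint (route gateway, not a host)"
    off = int(ip) - int(layout["pool_start"])
    if 0 <= off < 4 * layout["pool_size"]:
        slot, pos = divmod(off, 4)
        return {
            0: f"network address of client slot {slot} (unused)",
            1: f"remote endpoint of client slot {slot} (not a host)",
            2: f"address of client slot {slot}",
            3: f"broadcast address of client slot {slot} (unused)",
        }[pos]
    return "outside the client pool"


def annotate_status(layout, text):
    """Read the ROUTING TABLE of an OpenVPN status log and return
    {common_name: (virtual address, its remote endpoint, pool slot)}.
    Subnet entries (iroutes, written as a.b.c.d/n) are skipped."""
    entries = {}
    in_routes = False
    for line in text.splitlines():
        if line == "ROUTING TABLE":
            in_routes = True
        elif line == "GLOBAL STATS":
            break
        elif in_routes and re.match(r"\d+\.\d+\.\d+\.\d+,", line):
            virt, cn, _real, _last_ref = line.split(",", 3)
            slot = (int(ipaddress.ip_address(virt)) - int(layout["pool_start"])) // 4
            try:
                peer = str(client_endpoints(layout, slot)[1])
            except IndexError:
                peer = None  # address assigned statically, outside the pool
            entries[cn] = (virt, peer, slot)
    return entries


if __name__ == "__main__":
    lay = net30_layout(SERVER_DIRECTIVE)
    print(f"server: {lay['server_local']} (remote {lay['server_remote']}); "
          f"pool {lay['pool_start']}-{lay['pool_end']}, {lay['pool_size']} slots")
    for a in ("10.8.0.1", "10.8.0.2", "10.8.0.5", "10.8.0.6"):
        print(f"{a:>10}: {describe(lay, a)}")
    for cn, (virt, peer, slot) in annotate_status(lay, STATUS_LOG).items():
        print(f"{cn}: ifconfig {virt} {peer} (slot {slot})")
```

Run against the directive from the post it reports 10.8.0.1 as the server's tun0 address, 10.8.0.6 as client1's address and 10.8.0.5 as the remote endpoint of client1's /30, an address that no interface on either machine owns. Two practical consequences of the same arithmetic: a /24 server block yields exactly 62 client slots, so "max-clients 100" in the posted server config can never be reached, and a client-to-client ping (or Samba traffic from Windows boxes later) has to target the other client's own address (the slot's +2), never the +1 endpoint.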



More information about the freebsd-questions mailing list