[opensuse] Building VPN network with OpenVPN and OpenSuSE11
Dear my friends,

I am building a VPN network with OpenVPN and OpenSuSE 11. These are what I've done:

- I downloaded and installed OpenVPN with YaST2.

- I copied the file 'server.conf' like this:
"
cp -v /usr/share/doc/packages/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf
"

- I edited "/etc/openvpn/server.conf". This is my current configuration:
"
mysussy:/etc/openvpn # cat server.conf
local 219.83.114.179
port 1194
proto tcp
dev tun
dev-node MyTap
ca /etc/openvpn/easy-rsa/ca.crt
cert /etc/openvpn/easy-rsa/toka-site.crt
key /etc/openvpn/easy-rsa/toka-site.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
"

- "
mysussy:/etc/openvpn # ls
README       ipp.txt              openvpn-startup.sh  static-office.conf
client.conf  loopback-client      openvpn-status.log  tls-home.conf
easy-rsa     loopback-server      server.conf         tls-office.conf
firewall.sh  office.up            server.conf.old     xinetd-client-config
home.up      openvpn-shutdown.sh  static-home.conf    xinetd-server-config
"

- These steps were also done successfully:
"
.. ./vars ../clean-all ../build-ca ../build-key-server toka-site ../build-key sussy-MND
"

The problem is that my openvpn cannot start:
"
mysussy:/etc/openvpn # rcopenvpn start
Starting OpenVPN ...........failed
"

Please help me, what is my mistake?

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Patrik Hasibuan wrote:

> The problem is: But my openvpn can not start.
> mysussy:/etc/openvpn # rcopenvpn start
> Starting OpenVPN ...........failed
>
> Please help me, what is my mistake?

Please post the error messages from /var/log/messages.

--
/Per Jessen, Zürich
Dear Jessen,
Firstly, thank you very much for your help.
These are the error messages in '/var/log/messages':
"
Oct 28 11:14:58 mysussy openvpn[10195]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 28 11:14:58 mysussy openvpn[10195]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 28 11:14:58 mysussy openvpn[10195]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
".
And this is my current 'server.conf':
"
local 219.83.114.179
port 1194
proto tcp
dev tun
dev-node MyTap
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/toka-site.crt
key /usr/share/openvpn/easy-rsa/keys/toka-site.key # This file should be kept secret
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
ns-cert-type server
".
This is my dh generation:
"
mysussy:/usr/share/openvpn/easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................+......+.................+..............+........++*++*++*
mysussy:/usr/share/openvpn/easy-rsa #
".
This is my '/usr/share/openvpn/easy-rsa/keys':
mysussy:~ # ls /usr/share/openvpn/easy-rsa/keys
01.pem ca.key index.txt.attr serial sussy-MND.csr toka-site.csr
02.pem dh1024.pem index.txt.attr.old serial.old sussy-MND.key toka-site.key
ca.crt index.txt index.txt.old sussy-MND.crt toka-site.crt
mysussy:~ #
--- On Mon, 10/27/08, Per Jessen wrote:

> Please post the error messages from /var/log/messages.
On Tuesday 28 October 2008 11:23:27 Patrik Hasibuan wrote:

> Dear Jessen,
> Firstly, thank you very much for your help.
> These are the error messages in '/var/log/messages':
> Oct 28 11:14:58 mysussy openvpn[10195]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
>
> # This file should be kept secret
> dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem

The openvpn daemon cannot open the dh1024.pem file. Can you verify that this file exists where the conf file reports it to be, and also check the permissions of the file. If it exists, then temporarily change the permissions to 644 on the file and try again.

Jon
Dear Jonathan,
Thank you very much for your response.
I've followed your thread but it does not make any change.
The file 'dh1024.pem' exists; here is also the '/var/log/messages':
"
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ls -l
total 44
-rw-r--r-- 1 root root 3953 Oct 28 11:41 01.pem
-rw-r--r-- 1 root root 1273 Oct 28 11:39 ca.crt
-rw------- 1 root root 891 Oct 28 11:39 ca.key
-rw-r--r-- 1 root root 245 Oct 28 11:42 dh1024.pem
-rw-r--r-- 1 root root 116 Oct 28 11:41 index.txt
-rw-r--r-- 1 root root 21 Oct 28 11:41 index.txt.attr
-rw-r--r-- 1 root root 0 Oct 28 11:36 index.txt.old
-rw-r--r-- 1 root root 3 Oct 28 11:41 serial
-rw-r--r-- 1 root root 3 Oct 28 11:36 serial.old
-rw-r--r-- 1 root root 3953 Oct 28 11:41 toka-site.crt
-rw-r--r-- 1 root root 777 Oct 28 11:40 toka-site.csr
-rw------- 1 root root 887 Oct 28 11:40 toka-site.key
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # chmod 644 ./dh1024.pem
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # rcopenvpn start
Starting OpenVPN failed
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # tail -n 30 /var/log/messages
Oct 28 14:30:53 mysussy kernel: printk: 2 messages suppressed.
Oct 28 14:30:54 mysussy openvpn[8502]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 28 14:30:54 mysussy openvpn[8502]: Cannot open file key file 'static.key': No such file or directory (errno=2)
Oct 28 14:30:54 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 28 14:30:54 mysussy openvpn[8502]: Exiting
Oct 28 14:30:54 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 28 14:30:54 mysussy openvpn[8506]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 28 14:30:54 mysussy openvpn[8506]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 28 14:30:54 mysussy openvpn[8506]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 28 14:30:54 mysussy openvpn[8506]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Oct 28 14:30:54 mysussy openvpn[8506]: Exiting
Oct 28 14:30:54 mysussy openvpn[8508]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 28 14:30:54 mysussy openvpn[8508]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 28 14:30:54 mysussy openvpn[8508]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Oct 28 14:30:54 mysussy openvpn[8508]: Exiting
Oct 28 14:30:57 mysussy kernel: printk: 2 messages suppressed.
Oct 28 14:30:57 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 28 14:30:57 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 28 14:31:02 mysussy kernel: printk: 2 messages suppressed.
Oct 28 14:31:02 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 28 14:31:02 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 28 14:31:08 mysussy kernel: printk: 3 messages suppressed.
Oct 28 14:31:08 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 28 14:31:08 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 28 14:31:13 mysussy kernel: printk: 2 messages suppressed.
Oct 28 14:31:13 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 28 14:31:13 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 28 14:31:17 mysussy kernel: printk: 2 messages suppressed.
Oct 28 14:31:17 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 28 14:31:17 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys #
".
--- On Tue, 10/28/08, Jonathan Ervine wrote:

> The openvpn daemon cannot open the dh1024.pem file. Can you verify that this file exists where the conf file reports it to be, and also check the permissions of the file. If it exists, then temporarily change the permissions to 644 on the file and try again.
On Tuesday 28 October 2008 14:45:28 Patrik Hasibuan wrote:

> Dear Jonathan,
> Thank you very much for your response.

No problem.

> I've followed your thread but it does not make any change.
> The file 'dh1024.pem' exists; here is also the '/var/log/messages':
> "
> mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ls -l
> total 44
> [...]
> -rw-r--r-- 1 root root 245 Oct 28 11:42 dh1024.pem
> [...]
> -rw------- 1 root root 887 Oct 28 11:40 toka-site.key

The above is fine.

> Starting OpenVPN failed
> mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # tail -n 30 /var/log/messages
> [...]
> Oct 28 14:30:54 mysussy openvpn[8502]: Cannot open file key file 'static.key': No such file or directory (errno=2)
> Oct 28 14:30:54 mysussy openvpn[8502]: Exiting

Here is a problem. It's looking for a file called static.key

> Oct 28 14:30:54 mysussy openvpn[8506]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
> Oct 28 14:30:54 mysussy openvpn[8506]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
> Oct 28 14:30:54 mysussy openvpn[8506]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
> Oct 28 14:30:54 mysussy openvpn[8506]: Exiting

Here is another problem, it's looking for a file called home.crt

> Oct 28 14:30:54 mysussy openvpn[8508]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
> Oct 28 14:30:54 mysussy openvpn[8508]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
> Oct 28 14:30:54 mysussy openvpn[8508]: Exiting

Another problem is that it can't open dh1024.pem (even though we've verified and confirmed that this file exists). I suspect that the openvpn daemon is not using your config file to start up. Where is your server.conf located?

As a test, as root try running:

openvpn --config <path to your config file>

And see what errors (if any) are produced...

Jon
Dear my friend, Jonathan.
Please keep telling me.
Here is where my 'server.conf' is:
"
mysussy:~ # ls /etc/openvpn/server.conf
/etc/openvpn/server.conf
".
This is the test:
"
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf
Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
Tue Oct 28 16:31:45 2008 Exiting
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys #
".
This is my "server.conf":
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf
local 219.83.114.179
port 1194
proto tcp
dev tun
dev-node MyTap
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt
key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
ns-cert-type server
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys #
--- On Tue, 10/28/08, Jonathan Ervine wrote:

> I suspect that the openvpn daemon is not using your config file to start up. Where is your server.conf located? As a test, as root try running: openvpn --config <path to your config file>
> And see what errors (if any) are produced...
Patrik Hasibuan wrote:

> This is the test:
> "
> mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf
> Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
> Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
> Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
> Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
> Tue Oct 28 16:31:45 2008 Exiting
> mysussy:/usr/share/openvpn/easy-rsa/2.0/keys #
> ".

It seems to be clearly complaining about "MyTap".

> This is my "server.conf":
> mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf
> local 219.83.114.179
> port 1194
> proto tcp
> dev tun
> dev-node MyTap

My VPN server config does not have a "dev-node" entry, I'm not sure what the default is.

/Per

--
/Per Jessen, Zürich
On Tuesday 28 October 2008 17:01:26 Per Jessen wrote:

> Patrik Hasibuan wrote:
>
>> This is the test:
>> mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf
>> Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
>> Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
>> Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
>> Tue Oct 28 16:31:45 2008 Exiting
>
> It seems to be clearly complaining about "MyTap".

Yep - but no further errors in the messages file about the various SSL files. I'm still of the opinion that the daemon script isn't reading his config file.

>> This is my "server.conf":
>> mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf
>> local 219.83.114.179
>> port 1194
>> proto tcp
>> dev tun
>> dev-node MyTap
>
> My VPN server config does not have a "dev-node" entry, I'm not sure what the default is.

Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces.
How should I tell my openvpn that it should use the 'server.conf' which resides in '/etc/openvpn/server.conf'?
--- On Tue, 10/28/08, Jonathan Ervine wrote:

> Yep - but no further errors in the messages file about the various SSL files. I'm still of the opinion that the daemon script isn't reading his config file.
> [...]
> Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces.
On Tuesday 28 October 2008 17:28:35 Patrik Hasibuan wrote:

> How should I tell my openvpn that it should use the 'server.conf' which resides in '/etc/openvpn/server.conf'?

I'd worry about that after getting the openvpn server to start up without errors from the command line when specifying the config file to use.

>>> /etc/openvpn/server.conf
>>> local 219.83.114.179
>>> port 1194
>>> proto tcp
>>> dev tun
>>> dev-node MyTap
>>
>> My VPN server config does not have a "dev-node" entry, I'm not sure what the default is.
>
> Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces.

If you remove the dev-node line from your server.conf file (or simply comment it out), can you then get the openvpn server to start?

The config file being used by the openvpn daemon script should be specified in the /etc/init.d/openvpn script file. By default this directory is set to /etc/openvpn - I'd check that there isn't a client.conf (or any other .conf file) in there.

Jon
Dear Jo,
I checked in the '/etc/init.d/openvpn':
"
....
....
DAEMON="OpenVPN"
openvpn=/usr/sbin/openvpn
confdir=/etc/openvpn
piddir=/var/run/openvpn
....
....
".
So it means my openvpn reads the 'server.conf' which resides in '/etc/openvpn/server.conf'.
I've removed the 'dev' lines in my '/etc/openvpn/server.conf':
"
mysussy:/etc/openvpn # cat server.conf
local 219.83.114.179
port 1194
proto tcp
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt
key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
ns-cert-type server
mysussy:/etc/openvpn #
".
Here is my '/var/log/messages', which I saw after my openvpn failed to start:
"
mysussy:/etc/openvpn # tail -n 30 /var/log/messages
Oct 30 09:03:34 mysussy openvpn[10361]: Cannot open file key file 'static.key': No such file or directory (errno=2)
Oct 30 09:03:34 mysussy openvpn[10361]: Exiting
Oct 30 09:03:35 mysussy openvpn[10365]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10365]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10365]: Cannot open file key file 'static.key': No such file or directory (errno=2)
Oct 30 09:03:35 mysussy openvpn[10365]: Exiting
Oct 30 09:03:35 mysussy openvpn[10369]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10369]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10369]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 30 09:03:35 mysussy openvpn[10369]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Oct 30 09:03:35 mysussy openvpn[10369]: Exiting
Oct 30 09:03:35 mysussy openvpn[10374]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10374]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10374]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Oct 30 09:03:35 mysussy openvpn[10374]: Exiting
Oct 30 09:03:38 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:38 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:38 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:42 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:42 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:42 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:48 mysussy kernel: printk: 3 messages suppressed.
Oct 30 09:03:48 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:48 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:53 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:53 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:53 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:58 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:58 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:58 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
mysussy:/etc/openvpn #
"
--- On Tue, 10/28/08, Jonathan Ervine
From: Jonathan Ervine
Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Tuesday, October 28, 2008, 9:35 AM On Tuesday 28 October 2008 17:28:35 Patrik Hasibuan wrote: How should I tell my openvpn that he should use the 'server.conf' which resides in '/etc/openvpn/server.conf'?
I'd worry about that after getting the openvpn server to start up without errors from the command line when specifying the config file to use.
/etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap
My VPN server config does not have a
"dev-node" entry, I'm not sure what
the default is.
Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces.
If you remove the dev-node line from your server.conf file (or simply comment it out), can you then get the openvpn server to start? The config file being used by the openvpn daemon script should be specified in the /etc/init.d/openvpn script file. By default this directory is set to /etc/openvpn - I'd check that there isn't a client.conf (or any other .conf file) in there.
Jon
On Thursday 30 October 2008 09:12:47 Patrik Hasibuan wrote:
Dear Jo,
I checked in the '/etc/init.d/openvpn':
"
....
....
DAEMON="OpenVPN"
openvpn=/usr/sbin/openvpn
confdir=/etc/openvpn
piddir=/var/run/openvpn
....
....
"
So it means my openvpn reads the 'server.conf' which resides in '/etc/openvpn/server.conf'.
I suspect it means it will read _any_ conf file in /etc/openvpn. It's still not reading the conf file you wish it to - see below...
I've removed the dev in my '/etc/openvpn/server.conf':
"
mysussy:/etc/openvpn # cat server.conf
local 219.83.114.179
port 1194
proto tcp
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt
key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
ns-cert-type server
mysussy:/etc/openvpn #
".
Here is my '/var/log/messages', which I saw after my openvpn failed to start:
"
mysussy:/etc/openvpn # tail -n 30 /var/log/messages
Oct 30 09:03:34 mysussy openvpn[10361]: Cannot open file key file 'static.key': No such file or directory (errno=2)
Oct 30 09:03:34 mysussy openvpn[10361]: Exiting
It's still trying to load static.key which doesn't exist. So it's still reading the wrong conf file. I don't know why, and as per my previous email I'd worry about that after getting openvpn to start up from the command line by explicitly specifying the conf file you wish to use...
Oct 30 09:03:35 mysussy openvpn[10365]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10365]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10365]: Cannot open file key file 'static.key': No such file or directory (errno=2)
Oct 30 09:03:35 mysussy openvpn[10365]: Exiting
Oct 30 09:03:35 mysussy openvpn[10369]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10369]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10369]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 30 09:03:35 mysussy openvpn[10369]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Oct 30 09:03:35 mysussy openvpn[10369]: Exiting
Oct 30 09:03:35 mysussy openvpn[10374]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10374]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10374]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Oct 30 09:03:35 mysussy openvpn[10374]: Exiting
A few more error messages about missing files: home.crt and dh1024.pem. Please run openvpn --config /etc/openvpn/server.conf from a root command line. This will at least tell us that the conf file is sane and works. Then we can worry about getting the daemon to use this file...
Jon
Dear Jo,
This is my try:
"
mysussy:~ # ls /etc/openvpn
README loopback-client server.conf xinetd-client-config
client.conf loopback-server server.conf.orig xinetd-server-config
easy-rsa office.up static-home.conf xinetd-server-config.orig
firewall.sh openvpn-shutdown.sh static-office.conf
home.up openvpn-startup.sh tls-home.conf
ipp.txt openvpn-status.log tls-office.conf
mysussy:~ # cd /
mysussy:/ # openvpn --config /etc/openvpn/server.conf
Thu Oct 30 11:23:05 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Thu Oct 30 11:23:05 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use
Thu Oct 30 11:23:05 2008 Exiting
mysussy:/ # cd /etc/openvpn
mysussy:/etc/openvpn # openvpn --config /etc/openvpn/server.conf
Thu Oct 30 11:23:20 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Thu Oct 30 11:23:21 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use
Thu Oct 30 11:23:21 2008 Exiting
mysussy:/etc/openvpn #
"
'219.83.114.179' is the global IP address of my outer wlan-card towards the internet gateway of our ISP.
I am confused why port '1194' is already occupied while 'openvpn' still cannot start. Who/which is using this port number?
Please advise me.
On Thursday 30 October 2008 11:29:46 Patrik Hasibuan wrote:
Dear Jo,
This is my try:
"
mysussy:~ # ls /etc/openvpn
README loopback-client server.conf xinetd-client-config
client.conf loopback-server server.conf.orig xinetd-server-config
easy-rsa office.up static-home.conf xinetd-server-config.orig
firewall.sh openvpn-shutdown.sh static-office.conf
home.up openvpn-startup.sh tls-home.conf
ipp.txt openvpn-status.log tls-office.conf
So there are loads of .conf files in there ... you'll need to reduce this to one (server.conf) at some point.
mysussy:~ # cd /
mysussy:/ # openvpn --config /etc/openvpn/server.conf
Thu Oct 30 11:23:05 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Thu Oct 30 11:23:05 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use
Thu Oct 30 11:23:05 2008 Exiting
mysussy:/ # cd /etc/openvpn
mysussy:/etc/openvpn # openvpn --config /etc/openvpn/server.conf
Thu Oct 30 11:23:20 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Thu Oct 30 11:23:21 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use
Thu Oct 30 11:23:21 2008 Exiting
mysussy:/etc/openvpn #
"
Probably an existing instance of openvpn is holding the port open. netstat -anp | grep 1194 should tell you which process has this port open. Kill the process and start it again from the command line.
'219.83.114.179' is the global IP address of my outer wlan-card towards the internet gateway of our ISP.
I am confused why port '1194' is already occupied while 'openvpn' still cannot start. Who/which is using this port number?
Please advise me.
See above.
Dear Jo,
You were absolutely correct. Thank you very much for your help. My problem has been solved, although I still have a problem with its 'TLS Negotiation'.
I spent a whole day understanding the information you gave me. I thought you informed me clearly enough that the solution should not be far away anymore:
- I just removed all the "conf" file in the "/etc/openvpn/" except 'server.conf';
- 'netstat -anp ....' and kill the service which use '1194';
- no 'dev-node';
- 'dev tun';
And then my openvpn works. Below in my email, I put the log file.
But the client still cannot connect to the openvpn-server. The error message is about a TLS problem. I've tried to browse the internet looking for the solution. It seems many people have the same problem.
What should I do now? What steps should I actually take to make the TLS negotiation work properly?
I put the content of my current 'client.conf' and the '/var/log/messages'.
=========
Here's on the client-side.
=========
sussy-MND:~ # cat /etc/openvpn/client.conf
client
dev tun
proto udp
remote 219.83.114.179 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/cli-MND.crt
key /etc/openvpn/keys/cli-MND.key
ns-cert-type client
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
sussy-MND:~ # rcopenvpn status
Checking for OpenVPN: running
Status written to /var/log/messages
sussy-MND:~ # tail -n 30 /var/log/messages
Nov 1 10:49:56 sussy-MND openvpn[3639]: UDPv4 link local: [undef]
Nov 1 10:49:56 sussy-MND openvpn[3639]: UDPv4 link remote: 219.83.114.179:1194
Nov 1 10:50:56 sussy-MND openvpn[3639]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 1 10:50:56 sussy-MND openvpn[3639]: TLS Error: TLS handshake failed
Nov 1 10:50:56 sussy-MND openvpn[3639]: TCP/UDP: Closing socket
Nov 1 10:50:56 sussy-MND openvpn[3639]: SIGUSR1[soft,tls-error] received, process restarting
Nov 1 10:50:56 sussy-MND openvpn[3639]: Restart pause, 2 second(s)
Nov 1 10:50:59 sussy-MND openvpn[3639]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 1 10:50:59 sussy-MND openvpn[3639]: Re-using SSL/TLS context
Nov 1 10:50:59 sussy-MND openvpn[3639]: LZO compression initialized
Nov 1 10:50:59 sussy-MND openvpn[3639]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 1 10:50:59 sussy-MND openvpn[3639]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Nov 1 10:50:59 sussy-MND openvpn[3639]: Local Options hash (VER=V4): '41690919'
Nov 1 10:50:59 sussy-MND openvpn[3639]: Expected Remote Options hash (VER=V4): '530fdded'
Nov 1 10:50:59 sussy-MND openvpn[3639]: UDPv4 link local: [undef]
Nov 1 10:50:59 sussy-MND openvpn[3639]: UDPv4 link remote: 219.83.114.179:1194
Nov 1 10:51:36 sussy-MND openvpn[3639]: event_wait : Interrupted system call (code=4)
Nov 1 10:51:36 sussy-MND openvpn[3639]: TCP/UDP: Closing socket
Nov 1 10:51:36 sussy-MND openvpn[3639]: SIGTERM[hard,] received, process exiting
Nov 1 10:51:39 sussy-MND openvpn[6381]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Nov 1 10:51:39 sussy-MND openvpn[6381]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 1 10:51:39 sussy-MND openvpn[6381]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 1 10:51:39 sussy-MND openvpn[6381]: WARNING: file '/etc/openvpn/keys/cli-MND.key' is group or others accessible
Nov 1 10:51:39 sussy-MND openvpn[6381]: LZO compression initialized
Nov 1 10:51:39 sussy-MND openvpn[6381]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 1 10:51:39 sussy-MND openvpn[6381]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Nov 1 10:51:39 sussy-MND openvpn[6381]: Local Options hash (VER=V4): '41690919'
Nov 1 10:51:39 sussy-MND openvpn[6381]: Expected Remote Options hash (VER=V4): '530fdded'
Nov 1 10:51:39 sussy-MND openvpn[6382]: UDPv4 link local: [undef]
Nov 1 10:51:39 sussy-MND openvpn[6382]: UDPv4 link remote: 219.83.114.179:1194
sussy-MND:~ #
=========
Here's on the server-side.
=========
mysussy:~ # cat /etc/openvpn/server.conf
local 219.83.114.179
port 1194
proto udp
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/toka-site.crt
key /etc/openvpn/easy-rsa/2.0/keys/toka-site.key
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
ns-cert-type server
mysussy:~ # tail -n 40 /var/log/messages
Nov 1 10:07:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:03 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:03 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:03 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:09 mysussy kernel: printk: 3 messages suppressed.
Nov 1 10:08:09 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:09 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:14 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:14 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:14 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:19 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:19 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:19 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:23 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:23 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:23 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:28 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:28 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:28 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:34 mysussy kernel: printk: 3 messages suppressed.
Nov 1 10:08:34 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:34 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:39 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:39 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:39 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:43 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:43 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:43 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:48 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:48 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:48 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:54 mysussy kernel: printk: 3 messages suppressed.
Nov 1 10:08:54 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:54 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:08:59 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:08:59 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:08:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Nov 1 10:09:04 mysussy kernel: printk: 2 messages suppressed.
Nov 1 10:09:04 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Nov 1 10:09:04 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
mysussy:~ # rcopenvpn status
Checking for OpenVPN: running
Status written to /var/log/messages
mysussy:~ #
Dear my friends, I am confused about the virtual interface (tun0-00) for the client-side. Why is the virtual interface (tun0-00) on the server-side visible from 'ifconfig', while the virtual interface (tun0-00) on the client-side is not visible/displayed from 'ifconfig'? Please see below:
=====
server-side:
-----
mysussy:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:19:D1:3C:A0:30
          inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::219:d1ff:fe3c:a030/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1515061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2533595 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:99929181 (95.2 Mb)  TX bytes:3658131803 (3488.6 Mb)
          Memory:30300000-30320000

eth5      Link encap:Ethernet  HWaddr 00:50:DA:C4:C7:95
          inet addr:219.83.114.179  Bcast:219.83.114.183  Mask:255.255.255.248
          inet6 addr: fe80::250:daff:fec4:c795/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:299136 errors:0 dropped:0 overruns:0 frame:0
          TX packets:210000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:352775825 (336.4 Mb)  TX bytes:20866755 (19.9 Mb)
          Interrupt:21 Base address:0x2800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4387376 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4387376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1814729105 (1730.6 Mb)  TX bytes:1814729105 (1730.6 Mb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
mysussy:~ #
=====
client-side
-----
sussy-MND:~ # ifconfig
dsl0      Link encap:Point-to-Point Protocol
          inet addr:192.168.11.3  P-t-P:192.168.21.110  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:14049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12576 errors:0 dropped:8 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:8422795 (8.0 Mb)  TX bytes:1941219 (1.8 Mb)

eth1      Link encap:Ethernet  HWaddr 00:19:21:66:02:F5
          inet addr:192.161.1.42  Bcast:192.161.1.255  Mask:255.255.255.0
          inet6 addr: fe80::219:21ff:fe66:2f5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:90600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23090572 (22.0 Mb)  TX bytes:3703103 (3.5 Mb)
          Interrupt:20 Base address:0x6800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:63695 (62.2 Kb)  TX bytes:63695 (62.2 Kb)
sussy-MND:~ #
=====
These are my '*.conf' files:
=====
server-side (server.conf):
-----
mysussy:~ # cat /etc/openvpn/server.conf
local 219.83.114.179
port 1194
proto tcp
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/toka-site.crt
key /etc/openvpn/easy-rsa/2.0/keys/toka-site.key
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
ns-cert-type server
comp-lzo
verb 3
mysussy:~ #
=====
client-side (client.conf):
-----
sussy-MND:~ # cat /etc/openvpn/client.conf
client
dev tun
proto tcp
remote 219.83.114.179 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/cli-MND.crt
key /etc/openvpn/keys/cli-MND.key
ns-cert-type server
comp-lzo
verb 3
sussy-MND:~ #
=====
If I don't have 'tun0-00' on my client-side station, how can I have the virtual interface with the IP address '10.8.0.2'? And why is the connection always reset? I don't understand. " Nov 1 15:43:44 sussy-MND openvpn[9479]: Connection reset, restarting [0] ". Please tell me my mistake. Thank you very much in advance.
=====
This is the '/var/log/messages' on the client-side
-----
sussy-MND:~ # tail -n 40 /var/log/messages
Nov 1 15:43:03 sussy-MND openvpn[9479]: TCP connection established with 219.83.114.179:1194
Nov 1 15:43:03 sussy-MND openvpn[9479]: TCPv4_CLIENT link local: [undef]
Nov 1 15:43:03 sussy-MND openvpn[9479]: TCPv4_CLIENT link remote: 219.83.114.179:1194
Nov 1 15:43:04 sussy-MND openvpn[9479]: TLS: Initial packet from 219.83.114.179:1194, sid=15e7403e 2ed3956a
Nov 1 15:43:22 sussy-MND openvpn[9479]: VERIFY OK: depth=1, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com
Nov 1 15:43:22 sussy-MND openvpn[9479]: VERIFY OK: nsCertType=SERVER
Nov 1 15:43:22 sussy-MND openvpn[9479]: VERIFY OK: depth=0, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com
Nov 1 15:43:38 sussy-MND openvpn[9479]: event_wait : Interrupted system call (code=4)
Nov 1 15:43:38 sussy-MND openvpn[9479]: OpenVPN STATISTICS
Nov 1 15:43:38 sussy-MND openvpn[9479]: Updated,Sat Nov 1 15:43:38 2008
Nov 1 15:43:38 sussy-MND openvpn[9479]: TUN/TAP read bytes,0
Nov 1 15:43:38 sussy-MND openvpn[9479]: TUN/TAP write bytes,0
Nov 1 15:43:38 sussy-MND openvpn[9479]: TCP/UDP read bytes,5398
Nov 1 15:43:38 sussy-MND openvpn[9479]: TCP/UDP write bytes,3828
Nov 1 15:43:38 sussy-MND openvpn[9479]: Auth read bytes,0
Nov 1 15:43:38 sussy-MND openvpn[9479]: pre-compress bytes,0
Nov 1 15:43:38 sussy-MND openvpn[9479]: post-compress bytes,0
Nov 1 15:43:38 sussy-MND openvpn[9479]: pre-decompress bytes,0
Nov 1 15:43:38 sussy-MND openvpn[9479]: post-decompress bytes,0
Nov 1 15:43:38 sussy-MND openvpn[9479]: END
Nov 1 15:43:44 sussy-MND openvpn[9479]: Connection reset, restarting [0]
Nov 1 15:43:44 sussy-MND openvpn[9479]: TCP/UDP: Closing socket
Nov 1 15:43:44 sussy-MND openvpn[9479]: SIGUSR1[soft,connection-reset] received, process restarting
Nov 1 15:43:44 sussy-MND openvpn[9479]: Restart pause, 5 second(s)
Nov 1 15:43:49 sussy-MND openvpn[9479]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 1 15:43:49 sussy-MND openvpn[9479]: Re-using SSL/TLS context
Nov 1 15:43:49 sussy-MND openvpn[9479]: LZO compression initialized
Nov 1 15:43:49 sussy-MND openvpn[9479]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 1 15:43:49 sussy-MND openvpn[9479]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Nov 1 15:43:49 sussy-MND openvpn[9479]: Local Options hash (VER=V4): '69109d17'
Nov 1 15:43:49 sussy-MND openvpn[9479]: Expected Remote Options hash (VER=V4): 'c0103fa8'
Nov 1 15:43:49 sussy-MND openvpn[9479]: Attempting to establish TCP connection with 219.83.114.179:1194
Nov 1 15:43:50 sussy-MND openvpn[9479]: TCP connection established with 219.83.114.179:1194
Nov 1 15:43:50 sussy-MND openvpn[9479]: TCPv4_CLIENT link local: [undef]
Nov 1 15:43:50 sussy-MND openvpn[9479]: TCPv4_CLIENT link remote: 219.83.114.179:1194
Nov 1 15:43:50 sussy-MND openvpn[9479]: TLS: Initial packet from 219.83.114.179:1194, sid=8a938fc2 c9c42384
Nov 1 15:43:51 sussy-MND smartd[3926]: Device: /dev/sda, SMART Usage Attribute: 194 Temperature_Celsius changed from 152 to 148
Nov 1 15:44:07 sussy-MND openvpn[9479]: VERIFY OK: depth=1, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com
Nov 1 15:44:07 sussy-MND openvpn[9479]: VERIFY OK: nsCertType=SERVER
Nov 1 15:44:07 sussy-MND openvpn[9479]: VERIFY OK: depth=0, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com
sussy-MND:~ #
=====
Patrik Hasibuan wrote:
But the client still can not connect to the openvpn-server. The error message is about TLS problem. I've tried to browse in the internet looking for the solution. It seems many people have the same problem.
What should I do now? What steps should I actually do to make the TLS negotiation works properly?
I put the content of my current 'client.conf' and the '/var/log/messages'.
=========
Here's on the client-side.
=========
sussy-MND:~ # cat /etc/openvpn/client.conf
[..]
ns-cert-type client
^^^^^^
Have you, sorry to be brute, even bothered to read openvpn's man page?
--ns-cert-type client|server
Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server".
This is a useful security option for clients, to ensure that the host they connect with is a designated server.
See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server".
If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server.
This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.
Thus ns-cert-type must be 'server' on the clients' side.
=========
Here's on the server-side.
=========
mysussy:~ # cat /etc/openvpn/server.conf
local 219.83.114.179
This *is* the server's external IP address right? To be clear: it must be the address of the WAN (external) interface, so if you're using e.g. a NAT device (e.g. an ADSL modem), you must set the address on the 'inside', e.g. 10.0.0.138.
ns-cert-type server
This doesn't belong in the server's config file.
mysussy:~ # tail -n 40 /var/log/messages
Nov 1 10:07:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
And you need to wise-up your firewall or your route-table.
Theo
--
Theo v. Werkhoven, NL (ICBM 52 13 26N , 4 29 47E).
A casual stroll through the lunatic asylum shows that faith does not prove anything.
Friedrich Nietzsche, German philosopher (1844 - 1900)
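As an added example, not code from the thread or from OpenVPN, here is a small Python lint for a server.conf/client.conf pair that catches the mistakes raised in this thread by Jon (every *.conf in confdir gets started; dev-node beside dev tun) and by Theo (ns-cert-type on the wrong side), plus proto/port agreement between the two peers. The sample configs are the ones Patrik posted (abridged); the confdir listing is a constructed subset of his ls output.

```python
"""Added example, not code from the thread or from OpenVPN: lint a server.conf /
client.conf pair for the mistakes discussed above. Sample configs are Patrik's as
posted (abridged); CONFDIR_LISTING is a constructed subset of his 'ls'."""
import shlex

# server.conf as posted on Nov 1 (still carries 'ns-cert-type server')
SERVER_CONF = """\
local 219.83.114.179
port 1194
proto udp
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/toka-site.crt
key /etc/openvpn/easy-rsa/2.0/keys/toka-site.key
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
ns-cert-type server
"""
# client.conf as posted on Nov 1 ('ns-cert-type client' is the TLS-breaking line)
CLIENT_CONF = """\
client
dev tun
proto udp
remote 219.83.114.179 1194
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/cli-MND.crt
key /etc/openvpn/keys/cli-MND.key
ns-cert-type client
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
"""
# the thread's first server.conf, abridged: dev-node next to dev tun, proto tcp
EARLY_SERVER_CONF = ("local 219.83.114.179\nport 1194\nproto tcp\ndev tun\n"
                     "dev-node MyTap\nkey toka-site.key # This file should be kept secret\n")
# constructed: some of the files from the 'ls /etc/openvpn' in the thread
CONFDIR_LISTING = ["README", "client.conf", "ipp.txt", "server.conf",
                   "static-home.conf", "tls-home.conf"]

def parse_openvpn_conf(text):
    """OpenVPN config: one directive per line; '#' starts a comment anywhere and a
    leading ';' disables a line (how the sample files switch options off)."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out

def get(directives, name):
    """Args of the first `name` directive, or None when it is absent."""
    return next((args for key, args in directives if key == name), None)

def conf_files_started(listing):
    """/etc/init.d/openvpn starts one daemon per *.conf in confdir, so each of
    these becomes a separate instance (and a contender for port 1194)."""
    return sorted(f for f in listing if f.endswith(".conf"))

def lint_pair(server_text, client_text, confdir_listing=()):
    """Return findings as 'LEVEL side: message' strings; an empty list is clean."""
    srv, cli = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    f = []
    confs = conf_files_started(confdir_listing)
    if len(confs) > 1:
        f.append("ERROR confdir: all of %s will be started" % ", ".join(confs))
    for side, d in (("server", srv), ("client", cli)):
        if get(d, "dev-node") is not None and get(d, "dev") == ["tun"]:
            f.append("WARN %s: dev-node is not needed with 'dev tun'; drop it" % side)
    # ns-cert-type names what the *peer's* cert must be designated as: only a client
    # should demand 'server'; a server demanding it rejects every build-key client.
    if get(srv, "ns-cert-type") == ["server"]:
        f.append("ERROR server: 'ns-cert-type server' belongs in client.conf, not here")
    cli_nct = get(cli, "ns-cert-type")
    if cli_nct == ["client"]:
        f.append("ERROR client: 'ns-cert-type client' rejects the real server; use 'server'")
    elif cli_nct is None and get(cli, "tls-remote") is None and get(cli, "tls-verify") is None:
        f.append("WARN client: no server certificate verification (MITM warning at startup)")
    # transport: 'tcp' is tcp-server on one side and tcp-client on the other
    proto = lambda d: "tcp" if (get(d, "proto") or ["udp"])[0].startswith("tcp") else "udp"
    if proto(srv) != proto(cli):
        f.append("ERROR proto: server %s but client %s" % (proto(srv), proto(cli)))
    # the client's 'remote host port' must hit the port the server binds
    remote, srv_port = get(cli, "remote"), (get(srv, "port") or ["1194"])[0]
    cli_port = remote[1] if remote and len(remote) > 1 else "1194"
    if remote is None:
        f.append("ERROR client: no 'remote' directive")
    elif cli_port != srv_port:
        f.append("ERROR port: client uses %s, server listens on %s" % (cli_port, srv_port))
    if (get(srv, "dev") or [""])[0][:3] != (get(cli, "dev") or [""])[0][:3]:
        f.append("ERROR dev: tun/tap type differs between server and client")
    return f

if __name__ == "__main__":
    for finding in lint_pair(SERVER_CONF, CLIENT_CONF, CONFDIR_LISTING):
        print(finding)
```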
Hi Theo.
You solved my problem. Thank you thousand times.....
I really appreciate your help.
Best regards,
Patrik Hasibuan.
--- On Sat, 11/1/08, Theo van Werkhoven
From: Theo van Werkhoven
Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11-->TLS negotiation.
To: opensuse@opensuse.org
Date: Saturday, November 1, 2008, 9:41 AM

Patrik Hasibuan wrote:
But the client still can not connect to the openvpn-server. The error message is about a TLS problem. I've tried to browse the internet looking for the solution. It seems many people have the same problem.
What should I do now? What steps should I actually do to make the TLS negotiation work properly?
Dear Jo,
Thank you very...very...much for your help. My problems have been solved.
You solved some of my problems.....
--- On Thu, 10/30/08, Jonathan Ervine
From: Jonathan Ervine
Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11
To: opensuse@opensuse.org
Date: Thursday, October 30, 2008, 3:43 AM

On Thursday 30 October 2008 11:29:46 Patrik Hasibuan wrote:
Dear Jo,
This is my try:
"
mysussy:~ # ls /etc/openvpn
README       loopback-client      server.conf          xinetd-client-config
client.conf  loopback-server      server.conf.orig     xinetd-server-config
easy-rsa     office.up            static-home.conf     xinetd-server-config.orig
firewall.sh  openvpn-shutdown.sh  static-office.conf
home.up      openvpn-startup.sh   tls-home.conf
ipp.txt      openvpn-status.log   tls-office.conf
So there are loads of .conf files in there ... you'll need to reduce this to one (server.conf) at some point.
mysussy:~ # cd /
mysussy:/ # openvpn --config /etc/openvpn/server.conf
Thu Oct 30 11:23:05 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Thu Oct 30 11:23:05 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use
Thu Oct 30 11:23:05 2008 Exiting
mysussy:/ # cd /etc/openvpn
mysussy:/etc/openvpn # openvpn --config /etc/openvpn/server.conf
Thu Oct 30 11:23:20 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Thu Oct 30 11:23:21 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use
Thu Oct 30 11:23:21 2008 Exiting
mysussy:/etc/openvpn #
"
Probably an existing instance of openvpn is holding the port open. netstat -anp | grep 1194 should tell you which process has this port open. Kill the process and start it again from the command line.
'219.83.114.179' is the global IP number of my outer wlan-card towards the internet gateway of our ISP.
I am confused why the port-number of '1194' has been already occupied whereas the 'openvpn' still can not start. Who/which is using this port-number?
Please advise me.
See above.
Dear Per,
I checked in the '/etc/init.d/openvpn':
"
.....
.....
DAEMON="OpenVPN"
openvpn=/usr/sbin/openvpn
confdir=/etc/openvpn
piddir=/var/run/openvpn
.....
.....
".
So it means my openvpn read the 'server.conf' which resides in '/etc/openvpn/server.conf'.
I've removed the 'dev tun' and 'dev-node MyTap' in my '/etc/openvpn/server.conf', but my openvpn still can not start:
"
mysussy:/etc/openvpn # cat server.conf
local 219.83.114.179
port 1194
proto tcp
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt
key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
ns-cert-type server
mysussy:/etc/openvpn #
".
Here is my '/var/log/messages', which I looked at once my openvpn failed to start:
"
mysussy:/etc/openvpn # tail -n 30 /var/log/messages
Oct 30 09:03:34 mysussy openvpn[10361]: Cannot open file key file 'static.key': No such file or directory (errno=2)
Oct 30 09:03:34 mysussy openvpn[10361]: Exiting
Oct 30 09:03:35 mysussy openvpn[10365]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10365]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10365]: Cannot open file key file 'static.key': No such file or directory (errno=2)
Oct 30 09:03:35 mysussy openvpn[10365]: Exiting
Oct 30 09:03:35 mysussy openvpn[10369]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10369]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10369]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 30 09:03:35 mysussy openvpn[10369]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Oct 30 09:03:35 mysussy openvpn[10369]: Exiting
Oct 30 09:03:35 mysussy openvpn[10374]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Oct 30 09:03:35 mysussy openvpn[10374]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 30 09:03:35 mysussy openvpn[10374]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Oct 30 09:03:35 mysussy openvpn[10374]: Exiting
Oct 30 09:03:38 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:38 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:38 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:42 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:42 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:42 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:48 mysussy kernel: printk: 3 messages suppressed.
Oct 30 09:03:48 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:48 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:53 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:53 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:53 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
Oct 30 09:03:58 mysussy kernel: printk: 2 messages suppressed.
Oct 30 09:03:58 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0
Oct 30 09:03:58 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
mysussy:/etc/openvpn #
"
Please keep telling me. I'm stuck now. Thank you very much in advance.
--- On Tue, 10/28/08, Per Jessen
From: Per Jessen
Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11
To: opensuse@opensuse.org
Date: Tuesday, October 28, 2008, 9:01 AM

Patrik Hasibuan wrote:
This is the test:
"
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf
Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008
Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2)
Tue Oct 28 16:31:45 2008 Exiting
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys #
".
It seems to be clearly complaining about "MyTap".
This is my "server.conf":
mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf
local 219.83.114.179
port 1194
proto tcp
dev tun
dev-node MyTap
My VPN server config does not have a "dev-node" entry, I'm not sure what the default is.
/Per
-- /Per Jessen, Zürich
participants (4)
- Jonathan Ervine
- Patrik Hasibuan
- Per Jessen
- Theo van Werkhoven