[opensuse] Building VPN network with OpenVPN and OpenSuSE11

Patrik Hasibuan

27 Oct 2008 27 Oct '08

09:11

Dear my friends, I am building a VPN Network with OpenVPN and OpenSuSE11. These are what I've done: - I downloaded and installed OpenVPN with YaST2. - I copied the file of 'server.conf' like this: " cp -v /usr/share/doc/packages/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf " - I Editted "/etc/openvpn/server.conf". And this is my current configuration: " local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap ca /etc/openvpn/easy-rsa/ca.crt cert /etc/openvpn/easy-rsa/toka-site.crt key /etc/openvpn/easy-rsa/toka-site.key # This file should be kept secret dh dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 " - " mysussy:/etc/openvpn # cat server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap ca /etc/openvpn/easy-rsa/ca.crt cert /etc/openvpn/easy-rsa/toka-site.crt key /etc/openvpn/easy-rsa/toka-site.key # This file should be kept secret dh dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 " - " mysussy:/etc/openvpn # ls README ipp.txt openvpn-startup.sh static-office.conf client.conf loopback-client openvpn-status.log tls-home.conf easy-rsa loopback-server server.conf tls-office.conf firewall.sh office.up server.conf.old xinetd-client-config home.up openvpn-shutdown.sh static-home.conf xinetd-server-config " - this steps also done successfully:" .. ./vars ../clean-all ../build-ca ../build-key-server toka-site ../build-key sussy-MND " The problem is: But my openvpn can not start. mysussy:/etc/openvpn # rcopenvpn start Starting OpenVPN ...........failed Please help me, what is my mistake? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Show replies by date

Per Jessen

27 Oct 27 Oct

09:24

Patrik Hasibuan wrote:

...

The problem is: But my openvpn can not start. mysussy:/etc/openvpn # rcopenvpn start Starting OpenVPN ...........failed

Please help me, what is my mistake?

Please post the error messages from /var/log/messages. -- /Per Jessen, Zürich -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

28 Oct 28 Oct

03:23

Dear Jessen, Firstly, thank you very much for your help. This is the error messages in '/var/log/messages': " Oct 28 11:14:58 mysussy openvpn[10195]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 28 11:14:58 mysussy openvpn[10195]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 11:14:58 mysussy openvpn[10195]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file ". And this is my current 'server.conf': " local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap ca /usr/share/openvpn/easy-rsa/keys/ca.crt cert /usr/share/openvpn/easy-rsa/keys/toka-site.crt key /usr/share/openvpn/easy-rsa/keys/toka-site.key # This file should be kept secret dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server ". This my dh generation: " mysussy:/usr/share/openvpn/easy-rsa # ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time .......................................................................................................................................+......+.......................................................+......................................................................................................................................................+.................+.........................................................................+..............................................................................................................+............................+......................+...................+.............+..+......................................................+.........................+.....+..+..........+...........................+.....................+..................................................................................................................................................................+........................ .........................+.........................+...................................................................................................................................+.............+.........................................................+...+.......+.........................................+............................................................+....................+..........................................................................................+.....................................................+.....................+............+...................................+................................................................................................................................................................................+.............+...............+........................+........+................++*++*++* mysussy:/usr/share/openvpn/easy-rsa # ". This is my '/usr/share/openvpn/easy-rsa/keys': mysussy:~ # ls /usr/share/openvpn/easy-rsa/keys 01.pem ca.key index.txt.attr serial sussy-MND.csr toka-site.csr 02.pem dh1024.pem index.txt.attr.old serial.old sussy-MND.key toka-site.key ca.crt index.txt index.txt.old sussy-MND.crt toka-site.crt mysussy:~ # --- On Mon, 10/27/08, Per Jessen wrote:

...

From: Per Jessen Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Monday, October 27, 2008, 9:24 AM Patrik Hasibuan wrote:

...
The problem is: But my openvpn can not start. mysussy:/etc/openvpn # rcopenvpn start Starting OpenVPN ...........failed

Please help me, what is my mistake?

Please post the error messages from /var/log/messages.

-- /Per Jessen, Zürich

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jonathan Ervine

06:07

On Tuesday 28 October 2008 11:23:27 Patrik Hasibuan wrote:

...

Dear Jessen,

Firstly, thank you very much for your help.

This is the error messages in '/var/log/messages': Oct 28 11:14:58 mysussy openvpn[10195]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file ".

...

# This file should be kept secret dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem

The openvpn daemon cannot open the the dh1024.pem file. Can you verify that this file exists where the conf file reports it to be, and also check the permissions of the file. If it exists, then temporarily change the permissions to 644 on the file and try again. Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

06:45

Dear Jonathan, Thank you very much for your respond. I've followed your thread but it does not make anychange. The file of 'dh1024.pem' exists, here also the '/var/log/messages': " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ls -l total 44 -rw-r--r-- 1 root root 3953 Oct 28 11:41 01.pem -rw-r--r-- 1 root root 1273 Oct 28 11:39 ca.crt -rw------- 1 root root 891 Oct 28 11:39 ca.key -rw-r--r-- 1 root root 245 Oct 28 11:42 dh1024.pem -rw-r--r-- 1 root root 116 Oct 28 11:41 index.txt -rw-r--r-- 1 root root 21 Oct 28 11:41 index.txt.attr -rw-r--r-- 1 root root 0 Oct 28 11:36 index.txt.old -rw-r--r-- 1 root root 3 Oct 28 11:41 serial -rw-r--r-- 1 root root 3 Oct 28 11:36 serial.old -rw-r--r-- 1 root root 3953 Oct 28 11:41 toka-site.crt -rw-r--r-- 1 root root 777 Oct 28 11:40 toka-site.csr -rw------- 1 root root 887 Oct 28 11:40 toka-site.key mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # chmod 644 ./dh1024.pem mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # rcopenvpn start Starting OpenVPN failed mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # tail -n 30 /var/log/messages Oct 28 14:30:53 mysussy kernel: printk: 2 messages suppressed. Oct 28 14:30:54 mysussy openvpn[8502]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8502]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 28 14:30:54 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:30:54 mysussy openvpn[8502]: Exiting Oct 28 14:30:54 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 28 14:30:54 mysussy openvpn[8506]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 28 14:30:54 mysussy openvpn[8506]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8506]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Oct 28 14:30:54 mysussy openvpn[8506]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Oct 28 14:30:54 mysussy openvpn[8506]: Exiting Oct 28 14:30:54 mysussy openvpn[8508]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 28 14:30:54 mysussy openvpn[8508]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8508]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Oct 28 14:30:54 mysussy openvpn[8508]: Exiting Oct 28 14:30:57 mysussy kernel: printk: 2 messages suppressed. Oct 28 14:30:57 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:30:57 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 28 14:31:02 mysussy kernel: printk: 2 messages suppressed. Oct 28 14:31:02 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:31:02 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 28 14:31:08 mysussy kernel: printk: 3 messages suppressed. Oct 28 14:31:08 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:31:08 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 28 14:31:13 mysussy kernel: printk: 2 messages suppressed. Oct 28 14:31:13 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:31:13 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 28 14:31:17 mysussy kernel: printk: 2 messages suppressed. Oct 28 14:31:17 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:31:17 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ". --- On Tue, 10/28/08, Jonathan Ervine wrote:

...

...
Dear Jessen,

Firstly, thank you very much for your help.

This is the error messages in '/var/log/messages': Oct 28 11:14:58 mysussy openvpn[10195]: Cannot open dh1024.pem for DH parameters: error:02001002:system

From: Jonathan Ervine Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Tuesday, October 28, 2008, 6:07 AM On Tuesday 28 October 2008 11:23:27 Patrik Hasibuan wrote: library:fopen:No such

...
file or directory: error:2006D080:BIO routines:BIO_new_file:no such file ".

...
# This file should be kept secret dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem

The openvpn daemon cannot open the the dh1024.pem file. Can you verify that this file exists where the conf file reports it to be, and also check the permissions of the file. If it exists, then temporarily change the permissions to 644 on the file and try again.

Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jonathan Ervine

07:03

On Tuesday 28 October 2008 14:45:28 Patrik Hasibuan wrote:

...

Dear Jonathan,

Thank you very much for your respond.

No problem.

...

I've followed your thread but it does not make anychange.

The file of 'dh1024.pem' exists, here also the '/var/log/messages': " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ls -l total 44 -rw-r--r-- 1 root root 3953 Oct 28 11:41 01.pem -rw-r--r-- 1 root root 1273 Oct 28 11:39 ca.crt -rw------- 1 root root 891 Oct 28 11:39 ca.key -rw-r--r-- 1 root root 245 Oct 28 11:42 dh1024.pem -rw-r--r-- 1 root root 116 Oct 28 11:41 index.txt -rw-r--r-- 1 root root 21 Oct 28 11:41 index.txt.attr -rw-r--r-- 1 root root 0 Oct 28 11:36 index.txt.old -rw-r--r-- 1 root root 3 Oct 28 11:41 serial -rw-r--r-- 1 root root 3 Oct 28 11:36 serial.old -rw-r--r-- 1 root root 3953 Oct 28 11:41 toka-site.crt -rw-r--r-- 1 root root 777 Oct 28 11:40 toka-site.csr -rw------- 1 root root 887 Oct 28 11:40 toka-site.key

The above is fine.

...

Starting OpenVPN failed mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # tail -n 30 /var/log/messages Oct 28 14:30:53 mysussy kernel: printk: 2 messages suppressed. Oct 28 14:30:54 mysussy openvpn[8502]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8502]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 28 14:30:54 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:30:54 mysussy openvpn[8502]: Exiting

Here is a problem. It's looking for a file called static.key

...

Oct 28 14:30:54 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 28 14:30:54 mysussy openvpn[8506]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 28 14:30:54 mysussy openvpn[8506]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8506]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Oct 28 14:30:54 mysussy openvpn[8506]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Oct 28 14:30:54 mysussy openvpn[8506]: Exiting

Here is another problem, it's looking for a file called home.crt

...

Oct 28 14:30:54 mysussy openvpn[8508]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 28 14:30:54 mysussy openvpn[8508]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8508]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Oct 28 14:30:54 mysussy openvpn[8508]: Exiting

Another problem that it can't open dh1024.pem (even though we've verified and confirmed that this file exists) I suspect that the openvpn daemon is not using your config file to start up. Where is your server.conf located? As a test, as root try running: openvpn --config <path to your config file> And see what errors (if any) are produced... Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

08:48

Dear my friend, Jonathan. Please keep telling me. Here is where my 'server.conf': " mysussy:~ # ls /etc/openvpn/server.conf /etc/openvpn/server.conf ". This is the test: " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Exiting mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ". This is my "server.conf": mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # --- On Tue, 10/28/08, Jonathan Ervine wrote:

...

From: Jonathan Ervine Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Tuesday, October 28, 2008, 7:03 AM On Tuesday 28 October 2008 14:45:28 Patrik Hasibuan wrote:

...
Dear Jonathan,

Thank you very much for your respond.

No problem.

...
I've followed your thread but it does not make anychange.

The file of 'dh1024.pem' exists, here also the '/var/log/messages': " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ls -l total 44 -rw-r--r-- 1 root root 3953 Oct 28 11:41 01.pem -rw-r--r-- 1 root root 1273 Oct 28 11:39 ca.crt -rw------- 1 root root 891 Oct 28 11:39 ca.key -rw-r--r-- 1 root root 245 Oct 28 11:42 dh1024.pem -rw-r--r-- 1 root root 116 Oct 28 11:41 index.txt -rw-r--r-- 1 root root 21 Oct 28 11:41 index.txt.attr -rw-r--r-- 1 root root 0 Oct 28 11:36 index.txt.old -rw-r--r-- 1 root root 3 Oct 28 11:41 serial -rw-r--r-- 1 root root 3 Oct 28 11:36 serial.old -rw-r--r-- 1 root root 3953 Oct 28 11:41 toka-site.crt -rw-r--r-- 1 root root 777 Oct 28 11:40 toka-site.csr -rw------- 1 root root 887 Oct 28 11:40 toka-site.key

The above is fine.

...
Starting OpenVPN

...
failed mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # tail -n 30 /var/log/messages Oct 28 14:30:53 mysussy kernel: printk: 2 messages suppressed. Oct 28 14:30:54 mysussy openvpn[8502]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8502]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 28 14:30:54 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 28 14:30:54 mysussy openvpn[8502]: Exiting

Here is a problem. It's looking for a file called static.key

...
Oct 28 14:30:54 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 28 14:30:54 mysussy openvpn[8506]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 28 14:30:54 mysussy openvpn[8506]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8506]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Oct 28 14:30:54 mysussy openvpn[8506]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Oct 28 14:30:54 mysussy openvpn[8506]: Exiting

Here is another problem, it's looking for a file called home.crt

...
Oct 28 14:30:54 mysussy openvpn[8508]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 28 14:30:54 mysussy openvpn[8508]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 28 14:30:54 mysussy openvpn[8508]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Oct 28 14:30:54 mysussy openvpn[8508]: Exiting

Another problem that it can't open dh1024.pem (even though we've verified and confirmed that this file exists)

I suspect that the openvpn daemon is not using your config file to start up. Where is your server.conf located? As a test, as root try running: openvpn --config <path to your config file>

And see what errors (if any) are produced...

Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Per Jessen

09:01

Patrik Hasibuan wrote:

...

This is the test: " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Exiting mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ".

It seems to be clearly complaining about "MyTap".

...

This is my "server.conf": mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap

My VPN server config does not have a "dev-node" entry, I'm not sure what the default is. /Per -- /Per Jessen, Zürich -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jonathan Ervine

09:11

On Tuesday 28 October 2008 17:01:26 Per Jessen wrote:

...

Patrik Hasibuan wrote:

...
This is the test: " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Exiting mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ".

It seems to be clearly complaining about "MyTap".

Yep - but no further errors in the messages file about the various SSL files. I'm still of the opinion that the daemon script isn't reading his config file.

...

...
This is my "server.conf": mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap

My VPN server config does not have a "dev-node" entry, I'm not sure what the default is.

Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

09:28

How should I tell my openvpn that he should use the 'server.conf' which resides in '/etc/openvpn/server.conf'? --- On Tue, 10/28/08, Jonathan Ervine wrote:

...

From: Jonathan Ervine Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Tuesday, October 28, 2008, 9:11 AM On Tuesday 28 October 2008 17:01:26 Per Jessen wrote:

...
Patrik Hasibuan wrote:

...
This is the test: " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Exiting mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ".

It seems to be clearly complaining about "MyTap".

Yep - but no further errors in the messages file about the various SSL files. I'm still of the opinion that the daemon script isn't reading his config file.

...
...
This is my "server.conf": mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap

My VPN server config does not have a "dev-node" entry, I'm not sure what the default is.

Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jonathan Ervine

09:35

On Tuesday 28 October 2008 17:28:35 Patrik Hasibuan wrote:

...

How should I tell my openvpn that he should use the 'server.conf' which resides in '/etc/openvpn/server.conf'?

I'd worry about that after getting the openvpn server to start up without errors from the command line when specifying the config file to use.

...

...
...
...
/etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap

My VPN server config does not have a

"dev-node" entry, I'm not sure what

...
the default is.

Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces.

If you remove the dev-node line from your server.conf file (or simply comment it out), can you then get the openvpn server to start? The config file being used by the openvpn daemon script should be specified in the /etc/init.d/openvpn script file. By default this directory is set to /etc/openvpn - I'd check that there isn't a client.conf (or any other .conf file) in there. Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

30 Oct 30 Oct

01:12

Dear Jo, I checked in the '/etc/init.d/openvpn': " .... .... DAEMON="OpenVPN" openvpn=/usr/sbin/openvpn confdir=/etc/openvpn piddir=/var/run/openvpn .... .... ". So it means my openvpn read the 'server.conf' which resides in '/etc/openvpn/server.conf'. I've removed the dec in my '/etc/openvpn/server.conf': " mysussy:/etc/openvpn # cat server.conf local 219.83.114.179 port 1194 proto tcp ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server mysussy:/etc/openvpn # ". Here is my '/var/log/messages/', I saw after my openvpn failed to start: " mysussy:/etc/openvpn # tail -n 30 /var/log/messages Oct 30 09:03:34 mysussy openvpn[10361]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:34 mysussy openvpn[10361]: Exiting Oct 30 09:03:35 mysussy openvpn[10365]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10365]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10365]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:35 mysussy openvpn[10365]: Exiting Oct 30 09:03:35 mysussy openvpn[10369]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10369]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10369]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Oct 30 09:03:35 mysussy openvpn[10369]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Oct 30 09:03:35 mysussy openvpn[10369]: Exiting Oct 30 09:03:35 mysussy openvpn[10374]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10374]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10374]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Oct 30 09:03:35 mysussy openvpn[10374]: Exiting Oct 30 09:03:38 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:38 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:38 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:42 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:42 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:42 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:48 mysussy kernel: printk: 3 messages suppressed. Oct 30 09:03:48 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:48 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:53 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:53 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:53 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:58 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:58 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:58 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 mysussy:/etc/openvpn # " --- On Tue, 10/28/08, Jonathan Ervine wrote:

...

From: Jonathan Ervine Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Tuesday, October 28, 2008, 9:35 AM On Tuesday 28 October 2008 17:28:35 Patrik Hasibuan wrote:

...
How should I tell my openvpn that he should use the 'server.conf' which resides in '/etc/openvpn/server.conf'?

I'd worry about that after getting the openvpn server to start up without errors from the command line when specifying the config file to use.

...
...
...
...
/etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap

My VPN server config does not have a

"dev-node" entry, I'm not sure what

...
the default is.

Same here - I've always used dev tun, it looks like Patrik is trying to set up a VPN with both tun and tap interfaces.

If you remove the dev-node line from your server.conf file (or simply comment it out), can you then get the openvpn server to start? The config file being used by the openvpn daemon script should be specified in the /etc/init.d/openvpn script file. By default this directory is set to /etc/openvpn - I'd check that there isn't a client.conf (or any other .conf file) in there.

Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jonathan Ervine

02:39

On Thursday 30 October 2008 09:12:47 Patrik Hasibuan wrote:

...

Dear Jo,

I checked in the '/etc/init.d/openvpn': " .... .... DAEMON="OpenVPN" openvpn=/usr/sbin/openvpn confdir=/etc/openvpn piddir=/var/run/openvpn .... .... ". So it means my openvpn read the 'server.conf' which resides in '/etc/openvpn/server.conf'.

I suspect it means it will read _any_ conf file in /etc/openvpn. It's still not reading the conf file you wish it to - see below...

...

I've removed the dec in my '/etc/openvpn/server.conf': " mysussy:/etc/openvpn # cat server.conf local 219.83.114.179 port 1194 proto tcp ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server mysussy:/etc/openvpn # ".

Here is my '/var/log/messages/', I saw after my openvpn failed to start: " mysussy:/etc/openvpn # tail -n 30 /var/log/messages Oct 30 09:03:34 mysussy openvpn[10361]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:34 mysussy openvpn[10361]: Exiting

It's still trying to load static.key which doesn't exist. So it's still reading the wrong conf file. I don't know why, and as per my previous email I'd worry about that after getting openvpn to start up from the command lin by explicitly specifying the conf file you wish to use...

...

Oct 30 09:03:35 mysussy openvpn[10365]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10365]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10365]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:35 mysussy openvpn[10365]: Exiting Oct 30 09:03:35 mysussy openvpn[10369]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10369]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10369]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Oct 30 09:03:35 mysussy openvpn[10369]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Oct 30 09:03:35 mysussy openvpn[10369]: Exiting Oct 30 09:03:35 mysussy openvpn[10374]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10374]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10374]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Oct 30 09:03:35 mysussy openvpn[10374]: Exiting

A few more error messages about missing files: home.crt and dh1024.pem. Please run openvpn --config /etc/openvpn/server.conf from a root command line. This will at least tell us that the conf file is sane and works. Then we can worry about getting the daemon to use this file... Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

03:29

Dear Jo, This is my try: " mysussy:~ # ls /etc/openvpn README loopback-client server.conf xinetd-client-config client.conf loopback-server server.conf.orig xinetd-server-config easy-rsa office.up static-home.conf xinetd-server-config.orig firewall.sh openvpn-shutdown.sh static-office.conf home.up openvpn-startup.sh tls-home.conf ipp.txt openvpn-status.log tls-office.conf mysussy:~ # cd / mysussy:/ # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:05 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:05 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:05 2008 Exiting mysussy:/ # cd /etc/openvpn mysussy:/etc/openvpn # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:20 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:21 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:21 2008 Exiting mysussy:/etc/openvpn # " '219.83.114.179' is the global-ip number of my outter wlan-card towards the internet gateway of our ISP. I am confused why the port-number of '1194' has been already occupied whereas the 'openvpn' still can not start. Who/which is using this port-number? Please advice me. --- On Thu, 10/30/08, Jonathan Ervine wrote:

...

From: Jonathan Ervine Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Thursday, October 30, 2008, 2:39 AM On Thursday 30 October 2008 09:12:47 Patrik Hasibuan wrote:

...
Dear Jo,

I checked in the '/etc/init.d/openvpn': " .... .... DAEMON="OpenVPN" openvpn=/usr/sbin/openvpn confdir=/etc/openvpn piddir=/var/run/openvpn .... .... ". So it means my openvpn read the 'server.conf' which resides in '/etc/openvpn/server.conf'.

I suspect it means it will read _any_ conf file in /etc/openvpn. It's still not reading the conf file you wish it to - see below...

...
I've removed the dec in my '/etc/openvpn/server.conf': " mysussy:/etc/openvpn # cat server.conf local 219.83.114.179 port 1194 proto tcp ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server mysussy:/etc/openvpn # ".

Here is my '/var/log/messages/', I saw after my openvpn failed to start: " mysussy:/etc/openvpn # tail -n 30 /var/log/messages Oct 30 09:03:34 mysussy openvpn[10361]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:34 mysussy openvpn[10361]: Exiting

It's still trying to load static.key which doesn't exist. So it's still reading the wrong conf file. I don't know why, and as per my previous email I'd worry about that after getting openvpn to start up from the command lin by explicitly specifying the conf file you wish to use...

...
Oct 30 09:03:35 mysussy openvpn[10365]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10365]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10365]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:35 mysussy openvpn[10365]: Exiting Oct 30 09:03:35 mysussy openvpn[10369]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10369]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10369]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Oct 30 09:03:35 mysussy openvpn[10369]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Oct 30 09:03:35 mysussy openvpn[10369]: Exiting Oct 30 09:03:35 mysussy openvpn[10374]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10374]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10374]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Oct 30 09:03:35 mysussy openvpn[10374]: Exiting

A few more error messages about missing files: home.crt and dh1024.pem.

Please run openvpn --config /etc/openvpn/server.conf from a root command line. This will at least tell us that the conf file is sane and works. Then we can worry about getting the daemon to use this file...

Jon -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jonathan Ervine

03:43

On Thursday 30 October 2008 11:29:46 Patrik Hasibuan wrote:

...

Dear Jo,

This is my try: " mysussy:~ # ls /etc/openvpn README loopback-client server.conf xinetd-client-config client.conf loopback-server server.conf.orig xinetd-server-config easy-rsa office.up static-home.conf xinetd-server-config.orig firewall.sh openvpn-shutdown.sh static-office.conf home.up openvpn-startup.sh tls-home.conf ipp.txt openvpn-status.log tls-office.conf

So there are loads of .conf files in there ... you'll need to reduce this to one (server.conf) at some point.

...

mysussy:~ # cd / mysussy:/ # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:05 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:05 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:05 2008 Exiting mysussy:/ # cd /etc/openvpn mysussy:/etc/openvpn # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:20 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:21 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:21 2008 Exiting mysussy:/etc/openvpn # "

Probably an existing instance of openvpn is holding the port open. netstat -anp | grep 1194 should tell you which process has this port open. Kill the process and start it again from the command line.

...

'219.83.114.179' is the global-ip number of my outter wlan-card towards the internet gateway of our ISP.

I am confused why the port-number of '1194' has been already occupied whereas the 'openvpn' still can not start. Who/which is using this port-number?

Please advice me.

See above. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

1 Nov 1 Nov

02:56

New subject: [opensuse] Building VPN network with OpenVPN and OpenSuSE11-->TLS negotiation.

Dear Jo, You were absolutely correct. Thank you very much for help. My problem has been solved although I still have problem with its 'TLS Negotiation'. I spent a whole day to understand the informations you gave to me. I thought you informed me clearly enough so the solution should be not far anymore: - I just removed all the "conf" file in the "/etc/openvpn/" except 'server.conf'; - 'netstat -anp ....' and kill the service which use '1194'; - no 'dev-node'; - 'dev tun'; And then my openvpn works. Here underbelow of my email, I put the log file. But the client still can not connect to the openvpn-server. The error message is about TLS problem. I've tried to browse in the internet looking for the solution. It seems many people have the same problem. What should I do now? What steps should I actually do to make the TLS negotiation works properly? I put the content of my current 'client.conf' and the '/var/log/messages'. ========= Here's on the client-side. ========= sussy-MND:~ # cat /etc/openvpn/client.conf client dev tun proto udp remote 219.83.114.179 1194 resolv-retry infinite nobind persist-key persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/cli-MND.crt key /etc/openvpn/keys/cli-MND.key ns-cert-type client ;tls-auth ta.key 1 ;cipher x comp-lzo verb 3 sussy-MND:~ # rcopenvpn status Checking for OpenVPN: running Status written to /var/log/messages sussy-MND:~ # tail -n 30 /var/log/messages Nov 1 10:49:56 sussy-MND openvpn[3639]: UDPv4 link local: [undef] Nov 1 10:49:56 sussy-MND openvpn[3639]: UDPv4 link remote: 219.83.114.179:1194 Nov 1 10:50:56 sussy-MND openvpn[3639]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Nov 1 10:50:56 sussy-MND openvpn[3639]: TLS Error: TLS handshake failed Nov 1 10:50:56 sussy-MND openvpn[3639]: TCP/UDP: Closing socket Nov 1 10:50:56 sussy-MND openvpn[3639]: SIGUSR1[soft,tls-error] received, process restarting Nov 1 10:50:56 sussy-MND openvpn[3639]: Restart pause, 2 second(s) Nov 1 10:50:59 sussy-MND openvpn[3639]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Nov 1 10:50:59 sussy-MND openvpn[3639]: Re-using SSL/TLS context Nov 1 10:50:59 sussy-MND openvpn[3639]: LZO compression initialized Nov 1 10:50:59 sussy-MND openvpn[3639]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Nov 1 10:50:59 sussy-MND openvpn[3639]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Nov 1 10:50:59 sussy-MND openvpn[3639]: Local Options hash (VER=V4): '41690919' Nov 1 10:50:59 sussy-MND openvpn[3639]: Expected Remote Options hash (VER=V4): '530fdded' Nov 1 10:50:59 sussy-MND openvpn[3639]: UDPv4 link local: [undef] Nov 1 10:50:59 sussy-MND openvpn[3639]: UDPv4 link remote: 219.83.114.179:1194 Nov 1 10:51:36 sussy-MND openvpn[3639]: event_wait : Interrupted system call (code=4) Nov 1 10:51:36 sussy-MND openvpn[3639]: TCP/UDP: Closing socket Nov 1 10:51:36 sussy-MND openvpn[3639]: SIGTERM[hard,] received, process exiting Nov 1 10:51:39 sussy-MND openvpn[6381]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Nov 1 10:51:39 sussy-MND openvpn[6381]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Nov 1 10:51:39 sussy-MND openvpn[6381]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Nov 1 10:51:39 sussy-MND openvpn[6381]: WARNING: file '/etc/openvpn/keys/cli-MND.key' is group or others accessible Nov 1 10:51:39 sussy-MND openvpn[6381]: LZO compression initialized Nov 1 10:51:39 sussy-MND openvpn[6381]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Nov 1 10:51:39 sussy-MND openvpn[6381]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Nov 1 10:51:39 sussy-MND openvpn[6381]: Local Options hash (VER=V4): '41690919' Nov 1 10:51:39 sussy-MND openvpn[6381]: Expected Remote Options hash (VER=V4): '530fdded' Nov 1 10:51:39 sussy-MND openvpn[6382]: UDPv4 link local: [undef] Nov 1 10:51:39 sussy-MND openvpn[6382]: UDPv4 link remote: 219.83.114.179:1194 sussy-MND:~ # ========= Here's on the server-side. ========= mysussy:~ # cat /etc/openvpn/server.conf local 219.83.114.179 port 1194 proto udp ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/toka-site.crt key /etc/openvpn/easy-rsa/2.0/keys/toka-site.key dev tun dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server mysussy:~ # tail -n 40 /var/log/messages Nov 1 10:07:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:03 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:03 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:03 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:09 mysussy kernel: printk: 3 messages suppressed. Nov 1 10:08:09 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:09 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:14 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:14 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:14 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:19 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:19 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:19 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:23 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:23 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:23 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:28 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:28 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:28 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:34 mysussy kernel: printk: 3 messages suppressed. Nov 1 10:08:34 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:34 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:39 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:39 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:39 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:43 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:43 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:43 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:48 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:48 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:48 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:54 mysussy kernel: printk: 3 messages suppressed. Nov 1 10:08:54 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:54 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:08:59 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:08:59 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:08:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Nov 1 10:09:04 mysussy kernel: printk: 2 messages suppressed. Nov 1 10:09:04 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Nov 1 10:09:04 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 mysussy:~ # rcopenvpn status Checking for OpenVPN: running Status written to /var/log/messages mysussy:~ # --- On Thu, 10/30/08, Jonathan Ervine wrote:

...

From: Jonathan Ervine Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Thursday, October 30, 2008, 3:43 AM On Thursday 30 October 2008 11:29:46 Patrik Hasibuan wrote:

...
Dear Jo,

This is my try: " mysussy:~ # ls /etc/openvpn README loopback-client server.conf xinetd-client-config client.conf loopback-server server.conf.orig xinetd-server-config easy-rsa office.up static-home.conf xinetd-server-config.orig firewall.sh openvpn-shutdown.sh static-office.conf home.up openvpn-startup.sh tls-home.conf ipp.txt openvpn-status.log tls-office.conf

So there are loads of .conf files in there ... you'll need to reduce this to one (server.conf) at some point.

...
mysussy:~ # cd / mysussy:/ # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:05 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:05 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:05 2008 Exiting mysussy:/ # cd /etc/openvpn mysussy:/etc/openvpn # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:20 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:21 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:21 2008 Exiting mysussy:/etc/openvpn # "

Probably an existing instance of openvpn is holding the port open. netstat -anp | grep 1194 should tell you which process has this port open. Kill the process and start it again from the command line.

...
'219.83.114.179' is the global-ip number of my outter wlan-card towards the internet gateway of our ISP.

I am confused why the port-number of '1194' has been already occupied whereas the 'openvpn' still can not start. Who/which is using this port-number?

Please advice me.

See above. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

07:50

New subject: [opensuse] TLS negotiation and client-side virtual-interface.

Dear my friends, I am confused about the virtual interface (tun0-00) for the client-side. Why is the virtual-interface(tun0-00) on the server-side visible from 'ifconfig' and the virtual-interface(tun0-00) on the client-side not visible/displayed from 'ifconfig'? Please underbelow: ===== server-side: ----- mysussy:~ # ifconfig eth0 Link encap:Ethernet HWaddr 00:19:D1:3C:A0:30 inet addr:192.168.1.9 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::219:d1ff:fe3c:a030/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1515061 errors:0 dropped:0 overruns:0 frame:0 TX packets:2533595 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:99929181 (95.2 Mb) TX bytes:3658131803 (3488.6 Mb) Memory:30300000-30320000 eth5 Link encap:Ethernet HWaddr 00:50:DA:C4:C7:95 inet addr:219.83.114.179 Bcast:219.83.114.183 Mask:255.255.255.248 inet6 addr: fe80::250:daff:fec4:c795/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:299136 errors:0 dropped:0 overruns:0 frame:0 TX packets:210000 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:352775825 (336.4 Mb) TX bytes:20866755 (19.9 Mb) Interrupt:21 Base address:0x2800 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:4387376 errors:0 dropped:0 overruns:0 frame:0 TX packets:4387376 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1814729105 (1730.6 Mb) TX bytes:1814729105 (1730.6 Mb) tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) mysussy:~ # ===== client-side ----- sussy-MND:~ # ifconfig dsl0 Link encap:Point-to-Point Protocol inet addr:192.168.11.3 P-t-P:192.168.21.110 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 RX packets:14049 errors:0 dropped:0 overruns:0 frame:0 TX packets:12576 errors:0 dropped:8 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:8422795 (8.0 Mb) TX bytes:1941219 (1.8 Mb) eth1 Link encap:Ethernet HWaddr 00:19:21:66:02:F5 inet addr:192.161.1.42 Bcast:192.161.1.255 Mask:255.255.255.0 inet6 addr: fe80::219:21ff:fe66:2f5/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:90600 errors:0 dropped:0 overruns:0 frame:0 TX packets:25048 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:23090572 (22.0 Mb) TX bytes:3703103 (3.5 Mb) Interrupt:20 Base address:0x6800 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:895 errors:0 dropped:0 overruns:0 frame:0 TX packets:895 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:63695 (62.2 Kb) TX bytes:63695 (62.2 Kb) sussy-MND:~ # ===== This is my '*.conf' file: ===== server-side (server.conf): ----- mysussy:~ # mysussy:~ # cat /etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/toka-site.crt key /etc/openvpn/easy-rsa/2.0/keys/toka-site.key dev tun dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server comp-lzo verb 3 mysussy:~ # ===== client-side (client.conf): ----- sussy-MND:~ # cat /etc/openvpn/client.conf client dev tun proto tcp remote 219.83.114.179 1194 resolv-retry infinite nobind persist-key persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/cli-MND.crt key /etc/openvpn/keys/cli-MND.key ns-cert-type server comp-lzo verb 3 sussy-MND:~ # ===== If I haven't the 'tun0-00' on my client-side station, how can I have the virtual interface whose ip-address of '10.8.0.2'? And why is connection is always reset? I don't understand. " Nov 1 15:43:44 sussy-MND openvpn[9479]: Connection reset, restarting [0] ". Please tell me my mistake. Thank you very much in advance. ===== This is the '/var/log/messages' on the client-side ----- sussy-MND:~ # tail -n 40 /var/log/messages Nov 1 15:43:03 sussy-MND openvpn[9479]: TCP connection established with 219.83.114.179:1194 Nov 1 15:43:03 sussy-MND openvpn[9479]: TCPv4_CLIENT link local: [undef] Nov 1 15:43:03 sussy-MND openvpn[9479]: TCPv4_CLIENT link remote: 219.83.114.179:1194 Nov 1 15:43:04 sussy-MND openvpn[9479]: TLS: Initial packet from 219.83.114.179:1194, sid=15e7403e 2ed3956a Nov 1 15:43:22 sussy-MND openvpn[9479]: VERIFY OK: depth=1, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com Nov 1 15:43:22 sussy-MND openvpn[9479]: VERIFY OK: nsCertType=SERVER Nov 1 15:43:22 sussy-MND openvpn[9479]: VERIFY OK: depth=0, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com Nov 1 15:43:38 sussy-MND openvpn[9479]: event_wait : Interrupted system call (code=4) Nov 1 15:43:38 sussy-MND openvpn[9479]: OpenVPN STATISTICS Nov 1 15:43:38 sussy-MND openvpn[9479]: Updated,Sat Nov 1 15:43:38 2008 Nov 1 15:43:38 sussy-MND openvpn[9479]: TUN/TAP read bytes,0 Nov 1 15:43:38 sussy-MND openvpn[9479]: TUN/TAP write bytes,0 Nov 1 15:43:38 sussy-MND openvpn[9479]: TCP/UDP read bytes,5398 Nov 1 15:43:38 sussy-MND openvpn[9479]: TCP/UDP write bytes,3828 Nov 1 15:43:38 sussy-MND openvpn[9479]: Auth read bytes,0 Nov 1 15:43:38 sussy-MND openvpn[9479]: pre-compress bytes,0 Nov 1 15:43:38 sussy-MND openvpn[9479]: post-compress bytes,0 Nov 1 15:43:38 sussy-MND openvpn[9479]: pre-decompress bytes,0 Nov 1 15:43:38 sussy-MND openvpn[9479]: post-decompress bytes,0 Nov 1 15:43:38 sussy-MND openvpn[9479]: END Nov 1 15:43:44 sussy-MND openvpn[9479]: Connection reset, restarting [0] Nov 1 15:43:44 sussy-MND openvpn[9479]: TCP/UDP: Closing socket Nov 1 15:43:44 sussy-MND openvpn[9479]: SIGUSR1[soft,connection-reset] received, process restarting Nov 1 15:43:44 sussy-MND openvpn[9479]: Restart pause, 5 second(s) Nov 1 15:43:49 sussy-MND openvpn[9479]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Nov 1 15:43:49 sussy-MND openvpn[9479]: Re-using SSL/TLS context Nov 1 15:43:49 sussy-MND openvpn[9479]: LZO compression initialized Nov 1 15:43:49 sussy-MND openvpn[9479]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ] Nov 1 15:43:49 sussy-MND openvpn[9479]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ] Nov 1 15:43:49 sussy-MND openvpn[9479]: Local Options hash (VER=V4): '69109d17' Nov 1 15:43:49 sussy-MND openvpn[9479]: Expected Remote Options hash (VER=V4): 'c0103fa8' Nov 1 15:43:49 sussy-MND openvpn[9479]: Attempting to establish TCP connection with 219.83.114.179:1194 Nov 1 15:43:50 sussy-MND openvpn[9479]: TCP connection established with 219.83.114.179:1194 Nov 1 15:43:50 sussy-MND openvpn[9479]: TCPv4_CLIENT link local: [undef] Nov 1 15:43:50 sussy-MND openvpn[9479]: TCPv4_CLIENT link remote: 219.83.114.179:1194 Nov 1 15:43:50 sussy-MND openvpn[9479]: TLS: Initial packet from 219.83.114.179:1194, sid=8a938fc2 c9c42384 Nov 1 15:43:51 sussy-MND smartd[3926]: Device: /dev/sda, SMART Usage Attribute: 194 Temperature_Celsius changed from 152 to 148 Nov 1 15:44:07 sussy-MND openvpn[9479]: VERIFY OK: depth=1, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com Nov 1 15:44:07 sussy-MND openvpn[9479]: VERIFY OK: nsCertType=SERVER Nov 1 15:44:07 sussy-MND openvpn[9479]: VERIFY OK: depth=0, /C=ID/ST=SU/L=MND/O=MSM-TTN/OU=PT/CN=mysussy/emailAddress=ilham.firdaus@tokatindung.com sussy-MND:~ # ===== -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Theo van Werkhoven

09:41

New subject: [opensuse] Building VPN network with OpenVPN and OpenSuSE11-->TLS negotiation.

Patrik Hasibuan wrote:

...

But the client still can not connect to the openvpn-server. The error message is about TLS problem. I've tried to browse in the internet looking for the solution. It seems many people have the same problem.

What should I do now? What steps should I actually do to make the TLS negotiation works properly?

I put the content of my current 'client.conf' and the '/var/log/messages'. ========= Here's on the client-side. ========= sussy-MND:~ # cat /etc/openvpn/client.conf [..] ns-cert-type client ^^^^^^ Have you, sorry to be brute, even bothered to read openvpn's man page? --ns-cert-type client|server Require that peer certificate was signed with an explicit nsCertType des- ignation of "client" or "server".

This is a useful security option for clients, to ensure that the host they connect with is a designated server. See the easy-rsa/build-key-server script for an example of how to gener- ate a certificate with the nsCertType field set to "server". If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server. This is an important security precaution to protect against a man-in-the- middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert- type, --tls-remote, or --tls-verify. Thus ns-sert-type must be 'server' on the clients' side.

...

========= Here's on the server-side. ========= mysussy:~ # cat /etc/openvpn/server.conf local 219.83.114.179

This *is* the server's external IP address right? To be clear: it must be the address of the WAN (external) interface, so if you're using e.g. a NAT device (e.g. an ADSL modem), you must set the address on the 'inside', e.g. 10.0.0.138.

...

ns-cert-type server

This doesn't belong in the server's config file.

...

mysussy:~ # tail -n 40 /var/log/messages Nov 1 10:07:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06

And you need to wise-up your firewall or your route-table. Theo -- Theo v. Werkhoven, NL (ICBM 52 13 26N , 4 29 47E). A casual stroll through the lunatic asylum shows that faith does not prove anything. Friedrich Nietzsche German philosopher (1844 - 1900) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

5 Nov 5 Nov

00:06

New subject: [opensuse] Building VPN network with OpenVPN and OpenSuSE11-->TLS negotiation.

Hi Theo. You solved my problem. Thank you thousand times..... I really appreciate your help. Best regards, Patrik Hasibuan. --- On Sat, 11/1/08, Theo van Werkhoven wrote:

...

From: Theo van Werkhoven Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11-->TLS negotiation. To: opensuse@opensuse.org Date: Saturday, November 1, 2008, 9:41 AM Patrik Hasibuan wrote:

...
But the client still can not connect to the openvpn-server. The error message is about TLS problem. I've tried to browse in the internet looking for the solution. It seems many people have the same problem.

What should I do now? What steps should I actually do to make the TLS negotiation works properly?

I put the content of my current 'client.conf' and the '/var/log/messages'. ========= Here's on the client-side. ========= sussy-MND:~ # cat /etc/openvpn/client.conf [..] ns-cert-type client ^^^^^^ Have you, sorry to be brute, even bothered to read openvpn's man page? --ns-cert-type client|server Require that peer certificate was signed with an explicit nsCertType des- ignation of "client" or "server".

This is a useful security option for clients, to ensure that the host they connect with is a designated server.

See the easy-rsa/build-key-server script for an example of how to gener- ate a certificate with the nsCertType field set to "server".

If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server.

This is an important security precaution to protect against a man-in-the- middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert- type, --tls-remote, or --tls-verify.

Thus ns-sert-type must be 'server' on the clients' side.

...
========= Here's on the server-side. ========= mysussy:~ # cat /etc/openvpn/server.conf local 219.83.114.179

This *is* the server's external IP address right? To be clear: it must be the address of the WAN (external) interface, so if you're using e.g. a NAT device (e.g. an ADSL modem), you must set the address on the 'inside', e.g. 10.0.0.138.

...
ns-cert-type server

This doesn't belong in the server's config file.

...
mysussy:~ # tail -n 40 /var/log/messages Nov 1 10:07:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06

And you need to wise-up your firewall or your route-table.

Theo -- Theo v. Werkhoven, NL (ICBM 52 13 26N , 4 29 47E). A casual stroll through the lunatic asylum shows that faith does not prove anything. Friedrich Nietzsche German philosopher (1844 - 1900) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

00:03

Dear Jo, Thank you very...very...much for your help. My problems have been solved. You solved some my problems..... --- On Thu, 10/30/08, Jonathan Ervine wrote:

...

From: Jonathan Ervine Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Thursday, October 30, 2008, 3:43 AM On Thursday 30 October 2008 11:29:46 Patrik Hasibuan wrote:

...
Dear Jo,

This is my try: " mysussy:~ # ls /etc/openvpn README loopback-client server.conf xinetd-client-config client.conf loopback-server server.conf.orig xinetd-server-config easy-rsa office.up static-home.conf xinetd-server-config.orig firewall.sh openvpn-shutdown.sh static-office.conf home.up openvpn-startup.sh tls-home.conf ipp.txt openvpn-status.log tls-office.conf

So there are loads of .conf files in there ... you'll need to reduce this to one (server.conf) at some point.

...
mysussy:~ # cd / mysussy:/ # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:05 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:05 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:05 2008 Exiting mysussy:/ # cd /etc/openvpn mysussy:/etc/openvpn # openvpn --config /etc/openvpn/server.conf Thu Oct 30 11:23:20 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Thu Oct 30 11:23:21 2008 TCP/UDP: Socket bind failed on local address 219.83.114.179:1194: Address already in use Thu Oct 30 11:23:21 2008 Exiting mysussy:/etc/openvpn # "

Probably an existing instance of openvpn is holding the port open. netstat -anp | grep 1194 should tell you which process has this port open. Kill the process and start it again from the command line.

...
'219.83.114.179' is the global-ip number of my outter wlan-card towards the internet gateway of our ISP.

I am confused why the port-number of '1194' has been already occupied whereas the 'openvpn' still can not start. Who/which is using this port-number?

Please advice me.

See above. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Patrik Hasibuan

30 Oct 30 Oct

01:45

Dear Per, I checked in the '/etc/init.d/openvpn': " ..... ..... DAEMON="OpenVPN" openvpn=/usr/sbin/openvpn confdir=/etc/openvpn piddir=/var/run/openvpn ..... ..... ". So it means my openvpn read the 'server.conf' which resides in '/etc/openvpn/server.conf'. I've removed the 'dev tun' and 'dev-node MyTap' in my '/etc/openvpn/server.conf', but my openvpn still can not start: " mysussy:/etc/openvpn # cat server.conf local 219.83.114.179 port 1194 proto tcp ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt cert /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.crt key /usr/share/openvpn/easy-rsa/2.0/keys/toka-site.key # This file should be kept secret dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 ns-cert-type server mysussy:/etc/openvpn # ". Here is my '/var/log/messages/', I saw once my openvpn failed to start: " mysussy:/etc/openvpn # tail -n 30 /var/log/messages Oct 30 09:03:34 mysussy openvpn[10361]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:34 mysussy openvpn[10361]: Exiting Oct 30 09:03:35 mysussy openvpn[10365]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10365]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10365]: Cannot open file key file 'static.key': No such file or directory (errno=2) Oct 30 09:03:35 mysussy openvpn[10365]: Exiting Oct 30 09:03:35 mysussy openvpn[10369]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10369]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10369]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Oct 30 09:03:35 mysussy openvpn[10369]: Cannot load certificate file home.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Oct 30 09:03:35 mysussy openvpn[10369]: Exiting Oct 30 09:03:35 mysussy openvpn[10374]: OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Oct 30 09:03:35 mysussy openvpn[10374]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Oct 30 09:03:35 mysussy openvpn[10374]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Oct 30 09:03:35 mysussy openvpn[10374]: Exiting Oct 30 09:03:38 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:38 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:38 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:42 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:42 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:42 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:48 mysussy kernel: printk: 3 messages suppressed. Oct 30 09:03:48 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:48 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:53 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:53 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:53 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 Oct 30 09:03:58 mysussy kernel: printk: 2 messages suppressed. Oct 30 09:03:58 mysussy kernel: martian source 192.168.30.32 from 192.168.30.32, on dev eth0 Oct 30 09:03:58 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06 mysussy:/etc/openvpn # " Please keep telling me. I'm stucked now. Thank you very much in advance. --- On Tue, 10/28/08, Per Jessen wrote:

...

From: Per Jessen Subject: Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11 To: opensuse@opensuse.org Date: Tuesday, October 28, 2008, 9:01 AM Patrik Hasibuan wrote:

...
This is the test: " mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # openvpn --config /etc/openvpn/server.conf Tue Oct 28 16:31:45 2008 OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO] [EPOLL] built on Jun 7 2008 Tue Oct 28 16:31:45 2008 Note: Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface Tue Oct 28 16:31:45 2008 Cannot open TUN/TAP dev MyTap: No such file or directory (errno=2) Tue Oct 28 16:31:45 2008 Exiting mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # ".

It seems to be clearly complaining about "MyTap".

...
This is my "server.conf": mysussy:/usr/share/openvpn/easy-rsa/2.0/keys # cat /etc/openvpn/server.conf local 219.83.114.179 port 1194 proto tcp dev tun dev-node MyTap

My VPN server config does not have a "dev-node" entry, I'm not sure what the default is.

/Per

-- /Per Jessen, Zürich

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

5652

Age (days ago)

5661

Last active (days ago)

List overview

Download

20 comments

4 participants

participants (4)

Jonathan Ervine
Patrik Hasibuan
Per Jessen
Theo van Werkhoven