[juneau-lug] OpenVPN continued...

  • From: "Kevin Elliott" <woolsherpahat@xxxxxxxxx>
  • To: juneau-lug@xxxxxxxxxxxxx
  • Date: Mon, 17 Jul 2006 19:26:07 -0800

Hello all.

I've still been working on my OpenVPN setup we talked about last
meeting.  Still no luck.  Sorry, it's taken so long to post my
updates.  I've been really busy with work.  Anyways...

I have a router/firewall for my network that runs OpenBSD.  It does
the standard packet filtering and NAT stuff.  It also has a wireless
segment, which until this project has been left unencrypted and has
worked fine.

What I'm trying to do is to set up a VPN over the wireless
connection to provide some added security.  I've been following the
HOWTO at www.openvpn.net with varying degrees of success.

Right now, I can get my client to initialize the tunnel and bring up the
interface, but no traffic is able to pass through it.  I'm not quite
sure what I did to break it, but maybe I can post some configuration
files and someone else might understand what I did wrong.

Anyways, I hope that explanation of what I'm trying to accomplish
makes sense.  If it doesn't, feel free to ask any questions.

Here's what my ifconfig output looks like:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
ath0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0b:6b:37:a4:20
        media: IEEE802.11 autoselect mode 11b hostap
        status: active
        ieee80211: nwid elliott chan 11 bssid 00:0b:6b:37:a4:20
        inet 192.168.101.254 netmask 0xffffff00 broadcast 192.168.101.255
        inet6 fe80::20b:6bff:fe37:a420%ath0 prefixlen 64 scopeid 0x1
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:4d:ec
        groups: egress
        media: Ethernet autoselect (10baseT)
        status: active
        inet6 fe80::200:24ff:fec6:4dec%sis0 prefixlen 64 scopeid 0x2
        inet xxx.xxx.xxx.xxx netmask 0xfffff800 broadcast 24.237.96.255
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:4d:ed
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::200:24ff:fec6:4ded%sis1 prefixlen 64 scopeid 0x3
sis2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:4d:ee
        media: Ethernet autoselect (none)
        status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        groups: tun
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff


You can see the VPN interface (tun0), the actual wireless card (ath0)
and the bridge interface (bridge0) which is supposedly connecting
them.

Here's my hostname.tun0, bridgename.bridge0 and hostname.ath0 respectively.

$ cat /etc/hostname.tun0
link0 up

$ cat /etc/bridgename.bridge0
add ath0
add tun0
up

$ cat /etc/hostname.ath0
inet 192.168.101.254 255.255.255.0 NONE media autoselect mediaopt hostap mode 11b nwid elliott chan 11

Here's the full output from the VPN server:

Jul 17 07:06:39 soekris openvpn[15192]: OpenVPN 2.0.6 i386-unknown-openbsd3.9 [SSL] [LZO] built on Apr 30 2006
Jul 17 07:06:40 soekris openvpn[15192]: Diffie-Hellman initialized with 1024 bit key
Jul 17 07:06:40 soekris openvpn[15192]: Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Jul 17 07:06:40 soekris openvpn[15192]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 17 07:06:40 soekris openvpn[15192]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 17 07:06:40 soekris openvpn[15192]: TLS-Auth MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 17 07:06:40 soekris openvpn[15192]: gw xx.xxx.xx.x
Jul 17 07:06:40 soekris openvpn[15192]: /sbin/ifconfig tun0 destroy
Jul 17 07:06:40 soekris openvpn[15192]: /sbin/ifconfig tun0 create
Jul 17 07:06:40 soekris openvpn[15192]: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Jul 17 07:06:40 soekris openvpn[15192]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Jul 17 07:06:40 soekris openvpn[15192]: TUN/TAP device /dev/tun0 opened
Jul 17 07:06:40 soekris openvpn[15192]: /sbin/route add -net 10.8.0.0 10.8.0.2 -netmask 255.255.255.0
Jul 17 07:06:40 soekris openvpn[15192]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Jul 17 07:06:40 soekris openvpn[8642]: chroot to '/var/empty' and cd to '/' succeeded
Jul 17 07:06:40 soekris openvpn[8642]: GID set to nobody
Jul 17 07:06:40 soekris openvpn[8642]: UID set to nobody
Jul 17 07:06:40 soekris openvpn[8642]: UDPv4 link local (bound): 192.168.101.254:1194
Jul 17 07:06:40 soekris openvpn[8642]: UDPv4 link remote: [undef]
Jul 17 07:06:40 soekris openvpn[8642]: MULTI: multi_init called, r=256 v=256
Jul 17 07:06:40 soekris openvpn[8642]: IFCONFIG POOL: base=10.8.0.4 size=62
Jul 17 07:06:40 soekris openvpn[8642]: IFCONFIG POOL LIST
Jul 17 07:06:40 soekris openvpn[8642]: Kevin_s_iBook,10.8.0.4
Jul 17 07:06:40 soekris openvpn[8642]: Initialization Sequence Completed

and here's what it looks like from the client side:

Mon Jul 17 19:10:27 2006 OpenVPN 2.0.2 powerpc-apple-darwin8.2.0 [SSL] [LZO] built on Aug 30 2005
Mon Jul 17 19:10:27 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Jul 17 19:10:27 2006 WARNING: file '/etc/openvpn/keys/client1.key' is group or others accessible
Mon Jul 17 19:10:27 2006 WARNING: file '/etc/openvpn/keys/ta.key' is group or others accessible
Mon Jul 17 19:10:27 2006 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Mon Jul 17 19:10:27 2006 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 17 19:10:27 2006 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 17 19:10:27 2006 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jul 17 19:10:27 2006 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Mon Jul 17 19:10:27 2006 Local Options hash (VER=V4): '70f5b3af'
Mon Jul 17 19:10:27 2006 Expected Remote Options hash (VER=V4): 'a2e2498c'
Mon Jul 17 19:10:27 2006 NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Mon Jul 17 19:10:27 2006 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Jul 17 19:10:27 2006 UDPv4 link local: [undef]
Mon Jul 17 19:10:27 2006 UDPv4 link remote: 192.168.101.254:1194
Mon Jul 17 19:10:27 2006 TLS: Initial packet from 192.168.101.254:1194, sid=298593eb 02a100a0
Mon Jul 17 19:10:28 2006 VERIFY OK: depth=1, /C=US/ST=AK/L=JUNEAU/O=OpenVPN_Local/CN=Kevin_Elliott/emailAddress=kelliott@xxxxxxxxxxxxx
Mon Jul 17 19:10:28 2006 VERIFY OK: nsCertType=SERVER
Mon Jul 17 19:10:28 2006 VERIFY OK: depth=0, /C=US/ST=AK/O=OpenVPN_Local/CN=Kevin_Elliott/emailAddress=kelliott@xxxxxxxxxxxxx
Mon Jul 17 19:10:29 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 17 19:10:29 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 17 19:10:29 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 17 19:10:29 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 17 19:10:29 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jul 17 19:10:29 2006 [Kevin_Elliott] Peer Connection Initiated with 192.168.101.254:1194
Mon Jul 17 19:10:30 2006 SENT CONTROL [Kevin_Elliott]: 'PUSH_REQUEST' (status=1)
Mon Jul 17 19:10:30 2006 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Jul 17 19:10:30 2006 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jul 17 19:10:30 2006 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jul 17 19:10:30 2006 OPTIONS IMPORT: route options modified
Mon Jul 17 19:10:30 2006 gw 192.168.100.254
Mon Jul 17 19:10:30 2006 TUN/TAP device /dev/tun0 opened
Mon Jul 17 19:10:30 2006 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Mon Jul 17 19:10:30 2006 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Mon Jul 17 19:10:30 2006 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Mon Jul 17 19:10:30 2006 /sbin/route add -net 192.168.101.254 192.168.100.254 255.255.255.255
add net 192.168.101.254: gateway 192.168.100.254
Mon Jul 17 19:10:30 2006 /sbin/route delete -net 0.0.0.0 192.168.100.254 0.0.0.0
delete net 0.0.0.0: gateway 192.168.100.254
Mon Jul 17 19:10:30 2006 /sbin/route add -net 0.0.0.0 10.8.0.5 0.0.0.0
add net 0.0.0.0: gateway 10.8.0.5
Mon Jul 17 19:10:30 2006 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.5
Mon Jul 17 19:10:30 2006 chroot to '/var/empty' and cd to '/' succeeded
Mon Jul 17 19:10:30 2006 GID set to nobody
Mon Jul 17 19:10:30 2006 UID set to nobody
Mon Jul 17 19:10:30 2006 Initialization Sequence Completed

and here's the OpenVPN server config file:

daemon openvpn
writepid /var/openvpn/pid
status /var/openvpn/status 10
local 192.168.101.254
port 1194
proto udp
dev tun0
client-to-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/openvpn/ipp.txt
push "redirect-gateway"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC # Blowfish (default)
max-clients 5
user nobody
group nobody
persist-key
persist-tun
verb 3
mute 20
chroot /var/empty

and likewise the client config:

client
dev tun0
proto udp
remote 192.168.101.254 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
verb 3
mute 20
chroot /var/empty

and here's pf.conf:

#MACROS

wan_if="sis0"
lan_if="sis1"
wlan_if="ath0"
vpn_if="tun0"
priv_networks="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"

#OPTIONS

set block-policy drop
set optimization normal

#NORMALIZE PACKETS

scrub all

#NETWORK ADDRESS TRANSLATION / REDIRECTION

nat on $wan_if from !($wan_if) to any -> ($wan_if)
rdr on $wan_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $wan_if proto tcp from any to any port 6881:6889 -> 192.168.100.2 port 6881:6889

#IN/OUTBOUND DEFAULTS

block all
block in quick on $wan_if inet from $priv_networks to any

#PASS VPN TRAFFIC

pass in quick on $wlan_if proto udp from any to $wlan_if port 1194 keep state

#PASS SSHD TRAFFIC

#pass in log on $wan_if proto tcp from any to $wan_if port 22 keep state

#PASS WAN/LAN TRAFFIC

pass quick on { lo0 $lan_if $vpn_if }
pass out on $wan_if proto tcp all modulate state flags S/SA
pass out on $wan_if proto { udp, icmp } all keep state

#PASS ACTIVE FTP TRAFFIC

pass in on $wan_if inet proto tcp from port 20 to ($wan_if) user proxy flags S/SA keep state

#PASS BITTORENT

pass in on $wan_if proto tcp from any to 192.168.100.2 port 6881:6889 keep state

#ANTI-SPOOFING

antispoof quick for { $wan_if $lan_if $wlan_if }

I tried using tcpdump to see if any traffic was passing over tun0,
but there wasn't anything.  Well, I would appreciate any suggestions.
Right now, I'm going to bed.  Good night.

~Kevin Elliott
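A consistency checker for a setup like the one described above, added here as an example and not part of the original post or of OpenVPN itself. It embeds the posted server config, client config and bridgename.bridge0 as constructed input and cross-checks the things that most often leave a tunnel "up" but silent: matching device type on both ends, whether a device OpenVPN drives as a layer-3 tun has been made a bridge member (only a tap device carries Ethernet frames a bridge can forward), the server/server-bridge directive matching that device type, complementary tls-auth key directions, and matching cipher, proto and port. The "bridged variant" (dev tap on both sides, server-bridge with a pool inside 192.168.101.0/24, tap0 in the bridge) is an assumed alternative written for the example, not a configuration from the post.

```python
"""Cross-check an OpenVPN server/client config pair against the host's bridge membership."""
import shlex

# Constructed input: the relevant lines of the posted server and client configs.
SERVER_CONF = """
daemon openvpn
local 192.168.101.254
port 1194
proto udp
dev tun0
client-to-client
server 10.8.0.0 255.255.255.0
push "redirect-gateway"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC # Blowfish (default)
"""
CLIENT_CONF = """
client
dev tun0
proto udp
remote 192.168.101.254 1194
nobind
ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
"""
BRIDGE_CONF = "add ath0\nadd tun0\nup\n"  # /etc/bridgename.bridge0 from the post

# Hypothetical bridged variant (assumption, not from the post): a layer-2 tunnel
# needs dev tap on both ends, server-bridge on the server, and the tap device in the bridge.
BRIDGED_SERVER_CONF = SERVER_CONF.replace("dev tun0", "dev tap0").replace(
    "server 10.8.0.0 255.255.255.0",
    "server-bridge 192.168.101.254 255.255.255.0 192.168.101.100 192.168.101.120")
BRIDGED_CLIENT_CONF = CLIENT_CONF.replace("dev tun0", "dev tap0")
BRIDGED_BRIDGE_CONF = "add ath0\nadd tap0\nup\n"


def parse_openvpn(text):
    """Map each option to the list of its argument lists (an option may repeat)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)                 # handles push "redirect-gateway"
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def first_arg(opts, name, default=None):
    """First argument of the first occurrence of an option, or the default."""
    occ = opts.get(name)
    return occ[0][0] if occ and occ[0] else default


def dev_type(opts):
    """OpenVPN's device type: an explicit --dev-type wins, else derived from --dev."""
    explicit = first_arg(opts, "dev-type")
    return explicit if explicit else first_arg(opts, "dev", "").rstrip("0123456789")


def bridge_members(text):
    """Interfaces named by 'add <if>' lines of an OpenBSD bridgename.* file."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("add ") and len(ln.split()) > 1]


def check_pair(server_conf, client_conf, bridge_conf):
    """Return human-readable findings; an empty list means the pair is consistent."""
    s, c = parse_openvpn(server_conf), parse_openvpn(client_conf)
    findings = []

    stype, ctype = dev_type(s), dev_type(c)
    if stype != ctype:
        findings.append(f"dev type mismatch: server {stype!r}, client {ctype!r}")

    # A tun device is a layer-3 point-to-point link; only tap (Ethernet) can be bridged.
    sdev = first_arg(s, "dev", "")
    if sdev in bridge_members(bridge_conf) and stype == "tun":
        findings.append(f"{sdev} is a bridge member but OpenVPN drives it as tun "
                        "(layer 3); bridging needs dev tap with server-bridge")

    # --server sets up a routed tun topology; --server-bridge expects tap.
    if "server" in s and stype == "tap":
        findings.append("'server' directive used with a tap device; use 'server-bridge'")
    if "server-bridge" in s and stype == "tun":
        findings.append("'server-bridge' directive used with a tun device")

    # tls-auth must be on both sides with complementary key directions (server 0, client 1).
    sta, cta = s.get("tls-auth"), c.get("tls-auth")
    if bool(sta) != bool(cta):
        findings.append("tls-auth configured on only one side; handshakes will be dropped")
    elif sta and cta:
        sdir = sta[0][1] if len(sta[0]) > 1 else None
        cdir = cta[0][1] if len(cta[0]) > 1 else None
        if (sdir is None) != (cdir is None):
            findings.append("tls-auth key direction set on only one side")
        elif sdir is not None and sdir == cdir:
            findings.append(f"tls-auth key direction {sdir} on both sides; server needs 0, client 1")

    # Data-channel parameters that must agree (OpenVPN 2.0 defaults shown).
    for opt, default in (("cipher", "BF-CBC"), ("proto", "udp")):
        sv, cv = first_arg(s, opt, default), first_arg(c, opt, default)
        if sv != cv:
            findings.append(f"{opt} mismatch: server {sv}, client {cv}")

    remote = c.get("remote", [[]])[0]
    rport = remote[1] if len(remote) > 1 else "1194"
    sport = first_arg(s, "port", "1194")
    if rport != sport:
        findings.append(f"client remote port {rport} but server listens on {sport}")
    return findings


if __name__ == "__main__":
    for label, args in (("posted configs", (SERVER_CONF, CLIENT_CONF, BRIDGE_CONF)),
                        ("bridged variant", (BRIDGED_SERVER_CONF, BRIDGED_CLIENT_CONF, BRIDGED_BRIDGE_CONF))):
        found = check_pair(*args)
        print(f"{label}: {'OK' if not found else ''}")
        for f in found:
            print("  -", f)
```

Run against the posted configs the only finding is the tun-in-bridge one; the assumed tap/server-bridge variant passes every check. The checker compares the `dev` name as written against the bridge member list, so it will not notice devices renamed by an `up` script.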
------------------------------------
The Juneau Linux Users Group -- http://www.juneau-lug.org
This is the Juneau-LUG mailing list.
To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with the 
word unsubscribe in the subject header.