openvpn - urgent help requested!
Timothy Murphy
gayleard at eircom.net
Fri Apr 10 20:45:20 UTC 2009
Andrew Parker wrote:
>> Just to follow up on myself - I'm in Italy now,
>> and everything works fine _except_ VPN.
>> I can ssh into my home server, get IMAP email from it,
>> and generally interact with it as I do at home,
>>
>> If I ssh into my home server, ifconfig gives:
>> --------------------------------------------
>> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>> inet addr:192.168.5.1 P-t-P:192.168.5.2 Mask:255.255.255.255
>> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
>> RX packets:9 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:100
>> RX bytes:756 (756.0 b) TX bytes:1008 (1008.0 b)
>> --------------------------------------------
>> while ifconfig on my laptop gives
>> --------------------------------------------
>> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>> inet addr:192.168.5.6 P-t-P:192.168.5.5 Mask:255.255.255.255
>> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
>> RX packets:3 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:100
>> RX bytes:336 (336.0 b) TX bytes:252 (252.0 b)
>> --------------------------------------------
>> As I point out, the P-t-P addresses are different -
>> I don't know if that is significant.
> this is normal.
>
> What do your routes look like? What are your configs, and how do you
> start openvpn?
My server.conf and client.conf are:
--------------------------------------------
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 192.168.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
--------------------------------------------
dev tun
proto udp
remote www.gayleard.com 1194
resolv-retry infinite
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/mary.crt
key /etc/openvpn/keys/mary.key
ns-cert-type server
comp-lzo
verb 3
--------------------------------------------
"route -n" on server and client give:
--------------------------------------------
Destination Gateway Genmask Flags Metric Ref Iface
192.168.5.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 192.168.5.2 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
--------------------------------------------
Destination Gateway Genmask Flags Metric Ref Iface
192.168.5.1 192.168.5.5 255.255.255.255 UGH 0 0 0 tun0
192.168.5.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 2 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
--------------------------------------------
I start openvpn on both machines with "sudo service openvpn restart".
The server is running CentOS-5.3, the client Fedora-10.
I don't see anything in /var/log/messages on either machine
to suggest that anything is wrong.
> do you have a firewall running?
I do have shorewall running on the server.
But I have a rule to allow udp packets in and out through port 1194:
--------------------------------------------
ACCEPT net $FW udp 1194 # OpenVPN
ACCEPT $FW net udp 1194 # OpenVPN
--------------------------------------------
I have a pinhole on my ADSL modem at home allowing these packets through.
As I said earlier, openvpn did work on a previous visit.
That was with a different server, running Fedora-9.
But I'm pretty sure I have not altered the modem.
As always, any and all enlightenment gratefully received.
--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin