stevouwill (OpenVpn Newbie, Posts: 6, Joined: Tue Apr 25, 2017 1:27 pm)
Post by stevouwill » Tue Apr 25, 2017 1:41 pm
Hi, I have been facing a problem for a few days. I have configured my OpenVPN server and client. When I launch my OpenVPN client I can connect to the OpenVPN server fine; my client then receives the virtual IP address 10.8.0.5 with gateway 10.8.0.6, and on my server I also see the IP address 10.8.0.1 with virtual gateway 10.8.0.2. But the problem is that I can't ping a remote LAN (192.168.10.10/24). After checking the log file on my server I saw that there is a problem with a route.
Tue Apr 25 16:36:36 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 3 2017
Tue Apr 25 16:36:36 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Tue Apr 25 16:36:36 2017 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Apr 25 16:36:36 2017 Diffie-Hellman initialized with 2048 bit key
Tue Apr 25 16:36:36 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Tue Apr 25 16:36:36 2017 ECDH curve secp384r1 added
Tue Apr 25 16:36:36 2017 ROUTE: default_gateway=UNDEF
Tue Apr 25 16:36:36 2017 TUN/TAP device tun1 opened
Tue Apr 25 16:36:36 2017 TUN/TAP TX queue length set to 100
Tue Apr 25 16:36:36 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Apr 25 16:36:36 2017 /sbin/ip link set dev tun1 up mtu 1500
Tue Apr 25 16:36:36 2017 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Tue Apr 25 16:36:36 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Tue Apr 25 16:36:36 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Apr 25 16:36:36 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Apr 25 16:36:36 2017 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:1194: Address already in use
Tue Apr 25 16:36:36 2017 Exiting due to fatal error
Tue Apr 25 16:36:36 2017 Closing TUN/TAP interface
Tue Apr 25 16:36:36 2017 /sbin/ip addr del dev tun1 local 10.8.0.1 peer 10.8.0.2
I have tried to add these iptables rules without success:
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE
service iptables save
systemctl -f enable openvpn@server.service
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE
service iptables save
iptables -A INPUT -i ens34 -j ACCEPT
iptables -A FORWARD -i ens34 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o ens33 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o ens33 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Please, I need your help to solve this issue.

TinCanTech (OpenVPN Protagonist, Posts: 11137, Joined: Fri Jun 03, 2016 1:17 pm)
Post by TinCanTech » Tue Apr 25, 2017 2:00 pm
This:
stevouwill wrote:
Tue Apr 25 16:36:36 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 3 2017
Tue Apr 25 16:36:36 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Tue Apr 25 16:36:36 2017 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Apr 25 16:36:36 2017 Diffie-Hellman initialized with 2048 bit key
Tue Apr 25 16:36:36 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Tue Apr 25 16:36:36 2017 ECDH curve secp384r1 added
Tue Apr 25 16:36:36 2017 ROUTE: default_gateway=UNDEF
Tue Apr 25 16:36:36 2017 TUN/TAP device tun1 opened
Tue Apr 25 16:36:36 2017 TUN/TAP TX queue length set to 100
Tue Apr 25 16:36:36 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Apr 25 16:36:36 2017 /sbin/ip link set dev tun1 up mtu 1500
Tue Apr 25 16:36:36 2017 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Tue Apr 25 16:36:36 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Tue Apr 25 16:36:36 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Apr 25 16:36:36 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Apr 25 16:36:36 2017 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:1194: Address already in use
Tue Apr 25 16:36:36 2017 Exiting due to fatal error
Tue Apr 25 16:36:36 2017 Closing TUN/TAP interface
Tue Apr 25 16:36:36 2017 /sbin/ip addr del dev tun1 local 10.8.0.1 peer 10.8.0.2
means you have started the same OpenVPN server twice.
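The diagnosis above rests on two lines appearing together: the kernel refusing the tunnel route because it already exists, and the UDP port being owned by someone else. The following is an added example (not code from the thread or from OpenVPN) that runs over a constructed excerpt of the poster's log and turns that pairing into a verdict, so an operator can tell a duplicate instance apart from an unrelated port conflict or a stale route before touching anything:

```python
"""Classify an OpenVPN server start-up failure from its log lines.

Added example, not code from the forum thread or from OpenVPN. It flags
the pattern TinCanTech diagnosed: an instance that cannot add its own
route ("RTNETLINK answers: File exists") and cannot bind its port
("Address already in use"). Both together mean another copy of the same
server already owns the route and the port.
"""
import re

# Constructed sample: the relevant lines of the poster's log, timestamps kept.
SAMPLE_LOG = """\
Tue Apr 25 16:36:36 2017 ROUTE: default_gateway=UNDEF
Tue Apr 25 16:36:36 2017 TUN/TAP device tun1 opened
Tue Apr 25 16:36:36 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Tue Apr 25 16:36:36 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Apr 25 16:36:36 2017 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:1194: Address already in use
Tue Apr 25 16:36:36 2017 Exiting due to fatal error
"""

RE_TUN = re.compile(r"TUN/TAP device (\S+) opened")
RE_ROUTE_ADD = re.compile(r"/sbin/ip route add (\S+) via (\S+)")
RE_BIND_FAIL = re.compile(r"Socket bind failed on local address \S+:(\d+): Address already in use")


def analyse(log_text):
    """Collect the facts needed for a diagnosis from raw log text."""
    facts = {
        "tun_device": None,
        "route_attempted": None,   # (network, via) of the last route add
        "route_exists": False,     # kernel said the route is already there
        "route_cmd_failed": False,
        "bind_failed_port": None,  # port OpenVPN could not bind, as a string
        "fatal": False,
    }
    for line in log_text.splitlines():
        m = RE_TUN.search(line)
        if m:
            facts["tun_device"] = m.group(1)
            continue
        m = RE_ROUTE_ADD.search(line)
        if m:
            facts["route_attempted"] = (m.group(1), m.group(2))
            continue
        if "RTNETLINK answers: File exists" in line:
            facts["route_exists"] = True
        elif "ERROR: Linux route add command failed" in line:
            facts["route_cmd_failed"] = True
        elif "Exiting due to fatal error" in line:
            facts["fatal"] = True
        m = RE_BIND_FAIL.search(line)
        if m:
            facts["bind_failed_port"] = m.group(1)
    return facts


def diagnose(facts):
    """Map the collected facts to a short verdict string."""
    if facts["bind_failed_port"] and facts["route_exists"]:
        # Route already installed AND port already owned: the same server
        # is already running (TinCanTech's reading of this log).
        return "duplicate-instance"
    if facts["bind_failed_port"]:
        return "port-in-use"      # some other process holds the port
    if facts["route_exists"]:
        return "route-conflict"   # route present, e.g. a stale tun route
    if facts["fatal"]:
        return "fatal-other"
    return "ok"


def hints(facts):
    """Operator follow-ups derived only from what the log itself shows."""
    out = []
    if facts["tun_device"] and facts["tun_device"] != "tun0":
        out.append(f"{facts['tun_device']} was opened, so a lower-numbered tun device "
                   "is probably held by an earlier instance")
    if facts["bind_failed_port"]:
        out.append(f"check which process listens on UDP port {facts['bind_failed_port']} "
                   "(for example: ss -lunp)")
    if facts["route_attempted"] and facts["route_exists"]:
        net, via = facts["route_attempted"]
        out.append(f"route {net} via {via} already exists; confirm it belongs to the "
                   "running instance before removing anything")
    return out


if __name__ == "__main__":
    f = analyse(SAMPLE_LOG)
    print(diagnose(f))
    for h in hints(f):
        print(" -", h)
```

Run against the sample it prints `duplicate-instance` plus three hints; note that the log's `tun1` (rather than `tun0`, which the poster later names as the tunnel interface) is itself a tell that an earlier instance is still holding the first device.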
stevouwill (OpenVpn Newbie, Posts: 6, Joined: Tue Apr 25, 2017 1:27 pm)
Post by stevouwill » Tue Apr 25, 2017 2:03 pm
This is my server.conf:
port 1194
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/testclient.crt
key /etc/openvpn/testclient.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.124.254.4"
push "dhcp-option DNS 10.124.254.5"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
And my client.ovpn:
client
dev tun
proto udp
remote 10.124.218.142 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#comp-lzo
verb 3
ca ca.crt
cert testclient.crt
key testclient.key
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
verb 3
TinCanTech (OpenVPN Protagonist, Posts: 11137, Joined: Fri Jun 03, 2016 1:17 pm)
Post by TinCanTech » Tue Apr 25, 2017 2:20 pm
This:
Re: Unable to ping a virtual gateway both from server and from client
in relation to gateways 10.8.0.2 and 10.8.0.6 is normal; those gateways are not ping-able addresses by design.
This:
stevouwill wrote: the problem is that I can't ping a remote LAN (192.168.10.10/24).
should work either by setting up correct routing or using iptables nat as you have done. Ensure you specify the correct output interface.
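"Ensure you specify the correct output interface" is the crux: the poster's only MASQUERADE rule exits via the external interface, while the LAN he wants to reach sits behind a different one. The following is an added example (not from the thread) that checks a rule set against the interface whose own subnet actually contains the target network. The interface roles follow the poster's later description (ens33 external, ens34 LAN); the ens34 address 192.168.10.1/24 and the /24 on ens33 are assumptions made for illustration.

```python
"""Check that MASQUERADE rules exit via the interface that reaches the target LAN.

Added example, not from the thread or from OpenVPN. Interface roles follow
the poster's description (ens33 = external, ens34 = LAN); the ens34 address
and the ens33 prefix length are assumptions for illustration.
"""
import ipaddress
import re

# Constructed: the interface table as `ip -o -4 addr` would report it.
INTERFACES = {
    "ens33": "10.124.218.142/24",  # external network (server address from client.ovpn, /24 assumed)
    "ens34": "192.168.10.1/24",    # LAN side (address assumed)
}

# The poster's NAT and forwarding rules, copied from the thread.
POSTED_RULES = """\
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE
iptables -A INPUT -i ens34 -j ACCEPT
iptables -A FORWARD -i ens34 -j ACCEPT
iptables -A FORWARD -m state --state NEW -o ens33 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

RE_MASQ = re.compile(r"-t nat -A POSTROUTING -s (\S+) -o (\S+) -j MASQUERADE")


def exit_interface(target, interfaces):
    """Interface whose own subnet contains `target`, or None if it would leave via the default route."""
    target_net = ipaddress.ip_network(target, strict=False)  # "192.168.10.10/24" -> 192.168.10.0/24
    for name, cidr in interfaces.items():
        if target_net.subnet_of(ipaddress.ip_interface(cidr).network):
            return name
    return None


def masquerade_rules(rules_text):
    """(source, out-interface) pairs for every MASQUERADE rule in the text."""
    pairs = []
    for line in rules_text.splitlines():
        m = RE_MASQ.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def check_lan_nat(rules_text, vpn_subnet, target, interfaces):
    """Does any MASQUERADE rule covering the VPN subnet exit on the interface that reaches target?"""
    vpn = ipaddress.ip_network(vpn_subnet)
    iface = exit_interface(target, interfaces)
    nat_out = [out for src, out in masquerade_rules(rules_text)
               if vpn.subnet_of(ipaddress.ip_network(src))]
    return {
        "exit_interface": iface,
        "masquerade_out": nat_out,
        "lan_reachable_via_nat": iface is not None and iface in nat_out,
    }


def suggested_rule(vpn_subnet, iface):
    """The MASQUERADE rule for the interface the check identified."""
    return f"iptables -t nat -A POSTROUTING -s {vpn_subnet} -o {iface} -j MASQUERADE"


if __name__ == "__main__":
    result = check_lan_nat(POSTED_RULES, "10.8.0.0/24", "192.168.10.10/24", INTERFACES)
    print(result)
    if not result["lan_reachable_via_nat"] and result["exit_interface"]:
        print("missing:", suggested_rule("10.8.0.0/24", result["exit_interface"]))
```

For the posted rules the check reports `exit_interface` ens34, `masquerade_out` `['ens33']` and `lan_reachable_via_nat` False, i.e. traffic from 10.8.0.0/24 toward the LAN leaves ens34 with its tunnel source address intact. NAT on ens34 is the quick fix; the cleaner one that TinCanTech also names is correct routing, a return route for 10.8.0.0/24 on the LAN gateway, which keeps the client addresses visible in the LAN hosts' logs. Either way `net.ipv4.ip_forward` must be 1 on the server, which no iptables rule sets.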
stevouwill (OpenVpn Newbie, Posts: 6, Joined: Tue Apr 25, 2017 1:27 pm)
Post by stevouwill » Tue Apr 25, 2017 2:40 pm
Thanks for your support TinCanTech. My different interfaces are ens33 (the interface connected to the external network), ens34 (the interface connected to the LAN), and tun0 (the virtual interface for tunneling).
The iptables rules that I applied were:
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE
service iptables save
iptables -A INPUT -i ens34 -j ACCEPT
iptables -A FORWARD -i ens34 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o ens33 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o ens33 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
But I don't know why in the server log file we always have the error "Linux route add command failed: external program exited with error status: 2".