Server-Client Config openwrt-router

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Fri Jun 19, 2015 2:15 am

Sry for spamming, please forget the previous post. I c/p a wrong ta.key - shame on me...

again
Server config:

Code:

tls-server

port 443
proto udp
dev tap

ca /etc/ssl/openvpn/ca.crt
cert /etc/ssl/openvpn/myHostname.crt
key /etc/ssl/openvpn/myHostname.key
dh /etc/ssl/openvpn/dh2048.pem
tls-auth /etc/ssl/openvpn/ta.key 0

cipher AES-256-CBC
comp-lzo
ifconfig-pool-persist /var/log/ipp.txt
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 4
mute 20
keepalive 10 120
persist-key
persist-tun

server-bridge 192.168.84.2 255.255.255.0 192.168.84.47 192.168.84.49
push dhcp-option DNS 192.168.84.2
push redirect-gateway def1
client-to-client

Client config:

Code:

client

dev tap
proto udp
remote 	myHostname 443
resolv-retry infinite
nobind

persist-key
persist-tun 

mute-replay-warnings

ca ca.crt
cert MD1.crt
key MD1.key
tls-auth ta.key 1

remote-cert-tls server
cipher AES-256-CBC
verb 4
mute 20

keepalive 10 120

comp-lzo

Server log:

Code:

Fri Jun 19 04:02:08 2015 us=931054 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May  7 2015
Fri Jun 19 04:02:08 2015 us=931405 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Fri Jun 19 04:02:08 2015 us=931952 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Fri Jun 19 04:02:09 2015 us=314272 Diffie-Hellman initialized with 2048 bit key
Fri Jun 19 04:02:09 2015 us=318739 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Fri Jun 19 04:02:09 2015 us=319046 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:09 2015 us=319265 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:09 2015 us=319523 TLS-Auth MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 19 04:02:09 2015 us=319779 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Jun 19 04:02:09 2015 us=343087 TUN/TAP device tap0 opened
Fri Jun 19 04:02:09 2015 us=343358 TUN/TAP TX queue length set to 100
Fri Jun 19 04:02:09 2015 us=343793 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 19 04:02:09 2015 us=343986 UDPv4 link local (bound): [undef]
Fri Jun 19 04:02:09 2015 us=344158 UDPv4 link remote: [undef]
Fri Jun 19 04:02:09 2015 us=344332 MULTI: multi_init called, r=256 v=256
Fri Jun 19 04:02:09 2015 us=344624 IFCONFIG POOL: base=192.168.84.47 size=3, ipv6=0
Fri Jun 19 04:02:09 2015 us=344832 ifconfig_pool_read(), in='MD1,192.168.84.47', TODO: IPv6
Fri Jun 19 04:02:09 2015 us=345009 succeeded -> ifconfig_pool_set()
Fri Jun 19 04:02:09 2015 us=345183 IFCONFIG POOL LIST
Fri Jun 19 04:02:09 2015 us=345406 MD1,192.168.84.47
Fri Jun 19 04:02:09 2015 us=345790 Initialization Sequence Completed
Fri Jun 19 04:02:30 2015 us=608 MULTI: multi_create_instance called
Fri Jun 19 04:02:30 2015 us=1098 80.187.101.87:16033 Re-using SSL/TLS context
Fri Jun 19 04:02:30 2015 us=1379 80.187.101.87:16033 LZO compression initialized
Fri Jun 19 04:02:30 2015 us=2442 80.187.101.87:16033 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jun 19 04:02:30 2015 us=2727 80.187.101.87:16033 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jun 19 04:02:30 2015 us=3133 80.187.101.87:16033 TLS: Initial packet from [AF_INET]myMobileIP:16033, sid=a314d335 093917e7
Fri Jun 19 04:02:33 2015 us=976964 myMobileIP:16033 VERIFY OK: depth=1, CN=myHostname
Fri Jun 19 04:02:33 2015 us=981528 myMobileIP:16033 VERIFY OK: depth=0, CN=MD1
Fri Jun 19 04:02:35 2015 us=197641 myMobileIP:16033 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 19 04:02:35 2015 us=198328 myMobileIP:16033 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:35 2015 us=202377 myMobileIP:16033 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 19 04:02:35 2015 us=202812 myMobileIP:16033 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:35 2015 us=394725 myMobileIP:16033 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Jun 19 04:02:35 2015 us=395173 myMobileIP:16033 [MD1] Peer Connection Initiated with [AF_INET]myMobileIP:16033
Fri Jun 19 04:02:35 2015 us=395548 MD1/myMobileIP:16033 MULTI_sva: pool returned IPv4=192.168.84.47, IPv6=(Not enabled)
Fri Jun 19 04:02:38 2015 us=34671 MD1/myMobileIP:16033 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 19 04:02:38 2015 us=34923 MD1/myMobileIP:16033 send_push_reply(): safe_cap=940
Fri Jun 19 04:02:38 2015 us=35414 MD1/myMobileIP:16033 SENT CONTROL [MD1]: 'PUSH_REPLY,dhcp-option DNS 192.168.84.2,redirect-gateway def1,route-gateway 192.168.84.2,ping 10,ping-restart 120,ifconfig 192.168.84.47 255.255.255.0' (status=1)
Fri Jun 19 04:02:38 2015 us=316525 MD1/myMobileIP:16033 MULTI: Learn: 00:ff:6d:da:b7:c2 -> MD1/myMobileIP:16033

Client log:

Code:

Fri Jun 19 04:02:30 2015 us=661365 Current Parameter Settings:
Fri Jun 19 04:02:30 2015 us=661365   config = 'Arbeit (auskommentiert).ovpn'
Fri Jun 19 04:02:30 2015 us=661365   mode = 0
Fri Jun 19 04:02:30 2015 us=661365   show_ciphers = DISABLED
Fri Jun 19 04:02:30 2015 us=661365   show_digests = DISABLED
Fri Jun 19 04:02:30 2015 us=661365   show_engines = DISABLED
Fri Jun 19 04:02:30 2015 us=661365   genkey = DISABLED
Fri Jun 19 04:02:30 2015 us=661365   key_pass_file = '[UNDEF]'
Fri Jun 19 04:02:30 2015 us=661365   show_tls_ciphers = DISABLED
Fri Jun 19 04:02:30 2015 us=661365 Connection profiles [default]:
Fri Jun 19 04:02:30 2015 us=661365   proto = udp
Fri Jun 19 04:02:30 2015 us=661365   local = '[UNDEF]'
Fri Jun 19 04:02:30 2015 us=661365   local_port = 0
Fri Jun 19 04:02:30 2015 us=661365   remote = 'myHostname'
Fri Jun 19 04:02:30 2015 us=661365   remote_port = 443
Fri Jun 19 04:02:30 2015 us=661365   remote_float = DISABLED
Fri Jun 19 04:02:30 2015 us=661365   bind_defined = DISABLED
Fri Jun 19 04:02:30 2015 us=661365   bind_local = DISABLED
Fri Jun 19 04:02:30 2015 us=661365   connect_retry_seconds = 5
Fri Jun 19 04:02:30 2015 us=661365   connect_timeout = 10
Fri Jun 19 04:02:30 2015 us=661365 NOTE: --mute triggered...
Fri Jun 19 04:02:30 2015 us=661365 265 variation(s) on previous 20 message(s) suppressed by --mute
Fri Jun 19 04:02:30 2015 us=661365 OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  8 2015
Fri Jun 19 04:02:30 2015 us=661365 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Enter Management Password:
Fri Jun 19 04:02:30 2015 us=662365 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Jun 19 04:02:30 2015 us=662365 Need hold release from management interface, waiting...
Fri Jun 19 04:02:31 2015 us=160393 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Jun 19 04:02:31 2015 us=260399 MANAGEMENT: CMD 'state on'
Fri Jun 19 04:02:31 2015 us=260399 MANAGEMENT: CMD 'log all on'
Fri Jun 19 04:02:31 2015 us=274400 MANAGEMENT: CMD 'hold off'
Fri Jun 19 04:02:31 2015 us=275400 MANAGEMENT: CMD 'hold release'
Fri Jun 19 04:02:31 2015 us=373405 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Jun 19 04:02:31 2015 us=373405 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:31 2015 us=373405 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:31 2015 us=373405 LZO compression initialized
Fri Jun 19 04:02:31 2015 us=373405 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:3 ]
Fri Jun 19 04:02:31 2015 us=374405 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jun 19 04:02:31 2015 us=374405 MANAGEMENT: >STATE:1434679351,RESOLVE,,,
Fri Jun 19 04:02:32 2015 us=340461 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:143 ET:32 EL:3 AF:3/1 ]
Fri Jun 19 04:02:32 2015 us=340461 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Fri Jun 19 04:02:32 2015 us=340461 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri Jun 19 04:02:32 2015 us=340461 Local Options hash (VER=V4): '48527533'
Fri Jun 19 04:02:32 2015 us=340461 Expected Remote Options hash (VER=V4): '44bd8b5e'
Fri Jun 19 04:02:32 2015 us=340461 UDPv4 link local: [undef]
Fri Jun 19 04:02:32 2015 us=340461 UDPv4 link remote: [AF_INET]myServerIP:443
Fri Jun 19 04:02:32 2015 us=340461 MANAGEMENT: >STATE:1434679352,WAIT,,,
Fri Jun 19 04:02:32 2015 us=696481 MANAGEMENT: >STATE:1434679352,AUTH,,,
Fri Jun 19 04:02:32 2015 us=696481 TLS: Initial packet from [AF_INET]myServerIP:443, sid=7ed2a4fe 259be66f
Fri Jun 19 04:02:35 2015 us=119620 VERIFY OK: depth=1, CN=myHostname
Fri Jun 19 04:02:35 2015 us=120620 Validating certificate key usage
Fri Jun 19 04:02:35 2015 us=120620 ++ Certificate has key usage  00a0, expects 00a0
Fri Jun 19 04:02:35 2015 us=120620 VERIFY KU OK
Fri Jun 19 04:02:35 2015 us=120620 Validating certificate extended key usage
Fri Jun 19 04:02:35 2015 us=120620 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Jun 19 04:02:35 2015 us=120620 VERIFY EKU OK
Fri Jun 19 04:02:35 2015 us=120620 VERIFY OK: depth=0, CN=myHostname
Fri Jun 19 04:02:37 2015 us=918780 NOTE: Options consistency check may be skewed by version differences
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1590'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1532'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
Fri Jun 19 04:02:37 2015 us=918780 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 19 04:02:37 2015 us=918780 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:37 2015 us=918780 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 19 04:02:37 2015 us=918780 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 19 04:02:37 2015 us=918780 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Jun 19 04:02:37 2015 us=918780 [myHostname] Peer Connection Initiated with [AF_INET]myServerIP:443
Fri Jun 19 04:02:39 2015 us=117848 MANAGEMENT: >STATE:1434679359,GET_CONFIG,,,
Fri Jun 19 04:02:40 2015 us=316917 SENT CONTROL [myHostname]: 'PUSH_REQUEST' (status=1)
Fri Jun 19 04:02:40 2015 us=733941 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.84.2,redirect-gateway def1,route-gateway 192.168.84.2,ping 10,ping-restart 120,ifconfig 192.168.84.47 255.255.255.0'
Fri Jun 19 04:02:40 2015 us=733941 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 19 04:02:40 2015 us=733941 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 19 04:02:40 2015 us=733941 OPTIONS IMPORT: route options modified
Fri Jun 19 04:02:40 2015 us=733941 OPTIONS IMPORT: route-related options modified
Fri Jun 19 04:02:40 2015 us=733941 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jun 19 04:02:40 2015 us=745941 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jun 19 04:02:40 2015 us=745941 MANAGEMENT: >STATE:1434679360,ASSIGN_IP,,192.168.84.47,
Fri Jun 19 04:02:40 2015 us=745941 open_tun, tt->ipv6=0
Fri Jun 19 04:02:40 2015 us=746941 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{6DDAB7C2-A589-43D6-96DA-63CC0B7432EA}.tap
Fri Jun 19 04:02:40 2015 us=746941 TAP-Windows Driver Version 9.21 
Fri Jun 19 04:02:40 2015 us=746941 TAP-Windows MTU=1500
Fri Jun 19 04:02:40 2015 us=748942 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.84.47/255.255.255.0 on interface {6DDAB7C2-A589-43D6-96DA-63CC0B7432EA} [DHCP-serv: 192.168.84.0, lease-time: 31536000]
Fri Jun 19 04:02:40 2015 us=748942 DHCP option string: 0604c0a8 5402
Fri Jun 19 04:02:40 2015 us=748942 Successful ARP Flush on interface [30] {6DDAB7C2-A589-43D6-96DA-63CC0B7432EA}
Fri Jun 19 04:02:45 2015 us=48187 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Fri Jun 19 04:02:45 2015 us=48187 C:\Windows\system32\route.exe ADD myServerIP MASK 255.255.255.255 192.168.43.1
Fri Jun 19 04:02:45 2015 us=50188 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Fri Jun 19 04:02:45 2015 us=50188 Route addition via IPAPI succeeded [adaptive]
Fri Jun 19 04:02:45 2015 us=50188 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.84.2
Fri Jun 19 04:02:45 2015 us=52188 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri Jun 19 04:02:45 2015 us=52188 Route addition via IPAPI succeeded [adaptive]
Fri Jun 19 04:02:45 2015 us=52188 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.84.2
Fri Jun 19 04:02:45 2015 us=53188 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri Jun 19 04:02:45 2015 us=53188 Route addition via IPAPI succeeded [adaptive]
Fri Jun 19 04:02:45 2015 us=53188 Initialization Sequence Completed
Fri Jun 19 04:02:45 2015 us=53188 MANAGEMENT: >STATE:1434679365,CONNECTED,SUCCESS,192.168.84.47,myServerIP

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Fri Jun 19, 2015 2:33 am

As I set verb 4, I got some funny "Warnings":

Code:

Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1590'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1532'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'

Do they tell me anything at all? And if so - what do they tell me?
Because they are simply not true (except the first one).

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Server-Client Config openwrt-router

Post by Traffic » Fri Jun 19, 2015 10:32 am

ssdnvv wrote: Sry for spamming, please forget the previous post
Don't worry about it .. at least your posts are suitably detailed 8-)

This is interesting:
ssdnvv wrote: Server log:
Code:
Fri Jun 19 04:02:08 2015 us=931054 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 7 2015
Fri Jun 19 04:02:08 2015 us=931405 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
ssdnvv wrote: Client log:
Code:
...
Fri Jun 19 04:02:30 2015 us=661365 OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun 8 2015
Fri Jun 19 04:02:30 2015 us=661365 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
which then throws this:
ssdnvv wrote: Client log:
Code:
...
Fri Jun 19 04:02:37 2015 us=918780 NOTE: Options consistency check may be skewed by version differences
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
On the face of it .. this suggests a bug in your server side software: OpenVPN 2.3.6 mips-openwrt-linux-gnu - If you read that other thread you will understand this is OpenWRT .. not true OpenVPN :geek:

I suggest you try running in tunnel-mode --dev tun not bridge-mode --dev tap to see if it is a related problem (if possible).
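
The warnings discussed in this thread can be triaged mechanically. The following is an added example, not part of the original posts and not OpenVPN project code: it separates warnings that follow from the peer advertising `version V0 UNDEF` from warnings that report a real per-option difference. It assumes that `V0 UNDEF` means the peer sent no usable options string; the function names are hypothetical, `THREAD_LOG` is copied from the client log above, and `MISMATCH_LOG` is constructed.

```python
import re
from collections import namedtuple

OccWarning = namedtuple("OccWarning", "option kind local remote")

RE_INCONSISTENT = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
RE_MISSING = re.compile(
    r"WARNING: '([^']+)' is present in (local|remote) config but missing in "
    r"(?:local|remote) config, (?:local|remote)='([^']*)'")
RE_EXPECTED = re.compile(r"Expected Remote Options String: '([^']*)'")

# Copied from the TAP-mode client log posted in the thread.
THREAD_LOG = """\
Fri Jun 19 04:02:32 2015 us=340461 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri Jun 19 04:02:37 2015 us=918780 NOTE: Options consistency check may be skewed by version differences
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1590'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1532'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Fri Jun 19 04:02:37 2015 us=918780 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
"""

# Constructed for contrast: the peer sent an options string, one option differs.
MISMATCH_LOG = """\
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
"""


def parse_warnings(log_text):
    """Extract option-consistency warnings from an OpenVPN log."""
    found = []
    for line in log_text.splitlines():
        m = RE_INCONSISTENT.search(line)
        if m:
            found.append(OccWarning(m.group(1), "inconsistent", m.group(2), m.group(3)))
            continue
        m = RE_MISSING.search(line)
        if m:
            option, side, value = m.groups()
            if side == "local":
                found.append(OccWarning(option, "missing_in_remote", value, None))
            else:
                found.append(OccWarning(option, "missing_in_local", None, value))
    return found


def expected_remote_options(log_text):
    """Map option name -> full option text from 'Expected Remote Options String'."""
    m = RE_EXPECTED.search(log_text)
    if not m:
        return {}
    items = m.group(1).split(",")
    options = {"version": "version " + items[0]}
    for item in items[1:]:
        options[item.split(" ", 1)[0]] = item
    return options


def triage(log_text):
    """Split warnings into those explained by an absent remote options string
    (assumption: signalled by remote='version V0 UNDEF') and genuine ones."""
    warnings = parse_warnings(log_text)
    expected = expected_remote_options(log_text)
    no_string = any(w.option == "version" and w.remote == "version V0 UNDEF"
                    for w in warnings)
    explained, genuine = [], []
    for w in warnings:
        if no_string and w.option == "version":
            explained.append(w.option)
        elif (no_string and w.kind == "missing_in_remote"
              and expected.get(w.option) == w.local):
            # The "local" value in the warning is the *expected remote* value
            # (note keydir 0 / tls-server on a client), so nothing was compared.
            explained.append(w.option)
        else:
            genuine.append(w.option)
    return {"remote_sent_no_options": no_string,
            "explained": explained, "genuine": genuine}


if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("constructed", MISMATCH_LOG)):
        print(name, triage(log))
```
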

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Tue Jun 23, 2015 11:17 pm

Well, that tells me that the openvpn client is not up to date. Just like the openwrt-version - by now, openssl is released in version 1.0.2c/1.0.1o.
The openwrt-version is compiled against its buildroot - so the given version is absolutely correct (based on openvpn version 2.3.6 source). Within this version there are two ways to use openVPN - the way that is presented in wiki.openwrt.org with custom syntax and commands (using the autostart-options via predefined scripts). Otherwise you can use it the "true openVPN" (as you call it) way by using the syntax

Code:

openvpn "/path/to/your/config/file".ovpn

I never would have found out if there hadn't been (for a reason I will perhaps never know) a bug in my environment that prevents openvpn from loading the openwrt-custom config-file. That way I had to dig way deeper into howtos...

But you are right - I will have to build my own packages as the given version is not what I want. Unfortunately my skills in linux/building packages are novice-like, so I have to walk some roads to reach my goals...

TUN-mode works just as well as TAP-mode:
Server-config:

Code:

tls-server

port 443
proto udp
dev tun

ca /etc/ssl/openvpn/ca.crt
cert /etc/ssl/openvpn/my-Hostname.crt
key /etc/ssl/openvpn/my-Hostname.key
dh /etc/ssl/openvpn/dh2048.pem
tls-auth /etc/ssl/openvpn/ta.key 0

cipher AES-256-CBC
comp-lzo adaptive
ifconfig-pool-persist /etc/openvpn/ipp-TUN.txt
status /etc/openvpn/TUN-status.log
log /etc/openvpn/TUN.log
verb 4
mute 20
keepalive 10 120
persist-key
persist-tun

server 11.0.1.0 255.255.255.0
push redirect-gateway
client-to-client

Client-config:

Code:

client

dev tun
proto udp
remote 	my-Hostname 443
resolv-retry infinite
nobind

persist-key
persist-tun 

mute-replay-warnings

ca ca.crt
cert MD1.crt
key MD1.key
tls-auth ta.key 1

remote-cert-tls server
cipher AES-256-CBC
verb 4
mute 20

keepalive 10 120

comp-lzo

Server-log:

Code:

Wed Jun 24 01:04:16 2015 us=236405 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May  7 2015
Wed Jun 24 01:04:16 2015 us=236760 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Wed Jun 24 01:04:16 2015 us=649816 Diffie-Hellman initialized with 2048 bit key
Wed Jun 24 01:04:16 2015 us=654035 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Wed Jun 24 01:04:16 2015 us=654316 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:04:16 2015 us=654536 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:04:16 2015 us=654796 TLS-Auth MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Jun 24 01:04:16 2015 us=655060 Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Jun 24 01:04:16 2015 us=658745 TUN/TAP device tun0 opened
Wed Jun 24 01:04:16 2015 us=659023 TUN/TAP TX queue length set to 100
Wed Jun 24 01:04:16 2015 us=659230 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 24 01:04:16 2015 us=659553 /sbin/ifconfig tun0 11.0.1.1 pointopoint 11.0.1.2 mtu 1500
Wed Jun 24 01:04:16 2015 us=675941 /sbin/route add -net 11.0.1.0 netmask 255.255.255.0 gw 11.0.1.2
Wed Jun 24 01:04:16 2015 us=692073 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 24 01:04:16 2015 us=692348 UDPv4 link local (bound): [undef]
Wed Jun 24 01:04:16 2015 us=692527 UDPv4 link remote: [undef]
Wed Jun 24 01:04:16 2015 us=692702 MULTI: multi_init called, r=256 v=256
Wed Jun 24 01:04:16 2015 us=693022 IFCONFIG POOL: base=11.0.1.4 size=62, ipv6=0
Wed Jun 24 01:04:16 2015 us=693254 ifconfig_pool_read(), in='MD1,11.0.1.4', TODO: IPv6
Wed Jun 24 01:04:16 2015 us=693434 succeeded -> ifconfig_pool_set()
Wed Jun 24 01:04:16 2015 us=693612 IFCONFIG POOL LIST
Wed Jun 24 01:04:16 2015 us=693788 MD1,11.0.1.4
Wed Jun 24 01:04:16 2015 us=694179 Initialization Sequence Completed
Wed Jun 24 01:06:36 2015 us=503641 MULTI: multi_create_instance called
Wed Jun 24 01:06:36 2015 us=504153 my-mobile-IP Re-using SSL/TLS context
Wed Jun 24 01:06:36 2015 us=504465 my-mobile-IP LZO compression initialized
Wed Jun 24 01:06:36 2015 us=505564 my-mobile-IP Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Jun 24 01:06:36 2015 us=505846 my-mobile-IP Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 24 01:06:36 2015 us=506252 my-mobile-IP TLS: Initial packet from [AF_INET]my-mobile-IP, sid=1870213b b9f2f7c0
Wed Jun 24 01:06:38 2015 us=379715 my-mobile-IP VERIFY OK: depth=1, CN=my-Hostname
Wed Jun 24 01:06:38 2015 us=383771 my-mobile-IP VERIFY OK: depth=0, CN=MD1
Wed Jun 24 01:06:39 2015 us=54193 my-mobile-IP Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 24 01:06:39 2015 us=54483 my-mobile-IP Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:06:39 2015 us=54698 my-mobile-IP Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 24 01:06:39 2015 us=54915 my-mobile-IP Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:06:39 2015 us=150856 my-mobile-IP Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jun 24 01:06:39 2015 us=151239 my-mobile-IP [MD1] Peer Connection Initiated with [AF_INET]my-mobile-IP
Wed Jun 24 01:06:39 2015 us=151611 MD1/my-mobile-IP MULTI_sva: pool returned IPv4=11.0.1.6, IPv6=(Not enabled)
Wed Jun 24 01:06:39 2015 us=152246 MD1/my-mobile-IP MULTI: Learn: 11.0.1.6 -> MD1/my-mobile-IP
Wed Jun 24 01:06:39 2015 us=152506 MD1/my-mobile-IP MULTI: primary virtual IP for MD1/my-mobile-IP: 11.0.1.6
Wed Jun 24 01:06:41 2015 us=462207 MD1/my-mobile-IP PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 24 01:06:41 2015 us=462470 MD1/my-mobile-IP send_push_reply(): safe_cap=940
Wed Jun 24 01:06:41 2015 us=463038 MD1/my-mobile-IP SENT CONTROL [MD1]: 'PUSH_REPLY,redirect-gateway,route 11.0.1.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 11.0.1.6 11.0.1.5' (status=1)

Client-log:

Code:

Wed Jun 24 01:06:37 2015 us=494288 Current Parameter Settings:
Wed Jun 24 01:06:37 2015 us=495288   config = 'Arbeit MD1 - TUN - rg.ovpn'
Wed Jun 24 01:06:37 2015 us=495288   mode = 0
Wed Jun 24 01:06:37 2015 us=495288   show_ciphers = DISABLED
Wed Jun 24 01:06:37 2015 us=495288   show_digests = DISABLED
Wed Jun 24 01:06:37 2015 us=495288   show_engines = DISABLED
Wed Jun 24 01:06:37 2015 us=495288   genkey = DISABLED
Wed Jun 24 01:06:37 2015 us=495288   key_pass_file = '[UNDEF]'
Wed Jun 24 01:06:37 2015 us=495288   show_tls_ciphers = DISABLED
Wed Jun 24 01:06:37 2015 us=495288 Connection profiles [default]:
Wed Jun 24 01:06:37 2015 us=495288   proto = udp
Wed Jun 24 01:06:37 2015 us=495288   local = '[UNDEF]'
Wed Jun 24 01:06:37 2015 us=495288   local_port = 0
Wed Jun 24 01:06:37 2015 us=495288   remote = 'my-Hostname'
Wed Jun 24 01:06:37 2015 us=495288   remote_port = 443
Wed Jun 24 01:06:37 2015 us=495288   remote_float = DISABLED
Wed Jun 24 01:06:37 2015 us=495288   bind_defined = DISABLED
Wed Jun 24 01:06:37 2015 us=495288   bind_local = DISABLED
Wed Jun 24 01:06:37 2015 us=495288   connect_retry_seconds = 5
Wed Jun 24 01:06:37 2015 us=495288   connect_timeout = 10
Wed Jun 24 01:06:37 2015 us=495288 NOTE: --mute triggered...
Wed Jun 24 01:06:37 2015 us=495288 265 variation(s) on previous 20 message(s) suppressed by --mute
Wed Jun 24 01:06:37 2015 us=495288 OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  8 2015
Wed Jun 24 01:06:37 2015 us=495288 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Enter Management Password:
Wed Jun 24 01:06:37 2015 us=495288 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Wed Jun 24 01:06:37 2015 us=495288 Need hold release from management interface, waiting...
Wed Jun 24 01:06:37 2015 us=981316 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Wed Jun 24 01:06:38 2015 us=81321 MANAGEMENT: CMD 'state on'
Wed Jun 24 01:06:38 2015 us=81321 MANAGEMENT: CMD 'log all on'
Wed Jun 24 01:06:38 2015 us=95322 MANAGEMENT: CMD 'hold off'
Wed Jun 24 01:06:38 2015 us=96322 MANAGEMENT: CMD 'hold release'
Wed Jun 24 01:06:38 2015 us=194328 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Jun 24 01:06:38 2015 us=194328 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:06:38 2015 us=194328 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:06:38 2015 us=194328 LZO compression initialized
Wed Jun 24 01:06:38 2015 us=194328 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
Wed Jun 24 01:06:38 2015 us=194328 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 24 01:06:38 2015 us=194328 MANAGEMENT: >STATE:1435100798,RESOLVE,,,
Wed Jun 24 01:06:38 2015 us=307334 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Wed Jun 24 01:06:38 2015 us=307334 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Wed Jun 24 01:06:38 2015 us=307334 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Wed Jun 24 01:06:38 2015 us=307334 Local Options hash (VER=V4): '9e7066d2'
Wed Jun 24 01:06:38 2015 us=307334 Expected Remote Options hash (VER=V4): '162b04de'
Wed Jun 24 01:06:38 2015 us=307334 UDPv4 link local: [undef]
Wed Jun 24 01:06:38 2015 us=307334 UDPv4 link remote: [AF_INET]my-Server-IP:443
Wed Jun 24 01:06:38 2015 us=307334 MANAGEMENT: >STATE:1435100798,WAIT,,,
Wed Jun 24 01:06:38 2015 us=406340 MANAGEMENT: >STATE:1435100798,AUTH,,,
Wed Jun 24 01:06:38 2015 us=406340 TLS: Initial packet from [AF_INET]my-Server-IP:443, sid=3b70a19b 12de11c8
Wed Jun 24 01:06:39 2015 us=588407 VERIFY OK: depth=1, CN=my-Hostname
Wed Jun 24 01:06:39 2015 us=588407 Validating certificate key usage
Wed Jun 24 01:06:39 2015 us=588407 ++ Certificate has key usage  00a0, expects 00a0
Wed Jun 24 01:06:39 2015 us=588407 VERIFY KU OK
Wed Jun 24 01:06:39 2015 us=588407 Validating certificate extended key usage
Wed Jun 24 01:06:39 2015 us=588407 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun 24 01:06:39 2015 us=588407 VERIFY EKU OK
Wed Jun 24 01:06:39 2015 us=588407 VERIFY OK: depth=0, CN=my-Hostname
Wed Jun 24 01:06:40 2015 us=956486 NOTE: Options consistency check may be skewed by version differences
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1558'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
Wed Jun 24 01:06:40 2015 us=956486 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 24 01:06:40 2015 us=956486 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:06:40 2015 us=956486 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 24 01:06:40 2015 us=956486 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:06:40 2015 us=956486 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jun 24 01:06:40 2015 us=957486 [my-Hostname] Peer Connection Initiated with [AF_INET]my-Server-IP:443
Wed Jun 24 01:06:42 2015 us=102551 MANAGEMENT: >STATE:1435100802,GET_CONFIG,,,
Wed Jun 24 01:06:43 2015 us=247617 SENT CONTROL [my-Hostname]: 'PUSH_REQUEST' (status=1)
Wed Jun 24 01:06:43 2015 us=366624 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route 11.0.1.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 11.0.1.6 11.0.1.5'
Wed Jun 24 01:06:43 2015 us=366624 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 24 01:06:43 2015 us=366624 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 24 01:06:43 2015 us=366624 OPTIONS IMPORT: route options modified
Wed Jun 24 01:06:43 2015 us=378624 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 24 01:06:43 2015 us=378624 MANAGEMENT: >STATE:1435100803,ASSIGN_IP,,11.0.1.6,
Wed Jun 24 01:06:43 2015 us=378624 open_tun, tt->ipv6=0
Wed Jun 24 01:06:43 2015 us=379624 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{6DDAB7C2-A589-43D6-96DA-63CC0B7432EA}.tap
Wed Jun 24 01:06:43 2015 us=379624 TAP-Windows Driver Version 9.21 
Wed Jun 24 01:06:43 2015 us=379624 TAP-Windows MTU=1500
Wed Jun 24 01:06:43 2015 us=380624 Notified TAP-Windows driver to set a DHCP IP/netmask of 11.0.1.6/255.255.255.252 on interface {6DDAB7C2-A589-43D6-96DA-63CC0B7432EA} [DHCP-serv: 11.0.1.5, lease-time: 31536000]
Wed Jun 24 01:06:43 2015 us=381624 Successful ARP Flush on interface [27] {6DDAB7C2-A589-43D6-96DA-63CC0B7432EA}
Wed Jun 24 01:06:48 2015 us=575921 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 24 01:06:48 2015 us=575921 C:\Windows\system32\route.exe ADD my-Server-IP MASK 255.255.255.255 192.168.43.1
Wed Jun 24 01:06:48 2015 us=577922 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Jun 24 01:06:48 2015 us=577922 Route addition via IPAPI succeeded [adaptive]
Wed Jun 24 01:06:48 2015 us=577922 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.43.1
Wed Jun 24 01:06:48 2015 us=579922 Route deletion via IPAPI succeeded [adaptive]
Wed Jun 24 01:06:48 2015 us=579922 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 11.0.1.5
Wed Jun 24 01:06:48 2015 us=580922 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jun 24 01:06:48 2015 us=580922 Route addition via IPAPI succeeded [adaptive]
Wed Jun 24 01:06:48 2015 us=580922 MANAGEMENT: >STATE:1435100808,ADD_ROUTES,,,
Wed Jun 24 01:06:48 2015 us=580922 C:\Windows\system32\route.exe ADD 11.0.1.0 MASK 255.255.255.0 11.0.1.5
Wed Jun 24 01:06:48 2015 us=582922 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Jun 24 01:06:48 2015 us=582922 Route addition via IPAPI succeeded [adaptive]
Wed Jun 24 01:06:48 2015 us=582922 Initialization Sequence Completed
Wed Jun 24 01:06:48 2015 us=582922 MANAGEMENT: >STATE:1435100808,CONNECTED,SUCCESS,11.0.1.6,my-Server-IP
Wed Jun 24 01:07:00 2015 us=104581 TCP/UDP: Closing socket
Wed Jun 24 01:07:00 2015 us=105581 C:\Windows\system32\route.exe DELETE 11.0.1.0 MASK 255.255.255.0 11.0.1.5
Wed Jun 24 01:07:00 2015 us=106581 Route deletion via IPAPI succeeded [adaptive]
Wed Jun 24 01:07:00 2015 us=106581 C:\Windows\system32\route.exe DELETE my-Server-IP MASK 255.255.255.255 192.168.43.1
Wed Jun 24 01:07:00 2015 us=108581 Route deletion via IPAPI succeeded [adaptive]
Wed Jun 24 01:07:00 2015 us=108581 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 11.0.1.5
Wed Jun 24 01:07:00 2015 us=110581 Route deletion via IPAPI succeeded [adaptive]
Wed Jun 24 01:07:00 2015 us=110581 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.43.1
Wed Jun 24 01:07:00 2015 us=111581 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Jun 24 01:07:00 2015 us=111581 Route addition via IPAPI succeeded [adaptive]
Wed Jun 24 01:07:00 2015 us=111581 Closing TUN/TAP interface
Wed Jun 24 01:07:00 2015 us=111581 SIGTERM[hard,] received, process exiting
Wed Jun 24 01:07:00 2015 us=111581 MANAGEMENT: >STATE:1435100820,EXITING,SIGTERM,,

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Wed Jun 24, 2015 12:23 am

So these WARNINGS persist.

Code: Select all

{0.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
{1.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
{2.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1558'
{3.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
{4.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
{5.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
{6.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
{7.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
{8.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
{9.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
{10.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
{11.} Wed Jun 24 01:06:40 2015 us=956486 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'

In order to hunt them down:
0. Has already been discussed.
1./4./5./6./11. 'dev-type tun'/'comp-lzo'/'keydir'/'cipher'/'tls-server' have each been defined both in server- and client-config.
2./3./8./10. 'link-mtu'/'tun-mtu'/'keysize'/'key-method' have been defined neither in server- nor client-config. 'key-method' is defined equally in both default configurations as 'key-method 2'.
7./9. According to the openvpn manual, "In static-key encryption mode, the HMAC key is included in the key file generated by --genkey". I use this option neither in server- nor client-config; I use 'tls-auth' instead.

So for all warnings the question: Why do these messages appear here? Or did I understand you wrong, and you intended to tell me the problem lies within the different versions, or rather within the fact that the "true" local openvpn cannot define the version of the remote openwrt-openvpn?

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Wed Jun 24, 2015 1:18 am

Windows connection succeeds, but Android connection fails, I get the message
"OpenVPN server certificate verification failed: PolarSSL: SSL read error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed"
Server and client configs are the same as above.
Server log:

Code: Select all

Wed Jun 24 01:04:16 2015 us=236405 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May  7 2015
Wed Jun 24 01:04:16 2015 us=236760 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Wed Jun 24 01:04:16 2015 us=649816 Diffie-Hellman initialized with 2048 bit key
Wed Jun 24 01:04:16 2015 us=654035 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Wed Jun 24 01:04:16 2015 us=654316 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:04:16 2015 us=654536 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 24 01:04:16 2015 us=654796 TLS-Auth MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Jun 24 01:04:16 2015 us=655060 Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Jun 24 01:04:16 2015 us=658745 TUN/TAP device tun0 opened
Wed Jun 24 01:04:16 2015 us=659023 TUN/TAP TX queue length set to 100
Wed Jun 24 01:04:16 2015 us=659230 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 24 01:04:16 2015 us=659553 /sbin/ifconfig tun0 11.0.1.1 pointopoint 11.0.1.2 mtu 1500
Wed Jun 24 01:04:16 2015 us=675941 /sbin/route add -net 11.0.1.0 netmask 255.255.255.0 gw 11.0.1.2
Wed Jun 24 01:04:16 2015 us=692073 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 24 01:04:16 2015 us=692348 UDPv4 link local (bound): [undef]
Wed Jun 24 01:04:16 2015 us=692527 UDPv4 link remote: [undef]
Wed Jun 24 01:04:16 2015 us=692702 MULTI: multi_init called, r=256 v=256
Wed Jun 24 01:04:16 2015 us=693022 IFCONFIG POOL: base=11.0.1.4 size=62, ipv6=0
Wed Jun 24 01:04:16 2015 us=693254 ifconfig_pool_read(), in='MD1,11.0.1.4', TODO: IPv6
Wed Jun 24 01:04:16 2015 us=693434 succeeded -> ifconfig_pool_set()
Wed Jun 24 01:04:16 2015 us=693612 IFCONFIG POOL LIST
Wed Jun 24 01:04:16 2015 us=693788 MD1,11.0.1.4
Wed Jun 24 01:04:16 2015 us=694179 Initialization Sequence Completed
Wed Jun 24 02:32:37 2015 us=866665 MULTI: multi_create_instance called
Wed Jun 24 02:32:37 2015 us=867150 my-mobile-IP Re-using SSL/TLS context
Wed Jun 24 02:32:37 2015 us=867379 my-mobile-IP LZO compression initialized
Wed Jun 24 02:32:37 2015 us=868171 my-mobile-IP Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Jun 24 02:32:37 2015 us=868915 my-mobile-IP Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 24 02:32:37 2015 us=869306 my-mobile-IP TLS: Initial packet from [AF_INET]my-mobile-IP, sid=f63c0e97 e8d1d7ec
Wed Jun 24 02:33:37 2015 us=748389 my-mobile-IP TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jun 24 02:33:37 2015 us=748656 my-mobile-IP TLS Error: TLS handshake failed
Wed Jun 24 02:33:37 2015 us=749426 my-mobile-IP SIGUSR1[soft,tls-error] received, client-instance restarting

Client log:
[three images]
Unfortunately I cannot c&p the logfile of openvpn connect-app. How can this be done?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Server-Client Config openwrt-router

Post by Traffic » Wed Jun 24, 2015 10:05 am

What version of openwrt are you using: AA/BB/CC?

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Wed Jun 24, 2015 8:13 pm

I'm running CC (rc-1).

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Thu Jun 25, 2015 1:32 am

I tried again (rebuilt every cert/key/etc...) and inlined them into the client config - and suddenly it works:

Server-config:

Code: Select all

tls-server

port 443
proto udp
dev tun

ca /etc/ssl/openvpn/ca.crt
cert /etc/ssl/openvpn/my-Hostname.crt
key /etc/ssl/openvpn/my-Hostname.key
dh /etc/ssl/openvpn/dh2048.pem
tls-auth /etc/ssl/openvpn/ta.key 0

cipher AES-256-CBC
comp-lzo adaptive
ifconfig-pool-persist /etc/openvpn/ipp-TUN.txt
status /etc/openvpn/TUN-status.log
log /etc/openvpn/TUN.log
verb 4
mute 20
keepalive 10 120
persist-key
persist-tun

server 11.0.1.0 255.255.255.0
push redirect-gateway
client-to-client

Client-config:

Code: Select all

client

dev tun
proto udp
remote 	my-Hostname 443
resolv-retry infinite
nobind

persist-key
persist-tun 

mute-replay-warnings

key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
[ca.cert]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[client.cert]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[client.key]
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[ta.key]
-----END OpenVPN Static key V1-----
</tls-auth>

remote-cert-tls server
cipher AES-256-CBC
verb 4
mute 20

keepalive 10 120

comp-lzo

Server-log:

Code: Select all

Thu Jun 25 02:07:36 2015 us=69184 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May  7 2015
Thu Jun 25 02:07:36 2015 us=69649 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Thu Jun 25 02:07:36 2015 us=431772 Diffie-Hellman initialized with 2048 bit key
Thu Jun 25 02:07:36 2015 us=437447 Control Channel Authentication: using '/etc/ssl/openvpn/ta.key' as a OpenVPN static key file
Thu Jun 25 02:07:36 2015 us=437736 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 02:07:36 2015 us=437940 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 02:07:36 2015 us=438192 TLS-Auth MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Jun 25 02:07:36 2015 us=438443 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jun 25 02:07:36 2015 us=442344 TUN/TAP device tun0 opened
Thu Jun 25 02:07:36 2015 us=442624 TUN/TAP TX queue length set to 100
Thu Jun 25 02:07:36 2015 us=442829 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun 25 02:07:36 2015 us=443150 /sbin/ifconfig tun0 11.0.1.1 pointopoint 11.0.1.2 mtu 1500
Thu Jun 25 02:07:36 2015 us=456400 /sbin/route add -net 11.0.1.0 netmask 255.255.255.0 gw 11.0.1.2
Thu Jun 25 02:07:36 2015 us=472191 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 25 02:07:36 2015 us=472473 UDPv4 link local (bound): [undef]
Thu Jun 25 02:07:36 2015 us=472656 UDPv4 link remote: [undef]
Thu Jun 25 02:07:36 2015 us=472828 MULTI: multi_init called, r=256 v=256
Thu Jun 25 02:07:36 2015 us=473245 IFCONFIG POOL: base=11.0.1.4 size=62, ipv6=0
Thu Jun 25 02:07:36 2015 us=473500 ifconfig_pool_read(), in='MD1,11.0.1.4', TODO: IPv6
Thu Jun 25 02:07:36 2015 us=473678 succeeded -> ifconfig_pool_set()
Thu Jun 25 02:07:36 2015 us=473846 ifconfig_pool_read(), in='MD5,11.0.1.8', TODO: IPv6
Thu Jun 25 02:07:36 2015 us=474016 succeeded -> ifconfig_pool_set()
Thu Jun 25 02:07:36 2015 us=474188 ifconfig_pool_read(), in='MD4,11.0.1.12', TODO: IPv6
Thu Jun 25 02:07:36 2015 us=474356 succeeded -> ifconfig_pool_set()
Thu Jun 25 02:07:36 2015 us=474529 IFCONFIG POOL LIST
Thu Jun 25 02:07:36 2015 us=474702 MD1,11.0.1.4
Thu Jun 25 02:07:36 2015 us=474868 MD5,11.0.1.8
Thu Jun 25 02:07:36 2015 us=475032 MD4,11.0.1.12
Thu Jun 25 02:07:36 2015 us=475390 Initialization Sequence Completed
Thu Jun 25 02:10:07 2015 us=834733 MULTI: multi_create_instance called
Thu Jun 25 02:10:07 2015 us=835261 my-mobile-IP:22642 Re-using SSL/TLS context
Thu Jun 25 02:10:07 2015 us=835572 my-mobile-IP:22642 LZO compression initialized
Thu Jun 25 02:10:07 2015 us=836779 my-mobile-IP:22642 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Jun 25 02:10:07 2015 us=837071 my-mobile-IP:22642 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 25 02:10:07 2015 us=837474 my-mobile-IP:22642 TLS: Initial packet from [AF_INET]my-mobile-IP:22642, sid=9c61cd31 6a17d75b
Thu Jun 25 02:10:09 2015 us=782472 my-mobile-IP:22642 VERIFY OK: depth=1, C=DE, L=KH, O=Patrick&Isa, OU=Wohnung, CN=my-Hostname, name=my-Hostname, emailAddress=webmaster@patrick-wagner.de
Thu Jun 25 02:10:09 2015 us=787164 my-mobile-IP:22642 VERIFY OK: depth=0, C=DE, L=KH, O=Patrick&Isa, OU=Wohnung, CN=MD4, name=MD4, emailAddress=webmaster@patrick-wagner.de
Thu Jun 25 02:10:10 2015 us=283348 my-mobile-IP:22642 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jun 25 02:10:10 2015 us=283629 my-mobile-IP:22642 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 02:10:10 2015 us=283831 my-mobile-IP:22642 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jun 25 02:10:10 2015 us=284038 my-mobile-IP:22642 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 02:10:10 2015 us=370472 my-mobile-IP:22642 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Jun 25 02:10:10 2015 us=370864 my-mobile-IP:22642 [MD4] Peer Connection Initiated with [AF_INET]my-mobile-IP:22642
Thu Jun 25 02:10:10 2015 us=371316 MD4/my-mobile-IP:22642 MULTI_sva: pool returned IPv4=11.0.1.14, IPv6=(Not enabled)
Thu Jun 25 02:10:10 2015 us=371960 MD4/my-mobile-IP:22642 MULTI: Learn: 11.0.1.14 -> MD4/my-mobile-IP:22642
Thu Jun 25 02:10:10 2015 us=372173 MD4/my-mobile-IP:22642 MULTI: primary virtual IP for MD4/my-mobile-IP:22642: 11.0.1.14
Thu Jun 25 02:10:10 2015 us=377181 MD4/my-mobile-IP:22642 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jun 25 02:10:10 2015 us=377415 MD4/my-mobile-IP:22642 send_push_reply(): safe_cap=940
Thu Jun 25 02:10:10 2015 us=377892 MD4/my-mobile-IP:22642 SENT CONTROL [MD4]: 'PUSH_REPLY,redirect-gateway,route 11.0.1.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 11.0.1.14 11.0.1.13' (status=1)
Thu Jun 25 02:10:26 2015 us=496373 MD4/my-mobile-IP:22642 MULTI: bad source address from client [10.207.9.114], packet dropped
Thu Jun 25 02:10:26 2015 us=745941 MD4/my-mobile-IP:22642 MULTI: bad source address from client [10.207.9.114], packet dropped
Thu Jun 25 02:10:27 2015 us=285821 MD4/my-mobile-IP:22642 MULTI: bad source address from client [10.207.9.114], packet dropped
Thu Jun 25 02:10:28 2015 us=366021 MD4/my-mobile-IP:22642 MULTI: bad source address from client [10.207.9.114], packet dropped
Thu Jun 25 02:10:30 2015 us=536175 MD4/my-mobile-IP:22642 MULTI: bad source address from client [10.207.9.114], packet dropped
Thu Jun 25 02:10:34 2015 us=677522 MD4/my-mobile-IP:22642 MULTI: bad source address from client [10.207.9.114], packet dropped
Thu Jun 25 02:10:34 2015 us=846423 MD4/my-mobile-IP:22642 MULTI: bad source address from client [10.207.9.114], packet dropped
Thu Jun 25 02:10:37 2015 us=554828 MD4/my-mobile-IP:22642 IP packet with unknown IP version=2 seen

Client-log:
I'll hand this in as soon as I know how to export the log-file.
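
The move from file references to inline blocks described in the post above, as an added example that is not part of the original post or of OpenVPN itself. It rewrites `ca`/`cert`/`key`/`tls-auth` file directives into inline blocks, turns the `tls-auth` direction argument into `key-direction`, and writes the result owner-readable only because it now embeds the private key; the function names and the placeholder file contents are assumptions of this example.

```python
import os

# Directives whose file argument can be replaced by an inline <tag> block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")

# Client config with file references, as posted earlier in this thread.
SAMPLE_CLIENT = """\
client
dev tun
proto udp
remote my-Hostname 443
nobind
persist-key
persist-tun
ca ca.crt
cert MD1.crt
key MD1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
"""

# Constructed placeholder contents; real files hold PEM / static-key data.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\n[ca.cert]\n-----END CERTIFICATE-----\n",
    "MD1.crt": "-----BEGIN CERTIFICATE-----\n[client.cert]\n-----END CERTIFICATE-----\n",
    "MD1.key": "-----BEGIN PRIVATE KEY-----\n[client.key]\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n[ta.key]\n"
              "-----END OpenVPN Static key V1-----\n",
}


def inline_config(config_text, files):
    """Return config_text with file directives replaced by inline blocks.

    files maps each file name, exactly as written in the config, to its text.
    """
    body, blocks = [], []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINE_DIRECTIVES:
            name, path = parts[0], parts[1]
            if path not in files:
                raise KeyError("no content supplied for %s %s" % (name, path))
            if name == "tls-auth" and len(parts) >= 3:
                # An inline <tls-auth> block cannot carry the direction
                # argument, so it becomes a separate key-direction line.
                if parts[2] not in ("0", "1"):
                    raise ValueError("unexpected tls-auth direction: " + parts[2])
                body.append("key-direction " + parts[2])
            blocks.append("<%s>\n%s\n</%s>" % (name, files[path].strip(), name))
        else:
            body.append(line)
    return "\n".join(body + blocks) + "\n"


def write_private(path, text):
    """Write the profile readable by its owner only (it embeds the key)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        fh.write(text)


if __name__ == "__main__":
    print(inline_config(SAMPLE_CLIENT, SAMPLE_FILES))
```
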

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Server-Client Config openwrt-router

Post by Traffic » Thu Jun 25, 2015 10:47 am

Just so you know ..

I have replicated this problem and believe it is an OpenWRT Bug.

Server:
  • Hostname OpenWrt-CC
    Model Intel(R) Pentium(R) 4 CPU 3.20GHz
    Firmware Version OpenWrt Chaos Calmer 15.05-rc2 / LuCI Master (git-15.146.54948-a497fba)
    Kernel Version 3.18.14

    OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 3 2015
    Thu Jun 25 11:19:37 2015 us=423380 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Client:
  • OpenVPN 2.3_git Release 2.3.7 [git:master/60fd44e501f20024+] i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Jun 8 2015
    Thu Jun 25 11:21:54 2015 us=192136 library versions: OpenSSL 1.0.2c 12 Jun 2015, LZO 2.09
Server log:
Thu Jun 25 11:40:03 2015 us=484204 OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 3 2015
Thu Jun 25 11:40:03 2015 us=484343 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Thu Jun 25 11:40:03 2015 us=612788 Diffie-Hellman initialized with 2048 bit key
Thu Jun 25 11:40:03 2015 us=614843 Control Channel Authentication: using '/etc/openvpn/tuns_36323u/PKI/ta.key' as a OpenVPN static key file
Thu Jun 25 11:40:03 2015 us=614994 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:03 2015 us=615089 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:03 2015 us=615199 TLS-Auth MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Jun 25 11:40:03 2015 us=615373 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jun 25 11:40:03 2015 us=625764 TUN/TAP device tun36 opened
Thu Jun 25 11:40:03 2015 us=625962 TUN/TAP TX queue length set to 100
Thu Jun 25 11:40:03 2015 us=626077 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun 25 11:40:03 2015 us=626531 /sbin/ifconfig tun36 10.36.3.1 netmask 255.255.255.0 mtu 1500 broadcast 10.36.3.255
Thu Jun 25 11:40:03 2015 us=682257 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Jun 25 11:40:03 2015 us=682432 UDPv4 link local (bound): [undef]
Thu Jun 25 11:40:03 2015 us=682482 UDPv4 link remote: [undef]
Thu Jun 25 11:40:03 2015 us=682563 MULTI: multi_init called, r=256 v=256
Thu Jun 25 11:40:03 2015 us=682782 IFCONFIG POOL: base=10.36.3.2 size=252, ipv6=0
Thu Jun 25 11:40:03 2015 us=682940 Initialization Sequence Completed
Thu Jun 25 11:40:14 2015 us=978461 MULTI: multi_create_instance called
Thu Jun 25 11:40:14 2015 us=978850 ???.???.???.199:54565 Re-using SSL/TLS context
Thu Jun 25 11:40:14 2015 us=980120 ???.???.???.199:54565 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Jun 25 11:40:14 2015 us=980231 ???.???.???.199:54565 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Jun 25 11:40:14 2015 us=980387 ???.???.???.199:54565 TLS: Initial packet from [AF_INET]???.???.???.199:54565, sid=8d028093 87e98b7f
Thu Jun 25 11:40:15 2015 us=341748 ???.???.???.199:54565 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funstone, OU=MyOrganizationalUnit, CN=owrt-cc-serv01, name=owrt-cc-serv01, emailAddress=me@myhost.mydomain
Thu Jun 25 11:40:15 2015 us=343620 ???.???.???.199:54565 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funstone, OU=MyOrganizationalUnit, CN=owrt-cc-clnt01, name=owrt-cc-clnt01, emailAddress=me@myhost.mydomain
Thu Jun 25 11:40:15 2015 us=458593 ???.???.???.199:54565 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 25 11:40:15 2015 us=458708 ???.???.???.199:54565 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:15 2015 us=458794 ???.???.???.199:54565 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 25 11:40:15 2015 us=458844 ???.???.???.199:54565 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:15 2015 us=474302 ???.???.???.199:54565 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Jun 25 11:40:15 2015 us=474781 ???.???.???.199:54565 [owrt-cc-clnt01] Peer Connection Initiated with [AF_INET]???.???.???.199:54565
Thu Jun 25 11:40:15 2015 us=474960 owrt-cc-clnt01/???.???.???.199:54565 MULTI_sva: pool returned IPv4=10.36.3.2, IPv6=(Not enabled)
Thu Jun 25 11:40:15 2015 us=475132 owrt-cc-clnt01/???.???.???.199:54565 MULTI: Learn: 10.36.3.2 -> owrt-cc-clnt01/???.???.???.199:54565
Thu Jun 25 11:40:15 2015 us=475209 owrt-cc-clnt01/???.???.???.199:54565 MULTI: primary virtual IP for owrt-cc-clnt01/???.???.???.199:54565: 10.36.3.2
Thu Jun 25 11:40:17 2015 us=684973 owrt-cc-clnt01/???.???.???.199:54565 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jun 25 11:40:17 2015 us=685124 owrt-cc-clnt01/???.???.???.199:54565 send_push_reply(): safe_cap=940
Thu Jun 25 11:40:17 2015 us=685235 owrt-cc-clnt01/???.???.???.199:54565 SENT CONTROL [owrt-cc-clnt01]: 'PUSH_REPLY,topology subnet,route-gateway 10.36.3.1,topology subnet,ping 10,ping-restart 30,ifconfig 10.36.3.2 255.255.255.0' (status=1)
All in order ..


Client log:
Thu Jun 25 11:40:15 2015 us=710871 OpenVPN 2.3_git 20150608 Release 2.3.7 [git:master/60fd44e501f20024+] i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Jun 8 2015
Thu Jun 25 11:40:15 2015 us=711082 library versions: OpenSSL 1.0.2c 12 Jun 2015, LZO 2.09
Thu Jun 25 11:40:15 2015 us=731802 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:36323
Thu Jun 25 11:40:15 2015 us=741241 Control Channel Authentication: using '/etc/openvpn/tunc_36323u/PKI/ta.key' as a OpenVPN static key file
Thu Jun 25 11:40:15 2015 us=741472 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:15 2015 us=741546 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:15 2015 us=742808 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:3 ]
Thu Jun 25 11:40:15 2015 us=743939 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
Thu Jun 25 11:40:15 2015 us=744127 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Jun 25 11:40:15 2015 us=744385 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Jun 25 11:40:15 2015 us=744478 TCP/UDP: Preserving recently used remote address: [AF_INET]???.???.???.23:36323
Thu Jun 25 11:40:15 2015 us=744640 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jun 25 11:40:15 2015 us=744719 UDP link local: (not bound)
Thu Jun 25 11:40:15 2015 us=744788 UDP link remote: [AF_INET]???.???.???.23:36323
Thu Jun 25 11:40:15 2015 us=752676 TLS: Initial packet from [AF_INET]???.???.???.23:36323, sid=e08f32f4 d32dd583
Thu Jun 25 11:40:15 2015 us=942366 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funstone, OU=MyOrganizationalUnit, CN=owrt-cc-serv01, name=owrt-cc-serv01, emailAddress=me@myhost.mydomain
Thu Jun 25 11:40:15 2015 us=943283 Validating certificate key usage
Thu Jun 25 11:40:15 2015 us=943397 ++ Certificate has key usage 00a0, expects 00a0
Thu Jun 25 11:40:15 2015 us=943531 VERIFY KU OK
Thu Jun 25 11:40:15 2015 us=943611 Validating certificate extended key usage
Thu Jun 25 11:40:15 2015 us=943682 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jun 25 11:40:15 2015 us=943962 VERIFY EKU OK
Thu Jun 25 11:40:15 2015 us=944032 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funstone, OU=MyOrganizationalUnit, CN=owrt-cc-serv01, name=owrt-cc-serv01, emailAddress=me@myhost.mydomain
Thu Jun 25 11:40:16 2015 us=231323 NOTE: Options consistency check may be skewed by version differences
Thu Jun 25 11:40:16 2015 us=236558 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Thu Jun 25 11:40:16 2015 us=236715 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Thu Jun 25 11:40:16 2015 us=236800 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1541'
Thu Jun 25 11:40:16 2015 us=236872 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Thu Jun 25 11:40:16 2015 us=236941 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Thu Jun 25 11:40:16 2015 us=237010 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Thu Jun 25 11:40:16 2015 us=237079 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Thu Jun 25 11:40:16 2015 us=237148 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Thu Jun 25 11:40:16 2015 us=237217 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Thu Jun 25 11:40:16 2015 us=242631 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Thu Jun 25 11:40:16 2015 us=242830 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'

Thu Jun 25 11:40:16 2015 us=243306 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 25 11:40:16 2015 us=243414 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:16 2015 us=243521 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 25 11:40:16 2015 us=243590 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 11:40:16 2015 us=243843 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Jun 25 11:40:16 2015 us=244607 [owrt-cc-serv01] Peer Connection Initiated with [AF_INET]???.???.???.23:36323
Thu Jun 25 11:40:18 2015 us=453862 SENT CONTROL [owrt-cc-serv01]: 'PUSH_REQUEST' (status=1)
Thu Jun 25 11:40:18 2015 us=459118 PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.36.3.1,topology subnet,ping 10,ping-restart 30,ifconfig 10.36.3.2 255.255.255.0'
Thu Jun 25 11:40:18 2015 us=459969 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 25 11:40:18 2015 us=460155 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 25 11:40:18 2015 us=460243 OPTIONS IMPORT: route-related options modified
Thu Jun 25 11:40:18 2015 us=468264 TUN/TAP device tun36 opened
Thu Jun 25 11:40:18 2015 us=468507 TUN/TAP TX queue length set to 100
Thu Jun 25 11:40:18 2015 us=468622 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun 25 11:40:18 2015 us=468741 /usr/bin/ifconfig tun36 10.36.3.2 netmask 255.255.255.0 mtu 1500 broadcast 10.36.3.255
Thu Jun 25 11:40:18 2015 us=531630 Initialization Sequence Completed
This error is not present in either OpenWRT-AA or BB ...
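
A triage of the options-consistency warnings in the client log above, as an added example that is not part of the original post and not OpenVPN's own code. It separates the pattern seen in this thread (remote version `V0 UNDEF` and every compared option reported missing) from a genuine per-option mismatch; the verdict names, the threshold and the second sample log are assumptions of this example.

```python
import re

# Excerpt of the replicated client log above (timestamps shortened).
SAMPLE_BLANKET = """\
us=744385 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
us=236558 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
us=236715 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
us=236800 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1541'
us=236872 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
us=236941 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
us=237010 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
us=237079 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
us=237148 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
us=237217 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
us=242631 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
us=242830 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
"""

# Constructed contrast case: the two sides really disagree on the cipher.
SAMPLE_MISMATCH = """\
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
"""

EXPECTED_RE = re.compile(r"Expected Remote Options String \(VER=\w+\): '([^']*)'")
MISSING_RE = re.compile(
    r"WARNING: '([^']+)' is present in (local|remote) config "
    r"but missing in (?:local|remote) config")
INCONSISTENT_RE = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")


def parse(log_text):
    """Collect expected option names and the warnings raised about them."""
    expected, missing_remote, missing_local, inconsistent = [], set(), set(), {}
    for line in log_text.splitlines():
        m = EXPECTED_RE.search(line)
        if m:
            # First token is the version tag (V4); the rest are "name [value]".
            expected = [tok.split(" ", 1)[0] for tok in m.group(1).split(",")[1:]]
            continue
        m = MISSING_RE.search(line)
        if m:
            target = missing_remote if m.group(2) == "local" else missing_local
            target.add(m.group(1))
            continue
        m = INCONSISTENT_RE.search(line)
        if m:
            inconsistent[m.group(1)] = (m.group(2), m.group(3))
    return expected, missing_remote, missing_local, inconsistent


def triage(log_text):
    expected, missing_remote, missing_local, inconsistent = parse(log_text)
    version_undef = inconsistent.get("version", ("", ""))[1].endswith("UNDEF")
    mismatches = {k: v for k, v in inconsistent.items() if k != "version"}
    # Heuristic (assumption of this example): an undefined remote version plus
    # nothing but "missing in remote" warnings is consistent with the client
    # having no usable options string from the peer, not with the two configs
    # disagreeing on individual settings.
    blanket = (version_undef and not mismatches and not missing_local
               and len(missing_remote) >= 3)
    if blanket:
        verdict = "blanket-missing"
    elif mismatches or missing_remote or missing_local:
        verdict = "per-option-mismatch"
    else:
        verdict = "consistent"
    return {
        "verdict": verdict,
        "missing_in_remote": sorted(missing_remote),
        "unflagged_expected": [n for n in expected if n not in missing_remote],
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_BLANKET), ("contrast", SAMPLE_MISMATCH)):
        print(name, triage(log))
```
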

ssdnvv
OpenVpn Newbie
Posts: 19
Joined: Wed May 22, 2013 10:31 am

Re: Server-Client Config openwrt-router

Post by ssdnvv » Fri Jul 03, 2015 9:21 am

Thanks for verifying it.
Do you know how to file a bug?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Server-Client Config openwrt-router

Post by Traffic » Fri Jul 03, 2015 9:49 am

This is the bug system for OpenWRT:
https://dev.openwrt.org/timeline

I reported this to the #openwrt IRC channel on freenode but nobody commented ...

You should check openwrt open tickets and report it if necessary.
