Stuck at a step during configuring openvpn

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sat Dec 04, 2010 12:08 am

So I have a CentOS 5 VPS and I'm installing OpenVPN on it. I'm a noob at Linux and servers, but after reading a few tutorials I came up with the following. Black is my bash commands, blue is output, red is my thoughts. Lol.

# rpm -Uvh http://download.fedora.redhat.com/pub/e ... noarch.rpm

(seems to be the newest version of openvpn afaik.)

Retrieving http://download.fedora.redhat.com/pub/e ... noarch.rpm
warning: /var/tmp/rpm-xfer.pAhLcO: Header V3 DSA signature: NOKEY, key ID 217521f6
Preparing... ########################################### [100%]
1:epel-release ########################################### [100%]

# yum install openvpn

Loaded plugins: fastestmirror
Determining fastest mirrors
* addons: centos.mirror.transip.nl
* base: ftp.nluug.nl
* epel: ftp.nluug.nl
* extras: ftp.nluug.nl
* updates: mirror.denit.net
addons | 951 B 00:00
addons/primary | 204 B 00:00
base | 2.1 kB 00:00
base/primary_db | 2.1 MB 00:00
epel | 3.7 kB 00:00
epel/primary_db | 3.4 MB 00:00
extras | 2.1 kB 00:00
extras/primary_db | 246 kB 00:00
n2 | 951 B 00:00
n2/primary | 2.9 kB 00:00
n2 17/17
updates | 1.9 kB 00:00
updates/primary_db | 1.0 MB 00:00
Excluding Packages in global exclude list
Finished
Setting up Install Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package openvpn.x86_64 0:2.1.1-2.el5 set to be updated
--> Processing Dependency: liblzo2.so.2()(64bit) for package: openvpn
--> Processing Dependency: libpkcs11-helper.so.1()(64bit) for package: openvpn
--> Running transaction check
---> Package lzo.x86_64 0:2.02-2.el5.1 set to be updated
---> Package pkcs11-helper.x86_64 0:1.07-2.el5.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
openvpn x86_64 2.1.1-2.el5 epel 380 k
Installing for dependencies:
lzo x86_64 2.02-2.el5.1 epel 57 k
pkcs11-helper x86_64 1.07-2.el5.1 epel 54 k

Transaction Summary
================================================================================
Install 3 Package(s)
Upgrade 0 Package(s)

Total download size: 491 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): pkcs11-helper-1.07-2.el5.1.x86_64.rpm | 54 kB 00:00
(2/3): lzo-2.02-2.el5.1.x86_64.rpm | 57 kB 00:00
(3/3): openvpn-2.1.1-2.el5.x86_64.rpm | 380 kB 00:00
--------------------------------------------------------------------------------
Total 27 kB/s | 491 kB 00:18
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6
epel/gpgkey | 1.7 kB 00:00
Importing GPG key 0x217521F6 "Fedora EPEL <epel@fedoraproject.org>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : pkcs11-helper 1/3
Installing : lzo 2/3
Installing : openvpn 3/3

Installed:
openvpn.x86_64 0:2.1.1-2.el5

Dependency Installed:
lzo.x86_64 0:2.02-2.el5.1 pkcs11-helper.x86_64 0:1.07-2.el5.1

Complete!


# find / -name 'easy-rsa' -type d

/usr/share/openvpn/easy-rsa

# cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa
# vi vars

Here is the problem. When I vi into vars, the file is empty.

The tutorials all say I should then:

then scroll down to the bottom, edit as you like.

export KEY_COUNTRY=AU
export KEY_PROVINCE=VIC
export KEY_CITY=MELBOURNE
export KEY_ORG="THROXVPN"
export KEY_EMAIL="name@email.com"

#. ./vars (note a space between . . )
#./clean-all


But I can't scroll in that file; it's empty and useless... Could anyone please help? I have no idea where I'm going wrong. Thanks for your time and help!
Last edited by ilovegrolsc on Sat Dec 04, 2010 7:04 am, edited 1 time in total.

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Re: Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sat Dec 04, 2010 2:11 am

OK, I think I have this solved.

I did

# cd /etc/openvpn/easy-rsa
# ls -1

1.0
2.0

then

# cd 2.0
# ls -1

Makefile
README
build-ca
build-dh
build-inter
build-key
build-key-pass
build-key-pkcs12
build-key-server
build-req
build-req-pass
clean-all
inherit-inter
list-crl
openssl-0.9.6.cnf
openssl.cnf
pkitool
revoke-full
sign-req
vars
whichopensslcnf


So basically I thought the vars file was in /easy-rsa/, but actually I have two more directories there, 1.0 and 2.0. I don't know why there are two directories here. As you can see, the problem was that I am a Linux noob. Moderators, please keep this thread open as I will post more if I run into further troubles. Thanks.

Then I just

# vi /etc/openvpn/easy-rsa/2.0/vars

Bob's your uncle.

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Re: Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sat Dec 04, 2010 4:36 am

Have run into a big problem:

-bash-3.2# service openvpn start

Starting openvpn: [FAILED]

After following these instructions to the letter,

http://library.linode.com/networking/openvpn/centos-5

I had no problems creating all of the necessary keys and the CA, and transferred them to where they should be (some in /etc/openvpn and some to my local computer), but the service just won't start running on the Linode. I think it might be a problem with my server.conf and client.conf files, which I copied from

/usr/share/doc/openvpn-2.1.1/sample-config-files/

to /etc/openvpn

I made no changes to the sample server.conf file. I made these changes to client.conf: (changes in yellow)

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 11.11.11.111 11944 (just put in the IP of the Linux server)

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

(changed the cert and key names to match what I had generated in the earlier step).

Can someone please help? I've searched many posts about CentOS + OpenVPN and I don't feel like I can fix this by googling alone. I've tried connecting to the OpenVPN channel on Freenode IRC, but although it is full of people, everyone is idle.

I'm not sure if this is a hint or could help, but I read that someone ran this command when there were problems, so I did it also:

openvpn --dev tun0

Sat Dec 4 05:15:29 2010 OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 26 2010
Sat Dec 4 05:15:29 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Dec 4 05:15:29 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Dec 4 05:15:29 2010 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Dec 4 05:15:29 2010 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Sat Dec 4 05:15:29 2010 Exiting


Thanks for your time in looking at this... hopefully she'll be working soon! I should mention that straight after I installed OpenVPN on the server (but before generating any keys or moving any conf files to /etc/openvpn), I was able to start the openvpn service. Also, if I delete server.conf and client.conf in /etc/openvpn then the service will start.

Very lastly, if I delete client.conf BUT keep server.conf in /etc/openvpn then the service will start. Perhaps I'm not supposed to have client.conf in /etc/openvpn at all?

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Re: Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sat Dec 04, 2010 5:57 am

Just tried to connect:


Sat Dec 04 06:55:06 2010 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Sat Dec 04 06:55:06 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Dec 04 06:55:06 2010 LZO compression initialized
Sat Dec 04 06:55:06 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Dec 04 06:55:06 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Dec 04 06:55:06 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Dec 04 06:55:06 2010 Local Options hash (VER=V4): '41690919'
Sat Dec 04 06:55:06 2010 Expected Remote Options hash (VER=V4): '530fdded'
Sat Dec 04 06:55:06 2010 UDPv4 link local: [undef]
Sat Dec 04 06:55:06 2010 UDPv4 link remote: 111.11.11.11:1194
Sat Dec 04 06:55:06 2010 TLS: Initial packet from 111.11.11.11:1194, sid=c9e207d0 7bd874c7
Sat Dec 04 06:55:06 2010 VERIFY OK: depth=1, /C=NL/ST=ZUID/L=ROTTERDAM/O=TEST/CN=mydomain-ca/emailAddress=whitelines2@hotmail.com
Sat Dec 04 06:55:06 2010 VERIFY OK: nsCertType=SERVER
Sat Dec 04 06:55:06 2010 VERIFY OK: depth=0, /C=NL/ST=ZUID/L=ROTTERDAM/O=TEST/CN=test/emailAddress=whitelines2@hotmail.com
Sat Dec 04 06:55:06 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Dec 04 06:55:06 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 04 06:55:06 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Dec 04 06:55:06 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 04 06:55:06 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Dec 04 06:55:06 2010 [test] Peer Connection Initiated with 111.11.11.11:1194
Sat Dec 04 06:55:08 2010 SENT CONTROL [test]: 'PUSH_REQUEST' (status=1)
Sat Dec 04 06:55:08 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Dec 04 06:55:08 2010 OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 04 06:55:08 2010 OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 04 06:55:08 2010 OPTIONS IMPORT: route options modified
Sat Dec 04 06:55:08 2010 ROUTE default_gateway=192.168.1.254
Sat Dec 04 06:55:08 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{D02F9AC5-482B-4D7E-A00E-4CAAECA380B2}.tap
Sat Dec 04 06:55:08 2010 TAP-Win32 Driver Version 9.7
Sat Dec 04 06:55:08 2010 TAP-Win32 MTU=1500
Sat Dec 04 06:55:08 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {D02F9AC5-482B-4D7E-A00E-4CAAECA380B2} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sat Dec 04 06:55:08 2010 Successful ARP Flush on interface [18] {D02F9AC5-482B-4D7E-A00E-4CAAECA380B2}
Sat Dec 04 06:55:14 2010 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Sat Dec 04 06:55:14 2010 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Dec 04 06:55:14 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Dec 04 06:55:14 2010 Route addition via IPAPI succeeded [adaptive]
Sat Dec 04 06:55:14 2010 Initialization Sequence Completed


It looks like it was successful; it assigns me the IP 10.8.0.6. However, if I visit a web page with my browser to check my IP, the IP hasn't changed from that of my local computer. So I guess my network traffic isn't being routed through the VPN.
Last edited by ilovegrolsc on Sat Dec 04, 2010 7:15 am, edited 1 time in total.
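An added example, not part of the original thread: a small Python parser for the PUSH_REPLY and ROUTE lines in the client log above. It shows that the server pushed only a host route for 10.8.0.1 and no redirect-gateway, so the client's existing default gateway (192.168.1.254) stays in place and web browsing still leaves via the local connection. The first sample is copied from the log in the post above; the second, with redirect-gateway pushed, is constructed.

```python
import re

# Sample input: the PUSH, ROUTE and completion lines copied from the client log posted above.
SAMPLE_LOG = """\
Sat Dec 04 06:55:08 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Dec 04 06:55:08 2010 ROUTE default_gateway=192.168.1.254
Sat Dec 04 06:55:14 2010 Initialization Sequence Completed
"""

# Constructed variant: the same PUSH_REPLY once the server pushes redirect-gateway.
REDIRECTED_LOG = SAMPLE_LOG.replace("'PUSH_REPLY,", "'PUSH_REPLY,redirect-gateway def1,")

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")
GW_RE = re.compile(r"ROUTE default_gateway=(\S+)")


def parse_push_reply(log_text):
    """Return the pushed options as (name, args) tuples, or None if no PUSH_REPLY was logged."""
    m = PUSH_RE.search(log_text)
    if m is None:
        return None
    options = []
    for item in m.group(1).split(",")[1:]:  # skip the leading 'PUSH_REPLY' token
        parts = item.strip().split()
        options.append((parts[0], parts[1:]))
    return options


def analyze_routing(log_text):
    """Summarize the tunnel addresses and whether internet traffic will use the tunnel."""
    opts = parse_push_reply(log_text)
    if opts is None:
        return {"connected": False}
    ifconfig = next((args for name, args in opts if name == "ifconfig"), [None, None])
    gw = GW_RE.search(log_text)
    return {
        "connected": "Initialization Sequence Completed" in log_text,
        "local_ip": ifconfig[0],
        "peer_ip": ifconfig[1],
        # explicit routes the server asked the client to send through the tunnel
        "routes": [" ".join(args) for name, args in opts if name == "route"],
        # without redirect-gateway only those routes use the tunnel; everything else
        # still leaves via the client's existing default gateway
        "redirect_gateway": any(name == "redirect-gateway" for name, _ in opts),
        "local_default_gateway": gw.group(1) if gw else None,
    }


if __name__ == "__main__":
    for label, log in (("as posted", SAMPLE_LOG), ("with redirect-gateway", REDIRECTED_LOG)):
        print(label, analyze_routing(log))
```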

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Re: Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sat Dec 04, 2010 7:14 am

Added this to server.conf:

push "redirect-gateway def1" (read this will force all my network traffic to go through the VPN)

and

service iptables stop (in case some firewall rule is messing things up)

Now if I connect to the VPN it once again assigns me an IP address, and I can ping 10.0.8.1, but from my Windows client machine I cannot use the internet... like if I browse to a website it can't connect.

I also tried this again:

-bash-3.2# openvpn --dev tun0

Sat Dec 4 08:10:25 2010 OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 26 2010
Sat Dec 4 08:10:25 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Dec 4 08:10:25 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Dec 4 08:10:25 2010 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sat Dec 4 08:10:25 2010 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Sat Dec 4 08:10:25 2010 Exiting


I'm guessing there are some network routing issues here? And I'm curious why it says all encryption and authentication features disabled... I feel like I'm getting closer though. Hope I won't be the only one posting in this thread :)

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Re: Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sat Dec 04, 2010 6:16 pm

-bash-3.2# ifconfig

eth0 Link encap:Ethernet HWaddr 00:16:3E:4C:49:07
inet addr:111.11.11.11 Bcast:111.11.11.111 Mask:255.255.255.0
inet6 addr: 2a02:348:39:5710::1/48 Scope:Global
inet6 addr: fe80::216:3eff:fe4c:4907/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:444631 errors:0 dropped:0 overruns:0 frame:0
TX packets:69147 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44243717 (42.1 MiB) TX bytes:12530324 (11.9 MiB)
Interrupt:9

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1480 errors:0 dropped:0 overruns:0 frame:0
TX packets:1480 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:68096 (66.5 KiB) TX bytes:68096 (66.5 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:505 errors:0 dropped:0 overruns:0 frame:0
TX packets:587 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:210991 (206.0 KiB) TX bytes:18784 (18.3 KiB)
Last edited by ilovegrolsc on Sun Dec 05, 2010 1:15 am, edited 1 time in total.

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Re: Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sat Dec 04, 2010 6:22 pm

-bash-3.2# ps aux|grep openvpn

root 6083 0.0 0.6 41568 3284 ? S 08:53 0:00 openvpn server.conf
root 8903 0.0 0.1 6136 608 pts/1 S+ 19:23 0:00 grep openvpn

ilovegrolsc
OpenVpn Newbie
Posts: 8
Joined: Fri Dec 03, 2010 11:44 pm

Re: Stuck at a step during configuring openvpn

Post by ilovegrolsc » Sun Dec 05, 2010 6:00 am

Log from most recent connect:


Sun Dec 05 06:58:29 2010 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Sun Dec 05 06:58:29 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Dec 05 06:58:29 2010 LZO compression initialized
Sun Dec 05 06:58:29 2010 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Dec 05 06:58:29 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Dec 05 06:58:29 2010 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Dec 05 06:58:29 2010 Local Options hash (VER=V4): '22188c5b'
Sun Dec 05 06:58:29 2010 Expected Remote Options hash (VER=V4): 'a8f55717'
Sun Dec 05 06:58:29 2010 UDPv4 link local: [undef]
Sun Dec 05 06:58:29 2010 UDPv4 link remote: 178.18.87.16:1194
Sun Dec 05 06:58:29 2010 TLS: Initial packet from 178.18.87.16:1194, sid=19dd0b62 bba1cde6
Sun Dec 05 06:58:30 2010 VERIFY OK: depth=1, /C=NL/ST=ZUIDHA/L=SCHIEDAM/O=TESTT/CN=mydomain-ca/emailAddress=whitelines2@hotmail.com
Sun Dec 05 06:58:30 2010 VERIFY OK: nsCertType=SERVER
Sun Dec 05 06:58:30 2010 VERIFY OK: depth=0, /C=NL/ST=ZUIDHA/L=SCHIEDAM/O=TESTT/CN=server/emailAddress=whitelines2@hotmail.com
Sun Dec 05 06:58:30 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 05 06:58:30 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 05 06:58:30 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 05 06:58:30 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 05 06:58:30 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Dec 05 06:58:30 2010 [server] Peer Connection Initiated with 178.18.87.16:1194
Sun Dec 05 06:58:32 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Dec 05 06:58:32 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Dec 05 06:58:32 2010 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec 05 06:58:32 2010 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec 05 06:58:32 2010 OPTIONS IMPORT: route options modified
Sun Dec 05 06:58:32 2010 ROUTE default_gateway=192.168.1.254
Sun Dec 05 06:58:32 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{D02F9AC5-482B-4D7E-A00E-4CAAECA380B2}.tap
Sun Dec 05 06:58:32 2010 TAP-Win32 Driver Version 9.7
Sun Dec 05 06:58:32 2010 TAP-Win32 MTU=1500
Sun Dec 05 06:58:32 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {D02F9AC5-482B-4D7E-A00E-4CAAECA380B2} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Dec 05 06:58:32 2010 Successful ARP Flush on interface [18] {D02F9AC5-482B-4D7E-A00E-4CAAECA380B2}
Sun Dec 05 06:58:37 2010 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Sun Dec 05 06:58:37 2010 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun Dec 05 06:58:37 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Dec 05 06:58:37 2010 Route addition via IPAPI succeeded [adaptive]
Sun Dec 05 06:58:37 2010 Initialization Sequence Completed

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Stuck at a step during configuring openvpn

Post by gladiatr72 » Wed Dec 22, 2010 8:20 pm

Hello,

I'm going to go out on a limb and suggest straight-away that you haven't configured a NAT rule on your openvpn server for your tun0 device.

Also, do you really want all internet traffic to pass through your openvpn server? While it is functional, unless you really need to appear to be connecting from the server network, it's not terribly efficient.

Regards,
Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole
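An added example (not from the thread, and not OpenVPN's own code) of the server-side checks behind that diagnosis, in Python: it reads the VPN subnet from the 'server' line of server.conf and then reports whether the redirect-gateway push, kernel IP forwarding and a POSTROUTING MASQUERADE rule for the tun0 clients out of eth0 are all present. The server.conf, /proc/sys/net/ipv4/ip_forward and `iptables -t nat -S POSTROUTING` inputs are constructed samples; eth0 as the public interface is taken from the ifconfig output earlier in the thread.

```python
import ipaddress
import re

# Constructed samples modelled on the thread: the sample server.conf with the
# redirect-gateway push added, forwarding still off, and no NAT rule yet.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
"""
IP_FORWARD = "0\n"                     # contents of /proc/sys/net/ipv4/ip_forward
NAT_RULES = "-P POSTROUTING ACCEPT\n"  # output of: iptables -t nat -S POSTROUTING
WAN_IF = "eth0"                        # interface holding the server's public address


def vpn_subnet(conf):
    """Read the 'server <net> <mask>' line and return it as an ip_network (None if absent)."""
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)", conf, re.M)
    if m is None:
        return None
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def pushes_redirect_gateway(conf):
    """True if server.conf pushes a redirect-gateway option to clients."""
    return re.search(r'^\s*push\s+"redirect-gateway\b', conf, re.M) is not None


def has_masquerade(nat_rules, subnet, wan_if):
    """True if a POSTROUTING rule source-NATs the VPN subnet out of wan_if."""
    for line in nat_rules.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        if f"-s {subnet}" in line and f"-o {wan_if}" in line and (
            "-j MASQUERADE" in line or "-j SNAT" in line
        ):
            return True
    return False


def check_gateway(conf, ip_forward, nat_rules, wan_if):
    """Return what is still missing for tunnel clients to reach the internet via the server."""
    subnet = vpn_subnet(conf)
    if subnet is None:
        return ["no 'server' line in server.conf"]
    missing = []
    if not pushes_redirect_gateway(conf):
        missing.append('push "redirect-gateway def1" (clients keep their local default route)')
    if ip_forward.strip() != "1":
        missing.append("net.ipv4.ip_forward=1 (kernel will not forward the clients' packets)")
    if not has_masquerade(nat_rules, subnet, wan_if):
        missing.append(f"iptables -t nat -A POSTROUTING -s {subnet} -o {wan_if} -j MASQUERADE")
    return missing


if __name__ == "__main__":
    for item in check_gateway(SERVER_CONF, IP_FORWARD, NAT_RULES, WAN_IF):
        print("missing:", item)
```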
