Lost hope using ccd option

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Lost hope using ccd option

Post by pwg3n » Mon Apr 04, 2011 3:33 pm

Hi everyone.

First of all I'd like to thank you for your time reading this.

I've got a huge problem setting up fixed IP addresses for my clients. I've seen that there's an option using the ccd directory, but this is not working for me. I mean, it's totally ignored by the client who's connecting.

Here's my config:
port 1194
proto udp
dev tun
ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 2.2.2.2"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

Some explanations:

10.1.1.0/24 is my internal_subnet (LAN clients)

10.2.0.0/24 is my openvpn_subnet (external clients)

A static route is added for openvpn_subnet users to connect to internal_subnet users.

THE PROBLEM:

I've created user1 and a file inside: /etc/openvpn/ccd/
ls -l /etc/openvpn/ccd/
total 8
-rwxrwxrwx 1 root root 34 2011-04-04 11:01 user1
Gave all the possible permissions.

Inside that file I set up a fixed IP range:
cat /etc/openvpn/ccd/user1
ifconfig-push 10.2.0.50 10.2.0.50
But every time user1 connects, the VPN server doesn't give a ... about this ccd option and sets up an IP looking at this option:
server 10.2.0.0 255.255.255.0
The only IP users are receiving is this:
10.2.0.6
Here's the log:
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 LZO compression initialized
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Local Options hash (VER=V4): '530fdded'
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Expected Remote Options hash (VER=V4): '41690919'
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 TLS: Initial packet from 82.111.111.111:20898, sid=21b4eec3 58c53cb6
Mon Apr 4 11:13:29 2011 82.1.1.1:20898 VERIFY OK: depth=1, /C=RO/ST=RO/L=City/O=Company/OU=RO/CN=gw/emailAddress=administrator@domainexample.ro
Mon Apr 4 11:13:29 2011 82.1.1.1:20898 VERIFY OK: depth=0, /C=RO/ST=RO/L=City/O=Company/OU=Company/CN=user1/emailAddress=administrator@domainexample.ro
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 4 11:13:31 2011 82.1.1.1:20898 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 4 11:13:31 2011 82.1.1.1:20898 [user1] Peer Connection Initiated with 82.1.1.1:20898
Mon Apr 4 11:13:31 2011 user1/82.1.1.1:20898 MULTI: Learn: 10.2.0.6 -> user1/82.1.1.1:20898
Mon Apr 4 11:13:31 2011 user1/82.1.1.1:20898 MULTI: primary virtual IP for user1/82.1.1.1:20898: 10.2.0.6
Mon Apr 4 11:13:33 2011 user1/82.1.1.1:20898 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 4 11:13:33 2011 user1/82.1.1.1:20898 SENT CONTROL [user1]: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 213.154.124.1,route 10.2.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.2.0.6 10.2.0.5' (status=1)
Mon Apr 4 11:18:01 2011 user1/82.1.1.1:20898 [user1] Inactivity timeout (--ping-restart), restarting
Mon Apr 4 11:18:01 2011 user1/82.1.1.1:20898 SIGUSR1[soft,ping-restart] received, client-instance restarting

Any idea what I am missing about this?

PS: Don't worry about the external IP's. Changed this only in this document.


THANKS A LOT people!
Last edited by pwg3n on Tue Apr 05, 2011 6:44 am, edited 3 times in total.

george
Forum Team
Posts: 117
Joined: Tue Jun 09, 2009 4:25 pm
Location: St. Louis, MO USA

Re: Lost hope using ccd option

Post by george » Mon Apr 04, 2011 6:54 pm

Your ifconfig-push statement is causing it not to work. They need to be successive pairs using a 30 bit subnet mask, in your case the line should read:

ifconfig-push 10.2.0.49 10.2.0.50
Here's a more detailed explanation:

http://openvpn.net/index.php/open-sourc ... tml#policy

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Lost hope using ccd option

Post by maikcat » Tue Apr 05, 2011 6:41 am

hi there,

don't forget to restore ccd's permissions...


michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 6:45 am

Tried that. The only IP clients are receiving is 10.2.0.6 :(
george wrote:Your ifconfig-push statement is causing it not to work. They need to be successive pairs using a 30 bit subnet mask, in your case the line should read:

ifconfig-push 10.2.0.49 10.2.0.50
Here's a more detailed explanation:

http://openvpn.net/index.php/open-sourc ... tml#policy

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 6:49 am

Sorry, what do you mean by "restore" permissions for ccd?

What permissions do you have for that folder?
maikcat wrote:hi there,

don't forget to restore ccd's permissions...


michael.
Last edited by pwg3n on Tue Apr 05, 2011 7:14 am, edited 1 time in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Lost hope using ccd option

Post by maikcat » Tue Apr 05, 2011 7:13 am

hi there,

ccd files must have 644 permissions, not 777..

I noticed this

/C=RO/ST=RO/L=City/O=Company/OU=RO/CN=gw/emailAddress=administrator@domainexample.ro

CN=gw...

try renaming the user1 file to gw

michael

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 7:15 am

gw is the machine hostname

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Lost hope using ccd option

Post by maikcat » Tue Apr 05, 2011 7:40 am

can you please try after renaming the ccd file to gw?

michael.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 9:02 am

for debugging, try adding

verb 5
ccd-exclusive
to the server config and restart; only the client 'user1' will now be allowed to connect.

Next, use the following IPs in the ccd-file

ifconfig-push 10.2.0.50 10.2.0.49

(Note the order! The HOWTO mentions it backwards, which is wrong.)


In the server log you should now see that it is picking up the 'ccd' file; if it is not, then the client is not allowed access.
Once it works, remove the 'ccd-exclusive' to allow other clients to connect again.

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 9:15 am

Hah!

You guys were right. Thank you so much!

Restarted the server and put the /30 ranges in the ccd file, and now it's working OK, but I'm having another problem: the 10.3.0.0/24 clients cannot ping the LAN (10.1.1.0/24), even though the config file has the bold routes added:
port 1194
proto udp
dev tun
ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
route 10.2.0.0 255.255.255.0
route 10.3.0.0 255.255.255.0

push "redirect-gateway def1"
push "dhcp-option DNS 213.154.124.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 9:18 am

This makes sense janjust, thank you.
janjust wrote:for debugging, try adding

verb 5
ccd-exclusive
to the server config and restart; only the client 'user1' will now be allowed to connect.

Next, use the following IPs in the ccd-file

ifconfig-push 10.2.0.50 10.2.0.49

(Note the order! The HOWTO mentions it backwards, which is wrong.)


In the server log you should now see that it is picking up the 'ccd' file; if it is not, then the client is not allowed access.
Once it works, remove the 'ccd-exclusive' to allow other clients to connect again.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 9:20 am

which clients are the '10.3.0.0/24' clients? where do they connect from?
Also, if a VPN client connects, it receives an address in the 10.2.0.0/24 space - if the 10.3/24 clients are LAN clients on the server side, do they know that 10.2/24 is "behind" the openvpn server ?

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 9:23 am

Both 10.2.0.0/24 and 10.3.0.0/24 need to ping 10.1.1.1, which is the default gateway.

Both need to connect to 10.1.1.x servers in the LAN subnet.

10.2.0.0/24 and 10.3.0.0/24 are the classes for two types of guests.
janjust wrote:which clients are the '10.3.0.0/24' clients? where do they connect from?
Also, if a VPN client connects, it receives an address in the 10.2.0.0/24 space - if the 10.3/24 clients are LAN clients on the server side, do they know that 10.2/24 is "behind" the openvpn server ?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Lost hope using ccd option

Post by maikcat » Tue Apr 05, 2011 9:45 am

Although I missed a few posts, I'll try to catch up..

first remove this:

route 10.2.0.0 255.255.255.0

second

this : route 10.3.0.0 255.255.255.0

are you using iroute statement inside ccd file?

>10.2.0.0/24 and 10.3.0.0/24 are the classes for two type of guests.

I don't quite understand this...


PS: for the record, how did you solve the ccd problem you had?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 9:49 am

so the 10.3/24 clients are VPN clients? it will be hard to integrate them into your existing server setup.
Try using 10.0.2/24 and 10.0.3/24 instead. Update your server config to

server 10.0.2.0 255.255.254.0
so that the 10.0.3/24 clients become part of the same VPN.

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 10:03 am

Both 10.0.2.0/24 and 10.0.3.0/24 are VPN clients. They both must reach 10.1.1.0/24 LAN network, having 10.1.1.1 as a LAN gateway.

10.0.2.0/24 and 10.0.3.0/24 must have access to servers like 10.1.1.5 or 10.1.1.50 for instance.


maikcat, solved the issue by adding the correct /30 entries to the ccd file.

For instance, for user1:
cat /etc/openvpn/ccd/user1
ifconfig-push 10.3.0.1 10.3.0.2
For user2:
cat /etc/openvpn/ccd/user2
ifconfig-push 10.2.0.1 10.2.0.2

Took the ranges from here:

[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

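As an added illustration of the /30 pairing rule and of the ccd permission and file-naming points raised in this thread (this is not code from the thread or from OpenVPN): a small validator that flags ifconfig-push lines that are not valid topology net30 endpoint pairs inside the server pool, and ccd files that are group- or world-writable. The function names and the assumption that each ccd file is named after the client certificate CN are mine; the directory layout is whatever you pass in.

```python
import ipaddress
import os
import stat

def check_ifconfig_push(line, server_subnet):
    """Return the problems with an 'ifconfig-push <local> <remote>' line.

    Under topology net30 the two addresses must be the two usable hosts of a
    single /30 inside the server pool, e.g. 10.2.0.49/10.2.0.50 (either order).
    """
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["expected 'ifconfig-push <local> <remote>'"]
    pool = ipaddress.ip_network(server_subnet, strict=False)
    try:
        local, remote = (ipaddress.ip_address(p) for p in parts[1:])
    except ValueError as exc:
        return [f"bad address: {exc}"]
    problems = [f"{a} is outside the server pool {pool}"
                for a in (local, remote) if a not in pool]
    if local == remote:
        return problems + ["local and remote endpoints are identical"]
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    if remote not in block:
        problems.append(f"{local} and {remote} are not in the same /30")
    # The first and last address of a /30 are its network and broadcast addresses.
    problems += [f"{a} is the network or broadcast address of {block}"
                 for a in (local, remote)
                 if a in (block.network_address, block.broadcast_address)]
    return problems

def ccd_mode_ok(mode):
    """The thread recommends 0644: reject group- or world-writable ccd files."""
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)

def audit_ccd_dir(ccd_dir, server_subnet):
    """Map each ccd file (assumed to be named after the client CN) to its problems."""
    report = {}
    for name in sorted(os.listdir(ccd_dir)):
        path = os.path.join(ccd_dir, name)
        problems = [] if ccd_mode_ok(os.stat(path).st_mode) else ["file is group/world writable"]
        with open(path) as fh:
            for raw in fh:
                if raw.startswith("ifconfig-push"):
                    problems += check_ifconfig_push(raw.strip(), server_subnet)
        report[name] = problems
    return report
```

Run `audit_ccd_dir("/etc/openvpn/ccd", "10.2.0.0/24")` with your server's pool; the original line from this thread, `ifconfig-push 10.2.0.50 10.2.0.50`, is reported as an identical pair, and `10.3.0.1 10.3.0.2` under a `server 10.0.2.0 255.255.254.0` pool is reported as outside the pool.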
janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 10:06 am

note my use of
10.0.2.0
and
10.0.3.0
instead of '10.[23].0': check the order of the 0's!

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 10:10 am

Thank you janjust. This made the 10.3.0.0 network access ok to 10.1.1.1, but cannot ping 10.1.1.1 from 10.2.0.0 network.
janjust wrote:so the 10.3/24 clients are VPN clients? it will be hard to integrate them into your existing server setup.
Try using 10.0.2/24 and 10.0.3/24 instead. Update your server config to

server 10.0.2.0 255.255.254.0
so that the 10.0.3/24 clients become part of the same VPN.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 10:12 am

did you update the ccd-file as well? what is the IP address assigned to the client? it should become '10.0.2.50'.

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 10:21 am

Did that.
I don't know what's happening.

3=11
2=10

254=111 111 10

So, this mask should match all these two VPN users classes.

Don't understand.

Conf now:
port 1194
proto udp
dev tun
ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.0.2.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 213.154.124.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
janjust wrote:did you update the ccd-file as well? what is the IP address assigned to the client? it should become '10.0.2.50'.
Last edited by pwg3n on Tue Apr 05, 2011 10:24 am, edited 1 time in total.
