simple roadwarrior with open-wrt server and Win 7 client

[fcxpress]

Hello everybody,

I'm trying without success to get OpenVPN working with openWRT Backfire (10.03.1-rc4, r24045) as a server side and openvpn-2.2-RC2 on Windows 7 on the client side.
As of now, I have only got one signle roadwarrior client PC and I don't intend to add any more in short term, so I wanted to keep it simple by using just a shared secret key, no PKI/CA/cert setup.
Configs and logs below.
On the Windows 7 host, when I try to ping the other end on the tunnel (open-WRT tun0 interface) it fails.
Though, when performing a tcpdump on the tun0 interface of the open-WRT router, I can see ICMP recho-requests comming in from the client and ICMP echo-replie going out the to client.
But when taking a capture with wireshark on the client, I can only see the request going out but no response comming back.

Any idea why on the client the process restars regularly and why on the server I have got 'write to TUN/TAP : Invalid argument (code=22)' error message ? I've been checking comp-lzo parameters several times and it looks correct to me.

Any suggestion is welcome!

Many thanks in advance,
fcxpress

Open-WRTServer config:

Code: Select all

local my.dyndns.org
ifconfig 172.17.34.1 172.17.34.2
proto udp
port 18233
dev tun
secret /etc/openvpn/static.key
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
verb 3
comp-lzo no
script-security 3 system

Win 7 client config:

Code: Select all

remote my.dyndns.org 18233
ifconfig 172.17.34.2 172.17.34.1
proto udp
dev tun
secret 'C:\Program Files\OpenVPN\config\openvpn-egate.key'
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
comp-lzo no
script-security 3 system
verb 3

Server log output:

Code: Select all

root@egate:~# openvpn /etc/openvpn/server.cfg
Thu Apr 14 09:00:06 2011 OpenVPN 2.1.3 mips-openwrt-linux [SSL] [LZO2] built on Oct 28 2010
Thu Apr 14 09:00:06 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Apr 14 09:00:06 2011 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:00:06 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 14 09:00:06 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 14 09:00:06 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 14 09:00:06 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 14 09:00:06 2011 LZO compression initialized
Thu Apr 14 09:00:06 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Apr 14 09:00:06 2011 TUN/TAP device tun0 opened
Thu Apr 14 09:00:06 2011 TUN/TAP TX queue length set to 100
Thu Apr 14 09:00:06 2011 /sbin/ifconfig tun0 172.17.34.1 pointopoint 172.17.34.2 mtu 1500
Thu Apr 14 09:00:06 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Apr 14 09:00:06 2011 UDPv4 link local (bound): xxx.xxx.xxx.xxx:18233
Thu Apr 14 09:00:06 2011 UDPv4 link remote: [undef]
Thu Apr 14 09:01:54 2011 Peer Connection Initiated with yyy.yyy.yyy.yyy:59654
Thu Apr 14 09:01:54 2011 Replay-window backtrack occurred [2]
Thu Apr 14 09:01:55 2011 Initialization Sequence Completed
Thu Apr 14 09:02:03 2011 write to TUN/TAP : Invalid argument (code=22)
Thu Apr 14 09:02:12 2011 write to TUN/TAP : Invalid argument (code=22)
Thu Apr 14 09:02:23 2011 write to TUN/TAP : Invalid argument (code=22)
Thu Apr 14 09:02:33 2011 write to TUN/TAP : Invalid argument (code=22)
^CThu Apr 14 09:02:36 2011 event_wait : Interrupted system call (code=4)
Thu Apr 14 09:02:36 2011 TCP/UDP: Closing socket
Thu Apr 14 09:02:36 2011 Closing TUN/TAP interface
Thu Apr 14 09:02:36 2011 /sbin/ifconfig tun0 0.0.0.0
Thu Apr 14 09:02:37 2011 SIGINT[hard,] received, process exiting

Client log:

Code: Select all

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>openvpn "c:\program files\openvpn\config\openvpn-egate.ovpn"

Thu Apr 14 09:01:55 2011 OpenVPN 2.2-RC2 Win32-MSVC++ [SSL] [LZO2] built on Mar
25 2011
Thu Apr 14 09:01:55 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 09:01:55 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:01:55 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bi
t key
Thu Apr 14 09:01:55 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for H
MAC authentication
Thu Apr 14 09:01:55 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bi
t key
Thu Apr 14 09:01:55 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for H
MAC authentication
Thu Apr 14 09:01:55 2011 LZO compression initialized
Thu Apr 14 09:01:55 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 09:01:55 2011 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{70EF6051
-2443-41B1-9C3E-3C06037A6024}.tap
Thu Apr 14 09:01:55 2011 TAP-Win32 Driver Version 9.8
Thu Apr 14 09:01:55 2011 TAP-Win32 MTU=1500
Thu Apr 14 09:01:55 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 1
72.17.34.2/255.255.255.252 on interface {70EF6051-2443-41B1-9C3E-3C06037A6024} [
DHCP-serv: 172.17.34.1, lease-time: 31536000]
Thu Apr 14 09:01:55 2011 Successful ARP Flush on interface [15] {70EF6051-2443-4
1B1-9C3E-3C06037A6024}
Thu Apr 14 09:01:55 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 09:01:55 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 09:01:55 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 09:01:55 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 09:01:55 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233
Thu Apr 14 09:02:55 2011 Inactivity timeout (--ping-restart), restarting
Thu Apr 14 09:02:55 2011 TCP/UDP: Closing socket
Thu Apr 14 09:02:55 2011 SIGUSR1[soft,ping-restart] received, process restarting

Thu Apr 14 09:02:55 2011 Restart pause, 2 second(s)
Thu Apr 14 09:02:57 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 09:02:57 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:02:57 2011 Re-using pre-shared static key
Thu Apr 14 09:02:57 2011 LZO compression initialized
Thu Apr 14 09:02:57 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 09:02:57 2011 Preserving previous TUN/TAP instance: OpenVPN
Thu Apr 14 09:02:57 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 09:02:57 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 09:02:57 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 09:02:57 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 09:02:57 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233
Thu Apr 14 09:03:57 2011 Inactivity timeout (--ping-restart), restarting
Thu Apr 14 09:03:57 2011 TCP/UDP: Closing socket
Thu Apr 14 09:03:57 2011 SIGUSR1[soft,ping-restart] received, process restarting

Thu Apr 14 09:03:57 2011 Restart pause, 2 second(s)
Thu Apr 14 09:03:59 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 09:03:59 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:03:59 2011 Re-using pre-shared static key
Thu Apr 14 09:03:59 2011 LZO compression initialized
Thu Apr 14 09:03:59 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 09:03:59 2011 Preserving previous TUN/TAP instance: OpenVPN
Thu Apr 14 09:03:59 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 09:03:59 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 09:03:59 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 09:03:59 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 09:03:59 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233
Thu Apr 14 09:04:59 2011 Inactivity timeout (--ping-restart), restarting
Thu Apr 14 09:04:59 2011 TCP/UDP: Closing socket
Thu Apr 14 09:04:59 2011 SIGUSR1[soft,ping-restart] received, process restarting

Thu Apr 14 09:04:59 2011 Restart pause, 2 second(s)
Thu Apr 14 09:05:01 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 09:05:01 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:05:01 2011 Re-using pre-shared static key
Thu Apr 14 09:05:01 2011 LZO compression initialized
Thu Apr 14 09:05:01 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 09:05:01 2011 Preserving previous TUN/TAP instance: OpenVPN
Thu Apr 14 09:05:01 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 09:05:01 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 09:05:01 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 09:05:01 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 09:05:01 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233
Thu Apr 14 09:06:01 2011 Inactivity timeout (--ping-restart), restarting
Thu Apr 14 09:06:01 2011 TCP/UDP: Closing socket
Thu Apr 14 09:06:01 2011 SIGUSR1[soft,ping-restart] received, process restarting

Thu Apr 14 09:06:01 2011 Restart pause, 2 second(s)
Thu Apr 14 09:06:03 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 09:06:03 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:06:03 2011 Re-using pre-shared static key
Thu Apr 14 09:06:03 2011 LZO compression initialized
Thu Apr 14 09:06:03 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 09:06:03 2011 Preserving previous TUN/TAP instance: OpenVPN
Thu Apr 14 09:06:03 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 09:06:03 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 09:06:03 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 09:06:03 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 09:06:03 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233
Thu Apr 14 09:07:04 2011 Inactivity timeout (--ping-restart), restarting
Thu Apr 14 09:07:04 2011 TCP/UDP: Closing socket
Thu Apr 14 09:07:04 2011 SIGUSR1[soft,ping-restart] received, process restarting

Thu Apr 14 09:07:04 2011 Restart pause, 2 second(s)
Thu Apr 14 09:07:06 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 09:07:06 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:07:06 2011 Re-using pre-shared static key
Thu Apr 14 09:07:06 2011 LZO compression initialized
Thu Apr 14 09:07:06 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 09:07:06 2011 Preserving previous TUN/TAP instance: OpenVPN
Thu Apr 14 09:07:06 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 09:07:06 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 09:07:06 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 09:07:06 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 09:07:06 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233
Thu Apr 14 09:08:06 2011 Inactivity timeout (--ping-restart), restarting
Thu Apr 14 09:08:06 2011 TCP/UDP: Closing socket
Thu Apr 14 09:08:06 2011 SIGUSR1[soft,ping-restart] received, process restarting

Thu Apr 14 09:08:06 2011 Restart pause, 2 second(s)
Thu Apr 14 09:08:08 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 09:08:08 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 09:08:08 2011 Re-using pre-shared static key
Thu Apr 14 09:08:08 2011 LZO compression initialized
Thu Apr 14 09:08:08 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 09:08:08 2011 Preserving previous TUN/TAP instance: OpenVPN
Thu Apr 14 09:08:08 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 09:08:08 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 09:08:08 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 09:08:08 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 09:08:08 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233

[janjust]

this is an odd problem - debian users have reported similar issues but they were usually fixed by adding

Code: Select all

comp-lzo no

, which you have. For debugging, can you try removing the

Code: Select all

keep-alive 10 60

line? the (code=22) error worries me, but it seems to happen every time the server wants to send a keep-alive message to the client - that's why I want to try it without it.

[fcxpress]

JanJust,

That's also what I thought given that I get this message every 10s which matches with the keepalive delay.
Tried your suggestion but problem remains: I still get the same error message in the server log.

Here are the logs:

server

Code: Select all

root@egate:~# !open
openvpn /etc/openvpn/server.cfg
Thu Apr 14 11:02:39 2011 OpenVPN 2.1.3 mips-openwrt-linux [SSL] [LZO2] built on Oct 28 2010
Thu Apr 14 11:02:39 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Apr 14 11:02:39 2011 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 11:02:39 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 14 11:02:39 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 14 11:02:39 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 14 11:02:39 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 14 11:02:39 2011 LZO compression initialized
Thu Apr 14 11:02:39 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Apr 14 11:02:39 2011 TUN/TAP device tun0 opened
Thu Apr 14 11:02:39 2011 TUN/TAP TX queue length set to 100
Thu Apr 14 11:02:39 2011 /sbin/ifconfig tun0 172.17.34.1 pointopoint 172.17.34.2 mtu 1500
Thu Apr 14 11:02:40 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Apr 14 11:02:40 2011 UDPv4 link local (bound): 85.26.78.93:18233
Thu Apr 14 11:02:40 2011 UDPv4 link remote: [undef]
Thu Apr 14 11:02:46 2011 Peer Connection Initiated with 194.7.114.248:29085
Thu Apr 14 11:02:46 2011 Initialization Sequence Completed
Thu Apr 14 11:02:46 2011 Replay-window backtrack occurred [3]
Thu Apr 14 11:02:54 2011 write to TUN/TAP : Invalid argument (code=22)
Thu Apr 14 11:03:05 2011 write to TUN/TAP : Invalid argument (code=22)
Thu Apr 14 11:03:15 2011 write to TUN/TAP : Invalid argument (code=22)
^CThu Apr 14 11:03:21 2011 event_wait : Interrupted system call (code=4)
Thu Apr 14 11:03:21 2011 TCP/UDP: Closing socket
Thu Apr 14 11:03:21 2011 Closing TUN/TAP interface
Thu Apr 14 11:03:21 2011 /sbin/ifconfig tun0 0.0.0.0
Thu Apr 14 11:03:21 2011 SIGINT[hard,] received, process exiting

root@egate:~#

client (launched in an admin-privileged cmd.exe)

Code: Select all

C:\Windows\system32>openvpn "c:\program files\openvpn\config\openvpn-egate.ovpn"

Thu Apr 14 11:02:46 2011 OpenVPN 2.2-RC2 Win32-MSVC++ [SSL] [LZO2] built on Mar
25 2011
Thu Apr 14 11:02:46 2011 NOTE: the current --script-security setting may allow t
his configuration to call user-defined scripts
Thu Apr 14 11:02:46 2011 NOTE: --script-security method='system' is deprecated d
ue to the fact that passed parameters will be subject to shell expansion
Thu Apr 14 11:02:46 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bi
t key
Thu Apr 14 11:02:46 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for H
MAC authentication
Thu Apr 14 11:02:46 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bi
t key
Thu Apr 14 11:02:46 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for H
MAC authentication
Thu Apr 14 11:02:46 2011 LZO compression initialized
Thu Apr 14 11:02:46 2011 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Apr 14 11:02:46 2011 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{70EF6051
-2443-41B1-9C3E-3C06037A6024}.tap
Thu Apr 14 11:02:46 2011 TAP-Win32 Driver Version 9.8
Thu Apr 14 11:02:46 2011 TAP-Win32 MTU=1500
Thu Apr 14 11:02:46 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 1
72.17.34.2/255.255.255.252 on interface {70EF6051-2443-41B1-9C3E-3C06037A6024} [
DHCP-serv: 172.17.34.1, lease-time: 31536000]
Thu Apr 14 11:02:46 2011 Successful ARP Flush on interface [15] {70EF6051-2443-4
1B1-9C3E-3C06037A6024}
Thu Apr 14 11:02:46 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:
0 EL:0 AF:3/1 ]
Thu Apr 14 11:02:46 2011 Local Options hash (VER=V4): '10b7d053'
Thu Apr 14 11:02:46 2011 Expected Remote Options hash (VER=V4): '2b159319'
Thu Apr 14 11:02:46 2011 UDPv4 link local (bound): [undef]:1194
Thu Apr 14 11:02:46 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:18233

C:\Windows\system32>

[janjust]

all I can find on the message

write to TUN/TAP : Invalid argument (code=22)

is related to 'comp-lzo' settings ; can you try the simplest setup possible, e.g.

Code: Select all

local my.dyndns.org
ifconfig 172.17.34.1 172.17.34.2
proto udp
port 18233
dev tun
secret /etc/openvpn/static.key
verb 5

(and similar on the client side) to see if it makes a difference? I don't expect it to, but I just want to make sure.

[fcxpress]

OK, I found what the problem was: corporate firewall which my PC is behind, didn't handle NAT traversal properly on port UDP 18233. I switched both client and server to port UDP 4500 (usually used by IPSEC NAT-T) and it worked.

Anyway, error message remains.

Code: Select all

write to TUN/TAP : Invalid argument (code=22)

Also I can't manage to get the routes pushed to my Win 7 roadwarrior PC but DHCP options work great.

Server config

Code: Select all

local my.dyndns.org
ifconfig 172.17.34.1 172.17.34.2
proto udp
port 4500
dev tun
secret /etc/openvpn/static.key
#keepalive 10 60
ping-timer-rem
persist-key
persist-tun
verb 3
comp-lzo no
script-security 3
push "redirect-gateway def1"
push "dhcp-option DNS 172.17.35.1"
push "dhcp-option WINS 172.17.35.3"

Win 7 roadwarrior client config:

Code: Select all

remote my.dyndns.org 4500
ifconfig 172.17.34.2 172.17.34.1
proto udp
dev tun
secret 'C:\Program Files\OpenVPN\config\openvpn-egate.key'
ping-timer-rem
persist-key
persist-tun
script-security 3
verb 3
nobind
route-delay 5
route-method exe

Also small remark regarding to this route-push thing. Is that possible to keep the host (/32) route to my.dyndns.org IP towards the LAN default GW so that I don't cut the tunnel itself ?

By doing this manually it works perfeclty!

Code: Select all

route add [i]my.dyndns.org_IP[/i] mask 255.255.255.255 [i]LAN_Gateway_IP[/i]
route delete 0.0.0.0 mask 0.0.0.0 [i]LAN_Gateway_IP[/i]
route add 0.0.0.0 mask 0.0.0.0 172.17.34.1

Now next step is to get the routes pushed...

Kind Regards,
FC

[janjust]

The pushing and pulling of information is normally done in client/server mode ; the way you have set it up nothing is pulled by default. Use the option

Code: Select all

pull

on the client side to pull in information (I am surprised that the DNS/WINS settings *are* pulled).

Also, the client should automatically create a direct /32 link to the remote endpoint, but again, this may happen only in client/server mode. You can automate this using

Code: Select all

allow-pull-fqdn
route my.dyndns.org 255.255.255.255 net_gateway

In order to get rid of the 'code=22' errors you can try switching to 'tcp' mode (but this is not really recommended).

[fcxpress]

Hello,

Changed completely my config and switched to a client/server mode as suggested.
It works much better now, thanks for this advise !
As a netw engineer, I know that TCP over TCP is a very bad idea.
But I now get other errors/warning which I suppose are of lower importance.

Code: Select all

client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet

where xxx.xxx.xxx.xxx is the public IP address of the corporate FW I'm behing of.
I must mention that I have IPv6 SixXs tunnel running on the openwrt router with aiccu demon and radvd for IPv6 on my LAN.
Didn't search yet how to configure TAP-Win32 for IPv6, nor tun0 interface on the openWRT but I suppose it's possible just like I did with the LAN.
I also get warning like this one on both client and server side but there are fewer of them

Code: Select all

client1/xxx.xxx.xxx.xxx:60931 Replay-window backtrack occurred [1]

I suppose this is due to some UDP packets that got lost or something like that.
That appart, everything now works fine and looks good to me.

server config:

Code: Select all

tls-server
port 4500
proto udp
dev tun
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/server.crt
key /etc/easy-rsa/keys/server.key
dh /etc/easy-rsa/keys/dh1024.pem

server 172.17.34.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 172.17.35.1"
push "dhcp-option WINS 172.17.35.3"
push "dhcp-option DOMAIN lan"

persist-key
persist-tun

verb 3
keepalive 10 120
log-append /var/log/openvpn/openvpn.log

Client config

Code: Select all

tls-client
remote my.dyndns.org 4500
resolv-retry infinite
proto udp
dev tun
ca 'C:\Program Files\OpenVPN\config\ca.crt'
cert 'C:\Program Files\OpenVPN\config\client1.crt'
key 'C:\Program Files\OpenVPN\config\client1.key'
dh 'C:\Program Files\OpenVPN\config\dh1024.pem'
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
script-security 3
verb 3
nobind
pull
route-delay 5
route-method exe

Server output:

Code: Select all

root@egate:~# openvpn /etc/openvpn/server2.cfg
Tue Apr 19 08:49:33 2011 Warning: Error redirecting stdout/stderr to --log file: /var/log/openvpn/openvpn.log: No such file or directory (errno=2)
Tue Apr 19 08:49:33 2011 OpenVPN 2.1.3 mips-openwrt-linux [SSL] [LZO2] built on Oct 28 2010
Tue Apr 19 08:49:33 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 19 08:49:33 2011 Diffie-Hellman initialized with 1024 bit key
Tue Apr 19 08:49:33 2011 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 19 08:49:33 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Tue Apr 19 08:49:33 2011 TUN/TAP device tun0 opened
Tue Apr 19 08:49:33 2011 TUN/TAP TX queue length set to 100
Tue Apr 19 08:49:33 2011 /sbin/ifconfig tun0 172.17.34.1 pointopoint 172.17.34.2 mtu 1500
Tue Apr 19 08:49:33 2011 /sbin/route add -net 172.17.34.0 netmask 255.255.255.0 gw 172.17.34.2
Tue Apr 19 08:49:33 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Apr 19 08:49:33 2011 UDPv4 link local (bound): [undef]:4500
Tue Apr 19 08:49:33 2011 UDPv4 link remote: [undef]
Tue Apr 19 08:49:33 2011 MULTI: multi_init called, r=256 v=256
Tue Apr 19 08:49:33 2011 IFCONFIG POOL: base=172.17.34.4 size=62
Tue Apr 19 08:49:33 2011 Initialization Sequence Completed
Tue Apr 19 08:49:44 2011 MULTI: multi_create_instance called
Tue Apr 19 08:49:44 2011 xxx.xxx.xxx.xxx:60931 Re-using SSL/TLS context
Tue Apr 19 08:49:44 2011 xxx.xxx.xxx.xxx:60931 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 19 08:49:44 2011 xxx.xxx.xxx.xxx:60931 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Apr 19 08:49:44 2011 xxx.xxx.xxx.xxx:60931 TLS: Initial packet from xxx.xxx.xxx.xxx:60931, sid=25806dbf c740123e
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 VERIFY OK: depth=1, /C=BE/ST=Lg/L=Liege/O=myname.com/CN=egate.myname.com/emailAddress=myname@myname.com
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 VERIFY OK: depth=0, /C=BE/ST=Lg/L=Liege/O=myname.com/CN=client1/emailAddress=myname@myname.com
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 19 08:49:45 2011 xxx.xxx.xxx.xxx:60931 [client1] Peer Connection Initiated with xxx.xxx.xxx.xxx:60931
Tue Apr 19 08:49:45 2011 client1/xxx.xxx.xxx.xxx:60931 MULTI: Learn: 172.17.34.6 -> client1/xxx.xxx.xxx.xxx:60931
Tue Apr 19 08:49:45 2011 client1/xxx.xxx.xxx.xxx:60931 MULTI: primary virtual IP for client1/xxx.xxx.xxx.xxx:60931: 172.17.34.6
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 PUSH: Received control message: 'PUSH_REQUEST'
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 172.17.35.1,dhcp-option WINS 172.17.35.3,dhcp-option DOMAIN lan,route 172.17.34.1,topology net30,ping 10,ping-restart 120,ifconfig 172.17.34.6 172.17.34.5' (status=1)
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet
Tue Apr 19 08:49:47 2011 client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet
...

[janjust]

the message

client1/xxx.xxx.xxx.xxx:60931 Need IPv6 code in mroute_extract_addr_from_packet

is caused by IPv6 traffic entering the tunnel, which OpenVPN does fully support yet; you'd need to upgrade to the upcoming openvpn 2.2 release to enable IPv6 (--tun-ipv6 IIRC).

The message

client1/xxx.xxx.xxx.xxx:60931 Replay-window backtrack occurred [1]

occurs due to a bad connection - if the connection between a client and the vpn server is bad (e.g. bad wireless) then this message can occur; the connection will remain intact, it's just the performance which will degrade.