OpenVPN Client not working after installing - Help

[urs]

I think I have the same problem phall has. My client-version is:
OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
There ist no firewall installed.

Error-messages are:

Code: Select all

Wed May 18 16:22:01 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.1.3)
Wed May 18 16:22:01 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.1.3)
Wed May 18 16:22:01 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.1.3)
Wed May 18 16:22:01 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:15: register-dns (2.1.3)

Regards,
Urs

[janjust]

actually , those warnings are due to the fact that they're only useful on Windows clients; on Linux clients this warning message is printed and the options are ignored.

For your case, urs, first try to get IP routing working (can you ping the VPN server) , then go for DNS lookups.

[urs]

In my case the server-ping works. But a ping on 8.8.8.8 still doesn't.

[janjust]

and if you use a windows client a 'ping 8.8.8.8' does work? do you have some sort of masquerading/NATting on the VPN server?

[urs]

I didn't change the server-configuration. It is:

VPN-Topology: Layer 3 (routing/NAT)
Routing: Yes, using NAT
Should client Internet traffic be routed through the VPN?: YES
Should clients be allowed to access network services on the VPN gateway IP address?: YES
DNS-Setting: Have clients use the same DNS servers as the Access Server host

Thanks,
Urs

[phall472]

Hello Janjust

I tried adding:
nameserver 208.98.0.8
nameserver 208.98.0.7

to /etc/resolv.conf using vi editor and saving the file :wq

Then I activated OpenVPN: openvpn --config client.ovpn

Then I opened FireFox and tried to go to http://www.google.com

All it did was attempt to connect and in the status bar it said "Looking for google.com" .

I waited 5 minutes. Finally I closed the browser and deactivated OpenVPN and again tried browsing http://www.google.com and it responded immediately with the website.

Here is the resolv.conf:

; generated by /sbin/dhclient-script
search cgocable.net
nameserver 24.226.1.93
nameserver 24.226.10.193
nameserver 24.226.10.194
nameserver 24.226.1.94
nameserver 208.98.0.8
nameserver 208.98.0.7

I hope this helps

Thank you

[janjust]

phall472: looks like something is still wrong with your DNS setup; after connecting the client, do the following:

Code: Select all

traceroute -n 8.8.8.8
nslookup www.google.com 8.8.8.8
nslookup www.google.com 208.98.0.8

and post the output here.

[phall472]

Hi Janjust

For your info I'm located in the ET time zone of North America and therefore I'm about 6 hours behind you. Right now it is just after 9:00 AM.

Here is the output from those commands:

[root@????????????????????]# traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 40 byte packets
1 5.5.12.1 28.190 ms 28.395 ms 28.535 ms
2 70.39.84.129 28.569 ms 28.783 ms 29.002 ms
3 10.0.0.5 28.474 ms 28.608 ms 28.752 ms
4 77.67.77.161 28.701 ms 50.172 ms 50.188 ms
5 89.149.185.38 56.631 ms 56.650 ms 213.200.81.121 68.767 ms
6 72.14.219.89 61.008 ms 52.641 ms 52.490 ms
7 216.239.46.250 66.195 ms 216.239.46.248 53.417 ms 216.239.46.250 77.015 ms
8 64.233.175.219 66.126 ms 61.792 ms 64.233.175.111 58.433 ms
9 216.239.49.145 69.446 ms 72.14.232.25 73.760 ms 70.437 ms
10 8.8.8.8 68.032 ms 70.766 ms 65.445 ms
[root@????????????????????]#
[root@????????????????????]# nslookup www.google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.95.105
Name: www.l.google.com
Address: 74.125.95.106
Name: www.l.google.com
Address: 74.125.95.99
Name: www.l.google.com
Address: 74.125.95.147
Name: www.l.google.com
Address: 74.125.95.103
Name: www.l.google.com
Address: 74.125.95.104

[root@????????????????????]#
[root@????????????????????]# nslookup www.google.com 208.98.0.8
Server: 208.98.0.8
Address: 208.98.0.8#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.225.84
Name: www.l.google.com
Address: 74.125.225.80
Name: www.l.google.com
Address: 74.125.225.81
Name: www.l.google.com
Address: 74.125.225.82
Name: www.l.google.com
Address: 74.125.225.83

[root@????????????????????]#

Thank you

[janjust]

OK, the output shows your DNS is working

Replace your /etc/resolv.conf file with

Code: Select all

nameserver 208.98.0.8
nameserver 208.98.0.7

then try to connect again.

[phall472]

Hi Janjust

I did the following:

(1) I edited resolv..conf with only

; generated by /sbin/dhclient-script
nameserver 208.98.0.8
nameserver 208.98.0.7

(2) I tried to connect to openvpn --config client.ovpn and typed my user name and password.

(3) It failed to connect:
[root@????????????????????]# vi /etc/resolv.conf
[root@????????????????????]# openvpn --config client.ovpn
Thu May 19 05:58:05 2011 OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Apr 24 2011
Enter Auth Username:phall212
Enter Auth Password:
Thu May 19 05:58:24 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 19 05:58:24 2011 Control Channel Authentication: tls-auth using INLINE static key file
Thu May 19 05:58:24 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 19 05:58:24 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 19 05:58:24 2011 LZO compression initialized
Thu May 19 05:58:24 2011 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu May 19 05:58:24 2011 Socket Buffers: R=[129024->200000] S=[129024->200000]
Thu May 19 05:58:50 2011 RESOLVE: Cannot resolve host address: vpn4.?????????: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Thu May 19 05:58:50 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu May 19 05:58:50 2011 Local Options hash (VER=V4): '504e774e'
Thu May 19 05:58:50 2011 Expected Remote Options hash (VER=V4): '14168603'
Thu May 19 05:59:45 2011 RESOLVE: Cannot resolve host address: vpn4.??????????: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Thu May 19 05:59:45 2011 TCP/UDP: Closing socket
Thu May 19 05:59:45 2011 SIGUSR1[soft,init_instance] received, process restarting
Thu May 19 05:59:45 2011 Restart pause, 1 second(s)
Thu May 19 05:59:46 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 19 05:59:46 2011 Control Channel Authentication: tls-auth using INLINE static key file
Thu May 19 05:59:46 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 19 05:59:46 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 19 05:59:46 2011 LZO compression initialized
Thu May 19 05:59:46 2011 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu May 19 05:59:46 2011 Socket Buffers: R=[87380->200000] S=[16384->200000]
Thu May 19 06:00:26 2011 RESOLVE: Cannot resolve host address: vpn4.?????????: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Thu May 19 06:00:26 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu May 19 06:00:26 2011 Local Options hash (VER=V4): 'ee93268d'
Thu May 19 06:00:26 2011 Expected Remote Options hash (VER=V4): 'bd577cd1'
Thu May 19 06:01:06 2011 RESOLVE: signal received during DNS resolution attempt
Thu May 19 06:01:06 2011 TCP/UDP: Closing socket
Thu May 19 06:01:06 2011 SIGINT[hard,init_instance] received, process exiting
[root@???????????????????]#

(4) I final Ctrl-C and had to re-edit resolv.conf to connect to any web site when I was NOT using OpenVPN

resolve.conf
; generated by /sbin/dhclient-script
search cogocable.net
nameserver 24.226.1.93
nameserver 24.226.10.193
nameserver 24.226.10.194
nameserver 24.226.1.94
nameserver 208.98.0.8
nameserver 208.98.0.7


Hope this helps

Thank you

[phall472]

Hello Janjust

I have to go out for 2 hours.

I will check when I get back.

Thank you

[urs]

Hi Jan,
ping 8.8.8.8 with openVPN on Windows works fine.

What do you think about the posted server-configuration?
But is it really possible that the problem is on the server,
when the Windows connection works fine?

Regards,
Urs

[urs]

Hi Jan, hi phall,
I found out what the problem was in my case.

In Ubuntu you can select the network you want to use in the right upper korner.
In my case I can select Auto-Ethernet or Auto eth0 when I'm connected to the
VPN-server. When I select Auto eth0 everything works. I hope this is the same
problem you have phall.

Best regards,
Urs

[urs]

Hi,
one more thing. Make a deep refresh (Ctrl + F5) in the Browser
after connecting to the VPN.

Regards,
Urs

[janjust]

@phall472 : oh I see where you went wrong :

1) use the "default" resolv.conf
2) connect the openvpn client
3) *NOW* modify the resolv.conf file to the nameservers I mentioned (remember, this is for testing purposes only!)
4) try to connect to http://www.whatismyip.com

[phall472]

Hello Janjust

It works. I'm using OpenVPN right now.

What Is My IP Address - WhatIsMyIP.com
Your IP Address Is: 204.188.231.130

Now how would I automate that. Or would it have to be a manual copy which would not be too bad for what I need it for.

Any suggestions.

Also do you have any idea why it is this way?

Thank you

[janjust]

excellent, now all that is left is to automate this

the reason why it works on Windows is that the openvpn client receives the new DNS server settings from the openvpn server *after* it connects; the openvpn client then pushes out the new DNS server setting to the tap-win32 adapter using DHCP.
On Linux the tap/tun device is not configured using DHCP , hence you need some other mechanism of updating the /etc/resolv.conf file *after* the VPN is established.
The Gnome NetworkManager-openvpn plugin can do this for you, if you're using a version that is new enough; my laptop uses NetworkManager-openvpn 0.8, but on CentOS 5 you're stuck with 0.7 ; AFAIK 0.7 can also be configured to reroute all traffic via the VPN and to pick up the DNS settings, but I cannot make screenshots of how to do it.

Your first step is to install NetworkManager-openvpn

Code: Select all

yum install NetworkManager-openvpn

then (right-)click on the NetworkManager icon in the task bar and select 'Edit Connections'. A window will appear, choose the tab 'VPN' and click 'New' or 'Add' (I forget which). You can then create a new VPN connection of type 'OpenVPN' and you can will in all the details. Do *NOT* choose 'Import' as you cannot import an .ovpn file into this version of NetworkManager.
What did your client .ovpn file look like? didn't you have the certificate and key inline? you will need to extract the certificates and keys for the NetworkManager plugin.