From School To Home Server (VMs)

[ovpn2ac]

Hello

On my home pc, i have 2 ubuntus running on Vmware workstation both using bridged connection.

On one, i have OpenVpn Access Server running which works great.
I am able to go to my dyndns domain from school and get the client and get connected to my home pc.

The other ubuntu has the community version of openvpn installed and i am trying to get the same results.
I have mysql-server and pam_mysql for authentication. <- did not add it on the newly created VM
I believe my configuration is wrong and needs correcting.
I made sure that the ports were forwarded on my home router

So, i restarted with a new VM and reconfigured everything.

Once connection was established from the school PC, i was able to surf the net.
But i noticed sites were still blocked (not the case when i was using AS).

I did an ipconfig, there was no default gateway assigned to the Windows TAP adapter.
I tried adding push "redirect-gateway def1" to the server config.
After doing that, i was not able to surf the net at all.

New Server Config

Code: Select all

local 192.168.0.192
port 443
proto tcp

dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem

server-bridge 10.10.10.1 255.255.255.0 10.10.10.10 10.10.10.10.10.14

client-to-client
keepalive 10 120

tls-auth ta.key 0

comp-lzo

max-clients 5
user nobody
group nogroup

persist-key
persist-tun

status status/server1.log
log-append /var/log/openvpn/server1.log
verb 5

New Client Config

Code: Select all

pull
client
dev tap
proto tcp
port 443

remote *.dyndns-ip.com

key client1.key
cert client1.crt
ca ca.crt

tls-auth ta.key 1

resolv-retry infinite

nobind

comp-lzo
verb 5

up.sh

Code: Select all

#!/bin/sh
#This is /etc/openvpn/up.sh

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

down.sh

Code: Select all

#!/bin/sh
#This is/etc/openvpn/down.sh


BR=$1
DEV=$2


/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Client Log
http://pastebin.com/q5fsYad6

/Etc/network/interfaces

Code: Select all

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
        address 192.168.0.192
        network 192.168.0.0
        netmask 255.255.255.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 br0
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 br0
root@ubuntu:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1671 packets, 198K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  352 58603 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1651 packets, 277K bytes)
 pkts bytes target     prot opt in     out     source               destination 

[janjust]

if it works with OpenVPN AS then what client config file are you using for that? also, what is the openvpn AS config file? it's more or less the same as a community version config file.

My blind guess is that you need to use

Code: Select all

proto tcp

as running openvpn on udp port 443 is kinda unusual.

[ovpn2ac]

how can i view the config files for the AS, in which directory are they located.
i checked usr/local/openvpn_as, what filename am i looking for
i have 1194 udp/443 tcp forwarded for the AS version and 1194 tcp/443 udp forwarded for the community version

[ovpn2ac]

well.. i tried opening the .opvn client config on the school pc... it says access denied?

[ovpn2ac]

new problem occured when i rebooted ubuntu and restart openvpn

Code: Select all

/etc/init.d/openvpn start
* Starting virtual private network daemon(s)...  *   Autostarting VPN 'openvpn-udp' [fail]                                   

Code: Select all

Mon Jun 20 07:33:20 2011 Initialization Sequence Completed
Mon Jun 20 07:48:08 2011 event_wait : Interrupted system call (code=4)
Mon Jun 20 07:48:08 2011 TCP/UDP: Closing socket
Mon Jun 20 07:48:08 2011 Closing TUN/TAP interface
Mon Jun 20 07:48:08 2011 PLUGIN_CLOSE: ./openvpn-auth-pam.so
Mon Jun 20 07:48:08 2011 SIGTERM[hard,] received, process exiting

[janjust]

you're going to have to post more info (extended log files, latest config files etc); there's no way to determine why openvpn refuses to start based on what you're posting.

[ovpn2ac]

-snip

[janjust]

the warning message

event_wait : Interrupted system call (code=4)

after 4 minutes = 240 seconds = 2 * 120 keepalive timeout suggests the ping-restart (from keepalive) kicked in ; try commenting out the 'keepalive'

#keepalive 10 120

and try again.

as for the reason why you cannot open the .ovpn file - that's a windows / openvpn access server issue .

[ovpn2ac]

commented it out..
the log still shows the same error


by the way... with my setup, will a tun config work?

[ovpn2ac]

Progress!
I'm able to connect to the OpenVpn Server on my home PC from school
But a new problem occurred
Updated the original post with details

[janjust]

by the way... with my setup, will a tun config work?

yes that should work but it's an entirely different setup.

Once connection was established from the school PC, i was able to surf the net.
But i noticed sites were still blocked (not the case when i was using AS).

I did an ipconfig, there was no default gateway assigned to the Windows TAP adapter.
I tried adding push "redirect-gateway def1" to the server config.
After doing that, i was not able to surf the net at all.

what does 'I was able to surf the net' mean? what happens if you go to http://www.whatismyip.com? which IP is shown? If that shows the VPN server address then the VPN is functioning correctly; if some sites are not accessible then that's not OpenVPN's fault.

[ovpn2ac]

it shows
202.1*.9*.***
how can i fix this
the tap adapter shows 10.10.10.10
but no default gateway

[janjust]

try adding

Code: Select all

route-gateway 10.10.10.1
push "redirect-gateway def1"

to the server config, then restart both server and client.

[ovpn2ac]

it didnt work

couldnt ping 10.10.10.1 from client
couldnt ping 10.10.10.10 from server
tried tracert to server, says Unable to resolve target system name
tried adding
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
didnt work either

Current Server Config -> http://pastebin.com/hB9z5aEM

Current Client Config -> http://pastebin.com/i1iP3AJu

Server Log -> http://pastebin.com/CX4PX2yA

Server Status ->http://pastebin.com/b8SJX4gw

Client Log ->http://pastebin.com/w9X20Qyb

/etc/rc.local

Code: Select all

iptables -A INPUT -i tap+ -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.1/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.1/24 -o br0 -j SNAT --to 192.168.0.192

Code: Select all

Fri Jun 24 09:42:09 2011 us=156000 ROUTE default_gateway=192.168.164.254
Fri Jun 24 09:42:15 2011 us=31000 C:\WINDOWS\system32\route.exe ADD *.*.*.* MASK 255.255.255.255 192.168.164.254

Why is it using my school's default gateway

[janjust]

hmmm my bad, that should have been

Code: Select all

push "route-gateway 10.10.10.1"

(i.e. I forgot the push) ;

Fri Jun 24 09:42:09 2011 us=156000 ROUTE default_gateway=192.168.164.254
Fri Jun 24 09:42:15 2011 us=31000 C:\WINDOWS\system32\route.exe ADD *.*.*.* MASK 255.255.255.255 192.168.164.254

Why is it using my school's default gateway

this is the route to the VPN server itself, which much always go via your school's gateway. this is normal.

please change the server config and reconnect.

[ovpn2ac]

didnt work.. couldnt ping..

i tried adding(with double forward slash too) to client config

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

it says couldnt find directory

i was also thinking about adding to client config
route 192.168.0.1(or is it 10.10.10.1) 255.255.255.0 net_gateway
or
route 192.168.0.1(or is it 10.10.10.1) 255.255.255.0 vpn_gateway

[ovpn2ac]

anyone has any ideas?

[ovpn2ac]

i also tried creating the file /etc/openvpn/client-configs/client1

in client1 i have
iroute 192.168.164.0(school's subnet) 255.255.255.0
push "route 10.10.10.1 255.255.255.0 vpn_gateway"
doesnt work too