Can't get OpenVPN started

a2jagger
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 04, 2011 7:09 pm

Can't get OpenVPN started

Post by a2jagger » Thu Aug 04, 2011 7:34 pm

Hi, I am a complete novice with this and have been setting everything up based on information I have found in the "Fedora Bible, 2011 Edition" and from the howto section on openvpn.net. Everything seemed to be tracking with creating certificates and keys, and when I got to the server.conf I left it as it was in the sample file with 2 changes (changed "server1" to "cimsdeu"):
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/cimsdeu.crt
key /etc/openvpn/easy-rsa/2.0/keys/cimsdeu.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Here are the command lines for this portion:
[root@Ismaros sample-config-files]# cp server.conf /etc/openvpn/
[root@Ismaros sample-config-files]# vi /etc/openvpn/server.conf
[root@Ismaros sample-config-files]# service openvpn start
Starting openvpn: [FAILED]
Next I went and made sure that port 1194 was open. I am not sure but I feel like there is something with the IP addresses in the server.conf that is part of the problem (I am just as much of a novice on networking so I may be way off but when I pull up my router settings it gives me 192.168.1.0 which doesn't seem to have much in common with the sample server addresses).

After opening the port I typed "# system-config-firewall" in the terminal and got the following messages:
[root@Ismaros sample-config-files]# system-config-firewall

(system-config-firewall:7211): GVFS-RemoteVolumeMonitor-WARNING **: cannot connect to the session bus: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

(system-config-firewall:7211): GVFS-RemoteVolumeMonitor-WARNING **: cannot connect to the session bus: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

(system-config-firewall:7211): GVFS-RemoteVolumeMonitor-WARNING **: cannot connect to the session bus: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.


Next I ran the server configuration and got the following:
[root@Ismaros sample-config-files]# openvpn server.conf
Thu Aug 4 12:52:36 2011 OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 5 2010
Thu Aug 4 12:52:36 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Aug 4 12:52:36 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Aug 4 12:52:36 2011 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Thu Aug 4 12:52:36 2011 Exiting
[root@Ismaros sample-config-files]#
I have been through the two books I have and the howto pieces on the web and am only just now starting to look through the forums but if anyone has any ideas I would greatly appreciate it. Thanks.
Andy

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't get OpenVPN started

Post by Mimiko » Thu Aug 04, 2011 8:00 pm

Hello.
Cannot open dh1024.pem for DH parameters
The file does not exist or does not have sufficient privileges. Pay attention to the steps when generating security keys, and don't use the sample key file.

a2jagger
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 04, 2011 7:09 pm

Re: Can't get OpenVPN started

Post by a2jagger » Thu Aug 04, 2011 8:28 pm

Thanks, the only sample file that I did not change to any significant degree was the one I had posted. I did generate a new pem file:
[root@Ismaros 2.0]# ./build-ca
Generating a 1024 bit RSA private key
............++++++
....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [SC]:SC
Locality Name (eg, city) [MountPleasant]:MountPleasant
Organization Name (eg, company) [Ulysses-Group]:Ulysses-Group
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Ulysses-Group CA]:cimsdeu
Name []:
Email Address [alewis@theulyssesgroup.com]:alewis@theulyssesgroup.com
[root@Ismaros 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................+..+............................+.........+.................+..........................+..............................................+................+...........................................................................................+..........++*++*++*
After it was complete I ran ls -al to verify that the files had been created and am not sure why it stated that it could not locate it or that the file did not exist in the earlier posted material.
[root@Ismaros var]# cd /etc/openvpn/easy-rsa/2.0/keys
[root@Ismaros keys]# ls -al
total 76
drwx------. 2 root root 4096 Aug 3 23:21 .
drwxr-xr-x. 3 root root 4096 Aug 3 22:42 ..
-rw-r--r--. 1 root root 4039 Aug 3 23:09 01.pem
-rw-r--r--. 1 root root 3945 Aug 3 23:21 02.pem
-rw-r--r--. 1 root root 1318 Aug 3 22:49 ca.crt
-rw-------. 1 root root 916 Aug 3 22:49 ca.key
-rw-r--r--. 1 root root 4039 Aug 3 23:09 cimsdeu.crt
-rw-r--r--. 1 root root 757 Aug 3 23:09 cimsdeu.csr
-rw-------. 1 root root 916 Aug 3 23:09 cimsdeu.key
-rw-r--r--. 1 root root 245 Aug 3 22:50 dh1024.pem
-rw-r--r--. 1 root root 274 Aug 3 23:21 index.txt
-rw-r--r--. 1 root root 21 Aug 3 23:21 index.txt.attr
-rw-r--r--. 1 root root 21 Aug 3 23:09 index.txt.attr.old
-rw-r--r--. 1 root root 134 Aug 3 23:09 index.txt.old
-rw-r--r--. 1 root root 3 Aug 3 23:21 serial
-rw-r--r--. 1 root root 3 Aug 3 23:09 serial.old
-rw-r--r--. 1 root root 3945 Aug 3 23:21 testclient1.crt
-rw-r--r--. 1 root root 773 Aug 3 23:21 testclient1.csr
-rw-------. 1 root root 916 Aug 3 23:21 testclient1.key
[root@Ismaros keys]#

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't get OpenVPN started

Post by Mimiko » Fri Aug 05, 2011 6:02 am

You are trying to run OpenVPN as a daemon already. Look in the init.d/openvpn script for the command-line options given to OpenVPN on starting, like:
--cd dir
Change directory to dir prior to reading any files such as configuration files, key files, scripts, etc. dir should be an absolute path, with a leading "/", and without any references to the current directory such as "." or "..".

This option is useful when you are running OpenVPN in --daemon mode, and you want to consolidate all of your OpenVPN control files in one location.
Maybe because of this parameter, the files are not found.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Can't get OpenVPN started

Post by janjust » Fri Aug 05, 2011 8:50 am

The easy-rsa/2.0/keys directory has restricted access - consider copying the files ca.crt, server.{crt,key} and dh1024.pem to a separate directory.
Is openvpn running as root, or is the option 'user nobody' used?
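
The "Cannot open dh1024.pem" log line names a relative path, and the --cd and restricted-directory replies above both concern where OpenVPN looks for such files and whether it can read them. The script below is an added example, not part of the thread or of OpenVPN: the function name check_ovpn_files, its status words and the sample files are constructed here, and it assumes unquoted paths without spaces.

```shell
#!/bin/sh
# check_ovpn_files CONFIG [BASEDIR]
# Resolves ca/cert/key/dh paths as OpenVPN does: absolute paths as written,
# relative ones against BASEDIR (the --cd directory, else the current one).
# Prints "<STATUS> <directive> <resolved path>" per directive; STATUS is OK,
# MISSING, UNREADABLE (by the invoking user) or LOOSE (private key that is
# accessible to group or others). Returns 0 only if every line is OK.
check_ovpn_files() {
    conf=$1
    base=${2:-$PWD}
    rc=0
    while read -r directive path _rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|dh) ;;
            *) continue ;;
        esac
        case $path in
            /*) full=$path ;;
            *)  full=$base/$path ;;
        esac
        if [ ! -e "$full" ]; then
            status=MISSING
        elif [ ! -r "$full" ]; then
            status=UNREADABLE
        elif [ "$directive" = key ] &&
             [ "$(ls -ldL "$full" | cut -c5-10)" != "------" ]; then
            status=LOOSE
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s %s\n' "$status" "$directive" "$full"
    done < "$conf"
    return "$rc"
}

# Constructed sample: a keys directory and a config that mixes absolute
# paths with the relative "dh dh1024.pem" seen in the error message.
demo=$(mktemp -d)
mkdir "$demo/keys" "$demo/elsewhere"
: > "$demo/keys/ca.crt"; : > "$demo/keys/dh1024.pem"
: > "$demo/keys/server.key"; chmod 644 "$demo/keys/server.key"
printf 'port 1194\nca %s/keys/ca.crt\nkey %s/keys/server.key\ndh dh1024.pem\n' \
    "$demo" "$demo" > "$demo/server.conf"

check_ovpn_files "$demo/server.conf" "$demo/elsewhere" || true  # dh MISSING, key LOOSE
chmod 600 "$demo/keys/server.key"
check_ovpn_files "$demo/server.conf" "$demo/keys" || true       # all OK
```

Run it with the directory the init script passes to --cd as the second argument, and as the user OpenVPN starts as, since the readability test applies to whoever invokes it.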

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Can't get OpenVPN started

Post by maikcat » Fri Aug 05, 2011 9:35 am

Hi there,

I suggest turning off the firewall for testing,
also disable -or- set selinux to permissive mode instead of enforcing,
also copy keys & conf to /etc/openvpn and start openvpn as root.

Michael.

a2jagger
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 04, 2011 7:09 pm

Re: Can't get OpenVPN started

Post by a2jagger » Fri Aug 05, 2011 11:15 am

Thanks very much everyone. I will take these one at a time today and post the results tonight. I appreciate the help.

a2jagger
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 04, 2011 7:09 pm

Re: Can't get OpenVPN started

Post by a2jagger » Sun Aug 07, 2011 9:02 pm

Thanks guys, I was able to get the server configuration file working, but I have yet to be able to connect to any other system. I have a Mac running VMWare with a Fedora 14 server. I also have a Windows XP machine connected to the same router that I cannot ping. I also tried to connect to another Linux VM on the Mac with no luck. This stuff is really daunting and I feel like I am getting more and more lost with every step I take. I have bought several books and read the howtos, but they all seem to talk about troubleshooting from the perspective of "ping the machine, you should see this"; if you don't see that, then what? Anyway, I appreciate some of the earlier suggestions.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Can't get OpenVPN started

Post by Mimiko » Sun Aug 07, 2011 9:17 pm

What did you do to get it working?

Afterwards, try, and if you come across some particular problem, you can ask.
