OpenVPN connects BUT ...

junaidnaseer
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 08, 2011 10:36 am

OpenVPN connects BUT ...

Post by junaidnaseer » Mon Aug 08, 2011 11:03 am

Hi all,

I am not sure if this is the right place to ask this question or not. Anyways, here goes.

I have a dual boot system with Windows XP SP3 and a SuSE Linux Enterprise 11 SP1. I have OpenVPN (version 2 and above, that comes by default in the official repos or the latest exe package for windows) installed on both, to access the Wifi all over the campus.

The following is the configuration file, provided by the Computer Center here at the university.
client
dev tun
proto udp
remote rzvpn3.vpn.uni-kiel.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-remote rzvpn3.vpn.uni-kiel.de
<ca>
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
</ca>
auth-user-pass
comp-lzo
verb 3



The OpenVPN works fine on Windows, with this conf file. No problems.

But on the Linux side, at first I couldn't even get it to connect (my mistake ! but in my defense even the computer center guys didn't have an idea, about what was wrong).
I had to modify the file slightly, to get it to connect at least, as shown below.

client
dev tun
proto udp
remote rzvpn3.vpn.uni-kiel.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-remote rzvpn3.vpn.uni-kiel.de
ca /etc/openvpn/rootca.pem
auth-user-pass
comp-lzo
verb 3




where rootca.pem is given below:

-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----



Now, I can get the openvpn to connect, either through the terminal or through the NetworkManager program in SLED 11 SP1.

When, I connect through the terminal, the openvpn asks for my username and password at the prompt and then does nothing, just shows a busy prompt (I'm assuming, that terminal gets busy with running the openvpn and stays there).

If I connect through the NetworkManager icon down in the taskbar, the icon on the WiFi connection changes to show that a "lock" is there now, over the WiFi. (I'm assuming, the secure openvpn connection is successfully made over the unsecure wifi)

BUT, no, I still get no network access. The firefox, evolution, anything else doesn't work. :?

I would post the log file here also, but I get a warning at the terminal that log file cannot be accessed (permission denied) or something. (sorry ! a rather newbie at linux !) :oops:

I am a student here at the university, so I have only access on the user side (client). Therefore, I can't post the server conf files, I guess. (I am not sure, if there is some smart method to remotely get the server configurations !)

Sorry for making it soooo long. Just trying to give out as much info as possible. :roll:

junaidnaseer
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 08, 2011 10:36 am

Re: OpenVPN connects BUT ...

Post by junaidnaseer » Mon Aug 08, 2011 11:17 am

Oh, and just one more thing in that 2nd configuration file I posted. I also had to change the device from tun to tap, in the first 3 lines of the 2nd conf file ...

That is, instead of "dev tun" I now have "dev tap". Sorry, I sort of overlooked that.

Thanks in anticipation ...

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: OpenVPN connects BUT ...

Post by Mimiko » Mon Aug 08, 2011 12:50 pm

Hello.

You definitely must try to resolve the problem with the campus administrators.

First, from terminal, start the openvpn with sudo privileges. And yes, after connection, the terminal will be blocked until Ctrl-C is pressed to send stop command. But you can start another terminal to verify connection: Alt-F2.
Logs are very important here.

Do not change dev tun to dev tap if the administrators do not say this. "dev" must be same on client and server.

After connection show routing table you have and iptables to see if traffic is permitted.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN connects BUT ...

Post by janjust » Mon Aug 08, 2011 3:16 pm

"When, I connect through the terminal, the openvpn asks for my username and password at the prompt and then does nothing, just shows a busy prompt (I'm assuming, that terminal gets busy with running the openvpn and stays there)."

this is normal behaviour.

open a second terminal window and run


ip addr show
ip route show
this should show you the assigned IP addresses and the routing table - what happens if you ping the VPN server IP? what happens if you ping 8.8.8.8 ?

As Mimiko said, do NOT change 'dev tun' to 'dev tap' .

junaidnaseer
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 08, 2011 10:36 am

Re: OpenVPN connects BUT ...

Post by junaidnaseer » Tue Aug 09, 2011 10:21 am

OK ... I reverted back to the dev tun, as it was mentioned in the original configuration file. Don't know why I changed that in the first place!

Here is the output of the two commands you told me to check:

###################################################################
junaid@tf-junaid:~> ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:26:82:d1:e8:02 brd ff:ff:ff:ff:ff:ff
inet 172.16.22.224/16 brd 172.16.255.255 scope global eth1
inet6 fe80::226:82ff:fed1:e802/64 scope link
valid_lft forever preferred_lft forever
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether d8:d3:85:36:6a:98 brd ff:ff:ff:ff:ff:ff

4: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether b6:72:dd:2d:a3:5e brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 134.245.16.124 peer 255.255.255.0/32 scope global tun0
###################################################################
junaid@tf-junaid:~> ip route show
255.255.255.0 dev tun0 proto kernel scope link src 134.245.16.124
172.16.0.0/16 dev eth1 proto kernel scope link src 172.16.22.224 metric 2
127.0.0.0/8 dev lo scope link
default via 172.16.21.250 dev eth1 proto static

junaid@tf-junaid:~>
###################################################################

And, also I found out how to get the log file. But should I post it here ! It's a big file ? hmmm ! I posted it in pastebin with the title "junaid openvpn connected on suse linux11 sp1 but no internet"

Here is the link:

junaidnaseer
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 08, 2011 10:36 am

Re: OpenVPN connects BUT ...

Post by junaidnaseer » Tue Aug 09, 2011 11:00 am

oh ... and ping 8.8.8.8 gives "destination unreachable" ...

cheers ...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN connects BUT ...

Post by janjust » Tue Aug 09, 2011 2:17 pm

your openvpn client is too old for the server:
Tue Aug 9 11:30:07 2011 us=600567 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: topology (2.0.9)
this means the openvpn client received an option (topology subnet) it did not understand

Also, I noticed you're receiving a public IP via the tunnel - that's possible, but it sure is not common.
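
The check below is an added example, not part of the posts in this thread: it scans an OpenVPN client log and `ip addr show` output for the two symptoms visible here, a pushed option the client rejected and a tun peer address that is really a netmask. The sample inputs are constructed from the lines quoted above, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample input, modelled on the lines quoted in this thread.
SAMPLE_LOG = (
    "Tue Aug 9 11:30:07 2011 us=600567 Options error: Unrecognized option or "
    "missing parameter(s) in [PUSH-OPTIONS]:6: topology (2.0.9)\n"
)
SAMPLE_IP_ADDR = (
    "6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN\n"
    "    inet 134.245.16.124 peer 255.255.255.0/32 scope global tun0\n"
)

PUSH_ERR = re.compile(
    r"Unrecognized option or missing parameter\(s\) in "
    r"\[PUSH-OPTIONS\]:\d+: (\S+) \(([\d.]+)\)"
)
PEER = re.compile(r"inet ([\d.]+) peer ([\d.]+)/\d+ .*\b(tun\d+)")


def rejected_push_options(log_text):
    """(option, version-in-log) pairs for pushed options the client refused."""
    return PUSH_ERR.findall(log_text)


def is_netmask(addr):
    """True if addr is a contiguous IPv4 netmask such as 255.255.255.0."""
    try:
        n = int(ipaddress.IPv4Address(addr))
    except ValueError:
        return False
    inv = ~n & 0xFFFFFFFF  # host bits of the candidate mask
    return n != 0 and (inv & (inv + 1)) == 0  # host bits form one low run


def diagnose(log_text, ip_addr_text):
    """Collect findings that point to a client/server topology mismatch."""
    findings = []
    for opt, ver in rejected_push_options(log_text):
        findings.append(f"client {ver} rejected pushed option '{opt}'")
    for local, peer, dev in PEER.findall(ip_addr_text):
        if is_netmask(peer):
            findings.append(f"{dev}: peer {peer} is a netmask, not a host; "
                            f"{local} was set up point-to-point")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_IP_ADDR):
        print(line)
```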

junaidnaseer
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 08, 2011 10:36 am

Re: OpenVPN connects BUT ...

Post by junaidnaseer » Tue Aug 09, 2011 3:04 pm

dang !

now I have to wait till novell decides to update their openvpn package in sled 11 sp1 ... :(

thanks a lot you guys, janjust and others ... :P
much appreciated ...
