Wrong preconfigurated TUN-Device?

Mysterion01 · Post by **Mysterion01** » Wed Aug 24, 2011 1:20 pm

Hi all,

my VPS Provider uses Linux-vServer for virtualization so they had to create a TUN-Device for me that I can use for OpenVPN. But I think there is a bad configuration in the ifconfig and route settings. My Provider said I have to configurate my server.conf like the on in this Tutorial: http://linux-vserver.org/Frequently_Ask ... a_guest.3F

ifconfig says

tun1459-90 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.1.89 P-t-P:10.0.1.90 Mask:255.255.255.255
UP POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1
RX packets:433 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:22806 (22.8 KB) TX bytes:372 (372.0 B)

Okay, thats the preconfigurated Tun-Dev. Now lets take a look at the preconfigurated routes:

10.0.1.90 * 255.255.255.255 UH 0 0 0 tun1459-90
10.0.1.86 * 255.255.255.255 UH 0 0 0 *
10.0.1.88 10.0.1.90 255.255.255.252 UG 0 0 0 tun1459-90
10.0.1.84 * 255.255.255.252 UG 0 0 0 *
[...]

According to the Tutorial, I have to use this Option in my server.conf (right?)

server 10.0.1.88 255.255.255.252

But when I try to start OpenVPN, I'm getting this error message:

Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower
Use --help for more information.

Is it a bad route configuration by my provider?

Post by **Mimiko** » Wed Aug 24, 2011 1:26 pm

Use:

Code: Select all

server 10.0.1.88 255.255.255.248

Mysterion01 · Post by **Mysterion01** » Wed Aug 24, 2011 1:46 pm

Hi,

now it starts. I also can connect from my client to the server, but when I try to ping the servers IP from the client (or vice versa) it says that the destination is unreachable

Post by **Mimiko** » Wed Aug 24, 2011 1:57 pm

Show OpenVPN server's and client's config files. Show routes on both end with VPN connected. Which version of OpenVPN server you are using?

Mysterion01 · Post by **Mysterion01** » Wed Aug 24, 2011 2:16 pm

client.conf:

route-method exe
route-delay 2
client
dev tun
proto udp
remote xxxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3

client routes while connected to vpn-server:

Code: Select all

Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.113     20
        10.0.1.89  255.255.255.255        10.0.1.93        10.0.1.94     31
        10.0.1.92  255.255.255.252   Auf Verbindung         10.0.1.94    286
        10.0.1.94  255.255.255.255   Auf Verbindung         10.0.1.94    286
        10.0.1.95  255.255.255.255   Auf Verbindung         10.0.1.94    286
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
      192.168.2.0    255.255.255.0   Auf Verbindung     192.168.2.113    276
    192.168.2.113  255.255.255.255   Auf Verbindung     192.168.2.113    276
    192.168.2.255  255.255.255.255   Auf Verbindung     192.168.2.113    276
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.2.113    276
        224.0.0.0        240.0.0.0   Auf Verbindung         10.0.1.94    286
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.2.113    276
  255.255.255.255  255.255.255.255   Auf Verbindung         10.0.1.94    286

server.conf (Server Version OpenVPN 2.1):

ifconfig-noexec
;push "redirect-gateway"
;push "dhcp-option DNS 10.0.1.1"
port 1194
proto udp
dev tun1459-90
ca ca.crt
cert server.crt
key secret.file # This file should be kept secret
dh dh1024.pem
server 10.0.1.88 255.255.255.248
keepalive 10 60
comp-lzo
persist-key
;persist-tun
status openvpn-status.log
verb 4

server routes while a client is connected:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.90       *               255.255.255.255 UH    0      0        0 tun1459-90
10.0.1.86       *               255.255.255.255 UH    0      0        0 *
10.0.1.88       10.0.1.90       255.255.255.252 UG    0      0        0 tun1459-90
10.0.1.84       *               255.255.255.252 UG    0      0        0 *
195.x.x.x     *               255.255.255.0   U     0      0        0 eth0
91.x.x.x    *               255.255.255.0   U     0      0        0 eth0
default         xx.xxxx.nl.alvo 0.0.0.0         UG    0      0        0 eth0

Post by **Mimiko** » Thu Aug 25, 2011 5:32 am

Oh, I see. The mask confugured on tun device is 252. Then in your server config must be:

Code: Select all

topology subnet
server 10.0.1.88 255.255.255.252

Also read this thread: topic8538.html, especialy page 4 for external links.

Post by **janjust** » Thu Aug 25, 2011 7:45 am

almost correct, mimiko

the server is configured using

server 10.0.1.88 255.255.255.248

when subnetting rules for 255.255.255.248 are applied this boils down to a subnet which

* starts at 10.0.1.80
*ends at 10.0.1.96
* provides 14 address

the server is configured at a boundary address - I'd suggest to change the server line to

Code: Select all

server 10.0.1.80 255.255.255.248

as I am getting the impression that OpenVPN did something funny to the network masks . There should have been a server rout

Code: Select all

10.0.1.88       10.0.1.90       255.255.255.248 UG    0      0        0 tun1459-90

(note the .248!)

Post by **Mimiko** » Thu Aug 25, 2011 7:52 am

Thanks junjust. I also thought about using 248 mask correctly, but as I understood - the IP and mask 252 of TUN adapter was set by admins prior, so it can't be changed by user.

Mysterion01 · Post by **Mysterion01** » Thu Aug 25, 2011 6:13 pm

It works now!

This is my server.conf

ifconfig-noexec
push "redirect-gateway"
;push "dhcp-option DNS 10.0.1.1"
port 1194
proto udp
dev tun1459-90
ca /etc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/examples/easy-rsa/2.0/keys/server.key # This file should be kept secret
dh /etc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
topology subnet
server 10.0.1.88 255.255.255.248
keepalive 10 60
comp-lzo
persist-key
;persist-tun
status openvpn-status.log
verb 4

Thanks for your help!

OpenVPN Support Forum

Wrong preconfigurated TUN-Device?

Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?

Re: Wrong preconfigurated TUN-Device?