-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Fri Oct 07, 2011 8:28 am
Hi All.
Before, I had already configured OpenVPN on Debian, and it was OK. Now I am trying to configure OpenVPN on CentOS 5.5 in VMware, but when I connect to the server, the OpenVPN guide hangs.
I've already disabled the firewall (/etc/init.d/iptables stop) and set SELinux = disabled.
server IP: 172.22.0.11
client IP: 172.22.0.15
Server.conf:
dev tun
proto udp
port 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.0.8.0 255.255.255.0
persist-tun
persist-key
verb 3
comp-lzo
client.conf:
dev tun
proto udp
client
remote 172.22.0.11 1194
ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\home.crt"
key "C:\\Program Files\\OpenVPN\\keys\\home.key"
dh "C:\\Program Files\\OpenVPN\\keys\\dh1024.pem"
comp-lzo
verb 3
Server log file:
Fri Oct 7 22:23:44 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Oct 7 2011
Fri Oct 7 22:23:44 2011 WARNING: --keepalive option is missing from server config
Fri Oct 7 22:23:44 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Oct 7 22:23:44 2011 Diffie-Hellman initialized with 1024 bit key
Fri Oct 7 22:23:44 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Oct 7 22:23:44 2011 Socket Buffers: R=[110592->131072] S=[110592->131072]
Fri Oct 7 22:23:44 2011 ROUTE default_gateway=172.22.0.2
Fri Oct 7 22:23:44 2011 TUN/TAP device tun0 opened
Fri Oct 7 22:23:44 2011 TUN/TAP TX queue length set to 100
Fri Oct 7 22:23:44 2011 /sbin/ifconfig tun0 10.0.8.1 pointopoint 10.0.8.2 mtu 1500
Fri Oct 7 22:23:44 2011 /sbin/route add -net 10.0.8.0 netmask 255.255.255.0 gw 10.0.8.2
Fri Oct 7 22:23:44 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 7 22:23:44 2011 UDPv4 link local (bound): [undef]:1194
Fri Oct 7 22:23:44 2011 UDPv4 link remote: [undef]
Fri Oct 7 22:23:44 2011 MULTI: multi_init called, r=256 v=256
Fri Oct 7 22:23:44 2011 IFCONFIG POOL: base=10.0.8.4 size=62
Fri Oct 7 22:23:44 2011 Initialization Sequence Completed
Fri Oct 7 22:24:31 2011 event_wait : Interrupted system call (code=4)
Fri Oct 7 22:24:31 2011 TCP/UDP: Closing socket
Fri Oct 7 22:24:31 2011 /sbin/route del -net 10.0.8.0 netmask 255.255.255.0
Fri Oct 7 22:24:31 2011 Closing TUN/TAP interface
Fri Oct 7 22:24:31 2011 /sbin/ifconfig tun0 0.0.0.0
Fri Oct 7 22:24:31 2011 SIGINT[hard,] received, process exiting
Client log file:
Fri Oct 07 15:11:11 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Fri Oct 07 15:11:11 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Oct 07 15:11:11 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 07 15:11:11 2011 LZO compression initialized
Fri Oct 07 15:11:11 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Oct 07 15:11:11 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 07 15:11:11 2011 Local Options hash (VER=V4): '41690919'
Fri Oct 07 15:11:11 2011 Expected Remote Options hash (VER=V4): '530fdded'
Fri Oct 07 15:11:11 2011 UDPv4 link local (bound): [undef]:1194
Fri Oct 07 15:11:11 2011 UDPv4 link remote: 172.22.0.11:1194
Fri Oct 07 15:12:11 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 07 15:12:11 2011 TLS Error: TLS handshake failed
Fri Oct 07 15:12:11 2011 TCP/UDP: Closing socket
Fri Oct 07 15:12:11 2011 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 07 15:12:11 2011 Restart pause, 2 second(s)
Fri Oct 07 15:12:13 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Oct 07 15:12:13 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 07 15:12:13 2011 LZO compression initialized
Fri Oct 07 15:12:13 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Oct 07 15:12:13 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 07 15:12:13 2011 Local Options hash (VER=V4): '41690919'
Fri Oct 07 15:12:13 2011 Expected Remote Options hash (VER=V4): '530fdded'
Fri Oct 07 15:12:13 2011 UDPv4 link local (bound): [undef]:1194
Fri Oct 07 15:12:13 2011 UDPv4 link remote: 172.22.0.11:1194
Fri Oct 07 15:13:13 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 07 15:13:13 2011 TLS Error: TLS handshake failed
Fri Oct 07 15:13:13 2011 TCP/UDP: Closing socket
Fri Oct 07 15:13:13 2011 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 07 15:13:13 2011 Restart pause, 2 second(s)
Fri Oct 07 15:13:15 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Oct 07 15:13:15 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 07 15:13:15 2011 LZO compression initialized
Fri Oct 07 15:13:15 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Oct 07 15:13:15 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Oct 07 15:13:15 2011 Local Options hash (VER=V4): '41690919'
Fri Oct 07 15:13:15 2011 Expected Remote Options hash (VER=V4): '530fdded'
Fri Oct 07 15:13:15 2011 UDPv4 link local (bound): [undef]:1194
Fri Oct 07 15:13:15 2011 UDPv4 link remote: 172.22.0.11:1194
Fri Oct 07 15:14:15 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 07 15:14:15 2011 TLS Error: TLS handshake failed
Fri Oct 07 15:14:15 2011 TCP/UDP: Closing socket
Last edited by hohoangluan on Fri Oct 07, 2011 12:08 pm, edited 1 time in total.
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post by maikcat » Fri Oct 07, 2011 11:49 am
Your config is missing the ifconfig (or server) directive..
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Fri Oct 07, 2011 12:10 pm
Sorry, I was missing that option. I've already edited it.
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post by Mimiko » Sat Oct 08, 2011 6:36 am
Before, I had already configured OpenVPN on Debian, and it was OK. Now I am trying to configure OpenVPN on CentOS 5.5 in VMware, but when I connect to the server, the OpenVPN guide hangs.
OpenVPN guide is hanging? You write strange things.
On VMware, did you install the OpenVPN server or the client?
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Sat Oct 08, 2011 12:15 pm
Hi there.
On VMware 6.0, I installed the OpenVPN server on a CentOS 5.5 server, and on another virtual machine (with Windows XP installed) I installed the OpenVPN guide.
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post by Mimiko » Sat Oct 08, 2011 12:38 pm
Fri Oct 7 22:23:44 2011 Initialization Sequence Completed
Fri Oct 7 22:24:31 2011 event_wait : Interrupted system call (code=4)
Did you resolve this issue? The OpenVPN server is closed immediately. How can a client connect?
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Wed Oct 12, 2011 1:44 pm
Hi there.
I've already connected to the server.
But I have a question: when using OpenVPN on CentOS, we must disable iptables, right? And if iptables is disabled, how can I NAT LAN to WAN?
Thank you
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post by Mimiko » Wed Oct 12, 2011 1:58 pm
You don't need to disable iptables, just configure it with the right rules. iptables is commonly disabled when there is a need to see if some rule blocks connections.
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Wed Oct 12, 2011 2:51 pm
Hi Mimiko.
When I disabled iptables, I could connect. When I enabled iptables, I could not connect to the VPN server.
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Wed Oct 12, 2011 3:23 pm
And this is the client log when I enabled iptables:
Wed Oct 12 22:15:58 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Wed Oct 12 22:15:58 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Oct 12 22:15:58 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 12 22:15:58 2011 LZO compression initialized
Wed Oct 12 22:15:58 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Oct 12 22:15:58 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 12 22:15:58 2011 Local Options hash (VER=V4): '41690919'
Wed Oct 12 22:15:58 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Oct 12 22:15:58 2011 UDPv4 link local (bound): [undef]:1194
Wed Oct 12 22:15:58 2011 UDPv4 link remote: 172.22.0.11:1194
Wed Oct 12 22:16:58 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 12 22:16:58 2011 TLS Error: TLS handshake failed
Wed Oct 12 22:16:58 2011 TCP/UDP: Closing socket
Wed Oct 12 22:16:58 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed Oct 12 22:16:58 2011 Restart pause, 2 second(s)
Wed Oct 12 22:17:00 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Oct 12 22:17:00 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 12 22:17:00 2011 Re-using SSL/TLS context
Wed Oct 12 22:17:00 2011 LZO compression initialized
Wed Oct 12 22:17:00 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Oct 12 22:17:00 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 12 22:17:00 2011 Local Options hash (VER=V4): '41690919'
Wed Oct 12 22:17:00 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Oct 12 22:17:00 2011 UDPv4 link local (bound): [undef]:1194
Wed Oct 12 22:17:00 2011 UDPv4 link remote: 172.22.0.11:1194
Wed Oct 12 22:18:01 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 12 22:18:01 2011 TLS Error: TLS handshake failed
Wed Oct 12 22:18:01 2011 TCP/UDP: Closing socket
Wed Oct 12 22:18:01 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed Oct 12 22:18:01 2011 Restart pause, 2 second(s)
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post by maikcat » Wed Oct 12, 2011 5:03 pm
Please post the output of
iptables -L -v
iptables -L -v -t nat
Michael.
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Thu Oct 13, 2011 6:33 am
Hi All.
I didn't do anything with iptables. And this is the iptables output:
iptables -L -v:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
567 78656 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 401 packets, 148K bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
11 796 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT esp -- any any anywhere anywhere
0 0 ACCEPT ah -- any any anywhere anywhere
182 34193 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ipp
260 29506 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 104 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
112 14057 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
iptables -L -v -t nat:
Chain PREROUTING (policy ACCEPT 4 packets, 312 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
-
Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Post by Mimiko » Thu Oct 13, 2011 6:45 am
It's obvious that chain RH-Firewall-1-INPUT does not have any rule to allow incoming connections to the OpenVPN port. Add this rule.
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post by maikcat » Thu Oct 13, 2011 10:08 am
You also need to create rules so that traffic to and from the tun interface is allowed...
Michael.
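The rules the two replies above describe (open the OpenVPN port in RH-Firewall-1-INPUT, allow tun traffic, NAT the VPN subnet to the WAN) plus the save step that answers the later question about rules being lost on restart, as an added example script that is not from the thread. It assumes the WAN interface is eth0 and uses the 10.0.8.0/24 subnet from the posted server.conf; the variables are meant to be edited.

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules for an OpenVPN server
# on a CentOS 5 host whose stock RH-Firewall-1-INPUT chain ends in REJECT.
# Assumptions: WAN interface eth0; VPN subnet 10.0.8.0/24 (from server.conf).
VPN_PORT=1194
VPN_PROTO=udp
VPN_NET=10.0.8.0/24
TUN_IF=tun0
WAN_IF=eth0

# Print the iptables commands rather than running them, so they can be
# reviewed first. -I puts each rule ahead of the final REJECT in
# RH-Firewall-1-INPUT (both INPUT and FORWARD jump to that chain).
openvpn_rules() {
    cat <<EOF
iptables -I RH-Firewall-1-INPUT -p $VPN_PROTO --dport $VPN_PORT -m state --state NEW -j ACCEPT
iptables -I RH-Firewall-1-INPUT -i $TUN_IF -j ACCEPT
iptables -I FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -I FORWARD -i $WAN_IF -o $TUN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Number of rules emitted; a sanity check before applying.
rule_count() {
    openvpn_rules | grep -c '^iptables'
}

# Apply the rules, turn on forwarding (needed for LAN-to-WAN NAT) and write
# the ruleset to /etc/sysconfig/iptables so "service iptables restart" keeps
# it. sysctl -w is not persistent by itself; set ip_forward in
# /etc/sysctl.conf as well.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    openvpn_rules | sh -e
    sysctl -w net.ipv4.ip_forward=1
    service iptables save
}

# Only apply when explicitly asked: ./openvpn-fw.sh apply
case "${1:-}" in
    apply) apply_rules ;;
    *) openvpn_rules ;;
esac
```

Run without arguments to review the rules; run with `apply` as root to install and save them.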
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Thu Oct 13, 2011 10:32 am
iptables -L -v:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
143 17369 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 3 packets, 210 bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT esp -- any any anywhere anywhere
0 0 ACCEPT ah -- any any anywhere anywhere
9 999 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ipp
3 381 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
131 15989 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
iptables -L -v -t nat:
Chain PREROUTING (policy ACCEPT 10 packets, 1343 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post by hohoangluan » Fri Oct 14, 2011 6:38 am
Hi all.
I've managed to allow OpenVPN. I know what the problem was: the rules were lost when I restarted the iptables service. Thank you for your support......
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Post by maikcat » Mon Oct 17, 2011 9:20 am
AFAIK, check the /etc/sysconfig/iptables file...
Michael.