Configuration of Linux client.


Post by arne22 » Sun Mar 18, 2012 11:17 pm

I have installed an OpenVPN server on a CentOS 5 server using a script.
It all went quite automatically, and when logging on using a Windows client everything
works quite well. The Windows client is set up from the downloadable client from
this web site, and the only thing I had to do was to copy over certificates/config files.

For Windows clients this has worked quite well.

I then decided that I also want to have my Linux Mint client logged on to the OpenVPN
server, but this did not work. I used the client example file from this web site on the Linux
client. http://openvpn.net/index.php/open-sourc ... l#examples

Here is the config file from my server:

local 11.11.11.11
port 443
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 0
tun-mtu 1500

Could this config file work for a Linux client as well or is it "something special" that
makes it applicable for Windows clients only?

By the way, what does this mean: push "redirect-gateway def1"
(It looks like the Linux client does not accept it??)

One of my main ideas was to try to learn a little bit about OpenVPN so I would be
thankful if someone left a few words.

When the Linux client logs on, it looks like the certificates etc. are accepted,
but then when the client tries to set up routes and DNS (?) something goes wrong.


Re: Configuration of Linux client.

Post by janjust » Mon Mar 19, 2012 7:07 am

> Could this config file work for a Linux client as well or is it "something special" that
> makes it applicable for Windows clients only?

That's a server config and any client can work with it; for an initial setup I would recommend not to use
ifconfig-pool-persist
verb 0
Simply use 'verb 3' instead.

> By the way, what does this mean: push "redirect-gateway def1"
> (It looks like the Linux client does not accept it??)

Use 'verb 3' in the client config and show the connection log when the client is connecting. The Linux client will accept 'redirect-gateway' but it might ignore the lines
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


Re: Configuration of Linux client.

Post by arne22 » Mon Mar 19, 2012 2:26 pm

Thanks for your reply, Mr Jan Just!

I had this on my first line of the client configuration file:

push "redirect-gateway def1"

I guess this does not make sense at all, neither for Linux nor for Windows clients.
So I took it away and then it logged on.

Then it also appeared to be the case (I'm rather new to this, so I did not know that) that
the resolv.conf file had to be edited, as the "push/pull" for the Linux client will not
configure the DNS resolving function.

One thing I wondered about was: My client does not have a "pull", how can that be?
I now understand that the "client" statement maintains the same function.

I still do not understand if the "redirect-gateway def1" statement is "translated"
to route information/configuration at the server or at the client. (I guess that
"def 1" refers to an "internal part" of the OpenVPN server or client and that this is
not a reference to a configuration file?)

And then one major thing I have been thinking about.

When testing with a Socks5 client against a Socks server, I noticed that "the tunnel"
was "leaking" DNS information in clear text parallel to the encrypted tunnel.

I wondered if this was the case for OpenVPN as well, so I tested with TCPView on the
Windows client and with iptraf on the Linux client. It looks like there is no leakage
of DNS data parallel to or outside the encrypted tunnel for OpenVPN. I guess this
is right?

If this is right and if you should use the DNS server of your ISP, the DNS requests
will not go directly from your PC to the DNS server, but rather through the encrypted
OpenVPN tunnel and "back" to your ISP's "local" DNS server. Is this right?

If this is right it might then be a good idea to run a DNS proxy server at the
OpenVPN termination server, so that the DNS resolution via the OpenVPN server
can go faster. (As it also has its own DNS server.) Is this right?

By the way I am impressed by how well OpenVPN works, and the performance
even though I use it in "TCP mode". (Due to some difficult outgoing firewalls.)

Best reg Arne


Re: Configuration of Linux client.

Post by janjust » Mon Mar 19, 2012 4:08 pm

> Then it also appeared to be the case (I'm rather new to this, so I did not know that) that
> the resolv.conf file had to be edited, as the "push/pull" for the Linux client will not
> configure the DNS resolving function.

There's also a plugin for OpenVPN to do just that - it depends a bit on your Linux distro but the general name is 'update-resolv-conf'.

> One thing I wondered about was: My client does not have a "pull", how can that be?
> I now understand that the "client" statement maintains the same function.

Yep, this is explained somewhere in the lengthy man page.

> I still do not understand if the "redirect-gateway def1" statement is "translated"
> to route information/configuration at the server or at the client. (I guess that
> "def 1" refers to an "internal part" of the OpenVPN server or client and that this is
> not a reference to a configuration file?)

'redirect-gateway def1' is handled by the client; the 'def1' part means that two new /1 routes are added to overrule the existing default gateway; without the 'def1' the original default GW route is deleted first, with /1 it is not. Again, this is explained in the man page.

> When testing with a Socks5 client against a Socks server, I noticed that "the tunnel"
> was "leaking" DNS information in clear text parallel to the encrypted tunnel.

If your apps can handle socks5 then they can also handle 'resolve dns remotely'; this works for (at least) PuTTY, Thunderbird, Firefox, SeaMonkey and a few others. I use this trick quite a lot.

> If this is right and if you should use the DNS server of your ISP, the DNS requests
> will not go directly from your PC to the DNS server, but rather through the encrypted
> OpenVPN tunnel and "back" to your ISP's "local" DNS server. Is this right?

Yep; alternatively you can use one of Google's DNS servers (4.4.4.4 or 8.8.8.8)
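
Added example, not part of the thread and not OpenVPN's own code: a small simulation of the routing table that 'redirect-gateway' leaves on the client, with and without 'def1', and a check of which resolv.conf nameservers would be reached outside the tunnel. The LAN addresses, the VPN peer 10.9.0.5 and the device names eth0/tun0 are constructed assumptions; 11.11.11.11 and 208.67.222.222 come from the posted server config.

```python
import ipaddress

# Constructed sample values: LAN 192.168.1.0/24 with gateway 192.168.1.1 on eth0,
# VPN peer 10.9.0.5 on tun0. 11.11.11.11 is the server address from the posted config.
LAN_NET, LAN_GW, VPN_GW, SERVER = "192.168.1.0/24", "192.168.1.1", "10.9.0.5", "11.11.11.11"

def build_routes(def1=True):
    """Client routing table after redirect-gateway has been applied."""
    routes = [
        (LAN_NET, None, "eth0"),           # directly connected LAN
        (SERVER + "/32", LAN_GW, "eth0"),  # host route: the tunnel's own packets stay outside it
    ]
    if def1:
        routes += [
            ("0.0.0.0/0", LAN_GW, "eth0"),    # original default route is left in place
            ("0.0.0.0/1", VPN_GW, "tun0"),    # the two /1 routes together cover all of IPv4
            ("128.0.0.0/1", VPN_GW, "tun0"),  # and are more specific than the /0
        ]
    else:
        routes += [("0.0.0.0/0", VPN_GW, "tun0")]  # original default deleted and replaced
    return [(ipaddress.ip_network(net), gw, dev) for net, gw, dev in routes]

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)

def dns_outside_tunnel(routes, resolv_conf):
    """Return the nameservers in resolv.conf text whose queries do not leave via tun0."""
    servers = [p[1] for p in (line.split() for line in resolv_conf.splitlines())
               if len(p) >= 2 and p[0] == "nameserver"]
    return [s for s in servers if lookup(routes, s)[2] != "tun0"]

# Constructed resolv.conf: one LAN resolver plus one of the resolvers the server pushes.
RESOLV = "nameserver 192.168.1.1\nnameserver 208.67.222.222\n"

if __name__ == "__main__":
    table = build_routes(def1=True)
    for dst in ("8.8.8.8", "208.67.222.222", SERVER, "192.168.1.1"):
        net, gw, dev = lookup(table, dst)
        print(f"{dst:>15} -> {str(net):<16} dev {dev}")
    print("DNS outside tunnel:", dns_outside_tunnel(table, RESOLV))
```

A resolver on the directly connected LAN matches the more specific LAN route and is therefore queried outside the tunnel; on a live client, `ip route get <nameserver>` shows the same decision for the real table.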


Re: Configuration of Linux client.

Post by arne22 » Thu Mar 22, 2012 2:05 pm

Thanks a lot. It all works OK now.

I'm really impressed by how OpenVPN works. In many ways it works like a reinvention of the Internet.

It couldn't be better.
