WARNING: Failed running command (--up/--down): external prog

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

dsoft
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 20, 2011 10:25 am

WARNING: Failed running command (--up/--down): external prog

Post by dsoft » Tue Dec 20, 2011 10:58 am

Hello,
after reading several similar discussions, I realized my problem is somewhat different, so I am writing this new post.

My config file for kvpnc on the Ubuntu client is:

# Define the role this side takes
tls-client
pull
# Device type: tun or tap
dev tap
# Protocol: udp or tcp
proto udp
# IP/hostname and port of the server
remote 80.*.*.* 1194
# Keep retrying to resolve the server's hostname (for machines not permanently connected to the Internet)
resolv-retry infinite
# Do not bind to a fixed local port
nobind
# Keep the connection persistent across restarts
persist-key
persist-tun
# Certificates and key to use
ca /home/lrohr/Desktop/vpn/ca.crt
cert /home/lrohr/Desktop/vpn/client.crt
key /home/lrohr/Desktop/vpn/client.key
# Encryption
cipher AES-256-CBC
# Compression
comp-lzo
# Authentication method (HMAC digest)
auth SHA1
# Verbosity of the tunnel log
verb 3
# Silence repeating messages
mute 20

On the Ubuntu server side (a different PC, of course) the config file looks like this (comments removed for readability):

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key  # This file should be kept secret
dh ./easy-rsa2/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.10.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
;log-append  openvpn.log
verb 5
;mute 20

I can start the server, but when I try to connect with kvpnc I always get a

debug: Wallet disabled or not available, reading passwords from config file.
debug: openvpn: /usr/sbin/openvpn
debug: Support for TUN/TAP found (compiled into kernel or kernel module already loaded).
debug: No default interface found, using "lo".
debug: No IP for default interface found, using "127.0.0.1".
info: Trying to connect to server "80.*.*.*" with ... 
debug: Setting DNS_UPDATE "NO".
debug: Starting Openvpn management handler...
debug: [openvpn] Tue Dec 20 11:51:20 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
debug: [openvpn] Tue Dec 20 11:51:20 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
debug: [openvpn] 
debug: [openvpn] Tue Dec 20 11:51:24 2011 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.
error: OpenvpnManagementHandler: The remote host closed the connection
debug: [openvpn] Tue Dec 20 11:51:24 2011 WARNING: Failed running command (--up/--down): external program fork failed
debug: [openvpn] 

So I tried writing "--script-security 3 system" into the server.conf, but then the server doesn't restart.
Maybe I just didn't get right where to put the "--script-security 3 system" option, but I also couldn't find out by reading other posts in this forum or elsewhere.

So I hope you can help me find the error I made.

Thanks so far

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: WARNING: Failed running command (--up/--down): external

Post by janjust » Tue Dec 20, 2011 11:07 am

Looks like the kvpnc *client* wants to start a program, so you'll need to add the line

script-security 3 system
to the client configuration.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: WARNING: Failed running command (--up/--down): external

Post by maikcat » Tue Dec 20, 2011 12:29 pm

Also, there are inconsistencies in your configs; check them out.

The server has tun, the client has tap...

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

dsoft
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 20, 2011 10:25 am

Re: WARNING: Failed running command (--up/--down): external

Post by dsoft » Wed Dec 21, 2011 10:13 am

Ok, thank you both for your help. It seems like the problem is getting better but is still not gone =)

I fixed my configs, so both now use tun and both use the same cipher.

To the client.ovpn I added

--script-security 3 system

I still get the warning; I also tried it without the "--", with the same result.
Anyhow, I checked the openvpn.log file and found this:

Wed Dec 21 11:20:27 2011 us=79446 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 21 11:20:27 2011 us=363672 109.*.*.*:55589 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Dec 21 11:20:27 2011 us=363689 109.*.*.*:55589 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 21 11:20:27 2011 us=363701 109.*.*.*:55589 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Dec 21 11:20:27 2011 us=363713 109.*.*.*:55589 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 21 11:20:27 2011 us=448365 109.*.*.*:55589 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 21 11:20:27 2011 us=448390 109.*.*.*:55589 [client] Peer Connection Initiated with 109.*.*.*:55589
Wed Dec 21 11:20:27 2011 us=448558 MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Dec 21 11:20:27 2011 us=448601 MULTI: Learn: 10.8.0.6 -> client/109.*.*.*:55589
Wed Dec 21 11:20:27 2011 us=448626 MULTI: primary virtual IP for client/109.*.*.*:55589: 10.8.0.6
Wed Dec 21 11:20:28 2011 us=989358 client/109.*.*.*:55589 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 21 11:20:28 2011 us=989456 client/109.*.*.*:55589 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Wed Dec 21 11:20:30 2011 us=231393 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

If the problem is somehow connected to kvpnc, I don't have to use it. If I should try something else, please let me know what and probably how =). The client.ovpn file should be used for a Windows client on a different PC which I can't test, since I only have Ubuntu PCs here.

Thank you so far

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: WARNING: Failed running command (--up/--down): external

Post by janjust » Wed Dec 21, 2011 11:07 am

Normally you use
--script-security 3 system
as a command-line parameter and
script-security 3 system
inside a configuration file.

As for the (server?) connection log: the server sends a push line with the address for the client, and after that the client simply stops responding. Check the client-side log to see what happens when the PUSH line is received from the server.
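The two checks the replies above ask for, the command-line "--" spelling inside a config file and server/client mismatches such as tun versus tap or different ciphers, can be automated. This is an added example, not code from the thread or from the OpenVPN project; the two configs it lints are constructed to reproduce the mistakes discussed, and it also flags a hook script (up/down) without script-security 2 or higher, which is what produces the "fork failed" warning.

```python
# Added example, not from the thread: lint an OpenVPN server/client pair. Sample configs are constructed.
SERVER_CONF = """\
port 1194
proto udp
dev tun
cipher AES-256-CBC
comp-lzo
up /etc/openvpn/up.sh
"""
CLIENT_CONF = """\
--script-security 3 system
tls-client
pull
dev tap
proto udp
cipher AES-128-CBC
comp-lzo
"""

def parse(text):
    """Map directive -> argument list; '#' and ';' start comments. A repeated directive keeps its last value."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts

def lint(server, client):
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    for side, opts in (("server", server), ("client", client)):
        for key in opts:
            if key.startswith("--"):  # command-line spelling inside a config file
                findings.append(f"{side}: '{key}' is the command-line form; "
                                f"write '{key[2:]}' inside the config file")
        # any hook script needs script-security 2 or higher, or OpenVPN refuses to fork it
        if any(k in opts for k in ("up", "down", "route-up", "learn-address")):
            level = (opts.get("script-security") or ["0"])[0]
            if not level.isdigit() or int(level) < 2:
                findings.append(f"{side}: hook script present but script-security is {level}")
    # both ends must agree on these; a mismatch gives a link that never comes up or carries no traffic
    for key in ("dev", "proto", "cipher", "comp-lzo"):
        s, c = server.get(key), client.get(key)
        if (s is None) != (c is None) or (s and c and s[:1] != c[:1]):
            findings.append(f"{key}: server={s} client={c}")
    return findings
```

Level 2 with OpenVPN's default execve method is sufficient for up/down scripts; the linter only checks the level, not the method.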

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: WARNING: Failed running command (--up/--down): external

Post by maikcat » Wed Dec 21, 2011 12:14 pm

Is there any chance that your client's LAN IP range is 192.168.2.0?

Michael.

dsoft
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 20, 2011 10:25 am

Re: WARNING: Failed running command (--up/--down): external

Post by dsoft » Fri Dec 23, 2011 8:53 am

Hello again,
my LAN IP is 192.168.1.x

I'm now using openvpn as the client as well, to get better log messages. So here is what I get:

Fri Dec 23 09:46:23 2011 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Dec 23 09:46:23 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 23 09:46:23 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Dec 23 09:46:23 2011 [192.168.2.112] Peer Connection Initiated with [AF_INET]80.153.49.175:1194
Fri Dec 23 09:46:25 2011 SENT CONTROL [192.168.2.112]: 'PUSH_REQUEST' (status=1)
Fri Dec 23 09:46:25 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Dec 23 09:46:25 2011 OPTIONS IMPORT: timers and/or timeouts modified
Fri Dec 23 09:46:25 2011 OPTIONS IMPORT: --ifconfig/up options modified
Fri Dec 23 09:46:25 2011 OPTIONS IMPORT: route options modified
Fri Dec 23 09:46:25 2011 ROUTE default_gateway=192.168.1.1
Fri Dec 23 09:46:25 2011 Note: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Fri Dec 23 09:46:25 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Fri Dec 23 09:46:25 2011 Cannot allocate TUN/TAP dev dynamically
Fri Dec 23 09:46:25 2011 Exiting

Can it be a router problem? I have a WLAN router on my LAN and a router in front of the server, but I already configured the port forwarding...

Thank you for your help

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: WARNING: Failed running command (--up/--down): external

Post by janjust » Fri Dec 23, 2011 10:09 am

Fri Dec 23 09:46:25 2011 Note: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Fri Dec 23 09:46:25 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Fri Dec 23 09:46:25 2011 Cannot allocate TUN/TAP dev dynamically

You need to *start* openvpn with root privileges - please verify that you did so.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: WARNING: Failed running command (--up/--down): external

Post by maikcat » Fri Dec 23, 2011 12:10 pm

Can you post *complete* client logs?

Michael.

NeoSovereign
OpenVpn Newbie
Posts: 1
Joined: Tue Aug 14, 2012 4:39 am

Re: WARNING: Failed running command (--up/--down): external

Post by NeoSovereign » Tue Aug 14, 2012 4:45 am

I am having a similar problem. I have added the "script-security 3 system" line to my client.ovpn file, although I cannot even get the server to start on my Ubuntu workstation, so I have little doubt the amended file will cause a successful connection. When I run "/etc/openvpn$ sudo openvpn server.conf" it returns the following:

Mon Aug 13 21:17:39 2012 OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
Mon Aug 13 21:17:39 2012 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Mon Aug 13 21:17:39 2012 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Aug 13 21:17:39 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Aug 13 21:17:39 2012 Diffie-Hellman initialized with 1024 bit key
Mon Aug 13 21:17:39 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Aug 13 21:17:39 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 13 21:17:39 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 13 21:17:39 2012 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Aug 13 21:17:39 2012 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Aug 13 21:17:39 2012 TUN/TAP device tap0 opened
Mon Aug 13 21:17:39 2012 TUN/TAP TX queue length set to 100
Mon Aug 13 21:17:39 2012 /etc/openvpn/up.sh br0 tap0 1500 tap0 1500 1574   init
Mon Aug 13 21:17:39 2012 WARNING: External program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for detailed info.
Mon Aug 13 21:17:39 2012 WARNING: Failed running command (--up/--down): external program fork failed
Mon Aug 13 21:17:39 2012 Exiting

I'm guessing that up.sh is causing my trouble, since the "init" at the end of the line that looks like a call to it is the last message before the failure messages.

Thanks!
