What is going on with my config? Errors but tunnel up.

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

flw
OpenVpn Newbie
Posts: 4
Joined: Fri May 22, 2009 6:01 am

What is going on with my config? Errors but tunnel up.

Post by flw » Mon Dec 07, 2009 9:08 pm

Hi folks,
In spite of the excellent documentation available, I don't seem to be able to configure OpenVPN correctly, but it seems to work a little bit. By "work a little bit" I mean that I get an error when starting OpenVPN on the server


[root@CentOS openvpn]# service openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [FAILED]
Looking at openvpn.log, and snipping out what appears to be the source of the failure message,


Mon Dec  7 12:23:04 2009 us=110039 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Mon Dec  7 12:23:04 2009 us=110057 Exiting
but, my client seems to be happy connecting (I get the yellow then green screens in the OpenVPN GUI, and a "connected" message). Furthermore, I can get access to the disk shares on the CentOS server, but I cannot ping or otherwise see any other machines in the CentOS subnet (192.168.52.0).

I'm sure my mistake is blindingly simple, but I just can't find it.
SERVER: CentOS 5.3, running OpenVPN 2.0.9
** server.config


port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem

server 192.168.54.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.52.0 255.255.255.0"

client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log

log         openvpn.log
verb 6
mute 20
CLIENT: Windoze XP-SP2, running OpenVPN 2.1_rc22
** client.ovpn


client
remote-cert-tls server
proto udp
dev tun
dev-node VPN-Tap
remote xx.yy.zz.aaa 1194
resolv-retry infinite
nobind
persist-key
persist-tun
float
 
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 4

The CentOS server (and OpenVPN server) reside in my home subnet behind a firewall that port-forwards port 1194 traffic to the CentOS server. My objective is to use OpenVPN to get access to my entire home subnet - all computers and printers. At minimum, I want access to disk shares, but if I could run XP's remote desktop, that would be ideal.

I have disabled the CentOS firewall (via the administrative GUI), and attempted to configure iptables using the commands:


# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT

# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
As I said, this seems pretty simple and straightforward, but I can't even ping other machines through the tunnel. Can anyone help?
Q1: What is the "socket bind failed" error about, and how do I eliminate it?
Q2: How can I use the tunnel to get access to disk shares on other machines (besides the CentOS server)?
Q3: Is there a way to run Remote Desktop over an OpenVPN tunnel?

Thanks in advance!

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: What is going on with my config? Errors but tunnel up.

Post by Douglas » Mon Dec 07, 2009 11:49 pm

flw wrote:Hi folks,
Q1: What is the "socket bind failed" error about, and how do I eliminate it?
Q2: How can I use the tunnel to get access to disk shares on other machines (besides the CentOS server)?
Q3: Is there a way to run Remote Desktop over an OpenVPN tunnel?

Thanks in advance!
Q1: It means that it failed to bind! :) In other words, something else is using port 1194. When you stop openvpn, check ps to make sure it actually is dead.
Q2: I'm not sure I understand that - can you explain? Do you mean you want to mount shares from machine A B and C locally?
Q3: Why not? You can connect clients to the VPN and enable FreeNX/RDP/VNC and then just connect to the VPN IP.

flw
OpenVpn Newbie
Posts: 4
Joined: Fri May 22, 2009 6:01 am

Re: What is going on with my config? Errors but tunnel up.

Post by flw » Tue Dec 08, 2009 12:24 am

Douglas wrote:
Q1: It means that it failed to bind! :) In other words, something else is using port 1194. When you stop openvpn, check ps to make sure it actually is dead.
Q2: I'm not sure I understand that - can you explain? Do you mean you want to mount shares from machine A B and C locally?
Q3: Why not? You can connect clients to the VPN and enable FreeNX/RDP/VNC and then just connect to the VPN IP.
Q1: Doing a "service openvpn stop" returns an "[ Ok ]" flag, but you are correct, openvpn is still in the ps list. Doing a "kill -9 pid" makes it go away, however, the next time I reboot or otherwise try to start up openvpn, I get the "socket bind error" again.

Q2: Yes, I have several machines in the local subnet, all of which have mountable shares. I want my road-warrior laptop to be able to vpn into the local subnet and see (and connect to) any or all of the shares.

Q3: Ok, once I get the vpn working properly, perhaps remote desktop will work as well.

Thanks!

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: What is going on with my config? Errors but tunnel up.

Post by Douglas » Tue Dec 08, 2009 2:15 am

flw wrote:
Q1: Doing a "service openvpn stop" returns an "[ Ok ]" flag, but you are correct, openvpn is still in the ps list. Doing a "kill -9 pid" makes it go away, however, the next time I reboot or otherwise try to start up openvpn, I get the "socket bind error" again.

Q2: Yes, I have several machines in the local subnet, all of which have mountable shares. I want my road-warrior laptop to be able to vpn into the local subnet and see (and connect to) any or all of the shares.

Q3: Ok, once I get the vpn working properly, perhaps remote desktop will work as well.

Thanks!
Q1: I hate using the yum install for OpenVPN; I always build from source and start it via my rc.local file. Now, paste me: `chkconfig --list | grep openvpn`
Q2: Sounds like that'd work just fine.
Q3: Yessir.
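The stale-daemon case discussed above (stop reports OK, the old process stays in ps, the next start cannot bind udp/1194 while the client still connects to the old instance), as an added example that is not code from any post in this thread. The two parsing helpers read saved `netstat -lnup` and `ps -eo pid,args` output on stdin; the port 1194 and the program name `openvpn` are taken from the posted config, everything else (sample PIDs, the `--live` switch) is assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from this thread. A "service openvpn restart" that
# prints [FAILED] with "Socket bind failed ... Address already in use" while
# clients still connect usually means the stop action returned OK without the
# old daemon exiting: the old process keeps udp/1194 and keeps serving the
# client, and the new one cannot bind. The helpers read command output on
# stdin so they can be tried on saved text; "--live" runs the real commands
# (run as root, otherwise netstat hides the PID column).

# port_holders PORT: from `netstat -lnup` output, print the PID/program of
# every UDP socket bound to PORT (on any local address).
port_holders() {
    awk -v p=":$1" '$1 == "udp" && $4 ~ (p "$") { print $NF }'
}

# openvpn_pids: from `ps -eo pid,args` output, print the PIDs of openvpn daemons.
openvpn_pids() {
    awk '$2 ~ /(^|\/)openvpn$/ { print $1 }'
}

# explain_holder: read the first line of port_holders output and say what to do.
# SIGTERM rather than -9: OpenVPN removes the routes and the tun interface it
# set up when it gets SIGTERM; a KILLed daemon leaves them behind.
explain_holder() {
    holder="$(head -n 1)"
    case "$holder" in
        "")        echo "nothing bound: the next start should succeed" ;;
        */openvpn) pid="${holder%%/*}"
                   echo "old openvpn $pid still holds the port: kill -TERM $pid, wait, then service openvpn start" ;;
        *)         echo "port held by $holder: change 'port' in server.conf or stop that service" ;;
    esac
}

# Live mode (assumed switch): ./bindcheck.sh --live [PORT]
case "${1-}" in
--live)
    port="${2:-1194}"
    netstat -lnup 2>/dev/null | port_holders "$port" | explain_holder
    echo "openvpn processes: $(ps -eo pid,args | openvpn_pids | tr '\n' ' ')"
    ;;
esac
```

If the holder is a second openvpn started from somewhere other than the init script (rc.local, a leftover test run from a shell), the `chkconfig --list` and `ps` output together show which one the init script does not know about; until only one starter remains, every restart will reproduce the bind error.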

flw
OpenVpn Newbie
Posts: 4
Joined: Fri May 22, 2009 6:01 am

Re: What is going on with my config? Errors but tunnel up.

Post by flw » Tue Dec 15, 2009 5:28 am

Ok, tunnel seems to be up and happy (according to the log files everything is up) and the XP GUI has the screens turn a happy shade of green, but I still cannot ping remote machines on the subnet through the tunnel. Furthermore, I cannot see (or mount) remote disk shares, and XP remote desktop management does not work. Troubleshooting advice is desired here.

Running wireshark on each of the end nodes shows that the originating pings (from outside the VPN subnet) are routed towards the tunnel (as I would expect). Within the VPN subnet, however, no ping traffic is seen from the originating box, which leads me to believe that the VPN and/or firewall is swallowing all the traffic. If I originate pings from a machine on the VPN subnet aimed towards the road-warrior VPN client, all works well, and the pings are echoed back. Again, the wireshark traces show the traffic being routed through the VPN.

I would appreciate any ideas for specific tests or configs to try. Thanks.

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: What is going on with my config? Errors but tunnel up.

Post by Douglas » Thu Dec 17, 2009 3:32 am

flw wrote:Ok, tunnel seems to be up and happy (according to the log files everything is up) and the XP GUI has the screens turn a happy shade of green, but I still cannot ping remote machines on the subnet through the tunnel. Furthermore, I cannot see (or mount) remote disk shares, and XP remote desktop management does not work. Troubleshooting advice is desired here.

Running wireshark on each of the end nodes shows that the originating pings (from outside the VPN subnet) are routed towards the tunnel (as I would expect). Within the VPN subnet, however, no ping traffic is seen from the originating box, which leads me to believe that the VPN and/or firewall is swallowing all the traffic. If I originate pings from a machine on the VPN subnet aimed towards the road-warrior VPN client, all works well, and the pings are echoed back. Again, the wireshark traces show the traffic being routed through the VPN.

I would appreciate any ideas for specific tests or configs to try. Thanks.
I'll pass this along to a few folks to see what they have in mind to help you.

User avatar
krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: What is going on with my config? Errors but tunnel up.

Post by krzee » Mon Dec 21, 2009 2:05 am

flw wrote: Running wireshark on each of the end nodes shows that the originating pings (from outside the VPN subnet) are routed towards the tunnel (as I would expect). Within the VPN subnet, however, no ping traffic is seen from the originating box, which leads me to believe that the VPN and/or firewall is swallowing all the traffic. If I originate pings from a machine on the VPN subnet aimed towards the road-warrior VPN client, all works well, and the pings are echoed back.
We know it has a route because it receives ping replies... so it is your firewall.
If one side can ping the other but not vice versa, FIREWALL!
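The one-way symptom in the two posts above (pings from the client enter the tunnel but never show up on the LAN, while LAN-originated pings to the client get replies) has three usual server-side causes in a routed `dev tun` setup: the kernel is not forwarding at all, the FORWARD chain allows only one direction, or the LAN has no return route for the VPN subnet. The script below is an added example, not code from this thread or from the OpenVPN project: it checks the first two on the CentOS box and the third on the gateway. The subnets come from the posted server.conf; the LAN interface name `eth0`, the gateway/router addresses in the samples and the `--live` switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread: the three things to check when the
# OpenVPN client can reach the server itself but not other hosts on its LAN.
# Subnets are taken from the posted server.conf; the LAN interface name eth0 is
# an assumption. Every helper reads saved command output on stdin, so the checks
# can be run against captured text; "--live" runs the real commands (as root).

VPN_NET="192.168.54.0/24"   # server 192.168.54.0 255.255.255.0
LAN_NET="192.168.52.0/24"   # push "route 192.168.52.0 255.255.255.0"
LAN_IF="eth0"               # assumed

# 1. Kernel forwarding. Stdin: contents of /proc/sys/net/ipv4/ip_forward.
#    It is 0 by default on CentOS and nothing in server.conf turns it on; the
#    symptom is exactly the one in the thread: packets enter the tunnel and are
#    never seen on the LAN, and the client can still talk to the server itself
#    because that traffic is delivered locally, not forwarded.
forwarding_enabled() {
    [ "$(tr -d '[:space:]')" = "1" ]
}

# 2. FORWARD chain. Stdin: `iptables-save` output (the iptables 1.3 on CentOS 5
#    has no -S). Passes when the chain policy is ACCEPT, or when explicit ACCEPT
#    rules exist both from the tunnel to the LAN interface and back. Rules are
#    matched by their -i/-o options only; an earlier DROP in the chain is not
#    modelled. The rules posted in this thread only cover -i tun+, so with a
#    DROP policy they pass requests out and lose the replies.
forward_chain_report() {
    awk -v lan="$1" '
        $1 == ":FORWARD" { policy = $2 }
        $1 == "-A" && $2 == "FORWARD" && $(NF-1) == "-j" && $NF == "ACCEPT" {
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i+1) ~ /^tun/) from_tun = 1
                if ($i == "-o" && $(i+1) ~ /^tun/) to_tun = 1
            }
        }
        END {
            if (policy == "ACCEPT") { print "ok: FORWARD policy is ACCEPT"; exit 0 }
            if (from_tun && to_tun) { print "ok: tun->LAN and LAN->tun rules present"; exit 0 }
            if (!from_tun) print "missing: -A FORWARD -i tun+ -o " lan " -j ACCEPT"
            if (!to_tun)   print "missing: -A FORWARD -i " lan " -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT"
            exit 1
        }'
}

# 3. Return route. Stdin: `ip route` output from the LAN's default gateway.
#    A LAN host sends its reply to 192.168.54.x to its default gateway; unless
#    that gateway knows the VPN subnet sits behind the OpenVPN server, the reply
#    leaves for the WAN and the ping times out even though the request arrived.
has_route() {
    awk -v net="$1" '$1 == net { found = 1 } END { exit found ? 0 : 1 }'
}

# Live mode (assumed switch), run on the OpenVPN server as root.
case "${1-}" in
--live)
    forwarding_enabled < /proc/sys/net/ipv4/ip_forward ||
        echo "ip_forward=0: sysctl -w net.ipv4.ip_forward=1 and set it in /etc/sysctl.conf"
    iptables-save | forward_chain_report "$LAN_IF"
    ip route | has_route "$LAN_NET" || echo "this server has no route to $LAN_NET; the pushed route is useless"
    echo "on the gateway, 'ip route' must list $VPN_NET via this server's LAN address,"
    echo "or masquerade here: iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
    ;;
esac
```

The return route can be supplied either as a static route on the DD-WRT box (`ip route add 192.168.54.0/24 via <CentOS LAN address>`) or by masquerading on the CentOS server as printed above. The static route keeps each VPN client's own 192.168.54.x address visible to the LAN hosts, which is what you want when share access and Remote Desktop sessions are later audited or restricted per client; masquerading makes every road warrior look like the server.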

flw
OpenVpn Newbie
Posts: 4
Joined: Fri May 22, 2009 6:01 am

Re: What is going on with my config? Errors but tunnel up.

Post by flw » Wed Dec 23, 2009 4:52 am

Taking krzee at face value, here are my firewall configuration files and results. I'm still clueless as to what is wrong.

Firewall config from the [Firewall command box on the DD-WRT web console]


iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.58.0/24 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
looking at the DD-WRT .rc_firewall, we find:


root@DD-WRT58:/tmp# more .rc_firewall
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.58.0/24 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
root@DD-WRT58:/tmp#
And looking at the dump of the iptables config shows:


root@DD-WRT58:/tmp# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1194
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1194
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  192.168.66.0/24      anywhere
ACCEPT     0    --  192.168.58.0/24      anywhere
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan    0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             Dell2Core.DD-WRT58  tcp dpt:3389
ACCEPT     udp  --  anywhere             Dell2Core.DD-WRT58  udp dpt:3389
TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0
trigger_out  0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain advgrp_1 (0 references)
target     prot opt source               destination

Chain advgrp_10 (0 references)
target     prot opt source               destination

Chain advgrp_2 (0 references)
target     prot opt source               destination

Chain advgrp_3 (0 references)
target     prot opt source               destination

Chain advgrp_4 (0 references)
target     prot opt source               destination

Chain advgrp_5 (0 references)
target     prot opt source               destination

Chain advgrp_6 (0 references)
target     prot opt source               destination

Chain advgrp_7 (0 references)
target     prot opt source               destination

Chain advgrp_8 (0 references)
target     prot opt source               destination

Chain advgrp_9 (0 references)
target     prot opt source               destination

Chain grp_1 (0 references)
target     prot opt source               destination

Chain grp_10 (0 references)
target     prot opt source               destination

Chain grp_2 (0 references)
target     prot opt source               destination

Chain grp_3 (0 references)
target     prot opt source               destination

Chain grp_4 (0 references)
target     prot opt source               destination

Chain grp_5 (0 references)
target     prot opt source               destination

Chain grp_6 (0 references)
target     prot opt source               destination

Chain grp_7 (0 references)
target     prot opt source               destination

Chain grp_8 (0 references)
target     prot opt source               destination

Chain grp_9 (0 references)
target     prot opt source               destination

Chain lan2wan (1 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     0    --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
LOG        0    --  anywhere             anywhere            state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       0    --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
REJECT     tcp  --  anywhere             anywhere            tcp reject-with tcp-reset

Chain trigger_out (1 references)
target     prot opt source               destination
root@DD-WRT58:/tmp#
I am really looking forward to figuring out what doesn't work here, and fixing it! I really want to get remote desktop working along with getting access to the local hard drives while being a road warrior! Thanks for all help.
