This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.
Moderators: TinCanTech
by sorcerer » Wed Apr 02, 2014 8:35 pm
Hello,
Dear All, I am quite new to OpenVPN; I have tried several times but without success. I have set up a server, but I can't start it up. I have already checked the server.conf file; it looks like this:
port 1194
proto tcp-server
dev tap0
ca keys/echo2/ca.crt
cert keys/echo2/echo1.crt
key keys/echo2/echo1.key
dh keys/echo2/dh2048.pem
server-bridge 192.168.0.100 255.255.255.0 192.168.0.150 192.168.0.199 #@@ br0 eth0
crl-verify keys/echo2/crl.pem
tls-auth servers/EchoServer/ta.key 0
cipher BF-CBC
user nobody
group nogroup
status servers/EchoServer/logs/openvpn-status.log
log-append servers/EchoServer/logs/openvpn.log
verb 2
mute 20
max-clients 100
management 127.0.0.1 10001
keepalive 10 120
client-config-dir /etc/openvpn/servers/EchoServer/ccd
client-to-client
duplicate-cn
comp-lzo
persist-key
#persist-tun
ccd-exclusive
up servers/EchoServer/bin/EchoServer.up
plugin /usr/lib/openvpn/openvpn-down-root.so "/etc/openvpn/servers/EchoServer/bin/EchoServer.down-root"
Why does it have client-config-dir linked to an empty file?
whereas I have the second client file in /clients/serve/clinet, which looks like this:
client
proto tcp-client
dev tap
ca ca.crt
dh dh2048.pem
cert echo1client.crt
key echo1client.key
remote 192.168.0.100 1194
tls-auth ta.key 1
cipher BF-CBC
user nobody
group nogroup
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
float
resolv-retry infinite
nobind
route 192.168.0.0 255.255.255.0
script-security 3 system
Finally, I am getting an error; the log:
Wed Apr 2 22:15:31 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Wed Apr 2 22:15:31 2014 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Wed Apr 2 22:15:31 2014 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Wed Apr 2 22:15:31 2014 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Wed Apr 2 22:15:31 2014 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Apr 2 22:15:31 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Apr 2 22:15:31 2014 WARNING: file 'keys/echo2/echo1.key' is group or others accessible
Wed Apr 2 22:15:31 2014 WARNING: file 'servers/EchoServer/ta.key' is group or others accessible
Wed Apr 2 22:15:31 2014 Control Channel Authentication: using 'servers/EchoServer/ta.key' as a OpenVPN static key file
Wed Apr 2 22:15:31 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 2 22:15:31 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 2 22:15:31 2014 TLS-Auth MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
Wed Apr 2 22:15:31 2014 TUN/TAP device tap0 opened
Wed Apr 2 22:15:31 2014 servers/EchoServer/bin/EchoServer.up tap0 1500 1576 init
Wed Apr 2 22:15:31 2014 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.
Wed Apr 2 22:15:31 2014 WARNING: Failed running command (--up/--down): external program fork failed
Wed Apr 2 22:15:31 2014 Exiting
Please advise ....
by maikcat » Thu Apr 03, 2014 5:52 am
ok here we go...
server-bridge 192.168.0.100 255.255.255.0 192.168.0.150 192.168.0.199
you are using a bridging setup, ok so far
up servers/EchoServer/bin/EchoServer.up
this is a script to create your br0 interface right?
Why does it have client-config-dir linked to an empty file?
client-config-dir, as "dir" implies, points to a DIRECTORY, not a file
WARNING: Failed running command (--up/--down): external program fork failed
can you post the contents of servers/EchoServer/bin/EchoServer.up script and permissions used?
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
by sorcerer » Fri Apr 04, 2014 8:31 pm
EchoServer.up
#!/bin/bash
/usr/share/webmin/openvpn/br_scripts/bridge_start --setbr br=br0 eth=eth0 tap=tap0 ip=192.168.0.100 netmask=255.255.255.0 > /dev/null
##### add your commands below #####
route add default gw 192.168.0.1
-rwxr-xr-x 1 rootuser rootuser 216 kwi 2 21:50 EchoServer.up
Thank you in advance for your answers
by sorcerer » Fri Apr 04, 2014 8:38 pm
maikcat wrote: ok here we go...
Why does it have client-config-dir linked to an empty file?
client-config-dir, as "dir" implies, points to a DIRECTORY, not a file
Michael.
That's true, but there is only an empty file, and the file with the filled-in configuration is in the other dir
by maikcat » Sun Apr 06, 2014 1:33 pm
for testing, you can build your bridge before OpenVPN is up, then start the OpenVPN daemon;
also add to your config
That's true, but there is only an empty file, and the file with the filled-in configuration is in the other dir
I am not sure I understand that...
you MUST create the folder used in your client-config-dir directive, then place your ccd file there...
Michael.
by sorcerer » Sun Apr 06, 2014 3:19 pm
After adding "script-security 2" to server.conf I am getting this:
Sun Apr 6 17:17:02 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Sun Apr 6 17:17:02 2014 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Sun Apr 6 17:17:02 2014 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sun Apr 6 17:17:02 2014 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Sun Apr 6 17:17:02 2014 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Apr 6 17:17:02 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 6 17:17:02 2014 WARNING: file 'keys/echo2/echo1.key' is group or others accessible
Sun Apr 6 17:17:02 2014 WARNING: file 'servers/EchoServer/ta.key' is group or others accessible
Sun Apr 6 17:17:02 2014 Control Channel Authentication: using 'servers/EchoServer/ta.key' as a OpenVPN static key file
Sun Apr 6 17:17:02 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 6 17:17:02 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 6 17:17:02 2014 TLS-Auth MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
Sun Apr 6 17:17:02 2014 TUN/TAP device tap0 opened
Sun Apr 6 17:17:02 2014 servers/EchoServer/bin/EchoServer.up tap0 1500 1576 init
/usr/share/webmin/openvpn/br_scripts/bridge_start: line 39: brctl: command not found
/usr/share/webmin/openvpn/br_scripts/bridge_start: line 99: brctl: command not found
SIOCADDRT: File exists
Sun Apr 6 17:17:02 2014 WARNING: Failed running command (--up/--down): external program exited with error status: 7
Sun Apr 6 17:17:02 2014 Exiting
by maikcat » Mon Apr 07, 2014 5:38 am
/usr/share/webmin/openvpn/br_scripts/bridge_start: line 99: brctl: command not found
do you have the bridge-utils package installed?
brctl MUST exist on your system in order to create br0.
also, why don't you use the bridge-up script found on the openvpn.net site?
Michael.
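The checks Michael is walking through here (script-security for --up, client-config-dir being a directory, brctl present for the bridge script, and the "group or others accessible" key warnings from the first log) fit in one pre-flight script. This is an added example, not OpenVPN's or the poster's own code: it reads the directives from a server.conf and reports each problem; it assumes GNU stat, and the fixture files, paths and the bridge-tool name used by the demo are constructed.

```shell
# Pre-flight checks for the directives that failed in this thread. Run it from the
# directory that server.conf's relative paths resolve against (OpenVPN's cwd).
# Assumes GNU stat (-c %a). Usage: openvpn_preflight CONF [BRIDGE_TOOL]
# Prints each problem found and returns their count (0 = clean).
openvpn_preflight() {
    conf=$1; bridge_tool=${2:-brctl}; problems=0
    # Private key and tls-auth key must not be group/other accessible (OpenVPN warns).
    for f in $(awk '$1=="key"||$1=="tls-auth"||$1=="secret"{print $2}' "$conf"); do
        if [ ! -e "$f" ]; then
            echo "MISSING secret file: $f"; problems=$((problems + 1)); continue
        fi
        case $(stat -c %a "$f") in
            *00) ;;
            *) echo "LOOSE PERMS on $f: expected 600 or 400"; problems=$((problems + 1)) ;;
        esac
    done
    # client-config-dir names a DIRECTORY; a plain file of that name breaks ccd lookups.
    ccd=$(awk '$1=="client-config-dir"{print $2}' "$conf")
    if [ -n "$ccd" ] && [ ! -d "$ccd" ]; then
        echo "NOT A DIRECTORY: client-config-dir $ccd"; problems=$((problems + 1))
    fi
    # --up needs an executable script and script-security 2 or higher.
    up=$(awk '$1=="up"{print $2}' "$conf")
    if [ -n "$up" ]; then
        [ -x "$up" ] || { echo "NOT EXECUTABLE: up script $up"; problems=$((problems + 1)); }
        sec=$(awk '$1=="script-security"{print $2}' "$conf")
        [ "${sec:-1}" -ge 2 ] || { echo "script-security ${sec:-unset} too low for --up"; problems=$((problems + 1)); }
    fi
    # A bridged server's up script needs brctl from bridge-utils on PATH.
    if grep -q '^server-bridge' "$conf" && ! command -v "$bridge_tool" >/dev/null 2>&1; then
        echo "$bridge_tool not found: install bridge-utils"; problems=$((problems + 1))
    fi
    return "$problems"
}
# Constructed fixture reproducing the thread's mistakes (not the poster's real files);
# runs in a subshell so the cd does not leak. Expected result: 4 problems.
demo_preflight() (
    d=$(mktemp -d) && cd "$d" || exit 255
    mkdir -p keys servers/bin; : > ccd                                  # ccd is a file
    printf 'placeholder\n' > keys/echo1.key; chmod 644 keys/echo1.key   # world readable
    printf 'placeholder\n' > keys/ta.key; chmod 600 keys/ta.key         # correct
    printf '#!/bin/sh\ntrue\n' > servers/bin/up.sh; chmod 755 servers/bin/up.sh
    printf '%s\n' 'server-bridge 192.168.0.100 255.255.255.0 192.168.0.150 192.168.0.199' \
        'key keys/echo1.key' 'tls-auth keys/ta.key 0' 'client-config-dir ccd' \
        'up servers/bin/up.sh' > server.conf                            # no script-security
    openvpn_preflight server.conf no-such-brctl-binary; n=$?
    cd / && rm -rf "$d"; exit "$n"
)
demo_preflight && echo "preflight clean" || echo "preflight found $? problem(s)"
```

Point openvpn_preflight at the real server.conf from /etc/openvpn to get the same four-way check before starting the daemon.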
by sorcerer » Wed Apr 09, 2014 3:23 pm
Wed Apr 9 17:21:07 2014 Initialization Sequence Completed
Michael, thanks for your help.
by maikcat » Thu Apr 10, 2014 5:49 am
you're welcome
closing topic.
Michael.