Hi all,
* I have problems connecting to machines behind the VPN server using a bridged VPN. My OpenVPN clients should be able to connect to and work with all machines behind the OpenVPN server.
* On the client: the connection is established as expected, ping to the OpenVPN server works fine, but ping to any other server in the same 192.168.1.x net fails with "Destination host unreachable".
* On the server: ping to the VPN client using its VPN IP address 192.168.1.200 works fine, and ping to any other server in the 192.168.1.x net also works.
* I disabled SELinux and the firewall for testing purposes, but the client still can't reach any server other than the OpenVPN machine.
* On the server: IP forwarding is enabled.
OpenVPN Server (CentOS 6.2 64bit, OpenVPN 2.2.1, eth0 = 192.168.1.47)
ifconfig
br0 Link encap:Ethernet HWaddr 00:0C:29:64:2F:62
inet addr:192.168.1.47 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe64:2f62/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1634 (1.5 KiB) TX bytes:3628 (3.5 KiB)
eth0 Link encap:Ethernet HWaddr 00:0C:29:64:2F:62
inet addr:192.168.1.47 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe64:2f62/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1075 errors:0 dropped:0 overruns:0 frame:0
TX packets:503 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:185047 (180.7 KiB) TX bytes:53473 (52.2 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2026 (1.9 KiB) TX bytes:2026 (1.9 KiB)
tap0 Link encap:Ethernet HWaddr 0E:C7:B4:30:B7:93
inet6 addr: fe80::cc7:b4ff:fe30:b793/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:446 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:63974 (62.4 KiB) TX bytes:924 (924.0 b)
cat ./bridge-start.sh
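#!/bin/bash
# bridge-start.sh: build bridge br0 from the LAN interface eth0 and a
# persistent OpenVPN tap0, then move the LAN address from eth0 onto the
# bridge. Runs as root, takes no arguments, and has no undo: tear the
# bridge down by hand before running it a second time.
#
# Must run before OpenVPN is started, because server.conf opens the
# already-existing device "tap0".
set -euo pipefail

readonly br="br0"
readonly tap="tap0"
readonly eth="eth0"
readonly eth_ip="192.168.1.47"
readonly eth_netmask="255.255.255.0"
readonly eth_broadcast="192.168.1.255"

# Print a diagnostic on stderr and stop; a half-built bridge is worse than none.
die() { printf 'bridge-start: %s\n' "$*" >&2; exit 1; }

# Every step below needs network-admin rights and these three tools.
(( EUID == 0 )) || die "must be run as root"
for tool in openvpn brctl ifconfig; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

# Create tap0 up front so it can be enslaved to the bridge before OpenVPN starts.
openvpn --mktun --dev "$tap" || die "could not create $tap"

brctl addbr "$br" || die "could not create bridge $br"
brctl addif "$br" "$eth" || die "could not add $eth to $br"
brctl addif "$br" "$tap" || die "could not add $tap to $br"

# Bridge ports carry no IP address of their own; promiscuous mode is what
# lets the bridge see frames addressed to every MAC, not just the port's own.
ifconfig "$tap" 0.0.0.0 promisc up || die "could not bring up $tap"
ifconfig "$eth" 0.0.0.0 promisc up || die "could not bring up $eth"

# The LAN address must live on the bridge only.
# NOTE(review): if the distribution's network service also manages eth0 it
# may put 192.168.1.47 back on eth0 after this script runs, leaving a second
# 192.168.1.0/24 route on eth0 next to the one on br0; check with
# ifconfig / netstat -rn afterwards and, if so, remove the address from
# eth0 in the OS network configuration. Bridging is layer 2, so the
# net.ipv4.ip_forward sysctl does not influence this path.
ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast" \
  || die "could not configure $br"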
cat server.conf
port 1194
proto udp
# Pre-created by bridge-start.sh and enslaved to br0; the device must exist
# before OpenVPN starts.
dev tap0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
cipher AES-256-CBC
# Clients get 192.168.1.200-192.168.1.230 out of the LAN subnet and are
# pushed "route-gateway 192.168.1.47" (see the PUSH_REPLY in openvpn.log).
server-bridge 192.168.1.47 255.255.255.0 192.168.1.200 192.168.1.230
keepalive 10 60
# NOTE(review): with server-bridge the client's tap is already configured on
# 192.168.1.0/24 (pushed "ifconfig 192.168.1.200 255.255.255.0"), so this
# route is presumably redundant; it is not what keeps LAN hosts unreachable.
push "route 192.168.1.0 255.255.255.0"
comp-lzo
persist-key
persist-tun
# Privileges are dropped after start-up (openvpn.log: "GID/UID set to openvpn").
user openvpn
group openvpn
daemon
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
syslog
# NOTE(review): the parameter dump in openvpn.log reports "verbosity = 5",
# so the posted file may not be the one that produced that log — confirm.
# NOTE(review): openvpn.log shows tls_auth_file = '[UNDEF]'; a tls-auth key
# would let the server discard unauthenticated UDP packets before the TLS
# handshake — worth adding once the bridge itself works.
verb 7
cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
cat /var/log/messages
May 7 16:41:35 192.168.1.47 kernel: Bridge firewalling registered
May 7 16:41:35 192.168.1.47 kernel: device eth0 entered promiscuous mode
May 7 16:41:35 192.168.1.47 kernel: device tap0 entered promiscuous mode
May 7 16:41:35 192.168.1.47 kernel: New device tap0 does not support netpoll
May 7 16:41:35 192.168.1.47 kernel: Disabling netpoll for br0
May 7 16:41:35 192.168.1.47 kernel: br0: port 2(tap0) entering learning state
May 7 16:41:35 192.168.1.47 kernel: br0: port 1(eth0) entering learning state
May 7 16:41:39 192.168.1.47 ntpd[1399]: Listening on interface #6 tap0, fe80::cc7:b4ff:fe30:b793#123 Enabled
May 7 16:41:50 192.168.1.47 kernel: br0: port 2(tap0) entering forwarding state
May 7 16:41:50 192.168.1.47 kernel: br0: port 1(eth0) entering forwarding state
cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Mon May 7 16:47:59 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
theclient,yyy.yyy.yyy.yyy:22930,61134,39246,Mon May 7 16:32:54 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:81:6c:90:59,theclient,yyy.yyy.yyy.yyy:22930,Mon May 7 16:32:57 2012
GLOBAL STATS
Max bcast/mcast queue length,1
END
cat /var/log/openvpn.log
Mon May 7 16:58:38 2012 us=172834 Current Parameter Settings:
Mon May 7 16:58:38 2012 us=172927 config = 'server.conf'
Mon May 7 16:58:38 2012 us=172938 mode = 1
Mon May 7 16:58:38 2012 us=172946 persist_config = DISABLED
Mon May 7 16:58:38 2012 us=172954 persist_mode = 1
Mon May 7 16:58:38 2012 us=172962 show_ciphers = DISABLED
Mon May 7 16:58:38 2012 us=172969 show_digests = DISABLED
Mon May 7 16:58:38 2012 us=172976 show_engines = DISABLED
Mon May 7 16:58:38 2012 us=172984 genkey = DISABLED
Mon May 7 16:58:38 2012 us=172991 key_pass_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=172999 show_tls_ciphers = DISABLED
Mon May 7 16:58:38 2012 us=173006 Connection profiles [default]:
Mon May 7 16:58:38 2012 us=173015 proto = udp
Mon May 7 16:58:38 2012 us=173022 local = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173030 local_port = 1194
Mon May 7 16:58:38 2012 us=173037 remote = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173045 remote_port = 1194
Mon May 7 16:58:38 2012 us=173053 remote_float = DISABLED
Mon May 7 16:58:38 2012 us=173060 bind_defined = DISABLED
Mon May 7 16:58:38 2012 us=173067 bind_local = ENABLED
Mon May 7 16:58:38 2012 us=173075 connect_retry_seconds = 5
Mon May 7 16:58:38 2012 us=173082 connect_timeout = 10
Mon May 7 16:58:38 2012 us=173090 connect_retry_max = 0
Mon May 7 16:58:38 2012 us=173097 socks_proxy_server = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173105 socks_proxy_port = 0
Mon May 7 16:58:38 2012 us=173112 socks_proxy_retry = DISABLED
Mon May 7 16:58:38 2012 us=173123 Connection profiles END
Mon May 7 16:58:38 2012 us=173132 remote_random = DISABLED
Mon May 7 16:58:38 2012 us=173140 ipchange = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173147 dev = 'tap0'
Mon May 7 16:58:38 2012 us=173155 dev_type = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173162 dev_node = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173170 lladdr = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173177 topology = 1
Mon May 7 16:58:38 2012 us=173185 tun_ipv6 = DISABLED
Mon May 7 16:58:38 2012 us=173192 ifconfig_local = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173199 ifconfig_remote_netmask = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173207 ifconfig_noexec = DISABLED
Mon May 7 16:58:38 2012 us=173214 ifconfig_nowarn = DISABLED
Mon May 7 16:58:38 2012 us=173222 shaper = 0
Mon May 7 16:58:38 2012 us=173229 tun_mtu = 1500
Mon May 7 16:58:38 2012 us=173237 tun_mtu_defined = ENABLED
Mon May 7 16:58:38 2012 us=173244 link_mtu = 1500
Mon May 7 16:58:38 2012 us=173252 link_mtu_defined = DISABLED
Mon May 7 16:58:38 2012 us=173259 tun_mtu_extra = 32
Mon May 7 16:58:38 2012 us=173267 tun_mtu_extra_defined = ENABLED
Mon May 7 16:58:38 2012 us=173274 fragment = 0
Mon May 7 16:58:38 2012 us=173282 mtu_discover_type = -1
Mon May 7 16:58:38 2012 us=173289 mtu_test = 0
Mon May 7 16:58:38 2012 us=173297 mlock = DISABLED
Mon May 7 16:58:38 2012 us=173304 keepalive_ping = 10
Mon May 7 16:58:38 2012 us=173312 keepalive_timeout = 60
Mon May 7 16:58:38 2012 us=173319 inactivity_timeout = 0
Mon May 7 16:58:38 2012 us=173327 ping_send_timeout = 10
Mon May 7 16:58:38 2012 us=173334 ping_rec_timeout = 120
Mon May 7 16:58:38 2012 us=173341 ping_rec_timeout_action = 2
Mon May 7 16:58:38 2012 us=173349 ping_timer_remote = DISABLED
Mon May 7 16:58:38 2012 us=173356 remap_sigusr1 = 0
Mon May 7 16:58:38 2012 us=173364 explicit_exit_notification = 0
Mon May 7 16:58:38 2012 us=173371 persist_tun = ENABLED
Mon May 7 16:58:38 2012 us=173379 persist_local_ip = DISABLED
Mon May 7 16:58:38 2012 us=173386 persist_remote_ip = DISABLED
Mon May 7 16:58:38 2012 us=173394 persist_key = ENABLED
Mon May 7 16:58:38 2012 us=173401 mssfix = 1450
Mon May 7 16:58:38 2012 us=173409 passtos = DISABLED
Mon May 7 16:58:38 2012 us=173416 resolve_retry_seconds = 1000000000
Mon May 7 16:58:38 2012 us=173424 username = 'openvpn'
Mon May 7 16:58:38 2012 us=173431 groupname = 'openvpn'
Mon May 7 16:58:38 2012 us=173438 chroot_dir = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173446 cd_dir = '/etc/openvpn'
Mon May 7 16:58:38 2012 us=173458 selinux_context = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173467 writepid = '/var/run/openvpn/server.pid'
Mon May 7 16:58:38 2012 us=173474 up_script = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173482 down_script = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173490 down_pre = DISABLED
Mon May 7 16:58:38 2012 us=173497 up_restart = DISABLED
Mon May 7 16:58:38 2012 us=173505 up_delay = DISABLED
Mon May 7 16:58:38 2012 us=173512 daemon = ENABLED
Mon May 7 16:58:38 2012 us=173520 inetd = 0
Mon May 7 16:58:38 2012 us=173527 log = ENABLED
Mon May 7 16:58:38 2012 us=173534 suppress_timestamps = DISABLED
Mon May 7 16:58:38 2012 us=173542 nice = 0
Mon May 7 16:58:38 2012 us=173549 verbosity = 5
Mon May 7 16:58:38 2012 us=173557 mute = 0
Mon May 7 16:58:38 2012 us=173564 gremlin = 0
Mon May 7 16:58:38 2012 us=173572 status_file = '/var/log/openvpn-status.log'
Mon May 7 16:58:38 2012 us=173580 status_file_version = 1
Mon May 7 16:58:38 2012 us=173587 status_file_update_freq = 60
Mon May 7 16:58:38 2012 us=173595 occ = ENABLED
Mon May 7 16:58:38 2012 us=173602 rcvbuf = 65536
Mon May 7 16:58:38 2012 us=173610 sndbuf = 65536
Mon May 7 16:58:38 2012 us=173618 sockflags = 0
Mon May 7 16:58:38 2012 us=173625 fast_io = DISABLED
Mon May 7 16:58:38 2012 us=173633 lzo = 7
Mon May 7 16:58:38 2012 us=173668 route_script = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173678 route_default_gateway = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173688 route_default_metric = 0
Mon May 7 16:58:38 2012 us=173696 route_noexec = DISABLED
Mon May 7 16:58:38 2012 us=173704 route_delay = 0
Mon May 7 16:58:38 2012 us=173711 route_delay_window = 30
Mon May 7 16:58:38 2012 us=173719 route_delay_defined = DISABLED
Mon May 7 16:58:38 2012 us=173727 route_nopull = DISABLED
Mon May 7 16:58:38 2012 us=173734 route_gateway_via_dhcp = DISABLED
Mon May 7 16:58:38 2012 us=173742 max_routes = 100
Mon May 7 16:58:38 2012 us=173750 allow_pull_fqdn = DISABLED
Mon May 7 16:58:38 2012 us=173757 management_addr = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173765 management_port = 0
Mon May 7 16:58:38 2012 us=173772 management_user_pass = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173780 management_log_history_cache = 250
Mon May 7 16:58:38 2012 us=173787 management_echo_buffer_size = 100
Mon May 7 16:58:38 2012 us=173795 management_write_peer_info_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173803 management_client_user = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173810 management_client_group = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173818 management_flags = 0
Mon May 7 16:58:38 2012 us=173825 shared_secret_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173833 key_direction = 0
Mon May 7 16:58:38 2012 us=173841 ciphername_defined = ENABLED
Mon May 7 16:58:38 2012 us=173848 ciphername = 'AES-256-CBC'
Mon May 7 16:58:38 2012 us=173856 authname_defined = ENABLED
Mon May 7 16:58:38 2012 us=173863 authname = 'SHA1'
Mon May 7 16:58:38 2012 us=173870 prng_hash = 'SHA1'
Mon May 7 16:58:38 2012 us=173878 prng_nonce_secret_len = 16
Mon May 7 16:58:38 2012 us=173885 keysize = 0
Mon May 7 16:58:38 2012 us=173893 engine = DISABLED
Mon May 7 16:58:38 2012 us=173900 replay = ENABLED
Mon May 7 16:58:38 2012 us=173908 mute_replay_warnings = DISABLED
Mon May 7 16:58:38 2012 us=173915 replay_window = 64
Mon May 7 16:58:38 2012 us=173923 replay_time = 15
Mon May 7 16:58:38 2012 us=173930 packet_id_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=173938 use_iv = ENABLED
Mon May 7 16:58:38 2012 us=173945 test_crypto = DISABLED
Mon May 7 16:58:38 2012 us=173953 tls_server = ENABLED
Mon May 7 16:58:38 2012 us=173960 tls_client = DISABLED
Mon May 7 16:58:38 2012 us=173977 key_method = 2
Mon May 7 16:58:38 2012 us=173989 ca_file = '/etc/openvpn/easy-rsa/2.0/keys/ca.crt'
Mon May 7 16:58:38 2012 us=173997 ca_path = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174004 dh_file = '/etc/openvpn/easy-rsa/2.0/keys/dh2048.pem'
Mon May 7 16:58:38 2012 us=174017 cert_file = '/etc/openvpn/easy-rsa/2.0/keys/server.crt'
Mon May 7 16:58:38 2012 us=174026 priv_key_file = '/etc/openvpn/easy-rsa/2.0/keys/server.key'
Mon May 7 16:58:38 2012 us=174033 pkcs12_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174041 cipher_list = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174048 tls_verify = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174056 tls_export_cert = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174063 tls_remote = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174071 crl_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174078 ns_cert_type = 0
Mon May 7 16:58:38 2012 us=174086 remote_cert_ku = 0
Mon May 7 16:58:38 2012 us=174205 remote_cert_eku = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174213 tls_timeout = 2
Mon May 7 16:58:38 2012 us=174220 renegotiate_bytes = 0
Mon May 7 16:58:38 2012 us=174228 renegotiate_packets = 0
Mon May 7 16:58:38 2012 us=174236 renegotiate_seconds = 3600
Mon May 7 16:58:38 2012 us=174243 handshake_window = 60
Mon May 7 16:58:38 2012 us=174251 transition_window = 3600
Mon May 7 16:58:38 2012 us=174258 single_session = DISABLED
Mon May 7 16:58:38 2012 us=174265 push_peer_info = DISABLED
Mon May 7 16:58:38 2012 us=174273 tls_exit = DISABLED
Mon May 7 16:58:38 2012 us=174280 tls_auth_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174288 pkcs11_protected_authentication = DISABLED
Mon May 7 16:58:38 2012 us=174408 pkcs11_private_mode = 00000000
Mon May 7 16:58:38 2012 us=174532 pkcs11_cert_private = DISABLED
Mon May 7 16:58:38 2012 us=174673 pkcs11_pin_cache_period = -1
Mon May 7 16:58:38 2012 us=174680 pkcs11_id = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174688 pkcs11_id_management = DISABLED
Mon May 7 16:58:38 2012 us=174697 server_network = 0.0.0.0
Mon May 7 16:58:38 2012 us=174705 server_netmask = 0.0.0.0
Mon May 7 16:58:38 2012 us=174713 server_bridge_ip = 192.168.1.47
Mon May 7 16:58:38 2012 us=174721 server_bridge_netmask = 255.255.255.0
Mon May 7 16:58:38 2012 us=174730 server_bridge_pool_start = 192.168.1.200
Mon May 7 16:58:38 2012 us=174738 server_bridge_pool_end = 192.168.1.230
Mon May 7 16:58:38 2012 us=174746 push_entry = 'route 192.168.1.0 255.255.255.0'
Mon May 7 16:58:38 2012 us=174753 push_entry = 'route-gateway 192.168.1.47'
Mon May 7 16:58:38 2012 us=174761 push_entry = 'ping 10'
Mon May 7 16:58:38 2012 us=174768 push_entry = 'ping-restart 60'
Mon May 7 16:58:38 2012 us=174776 ifconfig_pool_defined = ENABLED
Mon May 7 16:58:38 2012 us=174784 ifconfig_pool_start = 192.168.1.200
Mon May 7 16:58:38 2012 us=174792 ifconfig_pool_end = 192.168.1.230
Mon May 7 16:58:38 2012 us=174801 ifconfig_pool_netmask = 255.255.255.0
Mon May 7 16:58:38 2012 us=174808 ifconfig_pool_persist_filename = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174816 ifconfig_pool_persist_refresh_freq = 600
Mon May 7 16:58:38 2012 us=174823 n_bcast_buf = 256
Mon May 7 16:58:38 2012 us=174831 tcp_queue_limit = 64
Mon May 7 16:58:38 2012 us=174838 real_hash_size = 256
Mon May 7 16:58:38 2012 us=174846 virtual_hash_size = 256
Mon May 7 16:58:38 2012 us=174854 client_connect_script = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174861 learn_address_script = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174869 client_disconnect_script = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174876 client_config_dir = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174884 ccd_exclusive = DISABLED
Mon May 7 16:58:38 2012 us=174892 tmp_dir = '/tmp'
Mon May 7 16:58:38 2012 us=174899 push_ifconfig_defined = DISABLED
Mon May 7 16:58:38 2012 us=174908 push_ifconfig_local = 0.0.0.0
Mon May 7 16:58:38 2012 us=174916 push_ifconfig_remote_netmask = 0.0.0.0
Mon May 7 16:58:38 2012 us=174923 enable_c2c = DISABLED
Mon May 7 16:58:38 2012 us=174931 duplicate_cn = DISABLED
Mon May 7 16:58:38 2012 us=174938 cf_max = 0
Mon May 7 16:58:38 2012 us=174946 cf_per = 0
Mon May 7 16:58:38 2012 us=174954 max_clients = 1024
Mon May 7 16:58:38 2012 us=174961 max_routes_per_client = 256
Mon May 7 16:58:38 2012 us=174973 auth_user_pass_verify_script = '[UNDEF]'
Mon May 7 16:58:38 2012 us=174981 auth_user_pass_verify_script_via_file = DISABLED
Mon May 7 16:58:38 2012 us=174989 ssl_flags = 0
Mon May 7 16:58:38 2012 us=174997 port_share_host = '[UNDEF]'
Mon May 7 16:58:38 2012 us=175004 port_share_port = 0
Mon May 7 16:58:38 2012 us=175012 client = DISABLED
Mon May 7 16:58:38 2012 us=175019 pull = DISABLED
Mon May 7 16:58:38 2012 us=175027 auth_user_pass_file = '[UNDEF]'
Mon May 7 16:58:38 2012 us=175040 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Mon May 7 16:58:38 2012 us=175132 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Mon May 7 16:58:38 2012 us=175417 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon May 7 16:58:38 2012 us=175434 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon May 7 16:58:38 2012 us=188722 Diffie-Hellman initialized with 2048 bit key
Mon May 7 16:58:38 2012 us=189371 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 7 16:58:38 2012 us=189493 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon May 7 16:58:38 2012 us=190396 TUN/TAP device tap0 opened
Mon May 7 16:58:38 2012 us=190428 TUN/TAP TX queue length set to 100
Mon May 7 16:58:38 2012 us=190469 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon May 7 16:58:38 2012 us=195276 GID set to openvpn
Mon May 7 16:58:38 2012 us=195326 UID set to openvpn
Mon May 7 16:58:38 2012 us=195352 UDPv4 link local (bound): [undef]:1194
Mon May 7 16:58:38 2012 us=195362 UDPv4 link remote: [undef]
Mon May 7 16:58:38 2012 us=195374 MULTI: multi_init called, r=256 v=256
Mon May 7 16:58:38 2012 us=195437 IFCONFIG POOL: base=192.168.1.200 size=31
Mon May 7 16:58:38 2012 us=195471 Initialization Sequence Completed
Mon May 7 16:58:47 2012 us=370969 MULTI: multi_create_instance called
Mon May 7 16:58:47 2012 us=371044 yyy.yyy.yyy.yyy:23323 Re-using SSL/TLS context
Mon May 7 16:58:47 2012 us=371084 yyy.yyy.yyy.yyy:23323 LZO compression initialized
Mon May 7 16:58:47 2012 us=371233 yyy.yyy.yyy.yyy:23323 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 7 16:58:47 2012 us=371251 yyy.yyy.yyy.yyy:23323 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon May 7 16:58:47 2012 us=371280 yyy.yyy.yyy.yyy:23323 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Mon May 7 16:58:47 2012 us=371289 yyy.yyy.yyy.yyy:23323 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Mon May 7 16:58:47 2012 us=371310 yyy.yyy.yyy.yyy:23323 Local Options hash (VER=V4): '1a6d5c5d'
Mon May 7 16:58:47 2012 us=371323 yyy.yyy.yyy.yyy:23323 Expected Remote Options hash (VER=V4): 'c6c7c21a'
RMon May 7 16:58:47 2012 us=371421 yyy.yyy.yyy.yyy:23323 TLS: Initial packet from yyy.yyy.yyy.yyy:23323, sid=3475d622 7100906d
Mon May 7 16:58:47 2012 us=735873 yyy.yyy.yyy.yyy:23323 VERIFY OK: depth=1, /C=...
Mon May 7 16:58:47 2012 us=736084 yyy.yyy.yyy.yyy:23323 VERIFY OK: depth=0, /C=...
Mon May 7 16:58:47 2012 us=853392 yyy.yyy.yyy.yyy:23323 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 7 16:58:47 2012 us=853413 yyy.yyy.yyy.yyy:23323 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 7 16:58:47 2012 us=872244 yyy.yyy.yyy.yyy:23323 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon May 7 16:58:47 2012 us=872270 yyy.yyy.yyy.yyy:23323 [theclient] Peer Connection Initiated with yyy.yyy.yyy.yyy:23323
RMon May 7 16:58:50 2012 us=250174 theclient/yyy.yyy.yyy.yyy:23323 PUSH: Received control message: 'PUSH_REQUEST'
Mon May 7 16:58:50 2012 us=250229 theclient/yyy.yyy.yyy.yyy:23323 SENT CONTROL [theclient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 192.168.1.47,ping 10,ping-restart 60,ifconfig 192.168.1.200 255.255.255.0' (status=1)
Mon May 7 16:58:50 2012 us=286274 theclient/yyy.yyy.yyy.yyy:23323 MULTI: Learn: 00:ff:81:6c:90:59 -> theclient/yyy.yyy.yyy.yyy:23323
netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:38800 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.47:22 192.168.1.20:54449 ESTABLISHED
tcp 0 0 192.168.1.47:22 192.168.1.20:54374 ESTABLISHED
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::60211 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 :::5672 :::* LISTEN
netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 br0
Client (Windows 7, admin permissions, OpenVPN GUI 1.0.3, original IP: 192.168.60.190, VPN IP: 192.168.1.200):
client.ovpn
client
# Must be tap, not tun, to match the server's "dev tap0"; the server log's
# expected remote options string contains "dev-type tap".
dev tap
proto udp
remote xxx.xxx.xxx.xxx
port 1194
nobind
ca "C:/Program Files (x86)/OpenVPN/config/ca.crt"
# NOTE(review): the client log reports cert_file/priv_key_file as
# theclient.crt/theclient.key, not client.crt/client.key — this posted
# file may differ from the one that produced the log; verify which is loaded.
cert "C:/Program Files (x86)/OpenVPN/config/client.crt"
key "C:/Program Files (x86)/OpenVPN/config/client.key"
comp-lzo
verb 6
# NOTE(review): the client log shows remote_cert_eku = '[UNDEF]' and
# ns_cert_type = 0, i.e. no check that the peer certificate is a server
# certificate; any certificate issued by this CA would be accepted as the
# server. Adding "remote-cert-tls server" closes that gap, provided the
# server certificate was issued with the server extended key usage.
cipher AES-256-CBC
Client Log:
Mon May 07 16:32:54 2012 us=608000 Current Parameter Settings:
Mon May 07 16:32:54 2012 us=608000 config = 'client.ovpn'
Mon May 07 16:32:54 2012 us=608000 mode = 0
Mon May 07 16:32:54 2012 us=608000 show_ciphers = DISABLED
Mon May 07 16:32:54 2012 us=608000 show_digests = DISABLED
Mon May 07 16:32:54 2012 us=608000 show_engines = DISABLED
Mon May 07 16:32:54 2012 us=608000 genkey = DISABLED
Mon May 07 16:32:54 2012 us=608000 key_pass_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 show_tls_ciphers = DISABLED
Mon May 07 16:32:54 2012 us=608000 Connection profiles [default]:
Mon May 07 16:32:54 2012 us=608000 proto = udp
Mon May 07 16:32:54 2012 us=608000 local = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 local_port = 0
Mon May 07 16:32:54 2012 us=608000 remote = 'xxx.xxx.xxx.xxx'
Mon May 07 16:32:54 2012 us=608000 remote_port = 1194
Mon May 07 16:32:54 2012 us=608000 remote_float = DISABLED
Mon May 07 16:32:54 2012 us=608000 bind_defined = DISABLED
Mon May 07 16:32:54 2012 us=608000 bind_local = DISABLED
Mon May 07 16:32:54 2012 us=608000 connect_retry_seconds = 5
Mon May 07 16:32:54 2012 us=608000 connect_timeout = 10
Mon May 07 16:32:54 2012 us=608000 connect_retry_max = 0
Mon May 07 16:32:54 2012 us=608000 socks_proxy_server = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 socks_proxy_port = 0
Mon May 07 16:32:54 2012 us=608000 socks_proxy_retry = DISABLED
Mon May 07 16:32:54 2012 us=608000 Connection profiles END
Mon May 07 16:32:54 2012 us=608000 remote_random = DISABLED
Mon May 07 16:32:54 2012 us=608000 ipchange = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 dev = 'tap'
Mon May 07 16:32:54 2012 us=608000 dev_type = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 dev_node = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 lladdr = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 topology = 1
Mon May 07 16:32:54 2012 us=608000 tun_ipv6 = DISABLED
Mon May 07 16:32:54 2012 us=608000 ifconfig_local = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 ifconfig_remote_netmask = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 ifconfig_noexec = DISABLED
Mon May 07 16:32:54 2012 us=608000 ifconfig_nowarn = DISABLED
Mon May 07 16:32:54 2012 us=608000 shaper = 0
Mon May 07 16:32:54 2012 us=608000 tun_mtu = 1500
Mon May 07 16:32:54 2012 us=608000 tun_mtu_defined = ENABLED
Mon May 07 16:32:54 2012 us=608000 link_mtu = 1500
Mon May 07 16:32:54 2012 us=608000 link_mtu_defined = DISABLED
Mon May 07 16:32:54 2012 us=608000 tun_mtu_extra = 32
Mon May 07 16:32:54 2012 us=608000 tun_mtu_extra_defined = ENABLED
Mon May 07 16:32:54 2012 us=608000 fragment = 0
Mon May 07 16:32:54 2012 us=608000 mtu_discover_type = -1
Mon May 07 16:32:54 2012 us=608000 mtu_test = 0
Mon May 07 16:32:54 2012 us=608000 mlock = DISABLED
Mon May 07 16:32:54 2012 us=608000 keepalive_ping = 0
Mon May 07 16:32:54 2012 us=608000 keepalive_timeout = 0
Mon May 07 16:32:54 2012 us=608000 inactivity_timeout = 0
Mon May 07 16:32:54 2012 us=608000 ping_send_timeout = 0
Mon May 07 16:32:54 2012 us=608000 ping_rec_timeout = 0
Mon May 07 16:32:54 2012 us=608000 ping_rec_timeout_action = 0
Mon May 07 16:32:54 2012 us=608000 ping_timer_remote = DISABLED
Mon May 07 16:32:54 2012 us=608000 remap_sigusr1 = 0
Mon May 07 16:32:54 2012 us=608000 explicit_exit_notification = 0
Mon May 07 16:32:54 2012 us=608000 persist_tun = DISABLED
Mon May 07 16:32:54 2012 us=608000 persist_local_ip = DISABLED
Mon May 07 16:32:54 2012 us=608000 persist_remote_ip = DISABLED
Mon May 07 16:32:54 2012 us=608000 persist_key = DISABLED
Mon May 07 16:32:54 2012 us=608000 mssfix = 1450
Mon May 07 16:32:54 2012 us=608000 resolve_retry_seconds = 1000000000
Mon May 07 16:32:54 2012 us=608000 username = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 groupname = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 chroot_dir = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 cd_dir = '[UNDEF]'
Mon May 07 16:32:54 2012 us=608000 writepid = '[UNDEF]'
Mon May 07 16:32:54 2012 us=857000 up_script = '[UNDEF]'
Mon May 07 16:32:54 2012 us=857000 down_script = '[UNDEF]'
Mon May 07 16:32:54 2012 us=857000 down_pre = DISABLED
Mon May 07 16:32:54 2012 us=857000 up_restart = DISABLED
Mon May 07 16:32:54 2012 us=857000 up_delay = DISABLED
Mon May 07 16:32:54 2012 us=857000 daemon = DISABLED
Mon May 07 16:32:54 2012 us=857000 inetd = 0
Mon May 07 16:32:54 2012 us=857000 log = DISABLED
Mon May 07 16:32:54 2012 us=857000 suppress_timestamps = DISABLED
Mon May 07 16:32:54 2012 us=857000 nice = 0
Mon May 07 16:32:54 2012 us=857000 verbosity = 6
Mon May 07 16:32:54 2012 us=857000 mute = 0
Mon May 07 16:32:54 2012 us=857000 gremlin = 0
Mon May 07 16:32:54 2012 us=857000 status_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=857000 status_file_version = 1
Mon May 07 16:32:54 2012 us=857000 status_file_update_freq = 60
Mon May 07 16:32:54 2012 us=857000 occ = ENABLED
Mon May 07 16:32:54 2012 us=857000 rcvbuf = 0
Mon May 07 16:32:54 2012 us=857000 sndbuf = 0
Mon May 07 16:32:54 2012 us=857000 sockflags = 0
Mon May 07 16:32:54 2012 us=857000 fast_io = DISABLED
Mon May 07 16:32:54 2012 us=857000 lzo = 7
Mon May 07 16:32:54 2012 us=857000 route_script = '[UNDEF]'
Mon May 07 16:32:54 2012 us=857000 route_default_gateway = '[UNDEF]'
Mon May 07 16:32:54 2012 us=857000 route_default_metric = 0
Mon May 07 16:32:54 2012 us=857000 route_noexec = DISABLED
Mon May 07 16:32:54 2012 us=857000 route_delay = 5
Mon May 07 16:32:54 2012 us=857000 route_delay_window = 30
Mon May 07 16:32:54 2012 us=857000 route_delay_defined = ENABLED
Mon May 07 16:32:54 2012 us=857000 route_nopull = DISABLED
Mon May 07 16:32:54 2012 us=857000 route_gateway_via_dhcp = DISABLED
Mon May 07 16:32:54 2012 us=857000 max_routes = 100
Mon May 07 16:32:54 2012 us=857000 allow_pull_fqdn = DISABLED
Mon May 07 16:32:54 2012 us=857000 management_addr = '[UNDEF]'
Mon May 07 16:32:54 2012 us=857000 management_port = 0
Mon May 07 16:32:54 2012 us=873000 management_user_pass = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 management_log_history_cache = 250
Mon May 07 16:32:54 2012 us=873000 management_echo_buffer_size = 100
Mon May 07 16:32:54 2012 us=873000 management_write_peer_info_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 management_client_user = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 management_client_group = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 management_flags = 0
Mon May 07 16:32:54 2012 us=873000 shared_secret_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 key_direction = 0
Mon May 07 16:32:54 2012 us=873000 ciphername_defined = ENABLED
Mon May 07 16:32:54 2012 us=873000 ciphername = 'AES-256-CBC'
Mon May 07 16:32:54 2012 us=873000 authname_defined = ENABLED
Mon May 07 16:32:54 2012 us=873000 authname = 'SHA1'
Mon May 07 16:32:54 2012 us=873000 prng_hash = 'SHA1'
Mon May 07 16:32:54 2012 us=873000 prng_nonce_secret_len = 16
Mon May 07 16:32:54 2012 us=873000 keysize = 0
Mon May 07 16:32:54 2012 us=873000 engine = DISABLED
Mon May 07 16:32:54 2012 us=873000 replay = ENABLED
Mon May 07 16:32:54 2012 us=873000 mute_replay_warnings = DISABLED
Mon May 07 16:32:54 2012 us=873000 replay_window = 64
Mon May 07 16:32:54 2012 us=873000 replay_time = 15
Mon May 07 16:32:54 2012 us=873000 packet_id_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 use_iv = ENABLED
Mon May 07 16:32:54 2012 us=873000 test_crypto = DISABLED
Mon May 07 16:32:54 2012 us=873000 tls_server = DISABLED
Mon May 07 16:32:54 2012 us=873000 tls_client = ENABLED
Mon May 07 16:32:54 2012 us=873000 key_method = 2
Mon May 07 16:32:54 2012 us=873000 ca_file = 'C:/Program Files (x86)/OpenVPN/config/ca.crt'
Mon May 07 16:32:54 2012 us=873000 ca_path = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 dh_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=873000 cert_file = 'C:/Program Files (x86)/OpenVPN/config/theclient.crt'
Mon May 07 16:32:54 2012 us=873000 priv_key_file = 'C:/Program Files (x86)/OpenVPN/config/theclient.key'
Mon May 07 16:32:54 2012 us=889000 pkcs12_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 cryptoapi_cert = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 cipher_list = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 tls_verify = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 tls_export_cert = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 tls_remote = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 crl_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 ns_cert_type = 0
Mon May 07 16:32:54 2012 us=889000 remote_cert_ku = 0
Mon May 07 16:32:54 2012 us=889000 remote_cert_eku = '[UNDEF]'
Mon May 07 16:32:54 2012 us=889000 tls_timeout = 2
Mon May 07 16:32:54 2012 us=889000 renegotiate_bytes = 0
Mon May 07 16:32:54 2012 us=889000 renegotiate_packets = 0
Mon May 07 16:32:54 2012 us=889000 renegotiate_seconds = 3600
Mon May 07 16:32:54 2012 us=889000 handshake_window = 60
Mon May 07 16:32:54 2012 us=889000 transition_window = 3600
Mon May 07 16:32:54 2012 us=889000 single_session = DISABLED
Mon May 07 16:32:54 2012 us=904000 push_peer_info = DISABLED
Mon May 07 16:32:54 2012 us=904000 tls_exit = DISABLED
Mon May 07 16:32:54 2012 us=904000 tls_auth_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=904000 pkcs11_protected_authentication = DISABLED
Mon May 07 16:32:54 2012 us=920000 pkcs11_private_mode = 00000000
Mon May 07 16:32:54 2012 us=935000 pkcs11_cert_private = DISABLED
Mon May 07 16:32:54 2012 us=935000 pkcs11_pin_cache_period = -1
Mon May 07 16:32:54 2012 us=935000 pkcs11_id = '[UNDEF]'
Mon May 07 16:32:54 2012 us=935000 pkcs11_id_management = DISABLED
Mon May 07 16:32:54 2012 us=935000 server_network = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 server_netmask = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 server_bridge_ip = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 server_bridge_netmask = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 server_bridge_pool_start = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 server_bridge_pool_end = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 ifconfig_pool_defined = DISABLED
Mon May 07 16:32:54 2012 us=935000 ifconfig_pool_start = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 ifconfig_pool_end = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 ifconfig_pool_netmask = 0.0.0.0
Mon May 07 16:32:54 2012 us=935000 ifconfig_pool_persist_filename = '[UNDEF]'
Mon May 07 16:32:54 2012 us=935000 ifconfig_pool_persist_refresh_freq = 600
Mon May 07 16:32:54 2012 us=935000 n_bcast_buf = 256
Mon May 07 16:32:54 2012 us=935000 tcp_queue_limit = 64
Mon May 07 16:32:54 2012 us=935000 real_hash_size = 256
Mon May 07 16:32:54 2012 us=935000 virtual_hash_size = 256
Mon May 07 16:32:54 2012 us=951000 client_connect_script = '[UNDEF]'
Mon May 07 16:32:54 2012 us=951000 learn_address_script = '[UNDEF]'
Mon May 07 16:32:54 2012 us=951000 client_disconnect_script = '[UNDEF]'
Mon May 07 16:32:54 2012 us=951000 client_config_dir = '[UNDEF]'
Mon May 07 16:32:54 2012 us=951000 ccd_exclusive = DISABLED
Mon May 07 16:32:54 2012 us=951000 tmp_dir = 'C:\Temp\'
Mon May 07 16:32:54 2012 us=951000 push_ifconfig_defined = DISABLED
Mon May 07 16:32:54 2012 us=951000 push_ifconfig_local = 0.0.0.0
Mon May 07 16:32:54 2012 us=951000 push_ifconfig_remote_netmask = 0.0.0.0
Mon May 07 16:32:54 2012 us=951000 enable_c2c = DISABLED
Mon May 07 16:32:54 2012 us=951000 duplicate_cn = DISABLED
Mon May 07 16:32:54 2012 us=951000 cf_max = 0
Mon May 07 16:32:54 2012 us=951000 cf_per = 0
Mon May 07 16:32:54 2012 us=951000 max_clients = 1024
Mon May 07 16:32:54 2012 us=951000 max_routes_per_client = 256
Mon May 07 16:32:54 2012 us=951000 auth_user_pass_verify_script = '[UNDEF]'
Mon May 07 16:32:54 2012 us=951000 auth_user_pass_verify_script_via_file = DISABLED
Mon May 07 16:32:54 2012 us=951000 ssl_flags = 0
Mon May 07 16:32:54 2012 us=951000 client = ENABLED
Mon May 07 16:32:54 2012 us=951000 pull = ENABLED
Mon May 07 16:32:54 2012 us=951000 auth_user_pass_file = '[UNDEF]'
Mon May 07 16:32:54 2012 us=951000 show_net_up = DISABLED
Mon May 07 16:32:54 2012 us=951000 route_method = 0
Mon May 07 16:32:54 2012 us=951000 ip_win32_defined = DISABLED
Mon May 07 16:32:54 2012 us=951000 ip_win32_type = 3
Mon May 07 16:32:54 2012 us=951000 dhcp_masq_offset = 0
Mon May 07 16:32:54 2012 us=951000 dhcp_lease_time = 31536000
Mon May 07 16:32:54 2012 us=951000 tap_sleep = 0
Mon May 07 16:32:54 2012 us=951000 dhcp_options = DISABLED
Mon May 07 16:32:54 2012 us=951000 dhcp_renew = DISABLED
Mon May 07 16:32:54 2012 us=951000 dhcp_pre_release = DISABLED
Mon May 07 16:32:54 2012 us=967000 dhcp_release = DISABLED
Mon May 07 16:32:54 2012 us=967000 domain = '[UNDEF]'
Mon May 07 16:32:54 2012 us=967000 netbios_scope = '[UNDEF]'
Mon May 07 16:32:54 2012 us=967000 netbios_node_type = 0
Mon May 07 16:32:54 2012 us=967000 disable_nbt = DISABLED
Mon May 07 16:32:54 2012 us=967000 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon May 07 16:32:54 2012 us=967000 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon May 07 16:32:54 2012 us=967000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon May 07 16:32:55 2012 us=76000 LZO compression initialized
Mon May 07 16:32:55 2012 us=76000 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 07 16:32:55 2012 us=76000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon May 07 16:32:55 2012 us=91000 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon May 07 16:32:55 2012 us=91000 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Mon May 07 16:32:55 2012 us=91000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Mon May 07 16:32:55 2012 us=91000 Local Options hash (VER=V4): 'c6c7c21a'
Mon May 07 16:32:55 2012 us=91000 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Mon May 07 16:32:55 2012 us=91000 UDPv4 link local: [undef]
...
Mon May 07 16:32:55 2012 us=123000 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=f47734c3 cfc4234a
...
Mon May 07 16:32:55 2012 us=263000 VERIFY OK: depth=1, /C=...
Mon May 07 16:32:55 2012 us=263000 VERIFY OK: depth=0, /C=...
...
Mon May 07 16:32:55 2012 us=591000 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 07 16:32:55 2012 us=591000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 07 16:32:55 2012 us=591000 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 07 16:32:55 2012 us=591000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 07 16:32:55 2012 us=591000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon May 07 16:32:55 2012 us=591000 [192.168.1.47] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Mon May 07 16:32:57 2012 us=634000 SENT CONTROL [192.168.1.47]: 'PUSH_REQUEST' (status=1)
...
Mon May 07 16:32:57 2012 us=650000 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 192.168.1.47,ping 10,ping-restart 60,ifconfig 192.168.1.200 255.255.255.0'
Mon May 07 16:32:57 2012 us=650000 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 07 16:32:57 2012 us=650000 OPTIONS IMPORT: --ifconfig/up options modified
Mon May 07 16:32:57 2012 us=650000 OPTIONS IMPORT: route options modified
Mon May 07 16:32:57 2012 us=650000 OPTIONS IMPORT: route-related options modified
Mon May 07 16:32:57 2012 us=650000 ROUTE default_gateway=192.168.60.254
Mon May 07 16:32:57 2012 us=650000 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{816C9059-A6FC-4C9E-B763-8462ADF61F54}.tap
Mon May 07 16:32:57 2012 us=650000 TAP-Win32 Driver Version 9.9
Mon May 07 16:32:57 2012 us=650000 TAP-Win32 MTU=1500
Mon May 07 16:32:57 2012 us=650000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.200/255.255.255.0 on interface {816C9059-A6FC-4C9E-B763-8462ADF61F54} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
Mon May 07 16:32:57 2012 us=650000 Successful ARP Flush on interface [18] {816C9059-A6FC-4C9E-B763-8462ADF61F54}
...
Mon May 07 16:32:57 2012 us=650000 TUN READ [42]
Mon May 07 16:32:57 2012 us=650000 UDPv4 WRITE [85] to ...
...
Mon May 07 16:33:02 2012 us=34000 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Mon May 07 16:33:02 2012 us=34000 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.47
Mon May 07 16:33:02 2012 us=34000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon May 07 16:33:02 2012 us=34000 Route addition via IPAPI succeeded [adaptive]
Mon May 07 16:33:02 2012 us=34000 Initialization Sequence Completed
...
Client ipconfig
Ethernet adapter OpenVPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-81-6C-90-59
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b094:9d9d:1f4d:af5a%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.200(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Montag, 7. Mai 2012 16:32:57
Lease Expires . . . . . . . . . . : Dienstag, 7. Mai 2013 16:32:57
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.1.0
DHCPv6 IAID . . . . . . . . . . . : 419495809
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-9E-9D-57-18-03-73-DD-B3-51
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 18-03-73-DD-B3-51
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.60.190(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.60.254
DNS Servers . . . . . . . . . . . : 192.168.60.49
NetBIOS over Tcpip. . . . . . . . : Enabled
Client netstat -rn
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.60.254 192.168.60.190 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.200 286
192.168.1.0 255.255.255.0 192.168.1.47 192.168.1.200 30
192.168.1.200 255.255.255.255 On-link 192.168.1.200 286
192.168.1.255 255.255.255.255 On-link 192.168.1.200 286
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
192.168.60.0 255.255.255.0 On-link 192.168.60.190 266
192.168.60.190 255.255.255.255 On-link 192.168.60.190 266
192.168.60.255 255.255.255.255 On-link 192.168.60.190 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 192.168.60.190 266
224.0.0.0 240.0.0.0 On-link 192.168.1.200 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 192.168.60.190 266
255.255.255.255 255.255.255.255 On-link 192.168.1.200 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.60.254 Default
===========================================================================
"Destination hosts unreachable" in bridged OpenVPN
Re: "Destination hosts unreachable" in bridged OpenVPN
Remove this line from your server's config: push "route 192.168.1.0 255.255.255.0"
Re: "Destination hosts unreachable" in bridged OpenVPN
I had the exact same issue and struggled to find the cause, but finally resolved it. Thought I might share it with you. You need to add the following rule on your OpenVPN server.
If you are running in bridge mode (tap):
iptables -t nat -I POSTROUTING -i tap+ -o eth0 -s 192.168.99.0/24 -j MASQUERADE
where 192.168.99.0/24 is the network that the OpenVPN server and the other devices/systems are on.
OR
if you are running in routing mode (tun):
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.200.0/24 -j MASQUERADE
where 192.168.200.0/24 is the network on which the VPN clients are.
This resolved my communication with the other systems on the OpenVPN network. Note that masquerading rewrites the VPN client's source address to the server's address, so host-level logs and access rules on the LAN will see the server rather than the individual client. These rules are lost when the OpenVPN server reboots, so you need to save them: service iptables save (on CentOS/Red Hat).
Re: "Destination hosts unreachable" in bridged OpenVPN
Sorry for bringing back an old topic, but I'm having this exact problem and have tried everything I could find, to no avail.
Basically I can connect, but then I can't ping anything internally. This is also bridged using tap, obviously.
I probably have extra routes I don't need, left over from all the different tests I tried.
Server.conf
iptables
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.3.2.20 10.3.2.1 255.255.255.255 UGH 0 0 0 eth0
10.3.3.192 10.3.2.20 255.255.255.192 UG 0 0 0 br0
10.3.2.0 0.0.0.0 255.255.254.0 U 0 0 0 br0
10.3.2.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 10.3.2.1 0.0.0.0 UG 0 0 0 br0
Server.conf
local 10.3.2.20
port 1194
proto udp
dev tap0
;dev tun
;dev-node tap-bridge
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login
;server-bridge 10.0.0.26 255.255.255.0 10.0.0.200 10.0.0.250
ifconfig-pool-persist ipp.txt
server-bridge 10.3.2.20 255.255.254.0 10.3.3.200 10.3.3.250
server-bridge
push "route 10.3.2.0 255.255.254.0"
;push "route x.x.x.0 255.255.255.0"
;push "route x.x.x.0 255.255.255.0"
;push "route x.x.x.x/24"
;push "route x.x.x.0 255.255.255.0"
;push "route x.x.x.x/29"
;push "route x.x.x.0 255.255.255.0"
push "route 10.22.0.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.3.2.14"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 10.3.2.12"
;client-to-client
keepalive 60 120
cipher AES-128-CBC # AES
comp-lzo
max-clients 30
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
mute 10
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 10.3.5.0/24 0.0.0.0/0
2 MASQUERADE all -- 10.3.2.0/23 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination