tap configuration conncection timeout (wsaetimedout)

[McDexter]

Hi, i cant find any tap related posts so here is one...

My OpenVPN server is behind firewall. I've redirected 1194 port, and created tun configuration. It works really nice - i can connect from remote client and have access to vpn server.

I decided to run tap conf. Server stats but client can't connect. I get WSAETIMEDOUT message.

Here is my config:

Code: Select all

;local 192.168.0.2
port 1194
proto tcp
dev tap
dev-node tap-bridge
;dev tun
;dev-node MyTap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
;server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.254
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;push "route 192.168.0.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 6
;mute 20

I also run Ethernet bridge on Linux

Code: Select all

br="br0"
tap="tap0"
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

ifconfig

Code: Select all

br0       Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee6:d412/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7767 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:622087 (607.5 Kb)  TX bytes:2804811 (2.6 Mb)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          inet6 addr: fe80::20c:29ff:fee6:d412/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:11524 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8230 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1437988 (1.3 Mb)  TX bytes:5262926 (5.0 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:770935 (752.8 Kb)  TX bytes:770935 (752.8 Kb)

tap0      Link encap:Ethernet  HWaddr BA:EC:7A:09:68:63
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

iptables -vnL

Code: Select all

Chain INPUT (policy ACCEPT 159 packets, 50649 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0
 3506  305K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3673 packets, 2651K bytes)
 pkts bytes target     prot opt in     out     source               destination

Please help what's wrong

[maikcat]

hi there,

use

dev tap0

instead of

dev tap

on your server config

Michael.

[McDexter]

tap0 gives no change.. client still gets wsaetimedout

[maikcat]

try to telnet to openvpn server port,its tcp based so it should respond...

try it from your lan & from internet...

maybe your router blocks traffic?

Michael.

[maikcat]

can you post logs?

Michael.

[McDexter]

As I wrote, port was redirected on firewall, and tun config is working fine.
I double check and I can telnet from external ip and I also can see it in logs server logs:

Code: Select all

Jan 29 12:42:34 vpn openvpn[10091]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:1220

I'm pretty sure the problem is not firewall related... I can't see other explanation

When I try to connect to tap server I don't see any connection requests in vpn logs.
The last thing is:

Code: Select all

Initialization Sequence Completed
Jan 29 12:48:47 vpn openvpn[10975]: ..done

This would mean that there is something wrong with openvpn setup, or maybe routing or nics ?

[McDexter]

Maybe I should add that I use OpenSuse and i run server by /etc/init.d/openvpn start

[maikcat]

use verb 3 on your config and try to start openvpn by

openvpn --config /etc/openvpn/yourconfig.conf

paste the output here..

Michael.

[McDexter]

Code: Select all

openvpn --config /etc/openvpn/server.conf
Tue Jan 29 13:11:48 2013 OpenVPN 2.2.2 x86_64-suse-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Dec 14 2011
Tue Jan 29 13:11:48 2013 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Jan 29 13:11:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jan 29 13:11:48 2013 Diffie-Hellman initialized with 1024 bit key
Tue Jan 29 13:11:48 2013 TLS-Auth MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jan 29 13:11:48 2013 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Jan 29 13:11:48 2013 Note: Cannot open TUN/TAP dev tap-bridge: No such file or directory (errno=2)
Tue Jan 29 13:11:48 2013 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jan 29 13:11:48 2013 Listening for incoming TCP connection on [undef]:1194
Tue Jan 29 13:11:48 2013 TCPv4_SERVER link local (bound): [undef]:1194
Tue Jan 29 13:11:48 2013 TCPv4_SERVER link remote: [undef]
Tue Jan 29 13:11:48 2013 MULTI: multi_init called, r=256 v=256
Tue Jan 29 13:11:48 2013 IFCONFIG POOL: base=192.168.0.200 size=55
Tue Jan 29 13:11:48 2013 IFCONFIG POOL LIST
Tue Jan 29 13:11:48 2013 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Jan 29 13:11:48 2013 Initialization Sequence Completed

The error: Cannot open TUN/TAP dev tap-bridge: No such file or directory (errno=2) disappears after commenting out the: dev-node tap-bridge in config.
Client still has timedout

[maikcat]

client config/log??

Michael.

[McDexter]

While startting openvpn: /var/log/messages:

Code: Select all

Jan 29 13:23:03 vpn kernel: [10076.030274] br0: port 2(tap0) entered forwarding state
Jan 29 13:23:03 vpn kernel: [10076.030339] br0: port 2(tap0) entered forwarding state

Client verb 4:

Code: Select all

Tue Jan 29 13:24:34 2013 us=625000 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)
] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan  8 2013
Tue Jan 29 13:24:34 2013 us=640625 NOTE: OpenVPN 2.1 requires '--script-security
 2' or higher to call user-defined scripts or executables
Tue Jan 29 13:24:34 2013 us=796875 LZO compression initialized
Tue Jan 29 13:24:34 2013 us=796875 Control Channel MTU parms [ L:1592 D:140 EF:4
0 EB:0 ET:0 EL:0 ]
Tue Jan 29 13:24:34 2013 us=796875 Socket Buffers: R=[8192->8192] S=[8192->8192]

Tue Jan 29 13:24:34 2013 us=796875 Data Channel MTU parms [ L:1592 D:1450 EF:60
EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jan 29 13:24:34 2013 us=796875 Local Options String: 'V4,dev-type tap,link-m
tu 1592,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,ke
ysize 128,key-method 2,tls-client'
Tue Jan 29 13:24:34 2013 us=796875 Expected Remote Options String: 'V4,dev-type
tap,link-mtu 1592,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,au
th SHA1,keysize 128,key-method 2,tls-server'
Tue Jan 29 13:24:34 2013 us=796875 Local Options hash (VER=V4): '39ac68d4'
Tue Jan 29 13:24:34 2013 us=796875 Expected Remote Options hash (VER=V4): 'de0eb
dfe'
Tue Jan 29 13:24:34 2013 us=796875 Attempting to establish TCP connection with [
AF_INET]xxx.xxx.xxx.xxx:1194
Tue Jan 29 13:24:55 2013 us=828125 TCP: connect to [AF_INET]xxx.xxx.xxx.xxx:1194 f
ailed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Tue Jan 29 13:25:24 2013 us=375000 TCP: connect to [AF_INET]xxx.xxx.xxx.xxx:1194 f
ailed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

[McDexter]

There is something wrong with bridge.

I open brigde with: script

Code: Select all

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

When bridge is open than I can't connect to any service on the server (also smtp is unaccessible)

[maikcat]

try to use this directives:

ifconfig br0 down
ifconfig eth0 down
openvpn --mktun --dev tap0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tap0
ifconfig eth0 promisc 0.0.0.0 up
ifconfig tap0 promisc 0.0.0.0 up
ifconfig br0 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
route add default gw 192.168.0.x <--your default gateway

also post the output of

brctl show

Michael.

[maikcat]

your problem seems to be that you are setting ip to your eth0 int...

you should assign ip to your br0 AFTER you bridge eth & tap..

Michael.

[McDexter]

Code: Select all

brctl show
bridge name     bridge id       STP enabled     interfaces
br0     8000.000c29e6d412  no    eth0
                           tap0

With Your script the client can connect to bridge vpn Thank you

I know that this is another problem.... but happens the same thing as on tun setup... I think to write a new topic for that because I cant find answers in forum.
The point is that I can ping only vpn gateway. I cant ping nothing else behind it.. From within LAN I can ping client from vpn gateway but not from any other machine

The below setup seems not to work:

Code: Select all

route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.0.3"

[maikcat]

use

redirect-gateway def1

also remove

route 192.168.0.0 255.255.255.0

did you enable ip forwarding?

Michael.

[McDexter]

I did changes but unfortunately still can't access lan network

Code: Select all

 cat /proc/sys/net/ipv4/ip_forward
1

Client

Code: Select all

client
dev tap
proto tcp
remote xx.xxxxxxxxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca C:\\VPN\\ca.crt
cert C:\\VPN\\fm027l.crt
key C:\\VPN\\fm027l.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 1
route-method exe
mssfix 1200
route-delay 2

Server once again (updated)

Code: Select all

port 1194
proto tcp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.2 255.255.255.0 192.168.0.230 192.168.0.250
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.3"
client-to-client
keepalive 10 120
cipher AES-128-CBC   # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Code: Select all

 iptables -vnL
Chain INPUT (policy ACCEPT 91618 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 934 packets, 128K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 80936 packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination

[McDexter]

I found a solution

My OpenVPN is on VMware ESX serwer. I had to enable Promiscuous Mode on NIC in vSphere. After that pings started to work instanlty without any restart.
Now I'll try to test tun setup once again..

maikcat you helped alot! Thank You!