tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 10:11 am
by McDexter
Hi, I can't find any tap-related posts so here is one...

My OpenVPN server is behind a firewall. I've redirected port 1194 and created a tun configuration. It works really nicely - I can connect from a remote client and have access to the vpn server.

I decided to run a tap config. The server starts but the client can't connect. I get a WSAETIMEDOUT message.

Here is my config:

Code:

;local 192.168.0.2
port 1194
proto tcp
dev tap
dev-node tap-bridge
;dev tun
;dev-node MyTap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
;server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.254
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;push "route 192.168.0.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 6
;mute 20

I also run an Ethernet bridge on Linux:

Code:

br="br0"
tap="tap0"
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

ifconfig:

Code:

br0       Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee6:d412/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7767 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:622087 (607.5 Kb)  TX bytes:2804811 (2.6 Mb)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          inet6 addr: fe80::20c:29ff:fee6:d412/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:11524 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8230 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1437988 (1.3 Mb)  TX bytes:5262926 (5.0 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:770935 (752.8 Kb)  TX bytes:770935 (752.8 Kb)

tap0      Link encap:Ethernet  HWaddr BA:EC:7A:09:68:63
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

iptables -vnL:

Code:

Chain INPUT (policy ACCEPT 159 packets, 50649 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0
 3506  305K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3673 packets, 2651K bytes)
 pkts bytes target     prot opt in     out     source               destination

Please help, what's wrong?

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 10:47 am
by maikcat
hi there,

use

dev tap0

instead of

dev tap

on your server config

Michael.

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 11:06 am
by McDexter
tap0 gives no change.. client still gets wsaetimedout :(

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 11:39 am
by maikcat
try to telnet to the openvpn server port, it's tcp based so it should respond...

try it from your lan & from internet...

maybe your router blocks traffic?

Michael.
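
A way to run the telnet check maikcat suggests, as an added example that is not part of the thread or of OpenVPN: a small Python probe that classifies a plain TCP connect as open, refused or timed out, so the client's "Connection timed out (WSAETIMEDOUT)" can be compared with how the server port looks from the LAN and from the internet. The target host and port are given on the command line; the local-listener self-check in demo() is constructed for the example.

```python
import errno
import socket
import sys

# What each outcome means from the server admin's point of view
# (the thread's client error WSAETIMEDOUT maps to "timeout").
EXPLANATIONS = {
    "open": "listener answered: the path to the port works, so a VPN timeout "
            "is not a port-forward or firewall problem",
    "refused": "host reachable but nothing listening there: daemon not running, "
               "wrong port, or proto udp where the client expects tcp",
    "timeout": "no answer at all: SYN dropped by a firewall or NAT rule, a missing "
               "route, or a bridge that no longer passes traffic to the host",
}


def probe_tcp(host, port, timeout=5.0):
    """Try a plain TCP connect and classify what happened.

    Returns "open", "refused", "timeout", or "error:<ERRNO>" for anything
    else (no route to host, name resolution failure, ...).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:              # no SYN-ACK within `timeout` seconds
        return "timeout"
    except ConnectionRefusedError:      # an RST came back: host up, port closed
        return "refused"
    except socket.gaierror:             # name did not resolve
        return "error:EAI"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def probe_many(targets, timeout=5.0):
    """targets: iterable of (label, host, port); returns {label: outcome}.

    Run the same list once from the LAN and once from outside and compare:
    a port that is "open" from the LAN but "timeout" from outside points at
    the router/NAT, not at the OpenVPN daemon.
    """
    return {label: probe_tcp(host, port, timeout) for label, host, port in targets}


def demo():
    """Offline self-check: a live local listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # constructed: any free loopback port
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {"listening": probe_tcp("127.0.0.1", port, timeout=2.0)}
    srv.close()
    results["closed"] = probe_tcp("127.0.0.1", port, timeout=2.0)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python probe.py <vpn-host> 1194
        outcome = probe_tcp(sys.argv[1], int(sys.argv[2]))
        print(outcome, "-", EXPLANATIONS.get(outcome, "unexpected socket error"))
    else:
        print(demo())
```

Run it with the public address and port 1194 from outside, then with the LAN address from inside; "open" in both places means the timeout the client sees is not a path problem and the search moves to the server's bridge and interfaces.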

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 11:40 am
by maikcat
can you post logs?

Michael.

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 11:49 am
by McDexter
As I wrote, the port was redirected on the firewall, and the tun config is working fine.
I double-checked and I can telnet from an external IP, and I can also see it in the server logs:

Code:

Jan 29 12:42:34 vpn openvpn[10091]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:1220

I'm pretty sure the problem is not firewall related... I can't see any other explanation :(

When I try to connect to the tap server I don't see any connection requests in the vpn logs.
The last thing is:

Code:

Initialization Sequence Completed
Jan 29 12:48:47 vpn openvpn[10975]: ..done

This would mean that there is something wrong with the openvpn setup, or maybe routing or nics?

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 11:53 am
by McDexter
Maybe I should add that I use OpenSuse and I run the server with /etc/init.d/openvpn start

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 12:03 pm
by maikcat
use verb 3 on your config and try to start openvpn by

openvpn --config /etc/openvpn/yourconfig.conf

paste the output here..

Michael.

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 12:12 pm
by McDexter

Code:

openvpn --config /etc/openvpn/server.conf
Tue Jan 29 13:11:48 2013 OpenVPN 2.2.2 x86_64-suse-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Dec 14 2011
Tue Jan 29 13:11:48 2013 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Jan 29 13:11:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jan 29 13:11:48 2013 Diffie-Hellman initialized with 1024 bit key
Tue Jan 29 13:11:48 2013 TLS-Auth MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jan 29 13:11:48 2013 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Jan 29 13:11:48 2013 Note: Cannot open TUN/TAP dev tap-bridge: No such file or directory (errno=2)
Tue Jan 29 13:11:48 2013 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jan 29 13:11:48 2013 Listening for incoming TCP connection on [undef]:1194
Tue Jan 29 13:11:48 2013 TCPv4_SERVER link local (bound): [undef]:1194
Tue Jan 29 13:11:48 2013 TCPv4_SERVER link remote: [undef]
Tue Jan 29 13:11:48 2013 MULTI: multi_init called, r=256 v=256
Tue Jan 29 13:11:48 2013 IFCONFIG POOL: base=192.168.0.200 size=55
Tue Jan 29 13:11:48 2013 IFCONFIG POOL LIST
Tue Jan 29 13:11:48 2013 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Jan 29 13:11:48 2013 Initialization Sequence Completed

The error "Cannot open TUN/TAP dev tap-bridge: No such file or directory (errno=2)" disappears after commenting out the dev-node tap-bridge line in the config.
The client still times out :(

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 12:20 pm
by maikcat
client config/log??

Michael.

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 12:27 pm
by McDexter
While starting openvpn, /var/log/messages shows:

Code:

Jan 29 13:23:03 vpn kernel: [10076.030274] br0: port 2(tap0) entered forwarding state
Jan 29 13:23:03 vpn kernel: [10076.030339] br0: port 2(tap0) entered forwarding state

Client verb 4:

Code:

Tue Jan 29 13:24:34 2013 us=625000 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan  8 2013
Tue Jan 29 13:24:34 2013 us=640625 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jan 29 13:24:34 2013 us=796875 LZO compression initialized
Tue Jan 29 13:24:34 2013 us=796875 Control Channel MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jan 29 13:24:34 2013 us=796875 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Jan 29 13:24:34 2013 us=796875 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jan 29 13:24:34 2013 us=796875 Local Options String: 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jan 29 13:24:34 2013 us=796875 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jan 29 13:24:34 2013 us=796875 Local Options hash (VER=V4): '39ac68d4'
Tue Jan 29 13:24:34 2013 us=796875 Expected Remote Options hash (VER=V4): 'de0ebdfe'
Tue Jan 29 13:24:34 2013 us=796875 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Jan 29 13:24:55 2013 us=828125 TCP: connect to [AF_INET]xxx.xxx.xxx.xxx:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Tue Jan 29 13:25:24 2013 us=375000 TCP: connect to [AF_INET]xxx.xxx.xxx.xxx:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 12:33 pm
by McDexter
There is something wrong with the bridge.

I bring the bridge up with this script:

Code:

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

When the bridge is up I can't connect to any service on the server (smtp is also inaccessible)

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 12:50 pm
by maikcat
try to use these directives:

ifconfig br0 down
ifconfig eth0 down
openvpn --mktun --dev tap0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tap0
ifconfig eth0 promisc 0.0.0.0 up
ifconfig tap0 promisc 0.0.0.0 up
ifconfig br0 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
route add default gw 192.168.0.x <--your default gateway

also post the output of

brctl show

Michael.

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 12:53 pm
by maikcat
your problem seems to be that you are setting the ip on your eth0 int...

you should assign ip to your br0 AFTER you bridge eth & tap..

Michael.
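
An added example (my own, not from the thread or from OpenVPN) that turns maikcat's point into a check: it parses `ifconfig` and `brctl show` output in the format posted above and flags a bridge whose member port still carries the IP address, a bridge with no address of its own, or a tap that was created but never added as a port. The sample outputs are constructed from the listings in this thread, with a second, deliberately broken variant; the interface names br0, eth0 and tap0 are taken from the bridge script.

```python
import re

# Constructed sample, trimmed from the ifconfig/brctl output posted in this thread:
# a correctly assembled bridge (the address sits on br0, the ports are bare).
IFCONFIG_OK = """\
br0       Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr BA:EC:7A:09:68:63
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
"""
BRCTL_OK = """\
bridge name     bridge id       STP enabled     interfaces
br0     8000.000c29e6d412  no    eth0
                           tap0
"""

# Constructed bad state: eth0 kept its address, br0 got none, tap0 was never enslaved.
IFCONFIG_BAD = """\
br0       Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:0C:29:E6:D4:12
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr BA:EC:7A:09:68:63
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
"""
BRCTL_BAD = """\
bridge name     bridge id       STP enabled     interfaces
br0     8000.000c29e6d412  no    eth0
"""


def parse_ifconfig(text):
    """Map interface name -> {"inet": addr or None, "flags": set()} (old net-tools format)."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        if not line[0].isspace():                 # "eth0      Link encap:Ethernet ..."
            current = ifaces.setdefault(line.split()[0], {"inet": None, "flags": set()})
            continue
        if current is None:
            continue
        m = re.search(r"inet addr:(\S+)", line)
        if m:
            current["inet"] = m.group(1)
        if "MTU:" in line:                        # "UP BROADCAST RUNNING ...  MTU:1500"
            current["flags"] = set(line.split("MTU:")[0].split())
    return ifaces


def parse_brctl(text):
    """Map bridge name -> list of member ports from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if not parts:
            continue
        if not line[0].isspace():                 # "br0  8000.xxx  no  eth0"
            current = parts[0]
            bridges[current] = parts[3:4]
        elif current is not None:                 # indented continuation: one more port
            bridges[current].append(parts[0])
    return bridges


def check_bridge(ifconfig_text, brctl_text, bridge="br0", taps=("tap0",), phys="eth0"):
    """Return [(code, message)] findings; an empty list means the bridge looks sane."""
    ifaces = parse_ifconfig(ifconfig_text)
    members = parse_brctl(brctl_text).get(bridge)
    findings = []
    if members is None:
        findings.append(("NO_BRIDGE", f"{bridge} does not exist; the bridge script has not run"))
        members = []
    for t in taps:
        if t not in ifaces:
            findings.append(("NO_TAP", f"{t} missing: openvpn --mktun --dev {t} has not run"))
        elif t not in members:
            findings.append(("TAP_NOT_BRIDGED", f"{t} exists but is not a port of {bridge}"))
    if phys not in members:
        findings.append(("PHYS_NOT_BRIDGED", f"{phys} is not a port of {bridge}"))
    for m in members:
        info = ifaces.get(m, {"inet": None, "flags": set()})
        if info["inet"]:
            findings.append(("IP_ON_MEMBER", f"{m} still carries {info['inet']}; "
                             f"ports must be 0.0.0.0, the address belongs on {bridge}"))
        if "UP" not in info["flags"]:
            findings.append(("MEMBER_DOWN", f"{m} is not UP"))
    if bridge in ifaces and not ifaces[bridge]["inet"]:
        findings.append(("BRIDGE_NO_IP", f"{bridge} has no IPv4 address; assign it after adding the ports"))
    return findings


if __name__ == "__main__":
    import subprocess  # live run needs net-tools ifconfig and bridge-utils brctl
    ifc = subprocess.run(["ifconfig"], capture_output=True, text=True).stdout
    brc = subprocess.run(["brctl", "show"], capture_output=True, text=True).stdout
    for code, msg in check_bridge(ifc, brc) or [("OK", "bridge looks sane")]:
        print(code, msg)
```

Run it after the bridge script: an IP_ON_MEMBER or BRIDGE_NO_IP finding is the "address on eth0 instead of br0" situation maikcat describes, which also explains why every other service on the host stops answering once the bridge is up.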

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 1:13 pm
by McDexter

Code:

brctl show
bridge name     bridge id       STP enabled     interfaces
br0     8000.000c29e6d412  no    eth0
                           tap0

With your script the client can connect to the bridge vpn :) Thank you :)

I know that this is another problem.... but the same thing happens as on the tun setup... I think I'll write a new topic for that because I can't find answers in the forum.
The point is that I can ping only the vpn gateway. I can't ping anything else behind it.. From within the LAN I can ping the client from the vpn gateway but not from any other machine

The below setup seems not to work:

Code:

route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.0.3"

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 1:24 pm
by maikcat
use

redirect-gateway def1

also remove

route 192.168.0.0 255.255.255.0

did you enable ip forwarding?

Michael.
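
To make the advice in this thread repeatable, here is an added example (my own, not OpenVPN's code) that lints a bridge-mode server config for the items raised above: a bare `dev tap` instead of a named device, a Linux `dev-node` that is not a device path (the errno=2 error earlier in the thread), `push "redirect-gateway"` without `def1`, a `route` for the bridge's own subnet and, going beyond the thread, a `server-bridge` pool that falls outside the bridge subnet. The two embedded configs are constructed from the configs posted here; the finding codes are my own names.

```python
import ipaddress
import shlex

# Constructed from the first server config in this thread (only the lines that
# matter for the checks); ';' and '#' introduce comments, as in OpenVPN.
ORIGINAL_CONF = """\
port 1194
proto tcp
dev tap
dev-node tap-bridge
key /etc/openvpn/keys/server.key  # This file should be kept secret
;server 192.168.0.0 255.255.255.0
server-bridge 192.168.0.2 255.255.255.0 192.168.0.200 192.168.0.254
;route 192.168.40.128 255.255.255.248
push "redirect-gateway"
client-to-client
"""

# Constructed: the routing lines from the "seems not to work" snippet plus a
# pool that does not lie inside the server-bridge subnet.
ROUTE_CONF = """\
dev tap0
server-bridge 192.168.0.2 255.255.255.0 192.168.1.200 192.168.1.250
route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
"""


def parse_openvpn_config(text):
    """Return [(directive, [args...])] for every active line of an OpenVPN config."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line, comments=True)   # handles push "..." and trailing # notes
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def lint_bridge_server(text):
    """Apply the thread's fixes as checks; returns [(code, message)], empty when clean."""
    entries = parse_openvpn_config(text)
    findings = []
    bridge_net = None
    for d, a in entries:
        if d == "server-bridge" and len(a) >= 4:
            gw, mask, lo, hi = a[:4]
            bridge_net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
            if not all(ipaddress.ip_address(x) in bridge_net for x in (lo, hi)):
                findings.append(("POOL_OUTSIDE_SUBNET",
                                 f"pool {lo}-{hi} is not inside {bridge_net}"))
    if bridge_net is None:
        return findings                            # not a bridge server; the rest does not apply
    for d, a in entries:
        if d == "dev" and a[:1] == ["tap"]:
            findings.append(("DEV_DYNAMIC", "dev tap asks for a dynamically numbered tapN; "
                             "name the device that is in the bridge, e.g. dev tap0"))
        elif d == "dev-node" and a and not a[0].startswith("/"):
            findings.append(("DEV_NODE_PATH", f"dev-node {a[0]}: on Linux this is the path of "
                             "the tun device node, not an adapter name; remove it"))
        elif d == "push" and a:
            inner = a[0].split()
            if inner[:1] == ["redirect-gateway"] and "def1" not in inner:
                findings.append(("REDIRECT_NO_DEF1", 'use push "redirect-gateway def1" so the '
                                 "client overrides its default route instead of replacing it"))
        elif d == "route" and len(a) >= 2:
            if ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False) == bridge_net:
                findings.append(("ROUTE_OWN_SUBNET", f"route {a[0]} {a[1]} duplicates the "
                                 "subnet the bridge interface is already on; drop it"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ORIGINAL_CONF
    for code, msg in lint_bridge_server(text) or [("OK", "no findings")]:
        print(f"{code}: {msg}")
```

The checks are deliberately limited to bridge servers (a config without `server-bridge` returns nothing); the updated server config posted later in this thread comes back clean.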

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 1:44 pm
by McDexter
I made the changes but unfortunately I still can't access the lan network :(

Code:

cat /proc/sys/net/ipv4/ip_forward
1

Client:

Code:

client
dev tap
proto tcp
remote xx.xxxxxxxxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca C:\\VPN\\ca.crt
cert C:\\VPN\\fm027l.crt
key C:\\VPN\\fm027l.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 1
route-method exe
mssfix 1200
route-delay 2

Server once again (updated):

Code:

port 1194
proto tcp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.2 255.255.255.0 192.168.0.230 192.168.0.250
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.3"
client-to-client
keepalive 10 120
cipher AES-128-CBC   # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Code:

iptables -vnL
Chain INPUT (policy ACCEPT 91618 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 934 packets, 128K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 80936 packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination

Re: tap configuration connection timeout (wsaetimedout)

Posted: Tue Jan 29, 2013 2:00 pm
by McDexter
I found a solution :)

My OpenVPN is on a VMware ESX server. I had to enable Promiscuous Mode on the NIC in vSphere. After that pings started to work instantly without any restart.
Now I'll try to test the tun setup once again..

maikcat you helped a lot! Thank You!