OpenVPN Support Forum

Hi everyone

To start, I'll say that I'm a bit new in this VPN thing, and my problem is probably a stupid question, and easy to solve, but anyway, I'm here to learn, so I'll go on.

My university offers a VPN service to access de local net, and I'd like to use this service to create what I read is called 'tunnel' and thus gain access, via ssh, to the computer in my office, so I can work from home (or really from anywhere).

Thing is, from my university web, they give certain instructions in order to connect via VPN. The instructions may be a bit simple, and there are no solutions for possible problems, buuut...

The first thing they're saying is that I need to download two files: one config file, and one certificate.

And then, once the VPN is installed in my laptop, I have to enter the following command (I'm using Ubuntu 12.04):

'openvpn --config <config_file> --ca <certificate_file>'

Obviously, where it says 'config file' and 'certificate file' I substitute the path and the name of the files (although, just to make things easier, I go inside the directory where this files are, and I simply write the files' names).

Well, once I enter the previous command, I get the following output:

Fri Apr 26 21:10:47 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Apr 26 21:10:47 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Apr 26 21:10:47 2013 LZO compression initialized
Fri Apr 26 21:10:47 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Apr 26 21:10:47 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Fri Apr 26 21:10:47 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 26 21:10:47 2013 Local Options hash (VER=V4): '41690919'
Fri Apr 26 21:10:47 2013 Expected Remote Options hash (VER=V4): '530fdded'
Fri Apr 26 21:10:47 2013 UDPv4 link local: [undef]
Fri Apr 26 21:10:47 2013 UDPv4 link remote: [AF_INET]130.206.31.230:1194
Fri Apr 26 21:10:47 2013 TLS: Initial packet from [AF_INET]130.206.31.230:1194, sid=a0bbf5f9 e6845359
Fri Apr 26 21:10:48 2013 VERIFY OK: depth=2, /CN=UIB_CA/ST=IB/C=ES/emailAddress=xcti@uib.es/O=Universitat_de_les_Illes_Balears/OU=CTI_Centre_de_Tecnologies_de_la_Informaci_xC3_xB3
Fri Apr 26 21:10:48 2013 VERIFY OK: depth=1, /CN=UIB_Network_CA/ST=IB/C=ES/emailAddress=xcti@uib.es/O=UIB/OU=CTI_Area_de_Xarxes_i_Comunicacions
Fri Apr 26 21:10:48 2013 Validating certificate key usage
Fri Apr 26 21:10:48 2013 ++ Certificate has key usage 00a0, expects 00a0
Fri Apr 26 21:10:48 2013 VERIFY KU OK
Fri Apr 26 21:10:48 2013 Validating certificate extended key usage
Fri Apr 26 21:10:48 2013 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr 26 21:10:48 2013 VERIFY EKU OK
Fri Apr 26 21:10:48 2013 VERIFY X509NAME OK: /CN=sonvich.uib.es/O=UIB/C=ES
Fri Apr 26 21:10:48 2013 VERIFY OK: depth=0, /CN=sonvich.uib.es/O=UIB/C=ES
Fri Apr 26 21:10:48 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 26 21:10:48 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 26 21:10:48 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 26 21:10:48 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 26 21:10:48 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Apr 26 21:10:48 2013 [sonvich.uib.es] Peer Connection Initiated with [AF_INET]130.206.31.230:1194
Fri Apr 26 21:10:50 2013 SENT CONTROL [sonvich.uib.es]: 'PUSH_REQUEST' (status=1)
Fri Apr 26 21:10:50 2013 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.150.0.13,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 130.206.33.1,ping 10,ping-restart 60,ifconfig 10.150.98.6 255.255.0.0'
Fri Apr 26 21:10:50 2013 OPTIONS IMPORT: timers and/or timeouts modified
Fri Apr 26 21:10:50 2013 OPTIONS IMPORT: --ifconfig/up options modified
Fri Apr 26 21:10:50 2013 OPTIONS IMPORT: route options modified
Fri Apr 26 21:10:50 2013 OPTIONS IMPORT: route-related options modified
Fri Apr 26 21:10:50 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Apr 26 21:10:50 2013 ROUTE default_gateway=192.168.1.1
Fri Apr 26 21:10:50 2013 Note: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Fri Apr 26 21:10:50 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Apr 26 21:10:50 2013 /sbin/ifconfig 10.150.98.6 netmask 255.255.0.0 mtu 1500 broadcast 10.150.255.255
SIOCSIFADDR: Permission denied
: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: Permission denied
SIOCSIFMTU: Operation not permitted
SIOCSIFBRDADDR: Permission denied
: ERROR while getting interface flags: No such device
Fri Apr 26 21:10:50 2013 Linux ifconfig failed: external program exited with error status: 255
Fri Apr 26 21:10:50 2013 Exiting


And it goes back to the prompt.

And, to say truth, I'm as lost as an octopus in a garage (as we say in Spain), because I don't have any idea about where the problem could be...

EDIT: Sorry I wrote it in Spanish! I dont know why but my head messed up and made me think this was a Spanish forum!!! xD

openvpn needs to run as 'root' . either use
sudo openvpn ....

or use something like NetworkManager, which comes with most Linux distro's

My fault. Wasn't executing it as superuser. But, anyway, it keeps on failing. Now, it gets to the point where it says "initialization sequence completed", and then, when I try to ssh my office's laptop, it says "ssh: connect to host xxxxxxxxxxx port 22: Connection timed out". And I think that, if the vpn connection is working, it should connect as it does in the local lan (and I know it works from the inside). I don't really know where is the problem... :S

Sun Apr 28 13:31:06 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sun Apr 28 13:31:06 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Apr 28 13:31:06 2013 LZO compression initialized
Sun Apr 28 13:31:06 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 28 13:31:06 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Sun Apr 28 13:31:06 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 28 13:31:06 2013 Local Options hash (VER=V4): '41690919'
Sun Apr 28 13:31:06 2013 Expected Remote Options hash (VER=V4): '530fdded'
Sun Apr 28 13:31:06 2013 UDPv4 link local: [undef]
Sun Apr 28 13:31:06 2013 UDPv4 link remote: [AF_INET]130.206.31.230:1194
Sun Apr 28 13:31:06 2013 TLS: Initial packet from [AF_INET]130.206.31.230:1194, sid=5945c56c 6de60c9e
Sun Apr 28 13:31:07 2013 VERIFY OK: depth=2, /CN=UIB_CA/ST=IB/C=ES/emailAddress=xcti@uib.es/O=Universitat_de_les_Illes_Balears/OU=CTI_Centre_de_Tecnologies_de_la_Informaci_xC3_xB3
Sun Apr 28 13:31:07 2013 VERIFY OK: depth=1, /CN=UIB_Network_CA/ST=IB/C=ES/emailAddress=xcti@uib.es/O=UIB/OU=CTI_Area_de_Xarxes_i_Comunicacions
Sun Apr 28 13:31:07 2013 Validating certificate key usage
Sun Apr 28 13:31:07 2013 ++ Certificate has key usage 00a0, expects 00a0
Sun Apr 28 13:31:07 2013 VERIFY KU OK
Sun Apr 28 13:31:07 2013 Validating certificate extended key usage
Sun Apr 28 13:31:07 2013 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Apr 28 13:31:07 2013 VERIFY EKU OK
Sun Apr 28 13:31:07 2013 VERIFY X509NAME OK: /CN=sonvich.uib.es/O=UIB/C=ES
Sun Apr 28 13:31:07 2013 VERIFY OK: depth=0, /CN=sonvich.uib.es/O=UIB/C=ES
Sun Apr 28 13:31:07 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 28 13:31:07 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 28 13:31:07 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 28 13:31:07 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 28 13:31:07 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Apr 28 13:31:07 2013 [sonvich.uib.es] Peer Connection Initiated with [AF_INET]130.206.31.230:1194
Sun Apr 28 13:31:10 2013 SENT CONTROL [sonvich.uib.es]: 'PUSH_REQUEST' (status=1)
Sun Apr 28 13:31:10 2013 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.150.0.13,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 130.206.33.1,ping 10,ping-restart 60,ifconfig 10.150.98.6 255.255.0.0'
Sun Apr 28 13:31:10 2013 OPTIONS IMPORT: timers and/or timeouts modified
Sun Apr 28 13:31:10 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sun Apr 28 13:31:10 2013 OPTIONS IMPORT: route options modified
Sun Apr 28 13:31:10 2013 OPTIONS IMPORT: route-related options modified
Sun Apr 28 13:31:10 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Apr 28 13:31:10 2013 ROUTE default_gateway=192.168.1.1
Sun Apr 28 13:31:10 2013 TUN/TAP device tun0 opened
Sun Apr 28 13:31:10 2013 TUN/TAP TX queue length set to 100
Sun Apr 28 13:31:10 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Apr 28 13:31:10 2013 /sbin/ifconfig tun0 10.150.98.6 netmask 255.255.0.0 mtu 1500 broadcast 10.150.255.255
Sun Apr 28 13:31:12 2013 /sbin/route add -net 130.206.31.230 netmask 255.255.255.255 gw 192.168.1.1
Sun Apr 28 13:31:12 2013 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.150.0.13
Sun Apr 28 13:31:12 2013 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.150.0.13
Sun Apr 28 13:31:12 2013 Initialization Sequence Completed

^CSun Apr 28 13:35:12 2013 event_wait : Interrupted system call (code=4)
Sun Apr 28 13:35:12 2013 TCP/UDP: Closing socket
Sun Apr 28 13:35:12 2013 /sbin/route del -net 130.206.31.230 netmask 255.255.255.255
Sun Apr 28 13:35:12 2013 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Sun Apr 28 13:35:12 2013 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Sun Apr 28 13:35:12 2013 Closing TUN/TAP interface
Sun Apr 28 13:35:12 2013 /sbin/ifconfig tun0 0.0.0.0
Sun Apr 28 13:35:12 2013 SIGINT[hard,] received, process exiting

^CSun Apr 28 13:35:12 2013 event_wait : Interrupted system call (code=4)

this suggests you typed ctrl+c.


After the VPN connection comes up, try pinging the remote end of the VPN connection, e.g. from the client (10.150.98.6 ) ping the server (10.150.98.1) ; without your exact config files (esp server side) it's impossible to tell what is going on.

After getting the "initialization sequence completed", when I ping the 10.150.98.1, all packets are lost.

I have to add that, when the "Initialization seq..." message comes up, my internet connection goes party and leaves me alone. But, when I type ctrl+c to end the process, my connection magically comes back.

By "exact config files" do you mean my ovpn.ovpn file (it seems a configuration one)?

yes, esp server side config - I suspect that your subnets are chosen wrongly.

This is what's inside my config file:

client

;dev tap
dev tun

topology subnet
;dev-node MyTap
;proto tcp
proto udp
route-method exe
route-delay 2
remote samola.uib.es 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings

ca uib_ca.pem
;cert client.crt
;key client.key
reneg-sec 14400

remote-cert-tls server
tls-remote sonvich.uib.es

;ns-cert-type server

;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3

# Silence repeating messages
;mute 20
auth-user-pass
auth-nocache

that's the *client* config file - I was looking for the server side file.
Alternatively, set and reconnect and post the log - I should be able to see which subnets the server is pushing.

I supposed you meant that...the problem is that I don't have the server side configuration file...

Anyway, I talked with the guys who manage the VPN server in my university, and they finally gave me a solution. I don't know what they exactly did, but I finally got my ssh conection to my office's computer, so I can work from home anytime I need it.

But, still, I have the problem with the internet connexion. I manage to connect to the computer in my office via ssh, so it means that I'm on the web, but when I try to open an internet browser, it seems as I don't have any connexion at all...

you'll need to talk to the server admins again - seems like a routing issue.

You were right. I talked to the admins, and they finally solved it. It seems I'm the only one in the whole campus using the VPN service, and they didn't know there was any kind of problem... xD Hilarious! Anyway, thank you very much! ;D