I tried setting up an OpenVPN 2.1 server in my Fritz!Box with Freetz-1.2.
It seems I have configured the routes, bridge or whatever wrong; maybe I misunderstood something.
The point is:
The connection to the server is established successfully, but I can't get any network traffic through the tunnel.
All I want is to send all network traffic of the client through the VPN.
A Wireshark capture shows that the server answers a "Who has 192.168.200.1?" gateway ARP request with the lan MAC address.
On the other hand, the server sends the ARP request for the client ("Who has 192.168.200.100?") with tap0's MAC address, but also with IP 192.168.200.1.
So the client gets completely confused and reports duplicate use of IP 192.168.200.1 by the server's lan and tap0 MACs:
6f:70:a6 - client VPN
6f:49 - server lan/eth0
39:da:af - server tap0
Here is the arp cache of the server:
Code:
root@fritz:/var/mod/root# arp
? (192.168.200.100) at <incomplete> on tap0
? (192.168.200.100) at xx:xx:xx:6F:70:A6 [ether] on lan
The routing table of the server seems ok:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.180.1   *               255.255.255.255 UH    2      0        0 dsl
192.168.180.2   *               255.255.255.255 UH    2      0        0 dsl
192.168.178.0   *               255.255.255.0   U     0      0        0 lan
192.168.200.0   *               255.255.255.0   U     0      0        0 tap0
169.254.0.0     *               255.255.0.0     U     0      0        0 lan
default         *               0.0.0.0         U     2      0        0 dsl
Code:
bridge name     bridge id               STP enabled     interfaces
lan             8000.001c4a136f49       no              eth0
                                                        tap0
                                                        tiwlan0
                                                        usbrndis
                                                        wdsdw0
                                                        wdsdw1
                                                        wdsdw2
                                                        wdsdw3
                                                        wdsup0
Here is the server config:
Code:
# OpenVPN 2.1 Config, Sun Jul 14 16:23:21 CEST 2013
proto udp
dev tap0
#Helperline for rc.openvpn to add tap0 to lan bridge
ca /tmp/flash/openvpn/ca.crt
cert /tmp/flash/openvpn/box.crt
key /tmp/flash/openvpn/box.key
dh /tmp/flash/openvpn/dh.pem
tls-server
tls-auth /tmp/flash/openvpn/static.key 0
port 1194
ifconfig 192.168.200.1 255.255.255.0
push "route-gateway 192.168.200.1"
max-clients 10
mode server
ifconfig-pool 192.168.200.100 192.168.200.110
push "route 192.168.200.1"
route 192.168.200.0 255.255.255.0
push "dhcp-option DNS 192.168.200.1"
tun-mtu 1500
mssfix
verb 3
daemon
cipher AES-256-CBC
keepalive 10 120
status /var/log/openvpn.log
chroot /tmp/openvpn
user openvpn
group openvpn
persist-tun
persist-key
push "redirect-gateway def1"
ifconfig of server:
Code:
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:13:6F:49
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:313802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84166 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30146480 (28.7 MiB)  TX bytes:73211812 (69.8 MiB)

lan       Link encap:Ethernet  HWaddr xx:xx:xx:13:6F:49
          inet addr:192.168.178.1  Bcast:192.168.178.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:887574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:380977 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:200991017 (191.6 MiB)  TX bytes:162238977 (154.7 MiB)

lan:0     Link encap:Ethernet  HWaddr xx:xx:xx:13:6F:49
          inet addr:169.254.1.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr xx:xx:xx:39:da:af
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:38745 (37.8 KiB)  TX bytes:10569 (10.3 KiB)
client config:
Code:
client
dev tap0
remote openvpnserver.ip.com 1194
;remote 192.168.178.1 1194
proto udp
;auth-user-pass
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
tls-auth "C:\\Program Files\\OpenVPN\\config\\static.key" 1
cert "C:\\Program Files\\OpenVPN\\config\\client01.crt"
key "C:\\Program Files\\OpenVPN\\config\\client01.key"
cipher AES-256-CBC
verb 3
resolv-retry infinite
ns-cert-type server
nobind
tun-mtu 1500
persist-key
persist-tun
Code:
Interface: 192.168.200.100 --- 0x1b
  Internet Address      Physical Address      Type
  192.168.200.1         xx-xx-xx-39-da-af     dynamic
  192.168.200.255       ff-ff-ff-ff-ff-ff     static
...
Code:
Interface: 192.168.200.100 --- 0x1b
  Internet Address      Physical Address      Type
  192.168.200.1         xx-xx-xx-13-6f-49     dynamic
  192.168.200.255       ff-ff-ff-ff-ff-ff     static
...
client ipconfig /all:
Code:
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : xx-xx-xx-6F-70-A6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a01d:a24d:f322:d64b%27(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.200.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, July 14, 2013 16:55:25
Lease Expires . . . . . . . . . . : Monday, July 14, 2014 16:55:25
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.200.0
DHCPv6 IAID . . . . . . . . . . . : 469827351
DHCPv6 Client DUID. . . . . . . . : xxxxxxxxxxxxxxxxxxxxxx
DNS Servers . . . . . . . . . . . : 192.168.200.1
NetBIOS over Tcpip. . . . . . . . : Enabled
client routing table:
Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination   Netmask           Gateway          Interface        Metric
0.0.0.0               0.0.0.0           xx.xx.16.1       xx.xx.17.22      25
0.0.0.0               128.0.0.0         192.168.200.1    192.168.200.100  30
xx.xx.16.0            255.255.240.0     On-link          xx.xx.17.22      281
xx.xx.17.22           255.255.255.255   On-link          xx.xx.17.22      281
xx.xx.31.255          255.255.255.255   On-link          xx.xx.17.22      281
xx.xx.193.8           255.255.255.255   xx.xx.16.1       xx.xx.17.22      25
127.0.0.0             255.0.0.0         On-link          127.0.0.1        306
127.0.0.1             255.255.255.255   On-link          127.0.0.1        306
127.255.255.255       255.255.255.255   On-link          127.0.0.1        306
128.0.0.0             128.0.0.0         192.168.200.1    192.168.200.100  30
192.168.200.0         255.255.255.0     On-link          192.168.200.100  286
192.168.200.1         255.255.255.255   192.168.200.1    192.168.200.100  30
192.168.200.100       255.255.255.255   On-link          192.168.200.100  286
192.168.200.255       255.255.255.255   On-link          192.168.200.100  286
224.0.0.0             240.0.0.0         On-link          127.0.0.1        306
224.0.0.0             240.0.0.0         On-link          xx.xx.17.22      281
224.0.0.0             240.0.0.0         On-link          192.168.200.100  286
255.255.255.255       255.255.255.255   On-link          127.0.0.1        306
255.255.255.255       255.255.255.255   On-link          xx.xx.17.22      281
255.255.255.255       255.255.255.255   On-link          192.168.200.100  286
Code:
Sun Jul 14 16:54:44 2013 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan 8 2013
Sun Jul 14 16:54:44 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jul 14 16:54:44 2013 Need hold release from management interface, waiting...
Sun Jul 14 16:54:45 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jul 14 16:54:45 2013 MANAGEMENT: CMD 'state on'
Sun Jul 14 16:54:45 2013 MANAGEMENT: CMD 'log all on'
Sun Jul 14 16:54:45 2013 MANAGEMENT: CMD 'hold off'
Sun Jul 14 16:54:45 2013 MANAGEMENT: CMD 'hold release'
Sun Jul 14 16:54:45 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jul 14 16:54:45 2013 Control Channel Authentication: using 'C:\Program Files\OpenVPN\config\static.key' as a OpenVPN static key file
Sun Jul 14 16:54:45 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 14 16:54:45 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 14 16:54:45 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jul 14 16:54:45 2013 MANAGEMENT: >STATE:1373813685,RESOLVE,,,
Sun Jul 14 16:54:45 2013 UDPv4 link local: [undef]
Sun Jul 14 16:54:45 2013 UDPv4 link remote: [AF_INET]xxx.xxx.193.8:1194
Sun Jul 14 16:54:45 2013 MANAGEMENT: >STATE:1373813685,WAIT,,,
Sun Jul 14 16:54:45 2013 MANAGEMENT: >STATE:1373813685,AUTH,,,
Sun Jul 14 16:54:45 2013 TLS: Initial packet from [AF_INET]xxx.xxx.193.8:1194, sid=39a9e0b2 415c4a0a
Sun Jul 14 16:55:08 2013 VERIFY OK: depth=1, C=DE, ST=BY, L=xx, O=none, OU=changeme, CN=ca, name=ca, emailAddress=none
Sun Jul 14 16:55:08 2013 VERIFY OK: nsCertType=SERVER
Sun Jul 14 16:55:08 2013 VERIFY OK: depth=0, C=DE, ST=BY, L=xx, O=none, OU=changeme, CN=fritzbox, name=fritzbox, emailAddress=none
Sun Jul 14 16:55:23 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jul 14 16:55:23 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 14 16:55:23 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jul 14 16:55:23 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 14 16:55:23 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Sun Jul 14 16:55:23 2013 [fritzbox] Peer Connection Initiated with [AF_INET]xxx.xxx.193.8:1194
Sun Jul 14 16:55:24 2013 MANAGEMENT: >STATE:1373813724,GET_CONFIG,,,
Sun Jul 14 16:55:25 2013 SENT CONTROL [fritzbox]: 'PUSH_REQUEST' (status=1)
Sun Jul 14 16:55:25 2013 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.200.1,route 192.168.200.1,dhcp-option DNS 192.168.200.1,redirect-gateway def1,ping 10,ping-restart 120,ifconfig 192.168.200.100 255.255.255.0'
Sun Jul 14 16:55:25 2013 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 14 16:55:25 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 14 16:55:25 2013 OPTIONS IMPORT: route options modified
Sun Jul 14 16:55:25 2013 OPTIONS IMPORT: route-related options modified
Sun Jul 14 16:55:25 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 14 16:55:25 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jul 14 16:55:25 2013 MANAGEMENT: >STATE:1373813725,ASSIGN_IP,,192.168.200.100,
Sun Jul 14 16:55:25 2013 open_tun, tt->ipv6=0
Sun Jul 14 16:55:25 2013 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{176F70A6-B9C7-4B4E-B283-45228EE20D6B}.tap
Sun Jul 14 16:55:25 2013 TAP-Windows Driver Version 9.9
Sun Jul 14 16:55:25 2013 Notified TAP-Windows driver to s
Sun Jul 14 16:55:25 2013 Successful ARP Flush on interface [27] {176F70A6-B9C7-4B4E-B283-45228EE20D6B}
Sun Jul 14 16:55:30 2013 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Jul 14 16:55:30 2013 C:\Windows\system32\route.exe ADD xxx.xxx.193.8 MASK 255.255.255.255 xxx.xxx.16.1
Sun Jul 14 16:55:30 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Sun Jul 14 16:55:30 2013 Route addition via IPAPI succeeded [adaptive]
Sun Jul 14 16:55:30 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 14 16:55:30 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Jul 14 16:55:30 2013 Route addition via IPAPI succeeded [adaptive]
Sun Jul 14 16:55:30 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 14 16:55:30 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Jul 14 16:55:30 2013 Route addition via IPAPI succeeded [adaptive]
Sun Jul 14 16:55:30 2013 MANAGEMENT: >STATE:1373813730,ADD_ROUTES,,,
Sun Jul 14 16:55:30 2013 C:\Windows\system32\route.exe ADD 192.168.200.1 MASK 255.255.255.255 192.
Sun Jul 14 16:55:30 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Jul 14 16:55:30 2013 Route addition via IPAPI succeeded [adaptive]
Sun Jul 14 16:55:30 2013 Initialization Sequence Completed
Sun Jul 14 16:55:30 2013 MANAGEMENT: >STATE:1373813730,CONNECTED,SUCCESS,192.168.200.100,xxx.xxx.193.8
I'm pretty desperate as I have been working on this for weeks, but still it doesn't want to work.
All help and suggestions are welcome.
Greetings,
light73
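The symptom in the post, one gateway IP answered by two different MACs, can be checked mechanically instead of by staring at arp output. The Python script below is an added example and not part of the original post, of OpenVPN or of Freetz: it parses Windows "arp -a" snapshots, the server's busybox "arp" listing and its "ifconfig" output, then reports every IP seen with more than one MAC and maps each MAC back to the server interface that owns it. The sample data is constructed from the values in the post; the masked xx:xx:xx prefixes are replaced by the locally administered prefix 02:00:00, which is an assumption.

```python
"""Detect an IP address that is answered for by more than one MAC.

Added example (not from the original post): parses Windows ``arp -a``
snapshots and Linux ``arp`` / ``ifconfig`` output, then reports every IP that
has been seen with two or more MAC addresses, mapping each MAC back to the
server interface that owns it. Sample data below is constructed from the
values in the post, with the masked ``xx`` prefixes replaced by 02:00:00.
"""
import re
from collections import defaultdict

# Windows "arp -a" rows:   192.168.200.1   xx-xx-xx-39-da-af   dynamic
WIN_ARP_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE)
# Linux busybox "arp" rows:   ? (192.168.200.100) at xx:xx:xx:6F:70:A6 [ether] on lan
LINUX_ARP_RE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(<incomplete>|[0-9a-f]{2}(?::[0-9a-f]{2}){5})"
    r"(?:\s+\[ether\])?\s+on\s+(\S+)", re.IGNORECASE)
# ifconfig header rows:   tap0   Link encap:Ethernet   HWaddr xx:xx:xx:39:da:af
IFCONFIG_RE = re.compile(
    r"^(\S+)\s+Link encap:\S+\s+HWaddr\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def norm_mac(mac):
    """Canonical lower-case colon form so Windows and Linux spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_windows_arp(text):
    """Return [(ip, mac)] from Windows ``arp -a`` output; static (broadcast) rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = WIN_ARP_RE.match(line)
        if m and m.group(3).lower() == "dynamic":
            rows.append((m.group(1), norm_mac(m.group(2))))
    return rows


def parse_linux_arp(text):
    """Return [(ip, mac_or_None, iface)] from busybox/net-tools ``arp`` output."""
    rows = []
    for line in text.splitlines():
        m = LINUX_ARP_RE.search(line)
        if m:
            mac = None if m.group(2).startswith("<") else norm_mac(m.group(2))
            rows.append((m.group(1), mac, m.group(3)))
    return rows


def parse_ifconfig_macs(text):
    """Map each MAC to the interfaces carrying it (a bridge shares the MAC of a member port)."""
    owners = defaultdict(list)
    for line in text.splitlines():
        m = IFCONFIG_RE.match(line)
        if m:
            owners[norm_mac(m.group(2))].append(m.group(1))
    return dict(owners)


def find_conflicts(snapshots, iface_macs):
    """Return {ip: {mac: [owning server ifaces]}} for IPs seen with more than one MAC."""
    seen = defaultdict(set)
    for rows in snapshots:
        for ip, mac in rows:
            seen[ip].add(mac)
    return {ip: {mac: iface_macs.get(mac, []) for mac in sorted(macs)}
            for ip, macs in seen.items() if len(macs) > 1}


# Constructed sample input modelled on the post (xx:xx:xx replaced by 02:00:00).
SERVER_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 02:00:00:13:6F:49
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
lan       Link encap:Ethernet  HWaddr 02:00:00:13:6F:49
          inet addr:192.168.178.1  Bcast:192.168.178.255  Mask:255.255.255.0
tap0      Link encap:Ethernet  HWaddr 02:00:00:39:da:af
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
"""

CLIENT_ARP_SNAPSHOTS = ["""\
Interface: 192.168.200.100 --- 0x1b
  Internet Address      Physical Address      Type
  192.168.200.1         02-00-00-39-da-af     dynamic
  192.168.200.255       ff-ff-ff-ff-ff-ff     static
""", """\
Interface: 192.168.200.100 --- 0x1b
  Internet Address      Physical Address      Type
  192.168.200.1         02-00-00-13-6f-49     dynamic
  192.168.200.255       ff-ff-ff-ff-ff-ff     static
"""]

SERVER_ARP = """\
? (192.168.200.100) at <incomplete> on tap0
? (192.168.200.100) at 02:00:00:6F:70:A6 [ether] on lan
"""


def report():
    """Run the check over the constructed samples, print findings, return the conflict map."""
    owners = parse_ifconfig_macs(SERVER_IFCONFIG)
    conflicts = find_conflicts([parse_windows_arp(s) for s in CLIENT_ARP_SNAPSHOTS], owners)
    for ip, macs in conflicts.items():
        print(f"{ip} answered by {len(macs)} MACs:")
        for mac, ifaces in macs.items():
            print(f"  {mac}  server ifaces: {', '.join(ifaces) or 'unknown'}")
    # Server side: the same client IP is known on two interfaces, one of them incomplete.
    for ip, mac, iface in parse_linux_arp(SERVER_ARP):
        print(f"server sees {ip} on {iface}: {mac or 'incomplete'}")
    return conflicts


if __name__ == "__main__":
    report()
```

Run against the two snapshots from the post, the script reports 192.168.200.1 flipping between the MAC shared by eth0 and the lan bridge and the MAC of tap0, which is exactly what the client's duplicate-IP warning reflects. As a general caveat, on Linux an interface enslaved to a bridge normally carries no IP address of its own; the address belongs on the bridge, so that only one MAC ever answers ARP for it.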