
[Solved] VPN server won't start

Posted: Tue Dec 14, 2010 9:55 pm
by marcerickson
I'm a newbie to Linux, using a cook by numbers recipe for configuration found at
https://help.ubuntu.com/community/OpenVPN

Everything went OK until I tried to start the VPN server. I'm using Ubuntu 9.04 Server.
Here's my server.conf:
mode server
tls-server

local 192.168.1.10 ## ip/hostname of server
port 1194 ## default openvpn port
proto udp

#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "etc/openvpn/up.sh br0"
down "etc/openvpn/down.sh br0"

persist-key
persist-tun

#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret

cipher BF-CBC # Blowfish (default)
comp-lzo

#DHCP information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS 64.59.144.90"
push "dhcp-option DOMAIN shaw.ca"
max-clients 10 ## set this to the max number of clients that should be connected at one time

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Re: VPN server won't start

Posted: Thu Dec 23, 2010 1:05 pm
by gladiatr72
Please add the following directive and post the output of info.log.

log info.log

Thanks!

Regards,
Stephen

Re: VPN server won't start

Posted: Sun Dec 26, 2010 4:31 am
by marcerickson
info.log:
Sat Dec 25 20:39:45 2010 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009
Sat Dec 25 20:39:45 2010 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sat Dec 25 20:39:45 2010 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Dec 25 20:39:45 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Dec 25 20:39:45 2010 Diffie-Hellman initialized with 1024 bit key
Sat Dec 25 20:39:45 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Sat Dec 25 20:39:47 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sat Dec 25 20:39:47 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 25 20:39:47 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 25 20:39:47 2010 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Dec 25 20:39:47 2010 TUN/TAP device tap0 opened
Sat Dec 25 20:39:47 2010 TUN/TAP TX queue length set to 100
Sat Dec 25 20:39:47 2010 etc/openvpn/up.sh br0 tap0 1500 1574 init
Sat Dec 25 20:39:47 2010 script failed: could not execute external program
Sat Dec 25 20:39:47 2010 Exiting

Re: VPN server won't start

Posted: Sun Dec 26, 2010 4:33 am
by marcerickson
up.sh:
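#!/bin/sh

BR=$1    # bridge name, given in the up directive (br0)
DEV=$2   # TAP device, appended by OpenVPN (tap0)
MTU=$3   # TAP MTU, appended by OpenVPN (1500)
# Bring the TAP device up in promiscuous mode, then add it to the bridge.
/sbin/ifconfig "$DEV" mtu "$MTU" promisc up
/usr/sbin/brctl addif "$BR" "$DEV"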

down.sh:
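#!/bin/sh

BR=$1    # bridge name, given in the down directive (br0)
DEV=$2   # TAP device, appended by OpenVPN

# Remove the TAP device from the bridge, then take it down.
/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ifconfig "$DEV" down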

Re: VPN server won't start

Posted: Sun Dec 26, 2010 5:42 pm
by cakemaker
As you mentioned you're a newbie to Linux ... my 2 cents
1. Check if you have installed brctl (should be under the package: bridge-utils)
2. Check if the up.sh & down.sh are executable files (Ubuntu should have made it already, just in case)

Re: VPN server won't start

Posted: Mon Dec 27, 2010 7:54 am
by marcerickson
I did make up.sh and down.sh executable.

According to http://www.faqs.org/docs/Linux-HOWTO/BR ... THE-BRIDGE, if "...your bridge-utilities have been correctly built and your kernel and bridge-module are OK, then issuing a brctl should show a small command synopsis..." which it does.

Re: VPN server won't start

Posted: Mon Dec 27, 2010 2:58 pm
by gladiatr72
Sat Dec 25 20:39:47 2010 etc/openvpn/up.sh br0 tap0 1500 1574 init

One problem is that you need to fully qualify the path to your script with the up and down directive.

"/etc/openvpn/up.sh" rather than "etc/openvpn/up.sh"

Also make sure that the up and down scripts are executable by user nobody or group nobody.

Regards,
Stephen

Re: VPN server won't start

Posted: Mon Dec 27, 2010 3:44 pm
by marcerickson
Good catch, Stephen, on noticing the leading "/" was missing in the path to the scripts. I missed that several times. :oops:

I also did:
cd /etc/openvpn
sudo chmod 755 up.sh
sudo chmod 755 down.sh

The VPN server starts now. :D Thanks also to cakemaker for the help.
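
A pre-flight check for the two causes found in this thread (a relative up/down script path, and a script the unprivileged account cannot execute), as an added example that is not part of the original posts. The function names and the sample files are constructed for illustration, and the check assumes the hook scripts are not owned by the unprivileged user, so the "others" permission bits apply.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# Print "<directive> <script>" for every up/down hook in OpenVPN config $1.
hook_paths() {
    sed -e 's/#.*//' "$1" | awk '$1 == "up" || $1 == "down" {
        gsub(/"/, "", $2); print $1, $2 }'
}

# Report each hook of config $1; return 1 if any would fail at startup.
check_hooks() {
    bad=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        case "$path" in
            /*) ;;
            *)  echo "FAIL $directive $path: not an absolute path"; bad=1; continue ;;
        esac
        # Test the mode bits with find: [ -x ] would answer for the user running
        # this check (often root), not for the account OpenVPN drops to.
        # Assumption: that account does not own the scripts ("others" bits decide).
        if [ ! -f "$path" ]; then
            echo "FAIL $directive $path: file not found"; bad=1
        elif [ -z "$(find "$path" -perm -005)" ]; then
            echo "FAIL $directive $path: not readable and executable by others"; bad=1
        else
            echo "OK   $directive $path"
        fi
    done <<EOF
$(hook_paths "$1")
EOF
    return $bad
}

# Constructed sample: a config with the thread's relative up path, a corrected
# config, and a down.sh that is still mode 644.
make_sample() {
    d=$1
    printf '#!/bin/sh\n' > "$d/up.sh";   chmod 755 "$d/up.sh"
    printf '#!/bin/sh\n' > "$d/down.sh"; chmod 644 "$d/down.sh"
    printf 'up "etc/openvpn/up.sh br0"\ndown "%s/down.sh br0"\n' "$d" > "$d/broken.conf"
    printf 'up "%s/up.sh br0" ## hook\ndown "%s/down.sh br0"\n' "$d" "$d" > "$d/fixed.conf"
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_hooks "$tmp/broken.conf" || echo "broken.conf: hooks need fixing"
chmod 755 "$tmp/down.sh"
check_hooks "$tmp/fixed.conf" && echo "fixed.conf: hooks ready"
rm -rf "$tmp"
```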