Static Key Setup & Routing

Posted: Tue Dec 21, 2010 6:37 am
by jmancuso
Hello, I am having a problem creating a static key OpenVPN setup. My 2 servers are HOST_A and HOST_B. I need to be able to route between 2 subnets (NET_A and NET_B). Could someone let me know what I'm doing wrong?

NETA: 10.1.0.0/16
NETB: 10.0.0.0/16

HOST_A:
IP: 10.1.0.3
Netmask: 255.255.255.0
Gateway: 10.1.0.1
Gateway External IP: XXX.XXX.XXX.XXX

HOST_B:
IP: 10.0.10.22
Netmask: 255.255.255.0
Default Gateway: 10.0.10.1
Gateway External IP: YYY.YYY.YYY.YYY

------

My VPN seems to get created properly. At least, I get no error indications in the logs. From HOST_B, I can ping 10.1.0.3 and it gets properly routed over the VPN and I'm able to get ICMP packets back. From HOST_A, I can ping 10.0.10.22 successfully as well.

But, I cannot ping any other IP in the networks. For example, I cannot ping 10.1.0.1 from HOST_B. And I cannot ping 10.0.10.1 from HOST_A.

I have IP forwarding enabled on both sides.

root@HOSTA:/etc/openvpn# cat /proc/sys/net/ipv4/ip_forward 
1

root@HOSTB:/etc/openvpn# cat /proc/sys/net/ipv4/ip_forward 
1

What follows is my ifconfig output and my openvpn configs.

==============================================================
IFCONFIG

root@HOSTA:/etc/openvpn# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:00:0a:01:00:03  
          inet addr:10.1.0.3  Bcast:10.1.0.255  Mask:255.255.255.0
          inet6 addr: fe80::200:aff:fe01:3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:355113 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:98469778 (98.4 MB)  TX bytes:13819505 (13.8 MB)

eth0      Link encap:Ethernet  HWaddr 00:00:0a:01:00:03  
          inet6 addr: fe80::200:aff:fe01:3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:355113 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:98470162 (98.4 MB)  TX bytes:13819575 (13.8 MB)
          Interrupt:10 Base address:0xc000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:504 (504.0 B)  TX bytes:504 (504.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.0.1  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@HOSTA:/etc/openvpn# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 br0
0.0.0.0         10.1.0.1        0.0.0.0         UG        0 0          0 br0

root@HOSTB:~# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:00:0a:00:0a:22  
          inet addr:10.0.10.22  Bcast:10.0.10.255  Mask:255.255.255.0
          inet6 addr: fe80::200:aff:fe00:a22/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10914266 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126549 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:577512263 (577.5 MB)  TX bytes:16115525 (16.1 MB)

eth1      Link encap:Ethernet  HWaddr 00:00:0a:00:0a:22  
          inet6 addr: fe80::200:aff:fe00:a22/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10958231 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126550 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:597667097 (597.6 MB)  TX bytes:16115595 (16.1 MB)
          Interrupt:10 Base address:0x4000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3596 (3.5 KB)  TX bytes:3596 (3.5 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.1.1  P-t-P:192.168.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@HOSTB:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.0.10.0       0.0.0.0         255.255.255.0   U         0 0          0 br0
10.1.0.0        192.168.0.1     255.255.0.0     UG        0 0          0 tun0
0.0.0.0         10.0.10.1       0.0.0.0         UG        0 0          0 br0
==============================================================
OPENVPN CONFIG

root@HOSTA:/etc/openvpn# cat /etc/openvpn/server.conf 
dev tun0
remote YYY.YYY.YYY.YYY
ifconfig 192.168.0.1 192.168.1.1
secret /etc/openvpn/static.key
daemon
comp-lzo

proto udp

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

ping-restart 60
ping 20

route 10.0.10.0 255.255.0.0

root@HOSTB:~# cat /etc/openvpn/server.conf 
dev tun0
remote XXX.XXX.XXX.XXX
ifconfig 192.168.1.1 192.168.0.1
secret /etc/openvpn/static.key
daemon
comp-lzo

proto udp

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

ping-restart 60
ping 20

route 10.1.0.0 255.255.0.0

Re: Static Key Setup & Routing

Posted: Wed Dec 22, 2010 3:32 am
by jmancuso
Bump.

If there is any other extra info that I'm lacking, please let me know.

Re: Static Key Setup & Routing

Posted: Thu Dec 23, 2010 7:24 am
by cakemaker
Sorry, I have not read through your message; just your question recalls to my memory a FAQ.
Network connections go in two directions: does your other computer know how to route those packets back?

Re: Static Key Setup & Routing

Posted: Thu Dec 23, 2010 12:07 pm
by gladiatr72
Cakemaker is correct. You have no network routes.

I would solve this with the following:

HOSTA:
push "route 10.1.0.0 255.255.0.0"
or
route 10.1.0.0 255.255.0.0 vpn_gateway

HOSTB:
push "route 10.0.0.0 255.255.0.0"
or
route 10.0.0.0 255.255.0.0 vpn_gateway

Note: I have always used the method of pushing routes from their point of origin. I think the syntax for the local route directive is correct. If you choose to go that route, you may have to noodle with it a bit.

Regards,
Stephen

Re: Static Key Setup & Routing

Posted: Thu Dec 23, 2010 11:39 pm
by jmancuso
Thanks for the responses.

I fiddled with the push route syntax, but was unable to see any new route table entries after restarting OpenVPN. I tried many different combinations, and cannot get it to work.

Here are my most recent configs and route entries. (I have sanitized the output to mask the external IP addresses.)

I really appreciate your help and I hope you can take a look at this and give me other clues.

HOSTA

root@HOSTA:~# cat /etc/openvpn/server.conf 
dev tun0
remote YYY.YYY.YYY.YYY
ifconfig 192.168.0.1 192.168.1.1
secret /etc/openvpn/static.key
daemon
comp-lzo

proto udp

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

ping-restart 60
ping 20

push "route 10.1.0.0 255.255.0.0"
route 10.0.0.0 255.255.0.0 vpn_gateway
root@HOSTA:~# 
root@HOSTA:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 br0
10.0.0.0        192.168.1.1     255.255.0.0     UG        0 0          0 tun0
0.0.0.0         10.1.0.1        0.0.0.0         UG        0 0          0 br0

HOSTB

root@HOSTB:~# cat /etc/openvpn/server.conf 
dev tun0
remote XXX.XXX.XXX.XXX
ifconfig 192.168.1.1 192.168.0.1 
secret /etc/openvpn/static.key
daemon
comp-lzo

proto udp

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

ping-restart 60
ping 20

push "route 10.0.0.0 255.255.0.0"
route 10.1.0.0 255.255.0.0 vpn_gateway
root@HOSTB:~# 
root@HOSTB:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.0.10.0       0.0.0.0         255.255.255.0   U         0 0          0 br0
10.1.0.0        192.168.0.1     255.255.0.0     UG        0 0          0 tun0
0.0.0.0         10.0.10.1       0.0.0.0         UG        0 0          0 br0

Re: Static Key Setup & Routing

Posted: Thu Dec 23, 2010 11:54 pm
by jmancuso
Here are the logs:

HOSTA

Thu Dec 23 15:42:17 2010 event_wait : Interrupted system call (code=4)
Thu Dec 23 15:42:17 2010 TCP/UDP: Closing socket
Thu Dec 23 15:42:17 2010 Closing TUN/TAP interface
Thu Dec 23 15:42:17 2010 /sbin/ifconfig tun0 0.0.0.0
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Thu Dec 23 15:42:17 2010 Linux ip addr del failed: external program exited with error status: 255
Thu Dec 23 15:42:17 2010 SIGTERM[hard,] received, process exiting
Thu Dec 23 15:42:18 2010 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Thu Dec 23 15:42:18 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Dec 23 15:42:18 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 23 15:42:18 2010 /usr/sbin/openvpn-vulnkey -q /etc/openvpn/static.key
Thu Dec 23 15:42:18 2010 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 23 15:42:18 2010 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 23 15:42:18 2010 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 23 15:42:18 2010 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 23 15:42:18 2010 LZO compression initialized
Thu Dec 23 15:42:18 2010 ROUTE default_gateway=10.1.0.1
Thu Dec 23 15:42:18 2010 TUN/TAP device tun0 opened
Thu Dec 23 15:42:18 2010 TUN/TAP TX queue length set to 100
Thu Dec 23 15:42:18 2010 /sbin/ifconfig tun0 192.168.0.1 pointopoint 192.168.1.1 mtu 1500
Thu Dec 23 15:42:18 2010 /sbin/route add -net 10.0.0.0 netmask 255.255.0.0 gw 192.168.1.1
Thu Dec 23 15:42:18 2010 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 23 15:42:18 2010 Local Options hash (VER=V4): 'aed3f7b0'
Thu Dec 23 15:42:18 2010 Expected Remote Options hash (VER=V4): '97131b42'
Thu Dec 23 15:42:18 2010 GID set to nogroup
Thu Dec 23 15:42:18 2010 UID set to nobody
Thu Dec 23 15:42:18 2010 Socket Buffers: R=[124928->131072] S=[124928->131072]
Thu Dec 23 15:42:18 2010 UDPv4 link local (bound): [undef]
Thu Dec 23 15:42:18 2010 UDPv4 link remote: [AF_INET]YYY.YYY.YYY.YYY:1194
Thu Dec 23 15:42:28 2010 Peer Connection Initiated with [AF_INET]YYY.YYY.YYY.YYY:1194
Thu Dec 23 15:42:29 2010 Initialization Sequence Completed

HOSTB

Thu Dec 23 15:41:06 2010 event_wait : Interrupted system call (code=4)
Thu Dec 23 15:41:06 2010 /sbin/ifconfig tun0 0.0.0.0
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Thu Dec 23 15:41:06 2010 Linux ip addr del failed: external program exited with error status: 255
Thu Dec 23 15:41:06 2010 SIGTERM[hard,] received, process exiting
Thu Dec 23 15:41:07 2010 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Thu Dec 23 15:41:07 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Dec 23 15:41:07 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 23 15:41:07 2010 /usr/sbin/openvpn-vulnkey -q /etc/openvpn/static.key
Thu Dec 23 15:41:07 2010 LZO compression initialized
Thu Dec 23 15:41:07 2010 TUN/TAP device tun0 opened
Thu Dec 23 15:41:07 2010 /sbin/ifconfig tun0 192.168.1.1 pointopoint 192.168.0.1 mtu 1500
Thu Dec 23 15:41:07 2010 GID set to nogroup
Thu Dec 23 15:41:07 2010 UID set to nobody
Thu Dec 23 15:41:07 2010 UDPv4 link local (bound): [undef]
Thu Dec 23 15:41:07 2010 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Thu Dec 23 15:41:17 2010 Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Thu Dec 23 15:41:18 2010 Initialization Sequence Completed

Re: Static Key Setup & Routing

Posted: Fri Dec 24, 2010 10:53 pm
by jmancuso
Bump. Still VPN-less. Would appreciate some more help.

Happy Holidays.

Re: Static Key Setup & Routing

Posted: Fri Dec 24, 2010 11:08 pm
by jmancuso
FYI, I should mention that both HOSTA and HOSTB are virtual machines running on kvm (Linux/Ubuntu). If my aforementioned configs look OK, is it possible that I've made a mistake in the underlying networking configuration?

Here are my /etc/network/interfaces files from both machines:

HOSTA:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto br0
iface br0 inet static
	address 10.1.0.3
	netmask 255.255.255.0
	gateway 10.1.0.1
	bridge_ports eth0
	bridge_fd 9
	bridge_hello 2
	bridge_maxage 12
	bridge_stp off

iface eth0 inet manual
	up ifconfig $IFACE 0.0.0.0 up
	up ip link set $IFACE promisc on
	down ip link set $IFACE promisc off
	down ifconfig $IFACE down

HOSTB:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto br0
iface br0 inet static
        address 10.0.10.22
        netmask 255.255.255.0
        gateway 10.0.10.1
        bridge_ports eth1
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

iface eth1 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE promisc on
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

Re: Static Key Setup & Routing

Posted: Sun Dec 26, 2010 2:09 am
by jmancuso
After some more probing, I narrowed down the problem even more.

It seems that I am able to ping/connect to other hosts in the VPN network, from any host except the VPN server.

For instance, from HOSTA I am not able to ping any other host in NETB, except HOSTB. However, from any other host in NETA, I am able to ping any host in NETB.

Weird.
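The two findings in this thread, gladiatr72's "you have no network routes" and the observation just above that only the VPN server itself cannot reach the far LAN, both reduce to route lookups on each box along the path. The following is an added worked example (my own code, not from the thread or the OpenVPN project): it parses the `netstat -rn` tables posted above, checks whether a LAN is covered by a route into tun0, flags a `route NET MASK` directive whose NET has host bits set (the first post's `route 10.0.10.0 255.255.0.0` is such a line), and walks a ping and its reply hop by hop. It goes beyond the thread in one assumed detail: the routing table of the NETB gateway 10.0.10.1 was never posted, so the example assumes one that routes 10.1.0.0/16 back via HOSTB but has only a default route (constructed upstream address 203.0.113.1) for the 192.168.x.x tunnel addresses. Under that assumption, a ping that HOSTA originates over tun0, which the kernel's default source selection sends from 192.168.0.1, gets no reply, while the same ping sourced from the LAN address 10.1.0.3 does; that is cakemaker's return-route question in executable form.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str            # "0.0.0.0" means the destination is directly connected
    iface: str

def parse_netstat(text):
    """Turn a Linux `netstat -rn` listing into Route objects."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue                      # title and header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it; None when nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)

def tunnel_covers(routes, lan, iface="tun0"):
    """True when the whole remote LAN is sent into the tunnel interface."""
    lan = ipaddress.IPv4Network(lan)
    r = lookup(routes, str(lan.network_address))
    return r is not None and r.iface == iface and lan.subnet_of(r.network)

def check_route_directive(directive):
    """Flag an OpenVPN `route NET MASK` line whose NET has host bits set."""
    _, net, mask = directive.split()[:3]
    try:
        ipaddress.IPv4Network(f"{net}/{mask}")      # strict: host bits must be zero
    except ValueError:
        return f"{net}/{mask}: network address has host bits set"
    return None

# Tables as posted for HOSTA and HOSTB after the `route ... vpn_gateway` change.
NETSTAT_HOSTA = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 br0
10.0.0.0        192.168.1.1     255.255.0.0     UG        0 0          0 tun0
0.0.0.0         10.1.0.1        0.0.0.0         UG        0 0          0 br0
"""
NETSTAT_HOSTB = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.0.10.0       0.0.0.0         255.255.255.0   U         0 0          0 br0
10.1.0.0        192.168.0.1     255.255.0.0     UG        0 0          0 tun0
0.0.0.0         10.0.10.1       0.0.0.0         UG        0 0          0 br0
"""
# ASSUMED table for the NETB gateway 10.0.10.1 (never shown in the thread): it can
# reach NETA through HOSTB but knows nothing about the 192.168.x.x tunnel addresses.
NETSTAT_GW_B = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.10.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.0.0        10.0.10.22      255.255.0.0     UG        0 0          0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth1
"""
TABLES = {"HOSTA": parse_netstat(NETSTAT_HOSTA), "HOSTB": parse_netstat(NETSTAT_HOSTB),
          "GW_B": parse_netstat(NETSTAT_GW_B)}
OWNERS = {"10.1.0.3": "HOSTA", "192.168.0.1": "HOSTA",     # which modelled host holds which address
          "10.0.10.22": "HOSTB", "192.168.1.1": "HOSTB", "10.0.10.1": "GW_B"}

def trace(dst, start):
    """Hand a packet for `dst` from host to host; returns (delivered, hops)."""
    hops, host = [start], start
    for _ in range(8):                            # hop limit guards against routing loops
        if OWNERS.get(dst) == host:
            return True, hops
        r = lookup(TABLES[host], dst)
        if r is None:
            return False, hops
        nexthop = dst if r.gateway == "0.0.0.0" else r.gateway
        host = OWNERS.get(nexthop)
        if host is None:                          # leaves the modelled network (e.g. to the ISP)
            return False, hops + [f"{r.iface}->{nexthop}"]
        hops.append(host)
    return False, hops

def round_trip(src_host, src_ip, dst):
    """Both directions must route: the reply is addressed to `src_ip`."""
    fwd_ok, fwd = trace(dst, src_host)
    back_ok, back = trace(src_ip, OWNERS[dst]) if fwd_ok else (False, [])
    return fwd_ok and back_ok, fwd, back

if __name__ == "__main__":
    print("HOSTA sends NETB into tun0:", tunnel_covers(TABLES["HOSTA"], "10.0.0.0/16"))
    print(check_route_directive("route 10.0.10.0 255.255.0.0"))   # the first post's directive
    # A ping HOSTA originates over tun0 is sourced from 192.168.0.1; LAN hosts use 10.1.x.x.
    for src in ("192.168.0.1", "10.1.0.3"):
        print(src, "-> 10.0.10.1:", round_trip("HOSTA", src, "10.0.10.1"))
```

Running it prints the coverage result, the flagged directive and the two round trips. The trace with source 192.168.0.1 ends at the gateway's upstream link because nothing on NETB knows where 192.168.0.0/24 lives, which is the same symptom as "from HOSTA I can only reach HOSTB". Two ways to test that hypothesis on a real box are to source the test from the LAN address (`ping -I 10.1.0.3 10.0.10.1`) or to give the NETB gateway a route for the tunnel addresses via HOSTB; the assumed gateway table is what to confirm first.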

Re: Static Key Setup & Routing

Posted: Mon Dec 27, 2010 6:11 pm
by gladiatr72
Hello again,

Ok. The virtualization host might be playing a part in this. I am a VirtualBox user, which might just mean that I suck and am lazy, but because of this I haven't gotten into some of the more nuts-and-bolts vm environments that are available.

First, though, deactivate iptables on HOSTB.

Test your connections to NETB.

If you're still having no luck, verify that your vm host isn't firewalling your bridged connections (layer 2 firewalling):

# /sbin/sysctl -a |grep 'bridge-nf'

If either bridge-nf-call-iptables or bridge-nf-call-arptables is set, unset them from the command line:

/sbin/sysctl -w net.bridge.bridge-nf-call-iptables=0
/sbin/sysctl -w net.bridge.bridge-nf-call-arptables=0

Let me know where that leaves you if anywhere. :)


-Stephen
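As an added example of the check in this last post (my own code, not Stephen's and not from the OpenVPN project), the following parses `sysctl -a`-style output, reports which `bridge-nf-call-*` keys are enabled, and emits the `sysctl -w key=0` commands in the form `sysctl -w` actually accepts (no spaces around `=`). It also reads the live values from `/proc/sys/net/bridge/` when run on a Linux box with br_netfilter loaded, checks the `net.ipv4.ip_forward` value the first post verified by hand, and goes one key beyond the post by including `bridge-nf-call-ip6tables`, which exists alongside the two named. The sample output is constructed.

```python
import os
import re

BRIDGE_NF_KEYS = ("net.bridge.bridge-nf-call-iptables",
                  "net.bridge.bridge-nf-call-ip6tables",   # real key, beyond the two the post names
                  "net.bridge.bridge-nf-call-arptables")

def parse_sysctl(text):
    """Map `key = value` lines (the `sysctl -a` format) to {key: value}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def bridge_nf_report(settings):
    """Return (enabled_keys, commands): keys that make the bridge hand frames to
    netfilter, and the `sysctl -w` lines (no spaces around '=') that turn them off."""
    enabled = [k for k in BRIDGE_NF_KEYS if settings.get(k, "0") == "1"]
    return enabled, [f"sysctl -w {k}=0" for k in enabled]

def ip_forward_enabled(settings):
    """The same check as `cat /proc/sys/net/ipv4/ip_forward` on both hosts."""
    return settings.get("net.ipv4.ip_forward") == "1"

def read_live_sysctls():
    """Read the bridge-nf and ip_forward values from /proc on a Linux host, else {}.
    The bridge keys only exist once br_netfilter is loaded."""
    found = {}
    for k in BRIDGE_NF_KEYS + ("net.ipv4.ip_forward",):
        path = "/proc/sys/" + k.replace(".", "/")    # sysctl name -> /proc path
        if os.path.exists(path):
            with open(path) as f:
                found[k] = f.read().strip()
    return found

# Constructed sample of `sysctl -a | grep -e bridge-nf -e ip_forward` output,
# with the iptables and ip6tables hooks switched on.
SAMPLE = """\
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.ipv4.ip_forward = 1
"""

if __name__ == "__main__":
    settings = read_live_sysctls() or parse_sysctl(SAMPLE)
    enabled, commands = bridge_nf_report(settings)
    print("ip_forward enabled:", ip_forward_enabled(settings))
    print("bridge hands frames to netfilter via:", enabled or "nothing")
    for cmd in commands:
        print(cmd)
```

On the sample it lists the iptables and ip6tables hooks and prints the two `sysctl -w` lines; on a live host it prefers the values read from /proc, so an empty result there means either the hooks are off or br_netfilter is not loaded, and both cases leave the bridge out of the netfilter path.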