Need help configuring your VPN? Just post here and you'll get that help.
Moderators: TinCanTech
-
hohoangluan
- OpenVPN User
- Posts: 31
- Joined: Wed Jan 26, 2011 2:34 pm
Post
by hohoangluan » Wed Jan 26, 2011 3:11 pm
Hello everyone. I'm a newbie. I hope to receive help from everyone.
I configured OpenVPN on Ubuntu Server 9.0....... with the server.conf and client.conf files below
- File server.conf
Code: Select all
dev tun
proto tcp
port 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
#My first connections were a little slow so I disabled compression with this:
#comp-lzo
- File sample.ovpn
Code: Select all
dev tun
client
proto tcp
remote 192.168.232.195 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
comp-lzo
ca "C:\\Program Files\\OpenVPN\\config\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\keys\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\keys\\client.key"
# Set log file verbosity.
verb 3
And then when I connect to the server, it shows me that the certificate is not yet valid and to check the system time.

If anyone has seen this error, please help me solve it. Thank you.
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
-
Contact:
Post
by maikcat » Thu Jan 27, 2011 8:39 am
Hi there,
When you generated your certs, was the time/date correct?
Is the time/date correct on your PC?
Cheers,
michael.
PS: if you double-click the .crt file in Windows it opens; browse through the
fields and check the valid from - to field.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
by hohoangluan » Thu Jan 27, 2011 10:22 am
Thanks for your answer. I did it. But I have another problem with routing in my private network. This is my network:
Code: Select all
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t NAT -A POSTROUTING -s 10.0.8.0/24 -o eth0 -j MASQUERADE
server.conf
push "route 172.22.0.0 255.255.255.0"
I can ping 172.22.1.1 and 10.8.0.1 but I can ping to the private network, e.g. 172.22.1.3-10. Please help me with the route.
-
krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Post
by krzee » Thu Jan 27, 2011 11:12 am
by maikcat » Thu Jan 27, 2011 2:00 pm
Does the VPN server have a static route to the 172.22.0.0/24 network?
Cheers,
michael.
PS: why do you use NAT for your VPN users?
by hohoangluan » Thu Jan 27, 2011 3:11 pm
Yes. I have a static route to 172.22.0.0/24 on the Ubuntu server:
route add -net 172.22.0.0 netmask 255.255.255.0 gw 192.168.1.1
I don't know whether the gw is right or wrong.
by maikcat » Fri Jan 28, 2011 8:08 am
Good day,
In your schematic you don't write anything about the device which is located
at the bottom and connects the 172.22.0.0/24. Is it a router? With what IP?
>route add -net 172.22.0.0 netmask 255.255.255.0 gw 192.168.1.1
Your static route routes the traffic for the 172.22.0.0 net to the WAN interface of your VPN server..?
This should point to the device at the bottom of your diagram.
Cheers,
michael.
PS: I assume the "cloud" is the internet, right?
by hohoangluan » Fri Jan 28, 2011 9:19 am
Sorry, I forgot that I set up OpenVPN on VMware.
LAN(172.22.0.2/24)---->eth1(172.22.0.1/24)server(eth0(192.168.1.1/24))------>PC(192.168.1.2/24)
I have already connected the VPN to the server with tun(10.0.3.1/24).
How can I configure the server so the VPN client can access my LAN network?
by maikcat » Fri Jan 28, 2011 9:28 am
OK,
let's review..
Your LAN is the 172.22.0.0/24 network.
You have a VMware server with IP 172.22.0.2/24.
Your OpenVPN server (which is a VM) has:
LAN IP 172.22.0.1/24 (eth1)
WAN IP 192.168.1.1/24 (eth0)
tun IP (VPN interface) 10.0.3.1/24
*In the diagram you had entered that the LAN IP of the VPN is 172.22.1.1/24.
So far so good..
Why are you using NAT on eth0?
If you have IP routing enabled this should work...
Have you got a firewall enabled?
>I can ping 172.22.1.1 and 10.8.0.1 but I can ping to the private network, e.g. 172.22.1.3-10. Please help me with the route.
You are confusing me...
Is the IP of the server 172.22.1.1 or 172.22.0.1???
michael.
by hohoangluan » Sat Jan 29, 2011 4:22 pm
I have already designed a new diagram:
server.conf
Code: Select all
dev tun
proto tcp
port 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
user nobody
group nogroup
server 10.0.3.0 255.255.255.0
push "route 172.22.0.0 255.255.255.0"
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
#My first connections were a little slow so I disabled compression with this:
#comp-lzo
client.ovpn
Code: Select all
dev tun
client
proto tcp
remote 192.18.1.1 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
comp-lzo
ca "C:\\Program Files\\OpenVPN\\config\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\keys\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\keys\\client.key"
# Set log file verbosity.
verb 3
Iptables
Code: Select all
echo 1 >/proc/sys/net/ipv4/ip_forwarding
I have successfully connected to the VPN server. I can ping both (eth0, eth1) of the VPN server. But I can't ping the LAN network 172.22.0.2....... Please help me with the route.
by maikcat » Mon Jan 31, 2011 7:25 am
Hi there,
If you can ping the LAN IP of the VPN server (172.22.0.1) through the tunnel then your
server conf is OK (IP routing etc).
To be able to access your LAN IPs you must:
1) Set up your clients' routing so they know where to route packets for the 10.0.3.0/24 subnet.
To do this you have 2 options: either set the default gateway of your LAN PCs pointing to the LAN of your VPN server, or set up a static route for the 10.0.3.0 subnet pointing to the LAN of your VPN server.
2) Disable any firewall on your clients (or set it up properly..)
PS: I assume that you don't have any type of firewall enabled on your server..
Cheers,
michael.
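The return-path problem described in the last answer, as an added example that is not part of the original thread: a small longest-prefix-match model of the routing table on LAN host 172.22.0.2, showing where its ping reply to a VPN client is sent. The existing default gateway 172.22.0.254 and the VPN client address 10.0.3.6 are assumed values, not taken from the posts.

```python
import ipaddress

VPN_SERVER_LAN = "172.22.0.1"   # eth1 of the OpenVPN server (from the thread)
OTHER_GATEWAY = "172.22.0.254"  # assumption: the LAN's existing default gateway
VPN_CLIENT = "10.0.3.6"         # assumption: an address leased from 10.0.3.0/24


def next_hop(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs.

    A gateway of None means the network is directly connected.
    Returns the gateway address, "on-link", or "unreachable".
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return "unreachable"
    return "on-link" if best[1] is None else best[1]


def reply_reaches_tunnel(routes, vpn_client=VPN_CLIENT):
    """The reply re-enters the tunnel only if it is handed to the VPN server."""
    return next_hop(routes, vpn_client) == VPN_SERVER_LAN


# Routing table of the LAN host in four states.
no_gateway = [("172.22.0.0/24", None)]                      # isolated VM network
before = no_gateway + [("0.0.0.0/0", OTHER_GATEWAY)]        # replies leave via the wrong box
option_default_gw = no_gateway + [("0.0.0.0/0", VPN_SERVER_LAN)]
option_static = before + [("10.0.3.0/24", VPN_SERVER_LAN)]  # more specific route wins

if __name__ == "__main__":
    tables = [("no gateway", no_gateway), ("before", before),
              ("default gw = VPN server", option_default_gw),
              ("static route", option_static)]
    for name, table in tables:
        hop = next_hop(table, VPN_CLIENT)
        print(f"{name:24} reply to {VPN_CLIENT} via {hop:13} "
              f"reaches tunnel: {reply_reaches_tunnel(table)}")
```

The static route changes only where replies to 10.0.3.0/24 go and leaves the host's default gateway in place, so the rest of its traffic stays off the VPN server.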