openvpn client error
Posted: Wed Jan 26, 2011 3:11 pm
by hohoangluan
Hello everyone. I'm a newbie. I hope to receive help from everyone.
I configured OpenVPN on Ubuntu Server 9.0....... with the server.conf and client.conf files below
- File server.conf
Code:
dev tun
proto tcp
port 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
#My first connections were a little slow so I disabled compression with this:
#comp-lzo
- File sample.ovpn
Code:
dev tun
client
proto tcp
remote 192.168.232.195 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
comp-lzo
ca "C:\\Program Files\\OpenVPN\\config\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\keys\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\keys\\client.key"
# Set log file verbosity.
verb 3
And then I connect to the server, and it shows me that the certificate is not yet valid and to check the system time.

Whoever has seen this error, please help me solve this. Thank you.
Re: openvpn client error
Posted: Thu Jan 27, 2011 8:39 am
by maikcat
hi there,
when you generated your certs, was the time/date correct?
is the time/date correct on your pc?
cheers,
michael.
ps: if you double click on the .crt file from Windows you open it; browse through the
fields and check the valid from - to field..
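Added example (not part of the thread): the same "valid from - to" check done against a clock value instead of by eye. The sample text is a constructed stand-in for what `openssl x509 -in client.crt -noout -dates` prints; the dates in it are made up for illustration.

```python
import ssl

# Constructed sample of `openssl x509 -in client.crt -noout -dates` output.
SAMPLE_DATES = """notBefore=Jan 26 15:00:00 2011 GMT
notAfter=Jan 23 15:00:00 2021 GMT"""


def parse_dates(openssl_output):
    """Return (not_before, not_after) as epoch seconds in UTC."""
    found = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = ssl.cert_time_to_seconds(value)
    if len(found) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_clock(openssl_output, now):
    """Classify the certificate against the clock value `now` (epoch seconds).

    Returns (status, seconds): how long until the certificate becomes
    valid, or how long ago it expired, or 0 when it is inside its window.
    """
    not_before, not_after = parse_dates(openssl_output)
    if now < not_before:
        return "not yet valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "valid", 0


if __name__ == "__main__":
    import time
    # Run on the machine that reports the error, so its own clock is tested.
    print(check_clock(SAMPLE_DATES, time.time()))
```

A "not yet valid" result means the clock of the machine doing the check is behind the clock that was used when the certificate was generated; the second value is the size of that gap in seconds.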
Re: openvpn client error
Posted: Thu Jan 27, 2011 10:22 am
by hohoangluan
Thanks for your answer. I did it. But I have another problem about routing with my private network. This is my network
Code:
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.0.8.0/24 -o eth0 -j MASQUERADE
server.conf
push "route 172.22.0.0 255.255.255.0"
I can ping 172.22.1.1 and 10.8.0.1 but I can ping to private network, e.g. 172.22.1.3-10. Please help me with the route.
Re: openvpn client error
Posted: Thu Jan 27, 2011 11:12 am
by krzee
Re: openvpn client error
Posted: Thu Jan 27, 2011 2:00 pm
by maikcat
does the vpn server have a static route to the 172.22.0.0/24 network?
cheers,
michael.
ps: why do you use nat for your vpn users?
Re: openvpn client error
Posted: Thu Jan 27, 2011 3:11 pm
by hohoangluan
Yes. I have a static route to 172.22.0.0/24 on the Ubuntu server
route add -net 172.22.0.0 netmask 255.255.255.0 gw 192.168.1.1
I don't know whether the gw is right or wrong.
Re: openvpn client error
Posted: Fri Jan 28, 2011 8:08 am
by maikcat
good day,
in your schematic you don't write anything about the device which is located
on the bottom and connects the 172.22.0.0/24.. is it a router? with what ip?
>route add -net 172.22.0.0 netmask 255.255.255.0 gw 192.168.1.1
your static route routes the traffic for 172.22.0.0 net to your wan interface of the vpn server..?
this should point to the device on the bottom of your diagram..
cheers,
michael.
ps: i assume the "cloud" is the internet.. right?
Re: openvpn client error
Posted: Fri Jan 28, 2011 9:19 am
by hohoangluan
Sorry, I forgot that I set up OpenVPN on VMware.
LAN(172.22.0.2/24)---->eth1(172.22.0.1/24)server(eth0(192.168.1.1/24))------>PC(192.168.1.2/24)
I have already connected the VPN to the server with tun (10.0.3.1/24)
How can I configure the server so that VPN clients can access my LAN network?
Re: openvpn client error
Posted: Fri Jan 28, 2011 9:28 am
by maikcat
ok,
let's overview..
your lan is 172.22.0.0/24 network
you have a vmware server with ip 172.22.0.2/24
your openvpn server (which is a VM) has:
lan ip 172.22.0.1/24 (eth1)
wan ip 192.168.1.1/24 (eth0)
tun ip (vpn interface) 10.0.3.1/24
*in the diagram you had entered that lan ip of the vpn is 172.22.1.1/24
so far so good..
why are you using NAT on eth0?
if you have ip routing enabled this should work...
have you got firewall enabled?
>i can ping 172.22.1.1 and 10.8.0.1 but i can ping to private network Ex: 172.22.1.3-10. Plz help me about route
you're confusing me...
is the ip of the server 172.22.1.1 or 172.22.0.1 ???
michael.
Re: openvpn client error
Posted: Sat Jan 29, 2011 4:22 pm
by hohoangluan
I already designed a new diagram:
server.conf
Code:
dev tun
proto tcp
port 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
user nobody
group nogroup
server 10.0.3.0 255.255.255.0
push "route 172.22.0.0 255.255.255.0"
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
#My first connections were a little slow so I disabled compression with this:
#comp-lzo
client.ovpn
Code:
dev tun
client
proto tcp
remote 192.18.1.1 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
comp-lzo
ca "C:\\Program Files\\OpenVPN\\config\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\keys\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\keys\\client.key"
# Set log file verbosity.
verb 3
Iptables
Code:
echo 1 >/proc/sys/net/ipv4/ip_forward
I have successfully connected to the vpn server. I can ping both (eth0, eth1) of the vpn server. But I can't ping the LAN network 172.22.0.2....... Please help me with the route.
Re: openvpn client error
Posted: Mon Jan 31, 2011 7:25 am
by maikcat
hi there,
if you can ping the lan ip of the vpn server (172.22.0.1) through the tunnel then your
server conf is ok.. (ip routing etc)
to be able to access your lan ips you must:
1) set up your clients' routing so they know where to route packets for the 10.0.3.0/24 subnet
to do this you have 2 options..
a) set the default gateway of your lan pcs pointing to the lan of your vpn server, or
b) set up a static route for the 10.0.3.0 subnet pointing to the lan of your vpn server.
2) disable any firewall on your clients (or set it up properly..)
ps: i assume that you don't have any type of firewall enabled on your server..
cheers,
michael.
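Added example (not part of the thread): a small route-lookup model of why the VPN client can ping the server's own addresses but gets no reply from 172.22.0.2, and how either of the two options above fixes the return path. The interface addresses and subnets are the ones posted in the thread; the LAN PCs' current default gateway 172.22.0.254 and the VPN client address 10.0.3.6 are assumptions made for illustration.

```python
import ipaddress

VPN_SERVER_LAN = "172.22.0.1"   # eth1 of the OpenVPN server (from the thread)
OTHER_GATEWAY = "172.22.0.254"  # assumption: gateway the LAN PCs use today
SERVER_ADDRS = {"172.22.0.1", "192.168.1.1", "10.0.3.1"}  # eth1, eth0, tun


def routes(*entries):
    return [(ipaddress.ip_network(net), hop) for net, hop in entries]


def next_hop(table, dst):
    """Longest-prefix match; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, hop) for net, hop in table if addr in net]
    return max(hits)[1] if hits else None


SERVER = routes(("10.0.3.0/24", "tun0"), ("172.22.0.0/24", "eth1"),
                ("192.168.1.0/24", "eth0"))
ON_LINK = ("172.22.0.0/24", "on-link")
LAN_AS_IS = routes(ON_LINK, ("0.0.0.0/0", OTHER_GATEWAY))
LAN_DEFAULT_GW = routes(ON_LINK, ("0.0.0.0/0", VPN_SERVER_LAN))  # option a
LAN_STATIC = routes(ON_LINK, ("0.0.0.0/0", OTHER_GATEWAY),
                    ("10.0.3.0/24", VPN_SERVER_LAN))             # option b


def ping_from_vpn_client(target, lan_table, client="10.0.3.6"):
    """Return (reply_arrives, reason) for a ping sent through the tunnel."""
    if target in SERVER_ADDRS:
        # The server answers for its own addresses using its own table.
        return next_hop(SERVER, client) == "tun0", "server replies via tun0"
    if next_hop(SERVER, target) != "eth1":
        return False, "server has no LAN route to the target"
    # The request reaches the LAN PC; the reply follows the PC's table.
    hop = next_hop(lan_table, client)
    if hop == VPN_SERVER_LAN:
        return True, "reply goes back to the VPN server and into the tunnel"
    return False, f"reply is sent to {hop} instead of the VPN server"


if __name__ == "__main__":
    tables = [("as is", LAN_AS_IS), ("default gw", LAN_DEFAULT_GW),
              ("static route", LAN_STATIC)]
    for name, table in tables:
        for target in ("172.22.0.1", "172.22.0.2"):
            print(name, target, ping_from_vpn_client(target, table))
```

On a Linux LAN host, option b corresponds to `ip route add 10.0.3.0/24 via 172.22.0.1`; adding the same route once on the LAN's existing gateway has the same effect for every host behind it.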
Re: openvpn client error
Posted: Thu Feb 03, 2011 5:17 am
by krzee
if you go to the link i gave you above you will see a section named "ROUTES TO ADD OUTSIDE OF OPENVPN"
it even has this link
http://www.secure-computing.net/wiki/index.php/Graph of the issue
which looks a lot like your diagram