Page 1 of 2
Lost hope using ccd option
Posted: Mon Apr 04, 2011 3:33 pm
by pwg3n
Hi everyone.
First of all I'd like to thank you for your time reading this.
I've got a huge problem setting up fixed IP addresses for my clients. I've seen that there's a option using ccd directory, but this is not working for me. I mean, it's totally ignored by the client who's connecting.
Here's my config:
port 1194
proto udp
dev tun
ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 2.2.2.2"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
Some explanations:
10.1.1.0/24 is my internal_subnet (LAN clients)
10.2.0.0/24 is my openvpn_subnet (external clients)
A static route is added for openvpn_subnet users to connect to internal_subnet users.
THE PROBLEM:
I've created user1 and a file inside: /etc/openvpn/ccd/
ls -l /etc/openvpn/ccd/
total 8
-rwxrwxrwx 1 root root 34 2011-04-04 11:01 user1
Gave all the possible permissions.
Inside that file I set up a fixed IP range:
cat /etc/openvpn/ccd/user1
ifconfig-push 10.2.0.50 10.2.0.50
But, everytime user1 connects, VPN server doesn't give a ... about this ccd option and sets up a IP looking at this option:
server 10.2.0.0 255.255.255.0
The only IP users are receiving is this:
10.2.0.6
Here's the log:
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 LZO compression initialized
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Local Options hash (VER=V4): '530fdded'
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 Expected Remote Options hash (VER=V4): '41690919'
Mon Apr 4 11:13:25 2011 82.1.1.1:20898 TLS: Initial packet from 82.111.111.111:20898, sid=21b4eec3 58c53cb6
Mon Apr 4 11:13:29 2011 82.1.1.1:20898 VERIFY OK: depth=1, /C=RO/ST=RO/L=City/O=Company/OU=RO/CN=gw/emailAddress=
administrator@domainexample.ro
Mon Apr 4 11:13:29 2011 82.1.1.1:20898 VERIFY OK: depth=0, /C=RO/ST=RO/L=City/O=Company/OU=Company/CN=user1/emailAddress=
administrator@domainexample.ro
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 4 11:13:30 2011 82.1.1.1:20898 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 4 11:13:31 2011 82.1.1.1:20898 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 4 11:13:31 2011 82.1.1.1:20898 [user1] Peer Connection Initiated with 82.1.1.1:20898
Mon Apr 4 11:13:31 2011 user1/82.1.1.1:20898 MULTI: Learn: 10.2.0.6 -> user1/82.1.1.1:20898
Mon Apr 4 11:13:31 2011 user1/82.1.1.1:20898 MULTI: primary virtual IP for user1/82.1.1.1:20898: 10.2.0.6
Mon Apr 4 11:13:33 2011 user1/82.1.1.1:20898 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 4 11:13:33 2011 user1/82.1.1.1:20898 SENT CONTROL [user1]: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 213.154.124.1,route 10.2.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.2.0.6 10.2.0.5' (status=1)
Mon Apr 4 11:18:01 2011 user1/82.1.1.1:20898 [user1] Inactivity timeout (--ping-restart), restarting
Mon Apr 4 11:18:01 2011 user1/82.1.1.1:20898 SIGUSR1[soft,ping-restart] received, client-instance restarting
Any idea what I am missing about this?
PS: Don't worry about the external IP's. Changed this only in this document.
THANKS A LOT people!
Re: Lost hope using ccd option
Posted: Mon Apr 04, 2011 6:54 pm
by george
Your ifconfig-push statement is causing it not to work. They need to be successive pairs using a 30 bit subnet mask, in your case the line should read:
Here's a more detailed explanation:
http://openvpn.net/index.php/open-sourc ... tml#policy
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 6:41 am
by maikcat
hi there,
dont forget to restore ccd's permissions...
michael.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 6:45 am
by pwg3n
Tried that. The only IP clients are receiving is 10.2.0.6
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 6:49 am
by pwg3n
Sorry, what do you mean by "restore" permissions for ccd?
What permissions do you have for that folder?
maikcat wrote:hi there,
dont forget to restore ccd's permissions...
michael.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 7:13 am
by maikcat
hi there,
ccd files must have 644 permisions not 777..
i noticed this
/C=RO/ST=RO/L=City/O=Company/OU=RO/CN=gw/emailAddress=
administrator@domainexample.ro
CN=gw...
try rename the user1 file to gw
michael
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 7:15 am
by pwg3n
gw is the machine hostname
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 7:40 am
by maikcat
can you please try after renaming the ccd file to gw?
michael.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 9:02 am
by janjust
for debugging, try adding
to the server config and restart; only the client 'user1' will now be allowed to connect.
Next, use the following IPs in the ccd-file
(Note the order! the HOWTO mentions it backwards, which is wrong)
In the server log you should now see that it is picking up the 'ccd' file ; if it is not, then the client is not allowed access.
Once it works, remove the 'ccd-exclusive' to allow other clients to connect again.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 9:15 am
by pwg3n
Hah!
You guys were right. Thank you so much!
Restarted the server and put the /30 ranges in the ccd file and now it's working ok, but having another problem: for the 10.3.0.0/24 clients, cannot ping the LAN (10.1.1.0/24) even if the config file has the bold routes added:
port 1194
proto udp
dev tun
ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
route 10.2.0.0 255.255.255.0
route 10.3.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 213.154.124.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 9:18 am
by pwg3n
This makes sense janjust, thank you.
janjust wrote:for debugging, try adding
to the server config and restart; only the client 'user1' will now be allowed to connect.
Next, use the following IPs in the ccd-file
(Note the order! the HOWTO mentions it backwards, which is wrong)
In the server log you should now see that it is picking up the 'ccd' file ; if it is not, then the client is not allowed access.
Once it works, remove the 'ccd-exclusive' to allow other clients to connect again.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 9:20 am
by janjust
which clients are the '10.3.0.0/24' clients? where do they connect from?
Also, if a VPN client connects, it receives an address in the 10.2.0.0/24 space - if the 10.3/24 clients are LAN clients on the server side, do they know that 10.2/24 is "behind" the openvpn server ?
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 9:23 am
by pwg3n
Both 10.2.0.0/24 and 10.3.0.0/24 need to ping 10.1.1.1 witch is the default gateway.
Both need to connect to 10.1.1.x servers in the LAN subnet.
10.2.0.0/24 and 10.3.0.0/24 are the classes for two type of guests.
janjust wrote:which clients are the '10.3.0.0/24' clients? where do they connect from?
Also, if a VPN client connects, it receives an address in the 10.2.0.0/24 space - if the 10.3/24 clients are LAN clients on the server side, do they know that 10.2/24 is "behind" the openvpn server ?
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 9:45 am
by maikcat
although i missed a few posts,i try to catch up..
first remove this:
route 10.2.0.0 255.255.255.0
second
this : route 10.3.0.0 255.255.255.0
are you using iroute statement inside ccd file?
>10.2.0.0/24 and 10.3.0.0/24 are the classes for two type of guests.
i dont quite understand this...
ps: for the record,how did you solve the ccd problem you had?
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 9:49 am
by janjust
so the 10.3/24 clients are VPN clients? it will be hard to integrate them into your existing server setup.
Try using 10.0.2/24 and 10.0.3/24 instead. Update your server config to
so that the 10.0.3/24 clients become part of the same VPN.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:03 am
by pwg3n
Both 10.0.2.0/24 and 10.0.3.0/24 are VPN clients. They both must reach 10.1.1.0/24 LAN network, having 10.1.1.1 as a LAN gateway.
10.0.2.0/24 and 10.0.3.0/24 must have access to servers like 10.1.1.5 or 10.1.1.50 for instance.
maikcat, solved the issue by adding the correct /30 entries to the ccd file.
For instance, for user1:
cat /etc/openvpn/ccd/user1
ifconfig-push 10.3.0.1 10.3.0.2
For user2:
cat /etc/openvpn/ccd/user2
ifconfig-push 10.2.0.1 10.2.0.2
Took the ranges from here:
Code: Select all
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:06 am
by janjust
note my use of
10.0.2.0
and
10.0.3.0
instead of '10.[23].0' : check the order of the 0's !
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:10 am
by pwg3n
Thank you janjust. This made the 10.3.0.0 network access ok to 10.1.1.1, but cannot ping 10.1.1.1 from 10.2.0.0 network.
janjust wrote:so the 10.3/24 clients are VPN clients? it will be hard to integrate them into your existing server setup.
Try using 10.0.2/24 and 10.0.3/24 instead. Update your server config to
so that the 10.0.3/24 clients become part of the same VPN.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:12 am
by janjust
did you update the ccd-file as well? what is the IP address assigned to the client? it should become '10.0.2.50'.
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:21 am
by pwg3n
Did that.
I don't know what's happening.
3=11
2=10
254=111 111 10
So, this mask should match all these two VPN users classes.
Don't understand.
Conf now:
port 1194
proto udp
dev tun
ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.0.2.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 213.154.124.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
janjust wrote:did you update the ccd-file as well? what is the IP address assigned to the client? it should become '10.0.2.50'.