ubuntu server 10.10 and Openvpn
Posted: Fri Apr 29, 2011 1:52 am
by machine
Hopefully someone here can make sense of this.
This is a clean install of OpenVPN on an Ubuntu 10.10 server. I am trying to set up a multi-client VPN for Samba shares. I only want the clients to see the server, not each other, and would prefer not to have to run multiple daemons to accomplish this.
ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:09:2d:01:d5
inet addr:192.168.1.139 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::211:9ff:fe2d:1d5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:117837 errors:0 dropped:0 overruns:0 frame:0
TX packets:57853 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69828955 (69.8 MB) TX bytes:6385148 (6.3 MB)
Interrupt:22
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:960 (960.0 B) TX bytes:960 (960.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Server.conf
local 192.168.1.139
port 1193
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
Client.conf
dev tun
;dev-node MyTap
proto udp
remote myvpn.myvpn.com 1193
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert PORTABLE1.crt
key PORTABLE1.key
ns-cert-type server
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 3
;mute 20
I am relatively new to all of this, so bear with me.

Re: ubuntu server 10.10 and Openvpn
Posted: Fri Apr 29, 2011 8:08 am
by janjust
Looks alright at first glance; what happens when a client connects? Can the client ping the VPN server IP (10.8.0.1)? Is there a firewall on the server blocking traffic? Which Samba share do you wish to access: one on the VPN server itself, or one elsewhere on the server-side LAN?
Re: ubuntu server 10.10 and Openvpn
Posted: Fri Apr 29, 2011 9:25 am
by maikcat
hi there,
Please also post smb.conf, iptables -L output and the OpenVPN server logs.
Michael.
Re: ubuntu server 10.10 and Openvpn
Posted: Fri Apr 29, 2011 1:34 pm
by machine
Thank you for the responses, here are the files maikcat requested.
smb.conf
# Samba config file created using SWAT
# from UNKNOWN (10.8.0.6)
# Date: 2011/04/16 17:16:03
[global]
netbios name = bjvpn
server string = %h server (Samba, Ubuntu)
workgroup = WORKGROUP
map to guest = bad user
obey pam restrictions = yes
pam password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = yes
security = user
hosts allow = 127.0.0. 192.168.1. 10.8.0.
hosts deny = 0.0.0.0/0
interfaces = 127.0.0.1/8 192.168.1.100/24 10.8.0.0/24
bind interfaces only = yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = no
usershare allow guests = yes
panic action = /usr/share/samba/panic-action %d
[test]
path = /home/mike/test
valid users = mike
read only = no
guest ok = yes
[Music]
comment = Music Folder
path = /srv/samba/Music
write list = mike
browsable = yes
guest ok = yes
read only = yes
create mask = 0755
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- BASE-ADDRESS.MCAST.NET/4 anywhere
ACCEPT all -- anywhere BASE-ADDRESS.MCAST.NET/4
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:22004
ACCEPT udp -- anywhere anywhere udp dpt:22004
ACCEPT tcp -- anywhere anywhere tcp dpt:1193
ACCEPT udp -- anywhere anywhere udp dpt:1193
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
Server logs
Fri Apr 29 08:27:31 2011 us=269176 Current Parameter Settings:
Fri Apr 29 08:27:31 2011 us=269340 config = '/etc/openvpn/server.conf'
Fri Apr 29 08:27:31 2011 us=269366 mode = 1
Fri Apr 29 08:27:31 2011 us=269387 persist_config = DISABLED
Fri Apr 29 08:27:31 2011 us=269408 persist_mode = 1
Fri Apr 29 08:27:31 2011 us=269427 show_ciphers = DISABLED
Fri Apr 29 08:27:31 2011 us=269447 show_digests = DISABLED
Fri Apr 29 08:27:31 2011 us=269467 show_engines = DISABLED
Fri Apr 29 08:27:31 2011 us=269486 genkey = DISABLED
Fri Apr 29 08:27:31 2011 us=269506 key_pass_file = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=269526 show_tls_ciphers = DISABLED
Fri Apr 29 08:27:31 2011 us=269545 Connection profiles [default]:
Fri Apr 29 08:27:31 2011 us=269566 proto = udp
Fri Apr 29 08:27:31 2011 us=269585 local = '192.168.1.139'
Fri Apr 29 08:27:31 2011 us=269605 local_port = 1193
Fri Apr 29 08:27:31 2011 us=269624 remote = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=269644 remote_port = 1193
Fri Apr 29 08:27:31 2011 us=269667 remote_float = DISABLED
Fri Apr 29 08:27:31 2011 us=269688 bind_defined = DISABLED
Fri Apr 29 08:27:31 2011 us=269707 bind_local = ENABLED
Fri Apr 29 08:27:31 2011 us=269727 connect_retry_seconds = 5
Fri Apr 29 08:27:31 2011 us=269820 connect_timeout = 10
Fri Apr 29 08:27:31 2011 us=269846 connect_retry_max = 0
Fri Apr 29 08:27:31 2011 us=269866 socks_proxy_server = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=269886 socks_proxy_port = 0
Fri Apr 29 08:27:31 2011 us=269906 socks_proxy_retry = DISABLED
Fri Apr 29 08:27:31 2011 us=269925 Connection profiles END
Fri Apr 29 08:27:31 2011 us=269944 remote_random = DISABLED
Fri Apr 29 08:27:31 2011 us=269964 ipchange = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=269983 dev = 'tun'
Fri Apr 29 08:27:31 2011 us=270005 dev_type = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=270025 dev_node = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=270044 lladdr = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=270064 topology = 3
Fri Apr 29 08:27:31 2011 us=270083 tun_ipv6 = DISABLED
Fri Apr 29 08:27:31 2011 us=270102 ifconfig_local = '10.8.0.1'
Fri Apr 29 08:27:31 2011 us=270121 ifconfig_remote_netmask = '255.255.255.0'
Fri Apr 29 08:27:31 2011 us=270141 ifconfig_noexec = DISABLED
Fri Apr 29 08:27:31 2011 us=270160 ifconfig_nowarn = DISABLED
Fri Apr 29 08:27:31 2011 us=270180 shaper = 0
Fri Apr 29 08:27:31 2011 us=270199 tun_mtu = 1500
Fri Apr 29 08:27:31 2011 us=270218 tun_mtu_defined = ENABLED
Fri Apr 29 08:27:31 2011 us=270238 link_mtu = 1500
Fri Apr 29 08:27:31 2011 us=270257 link_mtu_defined = DISABLED
Fri Apr 29 08:27:31 2011 us=270277 tun_mtu_extra = 0
Fri Apr 29 08:27:31 2011 us=270296 tun_mtu_extra_defined = DISABLED
Fri Apr 29 08:27:31 2011 us=270315 fragment = 0
Fri Apr 29 08:27:31 2011 us=270334 mtu_discover_type = -1
Fri Apr 29 08:27:31 2011 us=270354 mtu_test = 0
Fri Apr 29 08:27:31 2011 us=270381 mlock = DISABLED
Fri Apr 29 08:27:31 2011 us=270402 keepalive_ping = 10
Fri Apr 29 08:27:31 2011 us=270422 keepalive_timeout = 120
Fri Apr 29 08:27:31 2011 us=270441 inactivity_timeout = 0
Fri Apr 29 08:27:31 2011 us=270461 ping_send_timeout = 10
Fri Apr 29 08:27:31 2011 us=270480 ping_rec_timeout = 240
Fri Apr 29 08:27:31 2011 us=270499 ping_rec_timeout_action = 2
Fri Apr 29 08:27:31 2011 us=270518 ping_timer_remote = DISABLED
Fri Apr 29 08:27:31 2011 us=270538 remap_sigusr1 = 0
Fri Apr 29 08:27:31 2011 us=270557 explicit_exit_notification = 0
Fri Apr 29 08:27:31 2011 us=270576 persist_tun = ENABLED
Fri Apr 29 08:27:31 2011 us=270595 persist_local_ip = DISABLED
Fri Apr 29 08:27:31 2011 us=270614 persist_remote_ip = DISABLED
Fri Apr 29 08:27:31 2011 us=270633 persist_key = ENABLED
Fri Apr 29 08:27:31 2011 us=270653 mssfix = 1450
Fri Apr 29 08:27:31 2011 us=270672 passtos = DISABLED
Fri Apr 29 08:27:31 2011 us=270691 resolve_retry_seconds = 1000000000
Fri Apr 29 08:27:31 2011 us=270711 username = 'nobody'
Fri Apr 29 08:27:31 2011 us=270730 groupname = 'nogroup'
Fri Apr 29 08:27:31 2011 us=270749 chroot_dir = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=270784 cd_dir = '/etc/openvpn'
Fri Apr 29 08:27:31 2011 us=270805 writepid = '/var/run/openvpn.server.pid'
Fri Apr 29 08:27:31 2011 us=270824 up_script = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=270843 down_script = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=270863 down_pre = DISABLED
Fri Apr 29 08:27:31 2011 us=270882 up_restart = DISABLED
Fri Apr 29 08:27:31 2011 us=270901 up_delay = DISABLED
Fri Apr 29 08:27:31 2011 us=270920 daemon = ENABLED
Fri Apr 29 08:27:31 2011 us=270939 inetd = 0
Fri Apr 29 08:27:31 2011 us=270958 log = ENABLED
Fri Apr 29 08:27:31 2011 us=270977 suppress_timestamps = DISABLED
Fri Apr 29 08:27:31 2011 us=270996 nice = 0
Fri Apr 29 08:27:31 2011 us=271015 verbosity = 6
Fri Apr 29 08:27:31 2011 us=271035 mute = 0
Fri Apr 29 08:27:31 2011 us=271054 gremlin = 0
Fri Apr 29 08:27:31 2011 us=271073 status_file = 'openvpn-status.log'
Fri Apr 29 08:27:31 2011 us=271093 status_file_version = 1
Fri Apr 29 08:27:31 2011 us=271112 status_file_update_freq = 60
Fri Apr 29 08:27:31 2011 us=271131 occ = ENABLED
Fri Apr 29 08:27:31 2011 us=271151 rcvbuf = 65536
Fri Apr 29 08:27:31 2011 us=271170 sndbuf = 65536
Fri Apr 29 08:27:31 2011 us=271189 sockflags = 0
Fri Apr 29 08:27:31 2011 us=271208 fast_io = DISABLED
Fri Apr 29 08:27:31 2011 us=271227 lzo = 7
Fri Apr 29 08:27:31 2011 us=271246 route_script = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271265 route_default_gateway = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271284 route_default_metric = 0
Fri Apr 29 08:27:31 2011 us=271303 route_noexec = DISABLED
Fri Apr 29 08:27:31 2011 us=271323 route_delay = 0
Fri Apr 29 08:27:31 2011 us=271342 route_delay_window = 30
Fri Apr 29 08:27:31 2011 us=271361 route_delay_defined = DISABLED
Fri Apr 29 08:27:31 2011 us=271381 route_nopull = DISABLED
Fri Apr 29 08:27:31 2011 us=271400 route_gateway_via_dhcp = DISABLED
Fri Apr 29 08:27:31 2011 us=271420 max_routes = 100
Fri Apr 29 08:27:31 2011 us=271439 allow_pull_fqdn = DISABLED
Fri Apr 29 08:27:31 2011 us=271459 management_addr = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271478 management_port = 0
Fri Apr 29 08:27:31 2011 us=271497 management_user_pass = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271517 management_log_history_cache = 250
Fri Apr 29 08:27:31 2011 us=271537 management_echo_buffer_size = 100
Fri Apr 29 08:27:31 2011 us=271557 management_write_peer_info_file = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271577 management_client_user = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271596 management_client_group = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271616 management_flags = 0
Fri Apr 29 08:27:31 2011 us=271635 shared_secret_file = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271655 key_direction = 1
Fri Apr 29 08:27:31 2011 us=271674 ciphername_defined = ENABLED
Fri Apr 29 08:27:31 2011 us=271693 ciphername = 'BF-CBC'
Fri Apr 29 08:27:31 2011 us=271712 authname_defined = ENABLED
Fri Apr 29 08:27:31 2011 us=271732 authname = 'SHA1'
Fri Apr 29 08:27:31 2011 us=271751 prng_hash = 'SHA1'
Fri Apr 29 08:27:31 2011 us=271771 prng_nonce_secret_len = 16
Fri Apr 29 08:27:31 2011 us=271791 keysize = 0
Fri Apr 29 08:27:31 2011 us=271810 engine = DISABLED
Fri Apr 29 08:27:31 2011 us=271830 replay = ENABLED
Fri Apr 29 08:27:31 2011 us=271849 mute_replay_warnings = DISABLED
Fri Apr 29 08:27:31 2011 us=271869 replay_window = 64
Fri Apr 29 08:27:31 2011 us=271889 replay_time = 15
Fri Apr 29 08:27:31 2011 us=271908 packet_id_file = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=271927 use_iv = ENABLED
Fri Apr 29 08:27:31 2011 us=271947 test_crypto = DISABLED
Fri Apr 29 08:27:31 2011 us=271966 tls_server = ENABLED
Fri Apr 29 08:27:31 2011 us=271986 tls_client = DISABLED
Fri Apr 29 08:27:31 2011 us=272005 key_method = 2
Fri Apr 29 08:27:31 2011 us=272025 ca_file = 'ca.crt'
Fri Apr 29 08:27:31 2011 us=272045 ca_path = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=272064 dh_file = 'dh2048.pem'
Fri Apr 29 08:27:31 2011 us=272084 cert_file = 'server.crt'
Fri Apr 29 08:27:31 2011 us=272103 priv_key_file = 'server.key'
Fri Apr 29 08:27:31 2011 us=272137 pkcs12_file = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=272158 cipher_list = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=272177 tls_verify = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=272197 tls_remote = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=272216 crl_file = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=272236 ns_cert_type = 0
Fri Apr 29 08:27:31 2011 us=272256 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272277 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272296 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272316 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272335 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272355 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272375 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272394 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272413 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272433 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272452 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272472 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272491 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272511 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272530 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272550 remote_cert_ku[i] = 0
Fri Apr 29 08:27:31 2011 us=272569 remote_cert_eku = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=272589 tls_timeout = 2
Fri Apr 29 08:27:31 2011 us=272608 renegotiate_bytes = 0
Fri Apr 29 08:27:31 2011 us=272627 renegotiate_packets = 0
Fri Apr 29 08:27:31 2011 us=272647 renegotiate_seconds = 3600
Fri Apr 29 08:27:31 2011 us=272667 handshake_window = 60
Fri Apr 29 08:27:31 2011 us=272687 transition_window = 3600
Fri Apr 29 08:27:31 2011 us=272706 single_session = DISABLED
Fri Apr 29 08:27:31 2011 us=272725 tls_exit = DISABLED
Fri Apr 29 08:27:31 2011 us=272744 tls_auth_file = 'ta.key'
Fri Apr 29 08:27:31 2011 us=272764 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272783 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272803 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272822 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272841 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272861 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272880 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272899 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272919 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272938 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272957 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272977 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=272996 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=273015 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=273034 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=273054 pkcs11_protected_authentication = DISABLED
Fri Apr 29 08:27:31 2011 us=273075 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273095 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273115 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273134 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273154 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273174 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273193 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273212 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273232 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273251 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273271 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273290 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273310 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273345 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273365 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273386 pkcs11_private_mode = 00000000
Fri Apr 29 08:27:31 2011 us=273405 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273425 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273444 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273463 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273483 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273502 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273521 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273540 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273559 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273578 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273598 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273617 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273636 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273655 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273674 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273693 pkcs11_cert_private = DISABLED
Fri Apr 29 08:27:31 2011 us=273713 pkcs11_pin_cache_period = -1
Fri Apr 29 08:27:31 2011 us=273732 pkcs11_id = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=273763 pkcs11_id_management = DISABLED
Fri Apr 29 08:27:31 2011 us=273795 server_network = 10.8.0.0
Fri Apr 29 08:27:31 2011 us=273819 server_netmask = 255.255.255.0
Fri Apr 29 08:27:31 2011 us=273841 server_bridge_ip = 0.0.0.0
Fri Apr 29 08:27:31 2011 us=273863 server_bridge_netmask = 0.0.0.0
Fri Apr 29 08:27:31 2011 us=273885 server_bridge_pool_start = 0.0.0.0
Fri Apr 29 08:27:31 2011 us=273906 server_bridge_pool_end = 0.0.0.0
Fri Apr 29 08:27:31 2011 us=273926 push_entry = 'route-gateway 10.8.0.1'
Fri Apr 29 08:27:31 2011 us=273945 push_entry = 'topology subnet'
Fri Apr 29 08:27:31 2011 us=273964 push_entry = 'ping 10'
Fri Apr 29 08:27:31 2011 us=273984 push_entry = 'ping-restart 120'
Fri Apr 29 08:27:31 2011 us=274003 ifconfig_pool_defined = ENABLED
Fri Apr 29 08:27:31 2011 us=274025 ifconfig_pool_start = 10.8.0.2
Fri Apr 29 08:27:31 2011 us=274047 ifconfig_pool_end = 10.8.0.253
Fri Apr 29 08:27:31 2011 us=274069 ifconfig_pool_netmask = 255.255.255.0
Fri Apr 29 08:27:31 2011 us=274088 ifconfig_pool_persist_filename = 'ipp.txt'
Fri Apr 29 08:27:31 2011 us=274108 ifconfig_pool_persist_refresh_freq = 600
Fri Apr 29 08:27:31 2011 us=274127 n_bcast_buf = 256
Fri Apr 29 08:27:31 2011 us=274147 tcp_queue_limit = 64
Fri Apr 29 08:27:31 2011 us=274166 real_hash_size = 256
Fri Apr 29 08:27:31 2011 us=274185 virtual_hash_size = 256
Fri Apr 29 08:27:31 2011 us=274205 client_connect_script = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274224 learn_address_script = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274243 client_disconnect_script = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274263 client_config_dir = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274282 ccd_exclusive = DISABLED
Fri Apr 29 08:27:31 2011 us=274301 tmp_dir = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274320 push_ifconfig_defined = DISABLED
Fri Apr 29 08:27:31 2011 us=274342 push_ifconfig_local = 0.0.0.0
Fri Apr 29 08:27:31 2011 us=274363 push_ifconfig_remote_netmask = 0.0.0.0
Fri Apr 29 08:27:31 2011 us=274383 enable_c2c = DISABLED
Fri Apr 29 08:27:31 2011 us=274402 duplicate_cn = DISABLED
Fri Apr 29 08:27:31 2011 us=274422 cf_max = 0
Fri Apr 29 08:27:31 2011 us=274441 cf_per = 0
Fri Apr 29 08:27:31 2011 us=274461 max_clients = 1024
Fri Apr 29 08:27:31 2011 us=274480 max_routes_per_client = 256
Fri Apr 29 08:27:31 2011 us=274500 auth_user_pass_verify_script = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274520 auth_user_pass_verify_script_via_file = DISABLED
Fri Apr 29 08:27:31 2011 us=274539 ssl_flags = 0
Fri Apr 29 08:27:31 2011 us=274559 port_share_host = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274578 port_share_port = 0
Fri Apr 29 08:27:31 2011 us=274612 client = DISABLED
Fri Apr 29 08:27:31 2011 us=274633 pull = DISABLED
Fri Apr 29 08:27:31 2011 us=274652 auth_user_pass_file = '[UNDEF]'
Fri Apr 29 08:27:31 2011 us=274676 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Fri Apr 29 08:27:31 2011 us=275083 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing c$
Fri Apr 29 08:27:31 2011 us=275121 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Apr 29 08:27:31 2011 us=477633 Diffie-Hellman initialized with 2048 bit key
Fri Apr 29 08:27:31 2011 us=478961 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Fri Apr 29 08:27:31 2011 us=758417 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Apr 29 08:27:31 2011 us=758539 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 29 08:27:31 2011 us=758569 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 29 08:27:31 2011 us=758628 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Apr 29 08:27:31 2011 us=762334 TUN/TAP device tun0 opened
Fri Apr 29 08:27:31 2011 us=762452 TUN/TAP TX queue length set to 100
Fri Apr 29 08:27:31 2011 us=762532 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Fri Apr 29 08:27:31 2011 us=768818 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 29 08:27:31 2011 us=774608 GID set to nogroup
Fri Apr 29 08:27:31 2011 us=774732 UID set to nobody
Fri Apr 29 08:27:31 2011 us=774794 Socket Buffers: R=[114688->131072] S=[114688->131072]
Fri Apr 29 08:27:31 2011 us=774848 UDPv4 link local (bound): [AF_INET]192.168.1.139:1193
Fri Apr 29 08:27:31 2011 us=774871 UDPv4 link remote: [undef]
Fri Apr 29 08:27:31 2011 us=774907 MULTI: multi_init called, r=256 v=256
Fri Apr 29 08:27:31 2011 us=775109 IFCONFIG POOL: base=10.8.0.2 size=252
Fri Apr 29 08:27:31 2011 us=775186 IFCONFIG POOL LIST
Fri Apr 29 08:27:31 2011 us=775212 portable1,10.8.0.2
Fri Apr 29 08:27:31 2011 us=775275 Initialization Sequence Completed
I think that is everything and it should answer both of your questions. I hope. Thank you again for your assistance.
Mike
Re: ubuntu server 10.10 and Openvpn
Posted: Fri Apr 29, 2011 8:54 pm
by janjust
So the first client that connects is assigned the address 10.8.0.2, right?
Is it allowed to ping the server VPN address, i.e. 10.8.0.1?
Your firewall looks complicated and I did not read it very carefully; for debugging purposes, try adding
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
This will temporarily allow all traffic going in and out of the tun adapter; can you now access the shares on '\\10.8.0.1'?
Re: ubuntu server 10.10 and Openvpn
Posted: Fri Apr 29, 2011 9:33 pm
by machine
Correct, the first client is given the address 10.8.0.2.
I can ping 10.8.0.1, although sometimes one of the four packets will not make it through.
I added the iptables settings you specified.
No change.
Re: ubuntu server 10.10 and Openvpn
Posted: Sat Apr 30, 2011 2:05 pm
by maikcat
hi there,
I suggest temporarily disabling the firewall for testing purposes.
From your LAN, can you access the shares?
PS: keep in mind that you need to open ports 137, 138, 139 and 445 for SMB to work.
Michael.
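The port list in Michael's note can be checked against the ufw listing machine posted earlier. The following is an added example (my code, not from anyone in the thread and not from ufw or iptables) that parses plain 'iptables -L' output, follows user-chain jumps from INPUT and reports whether an ACCEPT rule naming each of the four SMB ports is reachable. The listing embedded in it is a constructed excerpt of the one posted above. Two simplifications are deliberate: first-match rule order is not modelled, only the presence of a rule, and a port-less 'ACCEPT all' is not counted because 'iptables -L' without -v hides the interface restriction such rules usually carry.

```python
"""Audit 'iptables -L' output for the four SMB ports, following chain jumps from INPUT.

Added example for this thread; not code from the posters or from ufw/iptables.
IPTABLES_L is a constructed excerpt of the listing posted in the thread.
"""
import re

# Constructed excerpt of the 'iptables -L' output from the thread (most chains omitted).
IPTABLES_L = """Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ufw-user-input all -- anywhere anywhere
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:1193
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
"""

# The ports maikcat lists, keyed as (proto, port) -> service name, because 'iptables -L'
# without -n prints names from /etc/services instead of numbers.
SMB_PORTS = {("udp", "137"): "netbios-ns", ("udp", "138"): "netbios-dgm",
             ("tcp", "139"): "netbios-ssn", ("tcp", "445"): "microsoft-ds"}


def parse_chains(listing):
    """Parse 'iptables -L' text into {chain: [(target, proto, match_text), ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target "):
            parts = line.split(None, 5)  # target prot opt source destination [matches]
            chains[current].append((parts[0], parts[1], parts[5] if len(parts) > 5 else ""))
    return chains


def reachable_chains(chains, start="INPUT"):
    """Chains a packet entering `start` can be jumped into (user chains named as targets)."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in chains and name not in seen:
            seen.add(name)
            stack.extend(t for t, _, _ in chains[name] if t in chains)
    return seen


def rule_opens_port(rule, proto, names):
    """True if `rule` is an ACCEPT whose 'dpt:' or multiport 'dports' match names this port."""
    target, rproto, match = rule
    if target != "ACCEPT" or rproto not in (proto, "all"):
        return False
    m = re.search(r"dpt:(\S+)", match)
    if m:
        return m.group(1) in names
    m = re.search(r"dports (\S+)", match)
    if m:
        return bool(set(m.group(1).split(",")) & names)
    # A port-less ACCEPT ('ACCEPT all -- anywhere anywhere') may be limited to one
    # interface (-i lo), which plain 'iptables -L' hides; use 'iptables -L -v -n' to see it.
    return False


def smb_port_status(listing):
    """Map each SMB (proto, port) to True if some ACCEPT reachable from INPUT names it.

    Simplification: first-match rule order is not modelled, only the presence of a rule."""
    chains = parse_chains(listing)
    rules = [r for c in reachable_chains(chains) for r in chains[c]]
    return {key: any(rule_opens_port(r, key[0], {key[1], svc}) for r in rules)
            for key, svc in SMB_PORTS.items()}


if __name__ == "__main__":
    for (proto, port), is_open in sorted(smb_port_status(IPTABLES_L).items()):
        print(f"{proto}/{port}: {'ACCEPT rule found' if is_open else 'no ACCEPT rule reachable from INPUT'}")
```

Run against the thread's listing it reports all four ports as having a reachable ACCEPT (the 'dapp_Samba' rules in ufw-user-input), which is why disabling the firewall made no difference here; the rules in ufw-after-input that name the same ports jump to a DROP chain and are correctly not counted. Feed it 'iptables -L -v -n' instead and the service names become numbers, which the port-number keys already cover.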
Re: ubuntu server 10.10 and Openvpn
Posted: Sat Apr 30, 2011 3:12 pm
by machine
Disabled the firewall, and still no luck accessing the shares.
Re: ubuntu server 10.10 and Openvpn
Posted: Sun May 01, 2011 9:19 am
by maikcat
hi there,
I noticed this:
>interfaces = 127.0.0.1/8 192.168.1.100/24 10.8.0.0/24
Try this:
interfaces = 127.0.0.1/8 192.168.1.100/24 10.8.0.1/24
and restart the smb daemons.
Michael.
Re: ubuntu server 10.10 and Openvpn
Posted: Sun May 01, 2011 2:37 pm
by machine
Unfortunately, no change.
Re: ubuntu server 10.10 and Openvpn
Posted: Mon May 02, 2011 5:01 am
by maikcat
hi there,
Besides SMB, do other protocols (ssh) work?
If yes, can you post smb.log as well?
Michael.
Re: ubuntu server 10.10 and Openvpn
Posted: Mon May 02, 2011 11:23 pm
by machine
I use PuTTY to work on the server using sshd, both from my local LAN and over the internet.
smb.log
[2011/05/01 06:37:08.512501, 0] printing/print_cups.c:108(cups_connect)
Unable to connect to CUPS server localhost:631 - Connection refused
[2011/05/01 06:37:08.525809, 0] printing/print_cups.c:108(cups_connect)
Unable to connect to CUPS server localhost:631 - Connection refused
[2011/05/01 06:37:08.526445, 0] smbd/server.c:281(remove_child_pid)
Could not find child 2079 -- ignoring
[2011/05/01 06:37:08.527207, 0] smbd/server.c:281(remove_child_pid)
Could not find child 2084 -- ignoring
[2011/05/01 09:22:53, 0] smbd/server.c:1123(main)
smbd version 3.5.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
[2011/05/01 09:22:53.698160, 0] printing/print_cups.c:108(cups_connect)
Unable to connect to CUPS server localhost:631 - Connection refused
[2011/05/01 09:22:53.704162, 0] printing/print_cups.c:108(cups_connect)
Unable to connect to CUPS server localhost:631 - Connection refused
[2011/05/01 09:22:53.705208, 0] smbd/server.c:1169(main)
standard input is not a socket, assuming -D option
[2011/05/01 09:22:53.707479, 0] lib/pidfile.c:121(pidfile_create)
ERROR: smbd is already running. File /var/run/samba/smbd.pid exists and process id 695 is running.
nmbd.log
[2011/05/01 09:22:58, 0] nmbd/nmbd.c:857(main)
nmbd version 3.5.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
[2011/05/01 09:22:58.998326, 0] nmbd/nmbd.c:885(main)
standard input is not a socket, assuming -D option
[2011/05/01 09:22:59.000943, 0] lib/util_sock.c:880(open_socket_in)
bind failed on port 137 socket_addr = 192.168.1.100.
Error = Cannot assign requested address
[2011/05/01 09:22:59.001399, 0] nmbd/nmbd_subnetdb.c:104(make_subnet)
nmbd_subnetdb:make_subnet()
Failed to open nmb socket on interface 192.168.1.100 for port 137. Error was Cannot assign requested address
[2011/05/01 09:22:59.001458, 0] nmbd/nmbd.c:963(main)
ERROR: Failed when creating subnet lists. Exiting.
Re: ubuntu server 10.10 and Openvpn
Posted: Tue May 03, 2011 6:32 am
by janjust
This is getting off-topic for an OpenVPN list, but I just noticed this:
interfaces = 127.0.0.1/8 192.168.1.100/24 10.8.0.0/24
bind interfaces only = yes
The interfaces you specify should be valid interfaces on the Samba server; as far as I can tell these would be '192.168.1.139' and '10.8.0.1' in your case.
Re: ubuntu server 10.10 and Openvpn
Posted: Tue May 03, 2011 9:35 am
by maikcat
hi there,
Although I noticed and mentioned earlier the change to 10.8.0.1 in the interfaces directive,
I didn't see that the server's LAN IP is 192.168.1.139.
nmb logs the error:
>bind failed on port 137 socket_addr = 192.168.1.100
As janjust said, also change the interfaces entry to 192.168.1.139.
Michael.
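janjust's point (the interfaces entries must name addresses the Samba host really has) and Michael's diagnosis from the nmbd bind error can be turned into a check that catches both mistakes before smbd and nmbd are restarted. The following is an added example (my code, not from anyone in the thread and not from Samba or OpenVPN) that parses the 'interfaces' directive, the host's ifconfig output and nmbd.log, classifies each entry, and proposes a corrected directive. The smb.conf, ifconfig and nmbd.log excerpts embedded in it are constructed from the values quoted in the thread. One assumption is labelled in the code: my reading of Samba's interface parsing is that an 'ip/mask' entry whose ip is the subnet's network or broadcast address is matched to a real interface in that subnet, while any other ip is bound verbatim; that is consistent with nmbd complaining about 192.168.1.100 but not about 10.8.0.0 in the log above.

```python
"""Cross-check Samba's 'interfaces' directive against the addresses the host really has.

Added example for this thread, not code from the posters, Samba or OpenVPN. The smb.conf,
ifconfig and nmbd.log excerpts are constructed from the values quoted in the thread.
"""
import ipaddress
import re

SMB_CONF = """[global]
netbios name = bjvpn
interfaces = 127.0.0.1/8 192.168.1.100/24 10.8.0.0/24
bind interfaces only = yes
"""

IFCONFIG = """eth0 Link encap:Ethernet HWaddr 00:11:09:2d:01:d5
inet addr:192.168.1.139 Bcast:192.168.1.255 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
"""

NMBD_LOG = """[2011/05/01 09:22:59.000943, 0] lib/util_sock.c:880(open_socket_in)
bind failed on port 137 socket_addr = 192.168.1.100.
Error = Cannot assign requested address
"""


def parse_smb_interfaces(conf_text):
    """Return the whitespace-separated values of the 'interfaces' directive."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*interfaces\s*=\s*(.+?)\s*$", line)
        if m:
            return m.group(1).split()
    return []


def parse_ifconfig_addrs(text):
    """Map interface name -> IPv4 address from classic (net-tools) ifconfig output."""
    addrs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+)\s+Link encap", line)
        addr = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", line)
        if head:
            current = head.group(1)
        elif addr and current:
            addrs[current] = addr.group(1)
    return addrs


def check_interfaces(entries, local_addrs):
    """Classify each entry -> (entry, verdict, detail) with verdict ok / subnet / bad.

    Assumption (my reading of Samba's parsing): an 'ip/mask' whose ip is the network or
    broadcast address is matched to a real interface in that subnet; any other ip is bound
    verbatim, so with 'bind interfaces only = yes' it must exist on the host."""
    local_ips = {ipaddress.ip_address(a) for a in local_addrs.values()}
    findings = []
    for entry in entries:
        ip_part, _, mask = entry.partition("/")
        if entry in local_addrs:  # plain interface name such as eth0
            findings.append((entry, "ok", "interface name, address " + local_addrs[entry]))
            continue
        try:
            ip = ipaddress.ip_address(ip_part)
        except ValueError:
            findings.append((entry, "bad", "neither an interface name nor an IP address"))
            continue
        net = ipaddress.ip_network(entry, strict=False) if mask else None
        on_net = sorted(str(a) for a in local_ips if net and a in net)
        if ip in local_ips:
            findings.append((entry, "ok", "address is configured on this host"))
        elif net and ip in (net.network_address, net.broadcast_address) and on_net:
            findings.append((entry, "subnet", "network/broadcast form, resolves to " + on_net[0]))
        else:
            findings.append((entry, "bad", "address not configured on this host; nmbd cannot bind it"))
    return findings


def failed_binds(nmbd_log):
    """Addresses nmbd reported it could not bind, deduplicated in log order."""
    hits = re.findall(r"bind failed on port \d+ socket_addr = (\d+\.\d+\.\d+\.\d+)", nmbd_log)
    return list(dict.fromkeys(hits))


def suggested_interfaces(entries, local_addrs):
    """Rewrite each non-ok ip/mask entry to a host address inside that subnet; keep the rest."""
    local_ips = sorted(ipaddress.ip_address(a) for a in local_addrs.values())
    out = []
    for entry, verdict, _ in check_interfaces(entries, local_addrs):
        mask = entry.partition("/")[2]
        try:
            net = ipaddress.ip_network(entry, strict=False) if verdict != "ok" else None
        except ValueError:
            net = None
        match = next((a for a in local_ips if net and a in net), None)
        out.append(f"{match}/{mask}" if match else entry)
    return " ".join(out)


if __name__ == "__main__":
    entries, local = parse_smb_interfaces(SMB_CONF), parse_ifconfig_addrs(IFCONFIG)
    for entry, verdict, detail in check_interfaces(entries, local):
        print(f"{verdict:6} {entry:18} {detail}")
    print("nmbd could not bind:", failed_binds(NMBD_LOG), "| suggested:", suggested_interfaces(entries, local))
```

On the thread's data the check flags 192.168.1.100/24 as an address the host does not have (the same address nmbd.log reports in its bind failure), classifies 10.8.0.0/24 as a network-address form that resolves to tun0's 10.8.0.1, and proposes 'interfaces = 127.0.0.1/8 192.168.1.139/24 10.8.0.1/24', which is the combination of janjust's and Michael's corrections. Replacing IFCONFIG with the live output of ifconfig (or of 'ip -4 addr', after adjusting the two regexes) makes it a pre-restart sanity check for any host using 'bind interfaces only = yes'.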
Re: ubuntu server 10.10 and Openvpn
Posted: Wed May 04, 2011 4:48 am
by machine
Well, thanks for all your help. It's much appreciated.