Wrong preconfigurated TUN-Device?
Posted: Wed Aug 24, 2011 1:20 pm
by Mysterion01
Hi all,
my VPS provider uses Linux-vServer for virtualization, so they had to create a TUN device for me that I can use for OpenVPN. But I think there is a bad configuration in the ifconfig and route settings. My provider said I have to configure my server.conf like the one in this tutorial:
http://linux-vserver.org/Frequently_Ask ... a_guest.3F
ifconfig says
tun1459-90 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.1.89 P-t-P:10.0.1.90 Mask:255.255.255.255
UP POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1
RX packets:433 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:22806 (22.8 KB) TX bytes:372 (372.0 B)
Okay, that's the preconfigured TUN device. Now let's take a look at the preconfigured routes:
10.0.1.90 * 255.255.255.255 UH 0 0 0 tun1459-90
10.0.1.86 * 255.255.255.255 UH 0 0 0 *
10.0.1.88 10.0.1.90 255.255.255.252 UG 0 0 0 tun1459-90
10.0.1.84 * 255.255.255.252 UG 0 0 0 *
[...]
According to the Tutorial, I have to use this Option in my server.conf (right?)
server 10.0.1.88 255.255.255.252
But when I try to start OpenVPN, I'm getting this error message:
Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower
Use --help for more information.
Is it a bad route configuration by my provider?
Re: Wrong preconfigurated TUN-Device?
Posted: Wed Aug 24, 2011 1:26 pm
by Mimiko
Re: Wrong preconfigurated TUN-Device?
Posted: Wed Aug 24, 2011 1:46 pm
by Mysterion01
Hi,
Now it starts. I can also connect from my client to the server, but when I try to ping the server's IP from the client (or vice versa) it says that the destination is unreachable.

Re: Wrong preconfigurated TUN-Device?
Posted: Wed Aug 24, 2011 1:57 pm
by Mimiko
Show the OpenVPN server's and client's config files. Show the routes on both ends with the VPN connected. Which version of OpenVPN server are you using?
Re: Wrong preconfigurated TUN-Device?
Posted: Wed Aug 24, 2011 2:16 pm
by Mysterion01
client.conf:
route-method exe
route-delay 2
client
dev tun
proto udp
remote xxxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
client routes while connected to vpn-server:
Code:
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.113 20
10.0.1.89 255.255.255.255 10.0.1.93 10.0.1.94 31
10.0.1.92 255.255.255.252 Auf Verbindung 10.0.1.94 286
10.0.1.94 255.255.255.255 Auf Verbindung 10.0.1.94 286
10.0.1.95 255.255.255.255 Auf Verbindung 10.0.1.94 286
127.0.0.0 255.0.0.0 Auf Verbindung 127.0.0.1 306
127.0.0.1 255.255.255.255 Auf Verbindung 127.0.0.1 306
127.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 306
192.168.2.0 255.255.255.0 Auf Verbindung 192.168.2.113 276
192.168.2.113 255.255.255.255 Auf Verbindung 192.168.2.113 276
192.168.2.255 255.255.255.255 Auf Verbindung 192.168.2.113 276
224.0.0.0 240.0.0.0 Auf Verbindung 127.0.0.1 306
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.2.113 276
224.0.0.0 240.0.0.0 Auf Verbindung 10.0.1.94 286
255.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 306
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.2.113 276
255.255.255.255 255.255.255.255 Auf Verbindung 10.0.1.94 286
server.conf (Server Version OpenVPN 2.1):
ifconfig-noexec
;push "redirect-gateway"
;push "dhcp-option DNS 10.0.1.1"
port 1194
proto udp
dev tun1459-90
ca ca.crt
cert server.crt
key secret.file # This file should be kept secret
dh dh1024.pem
server 10.0.1.88 255.255.255.248
keepalive 10 60
comp-lzo
persist-key
;persist-tun
status openvpn-status.log
verb 4
server routes while a client is connected:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.90 * 255.255.255.255 UH 0 0 0 tun1459-90
10.0.1.86 * 255.255.255.255 UH 0 0 0 *
10.0.1.88 10.0.1.90 255.255.255.252 UG 0 0 0 tun1459-90
10.0.1.84 * 255.255.255.252 UG 0 0 0 *
195.x.x.x * 255.255.255.0 U 0 0 0 eth0
91.x.x.x * 255.255.255.0 U 0 0 0 eth0
default xx.xxxx.nl.alvo 0.0.0.0 UG 0 0 0 eth0
Re: Wrong preconfigurated TUN-Device?
Posted: Thu Aug 25, 2011 5:32 am
by Mimiko
Oh, I see. The mask configured on the tun device is 252. Then your server config must contain:
Code:
topology subnet
server 10.0.1.88 255.255.255.252
Also read this thread:
topic8538.html, especially page 4 for external links.
Re: Wrong preconfigurated TUN-Device?
Posted: Thu Aug 25, 2011 7:45 am
by janjust
almost correct, mimiko
the server is configured using
server 10.0.1.88 255.255.255.248
when subnetting rules for 255.255.255.248 are applied this boils down to a subnet which
* starts at 10.0.1.80
* ends at 10.0.1.96
* provides 14 addresses
the server is configured at a boundary address - I'd suggest to change the server line to
as I am getting the impression that OpenVPN did something funny to the network masks. There should have been a server route
Code:
10.0.1.88 10.0.1.90 255.255.255.248 UG 0 0 0 tun1459-90
(note the .248!)
Re: Wrong preconfigurated TUN-Device?
Posted: Thu Aug 25, 2011 7:52 am
by Mimiko
Thanks janjust. I also thought about using the 248 mask correctly, but as I understood it, the IP and the 252 mask of the TUN adapter were set by the admins beforehand, so they can't be changed by the user.
Re: Wrong preconfigurated TUN-Device?
Posted: Thu Aug 25, 2011 6:13 pm
by Mysterion01
It works now!
This is my server.conf
ifconfig-noexec
push "redirect-gateway"
;push "dhcp-option DNS 10.0.1.1"
port 1194
proto udp
dev tun1459-90
ca /etc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/examples/easy-rsa/2.0/keys/server.key # This file should be kept secret
dh /etc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
topology subnet
server 10.0.1.88 255.255.255.248
keepalive 10 60
comp-lzo
persist-key
;persist-tun
status openvpn-status.log
verb 4
Thanks for your help!
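
Added example, not written by any poster in this thread: a Python sketch that works out the address range a `server <network> <netmask>` line names and checks it against the addresses and route a provider has preconfigured on the TUN device. The function names are hypothetical, the /29 limit is taken from the error message quoted in the first post, and the sample values are copied from the ifconfig, route and config output posted above.

```python
import ipaddress

def pool_facts(network, netmask):
    """Bounds and size of the range named by `server <network> <netmask>`."""
    iface = ipaddress.ip_interface(f"{network}/{netmask}")
    net = iface.network  # the given address masked down to its network address
    return {
        "prefix": net.prefixlen,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "size": net.num_addresses,
        "aligned": iface.ip == net.network_address,
    }

def check_server_line(network, netmask, tun_local, tun_peer):
    """Findings for a `server` line used on a TUN device someone else preconfigured."""
    facts = pool_facts(network, netmask)
    net = ipaddress.ip_network(f"{facts['first']}/{facts['prefix']}")
    findings = []
    if facts["prefix"] > 29:
        # Limit as stated in the "Options error" message quoted in the first post.
        findings.append("mask narrower than /29: rejected with --dev tun")
    if not facts["aligned"]:
        findings.append(f"{network} is not the network address for {netmask}")
    for label, addr in (("local", tun_local), ("peer", tun_peer)):
        if ipaddress.ip_address(addr) not in net:
            findings.append(f"TUN {label} address {addr} lies outside the pool")
    return findings

def covered_by(addr, route_dest, route_mask):
    """True if addr matches a routing-table entry given as destination + genmask."""
    route = ipaddress.ip_network(f"{route_dest}/{route_mask}", strict=False)
    return ipaddress.ip_address(addr) in route

if __name__ == "__main__":
    # Sample values copied from the output posted in the thread.
    print(pool_facts("10.0.1.88", "255.255.255.248"))
    print(check_server_line("10.0.1.88", "255.255.255.252", "10.0.1.89", "10.0.1.90"))
    print(check_server_line("10.0.1.88", "255.255.255.248", "10.0.1.89", "10.0.1.90"))
    # Client address from the Windows route table vs. the server's preset /30 route.
    print(covered_by("10.0.1.94", "10.0.1.88", "255.255.255.252"))
```

`covered_by` is the check to run for every address a client is handed: compare it with each route the provider installed on the server's TUN device before testing with ping.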