openvpn issue on a clone machine
Posted: Tue Nov 15, 2011 5:46 am
I use an openvpn client from my home PC running arch linux to connect to an openvpn server at my workplace, also running arch linux. I have no problems and everything works OK.
I have cloned the hard disk of my home PC and put it in another PC at home. Now when I try to connect from the PC with the cloned hard disk I get the following error. The configuration files and keys are all the same.
Appreciate any help/pointers in solving this problem. The error log and configuration files are given below.
=====
[XXX@YYY openvpn]$ sudo openvpn --config /etc/openvpn/vpn1.conf
Sun Mar 3 22:31:31 2002 OpenVPN 2.1_rc20 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 18 2009
Sun Mar 3 22:31:31 2002 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Mar 3 22:31:31 2002 WARNING: file '/etc/openvpn/keys/host/user.key' is group or others accessible
Sun Mar 3 22:31:31 2002 LZO compression initialized
Sun Mar 3 22:31:31 2002 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Mar 3 22:31:31 2002 TUN/TAP device tap0 opened
Sun Mar 3 22:31:31 2002 TUN/TAP TX queue length set to 100
Sun Mar 3 22:31:31 2002 /sbin/ifconfig tap0 192.168.100.66 netmask 255.255.255.0 mtu 1500 broadcast 192.168.100.255
Sun Mar 3 22:31:31 2002 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Mar 3 22:31:31 2002 Local Options hash (VER=V4): '4bf8e197'
Sun Mar 3 22:31:31 2002 Expected Remote Options hash (VER=V4): '2f06f1e2'
Sun Mar 3 22:31:31 2002 GID set to nobody
Sun Mar 3 22:31:31 2002 UID set to nobody
Sun Mar 3 22:31:31 2002 Socket Buffers: R=[114688->131072] S=[114688->131072]
Sun Mar 3 22:31:31 2002 UDPv4 link local (bound): [undef]:13374
Sun Mar 3 22:31:31 2002 UDPv4 link remote: 125.13.206.170:13374
Sun Mar 3 22:31:31 2002 TLS Error: Unroutable control packet received from 125.13.206.170:13374 (si=3 op=P_ACK_V1)
Sun Mar 3 22:31:33 2002 TLS Error: Unroutable control packet received from 125.13.206.170:13374 (si=3 op=P_ACK_V1)
Sun Mar 3 22:31:35 2002 TLS Error: Unroutable control packet received from 125.13.206.170:13374 (si=3 op=P_ACK_V1)
Sun Mar 3 22:31:37 2002 TLS: Initial packet from 125.13.206.170:13374, sid=3751ddbc 94b5ea5e
Sun Mar 3 22:31:38 2002 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=IN/ST=MH/L=Mumbai/O=Fort/CN=Fort_CA/emailAddress=me@myhost.mydomain
Sun Mar 3 22:31:38 2002 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Mar 3 22:31:38 2002 TLS Error: TLS object -> incoming plaintext read error
Sun Mar 3 22:31:38 2002 TLS Error: TLS handshake failed
Sun Mar 3 22:31:38 2002 TCP/UDP: Closing socket
Sun Mar 3 22:31:38 2002 SIGUSR1[soft,tls-error] received, process restarting
Sun Mar 3 22:31:38 2002 Restart pause, 2 second(s)
Sun Mar 3 22:31:40 2002 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Mar 3 22:31:40 2002 Re-using SSL/TLS context
Sun Mar 3 22:31:40 2002 LZO compression initialized
Sun Mar 3 22:31:40 2002 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Mar 3 22:31:40 2002 Preserving previous TUN/TAP instance: tap0
Sun Mar 3 22:31:40 2002 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Mar 3 22:31:40 2002 Local Options hash (VER=V4): '4bf8e197'
Sun Mar 3 22:31:40 2002 Expected Remote Options hash (VER=V4): '2f06f1e2'
Sun Mar 3 22:31:40 2002 Socket Buffers: R=[114688->131072] S=[114688->131072]
Sun Mar 3 22:31:40 2002 UDPv4 link local (bound): [undef]:13374
Sun Mar 3 22:31:40 2002 UDPv4 link remote: 125.13.206.170:13374
Sun Mar 3 22:31:40 2002 TLS Error: Unroutable control packet received from 125.13.206.170:13374 (si=3 op=P_CONTROL_V1)
Sun Mar 3 22:31:40 2002 TLS: Initial packet from 125.13.206.170:13374, sid=73797886 e4db215e
Sun Mar 3 22:31:41 2002 TLS Error: Unroutable control packet received from 125.13.206.170:13374 (si=3 op=P_CONTROL_V1)
Sun Mar 3 22:31:41 2002 event_wait : Interrupted system call (code=4)
Sun Mar 3 22:31:41 2002 TCP/UDP: Closing socket
Sun Mar 3 22:31:41 2002 Closing TUN/TAP interface
Sun Mar 3 22:31:41 2002 /sbin/ifconfig tap0 0.0.0.0
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Sun Mar 3 22:31:41 2002 Linux ip addr del failed: external program exited with error status: 255
Sun Mar 3 22:31:42 2002 SIGINT[hard,] received, process exiting
============================
The client config file is below -
#/etc/openvpn/vpn1.conf
#
# Sample OpenVPN server configuration file
# using a pre-shared static key.
#
# See man openvpn for more configuration options.
# (the config file options are the same as the commandline switches)
#
# '#' or ';' may be used to delimit comments.
# below ip address is of the office
remote 125.13.206.170
ifconfig 192.168.100.66 255.255.255.0
# Define the virtual ethernet device.
dev tap0
# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-client
ns-cert-type server
# Certificate Authority file
ca /etc/openvpn/keys/host/ca.crt
# Our certificate/public key
cert /etc/openvpn/keys/host/user.crt
# Our private key
key /etc/openvpn/keys/host/user.key
# OpenVPN uses UDP port 1194 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
port 13374
# Protocol to use; udp is the default for good reason.
# Alternative is 'tcp-server' (with 'tcp-client' on the other side of the line)
# which can be useful in certain situations or behind certain firewalls.
proto udp
# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
user nobody
group nobody
# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
comp-lzo
# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# out if you are using a stateful
# firewall.
; ping 15
# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
==========
The server config file is below -
#/etc/openvpn/vpn0.conf
#
# Sample OpenVPN server configuration file
# using a pre-shared static key.
#
# See man openvpn for more configuration options.
# (the config file options are the same as the commandline switches)
#
# '#' or ';' may be used to delimit comments.
# Define the virtual ethernet device.
dev tap0
# Our pre-shared static key
# secret /etc/openvpn/vpn0.key
# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-server
# Diffie-Hellman Parameters (tls-server only)
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Certificate Authority file
ca /etc/openvpn/easy-rsa/keys/ca.crt
# Our certificate/public key
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
# Our private key
key /etc/openvpn/easy-rsa/keys/vpnserver.key
# OpenVPN uses UDP port 1194 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
port 13374
# Protocol to use; udp is the default for good reason.
# Alternative is 'tcp-server' (with 'tcp-client' on the other side of the line)
# which can be useful in certain situations or behind certain firewalls.
; proto udp
# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
user nobody
group nobody
# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
comp-lzo
# push "route 192.168.100.0 255.255.255.0"
# push "route 192.168.200.0 255.255.255.0"
# push "redirect-gateway"
# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# out if you are using a stateful
# firewall.
; ping 15
# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
# Max number of clients that can connect to the VPN Server
#max-clients 10
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files. This is recommended only for testing
# purposes. For production use, each client
# should have its own certificate/key pair.
#duplicate-cn
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
#client-to-client
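The log above carries the check a defender would run first: every line is stamped 2002, yet the first line says the binary was "built on Oct 18 2009", so the cloned machine's clock is behind the CA certificate's start date, which is exactly what "VERIFY ERROR: depth=1, error=certificate is not yet valid" reports. The script below is an added example, not part of the original post: it parses OpenVPN 2.x log stamps, flags a clock that predates the build date, and also picks up the key-file permission warning; the sample lines are copied from the post, the function names are mine.

```python
import re
from datetime import datetime

# Four log lines copied from the post above (constructed sample input for this example).
SAMPLE_LOG = """\
Sun Mar 3 22:31:31 2002 OpenVPN 2.1_rc20 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 18 2009
Sun Mar 3 22:31:31 2002 WARNING: file '/etc/openvpn/keys/host/user.key' is group or others accessible
Sun Mar 3 22:31:38 2002 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=IN/ST=MH/L=Mumbai/O=Fort/CN=Fort_CA/emailAddress=me@myhost.mydomain
Sun Mar 3 22:31:38 2002 TLS Error: TLS handshake failed
"""

# OpenVPN 2.x prefixes each line with a ctime()-style stamp: "Www Mmm d HH:MM:SS YYYY".
STAMP_RE = re.compile(r"^(\w{3}) (\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4}) (.*)$")
BUILD_RE = re.compile(r"built on (\w{3}) +(\d{1,2}) (\d{4})")


def parse_line(line):
    """Return (timestamp, message) for a stamped OpenVPN log line, or None."""
    m = STAMP_RE.match(line)
    if not m:
        return None
    _weekday, mon, day, hms, year, msg = m.groups()
    ts = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return ts, msg


def triage(log_text):
    """Scan a client log and return a list of finding tags, in the order found."""
    findings = []
    clock = build = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if clock is None:
            clock = ts                      # first stamp = wall clock at startup
        b = BUILD_RE.search(msg)
        if b:
            build = datetime.strptime(" ".join(b.groups()), "%b %d %Y")
        if "certificate is not yet valid" in msg:
            findings.append("cert-not-yet-valid")   # peer/CA notBefore is in our future
        if "is group or others accessible" in msg:
            findings.append("key-file-permissions")  # private key readable by others
    # A process cannot legitimately observe a wall clock earlier than its own build date.
    if clock is not None and build is not None and clock < build:
        findings.append("clock-before-build-date")
    return findings


if __name__ == "__main__":
    for tag in triage(SAMPLE_LOG):
        print(tag)
```

When "cert-not-yet-valid" and "clock-before-build-date" appear together, fix the system clock (and the BIOS/RTC on the cloned hardware) before touching the certificates; the permission finding is cleared with chmod 600 on the key file.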