Need help configuring your VPN? Just post here and you'll get that help.
Moderators: TinCanTech
s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 12:39 pm
Because we have only 3 open ports on our network, we want to use OpenVPN.
We used Webmin to install and configure OpenVPN using this guide (http://www.frontiernet.net/~beakmyn/vpn ... Guide.html).
Server config
port 443
proto udp
dev tun0
ca keys/hadoop_vpn/ca.crt
cert keys/hadoop_vpn/serverkey.crt
key keys/hadoop_vpn/serverkey.key
dh keys/hadoop_vpn/dh1024.pem
server 10.8.0.0 255.255.255.0
crl-verify keys/hadoop_vpn/crl.pem
ifconfig-pool-persist servers/Hadoop_VPN/logs/ipp.txt
tls-auth servers/Hadoop_VPN/ta.key 0
cipher DES-CFB
user nobody
group adm
status servers/Hadoop_VPN/logs/openvpn-status.log
log-append servers/Hadoop_VPN/logs/openvpn.log
verb 2
mute 20
max-clients 10
keepalive 10 120
client-config-dir /etc/openvpn/servers/Hadoop_VPN/ccd
tls-server
comp-lzo
persist-key
persist-tun
ccd-exclusive
Client config
client
proto udp
dev tun
ca ca.crt
dh dh1024.pem
cert clientkey_sander.crt
key clientkey_sander.key
remote xxx.xxx.xxx.xxx 443
tls-auth ta.key 1
cipher DES-CFB
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
Server log
Fri Dec 30 13:18:53 2011 event_wait : Interrupted system call (code=4)
Fri Dec 30 13:18:53 2011 TCP/UDP: Closing socket
RTNETLINK answers: Operation not permitted
Fri Dec 30 13:18:53 2011 ERROR: Linux route delete command failed: external program exited with error status: 2
Fri Dec 30 13:18:53 2011 Closing TUN/TAP interface
Fri Dec 30 13:18:53 2011 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Fri Dec 30 13:18:53 2011 Linux ip addr del failed: external program exited with error status: 2
Fri Dec 30 13:18:53 2011 SIGTERM[hard,] received, process exiting
Fri Dec 30 13:18:55 2011 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Fri Dec 30 13:18:55 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 30 13:18:55 2011 WARNING: file 'keys/hadoop_vpn/serverkey.key' is group or others accessible
Fri Dec 30 13:18:55 2011 WARNING: file 'servers/Hadoop_VPN/ta.key' is group or others accessible
Fri Dec 30 13:18:55 2011 Control Channel Authentication: using 'servers/Hadoop_VPN/ta.key' as a OpenVPN static key file
Fri Dec 30 13:18:55 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 30 13:18:55 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 30 13:18:55 2011 TLS-Auth MTU parms [ L:1539 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 30 13:18:55 2011 TUN/TAP device tun0 opened
Fri Dec 30 13:18:55 2011 /sbin/ip link set dev tun0 up mtu 1500
Fri Dec 30 13:18:55 2011 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Fri Dec 30 13:18:55 2011 Data Channel MTU parms [ L:1539 D:1450 EF:39 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 30 13:18:55 2011 GID set to adm
Fri Dec 30 13:18:55 2011 UID set to nobody
Fri Dec 30 13:18:55 2011 UDPv4 link local (bound): [undef]:443
Fri Dec 30 13:18:55 2011 UDPv4 link remote: [undef]
Fri Dec 30 13:18:55 2011 Initialization Sequence Completed
Client log
Fri Dec 30 13:37:33 2011 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Fri Dec 30 13:37:33 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 30 13:37:33 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Dec 30 13:37:38 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Dec 30 13:37:38 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Dec 30 13:37:38 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 30 13:37:38 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 30 13:37:38 2011 LZO compression initialized
Fri Dec 30 13:37:38 2011 Control Channel MTU parms [ L:1539 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 30 13:37:38 2011 Data Channel MTU parms [ L:1539 D:1450 EF:39 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 30 13:37:38 2011 Local Options hash (VER=V4): 'f8941acb'
Fri Dec 30 13:37:38 2011 Expected Remote Options hash (VER=V4): '2cc7a368'
Fri Dec 30 13:37:38 2011 UDPv4 link local: [undef]
Fri Dec 30 13:37:38 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:443
When I try to connect with the Windows client, it asks for my password, but the state stays at "connecting".
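As an added example (not code from the thread or from OpenVPN), a POSIX shell lint for the two configs above. It flags the points the rest of the thread turns on: the DES data-channel cipher (single DES has a 56-bit key; the working config at the end of the thread uses AES-128-CBC), the `dh` directive in the client config (a TLS-server-only option), the missing `remote-cert-tls server` / `ns-cert-type server` that produces the "No server certificate verification method has been enabled" warning in the client log, and a server/client mismatch in `proto` or `tls-auth` key direction. The two configs are embedded as constructed input so it runs offline; the tcp/udp mismatch case is constructed for the example, not taken from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an OpenVPN server/client config
# pair for the problems visible in the posts above. Constructed input: the two
# configs from the first post, written to temp files so the script runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_CONF=$WORK/server.conf
CLIENT_CONF=$WORK/client.conf

cat >"$SERVER_CONF" <<'EOF'
port 443
proto udp
dev tun0
ca keys/hadoop_vpn/ca.crt
cert keys/hadoop_vpn/serverkey.crt
key keys/hadoop_vpn/serverkey.key
dh keys/hadoop_vpn/dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth servers/Hadoop_VPN/ta.key 0
cipher DES-CFB
tls-server
EOF

cat >"$CLIENT_CONF" <<'EOF'
client
proto udp
dev tun
ca ca.crt
dh dh1024.pem
cert clientkey_sander.crt
key clientkey_sander.key
remote xxx.xxx.xxx.xxx 443
tls-auth ta.key 1
cipher DES-CFB
EOF

# directive CONF NAME [FIELD] -> value of the first NAME directive (field 2 by default)
directive() {
    awk -v name="$2" -v f="${3:-2}" '$1 == name { print $f; exit }' "$1"
}

# audit_openvpn_conf CONF ROLE -> one finding per line; returns 1 if there were any.
# ROLE is "server" or "client".
audit_openvpn_conf() {
    conf=$1
    role=$2
    bad=0
    cipher=$(directive "$conf" cipher)
    # DES-EDE* is 3DES (legacy 64-bit block); any other DES-* is single DES (56-bit key).
    case $cipher in
        DES-EDE*) echo "$conf: legacy cipher '$cipher'; use AES-128-CBC or stronger"; bad=1 ;;
        DES-*)    echo "$conf: weak cipher '$cipher' (56-bit key); use AES-128-CBC or stronger"; bad=1 ;;
    esac
    if [ "$role" = client ]; then
        # --dh is a TLS-server-only option; on a client it is dead configuration.
        if [ -n "$(directive "$conf" dh)" ]; then
            echo "$conf: 'dh' is a server-only directive; remove it from the client"; bad=1
        fi
        # Without one of these, any certificate this CA ever signed (another client's,
        # say) is accepted as the server. This is the client log's "No server
        # certificate verification method has been enabled" warning.
        if [ "$(directive "$conf" remote-cert-tls)" != server ] &&
           [ "$(directive "$conf" ns-cert-type)" != server ]; then
            echo "$conf: add 'remote-cert-tls server' (or 'ns-cert-type server' on 2.1/2.2)"; bad=1
        fi
    fi
    return $bad
}

# audit_openvpn_pair SERVER_CONF CLIENT_CONF -> returns 1 if the two sides cannot talk
audit_openvpn_pair() {
    bad=0
    sproto=$(directive "$1" proto | sed 's/-server$//; s/-client$//')
    cproto=$(directive "$2" proto | sed 's/-server$//; s/-client$//')
    if [ "${sproto:-udp}" != "${cproto:-udp}" ]; then
        echo "proto mismatch: server '${sproto:-udp}', client '${cproto:-udp}' (a tcp server never sees udp clients)"; bad=1
    fi
    # tls-auth key direction must be 0 on one side and 1 on the other (or omitted on both)
    sdir=$(directive "$1" tls-auth 3)
    cdir=$(directive "$2" tls-auth 3)
    if [ -n "$sdir$cdir" ] && [ "$sdir" = "$cdir" ]; then
        echo "tls-auth direction mismatch: server '$sdir', client '$cdir' (expected 0 and 1)"; bad=1
    fi
    return $bad
}

audit_openvpn_conf "$SERVER_CONF" server || :
audit_openvpn_conf "$CLIENT_CONF" client || :
audit_openvpn_pair "$SERVER_CONF" "$CLIENT_CONF" && echo "pair: proto and tls-auth direction agree"
```

Run against the posted configs it reports one finding for the server (the cipher) and three for the client (cipher, `dh`, no server-certificate check), and passes the pair check; swap the server to `proto tcp-server` while the client stays on udp and the pair check fails, which is the situation the `lsof` output later in the thread (OpenVPN listening on TCP) would produce against a udp client.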

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Fri Dec 30, 2011 12:55 pm
Hi there,
first
>cipher DES-CFB
better go along with Blowfish...
Is the password you mention the one you protected your key with?
user verb 5 on server
Did you configure the CentOS firewall to accept OpenVPN packets?
What is the output of the sestatus command on the server?
With verb 5, if you don't see any messages below the "Initialization Sequence Completed"
line, you simply don't reach your server...
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
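Michael's heuristic above (nothing logged after "Initialization Sequence Completed" means no client packets are reaching the server) as a script, added here and not part of the post or of OpenVPN: it classifies a verb 5 server log by what follows the last startup marker. The sample logs are constructed for the example (the quiet one mirrors the log posted in the thread; 203.0.113.10 is a documentation address); the message fragments matched are OpenVPN's own log strings.

```shell
#!/bin/sh
# Added example, not from the thread: classify an OpenVPN server log (verb 5)
# by what is logged after its last "Initialization Sequence Completed" line.
# Sample logs are constructed; the quiet one mirrors the log posted above.

# diagnose_openvpn_log LOGFILE -> one line of diagnosis
diagnose_openvpn_log() {
    awk '
        /Initialization Sequence Completed/ {
            # a (re)start resets what we have seen
            started = 1; reached = hmac = tls = connected = 0; next
        }
        !started { next }
        /TLS: Initial packet from/                         { reached = 1;   next }
        /TLS Error: incoming packet authentication failed/ { hmac = 1;      next }
        /VERIFY ERROR|TLS handshake failed|TLS key negotiation failed/ { tls = 1; next }
        /Peer Connection Initiated/                        { connected = 1; next }
        END {
            if (!started)       print "server never finished initialising: fix the config errors logged before this point"
            else if (connected) print "client connected: a tunnel came up, look after this line for data-channel problems"
            else if (hmac)      print "packets arrive but fail tls-auth: ta.key differs or both sides use the same key-direction"
            else if (tls)       print "packets arrive but the TLS handshake fails: CA/certificate mismatch or the handshake timed out"
            else if (reached)   print "client reached the server and started TLS but never completed it"
            else                print "no client packets reached the server: check the port and protocol (udp vs tcp) are forwarded and match the client"
        }' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1) what the thread shows: startup completes and nothing follows
cat >"$WORK/quiet.log" <<'EOF'
Fri Dec 30 14:28:00 2011 us=933147 GID set to adm
Fri Dec 30 14:28:00 2011 us=933281 UID set to nobody
Fri Dec 30 14:28:00 2011 us=933347 UDPv4 link local (bound): [undef]:443
Fri Dec 30 14:28:00 2011 us=933719 Initialization Sequence Completed
EOF

# 2) constructed: packets arrive but the static tls-auth key does not match
cat >"$WORK/hmac.log" <<'EOF'
Fri Dec 30 14:28:00 2011 us=933719 Initialization Sequence Completed
Fri Dec 30 14:29:10 2011 us=102871 TLS Error: incoming packet authentication failed from 203.0.113.10:51000
EOF

# 3) constructed: a handshake that completes
cat >"$WORK/ok.log" <<'EOF'
Fri Dec 30 14:28:00 2011 us=933719 Initialization Sequence Completed
Fri Dec 30 14:29:10 2011 us=102233 TLS: Initial packet from 203.0.113.10:51000, sid=1a2b3c4d 5e6f7a8b
Fri Dec 30 14:29:11 2011 us=554102 203.0.113.10:51000 [sander] Peer Connection Initiated with 203.0.113.10:51000
EOF

for name in quiet hmac ok; do
    printf '%s: %s\n' "$name" "$(diagnose_openvpn_log "$WORK/$name.log")"
done
```

The point of the ordering in END is that "connected" wins over any earlier error, and an HMAC failure wins over a handshake failure, because a tls-auth mismatch drops the packet before the TLS layer ever sees it.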

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 1:05 pm
maikcat wrote: Hi there,
first
>cipher DES-CFB
better go along with Blowfish...
Why Blowfish?
maikcat wrote:
Is the password you mention the one you protected your key with?
Yes, it is the password I've protected my key with.
maikcat wrote:
user verb 5 on server
What do you mean by "user verb 5 on server"?
maikcat wrote:
Did you configure the CentOS firewall to accept OpenVPN packets?
The iptables service is stopped, so I suppose it accepts OpenVPN packets?
Or is there another firewall on CentOS I don't know about?
maikcat wrote:
What is the output of the sestatus command on the server?
SELinux status: disabled

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Fri Dec 30, 2011 1:21 pm
>Why Blowfish?
Blowfish (which is the default) is far better than DES...
At least use DES-CBC if you want DES..
>What do you mean by "user verb 5 on server"
My fault, a typo; I meant use verb 5 on server, just add
verb 5
to your server config..
AFAIK there are 2 things you must check: SELinux status (in your case it is disabled)
and iptables (also disabled).
Use verb 5 and post logs...
Michael.

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 1:29 pm
maikcat wrote: >Why Blowfish?
Blowfish (which is the default) is far better than DES...
At least use DES-CBC if you want DES..
>What do you mean by "user verb 5 on server"
My fault, a typo; I meant use verb 5 on server, just add
verb 5
to your server config..
AFAIK there are 2 things you must check: SELinux status (in your case it is disabled)
and iptables (also disabled).
Use verb 5 and post logs...
Michael.
Okay, changed from verb 2 to verb 5.
SELinux is already disabled and iptables as well, so that shouldn't be a problem, right?
New log:
Fri Dec 30 14:27:58 2011 us=865215 event_wait : Interrupted system call (code=4)
Fri Dec 30 14:27:58 2011 us=865623 TCP/UDP: Closing socket
Fri Dec 30 14:27:58 2011 us=865705 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Fri Dec 30 14:27:58 2011 us=868177 ERROR: Linux route delete command failed: external program exited with error status: 2
Fri Dec 30 14:27:58 2011 us=868238 Closing TUN/TAP interface
Fri Dec 30 14:27:58 2011 us=868271 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Fri Dec 30 14:27:58 2011 us=870725 Linux ip addr del failed: external program exited with error status: 2
Fri Dec 30 14:27:58 2011 us=882092 SIGTERM[hard,] received, process exiting
Fri Dec 30 14:28:00 2011 us=906815 Current Parameter Settings:
Fri Dec 30 14:28:00 2011 us=906930 config = 'Hadoop_VPN.conf'
Fri Dec 30 14:28:00 2011 us=906942 mode = 1
Fri Dec 30 14:28:00 2011 us=906951 persist_config = DISABLED
Fri Dec 30 14:28:00 2011 us=906959 persist_mode = 1
Fri Dec 30 14:28:00 2011 us=906968 show_ciphers = DISABLED
Fri Dec 30 14:28:00 2011 us=906976 show_digests = DISABLED
Fri Dec 30 14:28:00 2011 us=906985 show_engines = DISABLED
Fri Dec 30 14:28:00 2011 us=906993 genkey = DISABLED
Fri Dec 30 14:28:00 2011 us=907002 key_pass_file = '[UNDEF]'
Fri Dec 30 14:28:00 2011 us=907011 show_tls_ciphers = DISABLED
Fri Dec 30 14:28:00 2011 us=907020 Connection profiles [default]:
Fri Dec 30 14:28:00 2011 us=907029 proto = udp
Fri Dec 30 14:28:00 2011 us=907037 local = '[UNDEF]'
Fri Dec 30 14:28:00 2011 us=907046 local_port = 443
Fri Dec 30 14:28:00 2011 us=907055 remote = '[UNDEF]'
Fri Dec 30 14:28:00 2011 us=907063 remote_port = 443
Fri Dec 30 14:28:00 2011 us=907072 remote_float = DISABLED
Fri Dec 30 14:28:00 2011 us=907080 bind_defined = DISABLED
Fri Dec 30 14:28:00 2011 us=907088 bind_local = ENABLED
Fri Dec 30 14:28:00 2011 us=907097 NOTE: --mute triggered...
Fri Dec 30 14:28:00 2011 us=907124 248 variation(s) on previous 20 message(s) suppressed by --mute
Fri Dec 30 14:28:00 2011 us=907141 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Fri Dec 30 14:28:00 2011 us=907331 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 30 14:28:00 2011 us=909447 Diffie-Hellman initialized with 1024 bit key
Fri Dec 30 14:28:00 2011 us=909777 WARNING: file 'keys/hadoop_vpn/serverkey.key' is group or others accessible
Fri Dec 30 14:28:00 2011 us=910223 WARNING: file 'servers/Hadoop_VPN/ta.key' is group or others accessible
Fri Dec 30 14:28:00 2011 us=910236 Control Channel Authentication: using 'servers/Hadoop_VPN/ta.key' as a OpenVPN static key file
Fri Dec 30 14:28:00 2011 us=910259 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 30 14:28:00 2011 us=910272 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 30 14:28:00 2011 us=910298 TLS-Auth MTU parms [ L:1539 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 30 14:28:00 2011 us=910338 Socket Buffers: R=[124928->131072] S=[124928->131072]
Fri Dec 30 14:28:00 2011 us=910470 ROUTE default_gateway=xxx.xxx.xxx.xxx
Fri Dec 30 14:28:00 2011 us=911579 TUN/TAP device tun0 opened
Fri Dec 30 14:28:00 2011 us=911599 TUN/TAP TX queue length set to 100
Fri Dec 30 14:28:00 2011 us=911634 /sbin/ip link set dev tun0 up mtu 1500
Fri Dec 30 14:28:00 2011 us=915103 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Fri Dec 30 14:28:00 2011 us=919571 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Fri Dec 30 14:28:00 2011 us=923187 Data Channel MTU parms [ L:1539 D:1450 EF:39 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 30 14:28:00 2011 us=933147 GID set to adm
Fri Dec 30 14:28:00 2011 us=933281 UID set to nobody
Fri Dec 30 14:28:00 2011 us=933347 UDPv4 link local (bound): [undef]:443
Fri Dec 30 14:28:00 2011 us=933359 UDPv4 link remote: [undef]
Fri Dec 30 14:28:00 2011 us=933380 MULTI: multi_init called, r=256 v=256
Fri Dec 30 14:28:00 2011 us=933607 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Dec 30 14:28:00 2011 us=933636 IFCONFIG POOL LIST
Fri Dec 30 14:28:00 2011 us=933719 Initialization Sequence Completed

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Fri Dec 30, 2011 1:34 pm
It seems that UDP packets don't arrive at your server from
your client..
Did you check your router on the server side? (NAT, firewall etc.)
Michael.

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 1:37 pm
maikcat wrote: It seems that UDP packets don't arrive at your server from
your client..
Did you check your router on the server side? (NAT, firewall etc.)
Michael.
I don't have access to the router on the server side.
But ports 22, 80 and 443 should be open. 22 is used for SSH, 80 for Webmin and we want to use 443 for VPN.
Fri Dec 30 14:27:58 2011 us=865215 event_wait : Interrupted system call (code=4)
Fri Dec 30 14:27:58 2011 us=865623 TCP/UDP: Closing socket
Fri Dec 30 14:27:58 2011 us=865705 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Fri Dec 30 14:27:58 2011 us=868177 ERROR: Linux route delete command failed: external program exited with error status: 2
Fri Dec 30 14:27:58 2011 us=868238 Closing TUN/TAP interface
Fri Dec 30 14:27:58 2011 us=868271 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Fri Dec 30 14:27:58 2011 us=870725 Linux ip addr del failed: external program exited with error status: 2
Fri Dec 30 14:27:58 2011 us=882092 SIGTERM[hard,] received, process exiting
Here it shows some errors, though; do those mean anything important?

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Fri Dec 30, 2011 1:45 pm
>But ports 22, 80 and 443 should be open
*should*....hmm...
Keep in mind that port 22 is used for SSH (22/tcp), 80 is used for HTTP (80/tcp)
and 443 is used for HTTPS (443/tcp); you MUST verify that 443/udp is allowed.
Also, you can simply change your config from udp to tcp and try to connect..
The errors, I guess, come while you try to stop OpenVPN..
Are you testing your config as root?
Are you starting/stopping the OpenVPN service via the CLI or via network manager?
Michael.

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 1:58 pm
maikcat wrote: >But ports 22, 80 and 443 should be open
*should*....hmm...
Keep in mind that port 22 is used for SSH (22/tcp), 80 is used for HTTP (80/tcp)
and 443 is used for HTTPS (443/tcp); you MUST verify that 443/udp is allowed.
Also, you can simply change your config from udp to tcp and try to connect..
The errors, I guess, come while you try to stop OpenVPN..
Are you testing your config as root?
Are you starting/stopping the OpenVPN service via the CLI or via network manager?
Michael.
I'll verify if 443/udp is allowed. Changing proto from udp to tcp-server doesn't help.
The errors show up when I start the server via the Webmin interface.
According to the Webmin tutorial the color of the start link should change and the text from start to stop, but that doesn't happen.
Sander

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Fri Dec 30, 2011 1:59 pm
If you issue ifconfig, do you see the tun interface up?
Can you try to start OpenVPN manually (without Webmin) and see if it comes up?
Try using root as user...
Michael.

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 2:05 pm
maikcat wrote: If you issue ifconfig, do you see the tun interface up?
Can you try to start OpenVPN manually (without Webmin) and see if it comes up?
Try using root as user...
Michael.
Yes, it shows up in ifconfig.
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
You mean starting it like "service openvpn restart"?

starcraftcats
- OpenVpn Newbie
- Posts: 7
- Joined: Sat Dec 24, 2011 1:17 am
Post by starcraftcats » Fri Dec 30, 2011 2:06 pm
I'm bored so I'll chime in:
Fri Dec 30 13:18:55 2011 WARNING: file 'keys/hadoop_vpn/serverkey.key' is group or others accessible
Fri Dec 30 13:18:55 2011 WARNING: file 'servers/Hadoop_VPN/ta.key' is group or others accessible
Perhaps chmod those files to 400. It's telling you they are world-readable, I guess.

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 2:10 pm
When I execute "lsof -i:443" it shows that OpenVPN is running.
openvpn 4244 nobody 5u IPv4 17973 0t0 TCP *:https (LISTEN)

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Fri Dec 30, 2011 2:11 pm
All .key files must be 400 perms..
Your interface comes up, so I believe it's ok..
You can still test it using a PC INSIDE your LAN
and use as remote your server's LAN IP address..
Your client WILL connect and receive the 10.8.0.6 IP address..
If it doesn't connect then you have a problem..
PS: when using tcp, if you telnet to the OpenVPN service it WILL respond
Michael.
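The "is group or others accessible" warnings in the server log, and Michael's "all .key files must be 400" above, as an added example that is not part of the thread or of OpenVPN: a shell check that pulls the secret files (`key`, `tls-auth`, `secret`, `pkcs12`) out of a server config, reports any with group or other permission bits set, and optionally fixes them. `ca`, `cert` and `dh` are public material and are left alone. The directory, config and dummy key files are constructed to mirror the posted paths; relative paths are resolved against the config's own directory here, whereas OpenVPN resolves them against its working directory (or `--cd`).

```shell
#!/bin/sh
# Added example, not from the thread: find the secret files an OpenVPN config
# references and report (or fix) any that group/others can read, which is what
# "WARNING: file '...' is group or others accessible" in the server log means.
# Constructed input: a temp tree with the paths from the posted config and dummy
# files standing in for the real keys.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF=$WORK/Hadoop_VPN.conf
mkdir -p "$WORK/keys/hadoop_vpn" "$WORK/servers/Hadoop_VPN"
cat >"$CONF" <<'EOF'
ca keys/hadoop_vpn/ca.crt
cert keys/hadoop_vpn/serverkey.crt
key keys/hadoop_vpn/serverkey.key
dh keys/hadoop_vpn/dh1024.pem
tls-auth servers/Hadoop_VPN/ta.key 0
EOF
for f in keys/hadoop_vpn/ca.crt keys/hadoop_vpn/serverkey.crt keys/hadoop_vpn/serverkey.key \
         keys/hadoop_vpn/dh1024.pem servers/Hadoop_VPN/ta.key; do
    echo "dummy content standing in for $f" >"$WORK/$f"
    chmod 644 "$WORK/$f"    # the state the warnings in the log describe
done

# file_mode FILE -> octal permission bits, e.g. 644 (GNU stat first, then BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# secret_files CONF -> paths of secret material named in CONF, relative to its directory.
# key, tls-auth, secret and pkcs12 are secrets; ca, cert and dh are public.
secret_files() {
    awk '$1 == "key" || $1 == "tls-auth" || $1 == "secret" || $1 == "pkcs12" { print $2 }' "$1"
}

# check_key_perms CONF [fix] -> lists secret files with any group/other bit set;
# returns 1 if any were found. With "fix", chmod 400 them as well.
check_key_perms() {
    conf=$1
    action=$2
    bad=0
    dir=$(dirname "$conf")
    for rel in $(secret_files "$conf"); do
        f=$dir/$rel
        mode=$(file_mode "$f")
        case $mode in
            *00) ;;     # group and other bits are clear
            *)
                echo "$f: mode $mode is group or others accessible"
                bad=1
                if [ "$action" = fix ]; then
                    chmod 400 "$f" && echo "$f: set to 400"
                fi
                ;;
        esac
    done
    return $bad
}

echo "before:"
check_key_perms "$CONF" fix || :
echo "after:"
check_key_perms "$CONF" && echo "all secret files are owner-only"
```

Mode 400 owned by root is enough for the posted setup: OpenVPN reads the key files as root before it drops to `user nobody`, and the config's `persist-key` keeps them in memory across restarts so they are never re-read as the unprivileged user.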

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 2:29 pm
I am now running OpenVPN on port 80 instead of 443 and it works.
However, when I start Webmin on port 443, both Webmin and OpenVPN stop working.

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Fri Dec 30, 2011 2:37 pm
AFAIK Webmin by default uses 10000/tcp for its console..
Did you change its port to 443?
You still need to check if 443/udp is forwarded..
Michael.

s.boele
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Dec 30, 2011 12:32 pm
Post by s.boele » Fri Dec 30, 2011 3:07 pm
maikcat wrote: AFAIK Webmin by default uses 10000/tcp for its console..
Did you change its port to 443?
You still need to check if 443/udp is forwarded..
Michael.
I think 443 is closed indeed. We got it working now on port 80.
First it disconnected right after it got the IP. We changed the cipher from DES-CFB to AES-128-CBC.
Now it's working! Thanks for the help, mate!

maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
Post by maikcat » Sun Jan 01, 2012 10:00 am
Glad to have helped you out.
Happy New Year!
wishes etc etc
Michael.