Gentoo Forums
Subnet Problem with OpenVPN [SOLVED]
Gentoo Forums Forum Index: Networking & Security
Ctrl+Alt+Del
Guru
Joined: 04 Jul 2004
Posts: 326
Location: .de

Posted: Fri Sep 09, 2005 8:21 am    Post subject: Subnet Problem with OpenVPN [SOLVED]

Hello folks :)
I'm trying to set up OpenVPN with DHCP support. In general it works and I can connect one client to it. If I connect a second client, it gets the same IP as the first one.
In the server cfg file I declared the DHCP pool to be 172.16.0.0 255.255.255.240, which should be enough for my needs. The clients, however, always get 172.16.0.6 / 255.255.255.252.

local.conf (Server)
Code:
port 5000
dev tun0
# 'server' below already expands to 'mode server' and 'tls-server', so these two are redundant
mode server
status /etc/openvpn/phone/openvpn-status.log
status-version 2
# /28 pool; with the default net30 addressing every client is handed a /30 out of it
server 172.16.0.0 255.255.255.240
tls-server
dh /etc/openvpn/phone/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/phone/easy-rsa/keys/ca.crt
cert /etc/openvpn/phone/easy-rsa/keys/server.crt
key /etc/openvpn/phone/easy-rsa/keys/server.key
# process keeps running as root; with persist-key/persist-tun set, user/group could be enabled to drop privileges after init
#user openvpn
#group openvpn
persist-key
persist-tun
verb 3


server-status.log
Quote:
TITLE,OpenVPN 2.0.1 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 5 2005
TIME,Fri Sep 9 10:27:43 2005,1126254463
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,asterisk,192.168.106.112:1654,172.16.0.6,3779,3962,Fri Sep 9 10:27:39 2005,1126254459
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,172.16.0.6,asterisk,192.168.106.112:1654,Fri Sep 9 10:27:39 2005,1126254459
GLOBAL_STATS,Max bcast/mcast queue length,1
END


client.conf (windows)
Quote:

client
dev tun
proto udp
remote 192.168.106.3 5000

resolv-retry infinite
nobind
persist-key
persist-tun
ca C:\\Programme\\OpenVPN\\easy-rsa\\keys\\ca.crt
cert C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client2.crt
key C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client2.key
ns-cert-type server
verb 3


Client connect log
Quote:
Fri Sep 09 10:25:52 2005 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.1,ifconfig 172.16.0.6 172.16.0.5'
Fri Sep 09 10:25:52 2005 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 09 10:25:52 2005 OPTIONS IMPORT: route options modified
Fri Sep 09 10:25:52 2005 TAP-WIN32 device [LAN-Verbindung 3] opened: \\.\Global\{81FE36F0-4858-4F9C-A3A0-883DA69453F0}.tap
Fri Sep 09 10:25:52 2005 TAP-Win32 Driver Version 8.1
Fri Sep 09 10:25:52 2005 TAP-Win32 MTU=1500
Fri Sep 09 10:25:52 2005 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.0.6/255.255.255.252 on interface {81FE36F0-4858-4F9C-A3A0-883DA69453F0} [DHCP-serv: 172.16.0.5, lease-time: 31536000]
Fri Sep 09 10:25:52 2005 Successful ARP Flush on interface [3] {81FE36F0-4858-4F9C-A3A0-883DA69453F0}
Fri Sep 09 10:25:53 2005 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Fri Sep 09 10:25:53 2005 Route: Waiting for TUN/TAP interface to come up...
Fri Sep 09 10:25:53 2005 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Fri Sep 09 10:25:53 2005 Route: Waiting for TUN/TAP interface to come up...
Fri Sep 09 10:25:54 2005 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Fri Sep 09 10:25:54 2005 route ADD 172.16.0.1 MASK 255.255.255.255 172.16.0.5
Fri Sep 09 10:25:54 2005 Route addition via IPAPI succeeded
Fri Sep 09 10:25:54 2005 Initialization Sequence Completed


Any Ideas?


EDIT: It seems the duplicated IPs were caused by the fact that the two client certs had the same common name. Adding 'duplicate-cn' to the config fixed that issue. This is now ignored. The 255.255.255.252 subnet seems to be intentional to prevent clients from communicating with each other. Kinda annoying in my case, so I'll have to find a way around it. :)


Last edited by Ctrl+Alt+Del on Mon Sep 12, 2005 8:32 am; edited 1 time in total
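Both symptoms in the post (two clients holding one virtual address, and the /30 netmask) can be read straight out of the status file. The script below is an added example, my own code rather than anything from the thread or from OpenVPN: it parses the status-version 2 format shown above and reports virtual addresses held by more than one peer, common names in use from more than one real address, and connected peers that have no ROUTING_TABLE entry. That last check matters because the routing table maps each virtual address to exactly one peer, so a second peer on the same address receives no return traffic even though it shows as connected. The sample status text is constructed: the first CLIENT_LIST and ROUTING_TABLE lines are the ones from the post, the remaining peers are invented. On the netmask itself: with `dev tun` and the default net30 addressing of OpenVPN 2.0, every client is given its own /30 (here `ifconfig 172.16.0.6 172.16.0.5`) so that point-to-point semantics work on Windows TAP adapters; it is an addressing convention, not an isolation control, and whether clients can reach each other is decided by `client-to-client` and by the server's kernel routing and firewall rules.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in OpenVPN's status-version 2 format. The first CLIENT_LIST
# and first ROUTING_TABLE lines are from the post; the other peers are invented.
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.0.1 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 5 2005
TIME,Fri Sep 9 10:27:43 2005,1126254463
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,asterisk,192.168.106.112:1654,172.16.0.6,3779,3962,Fri Sep 9 10:27:39 2005,1126254459
CLIENT_LIST,asterisk,192.168.106.113:1655,172.16.0.6,120,98,Fri Sep 9 10:28:01 2005,1126254481
CLIENT_LIST,laptop,192.168.106.120:2001,172.16.0.10,5000,4000,Fri Sep 9 10:29:00 2005,1126254540
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,172.16.0.6,asterisk,192.168.106.112:1654,Fri Sep 9 10:27:39 2005,1126254459
ROUTING_TABLE,172.16.0.10,laptop,192.168.106.120:2001,Fri Sep 9 10:29:00 2005,1126254540
GLOBAL_STATS,Max bcast/mcast queue length,1
END
"""


def parse_status(text):
    """Split a status-version 2 dump into CLIENT_LIST and ROUTING_TABLE rows."""
    clients, routes = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "CLIENT_LIST" and len(row) >= 4:
            clients.append((row[1], row[2], row[3]))   # (common name, real addr, virtual addr)
        elif row[0] == "ROUTING_TABLE" and len(row) >= 4:
            routes.append((row[1], row[2], row[3]))    # (virtual addr, common name, real addr)
    return clients, routes


def _grouped(clients, key_index):
    """Group peers (identified by real address) by one column; keep groups with more than one peer."""
    groups = defaultdict(set)
    for entry in clients:
        groups[entry[key_index]].add(entry[1])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def shared_virtual_addresses(clients):
    """virtual address -> real addresses, for addresses handed to more than one peer."""
    return _grouped(clients, 2)


def shared_common_names(clients):
    """common name -> real addresses, for certificates in use from more than one place."""
    return _grouped(clients, 0)


def unrouted_peers(clients, routes):
    """Connected peers whose real address owns no ROUTING_TABLE entry: they get no return traffic."""
    routed = {real for _vaddr, _cn, real in routes}
    return [(cn, real) for cn, real, _vaddr in clients if real not in routed]


def audit(text):
    """Run all three checks over one status dump and return human-readable findings."""
    clients, routes = parse_status(text)
    findings = []
    for vaddr, reals in shared_virtual_addresses(clients).items():
        findings.append(f"virtual address {vaddr} held by {len(reals)} peers: {', '.join(reals)}")
    for cn, reals in shared_common_names(clients).items():
        findings.append(f"common name {cn!r} connected from {len(reals)} real addresses: {', '.join(reals)}")
    for cn, real in unrouted_peers(clients, routes):
        findings.append(f"peer {real} ({cn}) is connected but has no routing-table entry")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS):
        print(finding)
```

Against a live server, pass the contents of the file named by the `status` directive to `audit()`; a common name reported from two real addresses is exactly the situation `duplicate-cn` permits and that per-client config files cannot tell apart.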
bigfunkymo
Apprentice
Joined: 23 Jan 2004
Posts: 237

Posted: Fri Sep 09, 2005 1:12 pm

You need to use the directives 'route' and either 'client-to-client' or 'iroute'. The route directive causes openvpn to create a route in the kernel to openvpn. The iroute directive in a server side client configuration file allows openvpn to tell which connection each route goes to. Client-to-client tells openvpn to set up routing automatically between all clients. Having it done with client-to-client is really easy but doesn't give you any control over firewalling or routing.

For example:
If you want to have each client to individually connect (direct client connection versus having a router establish the tunnel and route a network)
in /etc/openvpn/hypothetical-server.conf
Code:
(not a complete example in itself, but you can take something from it)
server 172.20.1.0 255.255.255.0  #specifies a subnet and pool of addresses to use
route  172.20.1.0 255.255.255.0  #creates a route for this subnet in the kernel
client-to-client


For another example:
If you want to control routing for a connection with a router that will route a whole network through the tunnel. The duplicate-cn directive cannot be used with this configuration. And honestly, it's a bad idea to have clients sharing keys anyway.
in /etc/openvpn/hypothetical-server.conf
Code:
(still not a complete configuration)
server 172.20.1.0 255.255.255.0  #specifies a subnet and pool of addresses to use for the VPN links
client-config-dir hypothetical-server/client-configs  #where the client configs can be found
route  172.25.1.0 255.255.255.0  #creates a route for the client's subnet in the kernel

and in /etc/openvpn/hypothetical-server/client-configs/common-name-in-client's-cert
Code:
(this is actually a complete file)
iroute 172.25.1.0 255.255.255.0


I hope that made some sense to you
_________________
[No package... Grabbing a set.]
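A worked version of the second layout above (a router on each end, one LAN behind each client), added here as my own example and not code from the reply or from OpenVPN. Given a list of certificate common names and the LAN behind each, it validates the inventory and emits the server-side `route` lines plus one `client-config-dir` file per common name containing its `iroute`; it also answers the follow-up concern in this thread about a manual step per user, since the files are generated from the list. The common names, subnets and the ccd directory path are assumptions for illustration. The checks exist because OpenVPN's internal routing is keyed on the common name: two LANs that overlap, or a LAN overlapping the VPN pool, make delivery ambiguous, and `duplicate-cn` would let two certificates map to the same ccd file, which is why the generated fragment leaves it out. The firewalling point in the reply is worth keeping in mind when choosing between the two layouts: with `client-to-client`, the server forwards client-to-client packets internally and they never pass through the tun interface or the host's packet filter; without it, they do, which is what makes per-client firewall rules possible at all.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed inventory for the example: certificate common name -> LAN behind
# that client. Names and subnets are assumptions for illustration.
SITES = [
    ("router-berlin", "172.25.1.0/24"),
    ("router-munich", "172.25.2.0/24"),
]
VPN_POOL = "172.20.1.0/24"   # subnet given to the 'server' directive in the reply above
CCD_DIR = "/etc/openvpn/hypothetical-server/client-configs"   # assumed path, as in the reply

# The ccd file is looked up by the client's certificate common name, so the
# name must be usable as a plain filename: no path separators, no '..'.
SAFE_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.@-]*$")


def validate(sites, vpn_pool):
    """Return {cn: ip_network}, rejecting unsafe names, repeated names and overlapping subnets."""
    pool = ipaddress.ip_network(vpn_pool)
    nets = {}
    for cn, cidr in sites:
        if not SAFE_CN.match(cn) or ".." in cn:
            raise ValueError(f"common name {cn!r} is not safe as a ccd filename")
        if cn in nets:
            raise ValueError(f"common name {cn!r} listed twice; an iroute needs a unique CN")
        net = ipaddress.ip_network(cidr, strict=True)
        if net.overlaps(pool):
            raise ValueError(f"{cn}: {net} overlaps the VPN pool {pool}")
        for other_cn, other in nets.items():
            if net.overlaps(other):
                raise ValueError(f"{cn}: {net} overlaps {other_cn}'s {other}")
        nets[cn] = net
    return nets


def rejects(sites, vpn_pool):
    """True if validate() refuses the inventory; used to exercise the checks."""
    try:
        validate(sites, vpn_pool)
    except ValueError:
        return True
    return False


def server_fragment(sites, vpn_pool, ccd_dir=CCD_DIR):
    """Server-side lines: the pool, the ccd directory and one kernel route per client LAN."""
    nets = validate(sites, vpn_pool)
    pool = ipaddress.ip_network(vpn_pool)
    lines = [
        f"server {pool.network_address} {pool.netmask}",
        f"client-config-dir {ccd_dir}",
        "# no duplicate-cn: every iroute is bound to exactly one certificate",
    ]
    for cn, net in nets.items():
        lines.append(f"# LAN behind {cn}")
        lines.append(f"route {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"


def ccd_files(sites, vpn_pool):
    """{common name: file body}; each body tells OpenVPN which connection owns that LAN."""
    return {cn: f"iroute {net.network_address} {net.netmask}\n"
            for cn, net in validate(sites, vpn_pool).items()}


def write_ccd(sites, vpn_pool, ccd_dir):
    """Write one ccd file per common name and return the paths written."""
    d = Path(ccd_dir)
    d.mkdir(parents=True, exist_ok=True)
    written = []
    for cn, body in ccd_files(sites, vpn_pool).items():
        path = d / cn
        path.write_text(body)
        written.append(str(path))
    return written


if __name__ == "__main__":
    print(server_fragment(SITES, VPN_POOL))
    with tempfile.TemporaryDirectory() as tmp:   # stand-in for CCD_DIR when run as a demo
        for path in write_ccd(SITES, VPN_POOL, tmp):
            print(path, "->", Path(path).read_text().strip())
```

When run as a script it prints the server fragment and writes the ccd files into a temporary directory; on a real server, call `write_ccd(SITES, VPN_POOL, CCD_DIR)` and append the fragment to the server configuration, then re-run both whenever a site is added so the `route` and `iroute` sides stay in step.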
Ctrl+Alt+Del
Guru
Joined: 04 Jul 2004
Posts: 326
Location: .de

Posted: Mon Sep 12, 2005 8:32 am

Thanks a lot for that explanation, had to read it a few times, but I think I got it :)
The only thing bugging me is that I need a manual config step for every user I add, but I guess I can live with that.
bigfunkymo
Apprentice
Joined: 23 Jan 2004
Posts: 237

Posted: Tue Sep 13, 2005 1:03 pm

If your clients are connecting to the VPN aggregator individually, then the client-to-client method should be sufficient--which doesn't require individual client configurations. The individual client config files are for routing whole networks through the VPN like if you establish the VPN tunnel between 2 routers.
_________________
[No package... Grabbing a set.]