VPN Setup
April 20, 2007 at 7:36 pm #40608
Kimito Sakata (Member)
I'm trying to set up a VPN to connect one LAN to another LAN. I feel I'm close but still have problems.
Using 1.0.beta4
Box1 – Zeroshell running at my office
ETH00 – WAN address
ETH01 – 10.0.0.100
VPN00 – 10.8.0.1 running as Server
Remote Host: blank
params: --dev tun --ifconfig 10.8.0.1 255.0.0.0 --verb 5 --tls-auth /root/static.key

Box2 – Zeroshell running at home
ETH00 – 192.168.0.75 – NAT through my home router. The router is setup to route back to Box2 so incoming traffic will go to the box. The real IP on the router is dynamic.
ETH01 – 10.0.0.150
VPN00 – 10.8.0.3 running as Client (I couldn’t get it to work as Server)
Remote Host: The WAN address of Box 1
params: --dev tun --ifconfig 10.8.0.3 255.0.0.0 --verb 5 --tls-auth /root/static.key

I couldn't figure out the CA stuff, so I'm running with static keys. I managed to modify the database so that I can save the key and copy it at the opportune time (through rc.local) so that when the VPN comes up, it will use it. Both boxes are sharing the same key.
With the above setup, the VPN status at both ends is “Connected”. However, I can’t ping the 10.8.0.X addresses from either end (Destination Host Unreachable).
The route table of Box1 is:
Destination Netmask Type Metric Gateway Interface Flags State Source
WANADDR 255.255.255.248 Net 0 none ETH00 U Up Auto
10.0.0.0 255.0.0.0 Net 0 none ETH01 U Up Auto
10.0.0.0 255.0.0.0 Net 0 none tap0 U Up Auto
DEFAULT GATEWAY 0.0.0.0 Net 0 WANGW ETH00 UG Up Static

tap0 seems to always want to route to 10.0.0.0. Could this be the problem?
When I try to ping:
PING 10.8.0.3 (10.8.0.3) 56(84) bytes of data.
From 10.0.0.100 icmp_seq=1 Destination Host Unreachable
From 10.0.0.100 icmp_seq=2 Destination Host Unreachable
From 10.0.0.100 icmp_seq=3 Destination Host Unreachable
It seems to want to get out through ETH01.

I don't think there is any firewall issue because running tcpdump at each side shows port 1194 traffic going in both directions.
Appreciate any help.
April 20, 2007 at 9:33 pm #45302
imported_fulvio (Participant)
1) Don't use the --dev tun parameter, because ZeroShell uses a tap device which is set automatically without any additional parameter.
2) You shouldn't use the --ifconfig option to configure the IP address; use the web interface directly to add the IP to the VPN00 interface.
Regards
Fulvio

April 20, 2007 at 10:12 pm #45303
Kimito Sakata (Member)
When I tried to do that, the bottom status window shows:
Apr 20 15:57,39 SUCCESS: VPN00 successfully configured.
Apr 20 16:10,08 ERROR: IP 10.8.0.1/255.0.0.0 not added to VPN00 : 10.0.0.0/8 overlaps 10.0.0.0/8 (ETH01)

April 20, 2007 at 10:36 pm #45304
Kimito Sakata (Member)
After I used the web interface to add the IP 11.8.0.1 (which was successful), the VPN log shows:
6:07:31 TLS: new session incoming connection from x.x.x.x:1194
16:07:36 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=Zer … oshell.net
16:07:36 VERIFY OK: depth=0, /OU=hosts/CN=flexstar.com
16:07:36 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.0.0 255.0.0.0'
16:07:36 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
16:07:36 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
16:07:36 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
16:07:36 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
16:07:36 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
16:07:36 TLS: tls_multi_process: untrusted session promoted to trusted
16:07:36 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
16:09:41 MANAGEMENT: Client connected from 127.0.0.1:34000
16:09:41 MANAGEMENT: Client disconnected
16:10:31 MANAGEMENT: Client connected from 127.0.0.1:34000
16:10:31 MANAGEMENT: Client disconnected

It seems like ifconfig is complaining.

April 20, 2007 at 10:38 pm #45305
Kimito Sakata (Member)
From the web interface, how do you specify the remote IP address (the VPN IP address, not the hostname)?
In the OpenVPN docs, ifconfig is given the arguments l and rn, where l = local IP and rn = remote IP.
April 21, 2007 at 5:52 am #45306
Kimito Sakata (Member)
OK – I'm progressing.
I got home and did the same to Box2:
1) took out the parameters except for --verb 5 --tls-auth /root/static.key
2) set the VPN00 IP to 11.8.0.3

Voila! I can ping 11.8.0.1 from Box2 at home.
Now how do I access the other network attached to either boxes? The plan is to be able to ping from home the 10.0.0.x network at the office (Box1).
April 21, 2007 at 9:38 am #45307
Kimito Sakata (Member)
OK – I'm learning on my own (actually I found the answer on this forum).
I did the bridge trick you talked about with the console 'B' key.

Now I can ping both ETH01 networks on Box1 and Box2. But now it seems to disconnect very frequently. Looking at the VPN log from Box2:
03:27:33 Initialization Sequence Completed
03:27:46 MANAGEMENT: Client connected from 127.0.0.1:34000
03:27:46 MANAGEMENT: Client disconnected
03:28:25 [Box1 WAN Addr] Inactivity timeout (--ping-restart), restarting
03:28:25 TCP/UDP: Closing socket
03:28:25 Closing TUN/TAP interface
03:28:25 SIGUSR1[soft,ping-restart] received, process restarting
03:28:25 Restart pause, 2 second(s)
03:28:27 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
03:28:27 Control Channel Authentication: using '/root/static.key' as a OpenVPN static key file
03:28:27 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
03:28:27 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
03:28:27 LZO compression initialized
03:28:27 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
03:28:27 TUN/TAP device VPN00 opened
03:28:27 TUN/TAP TX queue length set to 100
03:28:27 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
03:28:27 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
03:28:27 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
03:28:27 Local Options hash (VER=V4): '46a60371'
03:28:27 Expected Remote Options hash (VER=V4): 'f7b041bb'
03:28:27 Socket Buffers: R=[108544->131072] S=[108544->131072]
03:28:27 UDPv4 link local (bound): [undef]:1194
03:28:27 UDPv4 link remote: Box1 WAN Addr:1194
03:28:27 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
03:28:27 TLS: Initial packet from Box1 WAN Addr:1194, sid=be93f0b6 fb9724bc
03:28:29 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
03:28:30 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=Zer … oshell.net
03:28:30 VERIFY OK: depth=0, /OU=hosts/CN=Box1 WAN Addr
03:28:30 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
03:28:31 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
03:28:32 MANAGEMENT: Client connected from 127.0.0.1:34000
03:28:32 MANAGEMENT: Client disconnected
03:28:34 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
03:28:34 [Box1 WAN Addr] Inactivity timeout (--ping-restart), restarting
03:28:34 TCP/UDP: Closing socket
03:28:34 Closing TUN/TAP interface
03:28:34 SIGUSR1[soft,ping-restart] received, process restarting
03:28:34 Restart pause, 2 second(s)
03:28:36 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
03:28:36 Control Channel Authentication: using '/root/static.key' as a OpenVPN static key file
03:28:36 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
03:28:36 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
03:28:36 LZO compression initialized
03:28:36 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
03:28:36 TUN/TAP device VPN00 opened
03:28:36 TUN/TAP TX queue length set to 100
03:28:36 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
03:28:36 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
03:28:36 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
03:28:36 Local Options hash (VER=V4): '46a60371'
03:28:36 Expected Remote Options hash (VER=V4): 'f7b041bb'
03:28:36 Socket Buffers: R=[108544->131072] S=[108544->131072]
03:28:36 UDPv4 link local (bound): [undef]:1194
03:28:36 UDPv4 link remote: Box1 WAN Addr:1194
03:28:36 TLS Error: Unroutable control packet received from Box1 WAN Addr:1194 (si=3 op=P_ACK_V1)

Do I just have a very bad Internet connection, or do I need to tweak a setting?
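As an added example (not from the thread, ZeroShell or OpenVPN), a small Python parser that reads a client log like the one above and reports whether the tunnel is flapping, which TLS errors recur, and whether the "no server certificate verification" warning is present. The excerpt is constructed from the lines quoted above; the en-dash normalisation handles the way the forum rendered --ping-restart.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt modelled on the Box2 client log quoted above: two
# ping-restart cycles nine seconds apart with TLS errors in between.
SAMPLE_LOG = """\
03:27:33 Initialization Sequence Completed
03:28:25 [Box1 WAN Addr] Inactivity timeout (--ping-restart), restarting
03:28:27 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
03:28:27 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
03:28:29 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
03:28:34 [Box1 WAN Addr] Inactivity timeout (\u2013ping-restart), restarting
03:28:36 TLS Error: Unroutable control packet received from Box1 WAN Addr:1194 (si=3 op=P_ACK_V1)
"""

LINE_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2}) (.*)$")
MITM_WARNING = "No server certificate verification method has been enabled"

def parse(log_text):
    """Yield (time, message) pairs. Web copies often turn '--' into an
    en-dash, so normalise that before matching option names. Assumes all
    lines fall on one day (no midnight wrap)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%H:%M:%S"),
                   m.group(2).replace("\u2013", "--"))

def analyse(log_text, window=timedelta(minutes=5), threshold=2):
    """Summarise a client log: count ping-restarts, call the tunnel
    'flapping' when `threshold` restarts fall inside `window`, tally TLS
    errors by coarse category and record the missing-verification warning."""
    restarts, tls_errors, warnings = [], {}, []
    for t, msg in parse(log_text):
        if "Inactivity timeout (--ping-restart)" in msg:
            restarts.append(t)
        elif msg.startswith("TLS Error:"):
            category = msg.split(":", 2)[1].strip()  # text up to the next colon
            tls_errors[category] = tls_errors.get(category, 0) + 1
        elif MITM_WARNING in msg and MITM_WARNING not in warnings:
            warnings.append(MITM_WARNING)
    flapping = any(restarts[i + threshold - 1] - restarts[i] <= window
                   for i in range(len(restarts) - threshold + 1))
    return {"restarts": len(restarts), "flapping": flapping,
            "tls_errors": tls_errors, "warnings": warnings}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```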
April 22, 2007 at 10:44 am #45308
imported_fulvio (Participant)
I think the problem is the TLS configuration.
Try to remove any additional OpenVPN parameter.
In any case, you should not use IP addresses belonging to the subnet 11.0.0.0/8 because this is a public subnet. Try to use 192.168.x.0/24 or 172.16.0.0/16, which are private subnets.

Bye
Fulvio
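The two addressing problems in this thread (the "10.0.0.0/8 overlaps 10.0.0.0/8 (ETH01)" error, and a VPN address taken from the public 11.0.0.0/8 block) can be caught before touching the box. As an added example, not ZeroShell's own code, the check below validates a planned VPN interface address against the interfaces already configured; the Box1 WAN address is a constructed placeholder from the documentation range.

```python
import ipaddress

# The three RFC 1918 blocks. ipaddress.is_private also covers other
# special-purpose ranges, so the blocks are spelled out explicitly.
RFC1918 = [ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("172.16.0.0/12"),
           ipaddress.ip_network("192.168.0.0/16")]

# Box1 as described in the thread: ETH01 is 10.0.0.100 with a /8 mask (per
# its route table); the WAN /29 is a constructed placeholder.
BOX1_IFACES = [("ETH00", "203.0.113.10/29"),
               ("ETH01", "10.0.0.100/8")]

def check_vpn_address(vpn_iface, existing_ifaces):
    """Return a list of problems with assigning vpn_iface on a box.

    vpn_iface:       (name, "addr/prefix") for the VPN (tap) interface
    existing_ifaces: (name, "addr/prefix") pairs already configured

    Two checks, mirroring the thread: the VPN subnet must not overlap any
    existing interface's subnet (the error ZeroShell raised), and it should
    come from private address space (Fulvio's advice about 11.0.0.0/8).
    """
    problems = []
    vname, vaddr = vpn_iface
    vnet = ipaddress.ip_interface(vaddr).network
    if not any(vnet.subnet_of(block) for block in RFC1918):
        problems.append(f"{vname}: {vnet} is not an RFC 1918 private subnet")
    for name, addr in existing_ifaces:
        net = ipaddress.ip_interface(addr).network
        if vnet.overlaps(net):
            problems.append(f"{vname}: {vnet} overlaps {net} ({name})")
    return problems

if __name__ == "__main__":
    for candidate in ("10.8.0.1/8", "11.8.0.1/8", "192.168.100.1/24"):
        print(candidate, check_vpn_address(("VPN00", candidate), BOX1_IFACES) or "OK")
```

A /24 for the tunnel (the third candidate) passes both checks; the first two reproduce the overlap error and the public-subnet objection respectively.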