I just bit the bullet and upgraded my Bering box to the latest. I also got a little ambitious and decided to install OpenVPN. After fighting with it for a couple nights I have it working. But I just am noticing some warning messages in the connect log and I am hoping someone on the list may be able to help me out.
First off, I am using the following:

openvpnz.lrp
liblzo.lrp
aes.o - Module for crypto, loaded in /lib/modules and uncommented in the modules config.
libcrpto.lrp
libssl.lrp
openssl.lrp

Ok here is a client config:

SNIP>>>>>>>>>>>>>>>>>>
# tun-style tunnel
dev tap0
#OpenVPN Standard port (UDP)
port 1194
#Local for testing only
remote 10.126.26.254
#Remote for testing
#remote 139.157.237.176
#Cipher to use
cipher AES-128-CBC
#Enable Compression to save bandwidth
comp-lzo
# tls parameters
tls-client
tls-auth ta.key 1
#Keys
ca ca.crt
cert SicBoy.crt
key SicBoy.key
# get more configuration from the server
pull
# logging verbosity
verb 5
END SNIP>>>>>>>>>>>>>>>>>>>>>>>>

And here is the server config:

SNIP>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# we are a multi-client udp server
mode server
# tun-style tunnel
port 1194
dev tap0
#Cipher
cipher AES-128-CBC # AES
# TLS parameters
tls-server
#Keys
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/Cerberus.crt
key /etc/openvpn/keys/Cerberus.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
# virtual endpoints (are these arbitrary?)
ifconfig 10.10.33.1 255.255.255.0
# pool of IPs for connecting clients
push "ip-win32 dynamic"
ifconfig-pool 10.10.33.200 10.10.33.250 255.255.255.0
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10
#Allow OpenVPN connected systems to see each other
client-to-client
# autoconfig all IP traffic over VPN
push "route 10.0.0.0 255.0.0.0 10.10.33.1"
push "dhcp-option DNS 10.10.26.254"
push "dhcp-option WINS 10.10.27.26"
push "dhcp-option DOMAIN Vallhalla.network"
push "dhcp-option NBT 2"
# change to lower privileges for more security
user nobody
group nogroup
#Log Location
status /var/log/openvpn-status.log
log /var/log/openvpn.log
# logging verbosity
verb 4
mute 20
keepalive 10 60
END SNIP>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Ok now here is the log from a client connecting:

SNIP>>>>>>>>
Sun Jul 17 19:10:03 2005 us=163080 OpenVPN 2.0 Win32-MinGW [SSL] [LZO] built on Apr 17 2005
Sun Jul 17 19:10:03 2005 us=163204 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jul 17 19:10:03 2005 us=165043 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Jul 17 19:10:03 2005 us=165082 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 17 19:10:03 2005 us=173792 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 17 19:10:03 2005 us=173844 LZO compression initialized
Sun Jul 17 19:10:03 2005 us=173975 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sun Jul 17 19:10:03 2005 us=200567 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:23 ET:32 EL:0 AF:3/1 ]
Sun Jul 17 19:10:03 2005 us=200636 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sun Jul 17 19:10:03 2005 us=200652 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sun Jul 17 19:10:03 2005 us=200685 Local Options hash (VER=V4): 'a7133b47'
Sun Jul 17 19:10:03 2005 us=200707 Expected Remote Options hash (VER=V4): 'c5677ab3'
Sun Jul 17 19:10:03 2005 us=200751 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jul 17 19:10:03 2005 us=200776 UDPv4 link local (bound): [undef]:1194
Sun Jul 17 19:10:03 2005 us=200790 UDPv4 link remote: 10.10.26.254:1194
Sun Jul 17 19:10:03 2005 us=208558 TLS: Initial packet from 10.10.26.254:1194, sid=1d5f95d1 b972000d
Sun Jul 17 19:10:03 2005 us=609797 VERIFY OK: depth=1, /C=CA/ST=SK/L=Saskatoon/O=OpenVPN-Sic/CN=Cerberus/[EMAIL PROTECTED] link.ca
Sun Jul 17 19:10:03 2005 us=610854 VERIFY OK: depth=0, /C=CA/ST=SK/O=OpenVPN-Sic/CN=MyBox/[EMAIL PROTECTED]
Sun Jul 17 19:10:04 2005 us=91173 NOTE: Options consistency check may be skewed by version differences
Sun Jul 17 19:10:04 2005 us=91220 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Sun Jul 17 19:10:04 2005 us=91240 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
Sun Jul 17 19:10:04 2005 us=91258 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1590'
Sun Jul 17 19:10:04 2005 us=91276 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1532'
Sun Jul 17 19:10:04 2005 us=91293 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Sun Jul 17 19:10:04 2005 us=91312 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Jul 17 19:10:04 2005 us=91330 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Sun Jul 17 19:10:04 2005 us=91349 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-128-CBC'
Sun Jul 17 19:10:04 2005 us=91366 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Sun Jul 17 19:10:04 2005 us=91383 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Sun Jul 17 19:10:04 2005 us=91401 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Sun Jul 17 19:10:04 2005 us=91418 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Sun Jul 17 19:10:04 2005 us=91436 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
Sun Jul 17 19:10:04 2005 us=91618 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Jul 17 19:10:04 2005 us=91636 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 17 19:10:04 2005 us=91652 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Jul 17 19:10:04 2005 us=91670 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 17 19:10:04 2005 us=91895 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Jul 17 19:10:04 2005 us=91928 [MyBox] Peer Connection Initiated with 10.10.26.254:1194
Sun Jul 17 19:10:05 2005 us=330312 SENT CONTROL [MyBox]: 'PUSH_REQUEST' (status=1)
Sun Jul 17 19:10:05 2005 us=337736 PUSH: Received control message: 'PUSH_REPLY,ip-win32 dynamic,route 10.0.0.0 255.0.0.0 10.10.33.1,dhcp-option DNS 10.10.26.254,dhcp-option WINS 10.10.27.26,dhcp-option DOMAIN Vallhalla.network,dhcp-option NBT 2,ping 10,ping-restart 60,ifconfig 10.10.33.200 255.255.255.0'
Sun Jul 17 19:10:05 2005 us=337825 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 17 19:10:05 2005 us=337839 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 17 19:10:05 2005 us=337850 OPTIONS IMPORT: route options modified
Sun Jul 17 19:10:05 2005 us=337861 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 17 19:10:05 2005 us=348056 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{32AE1E07-D0EC-4160-8F8B-8809E4E878FD}.tap
Sun Jul 17 19:10:05 2005 us=348908 TAP-Win32 Driver Version 8.1
Sun Jul 17 19:10:05 2005 us=349456 TAP-Win32 MTU=1500
Sun Jul 17 19:10:05 2005 us=350006 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.33.200/255.255.255.0 on interface {32AE1E07-D0EC-4160-8F8B-8809E4E878FD} [DHCP-serv: 10.10.33.0, lease-time: 31536000]
Sun Jul 17 19:10:05 2005 us=350049 DHCP option string: 0f115661 6c6c6861 6c6c612e 6e657477 6f726b2e 01020604 0a0a1afe 2c040a0a 1b1a
Sun Jul 17 19:10:05 2005 us=352778 Successful ARP Flush on interface [2] {32AE1E07-D0EC-4160-8F8B-8809E4E878FD}
Sun Jul 17 19:10:05 2005 us=375456 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sun Jul 17 19:10:05 2005 us=375486 Route: Waiting for TUN/TAP interface to come up...
Sun Jul 17 19:10:06 2005 us=612502 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sun Jul 17 19:10:06 2005 us=612531 Route: Waiting for TUN/TAP interface to come up...
Sun Jul 17 19:10:07 2005 us=862720 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sun Jul 17 19:10:07 2005 us=862749 Route: Waiting for TUN/TAP interface to come up...
Sun Jul 17 19:10:09 2005 us=113054 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sun Jul 17 19:10:09 2005 us=113083 Route: Waiting for TUN/TAP interface to come up...
Sun Jul 17 19:10:10 2005 us=378847 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Sun Jul 17 19:10:10 2005 us=378882 route ADD 10.0.0.0 MASK 255.0.0.0 10.10.33.1
Sun Jul 17 19:10:10 2005 us=381981 Route addition via IPAPI succeeded
Sun Jul 17 19:10:10 2005 us=382011 Initialization Sequence Completed
END SNIP>>>>>>>>>>>>>>>>>>>>>

------Here are the entries that concern me--------
Sun Jul 17 19:10:04 2005 us=91173 NOTE: Options consistency check may be skewed by version differences
Sun Jul 17 19:10:04 2005 us=91220 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Sun Jul 17 19:10:04 2005 us=91240 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
Sun Jul 17 19:10:04 2005 us=91258 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1590'
Sun Jul 17 19:10:04 2005 us=91276 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1532'
Sun Jul 17 19:10:04 2005 us=91293 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Sun Jul 17 19:10:04 2005 us=91312 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Jul 17 19:10:04 2005 us=91330 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Sun Jul 17 19:10:04 2005 us=91349 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-128-CBC'
Sun Jul 17 19:10:04 2005 us=91366 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Sun Jul 17 19:10:04 2005 us=91383 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Sun Jul 17 19:10:04 2005 us=91401 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Sun Jul 17 19:10:04 2005 us=91418 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Sun Jul 17 19:10:04 2005 us=91436 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'

Can anyone please tell me what I am missing? How do I get rid of all these "WARNING" messages?

Thanks in advance.

Troy
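
An added example, not part of the original post: a Python script that triages the WARNING lines of an OpenVPN client log like the one above. It separates the options-consistency warnings from any other warning (here the one about server certificate verification) and checks whether each value reported as missing is simply a token of the Expected Remote Options String. The sample lines are an excerpt of the log in the post; the function and key names are this example's own.

```python
import re

# Excerpt of the client log from the post above (sample input for this example).
SAMPLE_LOG = """\
Sun Jul 17 19:10:03 2005 us=163204 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jul 17 19:10:03 2005 us=200652 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sun Jul 17 19:10:04 2005 us=91220 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Sun Jul 17 19:10:04 2005 us=91240 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
Sun Jul 17 19:10:04 2005 us=91330 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Sun Jul 17 19:10:04 2005 us=91349 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-128-CBC'
Sun Jul 17 19:10:04 2005 us=91436 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
"""

EXPECTED = re.compile(r"Expected Remote Options String: '([^']*)'")
INCONSISTENT = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
MISSING = re.compile(
    r"WARNING: '([^']+)' is present in local config but missing in remote config, "
    r"local='([^']*)'")
OTHER = re.compile(r"WARNING: (.*)")


def triage(log_text):
    """Group the WARNING lines of an OpenVPN log by kind."""
    out = {"expected_remote": [], "inconsistent": [], "missing": [], "other": []}
    for line in log_text.splitlines():
        if m := EXPECTED.search(line):
            out["expected_remote"] = m.group(1).split(",")
        elif m := INCONSISTENT.search(line):
            out["inconsistent"].append(m.groups())   # (option, local, remote)
        elif m := MISSING.search(line):
            out["missing"].append(m.group(2))        # the local='...' value
        elif m := OTHER.search(line):
            out["other"].append(m.group(1))          # any warning not matched above
    # Values reported missing that are NOT tokens of the Expected Remote Options
    # String. An empty list means the warnings restate that string option by option.
    expected = set(out["expected_remote"])
    out["unexplained"] = [v for v in out["missing"] if v not in expected]
    return out


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

On the excerpt, `unexplained` comes back empty and `other` holds only the certificate-verification warning, which is a separate message from the consistency check and is listed apart from it.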
