Re: Openvpn on FreeBSD 7
Steve Quinn letter2steve at yahoo.com writes:

> I forgot to stress how important the sysctl setting is for net.inet.ip.forwarding
> The default is disabled (0) and I too could not connect beyond the OpenVPN server
> I'm editing the page now to include something like this
>
> Make sure IP Forwarding is enabled
> Check it with
>   sysctl -a | grep net.inet.ip.f
> Set it with
>   sysctl net.inet.ip.forwarding=1
> or
> Alternatively set it by adding this to /etc/sysctl.conf
>   net.inet.ip.forwarding=1
>
> Take care
> Steve

I also upgraded from 6.2-RELEASE to 7.0-RELEASE a while back, recompiled my installed ports, and since then I have problems with OpenVPN.

I have a laptop (Windows XP SP2) at home and a desktop (FreeBSD 7.0-RELEASE) at my office in the university. I have installed Samba 3.0.28,1 on my desktop and created a share. I can access the share from anywhere within the university network. But our university network is behind a firewall which blocks all incoming connections except SSH, so I cannot access my Samba share from home.

What I did was to use PuTTY to SSH to my desktop at office, set up an OpenVPN client/server on my laptop/desktop computers, and forward all OpenVPN connections to my desktop through the SSH connection using PuTTY. Then I could connect to my Samba server.

It used to work before upgrading to 7.0-RELEASE, but after that I can't access my shares from home. I have confirmed that my Samba share is working fine by accessing it from another computer in the university network, so the only culprit is OpenVPN. It connects, but apparently something is wrong and I can't access my data. I tried setting sysctl inet.inet.ip.forwarding=1, but that didn't help either.

The last lines of my /var/log/openvpn.log are below:

Jun 16 11:39:37 rsx4 openvpn[660]: laptop/127.0.0.1:49937 MULTI: bad source address from client [192.168.2.100], packet dropped
Jun 16 11:39:37 rsx4 openvpn[660]: laptop/127.0.0.1:49937 MULTI: bad source address from client [192.168.3.1], packet dropped
Jun 16 11:41:38 rsx4 openvpn[660]: laptop/127.0.0.1:49937 Connection reset, restarting [0]
Jun 16 11:41:38 rsx4 openvpn[660]: laptop/127.0.0.1:49937 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 16 11:41:38 rsx4 openvpn[660]: TCP/UDP: Closing socket

I'd appreciate any help...

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Openvpn on FreeBSD 7
Andrew Berry andrewberry at sentex.net writes:

> Hi,
>
> I recently upgraded a machine from FreeBSD 6.3 to 7.0. Everything is working fine except for the OpenVPN server. I had it set up with a bridge configuration, but now even with a basic tunnel I can't get successful ping across the VPN. I can make a connection from both Linux and OS X but neither can actually use the tunnel.
>
> Are there any changes in 7 which might affect this? Anyone else using OpenVPN on 7.0?
>
> Thanks,
> --Andrew

I have the same exact problem. I upgraded from 6.2-RELEASE to 7.0-RELEASE a while back, recompiled my installed ports, and since then I have problems with OpenVPN.

I have a laptop (Windows XP SP2) at home and a desktop (FreeBSD 7.0-RELEASE) at my office in the university. I have installed Samba 3.0.28,1 on my desktop and created a share. I can access the share from anywhere within the university network. But our university network is behind a firewall which blocks all incoming connections except SSH, so I cannot access my Samba share from home.

What I did was to use PuTTY to SSH to my desktop at office, set up an OpenVPN client/server on my laptop/desktop computers, and forward all OpenVPN connections to my desktop through the SSH connection using PuTTY. Then I could connect to my Samba server.

It used to work before upgrading to 7.0-RELEASE, but after that I can't access my shares from home. I have confirmed that my Samba share is working fine by accessing it from another computer in the university network, so the only culprit is OpenVPN. It connects, but apparently something is wrong and I can't access my data...

Any ideas?

Thanks...

Re: Openvpn on FreeBSD 7
Hey,

> Set it with
>   sysctl net.inet.ip.forwarding=1
> or
> Alternatively set it by adding this to /etc/sysctl.conf
>   net.inet.ip.forwarding=1

I guess the more proper way of doing this is adding:

gateway_enable=YES

into /etc/rc.conf? I don't have any sysctl custom configuration in my sysctl.conf and OpenVPN still works (I have gateway_enable in my rc.conf, of course).

Bye,
Nejc

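An added example, not written by any poster in the thread: a POSIX shell check that reports the runtime value of net.inet.ip.forwarding and whether gateway_enable in /etc/rc.conf or an entry in /etc/sysctl.conf will enable it at boot, and that flags a mistyped OID such as inet.inet.ip.forwarding. The function names are hypothetical, and only those two files are read.

```shell
#!/bin/sh
# Added example: is IPv4 forwarding on now, and will it still be on after a
# reboot? File paths default to the FreeBSD locations named in the thread.

# Print the value of the last uncommented "key=value" line for key $2 in file $1.
conf_value() {
  [ -r "$1" ] || return 0
  awk -v key="$2" '
    { sub(/#.*/, ""); n = index($0, "="); if (!n) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]/, "", k); gsub(/[ \t"]/, "", v)
      if (k == key) val = v }
    END { print val }' "$1"
}

# Print where forwarding is enabled at boot: rc.conf, sysctl.conf or none.
persistent_forwarding() {
  case "$(conf_value "$1" gateway_enable)" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo rc.conf; return 0 ;;
  esac
  if [ "$(conf_value "$2" net.inet.ip.forwarding)" = "1" ]; then
    echo sysctl.conf
  else
    echo none
  fi
}

# Print keys in sysctl.conf $1 that end in "ip.forwarding" but are not the real
# OID; sysctl rejects them as unknown, so they enable nothing.
misspelled_forwarding() {
  [ -r "$1" ] || return 0
  awk '{ sub(/#.*/, ""); n = index($0, "="); if (!n) next
         k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
         if (k ~ /ip\.forwarding$/ && k != "net.inet.ip.forwarding") print k }' "$1"
}

forwarding_report() {
  rc=${1:-/etc/rc.conf}; sc=${2:-/etc/sysctl.conf}
  echo "runtime:    $(sysctl -n net.inet.ip.forwarding 2>/dev/null || echo unknown)"
  echo "persistent: $(persistent_forwarding "$rc" "$sc")"
  for k in $(misspelled_forwarding "$sc"); do
    echo "warning: unknown OID in $sc: $k"
  done
}

forwarding_report "$@"
```

A runtime value of 1 with "persistent: none" means forwarding was switched on by hand and will be off again after the next reboot.
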
Re: Openvpn on FreeBSD 7
On 10-Jun-08, at 3:02 AM, Nejc Škoberne wrote:

> Actually I don't think you can do the same thing with a tunnel. You have to use different IP addresses for the tunnel itself. Have you read the OpenVPN manual?

Yes, I should have been clearer: With a tunnel, I can still push routes and DNS, as long as I'm willing to sacrifice the same IP address.

> > Yes, I did: 'tcpdump -i tun0'. Nothing shows up on the server, but on the client (OS X) I can see the pings being sent.
>
> This means that there is a problem with the OpenVPN connection. Can you show the tail of your logs on both sides?

Here's what I found:

Wed Jun 11 12:49:46 2008 client1/192.168.0.1:53237 MULTI: Learn: 10.8.0.6 - client1/192.168.0.1:53237
Wed Jun 11 12:49:46 2008 client1/192.168.0.1:53237 MULTI: primary virtual IP for client1/192.168.0.1:53237: 10.8.0.6

This was interesting since that IP wasn't being set by the client. I'd been manually setting it to 10.8.0.2, which caused this:

Wed Jun 11 12:50:04 2008 client1/192.168.0.1:53237 MULTI: bad source address from client [10.8.0.2], packet dropped
Wed Jun 11 12:50:05 2008 client1/192.168.0.1:53237 MULTI: bad source address from client [10.8.0.2], packet dropped
Wed Jun 11 12:50:06 2008 client1/192.168.0.1:53237 MULTI: bad source address from client [10.8.0.2], packet dropped
Wed Jun 11 12:50:07 2008 client1/192.168.0.1:53237 MULTI: bad source address from client [10.8.0.2], packet dropped

Changing it to 10.8.0.6 allowed the VPN to work over the tunnel. I could access the VPN server on .1.

Bridging still doesn't work - and I don't see any traffic over the interface either. Unfortunately, my laptop's network card just kicked the dust so it's going in for servicing. I might test it out using the Windows client on my desktop, but since it's inside the network already I imagine it would be much harder to test.

> > proto tcp
>
> Why are you using TCP anyway?

I'd been having problems with UDP and QoS a long time ago. I just hadn't bothered to change it since it was working.

Thanks,
--Andrew

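The diagnosis in the message above, as an added example that is not part of the original posts: a shell/awk filter that pairs each client's server-assigned virtual IP with the sources dropped as "bad source address", run over sample input assembled from the log lines quoted in this thread. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: pair each client's server-assigned tunnel address with the
# sources OpenVPN dropped as "bad source address".

# Sample input assembled from the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
Wed Jun 11 12:49:46 2008 client1/192.168.0.1:53237 MULTI: Learn: 10.8.0.6 - client1/192.168.0.1:53237
Wed Jun 11 12:49:46 2008 client1/192.168.0.1:53237 MULTI: primary virtual IP for client1/192.168.0.1:53237: 10.8.0.6
Wed Jun 11 12:50:04 2008 client1/192.168.0.1:53237 MULTI: bad source address from client [10.8.0.2], packet dropped
Wed Jun 11 12:50:05 2008 client1/192.168.0.1:53237 MULTI: bad source address from client [10.8.0.2], packet dropped
Jun 16 11:39:37 rsx4 openvpn[660]: laptop/127.0.0.1:49937 MULTI: bad source address from client [192.168.2.100], packet dropped
Jun 16 11:39:37 rsx4 openvpn[660]: laptop/127.0.0.1:49937 MULTI: bad source address from client [192.168.3.1], packet dropped
EOF
}

# Reads a server log on stdin and prints, per client name and dropped source:
#   <client> assigned=<ip|unknown> source=<ip> dropped=<count>
bad_source_report() {
  awk '
    /MULTI: primary virtual IP for / {
      # "... for <client>/<real addr>: <virtual ip>"
      peer = $(NF - 1); sub(/\/.*/, "", peer)
      assigned[peer] = $NF
      next
    }
    /MULTI: bad source address from client \[/ {
      # The client tag is the field just before "MULTI:".
      for (i = 2; i <= NF; i++) if ($i == "MULTI:") { peer = $(i - 1); break }
      sub(/\/.*/, "", peer)
      src = $0; sub(/.*from client \[/, "", src); sub(/\].*/, "", src)
      key = peer SUBSEP src
      if (!(key in drops)) order[++n] = key
      drops[key]++
    }
    END {
      for (j = 1; j <= n; j++) {
        split(order[j], p, SUBSEP)
        ip = (p[1] in assigned) ? assigned[p[1]] : "unknown"
        printf "%s assigned=%s source=%s dropped=%d\n", p[1], ip, p[2], drops[order[j]]
      }
    }'
}

sample_log | bad_source_report
```

A source that differs from the assigned address means the client is sending from an address the server did not hand out, as with the manually set 10.8.0.2 above; "unknown" means the assignment line is not in the excerpt.
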
Re: Openvpn on FreeBSD 7
Andrew Berry wrote:
> Nejc Škoberne wrote:
> > Why are you using TCP anyway?
>
> I'd been having problems with UDP and QoS a long time ago. I just hadn't bothered to change it since it was working.

Note that using TCP on top of TCP can cause certain problems, especially when packets are lost. There's a good explanation on this page:

http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

The short story is: If any packets are lost, the resend-algorithms of the two TCP layers will start to interfere with each other, because both have their own timeouts and will start retransmitting packets at their respective levels. This is bad, because it leads to a snowball effect.

If you can guarantee that there will be zero packet loss, then TCP is fine. Otherwise I recommend to run the VPN on UDP.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

If you think C++ is not overly complicated, just what is a protected abstract virtual base pure virtual private destructor, and when was the last time you needed one?
-- Tom Cargil, C++ Journal

Re: Openvpn on FreeBSD 7
Hey,

> I was using it because I could then assign my laptop the same IP easily through my router (a separate device with DHCP) and also have hostnames pushed through DHCP. But I imagine in my case I could do the same thing with a tunnel.

Actually I don't think you can do the same thing with a tunnel. You have to use different IP addresses for the tunnel itself. Have you read the OpenVPN manual?

> Yes, I did: 'tcpdump -i tun0'. Nothing shows up on the server, but on the client (OS X) I can see the pings being sent.

This means that there is a problem with the OpenVPN connection. Can you show the tail of your logs on both sides?

> proto tcp

Why are you using TCP anyway?

Bye,
Nejc

Re: Openvpn on FreeBSD 7
--- On Tue, 6/10/08, Nejc Škoberne [EMAIL PROTECTED] wrote:

> Actually I don't think you can do the same thing with a tunnel. You have to use different IP addresses for the tunnel itself. Have you read the OpenVPN manual?
>
> > Yes, I did: 'tcpdump -i tun0'. Nothing shows up on the server, but on the client (OS X) I can see the pings being sent.
>
> This means that there is a problem with the OpenVPN connection. Can you show the tail of your logs on both sides?
>
> > proto tcp
>
> Why are you using TCP anyway?
>
> Bye,
> Nejc

Hi Andrew, Nejc, All

I just built my first FreeBSD 7.0 machine to test OpenVPN on it
It was a nice way to review/fix my OpenVPN page

I forgot to stress how important the sysctl setting is for net.inet.ip.forwarding
The default is disabled (0) and I too could not connect beyond the OpenVPN server
I'm editing the page now to include something like this

Make sure IP Forwarding is enabled
Check it with
  sysctl -a | grep net.inet.ip.f
Set it with
  sysctl net.inet.ip.forwarding=1
or
Alternatively set it by adding this to /etc/sysctl.conf
  net.inet.ip.forwarding=1

I hope this helps

Take care
Steve

Re: Openvpn on FreeBSD 7
Hey,

> I recently upgraded a machine from FreeBSD 6.3 to 7.0. Everything is working fine except for the OpenVPN server. I had it set up with a bridge configuration, but now even with a basic tunnel I can't get successful ping across the VPN. I can make a connection from both Linux and OS X but neither can actually use the tunnel.
>
> Are there any changes in 7 which might affect this? Anyone else using OpenVPN on 7.0?

I do. I don't use bridging, though. Do you have a good reason to use it? Have you tried to tcpdump the interfaces? How did you configure the bridge? We would certainly need more information to try to help you out.

Bye,
Nejc

Re: Openvpn on FreeBSD 7
On 9-Jun-08, at 3:49 PM, Nejc Škoberne wrote:

> I do. I don't use bridging, though. Do you have a good reason to use it?

I was using it because I could then assign my laptop the same IP easily through my router (a separate device with DHCP) and also have hostnames pushed through DHCP. But I imagine in my case I could do the same thing with a tunnel.

> Have you tried to tcpdump the interfaces?

Yes, I did: 'tcpdump -i tun0'. Nothing shows up on the server, but on the client (OS X) I can see the pings being sent.

> How did you configure the bridge?

Here is my current config: It's no longer doing bridging though.

openvpn.conf:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

And on my client:

tls-client
dev tun
ca ca.crt
cert client1.crt
key client1.key
remote my-remote-host
proto tcp-client
port 1194
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

I then ifconfig'ed the tun0 interface to be 10.8.0.2 = 10.8.0.1.

Thanks!
--Andrew