Topic: OpenVPN connection done, but no LAN connection
keysman75
« on: July 10, 2017, 11:37:14 PM »

Good morning guys, I'm a newbie with OpenVPN. I followed a lot of tutorials and read a lot of posts to set up my Endian Firewall OpenVPN, but I surely made some mistakes... maybe routing??!! I don't know. The main issue is that connections to LAN hosts are missing:

sh-3.2# ping 192.168.0.30
PING 192.168.0.30 (192.168.0.30): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable


Let me describe my setup:
  • Endian Firewall Community release 3.0.5beta1
  • Firewall->VPN Firewall Settings: Disabled
  • Single user "keysman" configured:
    Username: keysman
    Password: *********
    Certificate configuration: Don't change
    Enabled: checked
  • OpenVPN settings:
    Authentication-type: PSK (username / password)
    Port: 1984
    Device Type: TAP
    Protocol: UDP
    Bridged: Checked
    Bridged to: GREEN
    Dynamic IP pool start: 192.168.0.240
    Dynamic IP pool end: 192.168.0.250
    Client to Client connections: Not allowed
    Push these networks: checked
    Networks: 192.168.0.0/24

Running Tunnelblick on my Mac I can connect (I think) to the VPN, and even on the server side it looks like a successful connection.
Logs on the client:
2017-07-10 14:27:45 *Tunnelblick: openvpnstart starting OpenVPN
2017-07-10 14:27:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-07-10 14:27:46 *Tunnelblick: Established communication with OpenVPN
2017-07-10 14:27:46 MANAGEMENT: CMD 'pid'
2017-07-10 14:27:46 MANAGEMENT: CMD 'state on'
2017-07-10 14:27:46 MANAGEMENT: CMD 'state'
2017-07-10 14:27:46 MANAGEMENT: CMD 'bytecount 1'
2017-07-10 14:27:46 MANAGEMENT: CMD 'hold release'
2017-07-10 14:27:50 MANAGEMENT: CMD 'username "Auth" "keysman"'
2017-07-10 14:27:50 MANAGEMENT: CMD 'password [...]'
2017-07-10 14:27:50 WARNING: No server certificate verification method has been enabled. 
2017-07-10 14:27:50 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-07-10 14:27:50 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-07-10 14:27:50 UDPv4 link local: [undef]
2017-07-10 14:27:50 UDPv4 link remote: [AF_INET]194.183.83.122:1194
2017-07-10 14:27:50 MANAGEMENT: >STATE:1499689670,WAIT,,,
2017-07-10 14:27:50 MANAGEMENT: >STATE:1499689670,AUTH,,,
2017-07-10 14:27:50 TLS: Initial packet from [AF_INET]194.183.83.122:1194, sid=732a5403 b8cc8d25
2017-07-10 14:27:50 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-07-10 14:27:51 VERIFY OK: depth=1, C=IT, O=efw, CN=efw CA
2017-07-10 14:27:51 VERIFY OK: depth=0, C=IT, O=efw, CN=194.183.83.122
2017-07-10 14:27:52 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2017-07-10 14:27:52 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
2017-07-10 14:27:52 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2017-07-10 14:27:52 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-07-10 14:27:52 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-07-10 14:27:52 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-07-10 14:27:52 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-07-10 14:27:52 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-07-10 14:27:52 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-07-10 14:27:52 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2017-07-10 14:27:52 [194.183.83.122] Peer Connection Initiated with [AF_INET]194.183.83.122:1194
2017-07-10 14:27:53 MANAGEMENT: >STATE:1499689673,GET_CONFIG,,,
2017-07-10 14:27:54 SENT CONTROL [194.183.83.122]: 'PUSH_REQUEST' (status=1)
2017-07-10 14:27:54 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.254,route 192.168.0.0 255.255.255.0,route-gateway 192.168.0.254,ping 5,ping-restart 30,ifconfig 192.168.0.240 255.255.255.0'
2017-07-10 14:27:54 OPTIONS IMPORT: timers and/or timeouts modified
2017-07-10 14:27:54 OPTIONS IMPORT: --ifconfig/up options modified
2017-07-10 14:27:54 OPTIONS IMPORT: route options modified
2017-07-10 14:27:54 OPTIONS IMPORT: route-related options modified
2017-07-10 14:27:54 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
2017-07-10 14:27:54 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-07-10 14:27:54 Opened utun device utun1
2017-07-10 14:27:54 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-07-10 14:27:54 MANAGEMENT: >STATE:1499689674,ASSIGN_IP,,192.168.0.240,
2017-07-10 14:27:54 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-07-10 14:27:54 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-07-10 14:27:54 /sbin/ifconfig utun1 192.168.0.240 255.255.255.0 mtu 1500 netmask 255.255.255.255 up
2017-07-10 14:27:54 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1542 192.168.0.240 255.255.255.0 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        NOTE: No network configuration changes need to be made.
                                        WARNING: Will NOT monitor for other network configuration changes.
                                        WARNING: Will NOT disable IPv6 settings.
                                        DNS servers '8.8.8.8 192.168.44.1' were set manually
                                        DNS servers '8.8.8.8 192.168.44.1' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers include one or more free public DNS servers known to Tunnelblick and one or more DNS servers not known to Tunnelblick. If used, the DNS servers not known to Tunnelblick may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-07-10 14:27:56 *Tunnelblick: No 'connected.sh' script to execute
2017-07-10 14:27:56 MANAGEMENT: >STATE:1499689676,ADD_ROUTES,,,
2017-07-10 14:27:56 /sbin/route add -net 192.168.0.0 192.168.0.254 255.255.255.0
                                        add net 192.168.0.0: gateway 192.168.0.254
2017-07-10 14:27:56 Initialization Sequence Completed
2017-07-10 14:27:56 MANAGEMENT: >STATE:1499689676,CONNECTED,SUCCESS,192.168.0.240,194.183.x.y


Logs on Endian:
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: OpenVPN 2.3.6 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 9 2015
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.01
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: WARNING: file "/var/efw/vpn/ca/certs/194.183.83.122key.pem" is group or others accessible
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: TUN/TAP device tap0 opened
OpenVPN   2017-07-10 13:56:14
openvpn[2637]: /usr/local/bin/dir.d-exec /etc/openvpn/ifup.server.d/ tap0 1500 1574 init
OpenVPN   2017-07-10 13:56:14
openvpn[2643]: GID set to openvpn
OpenVPN   2017-07-10 13:56:14
openvpn[2643]: UID set to openvpn
OpenVPN   2017-07-10 13:56:14
openvpn[2643]: UDPv4 link local (bound): [undef]
OpenVPN   2017-07-10 13:56:14
openvpn[2643]: UDPv4 link remote: [undef]
OpenVPN   2017-07-10 13:56:14
openvpn[2643]: ifconfig_pool_read(), in="keysman,192.168.0.240", TODO: IPv6
OpenVPN   2017-07-10 13:56:14
openvpn[2643]: succeeded -> ifconfig_pool_set()
OpenVPN   2017-07-10 13:56:14
openvpn[2643]: Initialization Sequence Completed
OpenVPN   2017-07-10 13:58:44
openvpn[2643]: 158.148.95.15:63569 WARNING: "dev-type" is used inconsistently, local="dev-type tap", remote="dev-type tun"
OpenVPN   2017-07-10 13:58:44
openvpn[2643]: 158.148.95.15:63569 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1542"
OpenVPN   2017-07-10 13:58:44
openvpn[2643]: 158.148.95.15:63569 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1500"
OpenVPN   2017-07-10 13:58:44
openvpn[2643]: 158.148.95.15:63569 [keysman] Peer Connection Initiated with [AF_INET]158.148.95.15:63569 (via [AF_INET]194.183.x.y%ppp0)
OpenVPN   2017-07-10 13:58:44
openvpn[2643]: keysman/158.148.95.15:63569 MULTI_sva: pool returned IPv4=192.168.0.240, IPv6=(Not enabled)
OpenVPN   2017-07-10 13:58:46
openvpn[2643]: keysman/158.148.95.15:63569 send_push_reply(): safe_cap=940



The configuration on the client is the following:


client
dev tun
proto udp
remote 194.183.x.y 1194
auth-user-pass
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
comp-lzo
verb 3


Please have a look at the attached images for the VPN/client settings and logs. Again, I think the connection was successful because running ifconfig and netstat on the client I get the following:

sh-3.2# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
   inet 127.0.0.1 netmask 0xff000000
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
   nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether d0:e1:40:89:cc:98
   inet6 fe80::1021:a68e:860:6bda%en0 prefixlen 64 secured scopeid 0x4
   inet 192.168.43.222 netmask 0xffffff00 broadcast 192.168.43.255
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
   options=60<TSO4,TSO6>
   ether 32:00:16:8d:20:00
   media: autoselect <full-duplex>
   status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=63<RXCSUM,TXCSUM,TSO4,TSO6>
   ether 32:00:16:8d:20:00
   Configuration:
      id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
      maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
      root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
      ipfilter disabled flags 0x2
   member: en1 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 5 priority 0 path cost 0
   nd6 options=201<PERFORMNUD,DAD>
   media: <unknown type>
   status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
   ether 02:e1:40:89:cc:98
   media: autoselect
   status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
   ether aa:bf:33:b7:59:8c
   inet6 fe80::a8bf:33ff:feb7:598c%awdl0 prefixlen 64 scopeid 0x8
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
   inet6 fe80::ba77:3719:8f70:6c86%utun0 prefixlen 64 scopeid 0x9
   nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
   inet 192.168.0.240 --> 255.255.255.0 netmask 0xffffffff


Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.43.1       UGSc          196        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              6    27494     lo0
169.254            link#4             UCS             0        0     en0
192.168.0          192.168.0.254      UGSc            0        0     en0
192.168.43         link#4             UCS             1        0     en0
192.168.43.1/32    link#4             UCS             1        0     en0
192.168.43.1       2:1a:11:f2:1e:1    UHLWIir       196       24     en0   1194
192.168.43.222/32  link#4             UCS             1        0     en0
192.168.43.222     d0:e1:40:89:cc:98  UHLWI           0        1     lo0
192.168.43.255     ff:ff:ff:ff:ff:ff  UHLWbI          0        3     en0
224.0.0/4          link#4             UmCS            2        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0       12     en0
255.255.255.0      192.168.0.240      UH              0        0   utun1
255.255.255.255/32 link#4             UCS             0        0     en0

Please help me understand what kind of mistake I'm making. If I forgot some details, please ask me for them.

Cheers

Christian

lucagiove
« Reply #1 on: July 14, 2017, 01:16:13 AM »

Make sure that the device type matches between client and server. I read you have TAP on the server but TUN on the client; this won't work for sure.
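As an added illustration (not code from either poster or from Endian), a small Python checker that pulls the "is used inconsistently" warnings out of a Tunnelblick log like the one above, rewrites the client config's dev line to match what the server reports, and lists the other warnings in that log that are worth acting on. The config and log snippets are constructed from the thread.

```python
import re

# Constructed from the thread: the poster's client config and a few of the Tunnelblick log lines.
CLIENT_CONF = """client
dev tun
proto udp
remote 194.183.x.y 1194
auth-user-pass
ca cacert.pem
comp-lzo
verb 3
"""

CLIENT_LOG = """2017-07-10 14:27:50 WARNING: No server certificate verification method has been enabled.
2017-07-10 14:27:52 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2017-07-10 14:27:52 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
2017-07-10 14:27:52 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2017-07-10 14:27:52 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.
"""

# OpenVPN prints this warning once per option whose value differs from the peer's.
INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>\S+)', remote='(?P=opt) (?P<remote>\S+)'"
)

def find_mismatches(log):
    """Map each option reported as inconsistent to (local value, remote value)."""
    return {m["opt"]: (m["local"], m["remote"]) for m in INCONSISTENT.finditer(log)}

def review(conf, log):
    """Return (fixed client config, list of findings) for the given client log."""
    mismatches = find_mismatches(log)
    findings = []
    fixed = conf
    if "dev-type" in mismatches:
        local, remote = mismatches["dev-type"]
        findings.append("dev-type mismatch: client '%s', server '%s'; set 'dev %s'" % (local, remote, remote))
        # Align the client's dev line with the server. The link-mtu/tun-mtu warnings
        # in this log are a side effect of the same mismatch (OpenVPN reserves 32 extra
        # bytes of MTU for tap framing) and clear once dev matches.
        fixed = re.sub(r"^dev \S+$", "dev " + remote, conf, flags=re.M)
    elif any(o in mismatches for o in ("link-mtu", "tun-mtu")):
        findings.append("MTU mismatch without a dev-type mismatch: compare tun-mtu on both sides")
    if "No server certificate verification method" in log:
        findings.append("no server cert verification: consider 'remote-cert-tls server' on the client")
    if "INSECURE cipher" in log:
        findings.append("64-bit block cipher (SWEET32): move both sides to AES-256-CBC")
    return fixed, findings
```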
keysman75
« Reply #2 on: July 14, 2017, 05:14:32 PM »

Thank you very much, LucaGiove, for the suggestion. I have now updated my client configuration and everything is working!!!
