Has anyone been able to successfully use OpenVPN on OpenBSD with a 
VPN service? For some reason OpenBSD is the only OS I can't get my 
VPN subscription working on and I'd like to make it work.

I am running OpenBSD 4.8-release, on an almost-fresh install. I 
only pkg_added openvpn, firefox, scrotwm, and p7zip.

I have my client.ovpn and cert.dat in my /etc/openvpn directory.

Contents of /etc/hostname.tun0 :

up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn

Contents of /etc/openvpn/client.ovpn :

# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
<connection>
proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10
</connection>
<connection>
proto udp
remote [vpn url] 11000
remote [vpn ip] 11000
</connection>

I removed the information within square brackets so as not to 
advertise the service.

Logs of connecting to VPN:

$ sudo openvpn --config client.ovpn 
Password:
Wed Feb  2 10:14:39 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Wed Feb  2 10:14:39 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb  2 10:14:39 2011 WARNING: file 'cert.dat' is group or others accessible
Wed Feb  2 10:14:39 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Feb  2 10:14:39 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Wed Feb  2 10:14:39 2011 Local Options hash (VER=V4): 'bf6006bf'
Wed Feb  2 10:14:39 2011 Expected Remote Options hash (VER=V4): '3ce6ab7f'
Wed Feb  2 10:14:39 2011 Attempting to establish TCP connection with [vpn ip]:11000 [nonblock]
Wed Feb  2 10:14:40 2011 TCP connection established with [vpn ip]:11000
Wed Feb  2 10:14:40 2011 Socket Buffers: R=[16384->65536] S=[16384->65536]
Wed Feb  2 10:14:40 2011 TCPv4_CLIENT link local: [undef]
Wed Feb  2 10:14:40 2011 TCPv4_CLIENT link remote: [vpn ip]:11000
Wed Feb  2 10:14:40 2011 TLS: Initial packet from [vpn ip]:11000, sid=8683dadf 709ff51b
Wed Feb  2 10:14:42 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=ad...@example.com
Wed Feb  2 10:14:42 2011 VERIFY OK: nsCertType=SERVER
Wed Feb  2 10:14:42 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Wed Feb  2 10:14:46 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb  2 10:14:46 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb  2 10:14:46 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb  2 10:14:46 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb  2 10:14:46 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb  2 10:14:46 2011 [server] Peer Connection Initiated with [vpn ip]:11000
Wed Feb  2 10:14:49 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb  2 10:14:49 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.112 255.255.255.0'
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: --socket-flags option modified
Wed Feb  2 10:14:49 2011 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: route options modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: route-related options modified
Wed Feb  2 10:14:49 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb  2 10:14:49 2011 ROUTE default_gateway=192.168.1.1
Wed Feb  2 10:14:49 2011 /sbin/ifconfig tun0 destroy
Wed Feb  2 10:14:49 2011 /sbin/ifconfig tun0 create
Wed Feb  2 10:14:49 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Feb  2 10:14:49 2011 /sbin/ifconfig tun0 10.100.1.112 netmask 255.255.255.0 mtu 1500 broadcast 10.100.1.255 link0
Wed Feb  2 10:14:49 2011 TUN/TAP device /dev/tun0 opened
Wed Feb  2 10:14:51 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -netmask 255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb  2 10:14:51 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
Wed Feb  2 10:14:51 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
Wed Feb  2 10:14:51 2011 /sbin/route add -net 10.100.1.0 10.100.1.1 -netmask 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.1
Wed Feb  2 10:14:51 2011 Initialization Sequence Completed

ifconfig while I left the VPN running:

$ sudo ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:b0:da:a3:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::226:b0ff:feda:a386%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d4:20:7e
        priority: 0
        groups: tun
        status: active
        inet 10.100.1.112 netmask 0xffffff00 broadcast 10.100.1.255
        inet6 fe80::fce1:baff:fed4:207e%tun0 prefixlen 64 scopeid 0x6

Routing table while the VPN is still running:

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0
default            192.168.1.1        UGS        3     1313     -     8 nfe0
10.100.1/24        link#6             UC         1        0     -     4 tun0
10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0
10.100.1.1         link#6             UHLc       3        0     -     4 tun0
[vpn ip]/32        192.168.1.1        UGS        0        0     -     8 nfe0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0
128/1              10.100.1.1         UGS        0        1     -     8 tun0
192.168.1/24       link#1             UC         1        0     -     4 nfe0
192.168.1.1        00:1f:90:0f:88:8c  UHLc       2       38     -     4 nfe0
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

The issue I am having is that while I can supposedly "connect" to 
the VPN, I cannot ping anything nor access any internet-necessary 
services like browsing to a website or going on IRC. (But 
everything works fine if I don't run the VPN. Just making sure 
there's no misunderstanding.)

Since I know it's not a server-side issue (as I've tested this on other 
OSes), it must be something with OpenBSD and OpenVPN? Maybe OpenBSD 
is not correctly routing or something when OpenVPN starts.

On another note, when I reboot, /etc/hostname.tun0 does not start 
up tun0 even though I have the line "up" in the file. tun0 is still 
down and OpenVPN does not start up at boot time (though this is not 
what I want; I'd rather run OpenVPN manually). It seems as if 
/etc/hostname.tun0 is being ignored? tun0 only goes up when I start 
OpenVPN.

Does anyone know what's wrong, or has anyone run into this issue and 
solved it before?
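As an added diagnostic (not from the original post or from OpenVPN itself), the script below parses a routing table in the format shown above for the two halves of the def1 split (0/1 and 128/1 via the tunnel gateway) plus the /32 host route that keeps the VPN server reachable through the physical gateway, and checks the key-file mode behind the "group or others accessible" warning in the log. The server address 203.0.113.10 is an assumed placeholder for the redacted [vpn ip].

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether
# "redirect-gateway def1" left the routing table in a usable state and
# whether the pkcs12 file is readable only by its owner.

# Constructed sample modelled on the post's route table; the redacted
# server address is replaced with the placeholder 203.0.113.10.
SAMPLE_ROUTES='0/1                10.100.1.1         UGS        0        0     -     8 tun0
default            192.168.1.1        UGS        3     1313     -     8 nfe0
10.100.1/24        link#6             UC         1        0     -     4 tun0
10.100.1.1         link#6             UHLc       3        0     -     4 tun0
203.0.113.10/32    192.168.1.1        UGS        0        0     -     8 nfe0
128/1              10.100.1.1         UGS        0        1     -     8 tun0
192.168.1/24       link#1             UC         1        0     -     4 nfe0'

# check_def1_routes ROUTES VPN_IP TUN_GW PHYS_GW
# Returns 0 only when 0/1 and 128/1 both point at the tunnel gateway AND
# the VPN server's /32 still goes via the physical gateway. Without that
# host route, packets for the server would be sent into the tunnel that
# carries them, and the tunnel would stall.
check_def1_routes() {
    routes=$1; vpn_ip=$2; tun_gw=$3; phys_gw=$4
    lo=$(printf '%s\n' "$routes" | awk -v gw="$tun_gw" '$1=="0/1" && $2==gw')
    hi=$(printf '%s\n' "$routes" | awk -v gw="$tun_gw" '$1=="128/1" && $2==gw')
    host=$(printf '%s\n' "$routes" | awk -v d="$vpn_ip/32" -v gw="$phys_gw" '$1==d && $2==gw')
    [ -n "$lo" ] && [ -n "$hi" ] && [ -n "$host" ]
}

# check_key_mode FILE
# Returns 0 when group and other have no permission bits at all, i.e. the
# file would not trigger OpenVPN's "group or others accessible" warning.
# Uses the ls -l mode string (columns 5-10) so it works on BSD and GNU.
check_key_mode() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Stand-alone run against the constructed sample; on a live OpenBSD box
# feed it "$(route -n show -inet)" and the real server address instead.
if check_def1_routes "$SAMPLE_ROUTES" 203.0.113.10 10.100.1.1 192.168.1.1; then
    echo "def1 split and server host route present: routing looks correct"
else
    echo "def1 routes missing or server route loops into the tunnel"
fi
```

On a live system the same checks can be run as `check_key_mode /etc/openvpn/cert.dat` and `check_def1_routes "$(route -n show -inet)" <server ip> 10.100.1.1 192.168.1.1`.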
