Has anyone been able to successfully use OpenVPN on OpenBSD with a
VPN service? For some reason OpenBSD is the only OS I can't get my
VPN subscription working on and I'd like to make it work.
I am running OpenBSD 4.8-release, on an almost-fresh install. I
only pkg_added openvpn, firefox, scrotwm, and p7zip.
I have my client.ovpn and cert.dat in my /etc/openvpn directory.
Contents of /etc/hostname.tun0 :
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn
Contents of /etc/openvpn/client.ovpn :
# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
<connection>
proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10
</connection>
<connection>
proto udp
remote [vpn url] 11000
remote [vpn ip] 11000
</connection>
The information within square brackets I removed as to not
advertise the service.
Logs of connecting to VPN:
$ sudo openvpn --config client.ovpn
Password:
Wed Feb 2 10:14:39 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8
[SSL] [LZO2] built on Aug 10 2010
Wed Feb 2 10:14:39 2011 NOTE: OpenVPN 2.1 requires '--script-
security 2' or higher to call user-defined scripts or executables
Wed Feb 2 10:14:39 2011 WARNING: file 'cert.dat' is group or
others accessible
Wed Feb 2 10:14:39 2011 Control Channel MTU parms [ L:1543 D:140
EF:40 EB:0 ET:0 EL:0 ]
Wed Feb 2 10:14:39 2011 Data Channel MTU parms [ L:1543 D:1450
EF:43 EB:4 ET:0 EL:0 ]
Wed Feb 2 10:14:39 2011 Local Options hash (VER=V4): 'bf6006bf'
Wed Feb 2 10:14:39 2011 Expected Remote Options hash (VER=V4):
'3ce6ab7f'
Wed Feb 2 10:14:39 2011 Attempting to establish TCP connection
with [vpn ip]:11000 [nonblock]
Wed Feb 2 10:14:40 2011 TCP connection established with [vpn
ip]:11000
Wed Feb 2 10:14:40 2011 Socket Buffers: R=[16384->65536] S=[16384-
>65536]
Wed Feb 2 10:14:40 2011 TCPv4_CLIENT link local: [undef]
Wed Feb 2 10:14:40 2011 TCPv4_CLIENT link remote: [vpn ip]:11000
Wed Feb 2 10:14:40 2011 TLS: Initial packet from [vpn ip]:11000,
sid=8683dadf 709ff51b
Wed Feb 2 10:14:42 2011 VERIFY OK: depth=1,
/C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=
ad...@example.com
Wed Feb 2 10:14:42 2011 VERIFY OK: nsCertType=SERVER
Wed Feb 2 10:14:42 2011 VERIFY OK: depth=0,
/C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@ex
ample.com
Wed Feb 2 10:14:46 2011 Data Channel Encrypt: Cipher 'BF-CBC'
initialized with 256 bit key
Wed Feb 2 10:14:46 2011 Data Channel Encrypt: Using 160 bit
message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:14:46 2011 Data Channel Decrypt: Cipher 'BF-CBC'
initialized with 256 bit key
Wed Feb 2 10:14:46 2011 Data Channel Decrypt: Using 160 bit
message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:14:46 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb 2 10:14:46 2011 [server] Peer Connection Initiated with
[vpn ip]:11000
Wed Feb 2 10:14:49 2011 SENT CONTROL [server]: 'PUSH_REQUEST'
(status=1)
Wed Feb 2 10:14:49 2011 PUSH: Received control message:
'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-
option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping
120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.112
255.255.255.0'
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: timers and/or timeouts
modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: --socket-flags option
modified
Wed Feb 2 10:14:49 2011 NOTE: setsockopt TCP_NODELAY=1 failed (No
kernel support)
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: --ifconfig/up options
modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: route options modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: route-related options
modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-
option options modified
Wed Feb 2 10:14:49 2011 ROUTE default_gateway=192.168.1.1
Wed Feb 2 10:14:49 2011 /sbin/ifconfig tun0 destroy
Wed Feb 2 10:14:49 2011 /sbin/ifconfig tun0 create
Wed Feb 2 10:14:49 2011 NOTE: Tried to delete pre-existing tun/tap
instance -- No Problem if failure
Wed Feb 2 10:14:49 2011 /sbin/ifconfig tun0 10.100.1.112 netmask
255.255.255.0 mtu 1500 broadcast 10.100.1.255 link0
Wed Feb 2 10:14:49 2011 TUN/TAP device /dev/tun0 opened
Wed Feb 2 10:14:51 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -
netmask 255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb 2 10:14:51 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -
netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
Wed Feb 2 10:14:51 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -
netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
Wed Feb 2 10:14:51 2011 /sbin/route add -net 10.100.1.0 10.100.1.1
-netmask 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.1
Wed Feb 2 10:14:51 2011 Initialization Sequence Completed
ifconfig while I left the VPN running:
$ sudo ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:26:b0:da:a3:86
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::226:b0ff:feda:a386%nfe0 prefixlen 64 scopeid 0x1
inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
priority: 0
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
priority: 0
groups: pflog
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu
1500
lladdr fe:e1:ba:d4:20:7e
priority: 0
groups: tun
status: active
inet 10.100.1.112 netmask 0xffffff00 broadcast 10.100.1.255
inet6 fe80::fce1:baff:fed4:207e%tun0 prefixlen 64 scopeid
0x6
Routing table while the VPN is still running:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu
Prio Iface
0/1 10.100.1.1 UGS 0 0 -
8 tun0
default 192.168.1.1 UGS 3 1313 -
8 nfe0
10.100.1/24 link#6 UC 1 0 -
4 tun0
10.100.1/24 10.100.1.1 UGS 0 0 -
8 tun0
10.100.1.1 link#6 UHLc 3 0 -
4 tun0
[vpn ip]/32 192.168.1.1 UGS 0 0 - 8
nfe0
127/8 127.0.0.1 UGRS 0 0 33200
8 lo0
127.0.0.1 127.0.0.1 UH 2 0 33200
4 lo0
128/1 10.100.1.1 UGS 0 1 -
8 tun0
192.168.1/24 link#1 UC 1 0 -
4 nfe0
192.168.1.1 00:1f:90:0f:88:8c UHLc 2 38 -
4 nfe0
192.168.1.4 127.0.0.1 UGHS 0 0 33200
8 lo0
224/4 127.0.0.1 URS 0 0 33200
8 lo0
The issue I am having is that while I can supposedly "connect" to
the VPN, I cannot ping anything nor access any internet-necessary
services like browsing to a website or going on IRC. (But
everything works fine if I don't run the VPN. Just making sure
there's no misunderstanding.)
Since I know it's not a server-side (as I've tested this on other
OSes) it must be something with OpenBSD and OpenVPN? Maybe OpenBSD
is not correctly routing or something when OpenVPN starts.
On another note, when I reboot, /etc/hostname.tun0 does not start
up tun0 even though I have the line "up" in the file. tun0 is still
down and OpenVPN does not start up at boot time (though this is not
what I want; I'd rather run OpenVPN manually). It seems as if
/etc/hostname.tun0 is being ignored? tun0 only goes up when I start
OpenVPN.
Does anyone know what's wrong or if they've ran into this issue and
solved it before?
