OpenVPN client on OpenBSD

Emile Sanders Wed, 02 Feb 2011 09:20:49 -0800

Has anyone ever gotten OpenVPN to run as a client successfully with a VPN
subscription? OpenBSD seems to be the only OS I can't get OpenVPN up
successfully on for some reason, and I'd like to make it work. So I've
confirmed it's not a server-side issue as I've tested it on other operating
systems as well as other people who are currently using the VPN service
without a problem (except none of them are on OpenBSD).


The issue is that when I connect with OpenVPN, it's apparently "connected",
but I can't seem to ping the gateway, any websites such as Google, nor use
any internet-relying services such as browsing to a website or going on IRC.

I am running OpenBSD 4.8 release, with almost a default install. I've just
got openvpn, scrotwm, firefox, and p7zip pkg_added on top of the
barebones/fresh install.

Here are some logs/configs:

/etc/hostname.tun0
$ cat /etc/hostname.tun0
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn

/* I'd like to mention here that even after rebooting, the tun0 interface
does NOT come up. An ifconfig shows that it is still down, and OpenVPN is
not started up at boottime. I have no idea why /etc/hostname.tun0 isn't
being read. */

OpenVPN client config:
$ cat /etc/client.ovpn
# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
<connection>
proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10
</connection>
<connection>
proto udp
remote [vpn url] 11000
remote [vpn ip] 11000
</connection>

/* The square brackets contain the URL and IP address of the VPN service I
connect to. I filtered them out as to not spam/advertise their service. */

OpenVPN connection log:

$ sudo openvpn --config /etc/openvpn/client.ovpn
Wed Feb  2 10:19:53 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2]
built on Aug 10 2010
Wed Feb  2 10:19:53 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or
higher to call user-defined scripts or executables
Wed Feb  2 10:19:53 2011 WARNING: file 'cert.dat' is group or others
accessible
Wed Feb  2 10:19:53 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0
ET:0 EL:0 ]
Wed Feb  2 10:19:53 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4
ET:0 EL:0 ]
Wed Feb  2 10:19:53 2011 Local Options hash (VER=V4): '91138c76'
Wed Feb  2 10:19:53 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Wed Feb  2 10:19:53 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Wed Feb  2 10:19:53 2011 UDPv4 link local (bound): [undef]:1194
Wed Feb  2 10:19:53 2011 UDPv4 link remote: [vpn ip]:11000
Wed Feb  2 10:19:53 2011 TLS: Initial packet from [vpn ip]:11000,
sid=a16fdfdd b22d9c39
Wed Feb  2 10:19:54 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=
example.com/CN=example.com_CA/emailAddress=ad...@example.com
Wed Feb  2 10:19:54 2011 VERIFY OK: nsCertType=SERVER
Wed Feb  2 10:19:54 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=
example.com/CN=server/emailAddress=ad...@example.com
Wed Feb  2 10:20:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 256 bit key
Wed Feb  2 10:20:02 2011 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Wed Feb  2 10:20:02 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 256 bit key
Wed Feb  2 10:20:02 2011 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
Wed Feb  2 10:20:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb  2 10:20:02 2011 [server] Peer Connection Initiated with [vpn
ip]:11000
Wed Feb  2 10:20:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb  2 10:20:04 2011 PUSH: Received control message: 'PUSH_REPLY,route
10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS
10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart
120,ifconfig 10.100.2.106 255.255.255.0'
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: route options modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: route-related options modified
Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
Wed Feb  2 10:20:04 2011 ROUTE default_gateway=192.168.1.1
Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 destroy
Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 create
Wed Feb  2 10:20:04 2011 NOTE: Tried to delete pre-existing tun/tap instance
-- No Problem if failure
Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 10.100.2.106 netmask
255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Wed Feb  2 10:20:04 2011 TUN/TAP device /dev/tun0 opened
Wed Feb  2 10:20:07 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -netmask
255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb  2 10:20:07 2011 /sbin/route add -net 0.0.0.0 10.100.2.1 -netmask
128.0.0.0
add net 0.0.0.0: gateway 10.100.2.1
Wed Feb  2 10:20:07 2011 /sbin/route add -net 128.0.0.0 10.100.2.1 -netmask
128.0.0.0
add net 128.0.0.0: gateway 10.100.2.1
Wed Feb  2 10:20:07 2011 /sbin/route add -net 10.100.2.0 10.100.2.1 -netmask
255.255.255.0
add net 10.100.2.0: gateway 10.100.2.1
Wed Feb  2 10:20:07 2011 Initialization Sequence Completed

Now while OpenVPN is still running, here is the ifconfig:

$ sudo ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:b0:da:a3:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::226:b0ff:feda:a386%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d4:20:7e
        priority: 0
        groups: tun
        status: active
        inet 10.100.1.112 netmask 0xffffff00 broadcast 10.100.1.255
        inet6 fe80::fce1:baff:fed4:207e%tun0 prefixlen 64 scopeid 0x6

And the routing table while the OpenVPN is still running:

$ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio
Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0

default            192.168.1.1        UGS        3     1313     -     8 nfe0

10.100.1/24        link#6             UC         1        0     -     4 tun0

10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0

10.100.1.1         link#6             UHLc       3        0     -     4 tun0

[vpn ip]/32   192.168.1.1        UGS        0        0     -     8 nfe0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0

127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0

128/1              10.100.1.1         UGS        0        1     -     8 tun0

192.168.1/24       link#1             UC         1        0     -     4 nfe0

192.168.1.1        00:1f:90:0f:88:8c  UHLc       2       38     -     4 nfe0

192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0

224/4              127.0.0.1          URS        0        0 33200     8 lo0


/* Left out IPv6 */

Just to avoid any misunderstanding, I'd like to add that everything (the
internet) works fine without OpenVPN running, I just run into this issue
with OpenVPN.

Is this some sort of routing issue? I'm not sure what the networking of
other operating systems do with a VPN that makes them just work out of the
box.
I cannot ping 10.100.1.1, 10.100.2.1 and 8.8.8.8 while on the VPN, so isn't
it like I'm almost not even on the VPN at all even though I am supposedly
"connected" as the OpenVPN log shows?

I just get this when I try to ping any website while the OpenVPN is running:

$ ping google.com
PING google.com (74.125.226.145): 56 data bytes
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
--- google.com ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss

Here I am trying to ping the gateway whilst OpenVPN is running:

$ ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1): 56 data bytes
ping: sendto: No route to host
ping: wrote 10.100.1.1 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 10.100.1.1 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 10.100.1.1 64 chars, ret=-1
ping: sendto: No route to host

$ ping 10.100.2.1
PING 10.100.2.1 (10.100.2.1): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.2.1 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.2.1 64 chars, ret=-1
ping: sendto: Host is down

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: wrote 8.8.8.8 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 8.8.8.8 64 chars, ret=-1
ping: sendto: No route to host

Does anyone know how to successfully run OpenVPN on OpenBSD as a client with
a VPN subscription? Or run into similar problems?

OpenVPN client on OpenBSD

Reply via email to