Things look good but I can NOT reach the desired net 192.168.51.0/24 via the VPN
[root@Awyr openvpn]# ssh 192.168.51.2
ssh: connect to host 192.168.51.2 port 22: Connection timed out
ping doesn't work either

I CAN scp over the established vpn connection
[root@Awyr openvpn]# scp VPNClientStats rrc@10.34.0.1:

                       Bienvenido a Narciso.moov.com.mx
                        Welcome to Narciso.moov.com.mx
                    Soyez bienvenus a Narciso.moov.com.mx

                AVISO: Estamos supervisando su comportamiento
                 WARNING:  We are monitoring this connection
               AVERTISSEMENT : Nous controlons cette connexion

                        El abuso no va a ser tolerado
                         Abuse will NOT be tolerated
                          L'abus ne sera pas tolere

Password:
VPNClientStats 100% 7184 3.9MB/s 00:00

Here are data from the client

The ccd/rrc file:

[root@narciso openvpn]# cat ccd/rrc
#ifconfig-push 10.34.0.249 10.34.0.250
#ifconfig-push 10.34.0.249 255.255.255.0
#push "route 192.168.20.0 255.255.255.0"
push "route 192.168.51.0 255.255.255.0"
#push "route 10.30.40.0 255.255.255.0"

The ifconfig-push in its many variations seemed to conflict, so I eliminated it and rely on the server's `server 10.34.0.0 255.255.255.0` to do the job; that seems to be working, so only the `push "route 192.168.51.0 255.255.255.0"` line is uncommented.

[root@Awyr openvpn]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

NO Firewall on Client - totally open

[root@Awyr openvpn]# ip add sh
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether c0:18:50:96:63:38 brd ff:ff:ff:ff:ff:ff
    inet 187.251.133.221/30 brd 187.251.133.223 scope global enp3s0
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.34.0.2/24 scope global tun0
       valid_lft forever preferred_lft forever

[root@Awyr openvpn]# ip route sh
10.34.0.0/24 dev tun0 proto kernel scope link src 10.34.0.2
187.251.133.220/30 dev enp3s0 proto kernel scope link src 187.251.133.221
192.168.51.0/24 via 10.34.0.1 dev tun0

[root@Awyr openvpn]# cat openvpn.log
2023-12-30 13:40:06 us=595665 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-12-30 13:40:06 us=596133 Current Parameter Settings:
2023-12-30 13:40:06 us=596154   config = 'rrc.ovpn'
2023-12-30 13:40:06 us=596171   mode = 0
2023-12-30 13:40:06 us=596187   persist_config = DISABLED
2023-12-30 13:40:06 us=596203   persist_mode = 1
2023-12-30 13:40:06 us=596219   show_ciphers = DISABLED
2023-12-30 13:40:06 us=596235   show_digests = DISABLED
2023-12-30 13:40:06 us=596251   show_engines = DISABLED
2023-12-30 13:40:06 us=596266   genkey = DISABLED
2023-12-30 13:40:06 us=596282   genkey_filename = '[UNDEF]'
2023-12-30 13:40:06 us=596297   key_pass_file = '[UNDEF]'
2023-12-30 13:40:06 us=596339   show_tls_ciphers = DISABLED
2023-12-30 13:40:06 us=596354   connect_retry_max = 0
2023-12-30 13:40:06 us=596370 Connection profiles [0]:
2023-12-30 13:40:06 us=596387   proto = udp
2023-12-30 13:40:06 us=596402   local = '[UNDEF]'
2023-12-30 13:40:06 us=596418   local_port = '1194'
2023-12-30 13:40:06 us=596434   remote = '187.251.133.222'
2023-12-30 13:40:06 us=596450   remote_port = '1194'
2023-12-30 13:40:06 us=596466   remote_float = DISABLED
2023-12-30 13:40:06 us=596481 NOTE: --mute triggered...
2023-12-30 13:40:06 us=596526 268 variation(s) on previous 20 message(s) suppressed by --mute
2023-12-30 13:40:06 us=596544 OpenVPN 2.5.0 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 5 2022
2023-12-30 13:40:06 us=596579 library versions: OpenSSL 1.1.1v 1 Aug 2023, LZO 2.10
2023-12-30 13:40:06 us=599632 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2023-12-30 13:40:06 us=602363 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2023-12-30 13:40:06 us=602392 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
2023-12-30 13:40:06 us=602399 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
2023-12-30 13:40:06 us=602410 TCP/UDP: Preserving recently used remote address: [AF_INET]187.251.133.222:1194
2023-12-30 13:40:06 us=602426 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-12-30 13:40:06 us=602437 UDP link local (bound): [AF_INET][undef]:1194
2023-12-30 13:40:06 us=602444 UDP link remote: [AF_INET]187.251.133.222:1194
2023-12-30 13:40:06 us=603948 TLS: Initial packet from [AF_INET]187.251.133.222:1194, sid=0acf94c4 ae972942
2023-12-30 13:40:06 us=610424 VERIFY OK: depth=1, C=MX, ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, OU=My Organizational Unit, CN=narciso.moov.com.mx, emailAddress=salvador.ba...@moov.com.mx
2023-12-30 13:40:06 us=610699 VERIFY KU OK
2023-12-30 13:40:06 us=610720 Validating certificate extended key usage
2023-12-30 13:40:06 us=610739 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-12-30 13:40:06 us=610754 VERIFY EKU OK
2023-12-30 13:40:06 us=610770 VERIFY OK: depth=0, C=MX, ST=Jalisco, L=Tlaquepaque, O=Vame Vehiculos, OU=My Organizational Unit, CN=narciso.moov.com.mx, emailAddress=salvador.ba...@moov.com.mx
2023-12-30 13:40:06 us=616591 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
2023-12-30 13:40:06 us=616637 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-12-30 13:40:06 us=616660 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-12-30 13:40:06 us=616741 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-12-30 13:40:06 us=616770 [narciso.moov.com.mx] Peer Connection Initiated with [AF_INET]187.251.133.222:1194
2023-12-30 13:40:06 us=639393 PUSH: Received control message: 'PUSH_REPLY,route 192.168.51.0 255.255.255.0,route-gateway 10.34.0.1,topology subnet,ping 10,ping-restart 120,route 192.168.51.0 255.255.255.0,ifconfig 10.34.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-12-30 13:40:06 us=639640 OPTIONS IMPORT: timers and/or timeouts modified
2023-12-30 13:40:06 us=639659 OPTIONS IMPORT: --ifconfig/up options modified
2023-12-30 13:40:06 us=639676 OPTIONS IMPORT: route options modified
2023-12-30 13:40:06 us=639690 OPTIONS IMPORT: route-related options modified
2023-12-30 13:40:06 us=639706 OPTIONS IMPORT: peer-id set
2023-12-30 13:40:06 us=639721 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-12-30 13:40:06 us=639737 OPTIONS IMPORT: data channel crypto options modified
2023-12-30 13:40:06 us=639756 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-12-30 13:40:06 us=639787 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
2023-12-30 13:40:06 us=639932 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-12-30 13:40:06 us=639952 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-12-30 13:40:06 us=640005 net_route_v4_best_gw query: dst 0.0.0.0
2023-12-30 13:40:06 us=640152 net_route_v4_best_gw result: via 0.0.0.0 dev
2023-12-30 13:40:06 us=640216 ROUTE_GATEWAY 0.0.0.0
2023-12-30 13:40:06 us=647383 TUN/TAP device tun0 opened
2023-12-30 13:40:06 us=647435 do_ifconfig, ipv4=1, ipv6=0
2023-12-30 13:40:06 us=647526 net_iface_mtu_set: mtu 1500 for tun0
2023-12-30 13:40:06 us=647589 net_iface_up: set tun0 up
2023-12-30 13:40:06 us=647679 net_addr_v4_add: 10.34.0.2/24 dev tun0
2023-12-30 13:40:11 us=798441 net_route_v4_add: 192.168.51.0/24 via 10.34.0.1 dev [NULL] table 0 metric -1
2023-12-30 13:40:11 us=798687 net_route_v4_add: 192.168.51.0/24 via 10.34.0.1 dev [NULL] table 0 metric -1
2023-12-30 13:40:11 us=798778 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-12-30 13:40:11 us=798801 Initialization Sequence Completed


[root@Awyr openvpn]# cat rrc.ovpn
client
dev tun
proto udp
remote 187.251.133.222 1194
persist-key
persist-tun
route-delay 5
ping-restart 10
ping 60
persist-tun
verb 4
ca ca.crt
cert rrc.crt
key rrc.key
remote-cert-tls server
data-ciphers AES-256-GCM
#data-ciphers-fallback AES-128-GCM
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
mute 20
#script-security 2
#auth-user-pass

Here are data from the server

[root@narciso openvpn]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

NO Firewall on Server - totally open

[root@narciso openvpn]# ip add sh

6: ens2f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 7c:c2:55:64:0f:87 brd ff:ff:ff:ff:ff:ff
    altname enp81s0f3
    inet 192.168.51.100/24 brd 192.168.51.255 scope global ens2f3
       valid_lft forever preferred_lft forever
inet6 2806:103e:19:5fda:7ec2:55ff:fe64:f87/64 scope global dynamic mngtmpaddr
       valid_lft 2591784sec preferred_lft 2591784sec
    inet6 fe80::7ec2:55ff:fe64:f87/64 scope link
       valid_lft forever preferred_lft forever
7: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 7c:c2:55:27:9e:2c brd ff:ff:ff:ff:ff:ff
    altname enp1s0f0
    inet 187.251.133.222/30 brd 187.251.133.223 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 fe80::7ec2:55ff:fe27:9e2c/64 scope link
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.34.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::6b2e:f0a1:97a7:d887/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Is `tun0: <POINTOPOINT` correct even though I have topology set to subnet?

[root@narciso openvpn]# ip route sh
default via 187.251.133.221 dev eno1 metric 10
10.34.0.0/24 dev tun0 proto kernel scope link src 10.34.0.1
187.251.133.220/30 dev eno1 proto kernel scope link src 187.251.133.222
192.168.51.0/24 dev ens2f3 proto kernel scope link src 192.168.51.100

[root@narciso openvpn]# cat openvpn.log
2023-12-30 13:35:36 OpenVPN 2.5.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 21 2023
2023-12-30 13:35:36 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
2023-12-30 13:35:36 CRL: loaded 1 CRLs from file crl.pem
2023-12-30 13:35:36 TUN/TAP device tun0 opened
2023-12-30 13:35:36 net_iface_mtu_set: mtu 1500 for tun0
2023-12-30 13:35:36 net_iface_up: set tun0 up
2023-12-30 13:35:36 net_addr_v4_add: 10.34.0.1/24 dev tun0
2023-12-30 13:35:36 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-12-30 13:35:36 UDPv4 link local (bound): [AF_INET]187.251.133.222:1194
2023-12-30 13:35:36 UDPv4 link remote: [AF_UNSPEC]
2023-12-30 13:35:36 GID set to openvpn
2023-12-30 13:35:36 UID set to openvpn
2023-12-30 13:35:36 Initialization Sequence Completed
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_VER=2.5.0
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_PLAT=linux
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_PROTO=6
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_CIPHERS=AES-256-GCM
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_LZ4=1
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_LZ4v2=1
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_LZO=1
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_COMP_STUB=1
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_COMP_STUBv2=1
2023-12-30 13:40:11 187.251.133.221:1194 peer info: IV_TCPNL=1
2023-12-30 13:40:11 187.251.133.221:1194 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
2023-12-30 13:40:11 187.251.133.221:1194 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2023-12-30 13:40:11 187.251.133.221:1194 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2023-12-30 13:40:11 187.251.133.221:1194 [rrc] Peer Connection Initiated with [AF_INET]187.251.133.221:1194
2023-12-30 13:40:11 rrc/187.251.133.221:1194 MULTI_sva: pool returned IPv4=10.34.0.2, IPv6=(Not enabled)

[root@narciso openvpn]# cat server.conf
local 187.251.133.222
port 1194
proto udp
dev tun
ca ca.crt
cert narciso.moov.com.mx.crt
key narciso.moov.com.mx.key  # This file should be kept secret
crl-verify crl.pem
dh dh2048.pem
server 10.34.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
topology subnet
keepalive 10 120
max-clients 50
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
mute 20
#data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
explicit-exit-notify 1
push "route 192.168.51.0 255.255.255.0"

#script-security 2
#comp-lzo
#data-ciphers AES_256_GCM:CHACHA20_POLY1305:AES_128_GCM:AES_128_CCM
#data-ciphers-fallback AES-128-GCM
#route 10.30.40.0 255.255.255.0
#route 192.168.101.0 255.255.255.0
#route 192.168.99.0 255.255.255.0
#route 10.30.50.0 255.255.255.0
#route 192.168.1.0 255.255.255.0
#client-to-client
# plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
# plugin /usr/lib/openvpn/openvpn-auth-pam.so system-auth
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD"
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Thanks



Richard



On 12/30/23 05:30, Gert Doering wrote:
Hi,

On Sat, Dec 30, 2023 at 05:26:55AM -0600, Richard Couture wrote:
ifconfig-push 10.34.0.249 10.34.0.250

this is p2p style, it needs to be "something with a netmask" as 2nd
argument - "ifconfig-push 10.34.0.249 255.255.255.0" or such.

gert


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
