Hi Everyone,

When trying to connect to my VPN provider using openvpn (2.1_rc15) on openbsd (both 4.4 and 4.5) everything works fine (i.e. I receive an IP address and the correct routing table) except that I can't connect anywhere?! I can ping my own tun0 IP address but it seems like all other packets get blocked. (I'm not using pf.) The same client conf works fine in freebsd, linux, netbsd and windows, so it seems that I'm missing some special sysctl setting on openbsd? Any hints what might be causing this?

I tried "tcpdump -i tun0" but all I see is:

Code:
arp who-has <default gateway> tell <my tun0 ip>

Thanks in advance,
Michael

Last edited by michaelk; 14th May 2009 at 12:07 PM.
You might need to turn on packet forwarding, since you are "routing" through the tun(4) interface. It's a very quick test:

Code:
# sysctl net.inet.ip.forwarding=1

If that works, make it permanent in /etc/sysctl.conf.
__________________
OpenBSD LiveCDs/LiveDVDs
I'm on the local machine so forwarding should not be needed. Any more clues how to troubleshoot this? Anyone running openvpn successfully on openbsd (as a client)?

//Michael
I have an OpenBSD client using openvpn as well, it is a bit dated but I will post.

OpenBSD 4.3 client config

Code:
client
dev tun0
dev-type tap
port 5000
proto udp
remote xx.xx.xx.xx
redirect-gateway
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 4
mute 20

The first 2 bolded lines were the only real difference between this and my Windoz client config, hope it helps.
Can you post the output of the following?

Code:
$ route show -inet
$ ifconfig -a # or just tun0

Hopefully we'll know more about your setup this way; it's likely a configuration issue. Posting the output of /etc/mygate in [code][/code] blocks might also be helpful.
The provider I try to connect to is http://ivacy.com

On freebsd:

Code:
~> Sat May 16 10:33:01 2009 OpenVPN 2.1_rc15 i386-portbld-freebsd7.1 [SSL] [LZO2] built on May 9 2009
Sat May 16 10:33:01 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 16 10:33:01 2009 Control Channel Authentication: using 'keys/ivacy-tls.key' as a OpenVPN static key file
Sat May 16 10:33:01 2009 LZO compression initialized
Sat May 16 10:33:01 2009 RESOLVE: NOTE: openvpn.ivacy.com resolves to 2 addresses, choosing one by random
Sat May 16 10:33:01 2009 UDPv4 link local: [undef]
Sat May 16 10:33:01 2009 UDPv4 link remote: 85.249.223.29:1194
Sat May 16 10:33:01 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 16 10:33:02 2009 [openvpn.ivacy.com] Peer Connection Initiated with 85.249.223.29:1194
Sat May 16 10:33:04 2009 TUN/TAP device /dev/tun0 opened
Sat May 16 10:33:04 2009 /sbin/ifconfig tun0 1.2.116.141 1.2.116.141 netmask 255.255.252.0 mtu 1500 up
add net 1.2.116.0: gateway 1.2.116.141
Sat May 16 10:33:04 2009 /usr/local/etc/openvpn/ivacy-up.sh tun0 1500 1542 1.2.116.141 255.255.252.0 init
add net 85.249.223.29: gateway 192.168.0.1
delete net 0.0.0.0: gateway 192.168.0.1
add net 0.0.0.0: gateway 1.2.116.1
Sat May 16 10:33:04 2009 WARNING: potential route subnet conflict between local LAN [1.2.116.0/255.255.255.0] and remote VPN [1.0.0.0/255.0.0.0]
add net 1.0.0.0: gateway 1.2.116.1
Sat May 16 10:33:04 2009 Initialization Sequence Completed
~> ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 1.2.116.141 --> 1.2.116.141 netmask 0xfffffc00
Opened by PID 11411
~> netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 1.2.116.1 UGS 0 0 tun0
1.0.0.0/8 1.2.116.1 UGS 0 0 tun0
1.2.116.0/22 1.2.116.141 UGS 2 0 tun0
1.2.116.141 1.2.116.141 UH 1 0 tun0
85.249.223.29/32 192.168.0.1 UGS 0 2 le0
127.0.0.1 127.0.0.1 UH 0 244 lo0
192.168.0.0/24 link#1 UC 0 0 le0
192.168.0.1 00:0f:66:c8:90:fd UHLW 2 2368 le0 1193
192.168.0.102 00:e0:4c:15:0c:1f UHLW 1 188 le0 1180
> nslookup www.yahoo.se
Server: 1.254.2.2
Address: 1.254.2.2#53
Non-authoritative answer:
www.yahoo.se canonical name = www.euro.fyeu.b.yahoo.com.
Name: www.euro.fyeu.b.yahoo.com
Address: 87.248.120.129
~> ping 1.254.2.2
PING 1.254.2.2 (1.254.2.2): 56 data bytes
64 bytes from 1.254.2.2: icmp_seq=0 ttl=63 time=65.528 ms
64 bytes from 1.254.2.2: icmp_seq=1 ttl=63 time=65.315 ms
64 bytes from 1.254.2.2: icmp_seq=2 ttl=63 time=52.479 ms
^C
--- 1.254.2.2 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 52.479/61.107/65.528/6.102 ms
The same thing on openbsd:

Code:
openbsd ~ # Sat May 16 10:35:09 2009 OpenVPN 2.1_rc15 i386-unknown-openbsd4.5 [SSL] [LZO1] built on May 12 2009
Sat May 16 10:35:09 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 16 10:35:09 2009 Control Channel Authentication: using 'keys/ivacy-tls.key' as a OpenVPN static key file
Sat May 16 10:35:09 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:09 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:09 2009 LZO compression initialized
Sat May 16 10:35:09 2009 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat May 16 10:35:09 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat May 16 10:35:09 2009 Local Options hash (VER=V4): '504e774e'
Sat May 16 10:35:09 2009 Expected Remote Options hash (VER=V4): '14168603'
Sat May 16 10:35:09 2009 Socket Buffers: R=[41600->65536] S=[9216->65536]
Sat May 16 10:35:09 2009 UDPv4 link local: [undef]
Sat May 16 10:35:09 2009 UDPv4 link remote: 85.249.223.29:1194
Sat May 16 10:35:09 2009 TLS: Initial packet from 85.249.223.29:1194, sid=a435a05c 7c5e375c
Sat May 16 10:35:09 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 16 10:35:10 2009 VERIFY OK: depth=1, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=ivacy.com_CA/emailAddress=admin@ivacy.com
Sat May 16 10:35:10 2009 VERIFY OK: nsCertType=SERVER
Sat May 16 10:35:10 2009 VERIFY OK: depth=0, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=openvpn.ivacy.com/emailAddress=admin@ivacy.com
Sat May 16 10:35:10 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 16 10:35:10 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:10 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May 16 10:35:10 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May 16 10:35:10 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat May 16 10:35:10 2009 [openvpn.ivacy.com] Peer Connection Initiated with 85.249.223.29:1194
Sat May 16 10:35:12 2009 SENT CONTROL [openvpn.ivacy.com]: 'PUSH_REQUEST' (status=1)
Sat May 16 10:35:12 2009 PUSH: Received control message: 'PUSH_REPLY,route 1.0.0.0 255.0.0.0,dhcp-option DNS 1.254.2.2,dhcp-option DNS 1.254.2.3,dhcp-option DOMAIN vpn,explicit-exit-notify 2,route-gateway 1.2.116.1,topology subnet,ping 10,ping-restart 60,ifconfig 1.2.116.143 255.255.252.0'
Sat May 16 10:35:12 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: explicit notify parm(s) modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: --ifconfig/up options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: route options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: route-related options modified
Sat May 16 10:35:12 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat May 16 10:35:12 2009 ROUTE default_gateway=192.168.0.1
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Device not configured
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 create
Sat May 16 10:35:12 2009 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat May 16 10:35:12 2009 /sbin/ifconfig tun0 1.2.116.143 netmask 255.255.252.0 mtu 1500 broadcast 1.2.119.255 link0
Sat May 16 10:35:12 2009 TUN/TAP device /dev/tun0 opened
Sat May 16 10:35:12 2009 /etc/openvpn/ivacy-up.sh tun0 1500 1542 1.2.116.143 255.255.252.0 init
Sat May 16 10:35:12 2009 /sbin/route add -net 85.249.223.29 192.168.0.1 -netmask 255.255.255.255
add net 85.249.223.29: gateway 192.168.0.1
Sat May 16 10:35:12 2009 /sbin/route delete -net 0.0.0.0 192.168.0.1 -netmask 0.0.0.0
delete net 0.0.0.0: gateway 192.168.0.1
Sat May 16 10:35:12 2009 /sbin/route add -net 0.0.0.0 1.2.116.1 -netmask 0.0.0.0
add net 0.0.0.0: gateway 1.2.116.1
Sat May 16 10:35:12 2009 WARNING: potential route subnet conflict between local LAN [1.2.116.0/255.255.255.0] and remote VPN [1.0.0.0/255.0.0.0]
Sat May 16 10:35:12 2009 /sbin/route add -net 1.0.0.0 1.2.116.1 -netmask 255.0.0.0
add net 1.0.0.0: gateway 1.2.116.1
Sat May 16 10:35:12 2009 Initialization Sequence Completed
# route show -inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 1.2.116.1 UGS 0 0 - 8 tun0
1/8 1.2.116.1 UGS 0 8 - 8 tun0
1.2.116/22 link#4 UC 1 0 - 4 tun0
1.2.116.1 link#4 UHRLc 2 0 - 4 tun0
85.249.223.29/32 192.168.0.1 UGS 1 20 - 8 vic0
loopback localhost UGRS 0 0 33204 8 lo0
localhost localhost UH 2 314 33204 4 lo0
192.168.0/24 link#1 UC 2 0 - 4 vic0
192.168.0.1 00:0f:66:c8:90:fd UHLc 2 19 - 4 vic0
192.168.0.102 00:e0:4c:15:0c:1f UHLc 2 608 - 4 vic0
192.168.0.126 localhost UGHS 0 0 33204 8 lo0
BASE-ADDRESS.MCAST localhost URS 0 0 33204 8 lo0
openbsd ~ # ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
lladdr 00:bd:a9:7c:44:01
priority: 0
groups: egress
inet 1.2.116.141 netmask 0xfffffc00 broadcast 1.2.119.255
inet6 fe80::2bd:a9ff:fe7c:4401%tun0 prefixlen 64 scopeid 0x4
openbsd ~ # nslookup www.yahoo.com <<= just hangs!!!
openbsd ~ # cat /etc/resolv.conf
domain vpn
nameserver 1.254.2.2
nameserver 1.254.2.3
lookup file bind
openbsd ~ # ping 1.254.2.2
PING 1.254.2.2 (1.254.2.2): 56 data bytes
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 1.254.2.2 64 chars, ret=-1
--- 1.254.2.2 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
I also compiled a version on openbsd which is linked with lzo2 but unfortunately without any luck. Any clues?

Michael
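The two ifconfig outputs in this post differ in a detail worth checking before suspecting a firewall: on FreeBSD tun0 is POINTOPOINT, while on OpenBSD it came up with BROADCAST and LINK0 plus an Ethernet address, so the gateway 1.2.116.1 has to be resolved with ARP (the who-has requests from the first post) and its routing entry, 1.2.116.1 link#4 UHRLc, carries the R flag that route(8)/netstat(1) document as "host or net unreachable", which matches the "No route to host" from ping. The script below is an added example, not code from the thread: it parses the quoted ifconfig and route output (embedded here as constructed samples) and reports which of the two situations a host is in. The function names (tun_mode, default_gw, gw_entry_flags, diagnose) are its own, and it assumes the OpenBSD/FreeBSD output formats shown above.

```shell
#!/bin/sh
# Added diagnostic script, not from the thread. It classifies a tun(4)
# interface from its ifconfig output and checks how the default gateway
# is reached in the routing table. Samples are the outputs quoted in the
# thread; function names are this script's own.

# Constructed sample: the FreeBSD "ifconfig tun0" output from the thread.
FREEBSD_TUN0='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 1.2.116.141 --> 1.2.116.141 netmask 0xfffffc00'

# Constructed sample: the OpenBSD "ifconfig tun0" output from the thread.
OPENBSD_TUN0='tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:a9:7c:44:01
        inet 1.2.116.141 netmask 0xfffffc00 broadcast 1.2.119.255'

# Constructed sample: the FreeBSD "netstat -rn" routes from the thread.
FREEBSD_ROUTES='Destination Gateway Flags Refs Use Netif Expire
default 1.2.116.1 UGS 0 0 tun0
1.0.0.0/8 1.2.116.1 UGS 0 0 tun0
1.2.116.0/22 1.2.116.141 UGS 2 0 tun0
1.2.116.141 1.2.116.141 UH 1 0 tun0
85.249.223.29/32 192.168.0.1 UGS 0 2 le0'

# Constructed sample: the OpenBSD "route show -inet" routes from the thread.
OPENBSD_ROUTES='Destination Gateway Flags Refs Use Mtu Prio Iface
default 1.2.116.1 UGS 0 0 - 8 tun0
1/8 1.2.116.1 UGS 0 8 - 8 tun0
1.2.116/22 link#4 UC 1 0 - 4 tun0
1.2.116.1 link#4 UHRLc 2 0 - 4 tun0
85.249.223.29/32 192.168.0.1 UGS 1 20 - 8 vic0'

# tun_mode <ifconfig output>: "l3-p2p" for a point-to-point tun,
# "l2-ether" for an Ethernet-style (link0 / BROADCAST) tun, else "unknown".
tun_mode() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,POINTOPOINT,*)         echo l3-p2p ;;
        *,LINK0,*|*,BROADCAST,*) echo l2-ether ;;
        *)                       echo unknown ;;
    esac
}

# default_gw <route table>: next hop of the default route.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# gw_entry_flags <route table>: flags of the host entry for the default
# gateway itself (empty when the table has no such entry).
gw_entry_flags() {
    gw=$(default_gw "$1")
    printf '%s\n' "$1" | awk -v gw="$gw" 'gw != "" && $1 == gw { print $3; exit }'
}

# diagnose <ifconfig output> <route table>: one token describing whether
# the default gateway can be reached through the tunnel.
diagnose() {
    case "$(tun_mode "$1")" in
        l3-p2p) echo p2p-ok ;;               # next hop is the far end of the tunnel, no ARP needed
        l2-ether)
            case "$(gw_entry_flags "$2")" in
                *R*) echo l2-arp-reject ;;   # R flag: entry unreachable, sends fail with "No route to host"
                "")  echo l2-arp-pending ;;  # gateway has no host entry yet
                *)   echo l2-arp-ok ;;       # gateway resolved on the link
            esac ;;
        *) echo unknown ;;
    esac
}

# Stand-alone run over the constructed samples.
echo "freebsd: $(diagnose "$FREEBSD_TUN0" "$FREEBSD_ROUTES")"
echo "openbsd: $(diagnose "$OPENBSD_TUN0" "$OPENBSD_ROUTES")"
```

On a live OpenBSD box the same check is `diagnose "$(ifconfig tun0)" "$(route show -inet)"`; on FreeBSD substitute `netstat -rn` for the second argument. An l2-arp-reject result means the gateway pushed by the server is being looked up with ARP on an interface whose far end never answers ARP, so the problem sits in the interface mode and route setup rather than in pf or forwarding.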
I'm running into the same problem with connecting to my openvpn provider from my openbsd client machine.
Did you get it solved? How?

Thanks,
Henry
See http://www.daemonforums.org/showthread.php?t=5653 for a solution on OpenBSD 4.9 beta
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump