OpenVPN 2.1_rc21 is no longer working

ramik

I've been using OpenVPN on my fritz for some time, compiled with static SSL libraries, and it was OK till yesterday, when I checked out the latest trunk (which includes 2.1_rc21) and made a new build of Freetz for my 7140; now I can no longer access the VPN. I did not change any option, all are the same as before, which worked perfectly with rc20.

It starts connecting but doesn't establish a connection. I can't give you the log now as I am in the office; later tonight I will submit the log.

Anybody else got this issue?
 
Submit your log please. openvpn-2.1_rc21 works fine here in tap mode.
 
Here is the log:
Code:
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: OpenVPN 2.1_rc21 mipsel-linux [SSL] [LZO2] [EPOLL] built on Nov 15 2009
Nov 16 11:08:06 fritz daemon.warn openvpn[1297]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: Diffie-Hellman initialized with 1024 bit key
Nov 16 11:08:06 fritz daemon.warn openvpn[1297]: WARNING: file '/tmp/flash/box.key' is group or others accessible
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: Control Channel Authentication: using '/tmp/flash/static.key' as a OpenVPN static key file
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: TLS-Auth MTU parms [ NUMBERS NUMBERS NUMBERS ]
Nov 16 11:08:06 fritz daemon.warn openvpn[1297]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Nov 16 11:08:06 fritz daemon.warn openvpn[1297]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.200.0
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: TUN/TAP device tap0 opened
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: TUN/TAP TX queue length set to 100
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: /sbin/ifconfig tap0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Nov 16 11:08:06 fritz daemon.notice openvpn[1297]: Data Channel MTU parms [ NUMBERS NUMBERS NUMBERS NUMBERS NUMBERS ]
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: chroot to '/tmp/openvpn' and cd to '/' succeeded
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: GID set to openvpn
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: UID set to openvpn
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: Listening for incoming TCP connection on [undef]:51194
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: Socket Buffers: R=[43689->131072] S=[16384->131072]
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: TCPv4_SERVER link local (bound): [undef]:51194
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: TCPv4_SERVER link remote: [undef]
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: MULTI: multi_init called, r=256 v=256
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: IFCONFIG POOL: base=192.168.200.10 size=41
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: MULTI: TCP INIT maxclients=5 maxevents=9
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: Initialization Sequence Completed
Nov 16 11:10:55 fritz daemon.notice openvpn[1300]: TCP/UDP: Closing socket
Nov 16 11:10:55 fritz daemon.notice openvpn[1300]: Closing TUN/TAP interface
Nov 16 11:10:55 fritz daemon.notice openvpn[1300]: /sbin/ifconfig tap0 0.0.0.0
Nov 16 11:10:55 fritz daemon.warn openvpn[1300]: Linux ip addr del failed: could not execute external program
Nov 16 11:10:55 fritz daemon.notice openvpn[1300]: SIGTERM[hard,] received, process exiting

All the options, configs, certificates and keys are the same as what I used before, and before it was working perfectly. Maybe the new openvpn needs an extra param?
 
Did you terminate the daemon by purpose or did it just die?
How do you try to connect and what is the log from the client side?
How did you do the forwarding to the daemon on the box?

Joerg
 
On the client side, after the initial negotiation (certificates), it stops with a 'Connection timed out' error and starts repeating that line over and over again till I disconnect.

Client log is:
Code:
Mon Nov 16 15:28:02 2009 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
Mon Nov 16 15:28:02 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 16 15:28:02 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 16 15:28:03 2009 Control Channel Authentication: using 'auth.key' as a OpenVPN static key file
Mon Nov 16 15:28:03 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 16 15:28:03 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 16 15:28:03 2009 LZO compression initialized
Mon Nov 16 15:28:03 2009 Control Channel MTU parms [ NUMBERS NUMBERS NUMBERS ]
Mon Nov 16 15:28:03 2009 Data Channel MTU parms [ NUMBERS NUMBERS NUMBERS NUMBERS NUMBERS ]
Mon Nov 16 15:28:03 2009 Local Options hash (VER=V4): 'NUMNUMNUM'
Mon Nov 16 15:28:03 2009 Expected Remote Options hash (VER=V4): 'NUMNUMNUM'
Mon Nov 16 15:28:03 2009 Attempting to establish TCP connection with xxx.yyy.zzz.33:51194
Mon Nov 16 15:28:24 2009 TCP: connect to xxx.yyy.zzz.33:51194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
.
.
.
.
Mon Nov 16 15:28:50 2009 TCP/UDP: Closing socket
Mon Nov 16 15:28:50 2009 SIGTERM[hard,init_instance] received, process exiting

And as I said, the config and forward are the same as before when it used to work: I have the fritz with a virtual IP, and a port forward from outside port 51194 to this virtual IP, same port. Before it used to work perfectly, till (the day before using rc21) switching to rc21 made it stop...
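As an added example (not code from the thread or from Freetz/OpenVPN), a small Python triage script that reads server and client log excerpts like the two posted above and tells apart a transport problem (listener up, client connect times out, so look at the port forward) from a TLS problem, while also collecting the hardening findings the logs contain (world-readable key file, missing server certificate verification, uninstalled route). The sample lines are constructed from the posted logs; 203.0.113.33 is a placeholder address.

```python
import re

# Constructed sample excerpts modelled on the server and client logs posted in
# this thread; 203.0.113.33 is a documentation placeholder, not a real host.
SERVER_LOG = """\
Nov 16 11:08:06 fritz daemon.warn openvpn[1297]: WARNING: file '/tmp/flash/box.key' is group or others accessible
Nov 16 11:08:06 fritz daemon.warn openvpn[1297]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.200.0
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: Listening for incoming TCP connection on [undef]:51194
Nov 16 11:08:06 fritz daemon.notice openvpn[1300]: Initialization Sequence Completed
"""
CLIENT_LOG = """\
Mon Nov 16 15:28:02 2009 WARNING: No server certificate verification method has been enabled.
Mon Nov 16 15:28:03 2009 Attempting to establish TCP connection with 203.0.113.33:51194
Mon Nov 16 15:28:24 2009 TCP: connect to 203.0.113.33:51194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
"""

LISTEN_RE = re.compile(r"Listening for incoming TCP connection on \S*?:(\d+)")
TIMEOUT_RE = re.compile(r"connect to \S+:(\d+) failed.*Connection timed out")
KEYPERM_RE = re.compile(r"file '([^']+)' is group or others accessible")
ROUTE_RE = re.compile(r"failed to parse/resolve route for host/network: (\S+)")

def triage(server_log, client_log):
    """Return the stage at which a tcp-server session fails plus hardening findings."""
    findings = []
    listen, timeout = LISTEN_RE.search(server_log), TIMEOUT_RE.search(client_log)
    # Stage: is the problem on the network path, inside TLS, or absent?
    if "Initialization Sequence Completed" in client_log:
        stage = "established"
    elif re.search(r"TLS Error|TLS handshake failed", client_log):
        stage = "tls"  # packets arrive; look at keys, tls-auth direction, ciphers
    elif timeout and listen and "Initialization Sequence Completed" in server_log:
        stage = "transport"  # server is up and listening, yet the client's SYN gets no answer
        findings.append("client TCP connect times out while the server listens on port %s: "
                        "check the port forward/firewall, not certificates or options" % listen.group(1))
        if listen.group(1) != timeout.group(1):
            findings.append("port mismatch: client targets %s, server listens on %s"
                            % (timeout.group(1), listen.group(1)))
    else:
        stage = "unknown"
    # Hardening findings that hold regardless of the stage.
    for path in KEYPERM_RE.findall(server_log):
        findings.append("private key %s is readable by group/others: chmod 600 %s" % (path, path))
    if "No server certificate verification method" in client_log:
        findings.append("client does not verify the server certificate role: add "
                        "'remote-cert-tls server' (or 'ns-cert-type server') to the client config")
    for net in ROUTE_RE.findall(server_log):
        findings.append("server route for %s was not installed: give the route a gateway or drop it" % net)
    return {"stage": stage, "findings": findings}

if __name__ == "__main__":
    for line in triage(SERVER_LOG, CLIENT_LOG)["findings"]:
        print(line)
```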
 
Using a virtual IP might in fact be an issue; it is not known to work perfectly well with newer firmwares, AFAIK...
Nevertheless: can you please provide the resulting config generated by Freetz ("cat /mod/etc/openvpn.conf")?
I see different statements regarding the "LZO" and "TLS-AUTH" entries in the log on the client and server side. Might there be an issue?

Joerg
 
Using a virtual IP might in fact be an issue; it is not known to work perfectly well with newer firmwares, AFAIK...

I can't set a forward without the virtual IP; the fritz will give the error that the destination IP is the fritz and can't be used. But anyway it starts making the connection and then stops, so the forward is successful.

The contents of the openvpn.conf:
Code:
#  OpenVPN 2.1 Config, Tue Nov 17 16:38:06 CET 2009
proto tcp-server
dev tap0
ca /tmp/flash/ca.crt
cert /tmp/flash/box.crt
key /tmp/flash/box.key
dh /tmp/flash/dh.pem
tls-server
tls-auth /tmp/flash/static.key 0
port 51194
mode server
ifconfig-pool 192.168.200.10 192.168.200.50
push "route 192.168.200.1"
route 192.168.200.0 255.255.255.0
ifconfig 192.168.200.1 255.255.255.0
push "route-gateway 192.168.200.1"
push "route 192.168.178.0 255.255.255.0"
max-clients 5
tun-mtu 1500
mssfix
verb 3
daemon
cipher BF-CBC
comp-lzo
keepalive 10 120
status /var/log/openvpn.log
chroot /tmp/openvpn
user openvpn
group openvpn
persist-tun
persist-key
 
You can forward ports without the virtual IP.
You either edit the ar7.cfg via telnet/ssh or use the AVM-Firewall package in freetz.
 
You can forward ports without the virtual IP.
You either edit the ar7.cfg via telnet/ssh or use the AVM-Firewall package in freetz.

Ok, nearly solved.
You were right about the forward issue, it's a bad forward. I tried now doing the forward from the fritz to my PC, and my PC forwarded back to the fritz, and OpenVPN connected successfully. Tonight I'll cook AVM Firewall into my firmware and deploy a forward without the fritz.
 
If it is just for that purpose, you might also try the trick from here and won't need another freetz image with the AVM-firewall

Code:
pr=`find /var/html/ -name portrule.js`
sed  's/return g_mldIpAdr0000/return null/'  $pr > /var/tmp/portrule.js
mount -o bind  /var/tmp/portrule.js  $pr

Just execute it (put it into the rudishell or telnet ...) and you will be able to use 0.0.0.0 as the forwarding target (which means the box). This entry will not be shown after a reboot of a box (it is masked out by AVM), but it will still work ;-)

Joerg
 
Thanks MaxMuster, great tip, works well, but anyway later today I'll cook the AVM firewall and remove the virtual IP.

PS: to make such a thing permanent, couldn't somebody add a mod to Freetz that always patches portrule.js?
 