[Problem] Ubuntu 14.04 openvpn server, Freetz openvpn client

wieserdk (New user, member since 27 Dec 2014, 2 posts)
Hello,

I've installed openvpn server on ubuntu 14.04

my server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/zoe.crt
key /etc/openvpn/zoe.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3



On the FRITZ!Box I've installed the Freetz modification, which adds OpenVPN support. It generates the following config file:
proto udp
dev tun
ca /tmp/flash/openvpn/ca.crt
cert /tmp/flash/openvpn/box.crt
key /tmp/flash/openvpn/box.key
tls-client
ns-cert-type server
remote [openvpn server ip address]
nobind
ifconfig 192.168.200.1 10.8.0.2
tun-mtu 1500
mssfix
verb 3
cipher BF-CBC
comp-lzo
keepalive 10 120
resolv-retry infinite
cd /var/tmp/openvpn
chroot /var/tmp/openvpn
user openvpn
group openvpn
persist-tun
persist-key


everything seems to work fine:
/etc/openvpn-status.log on server shows:
OpenVPN CLIENT LIST
Updated,Sat Dec 27 08:55:51 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
katie,94.254.129.33:62737,8282,8994,Sat Dec 27 08:44:19 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,katie,94.254.129.33:62737,Sat Dec 27 08:44:22 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END


other settings:
net.ipv4.conf.all.forwarding = 1
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


But for some reason I'm not able to use that connection.
On the client side: ping 10.8.0.1 gives nothing.

What's wrong? Thanks for your help
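The status file quoted above is easier to check programmatically. The following Python script is an added example (not code from the thread, from Freetz or from the OpenVPN project) that parses the default "version 1" status layout into client-list and routing-table records; the sample input is the status output from the post, embedded as constructed test data. It makes visible, for instance, that the server's pool has assigned 10.8.0.6 to the client while the posted client config hard-codes ifconfig 10.8.0.2.

```python
"""Parse an OpenVPN status file (the default 'version 1' layout quoted in the post)
into client-list and routing-table records.  Sample input is the status output
from the post, embedded here as constructed test data."""
from dataclasses import dataclass


@dataclass
class Client:
    common_name: str
    real_address: str      # source IP:port of the client's UDP socket
    bytes_received: int
    bytes_sent: int
    connected_since: str


@dataclass
class RouteEntry:
    virtual_address: str   # tunnel IP (or LAN network) the server routes to this client
    common_name: str
    real_address: str
    last_ref: str


def parse_status(text):
    """Return {'updated': str, 'clients': [Client], 'routes': [RouteEntry]}."""
    result = {"updated": None, "clients": [], "routes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = line          # section headers carry no data
            continue
        if line == "END":
            break
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST":
            if fields[0] == "Updated":
                result["updated"] = fields[1]
            elif fields[0] != "Common Name":   # skip the column header
                if len(fields) != 5:
                    raise ValueError(f"unexpected client line: {line}")
                cn, real, rx, tx, since = fields
                result["clients"].append(Client(cn, real, int(rx), int(tx), since))
        elif section == "ROUTING TABLE" and fields[0] != "Virtual Address":
            if len(fields) != 4:
                raise ValueError(f"unexpected route line: {line}")
            result["routes"].append(RouteEntry(*fields))
    return result


def virtual_addresses(status):
    """Map each common name to the virtual addresses the server routes to it."""
    by_cn = {}
    for r in status["routes"]:
        by_cn.setdefault(r.common_name, []).append(r.virtual_address)
    return by_cn


def clients_without_routes(status):
    """Connected clients with no routing-table entry yet (no traffic seen)."""
    routed = {r.common_name for r in status["routes"]}
    return [c.common_name for c in status["clients"] if c.common_name not in routed]


# Constructed sample: the status output quoted in the post.
SAMPLE = """OpenVPN CLIENT LIST
Updated,Sat Dec 27 08:55:51 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
katie,94.254.129.33:62737,8282,8994,Sat Dec 27 08:44:19 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,katie,94.254.129.33:62737,Sat Dec 27 08:44:22 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

if __name__ == "__main__":
    status = parse_status(SAMPLE)
    for c in status["clients"]:
        print(c.common_name, "from", c.real_address, "->",
              virtual_addresses(status).get(c.common_name))
```

Pointing the script at a real file (for example the `status openvpn-status.log` path from server.conf) and comparing the real addresses and virtual addresses against what you expect is a cheap way to spot a client connecting from an unexpected network or a LAN route that was never installed.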
 
OK, one problem solved. I've checked "Receive options from server (only with certificates)" and it's working partially.

From the FRITZ!Box (telnet) I can ping tun0 and any external address, e.g. ping yahoo.com, but I can't do it from devices connected to the F!B. ping yahoo.com from my computer gives nothing.
 
Some hints:
Mixing "comp-lzo" (client) with no "lzo" on the server will not work.
You found out about the part in assigning the IP to the client for yourself ;-)

About the not working LAN:
To connect a net behind a VPN client, the server needs to know where to route the packets (if, like in your case, you have a multi-client configuration). So the first thing you will need is an "iroute" entry on your server in the client-config-dir for your client or in a connect script.
Then of course the server needs to NAT this net, too.
Last point: it might be necessary to give the DNS (like "8.8.8.8") also to the PCs in your LAN (the DNS the box uses for its own name resolution is different from the one used for the network clients iirc).
 
I used a similar setup, but I did not use masquerading. My server.conf looks like this:

server.conf
Code:
port 1194
proto udp
dev tun
ca /etc/openvpn/my_ca.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem
crl-verify crl.pem
dh /etc/openvpn/dh2048.pem
server 192.168.210.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.100.1"
client-config-dir ccd
push "dhcp-option WINS 192.168.100.100"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
auth SHA1
tun-mtu 1200
# Routing-Entries for Client Subnet Hosts
route 192.168.10.1 255.255.255.255
route 192.168.10.6 255.255.255.255

My client.conf looks like that:

client.conf
Code:
client
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca my_ca.pem
cert client_cert.pem
key client_key.pem
cipher AES-256-CBC
comp-lzo
verb 3
auth SHA1
tun-mtu 1200
remote MY-SERVER-ADDRESS-OR-NAME

Now it is important to add a route to your OpenVPN subnet using the internal IP of the OpenVPN server as a gateway.

It might be possible that you have to remove the user nobody and group nogroup directives to make it work. I used this some time ago, I do not fully remember anymore.

Hope this helps.

Edit: Almost forgot to mention my server side routing entries for each client:

example_ccd
Code:
push "route 192.168.100.100 255.255.255.255"
push "route 192.168.100.101 255.255.255.255"
push "dhcp-option DNS 192.168.210.1"
push "redirect-gateway"

The latter entry is necessary only to force all client data to be routed through the server.

Cheers.
Fant.
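The two replies above name the usual mismatches behind a tunnel that comes up but does not carry traffic: comp-lzo on one side only, cipher/auth differing between client and server, a static ifconfig on a client that does not pull options, and an iroute in a ccd file with no matching route on the server. The following Python script is an added example (not code from the thread, from Freetz or from the OpenVPN project) that parses a server.conf, a client config and the ccd entries and reports those mismatches. All config texts in it are constructed for the example, including the hostname vpn.example.invalid and the LAN 192.168.178.0/24.

```python
"""Cross-check an OpenVPN server.conf, a client config and the server's
client-config-dir (ccd) entries for the mismatches discussed in the thread.
All sample configs below are constructed for this example."""

HOST_MASK = "255.255.255.255"


def parse_directives(text):
    """Return [(directive, [args])] with comments, blank lines and quotes stripped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.append((parts[0], [p.strip('"') for p in parts[1:]]))
    return directives


def has(directives, name):
    return any(d == name for d, _ in directives)


def first_arg(directives, name, default="(default)"):
    for d, args in directives:
        if d == name:
            return args[0] if args else default
    return default


def network(args):
    """Normalise 'route'/'iroute' arguments: a bare host gets a /32 mask."""
    return (args[0], args[1] if len(args) > 1 else HOST_MASK)


def find_issues(server_conf, client_conf, ccd_entries):
    """ccd_entries maps a client's common name to the text of its ccd file."""
    s = parse_directives(server_conf)
    c = parse_directives(client_conf)
    issues = []

    # 1. Compression must be enabled on both ends or on neither.
    if has(s, "comp-lzo") != has(c, "comp-lzo"):
        issues.append("comp-lzo is set on only one side")

    # 2. Data-channel cipher and HMAC must agree (or both rely on the default).
    for name in ("cipher", "auth"):
        sv, cv = first_arg(s, name), first_arg(c, name)
        if sv != cv:
            issues.append(f"{name} mismatch: server={sv} client={cv}")

    # 3. A static 'ifconfig' without 'client'/'pull' ignores the server's pool address.
    if has(c, "ifconfig") and not (has(c, "client") or has(c, "pull")):
        issues.append("client uses a static ifconfig and does not pull options from the server")

    # 4. Every 'iroute' in a ccd file needs a matching kernel 'route' on the server.
    server_routes = {network(args) for d, args in s if d == "route"}
    for cn, text in ccd_entries.items():
        for d, args in parse_directives(text):
            if d == "iroute" and network(args) not in server_routes:
                issues.append(f"ccd/{cn}: iroute {args[0]} has no matching 'route' in server.conf")
    if ccd_entries and not has(s, "client-config-dir"):
        issues.append("server.conf has no client-config-dir, so ccd files are never read")
    return issues


# Constructed sample: the kind of setup the thread describes, with the problems left in.
SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
cipher AES-256-CBC
auth SHA1
# the 'route' for the LAN behind client 'box' is missing on purpose
"""

CLIENT_CONF = """
dev tun
proto udp
tls-client
remote vpn.example.invalid
ifconfig 192.168.200.1 10.8.0.2
cipher BF-CBC
comp-lzo
"""

CCD = {"box": "iroute 192.168.178.0 255.255.255.0\n"}

if __name__ == "__main__":
    for issue in find_issues(SERVER_CONF, CLIENT_CONF, CCD):
        print("-", issue)
```

Once the iroute/route pair is in place, the LAN behind the client still needs the NAT rule (or a return route) on the server, as the reply says; the script only checks what the config files themselves can tell you.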
 