7170 Fw 58.04.57 + freetz-1.0.1-2836 + Openvpn

massimilianonba

Hi guys, I have a problem with my Fritz and its OpenVPN configuration. I've configured my Fritz as an OpenVPN server and I use other PCs (with Linux and Windows OS) as clients; the connection between the client and the server has no problem, but I can't ping the server.

My local ip configuration is:
> fritz > 192.168.5.52
> client > 192.168.5.5*

I have attached my openvpn_conf.png and my openvpn_server_log.png.

Client.conf:
client
dev tun
proto udp
remote *****************.dvrdns.org
nobind
persist-key
persist-tun
ca ca.crt
cert raikonen.crt
key raikonen.key
ns-cert-type server
tls-auth key.txt 1
comp-lzo
verb 3

Client connection log:
Thu Dec 18 12:29:31 2008 OpenVPN 2.1_rc15 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 21 2008
Thu Dec 18 12:29:31 2008 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Dec 18 12:29:31 2008 WARNING: file 'raikonen.key' is group or others accessible
Thu Dec 18 12:29:31 2008 WARNING: file 'key.txt' is group or others accessible
Thu Dec 18 12:29:31 2008 Control Channel Authentication: using 'key.txt' as a OpenVPN static key file
Thu Dec 18 12:29:31 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 18 12:29:31 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 18 12:29:31 2008 LZO compression initialized
Thu Dec 18 12:29:31 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Dec 18 12:29:31 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 18 12:29:31 2008 Local Options hash (VER=V4): '504e774e'
Thu Dec 18 12:29:31 2008 Expected Remote Options hash (VER=V4): '14168603'
Thu Dec 18 12:29:31 2008 Socket Buffers: R=[112640->131072] S=[112640->131072]
Thu Dec 18 12:29:31 2008 UDPv4 link local: [undef]
Thu Dec 18 12:29:31 2008 UDPv4 link remote: 87.2.179.157:1194
Thu Dec 18 12:29:31 2008 TLS: Initial packet from 87.2.179.157:1194, sid=662131f9 51cc86f9
Thu Dec 18 12:29:31 2008 VERIFY OK: depth=1, *********************************************************************
Thu Dec 18 12:29:31 2008 VERIFY OK: nsCertType=*******
Thu Dec 18 12:29:31 2008 VERIFY OK: depth=0, *********************************************************************
Thu Dec 18 12:29:32 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 18 12:29:32 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 18 12:29:32 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec 18 12:29:32 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 18 12:29:32 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 18 12:29:32 2008 [server] Peer Connection Initiated with 87.2.179.157:1194
Thu Dec 18 12:29:33 2008 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 18 12:29:33 2008 PUSH: Received control message: 'PUSH_REPLY,route 192.168.5.52 ,route-gateway 192.168.5.52 ,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Dec 18 12:29:33 2008 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 18 12:29:33 2008 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 18 12:29:33 2008 OPTIONS IMPORT: route options modified
Thu Dec 18 12:29:33 2008 OPTIONS IMPORT: route-related options modified
Thu Dec 18 12:29:33 2008 ROUTE default_gateway=192.168.5.52
Thu Dec 18 12:29:33 2008 TUN/TAP device tun0 opened
Thu Dec 18 12:29:33 2008 TUN/TAP TX queue length set to 100
Thu Dec 18 12:29:33 2008 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Thu Dec 18 12:29:33 2008 WARNING: potential route subnet conflict between local LAN [192.168.5.0/255.255.255.0] and remote VPN [192.168.5.52/255.255.255.255]
Thu Dec 18 12:29:33 2008 OpenVPN ROUTE: omitted no-op route: 192.168.5.52/255.255.255.255 -> 192.168.5.52
Thu Dec 18 12:29:33 2008 Initialization Sequence Completed

Here is my route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.8.0.5        *               255.255.255.255 UH    0   0      0    tun0
192.168.5.0     *               255.255.255.0   U     0   0      0    wlan0
link-local      *               255.255.0.0     U     0   0      0    wlan0
default         192.168.5.52    0.0.0.0         UG    0   0      0    wlan0

Can anybody help me, please..??

Small edit: I tried many different kinds of server configuration and I've seen that if I modify the "Extended client configuration", the web GUI changes to LOCAL IP and SUBNET instead of LOCAL IP and REMOTE IP..
Maybe a GUI problem like in THIS MaxMuster's answer..??

I'll wait for some solutions, many thanks :groesste:
 

Attachments

  • openvpn_conf.png (51.2 KB · Views: 31)
  • openvpn_server_log.png (80.4 KB · Views: 22)

I'm not able to understand, because for every configuration that I try, the server.conf file (mod/etc/openvpn.conf) changes, but the result always remains the same... the tun0 interface does not have a gateway..
If I try to modify the openvpn.conf by telnet, my alternative configuration disappears when I restart the service...
I try with a
but my config still disappears at every service restart... how can I make a permanent modification to my server configuration file..??
 
I've solved my problem with the server conf below..
 

Attachments

  • openvpn_server.png (93.8 KB · Views: 42)

Sorry, I didn't answer before.
Good to hear, it works now. But can you please describe your problem a little further? Just to make out if it was a configuration problem or an error in the package.

From your first post I see you have the local interface set to 192.168.5.52 and the remote to 10.8.0.1. Was this done on purpose, or did you enter other values and it was a "GUI problem"? Though it is possible with most OSes around, the Windows version of OpenVPN will not accept point-to-point addressing like this (it needs small "subnets" for the tun link). Setting the route to the OpenVPN server failed because the server sent the first pool IP pair to the client (ifconfig 10.8.0.6 10.8.0.5), so 192.168.5.52 was not reachable via OpenVPN. Lastly, it seems you tried from a LAN with the same IP (potential route subnet conflict between local LAN [192.168.5.0/255.255.255.0] and remote VPN [192.168.5.52/255.255.255.255]).

Thanks!

Joerg
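
The diagnosis in the reply above can be reproduced from the client log alone. The following is an added example, not part of the original thread or of the freetz package: it parses the PUSH_REPLY line quoted in the first post and flags pushed routes that overlap the client's own LAN and a route-gateway that is not the tun peer. The function names and the list of local LANs passed in are assumptions made for illustration.

```python
import ipaddress
import re

# Sample input: the PUSH_REPLY line from the client log in the first post.
LOG_LINE = ("Thu Dec 18 12:29:33 2008 PUSH: Received control message: "
            "'PUSH_REPLY,route 192.168.5.52 ,route-gateway 192.168.5.52 ,"
            "ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'")

def parse_push_reply(line):
    """Extract pushed routes, route-gateway and ifconfig pair from a log line."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    out = {"routes": [], "route_gateway": None, "ifconfig": None}
    for opt in m.group(1).split(","):
        words = opt.split()
        if not words:
            continue
        if words[0] == "route" and len(words) >= 2:
            # A pushed route without a netmask is a host route (/32).
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            out["routes"].append(
                ipaddress.ip_network(f"{words[1]}/{mask}", strict=False))
        elif words[0] == "route-gateway" and len(words) == 2:
            out["route_gateway"] = ipaddress.ip_address(words[1])
        elif words[0] == "ifconfig" and len(words) == 3:
            out["ifconfig"] = (ipaddress.ip_address(words[1]),
                               ipaddress.ip_address(words[2]))
    return out

def check_push(push, local_lans):
    """Return findings for a parsed push, given the client's LANs (assumed input)."""
    findings = []
    lans = [ipaddress.ip_network(n) for n in local_lans]
    for route in push["routes"]:
        for lan in lans:
            if route.overlaps(lan):
                findings.append(f"route {route} overlaps local LAN {lan}")
    gw, ifc = push["route_gateway"], push["ifconfig"]
    # Heuristic: on a point-to-point tun link only the peer address is on-link.
    if gw and ifc and gw != ifc[1]:
        findings.append(f"route-gateway {gw} is not the tun peer {ifc[1]}")
    if gw and any(gw in lan for lan in lans):
        findings.append(f"route-gateway {gw} lies inside the local LAN")
    return findings

if __name__ == "__main__":
    for finding in check_push(parse_push_reply(LOG_LINE), ["192.168.5.0/24"]):
        print("WARNING:", finding)
```

Run against the log from a client on 192.168.5.0/24 it reports all three conditions; from a client on a different LAN only the route-gateway mismatch remains.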
 
Hi Max, and many thanks for your answer ;)

Sincerely, I don't know where the problem is :noidea:
I mean: for me the best configuration is LOCAL IP 192.168.5.52 and REMOTE 10.8.0.1, but this doesn't work..
So I have tried the second one with the client "extended configuration", but at this point the GUI changed by itself.. I don't know if this is a GUI problem or if it's normal, but in this case the connection has no problem and the VPN interface has its gateway, so I can ping and use my VPN normally.
About this second configuration: if I check only client name and VPN IP it works, but if I add the client network too (with the normal <ip> <mask>), the connection fails again...

I hope that my answer is OK for you, and again many thanks for your time :groesste:
 
You're welcome ;-)

The "changing" GUI is intended, it (should) only show the "valid" options in respect of the choices you make.

There might indeed be another issue with the generated configuration (regarding the "route-gateway" entry, which won't work in your config, too).
But if you are only using Linux clients you should indeed be able to use point-to-point IPs of the scheme you intended (LAN-IP as 192.168.5.52 and 10.8.0.x for the remote clients). But because this is a very special situation, this is not supported by the GUI :-(...

On the other hand you should be able to use "remote networks" in the extended configuration. Did you enter only the networks (deleting the "-")? Can you provide a log of the failing connection? Of course the networks must be unique and different from your LAN ;-)


Joerg
 
> Of course the networks must be unique and different from your LAN

You're right ;)
I have tried to connect to my OpenVPN server from another LAN (and with my telephone as modem) and it works with the client network configuration too :)

Now the situation is perfect: I can use OpenVPN on the box with XP, Vista (32 & 64..) and Ubuntu with no problem, and I can see the local network behind the box when I'm connected.. :p
 