Good morning guys, I'm a newbie with OpenVPN. I followed a lot of tutorials and read a lot of posts to set up my Endian Firewall OpenVPN, but I for sure made some mistakes... maybe routing??!! I don't know. The main issue is that connections to LAN hosts are missing:
sh-3.2# ping 192.168.0.30
PING 192.168.0.30 (192.168.0.30): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
Let me introduce my facility:
- Endian Firewall Community release 3.0.5beta1
- Firewall->VPN Firewall Settings: Disabled;
- Single user "keysman" configured;
Username: keysman
Password: *********
Certificate configuration: Don't change
Enabled: checked
- OpenVPN settings;
Authentication-type: PSK (username / password)
Port: 1984
Device Type: TAP
Protocol UDP;
Bridged: Checked
Bridged to: GREEN
Dynamic IP pool start: 192.168.0.240
Dynamic IP pool end: 192.168.0.250
Client to Client connections: Not allowed
Push these networks: checked
Networks: 192.168.0.0/24
Running Tunnelblick on my Mac I can connect (I think) to the VPN, and even on the server side it seems a successful connection.
Logs on client:
2017-07-10 14:27:45 *Tunnelblick: openvpnstart starting OpenVPN
2017-07-10 14:27:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-07-10 14:27:46 *Tunnelblick: Established communication with OpenVPN
2017-07-10 14:27:46 MANAGEMENT: CMD 'pid'
2017-07-10 14:27:46 MANAGEMENT: CMD 'state on'
2017-07-10 14:27:46 MANAGEMENT: CMD 'state'
2017-07-10 14:27:46 MANAGEMENT: CMD 'bytecount 1'
2017-07-10 14:27:46 MANAGEMENT: CMD 'hold release'
2017-07-10 14:27:50 MANAGEMENT: CMD 'username "Auth" "keysman"'
2017-07-10 14:27:50 MANAGEMENT: CMD 'password [...]'
2017-07-10 14:27:50 WARNING: No server certificate verification method has been enabled.
2017-07-10 14:27:50 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-07-10 14:27:50 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-07-10 14:27:50 UDPv4 link local: [undef]
2017-07-10 14:27:50 UDPv4 link remote: [AF_INET]194.183.83.122:1194
2017-07-10 14:27:50 MANAGEMENT: >STATE:1499689670,WAIT,,,
2017-07-10 14:27:50 MANAGEMENT: >STATE:1499689670,AUTH,,,
2017-07-10 14:27:50 TLS: Initial packet from [AF_INET]194.183.83.122:1194, sid=732a5403 b8cc8d25
2017-07-10 14:27:50 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-07-10 14:27:51 VERIFY OK: depth=1, C=IT, O=efw, CN=efw CA
2017-07-10 14:27:51 VERIFY OK: depth=0, C=IT, O=efw, CN=194.183.83.122
2017-07-10 14:27:52 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2017-07-10 14:27:52 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
2017-07-10 14:27:52 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2017-07-10 14:27:52 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-07-10 14:27:52 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-07-10 14:27:52 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-07-10 14:27:52 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-07-10 14:27:52 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-07-10 14:27:52 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-07-10 14:27:52 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2017-07-10 14:27:52 [194.183.83.122] Peer Connection Initiated with [AF_INET]194.183.83.122:1194
2017-07-10 14:27:53 MANAGEMENT: >STATE:1499689673,GET_CONFIG,,,
2017-07-10 14:27:54 SENT CONTROL [194.183.83.122]: 'PUSH_REQUEST' (status=1)
2017-07-10 14:27:54 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.254,route 192.168.0.0 255.255.255.0,route-gateway 192.168.0.254,ping 5,ping-restart 30,ifconfig 192.168.0.240 255.255.255.0'
2017-07-10 14:27:54 OPTIONS IMPORT: timers and/or timeouts modified
2017-07-10 14:27:54 OPTIONS IMPORT: --ifconfig/up options modified
2017-07-10 14:27:54 OPTIONS IMPORT: route options modified
2017-07-10 14:27:54 OPTIONS IMPORT: route-related options modified
2017-07-10 14:27:54 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
2017-07-10 14:27:54 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-07-10 14:27:54 Opened utun device utun1
2017-07-10 14:27:54 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-07-10 14:27:54 MANAGEMENT: >STATE:1499689674,ASSIGN_IP,,192.168.0.240,
2017-07-10 14:27:54 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-07-10 14:27:54 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-07-10 14:27:54 /sbin/ifconfig utun1 192.168.0.240 255.255.255.0 mtu 1500 netmask 255.255.255.255 up
2017-07-10 14:27:54 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1542 192.168.0.240 255.255.255.0 init
**********************************************
Start of output from client.up.tunnelblick.sh
NOTE: No network configuration changes need to be made.
WARNING: Will NOT monitor for other network configuration changes.
WARNING: Will NOT disable IPv6 settings.
DNS servers '8.8.8.8 192.168.44.1' were set manually
DNS servers '8.8.8.8 192.168.44.1' will be used for DNS queries when the VPN is active
NOTE: The DNS servers include one or more free public DNS servers known to Tunnelblick and one or more DNS servers not known to Tunnelblick. If used, the DNS servers not known to Tunnelblick may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
End of output from client.up.tunnelblick.sh
**********************************************
2017-07-10 14:27:56 *Tunnelblick: No 'connected.sh' script to execute
2017-07-10 14:27:56 MANAGEMENT: >STATE:1499689676,ADD_ROUTES,,,
2017-07-10 14:27:56 /sbin/route add -net 192.168.0.0 192.168.0.254 255.255.255.0
add net 192.168.0.0: gateway 192.168.0.254
2017-07-10 14:27:56 Initialization Sequence Completed
2017-07-10 14:27:56 MANAGEMENT: >STATE:1499689676,CONNECTED,SUCCESS,192.168.0.240,194.183.x.y
Logs on Endian:
2017-07-10 13:56:14 openvpn[2637]: OpenVPN 2.3.6 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 9 2015
2017-07-10 13:56:14 openvpn[2637]: library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.01
2017-07-10 13:56:14 openvpn[2637]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
2017-07-10 13:56:14 openvpn[2637]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-07-10 13:56:14 openvpn[2637]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
2017-07-10 13:56:14 openvpn[2637]: WARNING: file "/var/efw/vpn/ca/certs/194.183.83.122key.pem" is group or others accessible
2017-07-10 13:56:14 openvpn[2637]: TUN/TAP device tap0 opened
2017-07-10 13:56:14 openvpn[2637]: /usr/local/bin/dir.d-exec /etc/openvpn/ifup.server.d/ tap0 1500 1574 init
2017-07-10 13:56:14 openvpn[2643]: GID set to openvpn
2017-07-10 13:56:14 openvpn[2643]: UID set to openvpn
2017-07-10 13:56:14 openvpn[2643]: UDPv4 link local (bound): [undef]
2017-07-10 13:56:14 openvpn[2643]: UDPv4 link remote: [undef]
2017-07-10 13:56:14 openvpn[2643]: ifconfig_pool_read(), in="keysman,192.168.0.240", TODO: IPv6
2017-07-10 13:56:14 openvpn[2643]: succeeded -> ifconfig_pool_set()
2017-07-10 13:56:14 openvpn[2643]: Initialization Sequence Completed
2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 WARNING: "dev-type" is used inconsistently, local="dev-type tap", remote="dev-type tun"
2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1542"
2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1500"
2017-07-10 13:58:44 openvpn[2643]: 158.148.95.15:63569 [keysman] Peer Connection Initiated with [AF_INET]158.148.95.15:63569 (via [AF_INET]194.183.x.y%ppp0)
2017-07-10 13:58:44 openvpn[2643]: keysman/158.148.95.15:63569 MULTI_sva: pool returned IPv4=192.168.0.240, IPv6=(Not enabled)
2017-07-10 13:58:46 openvpn[2643]: keysman/158.148.95.15:63569 send_push_reply(): safe_cap=940
The configuration on the client is the following:
client
dev tun
proto udp
remote 194.183.x.y 1194
auth-user-pass
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
comp-lzo
verb 3
Please have a look at the attached images for VPN/Client settings and logs. Again, I think the connection was successful because, throwing ifconfig and netstat statements on the client, I get the following:
sh-3.2# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether d0:e1:40:89:cc:98
inet6 fe80::1021:a68e:860:6bda%en0 prefixlen 64 secured scopeid 0x4
inet 192.168.43.222 netmask 0xffffff00 broadcast 192.168.43.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 32:00:16:8d:20:00
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 32:00:16:8d:20:00
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 5 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 02:e1:40:89:cc:98
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether aa:bf:33:b7:59:8c
inet6 fe80::a8bf:33ff:feb7:598c%awdl0 prefixlen 64 scopeid 0x8
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::ba77:3719:8f70:6c86%utun0 prefixlen 64 scopeid 0x9
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.240 --> 255.255.255.0 netmask 0xffffffff
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.43.1 UGSc 196 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 6 27494 lo0
169.254 link#4 UCS 0 0 en0
192.168.0 192.168.0.254 UGSc 0 0 en0
192.168.43 link#4 UCS 1 0 en0
192.168.43.1/32 link#4 UCS 1 0 en0
192.168.43.1 2:1a:11:f2:1e:1 UHLWIir 196 24 en0 1194
192.168.43.222/32 link#4 UCS 1 0 en0
192.168.43.222 d0:e1:40:89:cc:98 UHLWI 0 1 lo0
192.168.43.255 ff:ff:ff:ff:ff:ff UHLWbI 0 3 en0
224.0.0/4 link#4 UmCS 2 0 en0
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI 0 12 en0
255.255.255.0 192.168.0.240 UH 0 0 utun1
255.255.255.255/32 link#4 UCS 0 0 en0
Please help me to understand what kind of mistake I'm making. If I forgot some details, please ask me for them.
Cheers
Christian
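As an added example (not part of Christian's post or of Endian's code), here is a small Python checker that reads the client log lines quoted above and reports the settings that explain both the symptom and the security warnings: the dev-type mismatch, the netmask pushed as a tun peer address (which is why the 192.168.0.0/24 route ends up on en0 instead of utun1), BF-CBC, the missing server-certificate verification and the 1024-bit RSA key. The log excerpt is constructed from the post; 'remote-cert-tls server' and AES-256-CBC are standard OpenVPN options, named here as assumptions about the fix rather than anything the post confirms.

```python
import ipaddress
import re

# Constructed excerpt of the Tunnelblick client log quoted in the post (not the complete log).
CLIENT_LOG = """\
2017-07-10 14:27:50 WARNING: No server certificate verification method has been enabled.
2017-07-10 14:27:52 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2017-07-10 14:27:52 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-07-10 14:27:52 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2017-07-10 14:27:54 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.254,route 192.168.0.0 255.255.255.0,ping 5,ifconfig 192.168.0.240 255.255.255.0'
"""

# Ciphers with a 64-bit block size, the class the SWEET32 warning in the log is about.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def is_netmask(value: str) -> bool:
    """True if value is a contiguous netmask (e.g. 255.255.255.0), i.e. not a usable peer address."""
    try:
        mask = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    host_bits = ~mask & 0xFFFFFFFF          # ones must be a single trailing run
    return mask != 0 and (host_bits & (host_bits + 1)) == 0

def analyze(log: str) -> dict:
    """Map each misconfiguration visible in an OpenVPN client log to a short explanation."""
    findings = {}
    m = re.search(r"local='dev-type (\w+)', remote='dev-type (\w+)'", log)
    local_dev = m.group(1) if m else None
    if m:
        findings["dev_type_mismatch"] = (f"client uses dev {m.group(1)} but the server uses dev "
                                         f"{m.group(2)}; a bridged TAP server needs 'dev tap' on the client")
    p = re.search(r"PUSH_REPLY,([^']*)'", log)
    for opt in (p.group(1).split(",") if p else []):
        parts = opt.split()
        # On a tun client the 2nd ifconfig argument is the peer address; a netmask there is the tap-style push.
        if len(parts) == 3 and parts[0] == "ifconfig" and local_dev == "tun" and is_netmask(parts[2]):
            findings["netmask_as_peer"] = (f"tun client got 'ifconfig {parts[1]} {parts[2]}': the netmask "
                                           "becomes the point-to-point peer, so the LAN route never uses the tunnel")
    c = re.search(r"Cipher '([^']+)' initialized", log)
    if c and c.group(1) in SMALL_BLOCK_CIPHERS:
        findings["weak_cipher"] = f"{c.group(1)} has a 64-bit block (SWEET32); move to AES-256-CBC or newer"
    if "No server certificate verification method" in log:
        findings["no_server_verification"] = "add 'remote-cert-tls server' so the client verifies the server's role"
    r = re.search(r"(\d+) bit RSA", log)
    if r and int(r.group(1)) < 2048:
        findings["weak_rsa"] = f"{r.group(1)}-bit RSA on the control channel; reissue server/CA keys with 2048+ bits"
    return findings
```

Run analyze(CLIENT_LOG) and print the returned dict; on the excerpt above all five findings fire, while a log from a tap client with a 128-bit-block cipher and remote-cert-tls set returns none of them.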