OpenVPN Issues (Routing and Connection - MT and Linux)

I have an openvpn solution (Server on linux, with 2 linux clients and one mikrotik client)

All connections work perfectly to the server, but I cannot connect from one client to another (on their subnets; from the client server it does work though).
All clients can see the server subnet, and all in the VPN subnet.
So I've tried to create a VPN server on the MikroTik following the wiki, to ensure I can access the network on the MikroTik side (for some reason I cannot access the networks behind clients).
Now the MT client works fine to the Linux server, but the Linux client cannot connect to the MT server in reverse.
It would be nice to get the MT to allow me to see the network behind it (as a client); if not I will have to get the server running.

The certs are fine… (working on Linux fine)

Here are the logs for both:
MT Server:
4:14:22 ovpn,info : using encoding - AES-256-CBC/SHA1
14:15:07 ovpn,info : terminating… - peer disconnected
14:15:07 ovpn,info : disconnected
14:15:13 ovpn,info TCP connection established from 41.241.36.122
14:15:13 ovpn,info : dialing…
14:15:18 ovpn,info : using encoding - AES-256-CBC/SHA1
14:16:04 ovpn,info : terminating… - peer disconnected
14:16:04 ovpn,info : disconnected
14:16:09 ovpn,info TCP connection established from 41.241.36.122
14:16:09 ovpn,info : dialing…
14:16:14 ovpn,info : using encoding - AES-256-CBC/SHA1
14:17:00 ovpn,info : terminating… - peer disconnected
14:17:00 ovpn,info : disconnected
14:17:06 ovpn,info TCP connection established from 41.241.36.122
14:17:06 ovpn,info : dialing…
14:17:12 ovpn,info : using encoding - AES-256-CBC/SHA1
14:17:46 system,info,account user admin logged in from 41.241.36.122 via telnet
14:17:57 ovpn,info : terminating… - peer disconnected
14:17:57 ovpn,info : disconnected
14:18:02 ovpn,info TCP connection established from 41.241.36.122
14:18:02 ovpn,info : dialing…
14:18:08 ovpn,info : using encoding - AES-256-CBC/SHA1

Linux Client:

Tue Jul 1 14:14:27 2008 us=418170 [seaserver] Inactivity timeout (--ping-restart), restarting
Tue Jul 1 14:14:27 2008 us=418342 TCP/UDP: Closing socket
Tue Jul 1 14:14:27 2008 us=418399 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 1 14:14:27 2008 us=418431 Restart pause, 5 second(s)
Tue Jul 1 14:14:32 2008 us=419358 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 1 14:14:32 2008 us=419423 Re-using SSL/TLS context
Tue Jul 1 14:14:32 2008 us=419444 LZO compression initialized
Tue Jul 1 14:14:32 2008 us=419515 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jul 1 14:14:32 2008 us=745495 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul 1 14:14:32 2008 us=745587 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Tue Jul 1 14:14:32 2008 us=745614 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Tue Jul 1 14:14:32 2008 us=745642 Local Options hash (VER=V4): '958c5492'
Tue Jul 1 14:14:32 2008 us=745663 Expected Remote Options hash (VER=V4): '79ef4284'
Tue Jul 1 14:14:32 2008 us=745682 Attempting to establish TCP connection with 196.209.103.69:1196 [nonblock]
Tue Jul 1 14:14:33 2008 us=747055 TCP connection established with 196.209.103.69:1196
Tue Jul 1 14:14:33 2008 us=747097 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Jul 1 14:14:33 2008 us=747121 TCPv4_CLIENT link local: [undef]
Tue Jul 1 14:14:33 2008 us=747140 TCPv4_CLIENT link remote: 196.209.103.69:1196
Tue Jul 1 14:14:33 2008 us=747209 TCPv4_CLIENT WRITE [14] to 196.209.103.69:1196: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=0 DATA len=0
Tue Jul 1 14:14:33 2008 us=747340 TCPv4_CLIENT READ [14] from 196.209.103.69:1196: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=0 DATA len=0
Tue Jul 1 14:14:33 2008 us=747373 TLS: Initial packet from 196.209.103.69:1196, sid=2c70f55f 17de6100
Tue Jul 1 14:14:33 2008 us=747415 TCPv4_CLIENT WRITE [26] to 196.209.103.69:1196: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 0 ] pid=0 DATA len=0
Tue Jul 1 14:14:33 2008 us=825291 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 0 ]
Tue Jul 1 14:14:33 2008 us=825383 TCPv4_CLIENT WRITE [111] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=1 DATA len=97
Tue Jul 1 14:14:34 2008 us=1617 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 1 ]
Tue Jul 1 14:14:35 2008 us=712116 TCPv4_CLIENT READ [0] from 196.209.103.69:1196: DATA UNDEF len=0
Tue Jul 1 14:14:35 2008 us=713660 TCPv4_CLIENT READ [1414] from 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=1 DATA len=1400
Tue Jul 1 14:14:35 2008 us=713980 VERIFY OK: depth=0, /C=ZA/ST=WC/L=SW/O=SeaKay/CN=seaserver/emailAddress=willem@seaprop.co.za
Tue Jul 1 14:14:35 2008 us=714048 TCPv4_CLIENT WRITE [22] to 196.209.103.69:1196: P_ACK_V1 kid=0 [ 1 ]
Tue Jul 1 14:14:35 2008 us=811617 TCPv4_CLIENT READ [202] from 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=2 DATA len=188
Tue Jul 1 14:14:35 2008 us=915759 TCPv4_CLIENT WRITE [126] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 [ 2 ] pid=2 DATA len=100
Tue Jul 1 14:14:35 2008 us=915835 TCPv4_CLIENT WRITE [114] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=3 DATA len=100
Tue Jul 1 14:14:35 2008 us=915879 TCPv4_CLIENT WRITE [114] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=4 DATA len=100
Tue Jul 1 14:14:35 2008 us=915919 TCPv4_CLIENT WRITE [40] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=5 DATA len=26
Tue Jul 1 14:14:36 2008 us=493471 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 2 ]
Tue Jul 1 14:14:36 2008 us=565348 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 3 ]
Tue Jul 1 14:14:36 2008 us=565413 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 4 ]
Tue Jul 1 14:14:36 2008 us=565460 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 5 ]
Tue Jul 1 14:14:37 2008 us=689846 TCPv4_CLIENT READ [73] from 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=3 DATA len=59
Tue Jul 1 14:14:37 2008 us=690049 TCPv4_CLIENT WRITE [126] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 [ 3 ] pid=6 DATA len=100
Tue Jul 1 14:14:37 2008 us=690109 TCPv4_CLIENT WRITE [114] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=7 DATA len=100
Tue Jul 1 14:14:37 2008 us=690143 TCPv4_CLIENT WRITE [114] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=8 DATA len=100
Tue Jul 1 14:14:37 2008 us=690181 TCPv4_CLIENT WRITE [44] to 196.209.103.69:1196: P_CONTROL_V1 kid=0 pid=9 DATA len=30
Tue Jul 1 14:14:37 2008 us=771631 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 6 ]
Tue Jul 1 14:14:37 2008 us=881580 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 7 ]
Tue Jul 1 14:14:37 2008 us=881632 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 8 ]
Tue Jul 1 14:14:37 2008 us=881669 TCPv4_CLIENT READ [22] from 196.209.103.69:1196: P_ACK_V1 kid=0 [ 9 ]



MT Config:

1 name="vng" local-address=10.15.32.33 remote-address=ovpn-pool
use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default


[admin@MikroTik] /interface ovpn-server server> print
enabled: yes
port: 1196
mode: ip
netmask: 29
mac-address: FE:49:EB:F0:7D:DD
max-mtu: 1500
keepalive-timeout: disabled
default-profile: vng
certificate: cert1
require-client-certificate: no
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256

Linux Config:
dev tun
#proto tcp-client
proto tcp
client
remote 1196 # Remote OpenVPN Servername or IP address

ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key

#tls-client
port 1196

user nobody
group nobody

comp-lzo # Do not use compression. It doesn’t work with RouterOS (at least up to RouterOS 3.0rc9)

# More reliable detection when a system loses its connection.

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence the output of replay warnings, which are a common false
# alarm on WiFi networks. This option preserves the security of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.

mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose

verb 6

cipher AES-256-CBC
auth SHA1
pull

#auth-user-pass auth.cfg
log /var/log/vngclient.log

I can't use the #auth-user-pass as I need to rebuild OpenVPN on the Linux box (and as far as I know I need it to connect to the MT) :blush:

Any ideas?? :confused:

1) remove this line from the Linux config:
comp-lzo

2) uncomment this one:
auth-user-pass auth.cfg

3) and edit auth.cfg

LZO compression is not supported by RouterOS, and a username and password are required to authenticate.
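As an added example (not code from the thread, MikroTik or OpenVPN), a small shell lint that checks an OpenVPN client config for the two points in the reply above plus the "No server certificate verification method has been enabled" warning visible in the client log. It assumes a standard OpenVPN config file as input; the two sample configs are constructed from the directives posted in the thread, and `remote-cert-tls server` is the standard OpenVPN directive for verifying the server certificate (older builds use `ns-cert-type server`).

```shell
#!/bin/sh
# Added example, not the thread's or MikroTik's code: lint an OpenVPN client
# config for the RouterOS pitfalls discussed above. Only active (uncommented)
# directives count. Prints one finding per line; return code = finding count.
check_routeros_client_cfg() {
    cfg="$1"
    n=0
    # fix 1 from the reply: RouterOS OpenVPN does not support LZO
    if grep -Eq '^[[:space:]]*comp-lzo' "$cfg"; then
        echo "comp-lzo active: RouterOS does not support LZO, remove it"
        n=$((n + 1))
    fi
    # fix 2 from the reply: RouterOS expects username/password authentication
    if ! grep -Eq '^[[:space:]]*auth-user-pass' "$cfg"; then
        echo "auth-user-pass missing: RouterOS requires a username/password"
        n=$((n + 1))
    fi
    # the MITM WARNING in the client log: no server certificate check at all
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type|tls-remote)' "$cfg"; then
        echo "no server cert verification: add 'remote-cert-tls server'"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample (directives taken from the thread): the posted client
# config before the fix, then the same config with the reply's fixes applied
# plus server certificate verification.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
dev tun
proto tcp
client
comp-lzo # Do not use compression. It doesn't work with RouterOS
#auth-user-pass auth.cfg
EOF
cat > "$after" <<'EOF'
dev tun
proto tcp
client
auth-user-pass auth.cfg
remote-cert-tls server
EOF
echo "== before"; check_routeros_client_cfg "$before" || true
echo "== after";  check_routeros_client_cfg "$after"  || true
rm -f "$before" "$after"
```

The "before" run reports three findings and the "after" run none; the return code lets the check be used as a gate in a deployment script.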

Done, I get the following error.

Tue Jul 1 14:39:24 2008 us=822923 auth_user_pass_verify_script = '[UNDEF]'
Tue Jul 1 14:39:24 2008 us=822935 auth_user_pass_verify_script_via_file = DISABLED
Tue Jul 1 14:39:24 2008 us=822946 port_share_host = '[UNDEF]'
Tue Jul 1 14:39:24 2008 us=822958 port_share_port = 0
Tue Jul 1 14:39:24 2008 us=822981 client = ENABLED
Tue Jul 1 14:39:24 2008 us=822993 pull = ENABLED
Tue Jul 1 14:39:24 2008 us=823005 auth_user_pass_file = 'auth.cfg'
Tue Jul 1 14:39:24 2008 us=823022 OpenVPN 2.1_rc7 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 22 2008
Tue Jul 1 14:39:24 2008 us=823074 Sorry, 'Auth' password cannot be read from a file
Tue Jul 1 14:39:24 2008 us=823085 Exiting

"The ability to read --askpass and --auth-user-pass
passwords from a file has been disabled by default.
To re-enable, use ./configure --enable-password-save."

OK, I'm recompiling OpenVPN now, but now I'm stuck at the next step:

lzo.o: In function `lzo_compress_init': /root/openvpn-2.1_rc7/lzo.c:106: undefined reference to `__lzo_init_v2'
collect2: ld returned 1 exit status
:confused:

Most likely the LZO libraries are not installed.

Found the compile error:
add the --with-lzo-lib tag behind ./configure
e.g. ./configure --with-lzo-lib
(gcc does not find the LZO libs if you do not specify the --with-lzo-lib tag)

Compiled, installed, added the route to the new tun, and all is working great! Thanx all.

Thanx again for all the help.

I had followed this web page (http://wiki.mikrotik.com/wiki/OpenVPN) for everything.

My client has been connected to the server. I see my details and logs on both server and client,
but from my client I can't ping the VPN server IP.

Can you help me find where I missed something?

Oh yes, in the interface list it says my openvpn-client interface does not show R (running flag).
TQ
I use MK ver 3.10 on both.