politick
newbie
Topic Author
Posts: 43
Joined: Sat Jul 14, 2012 9:41 am

ovpn - Open VPN Server on RB2011. Can't make it work...

Sat Jul 27, 2013 3:00 am

It's been a difficult journey...

my setup:
RB2011 as ovpn server
desktop as OpenVPN client using OpenVpnGui. I have OpenVPN Gui working with my home Ubuntu Gateway.


I've tried:
http://itsavedmyass.cyprusmania.net/rem ... -7-client/
http://wiki.mikrotik.com/wiki/OpenVPN

I did not try:
http://wiki.mikrotik.com/wiki/OpenVPN_C ... ep_by_Step

I think that this is at least one problem in my script:
/interface bridge port add interface=$Eth1Name bridge=vpn-bridge
but I can't put "interface=bridge" for some reason. I would expect that I need to bridge with all the other ethernet devices that are part of the intranet...

This is my setup script to run with a DEFAULT RB2011 configuration:
#--- BEFORE THIS IS RUN YOU MUST IMPORT certificates for VPN
# sftp to 192.168.88.1 : RemoteNode.crt, RemoteNode.pem, ca.crt
# ssh  to 192.168.88.1 :
#   /certificate
#   import file=RemoteNode.crt
#   import file=RemoteNode.pem
#   import file=ca.crt


/
#-- Set this manually for each computer
global MachineIp     172.20.66.2
global MachineMask   255.255.192.0
# global MachineDns  172.20.64.1
 
#-- This should be fixed for all RB2011
global IntranetIp   192.168.77.1
global IntranetMask 255.255.255.0
global IntranetDhcp 192.168.77.0/24
global DhcpdRange   192.168.77.200-192.168.77.254
global Computer1    192.168.77.2
global Computer2    192.168.77.3
global Voip         192.168.77.10
global Eth1Name     eth1-gw

#--- Renaming Interfaces
/interface set ether1-gateway name=$Eth1Name 
/interface set ether2 name="eth2" 
/interface set ether3 name="eth3" 
/interface set ether4 name="eth4" 
/interface set ether5 name="eth5" 
/interface set ether6 name="eth6" 
/interface set ether7 name="eth7" 
/interface set ether8 name="eth8" 
/interface set ether9 name="eth9" 
/interface set ether10 name="eth10"


/interface set bridge name="bridge"

 
 
/ip address add address $IntranetIp netmask $IntranetMask interface bridge    comment="RB2011 Intranet";
/ip address add address $MachineIp  netmask $MachineMask  interface $Eth1Name comment="RB2011 Public";


#--- DHCP Client --- Don't ask for an IP address on the wireless network $Eth1Name
/ip dhcp-client
:foreach k in=[/ip dhcp-client find] do={
              remove $k 
           }

 
#--- dhcpd --- DHCP SERVER on Intranet 
/ip pool
:foreach k in=[/ip pool find] do={
              remove $k 
           }
/ip pool add name=DHCPd ranges=$DhcpdRange
 
 

#--- Change default DHCP IP address range so we know the RB2011 config is applied
/ip dhcp-server
:foreach k in=[/ip dhcp-server find] do={
              remove $k 
           }
/ip dhcp-server network
:foreach k in=[/ip dhcp-server network find] do={
              remove $k 
           }
/ip dhcp-server add interface=bridge address-pool=DHCPd authoritative=yes disabled=no name=dhcpd
/ip dhcp-server network add address $IntranetDhcp dns-server $IntranetIp domain RB2011.com gateway $IntranetIp
 
#--- DNS
/ip dns static 
:foreach k in=[/ip dns static find] do={
              remove $k 
           }
add address=$IntranetIp disabled=no name=router
 



#--- Disable SIP from service ports ---
/ip firewall service-port
:foreach k in=[/ip firewall service-port find name~"sip"] do={
              :put [/ip firewall service-port get $k ports]
              disable $k 
           }

#--- Setup VPN --- 
/certificate import file-name=RemoteNode.crt

/certificate import file-name=RemoteNode.pem

/certificate import file-name=ca.crt

/certificate print





#--- Setup VPN Networking --------------------
#--- Create a bridge called VPN-Bridge and put an Interface as part of it
/interface bridge add name=vpn-bridge
#--- I think this is wrong... I think interface should be the bridge that bridges all my InTRAnet together ???
/interface bridge port add interface=$Eth1Name bridge=vpn-bridge

#--- Setup the local IP address that the RB2011 will use to communicate with the computers on the VPN
/ip address add address=192.168.99.1/24 interface=vpn-bridge    comment="Vpn LAN"
#--- Tell RouterOS that it can reach other VPN computers through its local VPN IP Address
/ip route   add dst-address=192.168.99.0/24 gateway=192.168.99.1 comment="VPN Lan"
#--- Tell RouterOS that the default Internet gateway is through its internal Intranet IP Address
/ip route   add gateway=192.168.77.1                            comment="Internet Gateway"

#--- Setup VPN DHCPd addresses---------------
/ip pool    add name=vpn-pool ranges=192.168.99.100-192.168.99.111

#--- OK, not really sure what this does... I copied it from Mikrotik. Says it's adding a VPN user
/ppp profile add comment="Vpn Profile" local-address=192.168.99.1 name="RemoteNode" remote-address=vpn-pool use-encryption=required 

#--- Put a username and password for this user ---
/ppp secret add name="Wenco" password="VerySecret" \
   caller-id="" comment="" disabled=no  \
   routes="" service=any profile="RemoteNode"

#--- Tie the "VPN User" to the "oVPN Server".  I think... but not sure.  Copied this again from Mikrotik
/interface ovpn-server add name=ovpn-username user="Wenco"
#--- I can't even fathom why I need to bridge a user with the vpn-bridge... Copied this from Mikrotik
/interface bridge port add interface=ovpn-username bridge=vpn-bridge

#--- Configure the VPN Server and set it to use the above profile that we've just configured
/interface ovpn-server server 
set auth=sha1,md5 certificate=cert1 \
cipher=blowfish128,aes128,aes192,aes256 default-profile="RemoteNode" \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ethernet netmask=24 \
port=1194 require-client-certificate=no



#--- These were part of the first simple attempt documented at the first link I tried
#/ppp secret  add name=Wenco password="VerySecret" profile=ovpn service=ovpn
#/interface ovpn-server add name=ovpn user=Wenco
#/interface ovpn-server server set default-profile=ovpn enabled=yes mode=ethernet netmask=24 require-client-certificate=no certificate=cert1

:foreach k in=[/ip firewall filter find] do={
   :local tmpvar [/ip firewall filter get $k in-interface];
   :if ($tmpvar~$Eth1Name) do={
   :put "Removing $k";
    /ip firewall filter remove $k
   }
}


#--- Accept the port forwarding packets
/ip firewall filter add action=accept chain=input disabled=no protocol=tcp dst-port=1194        comment="OpenVPN"
/ip firewall filter add action=accept chain=input disabled=no protocol=tcp dst-port=3388-3389   comment="RemoteDesktop"
/ip firewall filter add action=accept chain=input disabled=no protocol=tcp dst-port=25000-26055 comment="Computer1" 
/ip firewall filter add action=accept chain=input disabled=no protocol=udp dst-port=32100       comment="RTK" 

#--- Secure the rest of the ports from the radio ----------------
/ip firewall filter add action=drop   chain=input comment="Radio"     disabled=no in-interface=$Eth1Name


 
#--- Set port forwarding
/ip firewall nat
#--- Remote Desktop 
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=3389 to-ports=3389 to-addresses=$Computer1 in-interface=$Eth1Name protocol=tcp comment=Computer1.Remote.Desktop
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=3388 to-ports=3389 to-addresses=$Computer2 in-interface=$Eth1Name protocol=tcp comment=Computer2.Remote.Desktop
#--- Computer1 ports
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=26000-26055 to-ports=26000-26055 to-addresses=$Computer1 in-interface=$Eth1Name protocol=tcp comment=Computer1
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=25000-25009 to-ports=25000-25009 to-addresses=$Computer1 in-interface=$Eth1Name protocol=tcp comment=Computer1
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=32100 to-ports=32100 to-addresses=$Computer1 in-interface=$Eth1Name protocol=udp comment=RTK
#--- Voip SIP phone: Cisco 7960
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=5060 to-ports=5060 to-addresses=$Voip in-interface=$Eth1Name protocol=udp comment=Cisco.sip.7960
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=30000-31000 to-ports=30000-31000 to-addresses=$Voip in-interface=$Eth1Name protocol=udp comment=Cisco.rtp.7960
 

#--- Removing all IP addresses except "192.168.77.x" and $MachineIp    
/ip address
:foreach k in=[/ip address find] do={
   :local tmpvar [/ip address get $k address];
   :if (!($tmpvar~"192.168.77*") and !($tmpvar~$MachineIp."*") and !($tmpvar~"192.168.99*") ) do={
      :put "Removing $tmpvar"
      /ip address remove $k
   }
}





OpenVPN configuration:
##############################################
# Sample client-side OpenVPN 2.0 config file #
##############################################


tls-client

client
proto tcp-client
dev tap
remote 172.20.66.2 1194
resolv-retry infinite
nobind
persist-key
tls-client

ca "C:\\Program Files (x86)\\OpenVPN\\Key\\RB2011\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\Key\\RB2011\\User1.crt"
key "C:\\Program Files (x86)\\OpenVPN\\Key\\RB2011\\User1.key"

ping 10
verb 3

cipher AES-256-CBC
auth SHA1
pull

;auth-user-pass "C:\\Program Files (x86)\\OpenVPN\\Key\\RB2011\\auth.cfg"
;script-security 2 system
;route-up "route add LAN-IP mask 255.255.255.0 192.168.99.1"



Output from OpenVPN Gui:
Fri Jul 26 15:54:29 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Jul 26 15:54:29 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:54:29 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:54:29 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:54:33 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jul 26 15:54:33 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:54:33 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:54:33 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:54:33 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:54:33 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:54:33 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:54:54 2013 TCP: connect to 172.20.66.2:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Fri Jul 26 15:54:59 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:54:59 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:54:59 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:54:59 2013 TLS: Initial packet from 172.20.66.2:1194, sid=6c75ca7b 76997723
Fri Jul 26 15:55:00 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:00 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:00 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:00 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:00 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:00 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:05 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:05 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:05 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:05 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:05 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:05 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:05 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:05 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:05 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:05 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:05 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:05 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:05 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:05 2013 TLS: Initial packet from 172.20.66.2:1194, sid=b396bae6 6f71dca0
Fri Jul 26 15:55:06 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:06 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:06 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:06 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:06 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:06 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:11 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:11 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:11 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:11 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:11 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:11 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:11 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:11 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:11 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:11 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:11 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:11 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:11 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:11 2013 TLS: Initial packet from 172.20.66.2:1194, sid=29391202 a8e70ea3
Fri Jul 26 15:55:12 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:12 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:12 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:12 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:12 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:12 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:17 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:17 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:17 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:17 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:17 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:17 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:17 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:17 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:17 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:17 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:17 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:17 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:17 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:17 2013 TLS: Initial packet from 172.20.66.2:1194, sid=185efb23 c12cadbc
Fri Jul 26 15:55:18 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:18 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:18 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:18 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:18 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:18 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:23 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:23 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:23 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:23 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:23 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:23 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:23 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:23 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:23 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:23 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:23 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:23 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:23 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:23 2013 TLS: Initial packet from 172.20.66.2:1194, sid=cf70fc06 8eb5e243
Fri Jul 26 15:55:24 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:24 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:24 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:24 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:24 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:24 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:29 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:29 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:29 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:29 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:29 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:29 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:29 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:29 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:29 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:29 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:29 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:29 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:29 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:29 2013 TLS: Initial packet from 172.20.66.2:1194, sid=9b6698b4 3858dac1
Fri Jul 26 15:55:30 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:30 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:31 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:31 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:31 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:31 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:36 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:36 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:36 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:36 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:36 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:36 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:36 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:36 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:36 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:36 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:36 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:36 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:36 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:36 2013 TLS: Initial packet from 172.20.66.2:1194, sid=269eca11 9a2bd0fa
Fri Jul 26 15:55:36 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:36 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:37 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:37 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:37 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:37 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:42 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:42 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:42 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:42 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:42 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:42 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:42 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:42 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:42 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:42 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:42 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:42 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:42 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:42 2013 TLS: Initial packet from 172.20.66.2:1194, sid=5163f1e3 b0e43c3b
Fri Jul 26 15:55:42 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:42 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:43 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:43 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:43 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:43 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:48 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:48 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:48 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:48 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:48 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:48 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:48 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:48 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:48 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:48 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:48 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:48 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:48 2013 TLS: Initial packet from 172.20.66.2:1194, sid=6bee3997 69071497
Fri Jul 26 15:55:48 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:48 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:49 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:49 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:49 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:49 2013 Restart pause, 5 second(s)
Fri Jul 26 15:55:54 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:55:54 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:55:54 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:55:54 2013 Re-using SSL/TLS context
Fri Jul 26 15:55:54 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:55:54 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:55:54 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:55:54 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:55:54 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:55:54 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:55:54 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:55:54 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:55:54 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:55:54 2013 TLS: Initial packet from 172.20.66.2:1194, sid=04eaaff6 813cd470
Fri Jul 26 15:55:54 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:55:54 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:55:55 2013 Connection reset, restarting [0]
Fri Jul 26 15:55:55 2013 TCP/UDP: Closing socket
Fri Jul 26 15:55:55 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:55:55 2013 Restart pause, 5 second(s)
Fri Jul 26 15:56:00 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:56:00 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:56:00 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:56:00 2013 Re-using SSL/TLS context
Fri Jul 26 15:56:00 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:56:00 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:56:00 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:56:00 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:56:00 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:56:00 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:56:00 2013 TCP connection established with 172.20.66.2:1194
Fri Jul 26 15:56:00 2013 TCPv4_CLIENT link local: [undef]
Fri Jul 26 15:56:00 2013 TCPv4_CLIENT link remote: 172.20.66.2:1194
Fri Jul 26 15:56:00 2013 TLS: Initial packet from 172.20.66.2:1194, sid=9411e8ca 04b3313a
Fri Jul 26 15:56:01 2013 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=Wenco/CN=WencoCanada/name=WencoCanada/emailAddress=politick@gmail.com
Fri Jul 26 15:56:01 2013 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Wenco/OU=RemoteNode/CN=RB2011/name=RB2011/emailAddress=politick@gmail.com
Fri Jul 26 15:56:01 2013 Connection reset, restarting [0]
Fri Jul 26 15:56:01 2013 TCP/UDP: Closing socket
Fri Jul 26 15:56:01 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jul 26 15:56:01 2013 Restart pause, 5 second(s)
Fri Jul 26 15:56:06 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Jul 26 15:56:06 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 26 15:56:06 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 26 15:56:06 2013 Re-using SSL/TLS context
Fri Jul 26 15:56:06 2013 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jul 26 15:56:06 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jul 26 15:56:06 2013 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Fri Jul 26 15:56:06 2013 Local Options hash (VER=V4): 'b60e7885'
Fri Jul 26 15:56:06 2013 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Fri Jul 26 15:56:06 2013 Attempting to establish TCP connection with 172.20.66.2:1194
Fri Jul 26 15:56:06 2013 TCP/UDP: Closing socket
Fri Jul 26 15:56:06 2013 SIGTERM[hard,init_instance] received, process exiting

Any help would be GREATLY appreciated...
I've spent the week on this...

Kind Regards,
Martin Politick.
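Three of the warnings in the OpenVPN GUI output above can be read straight off the client config without connecting anywhere. The following Python is an added example, not code from the post, from OpenVPN or from MikroTik: it parses an OpenVPN 2.x client config, flags the missing server-certificate verification directive (the "No server certificate verification method" MITM warning), a bare `ping` with no `ping-restart`/`ping-exit`, an `auth-user-pass` without `auth-nocache`, and repeated directives (`tls-client` appears twice, and `client` already implies it), then writes a hardened copy. The embedded config is the one from the post with the Windows paths shortened; the finding names and the `keepalive 10 60` choice are my own.

```python
"""Static audit of an OpenVPN client config for the weaknesses the GUI log warned about."""
from __future__ import annotations

from collections import Counter

# Constructed sample: the client config from the post, Windows paths shortened.
SAMPLE_CONFIG = r"""
tls-client
client
proto tcp-client
dev tap
remote 172.20.66.2 1194
resolv-retry infinite
nobind
persist-key
tls-client
ca "C:\\OpenVPN\\Key\\RB2011\\ca.crt"
cert "C:\\OpenVPN\\Key\\RB2011\\User1.crt"
key "C:\\OpenVPN\\Key\\RB2011\\User1.key"
ping 10
verb 3
cipher AES-256-CBC
auth SHA1
pull
;auth-user-pass "C:\\OpenVPN\\Key\\RB2011\\auth.cfg"
"""

# Any of these makes the client check that the peer is a *server*, not just CA-signed.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type", "tls-remote"}


def parse_config(text: str) -> list[tuple[str, str]]:
    """Return (directive, argument-string) pairs; lines starting with '#' or ';' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def audit(text: str) -> list[str]:
    """Return finding ids (my own names) in a stable order."""
    entries = parse_config(text)
    names = {d for d, _ in entries}
    findings = []
    # Log: "No server certificate verification method has been enabled" (MITM risk):
    # the chain is checked against ca.crt, but any CA-signed cert would be accepted as the server.
    if ("client" in names or "tls-client" in names) and not names & SERVER_VERIFY:
        findings.append("no-server-cert-verification")
    # Log: "--ping should normally be used with --ping-restart or --ping-exit".
    if "ping" in names and not names & {"ping-restart", "ping-exit", "keepalive"}:
        findings.append("ping-without-restart")
    # Log: "this configuration may cache passwords in memory -- use the auth-nocache option".
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("password-cache")
    # Directives given more than once (harmless for tls-client, but a sign of copy-paste drift).
    counts = Counter(d for d, _ in entries)
    findings.extend(f"duplicate:{d}" for d in sorted(d for d, n in counts.items() if n > 1))
    return findings


def harden(text: str) -> str:
    """Return a copy of the config with every audit finding addressed."""
    findings = set(audit(text))
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        key = line.split(None, 1)[0] if line and line[0] not in "#;" else None
        if key is not None:
            if key in seen:                       # drop repeated directives
                continue
            seen.add(key)
            if key == "ping" and "ping-without-restart" in findings:
                interval = line.split()[1]
                out.append(f"keepalive {interval} 60")  # ping + ping-restart in one directive
                continue
        out.append(raw)
    if "no-server-cert-verification" in findings:
        out.append("remote-cert-tls server")      # peer cert must carry the serverAuth EKU
    if "password-cache" in findings:
        out.append("auth-nocache")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_CONFIG))
    print(harden(SAMPLE_CONFIG))
```

`remote-cert-tls server` makes the client reject a peer certificate that lacks the TLS Web Server Authentication extended key usage, so check that the RB2011's certificate was issued with that EKU before rolling the option out; if it was not, the client fails at the VERIFY step, which is a different symptom from the "Connection reset" after VERIFY OK shown in the log.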
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: ovpn - Open VPN Server on RB2011. Can't make it work...

Mon Jul 29, 2013 10:06 pm

Looks to me like the RB2011 terminates the connection. Better look into the log on that side, too.
 
politick
newbie
Topic Author
Posts: 43
Joined: Sat Jul 14, 2012 9:41 am

Re: ovpn - Open VPN Server on RB2011. Can't make it work...

Tue Jul 30, 2013 11:40 pm

Here you go, but there's not much here.
I don't know if there's a way to bump up the verbosity for ovpnd.
Although a strange thing is that it says "dialing...", as if it were a VPN client...
Like I said in my script comments, I don't really understand the VPN server commands;
they are very unnatural to me.

As the log shows, I've reset the time so the certificate date range is valid.
And worth mentioning, I've got cert1 and cert2 showing up as certificates, and cert1 has the KR status in front of it.

57 items
#   Time   Buffer   Topics   Message
0	Jan/01/1970 16:00:06	memory	system, info	router rebooted	
1	Jan/01/1970 16:00:10	memory	interface, info	eth1-gw link up (speed 100M, full duplex)	
2	Jan/01/1970 16:00:11	memory	interface, info	eth5 link up (speed 1000M, full duplex)	
3	Jan/01/1970 16:00:18	memory	system, info, account	user admin logged in from 192.168.77.254 via web	
4	Jul/30/2013 16:04:08	memory	system, info	system time zone settings changed by admin	
5	Jul/30/2013 16:04:09	memory	system, info	system time zone settings changed by admin	
6	Jul/30/2013 16:04:40	memory	ovpn, info	TCP connection established from 172.20.66.5	
7	Jul/30/2013 16:04:40	memory	ovpn, info	<ovpn-0>: dialing...	
8	Jul/30/2013 16:04:41	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
9	Jul/30/2013 16:04:46	memory	ovpn, info	TCP connection established from 172.20.66.5	
10	Jul/30/2013 16:04:46	memory	ovpn, info	<ovpn-0>: dialing...	
11	Jul/30/2013 16:04:48	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
12	Jul/30/2013 16:04:53	memory	ovpn, info	TCP connection established from 172.20.66.5	
13	Jul/30/2013 16:04:53	memory	ovpn, info	<ovpn-0>: dialing...	
14	Jul/30/2013 16:04:53	memory	ovpn, info	<ovpn-0>: terminating... - peer disconnected	
15	Jul/30/2013 16:04:53	memory	ovpn, info	<ovpn-0>: disconnected	
16	Jul/30/2013 19:50:19	memory	ovpn, info	TCP connection established from 172.20.66.5	
17	Jul/30/2013 19:50:19	memory	ovpn, info	<ovpn-0>: dialing...	
18	Jul/30/2013 19:50:20	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
19	Jul/30/2013 19:50:25	memory	ovpn, info	TCP connection established from 172.20.66.5	
20	Jul/30/2013 19:50:25	memory	ovpn, info	<ovpn-0>: dialing...	
21	Jul/30/2013 19:50:26	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
22	Jul/30/2013 19:50:32	memory	ovpn, info	TCP connection established from 172.20.66.5	
23	Jul/30/2013 19:50:32	memory	ovpn, info	<ovpn-0>: dialing...	
24	Jul/30/2013 19:50:33	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
25	Jul/30/2013 19:50:38	memory	ovpn, info	TCP connection established from 172.20.66.5	
26	Jul/30/2013 19:50:38	memory	ovpn, info	<ovpn-0>: dialing...	
27	Jul/30/2013 19:50:39	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
28	Jul/30/2013 19:50:44	memory	ovpn, info	TCP connection established from 172.20.66.5	
29	Jul/30/2013 19:50:44	memory	ovpn, info	<ovpn-0>: dialing...	
30	Jul/30/2013 19:50:45	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
31	Jul/30/2013 19:50:50	memory	ovpn, info	TCP connection established from 172.20.66.5	
32	Jul/30/2013 19:50:50	memory	ovpn, info	<ovpn-0>: dialing...	
33	Jul/30/2013 19:50:51	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
34	Jul/30/2013 19:50:56	memory	ovpn, info	TCP connection established from 172.20.66.5	
35	Jul/30/2013 19:50:56	memory	ovpn, info	<ovpn-0>: dialing...	
36	Jul/30/2013 19:50:57	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
37	Jul/30/2013 19:50:58	memory	system, info, account	user admin logged in from 192.168.77.254 via web	
38	Jul/30/2013 19:51:02	memory	ovpn, info	TCP connection established from 172.20.66.5	
39	Jul/30/2013 19:51:02	memory	ovpn, info	<ovpn-0>: dialing...	
40	Jul/30/2013 19:51:03	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
41	Jul/30/2013 19:51:08	memory	ovpn, info	TCP connection established from 172.20.66.5	
42	Jul/30/2013 19:51:08	memory	ovpn, info	<ovpn-0>: dialing...	
43	Jul/30/2013 19:51:09	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
44	Jul/30/2013 19:51:14	memory	ovpn, info	TCP connection established from 172.20.66.5	
45	Jul/30/2013 19:51:14	memory	ovpn, info	<ovpn-0>: dialing...	
46	Jul/30/2013 19:51:16	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
47	Jul/30/2013 19:51:21	memory	ovpn, info	TCP connection established from 172.20.66.5	
48	Jul/30/2013 19:51:21	memory	ovpn, info	<ovpn-0>: dialing...	
49	Jul/30/2013 19:51:22	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
50	Jul/30/2013 19:51:27	memory	ovpn, info	TCP connection established from 172.20.66.5	
51	Jul/30/2013 19:51:27	memory	ovpn, info	<ovpn-0>: dialing...	
52	Jul/30/2013 19:51:28	memory	ovpn, info	<ovpn-0>: using encoding - AES-256-CBC/SHA1	
53	Jul/30/2013 19:51:33	memory	ovpn, info	TCP connection established from 172.20.66.5	
54	Jul/30/2013 19:51:33	memory	ovpn, info	<ovpn-0>: dialing...	
55	Jul/30/2013 19:51:33	memory	ovpn, info	<ovpn-0>: terminating... - peer disconnected	
56	Jul/30/2013 19:51:33	memory	ovpn, info	<ovpn-0>: disconnected	
Kind Regards
Martin Politick.
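The log above shows the same shape over and over: the peer opens a TCP connection, the server logs "dialing..." and "using encoding", and roughly six seconds later the peer opens a fresh connection instead of the session progressing. That pattern (the client restarting the handshake rather than the server finishing it) is the thing worth detecting mechanically when you are staring at a RouterOS log export. The script below is an added example written for this thread, not code from the original post or from MikroTik; it parses the tab-separated Webfig log lines quoted above, groups them into per-peer connection attempts, and reports a retry loop when a peer keeps reconnecting within a short window without any attempt getting past cipher negotiation. The sample input is copied from the post; the second, healthy sample is constructed, and its final "<ovpn-0>: connected" line is an assumed success marker (RouterOS's exact wording for a completed session is not shown on this page), as are the 30 s window and the three-attempt threshold.

```python
import re
import statistics
from datetime import datetime

# Lines 6-15 of the log posted above (tab-separated fields: index, time, buffer, topics, message).
SAMPLE_LOG = (
    "6\tJul/30/2013 16:04:40\tmemory\tovpn, info\tTCP connection established from 172.20.66.5\n"
    "7\tJul/30/2013 16:04:40\tmemory\tovpn, info\t<ovpn-0>: dialing...\n"
    "8\tJul/30/2013 16:04:41\tmemory\tovpn, info\t<ovpn-0>: using encoding - AES-256-CBC/SHA1\n"
    "9\tJul/30/2013 16:04:46\tmemory\tovpn, info\tTCP connection established from 172.20.66.5\n"
    "10\tJul/30/2013 16:04:46\tmemory\tovpn, info\t<ovpn-0>: dialing...\n"
    "11\tJul/30/2013 16:04:48\tmemory\tovpn, info\t<ovpn-0>: using encoding - AES-256-CBC/SHA1\n"
    "12\tJul/30/2013 16:04:53\tmemory\tovpn, info\tTCP connection established from 172.20.66.5\n"
    "13\tJul/30/2013 16:04:53\tmemory\tovpn, info\t<ovpn-0>: dialing...\n"
    "14\tJul/30/2013 16:04:53\tmemory\tovpn, info\t<ovpn-0>: terminating... - peer disconnected\n"
    "15\tJul/30/2013 16:04:53\tmemory\tovpn, info\t<ovpn-0>: disconnected\n"
)

# Constructed healthy session for comparison. The ": connected" line is an ASSUMED success
# marker, not taken from the thread; adjust it to whatever your RouterOS version actually logs.
HEALTHY_LOG = (
    "0\tJul/30/2013 20:00:00\tmemory\tovpn, info\tTCP connection established from 192.0.2.10\n"
    "1\tJul/30/2013 20:00:00\tmemory\tovpn, info\t<ovpn-0>: dialing...\n"
    "2\tJul/30/2013 20:00:01\tmemory\tovpn, info\t<ovpn-0>: using encoding - AES-256-CBC/SHA1\n"
    "3\tJul/30/2013 20:00:01\tmemory\tovpn, info\t<ovpn-0>: connected\n"
)

LINE_RE = re.compile(
    r"^\d+\t(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\t\w+\t(?P<topics>[^\t]+)\t(?P<msg>.*)$"
)
TS_FMT = "%b/%d/%Y %H:%M:%S"

# Handshake progress as seen from the server side; anything below CONNECTED is "stalled".
STAGE_TCP, STAGE_DIALING, STAGE_ENCODING, STAGE_CONNECTED = 1, 2, 3, 4


def parse(text):
    """Return [(timestamp, message)] for every line carrying the 'ovpn' topic."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip("\t "))
        if m and "ovpn" in m.group("topics"):
            events.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("msg").strip()))
    return events


def split_attempts(events):
    """Group ovpn events into attempts; each 'TCP connection established' starts a new one."""
    attempts, cur = [], None
    for ts, msg in events:
        m = re.match(r"TCP connection established from (\S+)", msg)
        if m:
            cur = {"peer": m.group(1), "start": ts, "stage": STAGE_TCP, "ended_by_peer": False}
            attempts.append(cur)
            continue
        if cur is None:
            continue  # interface message before any TCP session; nothing to attach it to
        if "dialing" in msg:
            cur["stage"] = max(cur["stage"], STAGE_DIALING)
        elif "using encoding" in msg:
            cur["stage"] = max(cur["stage"], STAGE_ENCODING)
        elif re.search(r":\s*connected$", msg):  # does not match ": disconnected"
            cur["stage"] = max(cur["stage"], STAGE_CONNECTED)
        elif "terminating" in msg and "peer disconnected" in msg:
            cur["ended_by_peer"] = True
    return attempts


def analyse(text, max_gap_s=30.0, min_attempts=3):
    """Per-peer summary; 'retry_loop' is set when the peer keeps reconnecting quickly
    and no attempt ever reached the connected stage (assumed thresholds)."""
    by_peer = {}
    for a in split_attempts(parse(text)):
        by_peer.setdefault(a["peer"], []).append(a)
    report = {}
    for peer, alist in by_peer.items():
        gaps = [(b["start"] - a["start"]).total_seconds() for a, b in zip(alist, alist[1:])]
        stalled = sum(1 for a in alist if a["stage"] < STAGE_CONNECTED)
        report[peer] = {
            "attempts": len(alist),
            "stalled": stalled,
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "peer_gave_up": any(a["ended_by_peer"] for a in alist),
            "retry_loop": len(alist) >= min_attempts
            and stalled == len(alist)
            and all(g <= max_gap_s for g in gaps),
        }
    return report


if __name__ == "__main__":
    for name, text in (("thread log", SAMPLE_LOG), ("healthy (constructed)", HEALTHY_LOG)):
        print(name, analyse(text))
```

On the thread's own lines this reports three attempts from 172.20.66.5, all stalled after "using encoding", a median gap of 6.5 s, and the final "peer disconnected", i.e. the client, not the router, is abandoning each handshake partway through. That points the investigation at what the client checks right after cipher negotiation (the server certificate, its validity dates relative to the router's clock, and the CA it chains to), which is exactly where the poster's certificate and clock fiddling above belongs.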
 
log
Member Candidate
Posts: 105
Joined: Fri May 28, 2010 11:37 am

Re: ovpn - Open VPN Server on RB2011. Can't make it work...

Wed Jul 31, 2013 11:39 am

Have you tried to reboot the RB? I had such problems a few times: after I configured ovpn it didn't work until I rebooted the RB (mine was an RB750 on ROS 5.25).
Weird, but the first time I lost three days solving it ...
 
politick
newbie
Topic Author
Posts: 43
Joined: Sat Jul 14, 2012 9:41 am

Re: ovpn - Open VPN Server on RB2011. Can't make it work...

Thu Aug 01, 2013 12:56 am

Hi,
No, I had not retried. Now I have, twice.
Actually, the first time I forgot to re-set the time to "today" so the certificates would be valid, but I did on the second try and I observed the same behavior.

Does anyone know if the VPN server is supposed to "dial"?
ovpn, info <ovpn-0>: dialing...

I've added a logging entry for ovpn in the logging,
but I'm not getting any more logs than what is there by default.

I've also tried to change my "public VPN IP" away from the 172.16.0.0/12 range, as this subnet is for intranets,
in case there was some logic not to use it as a valid VPN entry point ...
But that did not change anything.

Kind Regards,
Martin Politick
