OpenVPN GUI 2.0 client keeps disconnecting right after conne


This topic contains 29 replies, has 0 voices, and was last updated by  DrmCa 3 years, 2 months ago.

Viewing 15 posts - 16 through 30 (of 31 total)
  • #54083

    DrmCa
    Participant

    There are not enough words to express how much I appreciate your help in this matter. You’ve made this complex thing simple and were very patient with my learning curve. Thank you, redfive!!!

    #54084

    redfive
    Participant

    Don’t worry, we are all here to learn something …. me too (and I do have much to learn).
    But, most important … is it running now??
    Next step is the static IP assignment to VPN users …
    Let me know
    Cheers,
    jonatha

    #54085

    DrmCa
    Participant

    I don’t know yet, as right now I am at work and cannot generate the user’s cert (router’s ssh and web interfaces restricted to LAN).
    Will generate tonight, take it to work and test tomorrow.

    #54086

    DrmCa
    Participant

    Just one question: if using password authentication only, would a client cert/key still be required?

    #54087

    redfive
    Participant

    If you declare ‘Only password’ as the auth method, then you don’t need the client cert/key, only the CA cert on the client side; the VPN server will act, basically, as an SSL server, where the client trusts the server certificate (thanks to the CA cert of the CA which signed the server cert).
    Cheers,
    jonatha

    #54088

    DrmCa
    Participant

    Just for testing I set VPN up to use cert+password and created a certificate for the vpn0 user – it did not exist previously – then exported that certificate in pem format.
    Once stored in the OpenVPN config folder and pointed at in the zeroshell.ovpn config file, VPN finally connected! Yahoo! Thanks again, redfive!
    The VPN allocated a correct IP address 10.10.10.180 from the specified range to the connected client machine.
    Still, I was not able to ping the LAN IP from the client machine; I guess I need to set something up for that?
    Also there was an unexpected side effect once disconnected from OpenVPN: I could no longer access any other VPNs (this is an office machine that normally connects to 1-2 other VPNs) until rebooted.
    After a while a password dialog popped up again, not sure why. Here’s the full log from connect to disconnect:

    Wed Apr 20 09:55:27 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
    Wed Apr 20 09:55:27 2016 Windows version 6.1 (Windows 7)
    Wed Apr 20 09:55:27 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
    Enter Management Password:
    Wed Apr 20 09:55:27 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Wed Apr 20 09:55:27 2016 Need hold release from management interface, waiting…
    Wed Apr 20 09:55:28 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Wed Apr 20 09:55:28 2016 MANAGEMENT: CMD 'state on'
    Wed Apr 20 09:55:28 2016 MANAGEMENT: CMD 'log all on'
    Wed Apr 20 09:55:28 2016 MANAGEMENT: CMD 'hold off'
    Wed Apr 20 09:55:28 2016 MANAGEMENT: CMD 'hold release'
    Wed Apr 20 09:55:37 2016 MANAGEMENT: CMD 'username "Auth" "vpnuser0"'
    Wed Apr 20 09:55:37 2016 MANAGEMENT: CMD 'password [...]'
    Wed Apr 20 09:55:38 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed Apr 20 09:55:38 2016 MANAGEMENT: >STATE:1461160538,RESOLVE,,,
    Wed Apr 20 09:55:38 2016 Attempting to establish TCP connection with [AF_INET]216.162.65.24:1194 [nonblock]
    Wed Apr 20 09:55:38 2016 MANAGEMENT: >STATE:1461160538,TCP_CONNECT,,,
    Wed Apr 20 09:55:39 2016 TCP connection established with [AF_INET]216.162.65.24:1194
    Wed Apr 20 09:55:39 2016 TCPv4_CLIENT link local: [undef]
    Wed Apr 20 09:55:39 2016 TCPv4_CLIENT link remote: [AF_INET]216.162.65.24:1194
    Wed Apr 20 09:55:39 2016 MANAGEMENT: >STATE:1461160539,WAIT,,,
    Wed Apr 20 09:55:39 2016 MANAGEMENT: >STATE:1461160539,AUTH,,,
    Wed Apr 20 09:55:39 2016 TLS: Initial packet from [AF_INET]216.162.65.24:1194, sid=888072a4 f1bcde6c
    Wed Apr 20 09:55:39 2016 VERIFY OK: depth=1, C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA, emailAddress=Fulvio.Ricciardi@zeroshell.net
    Wed Apr 20 09:55:39 2016 VERIFY X509NAME OK: OU=Hosts, CN=router.earthlovesme.ca
    Wed Apr 20 09:55:39 2016 VERIFY OK: depth=0, OU=Hosts, CN=router.earthlovesme.ca
    Wed Apr 20 09:55:40 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Apr 20 09:55:40 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 20 09:55:40 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Apr 20 09:55:40 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 20 09:55:40 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Wed Apr 20 09:55:40 2016 [router.earthlovesme.ca] Peer Connection Initiated with [AF_INET]216.162.65.24:1194
    Wed Apr 20 09:55:41 2016 MANAGEMENT: >STATE:1461160541,GET_CONFIG,,,
    Wed Apr 20 09:55:42 2016 SENT CONTROL [router.earthlovesme.ca]: 'PUSH_REQUEST' (status=1)
    Wed Apr 20 09:55:42 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.10.1,redirect-gateway,dhcp-option DNS 10.10.10.1,,ping 5,ping-restart 60,ifconfig 10.10.10.180 255.255.255.0'
    Wed Apr 20 09:55:42 2016 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 20 09:55:42 2016 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Apr 20 09:55:42 2016 OPTIONS IMPORT: route options modified
    Wed Apr 20 09:55:42 2016 OPTIONS IMPORT: route-related options modified
    Wed Apr 20 09:55:42 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Apr 20 09:55:42 2016 ROUTE_GATEWAY 172.16.12.1/255.255.255.0 I=11 HWADDR=d4:be:d9:91:9e:53
    Wed Apr 20 09:55:42 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Wed Apr 20 09:55:42 2016 MANAGEMENT: >STATE:1461160542,ASSIGN_IP,,10.10.10.180,
    Wed Apr 20 09:55:42 2016 open_tun, tt->ipv6=0
    Wed Apr 20 09:55:42 2016 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{E4BB7804-B41F-4569-9898-C57AD86C462E}.tap
    Wed Apr 20 09:55:42 2016 TAP-Windows Driver Version 9.9
    Wed Apr 20 09:55:42 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.180/255.255.255.0 on interface {E4BB7804-B41F-4569-9898-C57AD86C462E} [DHCP-serv: 10.10.10.0, lease-time: 31536000]
    Wed Apr 20 09:55:42 2016 Successful ARP Flush on interface [51] {E4BB7804-B41F-4569-9898-C57AD86C462E}
    Wed Apr 20 09:55:47 2016 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
    Wed Apr 20 09:55:47 2016 C:\Windows\system32\route.exe ADD 216.162.65.24 MASK 255.255.255.255 172.16.12.1
    Wed Apr 20 09:55:47 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
    Wed Apr 20 09:55:47 2016 Route addition via IPAPI succeeded [adaptive]
    Wed Apr 20 09:55:47 2016 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 172.16.12.1
    Wed Apr 20 09:55:47 2016 Route deletion via IPAPI succeeded [adaptive]
    Wed Apr 20 09:55:47 2016 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.10.10.1
    Wed Apr 20 09:55:47 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Wed Apr 20 09:55:47 2016 Route addition via IPAPI succeeded [adaptive]
    Wed Apr 20 09:55:47 2016 Initialization Sequence Completed
    Wed Apr 20 09:55:47 2016 MANAGEMENT: >STATE:1461160547,CONNECTED,SUCCESS,10.10.10.180,216.162.65.24
    Wed Apr 20 09:56:06 2016 write TCPv4_CLIENT: Connection reset by peer (WSAECONNRESET) (code=10054)
    Wed Apr 20 09:56:06 2016 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
    Wed Apr 20 09:56:06 2016 Connection reset, restarting [-1]
    Wed Apr 20 09:56:06 2016 SIGUSR1[soft,connection-reset] received, process restarting
    Wed Apr 20 09:56:06 2016 MANAGEMENT: >STATE:1461160566,RECONNECTING,connection-reset,,
    Wed Apr 20 09:56:06 2016 Restart pause, 5 second(s)
    Wed Apr 20 09:56:16 2016 MANAGEMENT: Client disconnected
    Wed Apr 20 09:56:16 2016 ERROR: could not read Auth username/password/ok/string from management interface
    Wed Apr 20 09:56:16 2016 Exiting due to fatal error
    Wed Apr 20 09:56:16 2016 Assertion failed at misc.c:785 (es)
    Wed Apr 20 09:56:16 2016 Exiting due to fatal error

    #54089

    redfive
    Participant

    I’m still at work, later I’ll take a look in depth; in the meanwhile …. how is the ZS box ‘placed’ in your network? Is it simply a host? Is the ZS also the default gateway for the hosts in your LAN?

    #54090

    DrmCa
    Participant

    It looks like this:

    [ISP] => [DSL modem in bridged mode] => [pppoe/eth0 Zeroshell PC eth1 10.10.10.1] => [Switch] => [LAN 10.10.10.2…10.10.10.254]

    ZS’s 10.10.10.1 is the default GW for the LAN hosts.
    There is a host running a Jabber XMPP server on the LAN, 10.10.10.2, and that is the only address on the LAN that the VPN user is interested in – without it they cannot do voice/video chat with the LAN users (due to both being behind routers). This is just to explain that the VPN user will not need to access the shares or connect to any other hosts/ports.

    #54091

    redfive
    Participant

    Something is unclear … are you using VPN99 bridged with the ‘lan’? Or is it on its own subnet? The IP addresses seem the same ….. Anyway, do you need L2 visibility among the VPN users and the LAN hosts, or is L3 visibility only to that specific host enough for the VPN users (and maybe, for the admin, access to the whole network …)?
    In the second case,…. ZS, for the H2L, by default uses the full tunnel (--push-redirect-gateway, all client traffic will flow through the VPN tunnel….), so you may try, for a start, using a dedicated network for VPN99 (e.g. 192.168.240.1/28), and, via the ‘Net’ button, declare the networks which will be reachable via the VPN tunnel (as the Cisco split-tunnel), in your case 10.10.10.0/24; in this way, the normal traffic will flow its normal way, while only the traffic destined to 10.10.10.0/24 will be ‘pushed’ into the VPN tunnel…..
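As an added example (not code from the thread or from Zeroshell), a small Python analyser that applies the full-tunnel versus split-tunnel distinction above to the client log DrmCa posted: it extracts the pushed PUSH_REPLY options, classifies the tunnel mode (the posted log carries redirect-gateway, i.e. full tunnel; a ‘Net’ declaration would instead arrive as a pushed route), and records the restart reason and fatal exit. The embedded log excerpt is constructed from the posted lines.

```python
import re

# Constructed excerpt of the client log posted in the thread (ASCII quotes as OpenVPN prints them).
SAMPLE_LOG = """\
Wed Apr 20 09:55:42 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.10.1,redirect-gateway,dhcp-option DNS 10.10.10.1,,ping 5,ping-restart 60,ifconfig 10.10.10.180 255.255.255.0'
Wed Apr 20 09:55:47 2016 Initialization Sequence Completed
Wed Apr 20 09:56:06 2016 write TCPv4_CLIENT: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Apr 20 09:56:06 2016 SIGUSR1[soft,connection-reset] received, process restarting
Wed Apr 20 09:56:16 2016 ERROR: could not read Auth username/password/ok/string from management interface
Wed Apr 20 09:56:16 2016 Exiting due to fatal error
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")
RESTART_RE = re.compile(r"SIGUSR1\[[^,\]]*,([^\]]+)\] received")


def parse_push_reply(line):
    """Return the list of pushed options from a PUSH_REPLY log line, or None."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    # Options are comma separated; the first token is the PUSH_REPLY keyword itself.
    return [o.strip() for o in m.group(1).split(",")[1:] if o.strip()]


def tunnel_mode(opts):
    """'full' if the server redirects the default gateway, 'split' if it only pushes routes."""
    if any(o == "redirect-gateway" or o.startswith("redirect-gateway ") for o in opts):
        return "full"
    if any(o.startswith("route ") for o in opts):
        return "split"
    return "none"


def analyse_log(text):
    """Summarise tunnel mode, pushed routes, assigned address and how the session ended."""
    report = {"mode": "none", "routes": [], "ifconfig": None,
              "connected": False, "restart_reason": None, "fatal": False}
    for line in text.splitlines():
        opts = parse_push_reply(line)
        if opts is not None:
            report["mode"] = tunnel_mode(opts)
            report["routes"] = [o.split(None, 1)[1] for o in opts if o.startswith("route ")]
            for o in opts:
                if o.startswith("ifconfig "):
                    report["ifconfig"] = o.split()[1]
        elif "Initialization Sequence Completed" in line:
            report["connected"] = True
        elif RESTART_RE.search(line):
            report["restart_reason"] = RESTART_RE.search(line).group(1)
        elif "Exiting due to fatal error" in line:
            report["fatal"] = True
    return report
```

Run against the posted log the report shows mode "full", which is why the client's 0.0.0.0 default route was replaced on connect; with the ‘Net’ split-tunnel setup described above the same analyser reports "split" and lists 10.10.10.0/24 as the only pushed route.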

    #54092

    DrmCa
    Participant

    Honestly – you lost me! The answer to almost all questions is – I don’t know 🙁
    As I only need one VPN user to be able to use one of the LAN hosts, I assume that would be a bridged mode?
    The goal is for that user to become one of the LAN hosts when connected to VPN, i.e. 10.10.10.180.
    That is the only requirement I have. I never thought that establishing VPN is so complicated.

    #54093

    redfive
    Participant

    It isn’t difficult, it is ‘only’ …highly customizable …
    Well, let’s start from the beginning…. by default, ZS uses, for VPN99, the IP address 192.168.254.254/24 …. leave it as is, remove the flag ‘Source Nat’, then via the ‘Net’ button, declare the network 10.10.10.0/24, save….. after that, once the VPN connection is established, from the command prompt, issue

    netstat -r | find "10.10.10.0"

    You should see something like

    10.10.10.0 255.255.255.0 192.168.250.x 192.168.250.254  21 

    And you should be able to reach the hosts on the 10.10.10.0/24 network (if fw rules allow) … this is the first step …
    (the nice part has still to come, don’t give up … 😉 )
    Cheers,
    jonatha

    #54094

    redfive
    Participant

    Fast way… if you want to reach only one host, declare, with the ‘Net’ button, only its IP address with a /32 mask ….
    jonatha

    #54095

    DrmCa
    Participant

    Here’s how I set it up now:

    Setup/network tab (noticed that VPN99 was not up, so I checked it off and saved):

    VPN tab:

    Does everything make sense? Is it okay that my LAN has 10.10.10.2-254 while the VPN will use 192.168.250.50-55? Which block of addresses will the connected client be assigned from? Will they be able to connect to the 10.10.10.2 IP?

    Also:

    It just occurred to me that there may be simpler alternatives to OpenVPN.
    Windows has its own VPN connection. Is it possible to use it with Zeroshell?
    If using Windows own VPN connection, does anything like the above still need to be set up?

    #54096

    redfive
    Participant

    Yes, it does look correct … you should be able to reach, while connected via VPN, (only) the host 10.10.10.2.
    The connected clients will obtain an IP address from the VPN server, ‘Client IP Address Assignment’, starting from 192.168.250.50 up to 192.168.250.55, based on your config.
    Try and report …….. 😉
    IMHO, OpenVPN in ZS (I use OpenVPN on Debian, on UBNT EdgeRouter …) is the simplest VPN service I have ever tried…. it goes by itself!! Like eating an ice cream, compared, e.g., to configuring, via CLI, ezvpn with PKI on a Cisco ISR…
    If all is ok, and you are still interested, I’ll post some configs to obtain other goals
    Cheers,
    jonatha
    P.S. if you are using the firewall, you have to create some rules in INPUT and FORWARDING, to allow the VPN users to go where you want (but this is the same in each fw, where the firewall is used)

    #54097

    DrmCa
    Participant

    And… It works! 😀 Even w/o the firewall rules created.

    Thanks a million!

    Now if only we could entice Fulvio into expanding the VPN guides to include all these steps!

    The way I gather it, the process is as follows:

    1. Under VPN: Enable Host-to-LAN OpenVPN (save), remove Source Nat, add net/mask
    2. Under Users: create a VPN user, generate X509 cert for this user
    3. Under Setup: In Network tab enable VPN99 and its underlying connection
    4. Download CA.pem and user’s pem certs to OpenVPN config folder on the client machine
    5. Download sample config to the client machine, edit remote address, edit client cert/key to the name of user’s pem file

    This should be it?
