VPN Setup


This topic contains 6 replies, has 0 voices, and was last updated by  Kimito Sakata 12 years, 5 months ago.

  • #40608

    I’m trying to set up a VPN to connect one LAN to another LAN. I feel I’m close but still have problems.

    Using 1.0.beta4

    Box1 – Zeroshell running at my office
    ETH00 – WAN address
    ETH01 – 10.0.0.100
    VPN00 – 10.8.0.1 running as Server
    Remote Host: blank
    params: --dev tun --ifconfig 10.8.0.1 255.0.0.0 --verb 5 --tls-auth /root/static.key

    Box2 – Zeroshell running at home
    ETH00 – 192.168.0.75 – NAT through my home router. The router is setup to route back to Box2 so incoming traffic will go to the box. The real IP on the router is dynamic.
    ETH01 – 10.0.0.150
    VPN00 – 10.8.0.3 running as Client (I couldn’t get it to work as Server)
    Remote Host: The WAN address of Box 1
    params: --dev tun --ifconfig 10.8.0.3 255.0.0.0 --verb 5 --tls-auth /root/static.key

    I couldn’t figure out the CA stuff so, I’m running with static.keys. I managed to modify the database so that I can save the key and copy it at the opportune time (through rc.local) so when the VPN comes up, it will use it. Both boxes are sharing the same key.

    With the above setup, the VPN status at both ends is “Connected”. However, I can’t ping the 10.8.0.X addresses from either end (Destination Host Unreachable).

    The route table of Box1 is:
    Destination Netmask Type Metric Gateway Interface Flags State Source
    WANADDR 255.255.255.248 Net 0 none ETH00 U Up Auto
    10.0.0.0 255.0.0.0 Net 0 none ETH01 U Up Auto
    10.0.0.0 255.0.0.0 Net 0 none tap0 U Up Auto
    DEFAULT GATEWAY 0.0.0.0 Net 0 WANGW ETH00 UG Up Static

    tap0 seems to always want to route to 10.0.0.0. Could this be the problem?

    When I try to ping:
    PING 10.8.0.3 (10.8.0.3) 56(84) bytes of data.
    From 10.0.0.100 icmp_seq=1 Destination Host Unreachable
    From 10.0.0.100 icmp_seq=2 Destination Host Unreachable
    From 10.0.0.100 icmp_seq=3 Destination Host Unreachable
    It seems to want to get out through ETH01

    I don’t think there is any firewall issue because running tcpdump at each side shows port 1194 traffic going both directions at each end.

    Appreciate any help

    #45302

    imported_fulvio
    Participant

    1) Don’t use the --dev tun parameter because ZeroShell uses a tap device which is set automatically without any additional parameter.

    2) You shouldn’t use the --ifconfig option to configure the IP address, but use the web interface directly to add the IP to the VPN00 vpn interface.

    Regards
    Fulvio

    #45303

    When I tried to do that, the bottom status window shows:
    Apr 20 15:57,39 SUCCESS: VPN00 successfully configured.
    Apr 20 16:10,08 ERROR: IP 10.8.0.1/255.0.0.0 not added to VPN00 : 10.0.0.0/8 overlaps 10.0.0.0/8 (ETH01)

    #45304

    After I used the web interface to add the IP 11.8.0.1 (which was successful), the vpn log shows:

    6:07:31 TLS: new session incoming connection from x.x.x.x:1194
    16:07:36 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=Zer … oshell.net
    16:07:36 VERIFY OK: depth=0, /OU=hosts/CN=flexstar.com
    16:07:36 WARNING: ‘ifconfig’ is present in remote config but missing in local config, remote=’ifconfig 10.0.0.0 255.0.0.0′
    16:07:36 Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    16:07:36 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    16:07:36 Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    16:07:36 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    16:07:36 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
    16:07:36 TLS: tls_multi_process: untrusted session promoted to trusted
    16:07:36 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    16:09:41 MANAGEMENT: Client connected from 127.0.0.1:34000
    16:09:41 MANAGEMENT: Client disconnected
    16:10:31 MANAGEMENT: Client connected from 127.0.0.1:34000
    16:10:31 MANAGEMENT: Client disconnected

    It seems like ifconfig is complaining.

    #45305

    From the web interface, how do you specify the remote IP address (the vpn IP address, not the hostname)?

    In openvpn, they show that an argument of ifconfig is given l & rn where l=local IP, and rn=remote IP.

    #45306

    OK – I’m progressing.

    I got home and did the same to Box2:
    1) took out the parameters except for --verb 5 --tls-auth /root/static.key
    2) set the VPN00 IP to 11.8.0.3

    Voila! I can ping 11.8.0.1 from Box2 at home.

    Now how do I access the other network attached to either box? The plan is to be able to ping from home the 10.0.0.x network at the office (Box1).

    #45307

    OK – I’m learning on my own (actually I found the answer on this forum).
    I did the bridge trick you talked about with the console ‘B’ key.

    Now I can ping both ETH01 networks on both Box1 & Box2. But now, it seems to disconnect very frequently. Looking at the VPN log from Box2:

    03:27:33 Initialization Sequence Completed
    03:27:46 MANAGEMENT: Client connected from 127.0.0.1:34000
    03:27:46 MANAGEMENT: Client disconnected
    03:28:25 [Box1 WAN Addr] Inactivity timeout (--ping-restart), restarting
    03:28:25 TCP/UDP: Closing socket
    03:28:25 Closing TUN/TAP interface
    03:28:25 SIGUSR1[soft,ping-restart] received, process restarting
    03:28:25 Restart pause, 2 second(s)
    03:28:27 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    03:28:27 Control Channel Authentication: using ‘/root/static.key’ as a OpenVPN static key file
    03:28:27 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    03:28:27 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    03:28:27 LZO compression initialized
    03:28:27 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    03:28:27 TUN/TAP device VPN00 opened
    03:28:27 TUN/TAP TX queue length set to 100
    03:28:27 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    03:28:27 Local Options String: ‘V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client’
    03:28:27 Expected Remote Options String: ‘V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server’
    03:28:27 Local Options hash (VER=V4): ’46a60371′
    03:28:27 Expected Remote Options hash (VER=V4): ‘f7b041bb’
    03:28:27 Socket Buffers: R=[108544->131072] S=[108544->131072]
    03:28:27 UDPv4 link local (bound): [undef]:1194
    03:28:27 UDPv4 link remote: Box1 WAN Addr:1194
    03:28:27 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
    03:28:27 TLS: Initial packet from Box1 WAN Addr:1194, sid=be93f0b6 fb9724bc
    03:28:29 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
    03:28:30 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=Zer … oshell.net
    03:28:30 VERIFY OK: depth=0, /OU=hosts/CN=Box1 WAN Addr
    03:28:30 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
    03:28:31 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
    03:28:32 MANAGEMENT: Client connected from 127.0.0.1:34000
    03:28:32 MANAGEMENT: Client disconnected
    03:28:34 TLS Error: local/remote TLS keys are out of sync: Box1 WAN Addr:1194 [0]
    03:28:34 [Box1 WAN Addr] Inactivity timeout (--ping-restart), restarting
    03:28:34 TCP/UDP: Closing socket
    03:28:34 Closing TUN/TAP interface
    03:28:34 SIGUSR1[soft,ping-restart] received, process restarting
    03:28:34 Restart pause, 2 second(s)
    03:28:36 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    03:28:36 Control Channel Authentication: using ‘/root/static.key’ as a OpenVPN static key file
    03:28:36 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    03:28:36 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    03:28:36 LZO compression initialized
    03:28:36 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    03:28:36 TUN/TAP device VPN00 opened
    03:28:36 TUN/TAP TX queue length set to 100
    03:28:36 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    03:28:36 Local Options String: ‘V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client’
    03:28:36 Expected Remote Options String: ‘V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server’
    03:28:36 Local Options hash (VER=V4): ’46a60371′
    03:28:36 Expected Remote Options hash (VER=V4): ‘f7b041bb’
    03:28:36 Socket Buffers: R=[108544->131072] S=[108544->131072]
    03:28:36 UDPv4 link local (bound): [undef]:1194
    03:28:36 UDPv4 link remote: Box1 WAN Addr:1194
    03:28:36 TLS Error: Unroutable control packet received from Box1 WAN Addr:1194 (si=3 op=P_ACK_V1)

    Do I just have a very bad Internet connection? Or do I need to tweak a setting?

    #45308

    imported_fulvio
    Participant

    I think the problem is the TLS configuration.
    Try to remove any additional OpenVPN parameter.
    In any case you should not use IP addresses belonging to the subnet 11.0.0.0/8 because this is a public subnet. Try to use 192.168.x.0/24 or 172.16.0.0/16, which are private subnets.

    Bye
    Fulvio
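The two errors in this thread (ZeroShell refusing 10.8.0.1/255.0.0.0 because 10.0.0.0/8 overlaps ETH01, and the later objection that 11.8.0.x is public space) can both be caught before touching the box. The following is an added example, not ZeroShell's or Fulvio's code: it parses a route table in the format posted for Box1 (the table below is constructed from that post) and checks a candidate VPN00 address for overlap with existing interface networks and for membership in an RFC 1918 range.

```python
"""Pre-check a VPN interface address against an existing route table.

Constructed example for the ZeroShell thread above: it reproduces the
"overlaps ... (ETH01)" check and the private-range advice, nothing more.
"""
import ipaddress

# Constructed route table, modelled on the Box1 table posted in the thread.
# WANADDR / DEFAULT GATEWAY are the poster's placeholders, not addresses.
ROUTE_TABLE = """\
WANADDR 255.255.255.248 Net 0 none ETH00 U Up Auto
10.0.0.0 255.0.0.0 Net 0 none ETH01 U Up Auto
10.0.0.0 255.0.0.0 Net 0 none tap0 U Up Auto
DEFAULT GATEWAY 0.0.0.0 Net 0 WANGW ETH00 UG Up Static
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Return [(network, interface)] for every parseable 'Net' route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "Net":
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # placeholder destinations such as WANADDR are skipped
        routes.append((net, parts[5]))
    return routes


def check_vpn_address(addr, mask, routes):
    """Return a list of problems; an empty list means the address is usable."""
    problems = []
    net = ipaddress.ip_interface(f"{addr}/{mask}").network
    for existing, ifname in routes:
        # The VPN's own route (tap0 in the post) is what is being replaced.
        if ifname.startswith(("tap", "VPN")):
            continue
        if net.overlaps(existing):
            problems.append(f"{net} overlaps {existing} ({ifname})")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 private range")
    return problems


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for addr, mask in (("10.8.0.1", "255.0.0.0"), ("11.8.0.1", "255.0.0.0"),
                       ("192.168.50.1", "255.255.255.0")):
        print(addr, mask, check_vpn_address(addr, mask, routes) or "OK")
```

The third candidate, a 192.168.x.0/24 that does not collide with ETH01, is the kind of address the last reply recommends.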
