Right now I’m only interested in setting up a VPN client. I’ve done that using OpenVPN and I’m connecting to the swissvpn.com site. My local LAN is 192.168.0.x.
Here is the complete sequence shown in the /var/log/messages log:
Nov 11 14:27:50 draco openvpn[1786]: OpenVPN 2.1_rc20 amd64-portbld-freebsd7.2 [SSL] [LZO2] built on Nov 11 2009
Nov 11 14:27:50 draco openvpn[1786]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 11 14:27:50 draco openvpn[1786]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Nov 11 14:27:50 draco openvpn[1786]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Nov 11 14:27:50 draco openvpn[1786]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Nov 11 14:27:50 draco openvpn[1786]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Nov 11 14:27:50 draco openvpn[1786]: Local Options hash (VER=V4): 'db02a8f8'
Nov 11 14:27:50 draco openvpn[1786]: Expected Remote Options hash (VER=V4): '7e068940'
Nov 11 14:27:50 draco openvpn[1787]: Attempting to establish TCP connection with 80.254.79.87:443 [nonblock]
Nov 11 14:27:51 draco openvpn[1787]: TCP connection established with 80.254.79.87:443
Nov 11 14:27:51 draco openvpn[1787]: Socket Buffers: R=[65572->65536] S=[33124->65536]
Nov 11 14:27:51 draco openvpn[1787]: TCPv4_CLIENT link local: [undef]
Nov 11 14:27:51 draco openvpn[1787]: TCPv4_CLIENT link remote: 80.254.79.87:443
Nov 11 14:27:51 draco openvpn[1787]: TLS: Initial packet from 80.254.79.87:443, sid=6403cc73 9e244097
Nov 11 14:27:51 draco openvpn[1787]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: depth=1, /C=CH/ST=ZH/L=Regensdorf/O=Monzoon_Networks_AG/OU=OpenVPN_CA/CN=OpenVPN-CA/emailAddress=operations@monzoon.net
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: nsCertType=SERVER
Nov 11 14:27:54 draco openvpn[1787]: VERIFY OK: depth=0, /C=CH/ST=ZH/O=Monzoon_Networks_AG/OU=OpenVPN_server/CN=server/emailAddress=operations@monzoon.net
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 11 14:27:56 draco openvpn[1787]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 11 14:27:56 draco openvpn[1787]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 11 14:27:56 draco openvpn[1787]: [server] Peer Connection Initiated with 80.254.79.87:443
Nov 11 14:27:59 draco openvpn[1787]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 11 14:27:59 draco openvpn[1787]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 80.254.79.157,dhcp-option DNS 80.254.77.39,route-gateway 80.254.76.129,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 80.254.76.210 255.255.255.128'
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --socket-flags option modified
Nov 11 14:27:59 draco openvpn[1787]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: route options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: route-related options modified
Nov 11 14:27:59 draco openvpn[1787]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 11 14:27:59 draco openvpn[1787]: ROUTE default_gateway=192.168.0.1
Nov 11 14:27:59 draco openvpn[1787]: TUN/TAP device /dev/tun0 opened
Nov 11 14:27:59 draco openvpn[1787]: /sbin/ifconfig tun0 80.254.76.210 netmask 255.255.255.128 mtu 1500 up
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.76.128 80.254.76.210 255.255.255.128
Nov 11 14:27:59 draco openvpn[1787]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 80.254.79.87 192.168.0.1 255.255.255.255
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 0.0.0.0 80.254.76.129 128.0.0.0
Nov 11 14:27:59 draco openvpn[1787]: /sbin/route add -net 128.0.0.0 80.254.76.129 128.0.0.0
Nov 11 14:27:59 draco openvpn[1787]: Initialization Sequence Completed
Note the error «ERROR: FreeBSD route add command failed: external program exited with error status: 1».
Is this line «ROUTE default_gateway=192.168.0.1» coming from the swissVPN OpenVPN server? So there’s a conflict between it and my local LAN?
I really don’t have a good grasp on the concept of routing, so be gentle here. Knowing that I have no control over the OpenVPN server, and that I’d prefer to keep using the TUN interface rather than a bridge, is there something that I can add to the client.conf file to make this conflict go away?
Is this error even hurting anything? The VPN seems to work.
Topic: FreeBSD route add command failed (OpenVPN)
Hey guys,
I set up multiple VPNs (NordVPN) alongside a fallback/gateway group. Now the problem is that all of them show up as online, however some just can’t connect to the internet. Using one at a time seems to work every time, but with two or three running this error shows up:
Dec 5 19:01:53 openvpn[26344]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 5 19:01:53 openvpn[26344]: /sbin/route add -net 10.8.3.0 10.8.3.1 255.255.255.0
So those that error out after restarting them show up as online, but if selected as a gateway they can’t connect to the internet at all, and the amount of data sent or received doesn’t change either.
The biggest problem is that the VPNs sometimes restart themselves; then this error occurs and thus about half of my connections just time out. I really want to get this solved, because right now I am just using one single VPN as a gateway, as this is the only way I can guarantee that I have a stable connection. However, I would like a round-robin-like system, which is already set up and sometimes works if all VPNs behave that day. This seems to happen at random. If I restart them they sometimes work and sometimes this error shows up in the log instead. Any help is appreciated.
Here is my full (all I could gather) log, btw:
https://hastebin.com/utiticiwix.log
Bump
Maybe this tunnel network is already in use somewhere?
Maybe this tunnel network is already in use somewhere?
That would be 10.8.3.1? Or 10.8.3.0?
Can I check that in the console? And what part of OPNsense could use such a mask? I didn’t set anything regarding that.
Just post an ifconfig.
Just restarted a VPN and this is the current IP it tried to bind:
Dec 13 19:14:59 openvpn[14215]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 13 19:14:59 openvpn[14215]: /sbin/route add -net 10.8.1.0 10.8.1.1 255.255.255.0
Here is my ifconfig:
https://hastebin.com/sogexuvawu.log
Just restarted again and now it worked with this log output:
Dec 13 19:21:09 openvpn[69428]: Initialization Sequence Completed
Dec 13 19:21:06 openvpn[69428]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1584 10.8.3.4 255.255.255.0 init
Dec 13 19:21:06 openvpn[69428]: /sbin/route add -net 10.8.3.0 10.8.3.1 255.255.255.0
This is my new ifconfig (after I restarted the VPN):
https://hastebin.com/unefimivov.log
« Last Edit: December 13, 2019, 08:22:54 pm by Jalau »
As you can see, you had two interfaces with the same IP.
As you can see you had two interfaces with same IP
And how does this happen? Like, what IP range do I need to change to avoid this?
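The reply above diagnoses the failing `route add -net 10.8.3.0` as two interfaces having ended up with the same address. The script below is an added example, not code from the thread or from OPNsense: it parses FreeBSD-style `ifconfig` output, works out the subnet each interface sits in, and lists every subnet (and every exact address) claimed by more than one interface, which is exactly the condition under which a second `route add -net` for that subnet is rejected. The ifconfig text is constructed to mirror the thread; the interface flags and addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FreeBSD-style ifconfig excerpt modelled on the thread: the
# interface flags and addresses are made up, not the poster's own dump.
IFCONFIG_SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.178.2 netmask 0xffffff00 broadcast 192.168.178.255
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.3.4 --> 10.8.3.1 netmask 0xffffff00
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.1.7 --> 10.8.1.1 netmask 0xffffff00
ovpnc3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.3.4 --> 10.8.3.1 netmask 0xffffff00
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+)(?: --> \S+)? netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text):
    """Return [(interface, IPv4Interface)] for every IPv4 address in the dump."""
    assignments, iface = [], None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            iface = head.group(1)
            continue
        inet = INET_RE.match(line)
        if inet and iface:
            addr, hexmask = inet.groups()
            prefix = bin(int(hexmask, 16)).count("1")  # 0xffffff00 -> 24
            assignments.append((iface, ipaddress.ip_interface(f"{addr}/{prefix}")))
    return assignments


def overlapping_subnets(assignments):
    """Map each subnet present on more than one interface to those interfaces."""
    by_net = defaultdict(list)
    for iface, ifaddr in assignments:
        by_net[ifaddr.network].append(iface)
    return {str(net): ifaces for net, ifaces in by_net.items() if len(ifaces) > 1}


def duplicate_addresses(assignments):
    """Map each IPv4 address configured on more than one interface to them."""
    by_addr = defaultdict(list)
    for iface, ifaddr in assignments:
        by_addr[ifaddr.ip].append(iface)
    return {str(ip): ifaces for ip, ifaces in by_addr.items() if len(ifaces) > 1}


if __name__ == "__main__":
    found = parse_ifconfig(IFCONFIG_SAMPLE)
    for net, ifaces in overlapping_subnets(found).items():
        print(f"{net} is configured on {', '.join(ifaces)}: a second "
              "'route add -net' for it would be rejected")
    for ip, ifaces in duplicate_addresses(found).items():
        print(f"{ip} is assigned to {', '.join(ifaces)}")
```

Feed it the real `ifconfig` output instead of the sample; any subnet listed twice is the one whose tunnel network has to be changed on one of the clients.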
Problem with VPN routes
In this case the VPN gateway is 10.20.30.1. 192.168.1.1 is the router through which the client reaches the internet.
This is how ya.ru traces from the client with the VPN up:
Re: Problem with VPN routes
Unread post by Guest » 2011-08-04 3:39:42
Re: Problem with VPN routes
Unread post by mak_v_ » 2011-08-04 10:52:40
Re: Problem with VPN routes
Unread post by mak_v_ » 2011-08-04 14:05:44
You are not pushing a default gw from the server.
Re: Problem with VPN routes
Unread post by Guest » 2011-08-05 0:12:22
Re: Problem with VPN routes
Unread post by mak_v_ » 2011-08-05 9:29:23
2) With a pushed «redirect-gateway» your default gateway will be «the other end of the VPN», namely 10.20.30.5, which is 10.20.30.1 for everyone; although a traceroute will show 10.20.30.1 instead of 10.20.30.5, don’t be alarmed, that is how it should be.
Read the above several times and understand it. Just think it through. It will get easier afterwards.
Error freebsd route add command failed external program exited with error status
Hello,
I have a weird problem with OpenVPN. I am new to FreeBSD/pfSense, so maybe someone has ever had this error message when trying to establish a VPN tunnel:
Everything runs fine, but when the add route command gets executed this appears:
Dec 22 23:48:23 openvpn[7866]: Initialization Sequence Completed
Dec 22 23:48:23 openvpn[7866]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 22 23:48:23 openvpn[7866]: /sbin/route add -net 128.0.0.0 5.254.134.1 128.0.0.0
Dec 22 23:48:23 openvpn[7866]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 22 23:48:23 openvpn[7866]: /sbin/route add -net 0.0.0.0 5.254.134.1 128.0.0.0
Dec 22 23:48:23 openvpn[7866]: /sbin/route add -net 178.73.x.x 77.xx.xx.1 255.255.255.255
Dec 22 23:48:23 openvpn[7866]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 init
Dec 22 23:48:23 openvpn[7866]: TUN/TAP device /dev/tun2 opened
Dec 22 23:48:23 openvpn[7866]: TUN/TAP device ovpnc2 exists previously, keep at program end
Dec 22 23:48:23 openvpn[7866]: ROUTE_GATEWAY 77.xx.xx.1
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: route-related options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: route options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: timers and/or timeouts modified
I already checked the logfiles and searched here, but I cannot find any related post for this issue. Hope somebody can help me with this 🙁
That is indicating that you already have a route for those networks.
From the look of what it’s trying to add, the remote side is pushing you a default route (redirect-gateway def1), and if your first vpn client is already doing that, the second one can’t since the routes already exist.
OpenVPN Support Forum
ERROR: Linux route add command failed: external program exited with error status: 1
Post by radu » Tue Oct 25, 2016 6:05 pm
I have a configuration that allowed me to route all traffic through the VPN for about a year, but after a dd-wrt update I just couldn’t make it work anymore; it was failing to add the route. Unfortunately I had a TP-Link when it worked; I did a restore to the original firmware and they blocked custom firmware. Now the new client router also says «Linux route add command failed», but «external program exited with error status: 1» instead of status: 2, as the TP-Link did:
State
Client: CONNECTED SUCCESS
Local Address: 10.1.1.2
Remote Address: 10.1.1.2
Status
VPN Client Stats
TUN/TAP read bytes 17171
TUN/TAP write bytes 0
TCP/UDP read bytes 3735
TCP/UDP write bytes 23022
Auth read bytes 64
pre-compress bytes 7914
post-compress bytes 7988
pre-decompress bytes 0
post-decompress bytes 0
Log
Clientlog:
20161025 20:20:17 I OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 18 2016
20161025 20:20:17 I library versions: OpenSSL 1.0.2j 26 Sep 2016 LZO 2.09
20161025 20:20:17 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20161025 20:20:17 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20161025 20:20:17 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20161025 20:20:17 W WARNING: file ‘/tmp/openvpncl/client.key’ is group or others accessible
20161025 20:20:17 Socket Buffers: R=[87380->87380] S=[16384->16384]
20161025 20:20:17 I Attempting to establish TCP connection with [AF_INET]82.xx.xx.48:443 [nonblock]
20161025 20:20:18 I TCP connection established with [AF_INET]82.xx.xx.48:443
20161025 20:20:18 I TCPv4_CLIENT link local: [undef]
20161025 20:20:18 I TCPv4_CLIENT link remote: [AF_INET]82.xx.xx.48:443
20161025 20:20:18 TLS: Initial packet from [AF_INET]82.xx.xx.48:443 sid=7e483803 e26adfea
20161025 20:20:18 VERIFY OK: depth=1 C=xx ST=xx L=xxx O=Radu OU=HomeServer CN=HomeServer name=HomeServer emailAddress=xx@xx.com
20161025 20:20:18 VERIFY OK: depth=0 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=NightHawk name=NightHawk emailAddress=xx@oxx.com
20161025 20:20:18 NOTE: --mute triggered.
20161025 20:20:18 1 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:18 W WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
20161025 20:20:18 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20161025 20:20:18 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20161025 20:20:18 W WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
20161025 20:20:18 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20161025 20:20:18 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 1024 bit RSA
20161025 20:20:18 I [NightHawk] Peer Connection Initiated with [AF_INET]82.xx.xx.48:443
20161025 20:20:20 SENT CONTROL [NightHawk]: 'PUSH_REQUEST' (status=1)
20161025 20:20:20 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.1 255.255.255.0 redirect-gateway def1 dhcp-option DNS 193.xx.xx.1 route-gateway 10.1.1.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.1.1.2 255.255.255.0'
20161025 20:20:20 OPTIONS IMPORT: timers and/or timeouts modified
20161025 20:20:20 NOTE: --mute triggered.
20161025 20:20:20 5 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:20 I TUN/TAP device tun1 opened
20161025 20:20:20 TUN/TAP TX queue length set to 100
20161025 20:20:20 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20161025 20:20:20 I /sbin/ifconfig tun1 10.1.1.2 netmask 255.255.255.0 mtu 1500 broadcast 10.1.1.255
20161025 20:20:20 /sbin/route add -net 82.79.46.48 netmask 255.255.255.255 gw 192.168.0.1
20161025 20:20:20 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
20161025 20:20:20 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
20161025 20:20:20 /sbin/route add -net 192.168.1.1 netmask 255.255.255.0 gw 10.1.1.1
20161025 20:20:20 W ERROR: Linux route add command failed: external program exited with error status: 1
20161025 20:20:20 I Initialization Sequence Completed
20161025 20:20:22 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161025 20:20:22 D MANAGEMENT: CMD ‘state’
20161025 20:20:22 MANAGEMENT: Client disconnected
This would be the server log:
20161025 20:20:17 I TCP connection established with [AF_INET]95.xx.xx.1:60182
20161025 20:20:18 95.91.250.1:60182 TLS: Initial packet from [AF_INET]95.xx.xx.1:60182 sid=ca05dfea e5bb0e4e
20161025 20:20:18 95.91.250.1:60182 VERIFY OK: depth=1 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=HomeServer name=HomeServer emailAddress=xx@xx.com
20161025 20:20:18 95.91.250.1:60182 VERIFY OK: depth=0 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=Archer name=Archer emailAddress=xx@xx.com
20161025 20:20:18 95.91.250.1:60182 NOTE: --mute triggered.
20161025 20:20:18 95.91.250.1:60182 5 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:18 I 95.91.250.1:60182 [Archer] Peer Connection Initiated with [AF_INET]95.xx.xx.1:60182
20161025 20:20:18 I Archer/95.xx.xx.1:60182 MULTI_sva: pool returned IPv4=10.1.1.2 IPv6=(Not enabled)
20161025 20:20:18 Archer/95.xx.xx.1:60182 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_044afbfeb0c46a9ca6edba6296966941.tmp
20161025 20:20:18 Archer/95.xx.xx.1:60182 MULTI: Learn: 10.1.1.2 -> Archer/95.xx.xx.1:60182
20161025 20:20:18 Archer/95.xx.xx.1:60182 MULTI: primary virtual IP for Archer/95.xx.xx.1:60182: 10.1.1.2
20161025 20:20:20 Archer/95.xx.xx.1:60182 PUSH: Received control message: 'PUSH_REQUEST'
20161025 20:20:20 I Archer/95.xx.xx.1:60182 send_push_reply(): safe_cap=940
20161025 20:20:20 Archer/95.xx.xx.1:60182 SENT CONTROL [Archer]: 'PUSH_REPLY route 192.168.1.1 255.255.255.0 redirect-gateway def1 dhcp-option DNS 193.xx.xx.1 route-gateway 10.1.1.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.1.1.2 255.255.255.0' (status=1)
Here are the configs (firewall and IP v6 off):
SERVER CONFIG (Home Location router); LAN IP: 192.168.1.1
Start Type: System
Config as: Server
Server Mode: Router (TUN)
Network: 10.1.1.0
Netmask: 255.255.255.0
Port: 443
Tunnel Protocol: TCP
Encryptions Cipher: Blowfish CBC
Hash Algorithm: SHA1
Advanced Options: Disable
Additional Config:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS [provider dns]"
push "dhcp-option DNS [2nd provider dns]"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp-server
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
CLIENT CONFIG (roaming location router); LAN IP: 192.168.2.1
Server IP/Name: [ddns link]
Port: 443
Tunnel Device: TUN
Tunnel Protocol: TCP
Encryption Cipher: Blowfish CBC
Hash Algorithm: SHA1
Advanced Options: Disable
Error freebsd route add command failed external program exited with error status
I have been using OpenVPN for quite some time now, and I just love it!
But I am having trouble with OpenVPN and routing.
The VPN connection is built up and working as far as the tunnel endpoint, in this case 10.1.0.1; there I could even log into the pfSense firewall.
But I can’t reach any LAN networks behind the tunnel, although I have the right firewall rules in place. I can be sure they are, because there is no problem logging in and reaching the LAN networks from my Windows desktop if I connect to my remote server through the Viscosity OpenVPN client software. I think it has to do with the error message ERROR: FreeBSD route add command failed: external program exited with error status: 1, because the route could not be added.
Here my setup:
Network:
Local:
VMWare ESXI 5.5 u1
Wan = direct isp ip (datamodem only)
LAN = 192.168.1.0/24
OpenVPN IP: 10.1.0.0/24
Remote Server:
VMware ESXI 5.5 u1
WAN = Direct ISP IP
LAN1 = 10.0.0.0/24
LAN2 = 10.0.1.0/24
Software:
Local:
2.1.4-RELEASE (amd64)
built on Fri Jun 20 12:59:50 EDT 2014
FreeBSD 8.3-RELEASE-p16
Remote:
2.1.4-RELEASE (amd64)
built on Fri Jun 20 12:59:50 EDT 2014
FreeBSD 8.3-RELEASE-p16
Openvpn setup: Client:
Error:
Remote Server:
If you want I can post some settings, but as mentioned above there seems to be no problem logging in and reaching the LAN networks from my Windows desktop through Viscosity.
I really hope someone can help me here.
The way I’ve always setup site-site connections is to do all the routing at the server end.
So your client setup doesn’t need anything in the «IPv4 Remote Networks» box; those entries go in the server’s «IPv4 Remote Networks». The only other thing you have to make sure of is to add an «iroute» statement in the Client Specific Override section of the server for the client’s network(s).
You mentioned Viscosity linking in ok, do you use the same OpenVPN server for both your RoadWarrior and site-site connections?
If so, you’re the second person to suggest that. I’ve always created 2 separate servers so that I can deal with RoadWarriors and site-to-site connections in a distinct fashion and adjust one without affecting the other.
Your «tunnel network» is the same as one of your «remote networks».
This is most likely the cause of this error. Either change the tunnel network, or remove the remote network.
Your «tunnel network» is the same as one of your «remote networks».
This is most likely the cause of this error. Either change the tunnel network, or remove the remote network.
Er, I think you misread. The OP has tunnel network:
While the remote nets are:
No conflicts there; he’s using 10.0.0.x, 10.0.1.x, and 10.1.0.x.
ovpnc1 10.1.0.3 10.1.0.3 mtu 1500 netmask 255.255.255.0 up
shouldn’t be something like:
ovpnc1 10.1.0.1 10.1.0.2 mtu 1500 netmask 255.255.255.0 up
Do You have correct netmask on both sides?
Well there’s another Huh? moment for me.
ovpnc1 10.1.0.3 10.1.0.3 mtu 1500 netmask 255.255.255.0 up
shouldn’t be something like:
ovpnc1 10.1.0.1 10.1.0.2 mtu 1500 netmask 255.255.255.0 up
Do You have correct netmask on both sides?
I read your post and thought, «Aha, that does look strange». Then just for fun, I went back through my OpenVPN logs on my main router to look at what happens «normally».
This router has been running for about 6 years, currently at 2.1.4 on a HD with no major packages but some 5 OpenVPN servers and 20+ OpenVPN clients.
Lo and behold, I found 1 of the server instances that produces the same type of entry in the logs: «/sbin/ifconfig ovpns16 10.155.50.1 10.155.50.1 mtu 1500 netmask 255.255.255.0 up»! The other instances of server (and client) all show the expected .1 .2 split of a «normal» connection. To make matters worse (sort of) this particular connection routes traffic just fine; I can log into remote boxes, get to the client pfSense box, etc. I need to hunt down the difference in this particular connection and see what’s up…
But as far as the OP, it doesn’t necessarily matter. 😮
Edit:
Ahem — Woooops :-[
That’s what I get for typing instead of thinking. The server I found in the logs was for a separate RoadWarrior connection, so my log entry is exactly what’s expected.
That leads me to believe that the original OP may have a similar problem. Now I noticed the screen shots show Peer to Peer mode in the client, but the log file shows the OpenVPN instance «ovpnc1» trying to connect in what looks like Remote Access mode. Either the log file doesn’t match the configuration screen or vice-versa.
One issue I have seen with OpenVPN (especially when changing certificates) is it’s possible to have a «cached» version of the OpenVPN instance that will hang around even after a GUI based restart of the instance. I’ve had to manually go in and kill the process then do a GUI start.
Perhaps it would be simplest to do a restart of pfSense on both ends, just to test?
I pulled out almost everything related to the VPN:
1. VPN server config
#NETWORK
port 2000
proto udp
dev tun
keepalive 20 240
server 10.20.30.0 255.255.255.0
route 10.20.30.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
#SECURITY
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 120
cipher BF-CBC
persist-key
persist-tun
2. Client config
dev tun
proto udp
remote 178.94.20.202
port 2000
client
resolv-retry infinite
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-client
tls-auth /etc/openvpn/ta.key 1
cipher BF-CBC
ns-cert-type server
comp-lzo
persist-key
persist-tun
verb 4
3. rc.conf of the VPN server
hostname="free-snich"
#ifconfig_rl0="DHCP"
ifconfig_rl0="inet 192.168.1.5 netmask 255.255.0.0"
defaultrouter="192.168.1.1"
inetd_enable="YES"
sshd_enable="YES"
apache22_enable="YES"
accf_http_load="YES"
mysql_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/openvpn/server.conf"
openvpn_dir="/usr/openvpn"
gateway_enable="YES"
4. VPN server routing table
free-snich# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         3     1874    rl0
10.20.30.0/24      10.20.30.2         UGS         0        0   tun0
10.20.30.1         link#4             UHS         0        0    lo0
10.20.30.2         link#4             UH          0        0   tun0
127.0.0.1          link#3             UH          0     3941    lo0
192.168.0.0/16     link#1             U           0      278    rl0
192.168.1.5        link#1             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags    Netif Expire
::1                ::1                UH        lo0
fe80::%lo0/64      link#3             U         lo0
fe80::1%lo0        link#3             UHS       lo0
ff01:3::/32        fe80::1%lo0        U         lo0
ff02::%lo0/32      fe80::1%lo0        U         lo0
5. VPN server interfaces
free-snich# ifconfig -a
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=3808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:e0:4c:19:02:9f
inet 192.168.1.5 netmask 0xffff0000 broadcast 192.168.255.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.20.30.1
Client interfaces
gateway openvpn # ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:365961 errors:0 dropped:0 overruns:0 frame:0
TX packets:365961 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25253247 (24.0 MiB) TX bytes:25253247 (24.0 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.20.30.6 P-t-P:10.20.30.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:6920 (6.7 KiB) TX bytes:5655 (5.5 KiB)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vboxnet0 Link encap:Ethernet HWaddr 0a:00:27:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 00:21:6b:11:16:f2
inet addr:192.168.1.167 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:120661 errors:0 dropped:0 overruns:0 frame:0
TX packets:125626 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:64875326 (61.8 MiB) TX bytes:14960296 (14.2 MiB)
6. VPN server start log; the client’s connection (196.202.236.217) is also visible
free-snich# cat /var/log/openvpn/openvpn.log
Thu Aug 4 10:48:59 2011 us=816384 Current Parameter Settings:
Thu Aug 4 10:48:59 2011 us=816626 config = '/usr/openvpn/server.conf'
Thu Aug 4 10:48:59 2011 us=816650 mode = 1
Thu Aug 4 10:48:59 2011 us=816671 show_ciphers = DISABLED
Thu Aug 4 10:48:59 2011 us=816691 show_digests = DISABLED
Thu Aug 4 10:48:59 2011 us=816712 show_engines = DISABLED
Thu Aug 4 10:48:59 2011 us=816731 genkey = DISABLED
Thu Aug 4 10:48:59 2011 us=816752 key_pass_file = '[UNDEF]'
Thu Aug 4 10:48:59 2011 us=816771 show_tls_ciphers = DISABLED
Thu Aug 4 10:48:59 2011 us=816793 Connection profiles [default]:
Thu Aug 4 10:48:59 2011 us=816813 NOTE: --mute triggered...
Thu Aug 4 10:48:59 2011 us=816849 206 variation(s) on previous 10 message(s) suppressed by --mute
Thu Aug 4 10:48:59 2011 us=816871 OpenVPN 2.2.0 i386-portbld-freebsd8.2 [SSL] [LZO2] [eurephia] built on Jul 27 2011
Thu Aug 4 10:48:59 2011 us=817050 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Aug 4 10:48:59 2011 us=817076 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Aug 4 10:48:59 2011 us=834765 Diffie-Hellman initialized with 1024 bit key
Thu Aug 4 10:48:59 2011 us=836397 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Thu Aug 4 10:48:59 2011 us=836443 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 10:48:59 2011 us=836469 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 10:48:59 2011 us=836508 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Aug 4 10:48:59 2011 us=836592 Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu Aug 4 10:48:59 2011 us=836769 ROUTE default_gateway=192.168.1.1
Thu Aug 4 10:48:59 2011 us=837125 TUN/TAP device /dev/tun0 opened
Thu Aug 4 10:48:59 2011 us=837226 /sbin/ifconfig tun0 10.20.30.1 10.20.30.2 mtu 1500 netmask 255.255.255.255 up
Thu Aug 4 10:48:59 2011 us=840379 /sbin/route add -net 10.20.30.0 10.20.30.2 255.255.255.0
add net 10.20.30.0: gateway 10.20.30.2
Thu Aug 4 10:48:59 2011 us=842560 /sbin/route add -net 10.20.30.0 10.20.30.2 255.255.255.0
route: writing to routing socket: File exists
add net 10.20.30.0: gateway 10.20.30.2: route already in table
Thu Aug 4 10:48:59 2011 us=844655 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Aug 4 10:48:59 2011 us=844752 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Aug 4 10:48:59 2011 us=848751 GID set to nobody
Thu Aug 4 10:48:59 2011 us=848858 UID set to nobody
Thu Aug 4 10:48:59 2011 us=848908 UDPv4 link local (bound): [undef]:2000
Thu Aug 4 10:48:59 2011 us=848934 UDPv4 link remote: [undef]
Thu Aug 4 10:48:59 2011 us=848967 MULTI: multi_init called, r=256 v=256
Thu Aug 4 10:48:59 2011 us=849139 IFCONFIG POOL: base=10.20.30.4 size=62
Thu Aug 4 10:48:59 2011 us=849210 IFCONFIG POOL LIST
Thu Aug 4 10:48:59 2011 us=849234 client,10.20.30.4
Thu Aug 4 10:48:59 2011 us=849302 Initialization Sequence Completed
Thu Aug 4 10:49:05 2011 us=911587 MULTI: multi_create_instance called
Thu Aug 4 10:49:05 2011 us=911700 196.202.236.217:51624 Re-using SSL/TLS context
Thu Aug 4 10:49:05 2011 us=911768 196.202.236.217:51624 LZO compression initialized
Thu Aug 4 10:49:05 2011 us=912120 196.202.236.217:51624 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Aug 4 10:49:05 2011 us=912151 196.202.236.217:51624 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Aug 4 10:49:05 2011 us=912238 196.202.236.217:51624 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Aug 4 10:49:05 2011 us=912259 196.202.236.217:51624 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Aug 4 10:49:05 2011 us=912343 196.202.236.217:51624 Local Options hash (VER=V4): '14168603'
Thu Aug 4 10:49:05 2011 us=912378 196.202.236.217:51624 Expected Remote Options hash (VER=V4): '504e774e'
Thu Aug 4 10:49:05 2011 us=912473 196.202.236.217:51624 TLS: Initial packet from 196.202.236.217:51624, sid=e5ec741e fbf33033
Thu Aug 4 10:50:05 2011 us=875068 196.202.236.217:51624 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 4 10:50:05 2011 us=875099 196.202.236.217:51624 TLS Error: TLS handshake failed
Thu Aug 4 10:50:05 2011 us=875327 196.202.236.217:51624 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Aug 4 10:50:07 2011 us=817786 MULTI: multi_create_instance called
Thu Aug 4 10:50:07 2011 us=817891 196.202.236.217:51624 Re-using SSL/TLS context
Thu Aug 4 10:50:07 2011 us=817919 196.202.236.217:51624 LZO compression initialized
Thu Aug 4 10:50:07 2011 us=818046 196.202.236.217:51624 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Aug 4 10:50:07 2011 us=818076 196.202.236.217:51624 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Aug 4 10:50:07 2011 us=818154 196.202.236.217:51624 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Aug 4 10:50:07 2011 us=818174 196.202.236.217:51624 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Aug 4 10:50:07 2011 us=818212 196.202.236.217:51624 Local Options hash (VER=V4): '14168603'
Thu Aug 4 10:50:07 2011 us=818244 196.202.236.217:51624 Expected Remote Options hash (VER=V4): '504e774e'
Thu Aug 4 10:50:07 2011 us=818307 196.202.236.217:51624 TLS: Initial packet from 196.202.236.217:51624, sid=101f8ca8 fd683252
Thu Aug 4 10:50:23 2011 us=90056 196.202.236.217:51624 VERIFY OK: depth=1, /C=UA/ST=Kherson/L=Kherson/O=hbk-wide/OU=server/CN=server/name=Kherson/emailAddress=kherson@server.ks
Thu Aug 4 10:50:23 2011 us=90581 196.202.236.217:51624 VERIFY OK: depth=0, /C=UA/ST=Kherson/L=Kherson/O=hbk-wide/OU=client/CN=client/name=client/emailAddress=me@myclient.conm
Thu Aug 4 10:50:26 2011 us=859184 196.202.236.217:51624 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 4 10:50:26 2011 us=859254 196.202.236.217:51624 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 10:50:26 2011 us=859330 196.202.236.217:51624 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 4 10:50:26 2011 us=859354 196.202.236.217:51624 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 10:50:27 2011 us=699067 196.202.236.217:51624 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Aug 4 10:50:27 2011 us=699152 196.202.236.217:51624 [client] Peer Connection Initiated with 196.202.236.217:51624
Thu Aug 4 10:50:27 2011 us=699268 client/196.202.236.217:51624 MULTI: Learn: 10.20.30.6 -> client/196.202.236.217:51624
Thu Aug 4 10:50:27 2011 us=699297 client/196.202.236.217:51624 MULTI: primary virtual IP for client/196.202.236.217:51624: 10.20.30.6
Thu Aug 4 10:50:30 2011 us=830703 client/196.202.236.217:51624 PUSH: Received control message: 'PUSH_REQUEST'
Thu Aug 4 10:50:30 2011 us=830820 client/196.202.236.217:51624 SENT CONTROL [client]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.20.30.1,topology net30,ping 20,ping-restart 240,ifconfig 10.20.30.6 10.20.30.5' (status=1)
7. Client log
Code:
gateway openvpn # openvpn client.ovpn
Thu Aug 4 11:24:36 2011 us=815552 Current Parameter Settings:
Thu Aug 4 11:24:36 2011 us=821685 config = 'client.ovpn'
Thu Aug 4 11:24:36 2011 us=821748 mode = 0
Thu Aug 4 11:24:36 2011 us=821882 persist_config = DISABLED
Thu Aug 4 11:24:36 2011 us=821934 persist_mode = 1
Thu Aug 4 11:24:36 2011 us=821985 show_ciphers = DISABLED
Thu Aug 4 11:24:36 2011 us=822035 show_digests = DISABLED
Thu Aug 4 11:24:36 2011 us=822085 show_engines = DISABLED
Thu Aug 4 11:24:36 2011 us=822136 genkey = DISABLED
Thu Aug 4 11:24:36 2011 us=822186 key_pass_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=822236 show_tls_ciphers = DISABLED
Thu Aug 4 11:24:36 2011 us=822290 Connection profiles [default]:
Thu Aug 4 11:24:36 2011 us=823609 proto = udp
Thu Aug 4 11:24:36 2011 us=823667 local = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=823718 local_port = 2000
Thu Aug 4 11:24:36 2011 us=823769 remote = '178.94.20.202'
Thu Aug 4 11:24:36 2011 us=823820 remote_port = 2000
Thu Aug 4 11:24:36 2011 us=823877 remote_float = DISABLED
Thu Aug 4 11:24:36 2011 us=823928 bind_defined = DISABLED
Thu Aug 4 11:24:36 2011 us=823978 bind_local = ENABLED
Thu Aug 4 11:24:36 2011 us=824029 connect_retry_seconds = 5
Thu Aug 4 11:24:36 2011 us=824080 connect_timeout = 10
Thu Aug 4 11:24:36 2011 us=824130 connect_retry_max = 0
Thu Aug 4 11:24:36 2011 us=824181 socks_proxy_server = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=824231 socks_proxy_port = 0
Thu Aug 4 11:24:36 2011 us=824282 socks_proxy_retry = DISABLED
Thu Aug 4 11:24:36 2011 us=824332 Connection profiles END
Thu Aug 4 11:24:36 2011 us=824383 remote_random = DISABLED
Thu Aug 4 11:24:36 2011 us=824435 ipchange = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=824485 dev = 'tun'
Thu Aug 4 11:24:36 2011 us=824535 dev_type = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=824586 dev_node = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=824636 lladdr = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=824686 topology = 1
Thu Aug 4 11:24:36 2011 us=824736 tun_ipv6 = DISABLED
Thu Aug 4 11:24:36 2011 us=824786 ifconfig_local = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=824836 ifconfig_remote_netmask = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=824893 ifconfig_noexec = DISABLED
Thu Aug 4 11:24:36 2011 us=824944 ifconfig_nowarn = DISABLED
Thu Aug 4 11:24:36 2011 us=824994 shaper = 0
Thu Aug 4 11:24:36 2011 us=825044 tun_mtu = 1500
Thu Aug 4 11:24:36 2011 us=825094 tun_mtu_defined = ENABLED
Thu Aug 4 11:24:36 2011 us=825144 link_mtu = 1500
Thu Aug 4 11:24:36 2011 us=825194 link_mtu_defined = DISABLED
Thu Aug 4 11:24:36 2011 us=825245 tun_mtu_extra = 0
Thu Aug 4 11:24:36 2011 us=825295 tun_mtu_extra_defined = DISABLED
Thu Aug 4 11:24:36 2011 us=825345 fragment = 0
Thu Aug 4 11:24:36 2011 us=825395 mtu_discover_type = -1
Thu Aug 4 11:24:36 2011 us=825445 mtu_test = 0
Thu Aug 4 11:24:36 2011 us=825495 mlock = DISABLED
Thu Aug 4 11:24:36 2011 us=825545 keepalive_ping = 0
Thu Aug 4 11:24:36 2011 us=825596 keepalive_timeout = 0
Thu Aug 4 11:24:36 2011 us=825649 inactivity_timeout = 0
Thu Aug 4 11:24:36 2011 us=825700 ping_send_timeout = 0
Thu Aug 4 11:24:36 2011 us=825750 ping_rec_timeout = 0
Thu Aug 4 11:24:36 2011 us=825800 ping_rec_timeout_action = 0
Thu Aug 4 11:24:36 2011 us=825856 ping_timer_remote = DISABLED
Thu Aug 4 11:24:36 2011 us=825907 remap_sigusr1 = 0
Thu Aug 4 11:24:36 2011 us=825957 explicit_exit_notification = 0
Thu Aug 4 11:24:36 2011 us=826007 persist_tun = ENABLED
Thu Aug 4 11:24:36 2011 us=826057 persist_local_ip = DISABLED
Thu Aug 4 11:24:36 2011 us=826107 persist_remote_ip = DISABLED
Thu Aug 4 11:24:36 2011 us=826157 persist_key = ENABLED
Thu Aug 4 11:24:36 2011 us=826207 mssfix = 1450
Thu Aug 4 11:24:36 2011 us=826257 passtos = DISABLED
Thu Aug 4 11:24:36 2011 us=826308 resolve_retry_seconds = 1000000000
Thu Aug 4 11:24:36 2011 us=826358 username = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826408 groupname = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826458 chroot_dir = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826510 cd_dir = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826526 writepid = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826541 up_script = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826555 down_script = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826570 down_pre = DISABLED
Thu Aug 4 11:24:36 2011 us=826585 up_restart = DISABLED
Thu Aug 4 11:24:36 2011 us=826599 up_delay = DISABLED
Thu Aug 4 11:24:36 2011 us=826614 daemon = DISABLED
Thu Aug 4 11:24:36 2011 us=826628 inetd = 0
Thu Aug 4 11:24:36 2011 us=826645 log = DISABLED
Thu Aug 4 11:24:36 2011 us=826659 suppress_timestamps = DISABLED
Thu Aug 4 11:24:36 2011 us=826674 nice = 0
Thu Aug 4 11:24:36 2011 us=826689 verbosity = 4
Thu Aug 4 11:24:36 2011 us=826703 mute = 0
Thu Aug 4 11:24:36 2011 us=826718 gremlin = 0
Thu Aug 4 11:24:36 2011 us=826732 status_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826747 status_file_version = 1
Thu Aug 4 11:24:36 2011 us=826761 status_file_update_freq = 60
Thu Aug 4 11:24:36 2011 us=826775 occ = ENABLED
Thu Aug 4 11:24:36 2011 us=826790 rcvbuf = 65536
Thu Aug 4 11:24:36 2011 us=826805 sndbuf = 65536
Thu Aug 4 11:24:36 2011 us=826819 sockflags = 0
Thu Aug 4 11:24:36 2011 us=826833 fast_io = DISABLED
Thu Aug 4 11:24:36 2011 us=826854 lzo = 7
Thu Aug 4 11:24:36 2011 us=826869 route_script = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826884 route_default_gateway = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=826899 route_default_metric = 0
Thu Aug 4 11:24:36 2011 us=826913 route_noexec = DISABLED
Thu Aug 4 11:24:36 2011 us=826928 route_delay = 0
Thu Aug 4 11:24:36 2011 us=826942 route_delay_window = 30
Thu Aug 4 11:24:36 2011 us=826957 route_delay_defined = DISABLED
Thu Aug 4 11:24:36 2011 us=826972 route_nopull = DISABLED
Thu Aug 4 11:24:36 2011 us=826986 route_gateway_via_dhcp = DISABLED
Thu Aug 4 11:24:36 2011 us=827001 max_routes = 100
Thu Aug 4 11:24:36 2011 us=827016 allow_pull_fqdn = DISABLED
Thu Aug 4 11:24:36 2011 us=827030 management_addr = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827045 management_port = 0
Thu Aug 4 11:24:36 2011 us=827060 management_user_pass = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827075 management_log_history_cache = 250
Thu Aug 4 11:24:36 2011 us=827090 management_echo_buffer_size = 100
Thu Aug 4 11:24:36 2011 us=827105 management_write_peer_info_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827120 management_client_user = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827135 management_client_group = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827150 management_flags = 0
Thu Aug 4 11:24:36 2011 us=827165 shared_secret_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827179 key_direction = 2
Thu Aug 4 11:24:36 2011 us=827194 ciphername_defined = ENABLED
Thu Aug 4 11:24:36 2011 us=827209 ciphername = 'BF-CBC'
Thu Aug 4 11:24:36 2011 us=827223 authname_defined = ENABLED
Thu Aug 4 11:24:36 2011 us=827238 authname = 'SHA1'
Thu Aug 4 11:24:36 2011 us=827253 prng_hash = 'SHA1'
Thu Aug 4 11:24:36 2011 us=827268 prng_nonce_secret_len = 16
Thu Aug 4 11:24:36 2011 us=827282 keysize = 0
Thu Aug 4 11:24:36 2011 us=827297 engine = DISABLED
Thu Aug 4 11:24:36 2011 us=827311 replay = ENABLED
Thu Aug 4 11:24:36 2011 us=827326 mute_replay_warnings = DISABLED
Thu Aug 4 11:24:36 2011 us=827341 replay_window = 64
Thu Aug 4 11:24:36 2011 us=827356 replay_time = 15
Thu Aug 4 11:24:36 2011 us=827370 packet_id_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827385 use_iv = ENABLED
Thu Aug 4 11:24:36 2011 us=827400 test_crypto = DISABLED
Thu Aug 4 11:24:36 2011 us=827414 tls_server = DISABLED
Thu Aug 4 11:24:36 2011 us=827429 tls_client = ENABLED
Thu Aug 4 11:24:36 2011 us=827444 key_method = 2
Thu Aug 4 11:24:36 2011 us=827458 ca_file = '/etc/openvpn/ca.crt'
Thu Aug 4 11:24:36 2011 us=827473 ca_path = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827488 dh_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827503 cert_file = '/etc/openvpn/client.crt'
Thu Aug 4 11:24:36 2011 us=827518 priv_key_file = '/etc/openvpn/client.key'
Thu Aug 4 11:24:36 2011 us=827532 pkcs12_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827546 cipher_list = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827561 tls_verify = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827575 tls_remote = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827589 crl_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827603 ns_cert_type = 64
Thu Aug 4 11:24:36 2011 us=827618 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827632 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827646 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827660 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827675 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827689 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827703 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827717 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827731 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827746 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827760 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827774 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827788 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827802 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827817 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827831 remote_cert_ku[i] = 0
Thu Aug 4 11:24:36 2011 us=827851 remote_cert_eku = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=827866 tls_timeout = 2
Thu Aug 4 11:24:36 2011 us=827880 renegotiate_bytes = 0
Thu Aug 4 11:24:36 2011 us=827895 renegotiate_packets = 0
Thu Aug 4 11:24:36 2011 us=827909 renegotiate_seconds = 3600
Thu Aug 4 11:24:36 2011 us=827923 handshake_window = 60
Thu Aug 4 11:24:36 2011 us=827938 transition_window = 3600
Thu Aug 4 11:24:36 2011 us=827952 single_session = DISABLED
Thu Aug 4 11:24:36 2011 us=827967 push_peer_info = DISABLED
Thu Aug 4 11:24:36 2011 us=827981 tls_exit = DISABLED
Thu Aug 4 11:24:36 2011 us=827995 tls_auth_file = '/etc/openvpn/ta.key'
Thu Aug 4 11:24:36 2011 us=828019 server_network = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828034 server_netmask = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828049 server_bridge_ip = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828065 server_bridge_netmask = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828080 server_bridge_pool_start = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828095 server_bridge_pool_end = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828110 ifconfig_pool_defined = DISABLED
Thu Aug 4 11:24:36 2011 us=828126 ifconfig_pool_start = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828141 ifconfig_pool_end = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828156 ifconfig_pool_netmask = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=828170 ifconfig_pool_persist_filename = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=828185 ifconfig_pool_persist_refresh_freq = 600
Thu Aug 4 11:24:36 2011 us=828200 n_bcast_buf = 256
Thu Aug 4 11:24:36 2011 us=828214 tcp_queue_limit = 64
Thu Aug 4 11:24:36 2011 us=828229 real_hash_size = 256
Thu Aug 4 11:24:36 2011 us=828243 virtual_hash_size = 256
Thu Aug 4 11:24:36 2011 us=828257 client_connect_script = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=828272 learn_address_script = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=828286 client_disconnect_script = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=828301 client_config_dir = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=828316 ccd_exclusive = DISABLED
Thu Aug 4 11:24:36 2011 us=832015 tmp_dir = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=832032 push_ifconfig_defined = DISABLED
Thu Aug 4 11:24:36 2011 us=832048 push_ifconfig_local = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=832063 push_ifconfig_remote_netmask = 0.0.0.0
Thu Aug 4 11:24:36 2011 us=832078 enable_c2c = DISABLED
Thu Aug 4 11:24:36 2011 us=832093 duplicate_cn = DISABLED
Thu Aug 4 11:24:36 2011 us=832107 cf_max = 0
Thu Aug 4 11:24:36 2011 us=832121 cf_per = 0
Thu Aug 4 11:24:36 2011 us=832136 max_clients = 1024
Thu Aug 4 11:24:36 2011 us=832150 max_routes_per_client = 256
Thu Aug 4 11:24:36 2011 us=832165 auth_user_pass_verify_script = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=832179 auth_user_pass_verify_script_via_file = DISABLED
Thu Aug 4 11:24:36 2011 us=832194 ssl_flags = 0
Thu Aug 4 11:24:36 2011 us=832208 port_share_host = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=832223 port_share_port = 0
Thu Aug 4 11:24:36 2011 us=832237 client = ENABLED
Thu Aug 4 11:24:36 2011 us=832252 pull = ENABLED
Thu Aug 4 11:24:36 2011 us=832266 auth_user_pass_file = '[UNDEF]'
Thu Aug 4 11:24:36 2011 us=832283 OpenVPN 2.1.4 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Mar 21 2011
Thu Aug 4 11:24:36 2011 us=832340 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Aug 4 11:24:36 2011 us=833336 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Aug 4 11:24:36 2011 us=833356 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Aug 4 11:24:36 2011 us=833379 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 11:24:36 2011 us=833397 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 11:24:36 2011 us=833426 LZO compression initialized
Thu Aug 4 11:24:36 2011 us=833502 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Aug 4 11:24:36 2011 us=833541 Socket Buffers: R=[122880->131072] S=[122880->131072]
Thu Aug 4 11:24:36 2011 us=833566 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Aug 4 11:24:36 2011 us=833589 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Aug 4 11:24:36 2011 us=833605 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Aug 4 11:24:36 2011 us=833631 Local Options hash (VER=V4): '504e774e'
Thu Aug 4 11:24:36 2011 us=833651 Expected Remote Options hash (VER=V4): '14168603'
Thu Aug 4 11:24:36 2011 us=833674 UDPv4 link local (bound): [undef]:2000
Thu Aug 4 11:24:36 2011 us=833690 UDPv4 link remote: 178.94.20.202:2000
Thu Aug 4 11:24:37 2011 us=947330 TLS: Initial packet from 178.94.20.202:2000, sid=c7cedaf9 bd952819
Thu Aug 4 11:25:36 2011 us=803875 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 4 11:25:36 2011 us=803912 TLS Error: TLS handshake failed
Thu Aug 4 11:25:36 2011 us=804005 TCP/UDP: Closing socket
Thu Aug 4 11:25:36 2011 us=804033 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 4 11:25:36 2011 us=804048 Restart pause, 2 second(s)
Thu Aug 4 11:25:38 2011 us=804455 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Aug 4 11:25:38 2011 us=804504 Re-using SSL/TLS context
Thu Aug 4 11:25:38 2011 us=804528 LZO compression initialized
Thu Aug 4 11:25:38 2011 us=804575 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Aug 4 11:25:38 2011 us=804600 Socket Buffers: R=[122880->131072] S=[122880->131072]
Thu Aug 4 11:25:38 2011 us=804617 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Aug 4 11:25:38 2011 us=804639 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Aug 4 11:25:38 2011 us=804650 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Aug 4 11:25:38 2011 us=804667 Local Options hash (VER=V4): '504e774e'
Thu Aug 4 11:25:38 2011 us=804681 Expected Remote Options hash (VER=V4): '14168603'
Thu Aug 4 11:25:38 2011 us=804696 UDPv4 link local (bound): [undef]:2000
Thu Aug 4 11:25:38 2011 us=804708 UDPv4 link remote: 178.94.20.202:2000
Thu Aug 4 11:25:39 2011 us=867058 TLS: Initial packet from 178.94.20.202:2000, sid=7f4eb3a4 8e4b83f5
Thu Aug 4 11:25:44 2011 us=686168 VERIFY OK: depth=1, /C=UA/ST=Kherson/L=Kherson/O=hbk-wide/OU=server/CN=server/name=Kherson/emailAddress=kherson@server.ks
Thu Aug 4 11:25:44 2011 us=686348 VERIFY OK: nsCertType=SERVER
Thu Aug 4 11:25:44 2011 us=686360 VERIFY OK: depth=0, /C=UA/ST=Kherson/L=Kherson/O=hbk-wide/OU=hbk-wide/CN=server/name=Kherson/emailAddress=administrator@kherson.ks.ua
Thu Aug 4 11:25:59 2011 us=187273 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 4 11:25:59 2011 us=187315 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 11:25:59 2011 us=187372 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 4 11:25:59 2011 us=187384 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 4 11:25:59 2011 us=187444 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Aug 4 11:25:59 2011 us=187470 [server] Peer Connection Initiated with 178.94.20.202:2000
Thu Aug 4 11:26:01 2011 us=430898 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Aug 4 11:26:03 2011 us=161573 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.20.30.1,topology net30,ping 20,ping-restart 240,ifconfig 10.20.30.6 10.20.30.5'
Thu Aug 4 11:26:03 2011 us=161649 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 4 11:26:03 2011 us=161661 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 4 11:26:03 2011 us=161670 OPTIONS IMPORT: route options modified
Thu Aug 4 11:26:03 2011 us=161803 ROUTE default_gateway=192.168.1.1
Thu Aug 4 11:26:03 2011 us=162173 TUN/TAP device tun0 opened
Thu Aug 4 11:26:03 2011 us=162194 TUN/TAP TX queue length set to 100
Thu Aug 4 11:26:03 2011 us=162226 /sbin/ifconfig tun0 10.20.30.6 pointopoint 10.20.30.5 mtu 1500
Thu Aug 4 11:26:03 2011 us=179575 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.20.30.5
Thu Aug 4 11:26:03 2011 us=200616 /sbin/route add -net 10.20.30.1 netmask 255.255.255.255 gw 10.20.30.5
Thu Aug 4 11:26:03 2011 us=208394 Initialization Sequence Completed
8. Server and VPN client ping each other
Code:
gateway openvpn # ping 10.20.30.1
PING 10.20.30.1 (10.20.30.1) 56(84) bytes of data.
64 bytes from 10.20.30.1: icmp_req=1 ttl=64 time=2936 ms
64 bytes from 10.20.30.1: icmp_req=3 ttl=64 time=2599 ms
64 bytes from 10.20.30.1: icmp_req=4 ttl=64 time=1760 ms
===============
free-snich# ping 10.20.30.6
PING 10.20.30.6 (10.20.30.6): 56 data bytes
64 bytes from 10.20.30.6: icmp_seq=0 ttl=64 time=925.579 ms
64 bytes from 10.20.30.6: icmp_seq=1 ttl=64 time=844.054 ms
64 bytes from 10.20.30.6: icmp_seq=2 ttl=64 time=715.135 ms
64 bytes from 10.20.30.6: icmp_seq=3 ttl=64 time=755.718 ms
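The two logs above carry several signals worth flagging automatically: the world-readable ta.key warning on the client, the 1024-bit DH parameters and 1024-bit RSA certificate key, the 64-bit Blowfish data cipher, the duplicate route add on the FreeBSD server, and the first handshake timing out before the retry succeeded. The script below is an added example and not code from either poster; it scans OpenVPN verb-4 log lines and reports those findings over a constructed subset of the server (section 6) and client (section 7) logs. The severity thresholds and the finding names are the example's own choices.

```python
"""Scan OpenVPN 2.x log lines (--verb 4 format) for security-relevant findings.

Added example for this page, not code from either thread.  The sample logs at
the bottom are a constructed subset of the server/client logs posted above.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "Thu Aug  4 10:48:59 2011 us=816384 " (day of month is space-padded)
_TS = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} us=\d+ ")
# Server-side per-client prefix: "196.202.236.217:51624 " or "client/196.202.236.217:51624 "
_PEER = re.compile(r"^(?:[\w-]+/)?(\d{1,3}(?:\.\d{1,3}){3}):(\d+) ")
# 64-bit block ciphers: ciphertext collisions become practical on long-lived tunnels (SWEET32)
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
MIN_DH_BITS = MIN_RSA_BITS = 2048


@dataclass
class Finding:
    severity: str                 # "high", "medium" or "info"
    kind: str
    detail: str
    peer: Optional[str] = None    # real address:port of the client in a server log


def _split(line: str):
    """Strip the timestamp and the optional client prefix; return (peer, message)."""
    msg = _TS.sub("", line.strip(), count=1)
    m = _PEER.match(msg)
    return (f"{m.group(1)}:{m.group(2)}", msg[m.end():]) if m else (None, msg)


def analyze(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()             # Encrypt and Decrypt both report the cipher: report it once
    route_exists = False     # set by the OS message that precedes OpenVPN's route error

    def add(sev, kind, detail, peer=None):
        if (kind, detail, peer) not in seen:
            seen.add((kind, detail, peer))
            findings.append(Finding(sev, kind, detail, peer))

    for raw in lines:
        peer, msg = _split(raw)
        if "route already in table" in msg:
            route_exists = True
        elif re.search(r"ERROR: .*route add command failed", msg):
            # Duplicate route: harmless noise (usually `server` plus an explicit `route` for the
            # same tunnel net).  Any other failed route add means traffic will not flow.
            if route_exists:
                add("info", "route-duplicate", "route add failed because the route already existed")
            else:
                add("medium", "route-failed", msg)
            route_exists = False
        elif m := re.search(r"WARNING: file '([^']+)' is group or others accessible", msg):
            add("high", "key-permissions", f"{m.group(1)} is readable by other users; chmod 600", peer)
        elif m := re.search(r"Diffie-Hellman initialized with (\d+) bit key", msg):
            if int(m.group(1)) < MIN_DH_BITS:
                add("high", "weak-dh", f"{m.group(1)}-bit DH parameters; regenerate with >= {MIN_DH_BITS} bits")
        elif m := re.search(r"Cipher '([A-Z0-9-]+)' initialized with \d+ bit key", msg):
            if m.group(1) in WEAK_CIPHERS:
                add("high", "weak-cipher", f"{m.group(1)} is a 64-bit block cipher; move to AES-GCM", peer)
        elif m := re.search(r"Control Channel: (\S+), cipher .+?, (\d+) bit RSA", msg):
            if int(m.group(2)) < MIN_RSA_BITS:
                add("medium", "weak-rsa", f"{m.group(2)}-bit RSA certificate key", peer)
            if m.group(1) in ("TLSv1", "TLSv1.1"):
                add("info", "tls-version", f"control channel uses {m.group(1)}; set tls-version-min 1.2", peer)
        elif m := re.search(r"TLS key negotiation failed to occur within (\d+) seconds", msg):
            add("medium", "tls-timeout",
                f"no TLS handshake within {m.group(1)} s; check UDP reachability and tls-auth key-direction", peer)
        elif "VERIFY OK: nsCertType=SERVER" in msg:
            add("info", "server-cert-type", "peer certificate checked for nsCertType=SERVER", peer)
        elif m := re.search(r"VERIFY OK: depth=0, (.+)", msg):
            cn = re.search(r"/CN=([^/]+)", m.group(1))
            add("info", "peer-cert", f"peer CN={cn.group(1) if cn else '?'}", peer)
    return findings


def summarize(findings: Iterable[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed subset of section 6 (FreeBSD server) and section 7 (Linux client) above.
SAMPLE_SERVER_LOG = """\
Thu Aug  4 10:48:59 2011 us=834765 Diffie-Hellman initialized with 1024 bit key
add net 10.20.30.0: gateway 10.20.30.2: route already in table
Thu Aug  4 10:48:59 2011 us=844655 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Aug  4 10:50:05 2011 us=875068 196.202.236.217:51624 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug  4 10:50:23 2011 us=90581 196.202.236.217:51624 VERIFY OK: depth=0, /C=UA/ST=Kherson/O=hbk-wide/OU=client/CN=client/emailAddress=me@myclient.conm
Thu Aug  4 10:50:26 2011 us=859184 196.202.236.217:51624 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug  4 10:50:26 2011 us=859330 196.202.236.217:51624 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug  4 10:50:27 2011 us=699067 196.202.236.217:51624 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""
SAMPLE_CLIENT_LOG = """\
Thu Aug  4 11:24:36 2011 us=833336 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Aug  4 11:25:44 2011 us=686348 VERIFY OK: nsCertType=SERVER
Thu Aug  4 11:25:44 2011 us=686360 VERIFY OK: depth=0, /C=UA/ST=Kherson/O=hbk-wide/CN=server/emailAddress=administrator@kherson.ks.ua
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_SERVER_LOG.splitlines()) + analyze(SAMPLE_CLIENT_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.kind:16} {f.peer or '-':22} {f.detail}")
```

Run against a live log with `analyze(open("/var/log/openvpn/openvpn.log"))`. The duplicate-route case is deliberately downgraded to info: the error in section 6 fires on the second identical `route add` for 10.20.30.0, which the `server` directive already installs, so the tunnel route is in place and the message is noise rather than a routing fault. The ta.key permission warning is the one to act on first: whoever can read that file can forge control-channel packets past `tls-auth`.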
openvpn routing errors
Hello. I am setting up openvpn. The client connects to the server over the VPN and sees the local network behind the server. The server, in turn, does not see the network behind the client (and I very much want it to). The goal is for users on both networks to see each other's networks. Server config:
Server output:
What is the client running on?
Both servers are on Ubuntu Server 16.04
And is traffic forwarding enabled on the client?
Forwarding in /etc/sysctl.conf is uncommented.
Damn, once again the client is not the default route for its own network, and yet another idiot whines that it doesn't work.
Well, thanks for the kind words; did you know everything right away yourself?
Let's start with the fact that no iptables rules are needed at all. Both sides need to be able to route (net.ipv4.ip_forward), and the routes need to be in place. In your setup the routes to the server's network are pushed to the client via the config, but on the server there is no route to the client's network. I don't know whether this can be done through the configs, but you can create a static route to the client's network via the client's VPN address.
OK, and what does ip r say on the server? If the route is there, run tcpdump on the client and see whether the packets arrive. If they do, look at the physical interface to see whether they go out; it may be that they go out but don't come back. After that it depends on what you see.
Nothing is being dropped on the client; I have disabled ufw for now. Routing is enabled on both. When adding the route
I want to correct myself: the client is indeed not the gateway in its own network, so for now the goal is for both the client and the server to see, specifically over the tunnel, not only each other's tunnel IPs (10.8.0.1, 10.8.0.2) but also the physical ones (10.27.1.5, 10.2.1.5). At the moment only the client can do this.
Is there anything in the openvpn log? As far as I remember the documentation, your connection currently works not as a normal subnet but as peer-to-peer. Accordingly, 10.8.0.2 is the address of the peer the server sends data to, and the client should have .3 (they had a table of allowed addresses somewhere, too lazy to google). Try reconfiguring the client to a different address.
In my opinion there's nothing criminal in the logs. Yes, ifconfig tells me it's peer-to-peer.
By the way, you can get a normal subnet by using dev tap instead of tun.
Are you adding it on the client? 10.8.0.2, what is that, the server's IP? I think it starts from .1.
To see the network behind the client, that client must be a router in its own network. At least for the network that is behind the server.
Better start by telling us which IPs the client and server have on the VPN and in the LAN. And what the routing table is on each.
Unfortunately it didn't work. I tried changing tun to tap in the server and client configs; the connection stopped being established altogether (did I understand correctly? Only that needs changing in the configs, everything else stays the same?)
tunnel IP 10.8.0.1
tunnel IP 10.8.0.4 (now; before XMs advised me to change it, it was 10.8.0.2)
if you mean when I tried to add
To see the network behind the client, that client must be a router in its own network. At least for the network that is behind the server.
How I will forward the incoming traffic from the client into the network is a separate story; I will implement that myself. For now my task is to be able to ping each server from the other, both by tunnel IP and by the physical, real addresses.
Source
forum.lissyara.su
Problem with VPN routes
In this case the VPN gateway is 10.20.30.1. 192.168.1.1 is the router through which the client's internet goes.
This is how ya.ru is traced from the client with the VPN up:
Re: Problem with VPN routes
Post by Guest » 2011-08-04 3:39:42
Post by mak_v_ » 2011-08-04 10:52:40
Post by mak_v_ » 2011-08-04 14:05:44
You are not passing the default gw from the server
Post by Guest » 2011-08-05 0:12:22
Post by mak_v_ » 2011-08-05 9:29:23
2) With push "redirect-gateway" your default will be "the other end of the VPN", namely 10.20.30.5, which is the same as 10.20.30.1 for everyone, although in a traceroute 10.20.30.1 will show up instead of 10.20.30.5; don't be alarmed, that is how it should be.
The above needs to be read several times and understood. Just take it in. Then it gets easier.
Source
Error freebsd route add command failed external program exited with error status
I am using openvpn quite some time now, and I just love it!
But I am having trouble with openvpn and routing.
The VPN connection is built up and working as far as the tunnel endpoint, in this case 10.1.0.1; there I could even log into the pfSense firewall.
But I can't reach any LAN networks behind the tunnel, although I have the right firewall rules in place. I can be sure they are, because there is no problem logging in and reaching the LAN networks from my Windows desktop if I connect to my remote server through the Viscosity OpenVPN client software. I think it has to do with the error message "ERROR: FreeBSD route add command failed: external program exited with error status: 1", because the route could not be added.
Here my setup:
Network:
Local:
VMWare ESXI 5.5 u1
Wan = direct isp ip (datamodem only)
LAN = 192.168.1.0/24
OpenVPN IP: 10.1.0.0/24
Remote Server:
VMware ESXI 5.5 u1
WAN = Direct ISP IP
LAN1 = 10.0.0.0/24
LAN2 = 10.0.1.0/24
Software:
Local:
2.1.4-RELEASE (amd64)
built on Fri Jun 20 12:59:50 EDT 2014
FreeBSD 8.3-RELEASE-p16
Remote:
2.1.4-RELEASE (amd64)
built on Fri Jun 20 12:59:50 EDT 2014
FreeBSD 8.3-RELEASE-p16
Openvpn setup: Client:
Error:
Remote Server:
if you want I can post some settings, but like mentioned above there seems to be no problem logging in and reaching the LAN networks from my windows desktop through viscosity.
I really hope someone can help me here.
The way I’ve always setup site-site connections is to do all the routing at the server end.
So your client setup doesn't need anything in the "IPv4 Remote Networks" box; those entries go in the server's "IPv4 Remote Networks". The only other thing you have to make sure of is to add an "iroute" statement in the Client Specific Override section of the server for the client's network(s).
You mentioned Viscosity linking in ok, do you use the same OpenVPN server for both your RoadWarrior and site-site connections?
If so, you're the second person to suggest that. I've always created 2 separate servers so that I can deal with RoadWarriors and site-to-site connections in a distinct fashion and adjust one without affecting the other.
Your "tunnel network" is the same as one of your "remote networks".
This is most likely the cause of this error. Either change the tunnel network or remove the remote network.
Er, I think you misread. The OP has tunnel network:
While the remote nets are:
No conflicts there, he's using 10.0.0.x, 10.0.1.x, and 10.1.0.x.
ovpnc1 10.1.0.3 10.1.0.3 mtu 1500 netmask 255.255.255.0 up
Shouldn't it be something like:
ovpnc1 10.1.0.1 10.1.0.2 mtu 1500 netmask 255.255.255.0 up
Do you have the correct netmask on both sides?
Well there’s another Huh? moment for me.
I read your post and thought, "Aha, that does look strange". Then just for fun, I went back through my OpenVPN logs on my main router to look at what happens "normally".
This router has been running for about 6 years, currently at 2.1.4 on a HD with no major packages but some 5 OpenVPN servers and 20+ OpenVPN clients.
Lo and behold, I found 1 of the server instances that produces the same type of entry in the logs: "/sbin/ifconfig ovpns16 10.155.50.1 10.155.50.1 mtu 1500 netmask 255.255.255.0 up"! The other instances of server (and client) all show the expected .1 .2 split of a "normal" connection. To make matters worse (sort of...) this particular connection routes traffic just fine, I can log into remote boxes, get to the client pfSense box, etc. I need to hunt down the difference in this particular connection and see what's up....
But as far as the OP, it doesn’t necessarily matter. 😮
Edit:
Ahem — Woooops :-[
That's what I get for typing instead of thinking. The server I found in the logs was for a separate RoadWarrior connection, so my log entry is exactly what's expected.
That leads me to believe that the original OP may have a similar problem. Now I noticed the screen shots show Peer to Peer mode in the client, but the log file shows the OpenVPN instance "ovpnc1" trying to connect in what looks like Remote Access mode. Either the log file doesn't match the configuration screen or vice-versa.
One issue I have seen with OpenVPN (especially when changing certificates) is that it's possible to have a "cached" version of the OpenVPN instance that will hang around even after a GUI-based restart of the instance. I've had to manually go in and kill the process, then do a GUI start.
Perhaps it would be simplest to do a restart of pfSense on both ends, just to test?
Source
Error freebsd route add command failed external program exited with error status
Hello,
I have a weird problem with OpenVPN. I am new to FreeBSD/pfSense, so maybe someone has had this error message when trying to establish a VPN tunnel:
Everything runs fine, but when the add route command gets executed, this appears:
Dec 22 23:48:23 openvpn[7866]: Initialization Sequence Completed
Dec 22 23:48:23 openvpn[7866]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 22 23:48:23 openvpn[7866]: /sbin/route add -net 128.0.0.0 5.254.134.1 128.0.0.0
Dec 22 23:48:23 openvpn[7866]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 22 23:48:23 openvpn[7866]: /sbin/route add -net 0.0.0.0 5.254.134.1 128.0.0.0
Dec 22 23:48:23 openvpn[7866]: /sbin/route add -net 178.73.x.x 77.xx.xx.1 255.255.255.255
Dec 22 23:48:23 openvpn[7866]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 init
Dec 22 23:48:23 openvpn[7866]: TUN/TAP device /dev/tun2 opened
Dec 22 23:48:23 openvpn[7866]: TUN/TAP device ovpnc2 exists previously, keep at program end
Dec 22 23:48:23 openvpn[7866]: ROUTE_GATEWAY 77.xx.xx.1
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: route-related options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: route options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 22 23:48:23 openvpn[7866]: OPTIONS IMPORT: timers and/or timeouts modified
I already checked the log files and searched here, but I cannot find any related post for this issue. Hope somebody can help me with this 🙁
That is indicating that you already have a route for those networks.
From the look of what it’s trying to add, the remote side is pushing you a default route (redirect-gateway def1), and if your first vpn client is already doing that, the second one can’t since the routes already exist.
Source
Hi guys,
I have a configuration that allowed me to route all traffic through the VPN for about a year, but after a dd-wrt update I just couldn't make it work anymore; it was failing to add a route. Unfortunately I had a TP-Link when it worked, did a restore to the original firmware and they blocked custom firmware; now the new client router also says "Linux route add command failed" but "external program exited with error status: 1" instead of status: 2, as the TP-Link did:
State
Client: CONNECTED SUCCESS
Local Address: 10.1.1.2
Remote Address: 10.1.1.2
Status
VPN Client Stats
TUN/TAP read bytes 17171
TUN/TAP write bytes 0
TCP/UDP read bytes 3735
TCP/UDP write bytes 23022
Auth read bytes 64
pre-compress bytes 7914
post-compress bytes 7988
pre-decompress bytes 0
post-decompress bytes 0
Log
Clientlog:
20161025 20:20:17 I OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 18 2016
20161025 20:20:17 I library versions: OpenSSL 1.0.2j 26 Sep 2016 LZO 2.09
20161025 20:20:17 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20161025 20:20:17 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20161025 20:20:17 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20161025 20:20:17 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20161025 20:20:17 Socket Buffers: R=[87380->87380] S=[16384->16384]
20161025 20:20:17 I Attempting to establish TCP connection with [AF_INET]82.xx.xx.48:443 [nonblock]
20161025 20:20:18 I TCP connection established with [AF_INET]82.xx.xx.48:443
20161025 20:20:18 I TCPv4_CLIENT link local: [undef]
20161025 20:20:18 I TCPv4_CLIENT link remote: [AF_INET]82.xx.xx.48:443
20161025 20:20:18 TLS: Initial packet from [AF_INET]82.xx.xx.48:443 sid=7e483803 e26adfea
20161025 20:20:18 VERIFY OK: depth=1 C=xx ST=xx L=xxx O=Radu OU=HomeServer CN=HomeServer name=HomeServer emailAddress=xx@xx.com
20161025 20:20:18 VERIFY OK: depth=0 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=NightHawk name=NightHawk emailAddress=xx@oxx.com
20161025 20:20:18 NOTE: --mute triggered...
20161025 20:20:18 1 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:18 W WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
20161025 20:20:18 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20161025 20:20:18 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20161025 20:20:18 W WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
20161025 20:20:18 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20161025 20:20:18 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 1024 bit RSA
20161025 20:20:18 I [NightHawk] Peer Connection Initiated with [AF_INET]82.xx.xx.48:443
20161025 20:20:20 SENT CONTROL [NightHawk]: 'PUSH_REQUEST' (status=1)
20161025 20:20:20 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.1 255.255.255.0 redirect-gateway def1 dhcp-option DNS 193.xx.xx.1 route-gateway 10.1.1.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.1.1.2 255.255.255.0'
20161025 20:20:20 OPTIONS IMPORT: timers and/or timeouts modified
20161025 20:20:20 NOTE: --mute triggered...
20161025 20:20:20 5 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:20 I TUN/TAP device tun1 opened
20161025 20:20:20 TUN/TAP TX queue length set to 100
20161025 20:20:20 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20161025 20:20:20 I /sbin/ifconfig tun1 10.1.1.2 netmask 255.255.255.0 mtu 1500 broadcast 10.1.1.255
20161025 20:20:20 /sbin/route add -net 82.79.46.48 netmask 255.255.255.255 gw 192.168.0.1
20161025 20:20:20 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
20161025 20:20:20 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
20161025 20:20:20 /sbin/route add -net 192.168.1.1 netmask 255.255.255.0 gw 10.1.1.1
20161025 20:20:20 W ERROR: Linux route add command failed: external program exited with error status: 1
20161025 20:20:20 I Initialization Sequence Completed
20161025 20:20:22 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161025 20:20:22 D MANAGEMENT: CMD 'state'
20161025 20:20:22 MANAGEMENT: Client disconnected
This would be the server log:
20161025 20:20:17 I TCP connection established with [AF_INET]95.xx.xx.1:60182
20161025 20:20:18 95.91.250.1:60182 TLS: Initial packet from [AF_INET]95.xx.xx.1:60182 sid=ca05dfea e5bb0e4e
20161025 20:20:18 95.91.250.1:60182 VERIFY OK: depth=1 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=HomeServer name=HomeServer emailAddress=xx@xx.com
20161025 20:20:18 95.91.250.1:60182 VERIFY OK: depth=0 C=xx ST=xx L=xx O=Radu OU=HomeServer CN=Archer name=Archer emailAddress=xx@xx.com
20161025 20:20:18 95.91.250.1:60182 NOTE: --mute triggered...
20161025 20:20:18 95.91.250.1:60182 5 variation(s) on previous 3 message(s) suppressed by --mute
20161025 20:20:18 I 95.91.250.1:60182 [Archer] Peer Connection Initiated with [AF_INET]95.xx.xx.1:60182
20161025 20:20:18 I Archer/95.xx.xx.1:60182 MULTI_sva: pool returned IPv4=10.1.1.2 IPv6=(Not enabled)
20161025 20:20:18 Archer/95.xx.xx.1:60182 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_044afbfeb0c46a9ca6edba6296966941.tmp
20161025 20:20:18 Archer/95.xx.xx.1:60182 MULTI: Learn: 10.1.1.2 -> Archer/95.xx.xx.1:60182
20161025 20:20:18 Archer/95.xx.xx.1:60182 MULTI: primary virtual IP for Archer/95.xx.xx.1:60182: 10.1.1.2
20161025 20:20:20 Archer/95.xx.xx.1:60182 PUSH: Received control message: 'PUSH_REQUEST'
20161025 20:20:20 I Archer/95.xx.xx.1:60182 send_push_reply(): safe_cap=940
20161025 20:20:20 Archer/95.xx.xx.1:60182 SENT CONTROL [Archer]: 'PUSH_REPLY route 192.168.1.1 255.255.255.0 redirect-gateway def1 dhcp-option DNS 193.xx.xx.1 route-gateway 10.1.1.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.1.1.2 255.255.255.0' (status=1)
Here are the configs (firewall and IP v6 off):
SERVER CONFIG (Home Location router); LAN IP: 192.168.1.1
Start Type: System
Config as: Server
Server Mode: Router (TUN)
Network: 10.1.1.0
Netmask: 255.255.255.0
Port: 443
Tunnel Protocol: TCP
Encryption Cipher: Blowfish CBC
Hash Algorithm: SHA1
Advanced Options: Disable
Additional Config:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS [provider dns]"
push "dhcp-option DNS [2nd provider dns]"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp-server
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
CLIENT CONFIG (roaming location router); LAN IP: 192.168.2.1
Server IP/Name: [ddns link]
Port: 443
Tunnel Device: TUN
Tunnel Protocol: TCP
Encryption Cipher: Blowfish CBC
Hash Algorithm: SHA1
Advanced Options: Disable
Any ideas?