OpenVPN help... verify error depth=0?
ERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=CA/L=SanFrancisco/O=SekretOrg/CN=anon/emailAddress=anonymous@sekretorg.com
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 TLS Error: TLS handshake failed
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 SIGUSR1[soft,tls-error] received, client-instance restarting
--- what does this error mean?
It means you're using a server certificate to authenticate a client, or vice-versa.
Like using a fork to cut your meat. Unsupported purpose.
(yeah, I'm very good at pasting people's posts into google)
The log snippet looks truncated (in the part included, everything but the truncated first line is just a consequence of that first line), but the first line's error means that the certificate being verified was not created with the appropriate type for its use. In the context of OpenVPN this usually means a server using a certificate that is not flagged (nsCertType) as a "server" or a client using a certificate that is not flagged as a "client".
You don't mention which side of the connection this log is from, but I think SSL3_GET_CLIENT_CERTIFICATE only occurs on the server, so if that's the case, I'd check your client certificate type.
– David
@db3l:
Thank you. Yes, the logs are from the server.
Here is the full message:
Fri Nov 25 18:29:06 2011 MULTI: multi_create_instance called
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Re-using SSL/TLS context
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 LZO compression initialized
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Local Options hash (VER=V4): '530fdded'
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Expected Remote Options hash (VER=V4): '41690919'
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 TLS: Initial packet from 207.47.5.130:59120, sid=21400a48 ae7152e4
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=CA/L=SanFrancisco/O=sekret/CN=anon/emailAddress=anonymous@sekret
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 TLS Error: TLS handshake failed
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 SIGUSR1[soft,tls-error] received, client-instance restarting
On my local machine, which I'm trying to connect to this server from, the cert had this with "server" in it:
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Extended Key Usage:
TLS Web Server Authentication
I tried changing instances of "server" with "client" but that didn't work.
Any suggestions? Should I try to delete all cert files and config files and regenerate them? I was following the linode guide but I could've messed up somehow…
I noticed that "client.conf" had this
ns-cert-type server
I changed it to
ns-cert-type client
No luck still but noticed something odd locally anyway.
@arachn1d:
I tried changing instances of "server" with "client" but that didn't work.
Tried changing it where? In the text summary of the certificate at the top of the file? That's just a convenience (textual copy of the certificate, as you'd get from the "openssl x509" text output) but has no actual bearing on the certificate (which is strictly the portion between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"). If you could just edit the text at will it would sort of defeat the purpose of a signed certificate.
> Any suggestions? Should I try to delete all cert files and config files and regenerate them? I was following the linode guide but I could've messed up somehow…
The only way to correct the certificate type extension field is, yes, to re-generate (and then re-sign) the certificate. You shouldn't have to do anything with your config files though, just re-do the client certificate.
The certificate type field is set in the openssl configuration file clause used when generating the certificate. If you're using the easy-rsa OpenVPN scripts (which I think the Linode library entries reference), the "build-key-server" script references a server extension that explicitly sets the server clause, so you'd want to use the regular "build-key" (or build-key-1yr) for clients. I think client certificates generated this way actually have no explicit type set.
> I noticed that "client.conf" had this
ns-cert-type server
I changed it to
ns-cert-type client
No luck still but noticed something odd locally anyway.
That's actually a standard configuration element - it tells the client to verify that the server is using a "server" certificate (helps block MITM attacks), which is sort of the opposite of your problem.
I haven't tried this, but adding an "ns-cert-type server" to your server's configuration file might be a workaround, since in that case it would match your client's certificate type. I'm not 100% positive that setting is obeyed on the server side though.
In any event you'll want to restore your client.conf or else it'll probably now reject your server certificate - unless you have the reverse problem there and marked it as a client.
Personally, especially since you're just getting going, I'd probably chalk this up to a learning experience, and re-generate any certificates that are currently mis-classified, to avoid confusion down the road and use a more standard configuration.
– David
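As an added example (not code from the thread, from easy-rsa or from OpenVPN), this is the check worth running before touching any config: read the certificate's purpose from the signed body with openssl, and confirm that editing the text summary easy-rsa writes above -----BEGIN CERTIFICATE----- changes nothing. The functions cert_purpose, make_cert and demo are mine; it assumes OpenSSL 1.1.1 or newer (for req -addext) and generates throwaway self-signed test certificates.

```shell
#!/bin/sh
# Added example, not from the thread or easy-rsa: classify which side a
# certificate was issued for by reading nsCertType / extendedKeyUsage from the
# signed body, and show that editing the human-readable summary written above
# "-----BEGIN CERTIFICATE-----" does not change the answer.
# Assumes OpenSSL 1.1.1+ ("req -addext") and sed/mktemp on PATH.
set -e

# cert_purpose FILE -> prints "server", "client", "both" or "unspecified".
# openssl regenerates the text from the DER body, so any convenience text
# at the top of the file is ignored, exactly as OpenVPN ignores it.
cert_purpose() {
    text=$(openssl x509 -in "$1" -noout -text)
    srv=0; cli=0
    if printf '%s\n' "$text" | grep -Eq 'SSL Server|TLS Web Server Authentication'; then srv=1; fi
    if printf '%s\n' "$text" | grep -Eq 'SSL Client|TLS Web Client Authentication'; then cli=1; fi
    case "$srv$cli" in
        10) echo server ;;
        01) echo client ;;
        11) echo both ;;
        *)  echo unspecified ;;
    esac
}

# make_cert "<-addext options>" OUTFILE: self-signed test certificate
# (constructed test data; a CA-signed cert carries the same extensions).
make_cert() {
    # $1 is intentionally unquoted so several -addext pairs split into words.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=test" -days 1 -keyout "$2.key" -out "$2" $1 2>/dev/null
}

# Build the cases from the thread and classify each; prints four words:
# server cert, client cert, untyped cert (easy-rsa build-key style), and the
# server cert after the text summary above the PEM block was edited by hand.
demo() {
    dir=$(mktemp -d)
    make_cert "-addext nsCertType=server -addext extendedKeyUsage=serverAuth" "$dir/server.crt"
    make_cert "-addext nsCertType=client -addext extendedKeyUsage=clientAuth" "$dir/client.crt"
    make_cert "" "$dir/plain.crt"
    # Reproduce the edit attempted in the thread: prepend the text summary the
    # way easy-rsa does, then change "Server" to "Client" in that summary only.
    openssl x509 -in "$dir/server.crt" -text > "$dir/server-with-text.crt"
    sed 's/SSL Server/SSL Client/; s/Web Server/Web Client/' \
        "$dir/server-with-text.crt" > "$dir/edited.crt"
    printf '%s %s %s %s\n' "$(cert_purpose "$dir/server.crt")" \
        "$(cert_purpose "$dir/client.crt")" "$(cert_purpose "$dir/plain.crt")" \
        "$(cert_purpose "$dir/edited.crt")"
    rm -rf "$dir"
}

demo
```

The last word printed is still "server": the edited summary is never consulted, which is why the only fix is to re-issue the certificate.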
Newish issue (happened before but eventually went away).
I am trying to connect but it's stuck at "waiting for server response", so my first intuition is to see if it's rejecting the connection (which it is).
Here is my iptables
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp dpt:www reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:https reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:30000
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
If I try to
telnet server 1194
It's rejected.
If I play with the other ports to see if changes are taking place it responds so I'm not sure why it's ignoring the openvpn ports? I tried both UDP/TCP for the heck of it.
Nov 25 21:12:23 li83-151 kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:4a:cf:f1:97:c8:4c:75:f5:d6:3f:08:00 SRC=207.47.5.130 DST=fake000 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=10221 DF PROTO=TCP SPT=53835 DPT=1194 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 25 21:12:24 li83-151 kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:4a:cf:f1:97:c8:4c:75:f5:d6:3f:08:00 SRC=207.47.5.130 DST=fake00 LEN=42 TOS=0x00 PREC=0x00 TTL=56 ID=11669 PROTO=UDP SPT=54235 DPT=1994 LEN=22
Anything I can do to make this connection go through? :(
OpenVPN is running…
ps aux | grep open
root 17893 0.0 0.2 21216 1148 ? Ss 21:07 0:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf
root 17959 0.0 0.1 5156 776 pts/2 S+ 21:13 0:00 grep open
I think it'd work if the connection went through. I regenerated the certs and I'm pretty sure I generated a server cert for the client side.
And interesting output from the openvpn.log
Fri Nov 25 21:17:07 2011 event_wait : Interrupted system call (code=4)
Fri Nov 25 21:17:08 2011 TCP/UDP: Closing socket
Fri Nov 25 21:17:08 2011 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Fri Nov 25 21:17:08 2011 Closing TUN/TAP interface
Fri Nov 25 21:17:08 2011 /sbin/ifconfig tun0 0.0.0.0
Fri Nov 25 21:17:08 2011 SIGTERM[hard,] received, process exiting
tail: openvpn.log: file truncated
openvpn-status.log
tail: openvpn-status.log: file truncated
OpenVPN CLIENT LIST
Updated,Fri Nov 25 21:17:19 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
cat openvpn.log
Fri Nov 25 21:56:04 2011 us=187709 Current Parameter Settings:
Fri Nov 25 21:56:04 2011 us=187825 config = '/etc/openvpn/server.conf'
Fri Nov 25 21:56:04 2011 us=187844 mode = 1
Fri Nov 25 21:56:04 2011 us=187859 persist_config = DISABLED
Fri Nov 25 21:56:04 2011 us=187873 persist_mode = 1
Fri Nov 25 21:56:04 2011 us=187887 show_ciphers = DISABLED
Fri Nov 25 21:56:04 2011 us=187901 show_digests = DISABLED
Fri Nov 25 21:56:04 2011 us=187914 show_engines = DISABLED
Fri Nov 25 21:56:04 2011 us=187928 genkey = DISABLED
Fri Nov 25 21:56:04 2011 us=187942 key_pass_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=187956 show_tls_ciphers = DISABLED
Fri Nov 25 21:56:04 2011 us=187974 Connection profiles [default]:
Fri Nov 25 21:56:04 2011 us=187990 proto = udp
Fri Nov 25 21:56:04 2011 us=188004 local = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188017 local_port = 1194
Fri Nov 25 21:56:04 2011 us=188031 remote = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188044 remote_port = 1194
Fri Nov 25 21:56:04 2011 us=188058 remote_float = DISABLED
Fri Nov 25 21:56:04 2011 us=188072 bind_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=188085 bind_local = ENABLED
Fri Nov 25 21:56:04 2011 us=188099 connect_retry_seconds = 5
Fri Nov 25 21:56:04 2011 us=188113 connect_timeout = 10
Fri Nov 25 21:56:04 2011 us=188127 connect_retry_max = 0
Fri Nov 25 21:56:04 2011 us=188141 socks_proxy_server = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188154 socks_proxy_port = 0
Fri Nov 25 21:56:04 2011 us=188168 socks_proxy_retry = DISABLED
Fri Nov 25 21:56:04 2011 us=188186 Connection profiles END
Fri Nov 25 21:56:04 2011 us=188200 remote_random = DISABLED
Fri Nov 25 21:56:04 2011 us=188214 ipchange = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188227 dev = 'tun'
Fri Nov 25 21:56:04 2011 us=188241 dev_type = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188254 dev_node = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188268 lladdr = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188281 topology = 1
Fri Nov 25 21:56:04 2011 us=188295 tun_ipv6 = DISABLED
Fri Nov 25 21:56:04 2011 us=188308 ifconfig_local = '10.8.0.1'
Fri Nov 25 21:56:04 2011 us=188322 ifconfig_remote_netmask = '10.8.0.2'
Fri Nov 25 21:56:04 2011 us=188336 ifconfig_noexec = DISABLED
Fri Nov 25 21:56:04 2011 us=188349 ifconfig_nowarn = DISABLED
Fri Nov 25 21:56:04 2011 us=188362 shaper = 0
Fri Nov 25 21:56:04 2011 us=188376 tun_mtu = 1500
Fri Nov 25 21:56:04 2011 us=188390 tun_mtu_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=188403 link_mtu = 1500
Fri Nov 25 21:56:04 2011 us=188417 link_mtu_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=188430 tun_mtu_extra = 0
Fri Nov 25 21:56:04 2011 us=188444 tun_mtu_extra_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=188457 fragment = 0
Fri Nov 25 21:56:04 2011 us=188471 mtu_discover_type = -1
Fri Nov 25 21:56:04 2011 us=188484 mtu_test = 0
Fri Nov 25 21:56:04 2011 us=188498 mlock = DISABLED
Fri Nov 25 21:56:04 2011 us=188512 keepalive_ping = 10
Fri Nov 25 21:56:04 2011 us=188526 keepalive_timeout = 120
Fri Nov 25 21:56:04 2011 us=188550 inactivity_timeout = 0
Fri Nov 25 21:56:04 2011 us=188564 ping_send_timeout = 10
Fri Nov 25 21:56:04 2011 us=188578 ping_rec_timeout = 240
Fri Nov 25 21:56:04 2011 us=188591 ping_rec_timeout_action = 2
Fri Nov 25 21:56:04 2011 us=188604 ping_timer_remote = DISABLED
Fri Nov 25 21:56:04 2011 us=188618 remap_sigusr1 = 0
Fri Nov 25 21:56:04 2011 us=188631 explicit_exit_notification = 0
Fri Nov 25 21:56:04 2011 us=188645 persist_tun = ENABLED
Fri Nov 25 21:56:04 2011 us=188658 persist_local_ip = DISABLED
Fri Nov 25 21:56:04 2011 us=188672 persist_remote_ip = DISABLED
Fri Nov 25 21:56:04 2011 us=188685 persist_key = ENABLED
Fri Nov 25 21:56:04 2011 us=188699 mssfix = 1450
Fri Nov 25 21:56:04 2011 us=188712 passtos = DISABLED
Fri Nov 25 21:56:04 2011 us=188731 resolve_retry_seconds = 1000000000
Fri Nov 25 21:56:04 2011 us=188746 username = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188760 groupname = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188773 chroot_dir = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188799 cd_dir = '/etc/openvpn'
Fri Nov 25 21:56:04 2011 us=188814 writepid = '/var/run/openvpn.server.pid'
Fri Nov 25 21:56:04 2011 us=188828 up_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188842 down_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188855 down_pre = DISABLED
Fri Nov 25 21:56:04 2011 us=188869 up_restart = DISABLED
Fri Nov 25 21:56:04 2011 us=188883 up_delay = DISABLED
Fri Nov 25 21:56:04 2011 us=188896 daemon = ENABLED
Fri Nov 25 21:56:04 2011 us=188910 inetd = 0
Fri Nov 25 21:56:04 2011 us=188924 log = ENABLED
Fri Nov 25 21:56:04 2011 us=188937 suppress_timestamps = DISABLED
Fri Nov 25 21:56:04 2011 us=188951 nice = 0
Fri Nov 25 21:56:04 2011 us=188965 verbosity = 5
Fri Nov 25 21:56:04 2011 us=188978 mute = 0
Fri Nov 25 21:56:04 2011 us=188992 gremlin = 0
Fri Nov 25 21:56:04 2011 us=189006 status_file = 'openvpn-status.log'
Fri Nov 25 21:56:04 2011 us=189020 status_file_version = 1
Fri Nov 25 21:56:04 2011 us=189033 status_file_update_freq = 60
Fri Nov 25 21:56:04 2011 us=189047 occ = ENABLED
Fri Nov 25 21:56:04 2011 us=189061 rcvbuf = 65536
Fri Nov 25 21:56:04 2011 us=189074 sndbuf = 65536
Fri Nov 25 21:56:04 2011 us=189088 sockflags = 0
Fri Nov 25 21:56:04 2011 us=189102 fast_io = DISABLED
Fri Nov 25 21:56:04 2011 us=189115 lzo = 7
Fri Nov 25 21:56:04 2011 us=189129 route_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189143 route_default_gateway = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189156 route_default_metric = 0
Fri Nov 25 21:56:04 2011 us=189170 route_noexec = DISABLED
Fri Nov 25 21:56:04 2011 us=189183 route_delay = 0
Fri Nov 25 21:56:04 2011 us=189197 route_delay_window = 30
Fri Nov 25 21:56:04 2011 us=189211 route_delay_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=189224 route_nopull = DISABLED
Fri Nov 25 21:56:04 2011 us=189238 route_gateway_via_dhcp = DISABLED
Fri Nov 25 21:56:04 2011 us=189251 allow_pull_fqdn = DISABLED
Fri Nov 25 21:56:04 2011 us=189266 route 10.8.0.0/255.255.255.0/nil/nil
Fri Nov 25 21:56:04 2011 us=189280 management_addr = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189294 management_port = 0
Fri Nov 25 21:56:04 2011 us=189308 management_user_pass = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189321 management_log_history_cache = 250
Fri Nov 25 21:56:04 2011 us=189335 management_echo_buffer_size = 100
Fri Nov 25 21:56:04 2011 us=189349 management_write_peer_info_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189363 management_flags = 0
Fri Nov 25 21:56:04 2011 us=189377 shared_secret_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189391 key_direction = 0
Fri Nov 25 21:56:04 2011 us=189405 ciphername_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=189419 ciphername = 'BF-CBC'
Fri Nov 25 21:56:04 2011 us=189433 authname_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=189446 authname = 'SHA1'
Fri Nov 25 21:56:04 2011 us=189460 keysize = 0
Fri Nov 25 21:56:04 2011 us=189474 engine = DISABLED
Fri Nov 25 21:56:04 2011 us=189487 replay = ENABLED
Fri Nov 25 21:56:04 2011 us=189501 mute_replay_warnings = DISABLED
Fri Nov 25 21:56:04 2011 us=189515 replay_window = 64
Fri Nov 25 21:56:04 2011 us=189529 replay_time = 15
Fri Nov 25 21:56:04 2011 us=189552 packet_id_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189566 use_iv = ENABLED
Fri Nov 25 21:56:04 2011 us=189580 test_crypto = DISABLED
Fri Nov 25 21:56:04 2011 us=189594 tls_server = ENABLED
Fri Nov 25 21:56:04 2011 us=189607 tls_client = DISABLED
Fri Nov 25 21:56:04 2011 us=189621 key_method = 2
Fri Nov 25 21:56:04 2011 us=189635 ca_file = 'ca.crt'
Fri Nov 25 21:56:04 2011 us=189648 ca_path = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189662 dh_file = 'dh1024.pem'
Fri Nov 25 21:56:04 2011 us=189675 cert_file = 'server.crt'
Fri Nov 25 21:56:04 2011 us=189689 priv_key_file = 'server.key'
Fri Nov 25 21:56:04 2011 us=189703 pkcs12_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189716 cipher_list = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189730 tls_verify = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189743 tls_remote = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189765 crl_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189780 ns_cert_type = 0
Fri Nov 25 21:56:04 2011 us=189794 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189815 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189837 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189859 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189877 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189891 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189905 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189918 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189932 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189945 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189959 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189972 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189986 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189999 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=190013 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=190027 remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=190040 remote_cert_eku = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=190054 tls_timeout = 2
Fri Nov 25 21:56:04 2011 us=190068 renegotiate_bytes = 0
Fri Nov 25 21:56:04 2011 us=190081 renegotiate_packets = 0
Fri Nov 25 21:56:04 2011 us=190095 renegotiate_seconds = 3600
Fri Nov 25 21:56:04 2011 us=190109 handshake_window = 60
Fri Nov 25 21:56:04 2011 us=190122 transition_window = 3600
Fri Nov 25 21:56:04 2011 us=190136 single_session = DISABLED
Fri Nov 25 21:56:04 2011 us=190150 tls_exit = DISABLED
Fri Nov 25 21:56:04 2011 us=190164 tls_auth_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=190177 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190191 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190204 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190218 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190231 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190245 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190258 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190280 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190302 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190325 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190347 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190370 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190386 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190399 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190413 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190427 pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190441 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190454 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190468 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190491 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190507 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190521 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190544 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190559 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190573 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190586 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190600 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190613 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190627 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190640 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190654 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190667 pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190681 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190704 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190718 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190732 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190745 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190759 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190772 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190786 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190799 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190813 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190826 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190839 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190853 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190866 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190879 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190893 pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190907 pkcs11_pin_cache_period = -1
Fri Nov 25 21:56:04 2011 us=190920 pkcs11_id = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=190934 pkcs11_id_management = DISABLED
Fri Nov 25 21:56:04 2011 us=190949 server_network = 10.8.0.0
Fri Nov 25 21:56:04 2011 us=190965 server_netmask = 255.255.255.0
Fri Nov 25 21:56:04 2011 us=190980 server_bridge_ip = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=190995 server_bridge_netmask = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191009 server_bridge_pool_start = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191024 server_bridge_pool_end = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191039 push_list = 'dhcp-option DNS 10.8.0.1,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120'
Fri Nov 25 21:56:04 2011 us=191053 ifconfig_pool_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=191067 ifconfig_pool_start = 10.8.0.4
Fri Nov 25 21:56:04 2011 us=191083 ifconfig_pool_end = 10.8.0.251
Fri Nov 25 21:56:04 2011 us=191097 ifconfig_pool_netmask = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191111 ifconfig_pool_persist_filename = 'ipp.txt'
Fri Nov 25 21:56:04 2011 us=191125 ifconfig_pool_persist_refresh_freq = 600
Fri Nov 25 21:56:04 2011 us=191139 n_bcast_buf = 256
Fri Nov 25 21:56:04 2011 us=191152 tcp_queue_limit = 64
Fri Nov 25 21:56:04 2011 us=191166 real_hash_size = 256
Fri Nov 25 21:56:04 2011 us=191180 virtual_hash_size = 256
Fri Nov 25 21:56:04 2011 us=191194 client_connect_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191207 learn_address_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191221 client_disconnect_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191235 client_config_dir = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191248 ccd_exclusive = DISABLED
Fri Nov 25 21:56:04 2011 us=191262 tmp_dir = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191276 push_ifconfig_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=191299 push_ifconfig_local = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191319 push_ifconfig_remote_netmask = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191333 enable_c2c = DISABLED
Fri Nov 25 21:56:04 2011 us=191347 duplicate_cn = DISABLED
Fri Nov 25 21:56:04 2011 us=191360 cf_max = 0
Fri Nov 25 21:56:04 2011 us=191374 cf_per = 0
Fri Nov 25 21:56:04 2011 us=191388 max_clients = 1024
Fri Nov 25 21:56:04 2011 us=191402 max_routes_per_client = 256
Fri Nov 25 21:56:04 2011 us=191415 client_cert_not_required = DISABLED
Fri Nov 25 21:56:04 2011 us=191429 username_as_common_name = DISABLED
Fri Nov 25 21:56:04 2011 us=191443 auth_user_pass_verify_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191457 auth_user_pass_verify_script_via_file = DISABLED
Fri Nov 25 21:56:04 2011 us=191471 port_share_host = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191489 port_share_port = 0
Fri Nov 25 21:56:04 2011 us=191503 client = DISABLED
Fri Nov 25 21:56:04 2011 us=191517 pull = DISABLED
Fri Nov 25 21:56:04 2011 us=191531 auth_user_pass_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191561 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Fri Nov 25 21:56:04 2011 us=194913 Diffie-Hellman initialized with 1024 bit key
Fri Nov 25 21:56:04 2011 us=195708 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Nov 25 21:56:04 2011 us=308821 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 25 21:56:04 2011 us=309020 ROUTE default_gateway=74.207.241.1
Fri Nov 25 21:56:04 2011 us=309124 TUN/TAP device tun0 opened
Fri Nov 25 21:56:04 2011 us=309151 TUN/TAP TX queue length set to 100
Fri Nov 25 21:56:04 2011 us=309177 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Nov 25 21:56:04 2011 us=311464 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Nov 25 21:56:04 2011 us=312718 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 25 21:56:04 2011 us=313266 Socket Buffers: R=[126976->131072] S=[126976->131072]
Fri Nov 25 21:56:04 2011 us=313337 UDPv4 link local (bound): [undef]:1194
Fri Nov 25 21:56:04 2011 us=313355 UDPv4 link remote: [undef]
Fri Nov 25 21:56:04 2011 us=313377 MULTI: multi_init called, r=256 v=256
Fri Nov 25 21:56:04 2011 us=313470 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Nov 25 21:56:04 2011 us=313518 IFCONFIG POOL LIST
Fri Nov 25 21:56:04 2011 us=313558 Initialization Sequence Completed
edit:
I got it to work but now it says "reconnecting" after 30 seconds.
Output of openvpn.log
tail -f -n 0 openvpn.log
rWFri Nov 25 22:18:06 2011 us=865108 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:08 2011 us=975178 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:09 2011 us=325207 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:14 2011 us=188888 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:16 2011 us=857409 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:18 2011 us=975411 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWrWFri Nov 25 22:18:19 2011 us=44147 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Rather than guessing if it's the filters, can you form a connection if you disable them? If not, then you know you have to troubleshoot the OpenVPN side - if it does, then you know it's the filters. Also, has anything in this area changed since your initial post? Clearly at that point connections were getting through as they were being rejected at a higher level. Could the filters not have been active at that point?
I do see a few odd things in your INPUT chain:
* You have rules beyond the point where you log a failure, so I don't think such logs in your log files necessarily indicate a packet has been blocked, just that it reached the LOG rule in the chain. You probably want that LOG rule at the end if it's supposed to represent dropped/rejected packets.
* You only permit the UDP OpenVPN port traffic. This should be fine, since it's usually what OpenVPN uses (unless you've configured it for TCP), but could explain the rejection of your telnet test which is TCP (except for the next point).
* You seem to have a general acceptance rule even before your OpenVPN rule, so I can't see how anything (other than https or www) would be blocked at all. However, the dump you show doesn't include interface information (add -v) so perhaps those more general rules are bounded by interface? But I wouldn't worry about those until you have OpenVPN working without any filters. If it is the filters, I'd also check them (-v) to make sure that you aren't accidentally limiting the openvpn rule by interface, plus you should be able to use the stats on that rule to see if any of your client's packets are qualifying.
– David
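To make the first point about the LOG rule concrete, an added example (not from the thread): a first-match walk over a simplified copy of the posted INPUT chain, checking what verdict a packet gets and whether it was logged on the way. The walk function and the rule tables are constructed here; the two bare ACCEPT-all rules are assumed to be bound to the loopback interface, as David suspects, since the listing was taken without -v, and state, ICMP-type and destination matches are left out.

```shell
#!/bin/sh
# Added example, not from the thread: simulate iptables first-match evaluation
# over a simplified copy of the posted INPUT chain to show that an
# "iptables denied:" line only means the packet reached the LOG rule.
# Rule format (constructed): TARGET PROTO DPORT IFACE
#   PROTO "all", DPORT "any" and IFACE "any" match everything.
#   LOG is non-terminating: it records the packet and evaluation continues.
set -e

# Posted order. The two bare ACCEPT rules are assumed to be "-i lo" (the
# listing had no -v), which is the only reading under which anything is
# filtered at all. Chain policy is ACCEPT, as in the listing.
POSTED_CHAIN='ACCEPT all any lo
REJECT tcp 80 any
REJECT tcp 443 any
ACCEPT tcp 30000 any
LOG all any any
ACCEPT all any lo
ACCEPT udp 1194 any
REJECT all any any'

# Same rules with LOG moved to sit directly before the final REJECT, so a
# logged packet really is one that is about to be rejected.
FIXED_CHAIN='ACCEPT all any lo
REJECT tcp 80 any
REJECT tcp 443 any
ACCEPT tcp 30000 any
ACCEPT udp 1194 any
LOG all any any
REJECT all any any'

# walk "<chain>" PROTO DPORT IFACE -> prints "<verdict> logged=<yes|no>"
walk() {
    logged=no
    verdict=POLICY_ACCEPT          # reached only if no terminating rule matches
    while read -r target proto dport iface; do
        [ -n "$target" ] || continue
        [ "$proto" = all ] || [ "$proto" = "$2" ] || continue
        [ "$dport" = any ] || [ "$dport" = "$3" ] || continue
        [ "$iface" = any ] || [ "$iface" = "$4" ] || continue
        if [ "$target" = LOG ]; then
            logged=yes             # LOG fires and the walk keeps going
            continue
        fi
        verdict=$target            # ACCEPT / REJECT end the walk
        break
    done <<EOF
$1
EOF
    echo "$verdict logged=$logged"
}

# The kernel log lines in the thread show the client arriving on eth0.
echo "posted, udp/1194: $(walk "$POSTED_CHAIN" udp 1194 eth0)"
echo "posted, tcp/1194: $(walk "$POSTED_CHAIN" tcp 1194 eth0)"
echo "fixed,  udp/1194: $(walk "$FIXED_CHAIN" udp 1194 eth0)"
echo "fixed,  tcp/1194: $(walk "$FIXED_CHAIN" tcp 1194 eth0)"
```

With the posted order the OpenVPN UDP packet is logged as "denied" and then accepted two rules later, so the syslog line proves nothing about blocking; after the reorder only packets that go on to be rejected are logged.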
@db3l:
Hey David,
I redid my filters using an example iptables config
I got the connection through finally and now I am getting the following:
"reconnecting" after 30 seconds.
Output of openvpn.log
tail -f -n 0 openvpn.log
rWFri Nov 25 22:18:06 2011 us=865108 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:08 2011 us=975178 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:09 2011 us=325207 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:14 2011 us=188888 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:16 2011 us=857409 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:18 2011 us=975411 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWrWFri Nov 25 22:18:19 2011 us=44147 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:30000
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpts:33434:33523
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
````
I'm going to keep tinkering. Thanks for staying on top of this with me… I appreciate it.
2011-11-25 22:32:43 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:54 *Tunnelblick leasewatch: A network configuration change was detected
* DNS configuration has changed:
* --- BEGIN EXPECTED DNS CFG ---
* DomainName : openvpn
* |ServerAddresses : <array> {
* 0 : 8.8.8.8
* 1 : 8.8.4.4
* }
* |SearchDomains : <array> {
* 0 : openvpn
* }
* |
* ---- END EXPECTED DNS CFG ----
*
* --- BEGIN CURRENT DNS CFG ---
* DomainName : ichotelsgroup.com
* |ServerAddresses : <array> {
* 0 : 8.8.8.8
* 1 : 8.8.4.4
* }
* |
* ---- END CURRENT DNS CFG ----
*
* --- BEGIN PRE-VPN DNS CFG ---
* ServerAddresses : <array> {
* 0 : 8.8.8.8
* 1 : 8.8.4.4
* }
* |
* ---- END PRE-VPN DNS CFG ----
* Sending USR1 to OpenVPN (process ID 10455) to restart the connection.
2011-11-25 22:32:55 event_wait : Interrupted system call (code=4)
2011-11-25 22:32:55 TCP/UDP: Closing socket
2011-11-25 22:32:55 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d tun0 1500 1542 10.8.0.6 10.8.0.5 restart
No such key
2011-11-25 22:32:55 SIGUSR1[hard,] received, process restarting
2011-11-25 22:32:55 MANAGEMENT: >STATE:1322289175,RECONNECTING,SIGUSR1,,
2011-11-25 22:32:55 *Tunnelblick client.down.tunnelblick.sh: Cancelled monitoring of system configuration changes
2011-11-25 22:32:55 *Tunnelblick client.down.tunnelblick.sh: Restored the DNS and WINS configurations
2011-11-25 22:32:56 MANAGEMENT: CMD 'hold release'
2011-11-25 22:32:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-11-25 22:32:56 Re-using SSL/TLS context
2011-11-25 22:32:56 LZO compression initialized
2011-11-25 22:32:56 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2011-11-25 22:32:56 Socket Buffers: R=[42080->65536] S=[9216->65536]
2011-11-25 22:32:56 MANAGEMENT: >STATE:1322289176,RESOLVE,,,
2011-11-25 22:33:26 RESOLVE: Cannot resolve host address: anon.anon.com: [HOST_NOT_FOUND] The specified host is unknown.
2011-11-25 22:33:26 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2011-11-25 22:33:26 Local Options hash (VER=V4): '41690919'
2011-11-25 22:33:26 Expected Remote Options hash (VER=V4): '530fdded'
2011-11-25 22:33:26 MANAGEMENT: >STATE:1322289206,RESOLVE,,,
2011-11-25 22:33:56 RESOLVE: signal received during DNS resolution attempt
2011-11-25 22:33:56 TCP/UDP: Closing socket
2011-11-25 22:33:56 /sbin/route delete -net 10.8.0.1 10.8.0.5 255.255.255.255
delete net 10.8.0.1: gateway 10.8.0.5
2011-11-25 22:33:56 /sbin/route delete -net fake00 10.71.0.1 255.255.255.255
delete net fake000: gateway 10.71.0.1
2011-11-25 22:33:56 /sbin/route delete -net 0.0.0.0 10.8.0.5 128.0.0.0
delete net 0.0.0.0: gateway 10.8.0.5
2011-11-25 22:33:56 /sbin/route delete -net 128.0.0.0 10.8.0.5 128.0.0.0
delete net 128.0.0.0: gateway 10.8.0.5
2011-11-25 22:33:56 Closing TUN/TAP interface
2011-11-25 22:33:56 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d tun0 1500 1542 10.8.0.6 10.8.0.5 init
2011-11-25 22:33:57 *Tunnelblick client.down.tunnelblick.sh: WARNING: No existing OpenVPN DNS configuration found; not tearing down anything; exiting.
2011-11-25 22:33:57 SIGTERM[hard,init_instance] received, process exiting
2011-11-25 22:33:57 MANAGEMENT: >STATE:1322289237,EXITING,init_instance,,
2011-11-25 22:33:59 *Tunnelblick: Flushed the DNS cache
Now I'd love to help you, but you need to realise something:
We still don't know what you're trying to do.
We have no idea what you did to get where you are.
We still haven't seen any of your configuration files. Neither server nor client.
Take care,
zjl
So I fixed it by setting "Set DNS/WINS" to "DO NOT SET NAMESERVER"
Now I get no disconnects and everything seems to be running smoothly.
How do I test that my connection is secure?
If I were on a public wi-fi spot, no one should be able to see any of my traffic even over HTTP right?
To make sure traffic is going through the tunnel, connect to your VPN with Tunnelblick and then check what your external IP address is, for instance by typing "What's My IP" in Google.
You should see the IP of your Linode.
Then, if your VPN is encrypted, you're all set.
OpenVPN tunnels are encrypted unless you really go the extra mile to disable encryption when setting up your server.
To make sure, check the logs when connecting; you should see a line
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Cipher may differ, but they're mostly all good enough.
Take care,
zjl
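An added example, not part of zjl's post, that reads the client log and grades the negotiated data-channel cipher instead of eyeballing the line. The log lines are constructed in the format OpenVPN 2.x prints; the table of cipher block sizes is my own and only covers the names that commonly show up in these logs. The external-IP check stays a manual step.

```python
"""Confirm what the tunnel actually negotiated by reading the client log.
Looks for the 'Data Channel Encrypt: Cipher ...' line and grades the cipher.
The key length is not what matters most: a 64-bit block cipher such as
Blowfish in CBC mode is the weak choice regardless of its 128-bit key."""
import re

# Constructed client logs; the cipher and HMAC lines copy the OpenVPN 2.x
# format, the surrounding lines are trimmed.
BLOWFISH_LOG = """\
2011-11-25 23:01:10 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2011-11-25 23:01:10 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2011-11-25 23:01:11 Initialization Sequence Completed
"""

AES_LOG = """\
2011-11-25 23:05:42 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2011-11-25 23:05:42 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-11-25 23:05:42 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2011-11-25 23:05:43 Initialization Sequence Completed
"""

# Block size in bits for cipher names OpenVPN prints (assumed list for the
# example). Anything with a 64-bit block (Blowfish, 3DES, CAST5) is graded
# weak: CBC over a 64-bit block hits the birthday bound after 2^32 blocks,
# roughly 32 GB of traffic, no matter how long the key is.
BLOCK_BITS = {
    "BF-CBC": 64, "DES-EDE3-CBC": 64, "CAST5-CBC": 64,
    "AES-128-CBC": 128, "AES-192-CBC": 128, "AES-256-CBC": 128,
    "CAMELLIA-128-CBC": 128, "CAMELLIA-256-CBC": 128,
}

CIPHER_RE = re.compile(
    r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Using (\d+) bit message hash '([^']+)' for HMAC")


def negotiated(log_text):
    """Return {'Encrypt': (cipher, key_bits), 'Decrypt': (...)} found in the log."""
    return {m.group(1): (m.group(2), int(m.group(3))) for m in CIPHER_RE.finditer(log_text)}


def grade(cipher, key_bits):
    block = BLOCK_BITS.get(cipher)
    if block is None:
        return "unknown"
    return "ok" if block >= 128 and key_bits >= 128 else "weak"


def tunnel_report(log_text):
    """Summarise one connection attempt: did it come up, which cipher, what grade."""
    ciphers = negotiated(log_text)
    up = "Initialization Sequence Completed" in log_text
    if "Encrypt" not in ciphers:
        return {"up": up, "cipher": None, "grade": "none"}
    cipher, bits = ciphers["Encrypt"]
    hmac = HMAC_RE.search(log_text)
    return {"up": up, "cipher": cipher, "key_bits": bits,
            "hmac": hmac.group(2) if hmac else None, "grade": grade(cipher, bits)}


if __name__ == "__main__":
    for name, log in (("blowfish", BLOWFISH_LOG), ("aes", AES_LOG)):
        print(name, tunnel_report(log))
```

Point it at the Tunnelblick log for the connection (the same file the "No route to host" lines above came from); "up" without an Encrypt line means the tunnel never reached the data channel, which is a different problem from a weak cipher.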
@zjl:
Glad you got it running then! This seems to be a Tunnelblick issue after all :-)
Seems mine is pretty low
> Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
How would I "upgrade" my cipher?
Still, you change the cipher by having a matching cipher line in both client and server configuration files.
Find the list of available ciphers by running
openvpn --show-ciphers
Then just add a line
cipher AES-256-CBC
to both client and server conf.
If you're interested in tweaking all this (and there's really no need), you may want to also look at tls-cipher and auth.
As an example, because I'm also pretty eager to always use the bigger one even if it's not really needed, I have:
tls-cipher DHE-RSA-AES256-SHA
cipher AES-256-CBC
auth ecdsa-with-SHA1
Find a list of what's available on your particular system with
openvpn --show-tls
openvpn --show-ciphers
openvpn --show-digests
You should make sure that what you decide to use is supported both by your server and your client.
Have fun,
zjl
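An added example, not from zjl's post, for the last point: checking that the client and server configs agree on cipher, auth and tls-cipher, and that each side's build actually offers the chosen value. The two configs, the hostname and the trimmed `--show-ciphers`/`--show-digests`/`--show-tls` lists are constructed for illustration; the defaults for an omitted directive (BF-CBC, SHA1) are those of OpenVPN 2.x of this era.

```python
"""Check that client and server OpenVPN configs agree on the crypto directives
(cipher, auth, tls-cipher) and that both sides support the chosen values.
Forgetting one side is the classic mistake: the tunnel comes up, OpenVPN logs
an "is used inconsistently" warning, and no traffic passes."""

DIRECTIVES = ("cipher", "auth", "tls-cipher")
# What OpenVPN 2.x of this era uses when the directive is omitted entirely.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "tls-cipher": None}

# Constructed configs. Hostname and file names are placeholders, not the poster's.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
; auth not set, so this side silently keeps the default
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.net 1194   # placeholder
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA256
tls-cipher DHE-RSA-AES256-SHA
"""

# Names each side reports in `openvpn --show-ciphers`, `--show-digests` and
# `--show-tls`, trimmed to a few entries for the example.
CLIENT_SUPPORTED = {"cipher": {"BF-CBC", "AES-128-CBC", "AES-256-CBC"},
                    "auth": {"SHA1", "SHA256", "SHA512"},
                    "tls-cipher": {"DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"}}
SERVER_SUPPORTED = {"cipher": {"BF-CBC", "AES-256-CBC"},
                    "auth": {"SHA1", "SHA256"},
                    "tls-cipher": {"DHE-RSA-AES256-SHA"}}
# A hypothetical older server build without AES, to exercise the support check.
OLD_SERVER_SUPPORTED = {"cipher": {"BF-CBC", "DES-EDE3-CBC"},
                        "auth": {"SHA1", "SHA256"},
                        "tls-cipher": {"DHE-RSA-AES256-SHA"}}


def parse_config(text):
    """OpenVPN config: one directive per line; '#' or ';' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def effective(opts, directive):
    """Value in use on one side, falling back to OpenVPN's own default."""
    return opts.get(directive, DEFAULTS[directive])


def crypto_problems(client_conf, server_conf, client_supported, server_supported):
    """List disagreements and unsupported choices; an empty list means both agree."""
    c, s = parse_config(client_conf), parse_config(server_conf)
    problems = []
    for d in DIRECTIVES:
        cv, sv = effective(c, d), effective(s, d)
        if cv != sv:
            problems.append(f"{d}: client uses {cv}, server uses {sv}")
            continue
        if cv is None:
            continue  # tls-cipher left to OpenSSL's default list on both sides
        for side, supported in (("client", client_supported), ("server", server_supported)):
            if cv not in supported[d]:
                problems.append(f"{d}: {cv} is not offered by the {side}'s openvpn --show-* output")
    return problems


def with_auth(conf, digest):
    """The fix for the sample server config: append the missing auth line."""
    return conf + f"auth {digest}\n"


if __name__ == "__main__":
    print(crypto_problems(CLIENT_CONF, SERVER_CONF, CLIENT_SUPPORTED, SERVER_SUPPORTED))
    print(crypto_problems(CLIENT_CONF, with_auth(SERVER_CONF, "SHA256"),
                          CLIENT_SUPPORTED, SERVER_SUPPORTED))
```

Feed it the real server.conf and client.ovpn plus the `--show-*` output from each machine; a directive that is set on one side and omitted on the other is reported as a mismatch against the default, which is exactly how an unset `cipher` quietly leaves you on BF-CBC.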