[OpenVPN] How to set up a client?

Howdy,

My question is simple: how do I use OpenVPN to obtain an IP address in my university's IP range?

Pretty much everything I found on the web seems to relate to setting up OpenVPN servers on FreeBSD but that's much more than I need (or want at this point). I simply need OpenVPN to act as a client to an existing server. There is a howto (in Dutch) on one of the university's webpages but it assumes you're using Ubuntu with this NetworkManager thingy so it's not of much help to me.

However, I have the following data, which ought to be enough to get it working:
  • server hostname/IP
  • university's IP range
  • a username/password
  • this GTE Cybertrust Global Root certificate thingy
  • additional options: a gateway port#, use TAP, use LZO, don't use TCP

Getting this to work would be a BIG step forward, so any help is appreciated.

Thanks in advance,

Alphons
 
If you know all of that, it shouldn't be too difficult to put those data into OpenVPN's client.conf, right?
 
DutchDaemon said:
If you know all of that, it shouldn't be too difficult to put those data into OpenVPN's client.conf, right?

You'd think. But somehow it isn't working.
Here's the config file (most comments snipped):

Code:
client
dev tap
;dev tun
;proto tcp
proto udp
remote openvpn.utwente.nl 1194
;remote-random
resolv-retry infinite
;nobind
user nobody
group nobody
persist-key
;persist-tun
mute-replay-warnings
ca /root/GTE_CyberTrust_Global_Root.pem
;cert client.crt
;key client.key
auth-user-pass
;ns-cert-type server
comp-lzo
verb 3
;mute 20

And here's what happens:
Code:
]# openvpn /etc/openvpn.conf 
Tue Feb 17 15:30:47 2009 OpenVPN 2.0.6 i386-portbld-freebsd7.1 [SSL] [LZO] built on Sep  8 2008
Enter Auth Username:s*******
Enter Auth Password: ********
Tue Feb 17 15:30:58 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Feb 17 15:30:58 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 17 15:30:58 2009 LZO compression initialized
Tue Feb 17 15:30:58 2009 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb 17 15:30:58 2009 RESOLVE: NOTE: openvpn.utwente.nl resolves to 8 addresses, choosing one by random
Tue Feb 17 15:30:58 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Feb 17 15:30:58 2009 Local Options hash (VER=V4): 'd79ca330'
Tue Feb 17 15:30:58 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Feb 17 15:30:58 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Feb 17 15:30:58 2009 UDPv4 link local: [undef]
Tue Feb 17 15:30:58 2009 UDPv4 link remote: 130.89.254.235:1194
Tue Feb 17 15:30:58 2009 TLS: Initial packet from 130.89.254.235:1194, sid=2065f171 b278981c
Tue Feb 17 15:31:03 2009 VERIFY OK: depth=2, /C=US/O=GTE_Corporation/OU=GTE_CyberTrust_Solutions__Inc./CN=GTE_CyberTrust_Global_Root
Tue Feb 17 15:31:03 2009 VERIFY OK: depth=1, /C=BE/O=Cybertrust/OU=Educational_CA/CN=Cybertrust_Educational_CA
Tue Feb 17 15:31:03 2009 VERIFY OK: depth=0, /C=NL/ST=OV/L=Enschede/O=University_of_Twente/OU=ICTS/CN=openvpn.utwente.nl/emailAddress=openvpn@utwente.nl
Tue Feb 17 15:31:08 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 17 15:31:08 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 17 15:31:08 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 17 15:31:08 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 17 15:31:08 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb 17 15:31:08 2009 [openvpn.utwente.nl] Peer Connection Initiated with 130.89.254.235:1194
Tue Feb 17 15:31:09 2009 SENT CONTROL [openvpn.utwente.nl]: 'PUSH_REQUEST' (status=1)
Tue Feb 17 15:31:09 2009 PUSH: Received control message: 'PUSH_REPLY,route 130.89.254.224 255.255.255.224 net_gateway,route-gateway 130.89.104.1,route 130.89.0.0 255.255.0.0,dhcp-option DNS 130.89.2.2,dhcp-option DNS 130.89.2.3,ping 10,ping-restart 120,ifconfig 130.89.107.88 255.255.248.0'
Tue Feb 17 15:31:09 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb 17 15:31:09 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb 17 15:31:09 2009 OPTIONS IMPORT: route options modified
Tue Feb 17 15:31:09 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb 17 15:31:09 2009 gw 192.168.1.254
Tue Feb 17 15:31:09 2009 Cannot allocate TUN/TAP dev dynamically
Tue Feb 17 15:31:09 2009 Exiting

Alphons
 
DutchDaemon said:
Do you have openvpn settings in /etc/rc.conf?

No, that didn't occur to me because I don't need VPN started at boot time. When I'm actually at the university I use their WLAN so I then already get an IP address in their range anyway. I just need to start it manually when I'm somewhere else (e.g. at home).

As far as I can tell from OpenVPN's output everything seems to be ok until the second-to-last line:
Code:
Cannot allocate TUN/TAP dev dynamically

Any thoughts? Do I need to apply additional settings to allow the device to be created for instance?

Alphons
 
Are you using a custom kernel? The GENERIC kernel should have tun.

Try loading it by hand:
Code:
# kldload if_tun

If it works after that either add device tun to your kernel conf or load it at boot time in /boot/loader.conf.
 
SirDice said:
Are you using a custom kernel? The GENERIC kernel should have tun.

I happen to run on GENERIC now, it has tun indeed (kldload said "file exists"). But I think I see the problem now: I had "dev tun" commented out in the configfile. I uncommented it and although I now get the following as part of OpenVPN's output:
Code:
Tue Feb 17 17:36:22 2009 /sbin/route add -net 130.89.254.224 192.168.1.254 255.255.255.224
add net 130.89.254.224: gateway 192.168.1.254
Tue Feb 17 17:36:22 2009 /sbin/route add -net 130.89.0.0 130.89.104.1 255.255.0.0
route: writing to routing socket: Network is unreachable
add net 130.89.0.0: gateway 130.89.104.1: Network is unreachable
Tue Feb 17 17:36:22 2009 ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Tue Feb 17 17:36:22 2009 GID set to nobody
Tue Feb 17 17:36:22 2009 UID set to nobody
Tue Feb 17 17:36:22 2009 Initialization Sequence Completed
at least ifconfig says:
Code:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 130.89.107.88 --> 255.255.248.0 netmask 0xffffffff 
        Opened by PID 3539
so it looks promising.

I'll go check if it's really working now but thanks already!

Next step would be to configure things in such a way that only traffic through a specific few ports goes over VPN while the rest goes over my normal ISP connection, but I'm getting ahead of myself now. First things first :e
 
I think you needed tap, not tun. For the record, I (using a tun), have this in rc.conf:

Code:
openvpn_if="tun"

It loads the if_tun module and creates the tun0 interface.

Experiment with tap.
 
DutchDaemon said:
I think you needed tap, not tun.
[snip]
Experiment with tap.

Got it. I didn't need tun after all, but whereas if_tun is in GENERIC, apparently if_tap is not. After I kldloaded it and commented the tun stuff out again, this is the result:
Code:
Wed Feb 18 14:54:14 2009 TUN/TAP device /dev/tap0 opened
Wed Feb 18 14:54:14 2009 /sbin/ifconfig tap0 130.89.107.88 netmask 255.255.248.0 mtu 1500 up
Wed Feb 18 14:54:14 2009 /sbin/route add -net 130.89.254.224 192.168.1.254 255.255.255.224
add net 130.89.254.224: gateway 192.168.1.254
Wed Feb 18 14:54:14 2009 /sbin/route add -net 130.89.0.0 130.89.104.1 255.255.0.0
add net 130.89.0.0: gateway 130.89.104.1
Wed Feb 18 14:54:14 2009 GID set to nobody
Wed Feb 18 14:54:14 2009 UID set to nobody
Wed Feb 18 14:54:14 2009 Initialization Sequence Completed
And this is sure looking good:
Code:
ifconfig -u
[rum0 and lo0 snipped]
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:bd:e4:bd:d8:00
        inet 130.89.107.88 netmask 0xfffff800 broadcast 130.89.111.255
        Opened by PID 61167

That's one thing fixed, thanks :beergrin
 
Glad it works.

P.S.

It's not really important whether tun and/or tap are in the kernel, as they're both kernel loadable modules that can be loaded on the fly. I don't have tun in my kernel (I always strip the kernel down to the bare minimum), just in my rc.conf.
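A small audit script, added here as an example and not part of any post in this thread, that checks a client config for the two things that bit in this thread: the `WARNING: No server certificate verification method has been enabled` line (the `;ns-cert-type server` left commented out in the first config, which lets any certificate issued under that CA pass as the server) and the `dev` line, where OpenVPN honours the last active one and that decides whether if_tun or if_tap has to be loaded. The module-name mapping and the 2.1+ options `remote-cert-tls` / `verify-x509-name` are my assumptions, not taken from the thread.

```shell
#!/bin/sh
# Constructed audit helper for an OpenVPN 2.0-era client config on FreeBSD;
# not from the thread. Module names and the 2.1+ options are assumptions.
# Active directives only: drop ';' / '#' comments and blank lines.
active_lines() {
    sed -e 's/[[:space:]]*[;#].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if the server certificate's role is pinned (fixes the "No server
# certificate verification method" warning). ns-cert-type is the 2.0.x
# option; remote-cert-tls / verify-x509-name are the 2.1+ equivalents.
has_server_verify() {
    active_lines "$1" | grep -Eq \
      '^[[:space:]]*(ns-cert-type[[:space:]]+server|remote-cert-tls[[:space:]]+server|verify-x509-name[[:space:]])'
}

# Count of active "dev" lines: OpenVPN honours the last one, which is why
# uncommenting ";dev tun" beneath "dev tap" silently produced tun0.
dev_count() { active_lines "$1" | awk '$1=="dev" {n++} END {print n+0}'; }

# Effective device type (tun or tap), empty if none is set.
dev_type() { active_lines "$1" | awk '$1=="dev" {t=$2} END {print t}'; }

# FreeBSD kernel module the effective device type needs.
needed_module() {
    case "$(dev_type "$1")" in
        tun*) echo if_tun ;;  tap*) echo if_tap ;;  *) echo "" ;;
    esac
}

# Print findings; return 1 if anything needs attention.
audit_ovpn_conf() {
    rc=0
    if has_server_verify "$1"; then
        echo "ok:   server certificate verification enabled"
    else
        echo "WARN: no 'ns-cert-type server': any cert from the CA passes as the server"
        rc=1
    fi
    n=$(dev_count "$1")
    [ "$n" -gt 1 ] && { echo "WARN: $n active dev lines; last one wins"; rc=1; }
    mod=$(needed_module "$1")
    if [ -n "$mod" ]; then
        echo "note: dev $(dev_type "$1") needs $mod (kldload $mod, or openvpn_if= in rc.conf)"
    else
        echo "WARN: no active dev line"; rc=1
    fi
    return $rc
}
# Usage: audit_ovpn_conf /etc/openvpn.conf
```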
 