@boxysean
Created April 22, 2012 07:56
openvpn q2
### the following traceroute looks wrong to me. I wonder if it's indicative of my issue. ###
# on OS X 10.5
# 192.168.0.1/32 is my home subnet.
# 10.8.0.1/32 is my vpn subnet.
$ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 211 144 en1
10.8.0.1/32 10.8.0.9 UGSc 0 0 tun0
10.8.0.9 10.8.0.10 UH 1 0 tun0
...
$ traceroute 10.8.0.6
traceroute to 10.8.0.6 (10.8.0.6), 64 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 4.212 ms 0.729 ms 0.651 ms
^C
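A route lookup against the table above, as an added example that is not part of the original gist: longest-prefix match shows why 10.8.0.6 falls through to the default gateway 192.168.1.1, since the only VPN routes installed are the 10.8.0.1/32 pushed by the server and the tun0 point-to-point peer. The `with_pool_route` function is a hypothetical comparison with a /24 route to the VPN pool added, which the server configuration shown here does not push.

```python
import ipaddress

# Constructed sample: the three rows shown in the gist's `netstat -rn` output
# (Destination Gateway Flags Refs Use Netif). Transcribed, not read live.
NETSTAT_RN = """\
default 192.168.1.1 UGSc 211 144 en1
10.8.0.1/32 10.8.0.9 UGSc 0 0 tun0
10.8.0.9 10.8.0.10 UH 1 0 tun0
"""

def parse_netstat(text):
    """Turn `netstat -rn` rows into (network, gateway, interface) tuples.
    A bare host destination (flag H) is a /32; 'default' is 0.0.0.0/0."""
    table = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, gw, _flags, _refs, _use, netif = line.split()[:6]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        table.append((net, gw, netif))
    return table

def lookup(table, dst):
    """Longest-prefix match, the rule the kernel applies to pick a next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best

def next_hop(table, dst):
    """Return (gateway, interface) for dst, e.g. ('192.168.1.1', 'en1')."""
    _net, gw, netif = lookup(table, dst)
    return gw, netif

def with_pool_route(table, gw="10.8.0.9", netif="tun0"):
    """Hypothetical table with a /24 route for the whole VPN pool added,
    i.e. what a pushed 'route 10.8.0.0 255.255.255.0' would install."""
    return table + [(ipaddress.ip_network("10.8.0.0/24"), gw, netif)]

if __name__ == "__main__":
    table = parse_netstat(NETSTAT_RN)
    for dst in ("10.8.0.1", "10.8.0.6", "10.8.0.9"):
        print(dst, "->", next_hop(table, dst))
    print("10.8.0.6 with pool route ->", next_hop(with_pool_route(table), "10.8.0.6"))
```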
### server iptables commands ###
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
spro:.vpn boxysean$ cat client.conf | grep -vE '^#|^;|^$'
client
dev tun
proto udp
remote boxysean.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
[SSL] [LZO2] [eurephia] built on Apr 22 2012
Sun Apr 22 03:52:29 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Apr 22 03:52:29 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Apr 22 03:52:29 2012 LZO compression initialized
Sun Apr 22 03:52:29 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 22 03:52:29 2012 Socket Buffers: R=[42080->65536] S=[9216->65536]
Sun Apr 22 03:52:29 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 22 03:52:29 2012 Local Options hash (VER=V4): '41690919'
Sun Apr 22 03:52:29 2012 Expected Remote Options hash (VER=V4): '530fdded'
Sun Apr 22 03:52:29 2012 UDPv4 link local: [undef]
Sun Apr 22 03:52:29 2012 UDPv4 link remote: 66.228.39.61:1194
Sun Apr 22 03:52:29 2012 TLS: Initial packet from 66.228.39.61:1194, sid=58105779 2e42ab8d
Sun Apr 22 03:52:29 2012 VERIFY OK: depth=1, /C=US/ST=NY/L=NewYork/O=boxysean/CN=boxysean_CA/name=Sean/[email protected]
Sun Apr 22 03:52:29 2012 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=boxysean/CN=server/name=Sean/[email protected]
Sun Apr 22 03:52:29 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 22 03:52:29 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 22 03:52:29 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 22 03:52:29 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 22 03:52:29 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 22 03:52:29 2012 [server] Peer Connection Initiated with 66.228.39.61:1194
Sun Apr 22 03:52:31 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Apr 22 03:52:31 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Sun Apr 22 03:52:31 2012 OPTIONS IMPORT: timers and/or timeouts modified
Sun Apr 22 03:52:31 2012 OPTIONS IMPORT: --ifconfig/up options modified
Sun Apr 22 03:52:31 2012 OPTIONS IMPORT: route options modified
Sun Apr 22 03:52:31 2012 ROUTE default_gateway=192.168.1.1
Sun Apr 22 03:52:31 2012 TUN/TAP device /dev/tun0 opened
Sun Apr 22 03:52:31 2012 /sbin/ifconfig tun0 delete
Sun Apr 22 03:52:31 2012 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sun Apr 22 03:52:31 2012 /sbin/ifconfig tun0 10.8.0.10 10.8.0.9 mtu 1500 netmask 255.255.255.255 up
Sun Apr 22 03:52:31 2012 /sbin/route add -net 10.8.0.1 10.8.0.9 255.255.255.255
add net 10.8.0.1: gateway 10.8.0.9
Sun Apr 22 03:52:31 2012 Initialization Sequence Completed
Sun Apr 22 03:52:34 2012 event_wait : Interrupted system call (code=4)
Sun Apr 22 03:52:34 2012 TCP/UDP: Closing socket
Sun Apr 22 03:52:34 2012 /sbin/route delete -net 10.8.0.1 10.8.0.9 255.255.255.255
delete net 10.8.0.1: gateway 10.8.0.9
Sun Apr 22 03:52:34 2012 Closing TUN/TAP interface
Sun Apr 22 03:52:34 2012 SIGINT[hard,] received, process exiting
root@boxysean:/etc/openvpn# grep -vE '^#|^;|^$' server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
management localhost 7505