Can't get OpenVPN to work.

Freek

I'm trying to install OpenVPN on my Xen based VPS, but I can't get it to work.
I was thinking of doing it the easy way and used this script:
http://www.putdispenserhere.com/openvpn-debianubuntu-setup-script-for-openvz/

When trying to connect to OpenVPN I get this error:

Options error: Unrecognized option or missing parameter(s) in server.ovpn:5: 2a00:7b80:3002:4::cece:236d (2.2.2)
Use --help for more information.

I'm quite new to this so I have no idea what this could be. Google shows some hits but no results really...

I used this script before on my OpenVZ VPS and it worked, but since Xen is a bit different from OpenVZ, I think that's what causing the troubles.
The guy in the first comment says that on Xen, you need to manually install openvpn (apt-get install openvpn).
I did so and also rebooted my VPS and re-ran the script, but the same issue persists.

Any help is well appreciated!

Thanks

dnom

I assume you get that error from the client. If yes, did the openvpn daemon run correctly w/o errors? Can you post both of your config files?

dannix

It tells you that you have an error in server.ovpn, most probably around line number 5.
From that what I see it is because there is IPv6 specified there, because of the way how the IP gets detected

grep address /etc/network/interfaces | grep -v 127.0.0.1  | awk '{print $2}'

On a vps with both IPv4 and IPv6 it will return more than 1 line.

aa.bb.cc.dd
aaaa:bbbb:cccc:dddd:eeee:ffff:gggg

open the server.ovpn file and remove the the 5th line containing IPv6

Freek

Thanks for the replies!

@dnom To be honest, I'm not quite sure how I can check if the daemon is running correctly. I tried some commands with 'openvpn' in it, but the openvpn command is not found.

top

does not display openvpn and it doesn't look like a logfile is being generated either. See below for configs files.

@dannix Indeed, it seems like it has something todo with IPv6. I removed line 5 in my client config, consisting of a IPv6 IP address and it went a bit further with connecting, but still unsuccessful:

Fri Jan 13 10:55:13 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Jan 13 10:55:13 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jan 13 10:55:13 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jan 13 10:55:13 2012 LZO compression initialized
Fri Jan 13 10:55:13 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jan 13 10:55:13 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jan 13 10:55:13 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jan 13 10:55:13 2012 Local Options hash (VER=V4): '41690919'
Fri Jan 13 10:55:13 2012 Expected Remote Options hash (VER=V4): '530fdded'
Fri Jan 13 10:55:13 2012 UDPv4 link local: [undef]
Fri Jan 13 10:55:13 2012 UDPv4 link remote: 78.41.XXX.XX:53

Here's my old/original client.ovpn:

client
dev tun
proto udp
remote 78.41.XXX.XX
2a00:7b80:3002:4::cece:236d 53
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert freek.crt
key freek.key
comp-lzo
verb 3

Here's what I changed it into:

client
dev tun
proto udp
remote 78.41.XXX.XX 53
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert freek.crt
key freek.key
comp-lzo
verb 3

Here's the original server.conf:

;local 78.41.XXX.XX
2a00:7b80:3002:4::cece:236d
port 53
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

I noticed that the first line was commented out, so I uncommented and commented out the second line (the IPv6 address) and tried to reupload it to my VPS, but I can't. It says permission denied. Assumingly the daemon is running, I cannot replace a file which is in use? I think this is causing the problem.
Any tips on how I can replace this file? I use Filezilla to upload files over sftp.

Thanks!

dnom

you can use ps x | grep openvpn to see if it's running, then just kill the process.
You should be able to use the openvpn command after installing it via apt-get. If the command openvpn is not working for you, it means that it's not installed correctly so service openvpn stop might not work too.

Freek

Thanks for the reply @dnom.
Openvpn is running and I was able to use the openvpn command after logging in as root.. how stupid of me.
I've stopped the service and replaced the file, but not via sftp it kept refusing. So I uploaded it to another folder and copied it using putty.
I'm now able to connect successfully but I do not have internet access e.g. I cannot ping/visit websites.

Fri Jan 13 13:18:35 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Jan 13 13:18:35 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jan 13 13:18:35 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jan 13 13:18:35 2012 LZO compression initialized
Fri Jan 13 13:18:35 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jan 13 13:18:35 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jan 13 13:18:35 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jan 13 13:18:35 2012 Local Options hash (VER=V4): '41690919'
Fri Jan 13 13:18:35 2012 Expected Remote Options hash (VER=V4): '530fdded'
Fri Jan 13 13:18:35 2012 UDPv4 link local: [undef]
Fri Jan 13 13:18:35 2012 UDPv4 link remote: 78.41.XXXXX:53
Fri Jan 13 13:18:35 2012 TLS: Initial packet from 78.41.XXXXX:53, sid=7af6ba1e f7accce6
Fri Jan 13 13:18:35 2012 VERIFY OK: depth=1, /C=NL/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/name=Freek/[email protected]
Fri Jan 13 13:18:35 2012 VERIFY OK: depth=0, /C=NL/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/name=Freek/[email protected]
Fri Jan 13 13:18:36 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jan 13 13:18:36 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 13 13:18:36 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jan 13 13:18:36 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 13 13:18:36 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Jan 13 13:18:36 2012 [server] Peer Connection Initiated with 78.41.200.47:53
Fri Jan 13 13:18:38 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jan 13 13:18:38 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: route options modified
Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jan 13 13:18:38 2012 ROUTE default_gateway=192.168.2.1
Fri Jan 13 13:18:38 2012 TAP-WIN32 device [LAN-verbinding 2] opened: \\.\Global\{CA5BA1E1-F386-4015-A363-F4BA339B2945}.tap
Fri Jan 13 13:18:38 2012 TAP-Win32 Driver Version 9.9 
Fri Jan 13 13:18:38 2012 TAP-Win32 MTU=1500
Fri Jan 13 13:18:38 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {CA5BA1E1-F386-4015-A363-F4BA339B2945} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Fri Jan 13 13:18:38 2012 Successful ARP Flush on interface [15] {CA5BA1E1-F386-4015-A363-F4BA339B2945}
Fri Jan 13 13:18:43 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 78.41.200.47 MASK 255.255.255.255 192.168.2.1
Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
Fri Jan 13 13:18:43 2012 Initialization Sequence Completed

I had this problem before on my OpenVZ VPS but I don't recall how I solved it.

dnom

I guess it's about the Iptables using the ipv6. try to change the iptables entry to your
I also experienced that problem once when setting up openvpn on port 53 so I just used the default 9201 on the server and used lport 53 on the client to achieve similar result. Although I had openvpn running fine on port 53 on my other vps.

dannix

Well I still don't get why are using such script (which doesn't really work) instead of making few steps required manually (a good starting point would be http://library.linode.com/networking/openvpn/debian-6-squeeze). But it is upto you. This script is trying to setup iptables for you, so the traffic from the vpn clients gets routed through you vpn server. As I've alreay pointed previously, since your vps has IPv6 address you've got something like

ip=78.41.XXX.XX
2a00:7b80:3002:4::cece:236d

this will not work properly in the script also in the line

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $ip

and in any other which uses ip variable:

echo "remote $ip $p" >> /etc/openvpn/keys/$c.ovpn

If you want use this script on the vps with IPv6 (but actually run openvpn on IPv4) you need to fix the line

ip=`grep address /etc/network/interfaces | grep -v 127.0.0.1  | awk '{print $2}'`

it should return only the IPv4 address of your server. A quick hack would be something like that:

/sbin/ifconfig | awk '/inet addr:/ {sub(/addr:/,"",$2); if ($2 !~ /127/) {print $2}}'

Try it on your server. If it gives you only the IPv4 address of your vps, then

# replace 
ip=`grep address /etc/network/interfaces | grep -v 127.0.0.1  | awk '{print $2}'`
# with
ip=`/sbin/ifconfig | awk '/inet addr:/ {sub(/addr:/,"",$2); if ($2 !~ /127/) {print $2}}'`

and run the script once again.
You could also just modify the line ip=78.41.XXX.XX in the script before running it.

Please note however I see few other problems with this script, if it has been started few times, so not sure if it will work for you.

dnom

@dannix said: Well I still don't get why are using such script (which doesn't really work) instead of making few steps required manually (a good starting point would be http://library.linode.com/networking/openvpn/debian-6-squeeze).

+1
It's really not hard to just install it manually.

Freek

Thanks for the replies guys.
I went ahead and reinstalled my VPS with a clean install of Debian 6 and followed the Linode tutorial but ran into some problems.
At the very last of the tutorial, you need to execute the following two commands to restart the OpenVPN server and dnsmasq:

/etc/init.d/openvpn restart
/etc/init.d/dnsmasq restart

That didn't go well... here's what my output was:

[email protected]:~# /etc/init.d/openvpn restart
Stopping virtual private network daemon:.
Starting virtual private network daemon: server failed!
[email protected]:~# /etc/init.d/dnsmasq restart
Restarting DNS forwarder and DHCP server: configuration syntax check failed!

So instead, I restarted my whole VPS.
The problem is, I can't connect because I think I'm missing a crucial file.
Currently I have 4 files sitting in my C:\Program Files (x86)\OpenVPN\config\VPN directory (the client machine):

ca.crt
client1.crt
client1.key
client1.conf

But as far as I'm aware, OpenVPN also needs a file with a .ovpn extension but I cannot find that in the tutorial. Am I missing something or overlooking something?

Thanks in advance!

dnom

Just make your own client1.ovpn.

client
dev tun
proto udp 
remote x.x.x.x 9201 #IP and port
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key

That's more or less how it looks like, there can be more parameters depending on your setup. You may want to post your client1.conf so I can try to help you more if that didn't work out. or you may want to use your old .conf(server) and your old .ovpn(client) from the auto install script since you managed to connect using them. Just match the name of the .crt files and the .key file on the appropriate lines.

Freek

@dnom Thanks! It's working now!
I don't quite get why they don't include this into their tutorial, as it's pretty crucial. Another thing I don't get why I wasn't able to restart openvpn or dnsmasq over putty but it does work accordingly after a full VPS reboot?

Once again thanks for all the help @dnom and @dannix

dnom

have you tried service openvpn restart ?

Freek

@dnom that does seem to work yes, thanks for the tip!
However,

service dnsmasq restart

doesn't:

 Restarting DNS forwarder and DHCP server: configuration syntax check failed!

I've just checked /etc/dnsmasq.conf and it's as in the Linode tutorial...