Can't get OpenVPN to work.

Freek Member
edited January 2012 in Help

I'm trying to install OpenVPN on my Xen based VPS, but I can't get it to work.
I was thinking of doing it the easy way and used this script:
http://www.putdispenserhere.com/openvpn-debianubuntu-setup-script-for-openvz/

When trying to connect to OpenVPN I get this error:

Options error: Unrecognized option or missing parameter(s) in server.ovpn:5: 2a00:7b80:3002:4::cece:236d (2.2.2)
Use --help for more information.

I'm quite new to this so I have no idea what this could be. Google shows some hits but no results really...

I used this script before on my OpenVZ VPS and it worked, but since Xen is a bit different from OpenVZ, I think that's what's causing the trouble.
The guy in the first comment says that on Xen, you need to manually install openvpn (apt-get install openvpn).
I did so and also rebooted my VPS and re-ran the script, but the same issue persists.

Any help is well appreciated!

Thanks

Comments

  • I assume you get that error from the client. If yes, did the openvpn daemon run correctly w/o errors? Can you post both of your config files?

  • It tells you that you have an error in server.ovpn, most probably around line number 5.
    From what I see, it is because there is an IPv6 address specified there, because of the way the IP gets detected:

    grep address /etc/network/interfaces | grep -v 127.0.0.1  | awk '{print $2}'
    

    On a vps with both IPv4 and IPv6 it will return more than 1 line.

    aa.bb.cc.dd
    aaaa:bbbb:cccc:dddd:eeee:ffff:gggg
    

    Open the server.ovpn file and remove the 5th line, the one containing the IPv6 address.

  • Thanks for the replies!

    @dnom To be honest, I'm not quite sure how I can check if the daemon is running correctly. I tried some commands with 'openvpn' in them, but the openvpn command is not found.

    top

    does not display openvpn, and it doesn't look like a logfile is being generated either. See below for the config files.

    @dannix Indeed, it seems like it has something to do with IPv6. I removed line 5 in my client config, consisting of an IPv6 address, and it got a bit further with connecting, but still unsuccessful:

    Fri Jan 13 10:55:13 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
    Fri Jan 13 10:55:13 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Fri Jan 13 10:55:13 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Jan 13 10:55:13 2012 LZO compression initialized
    Fri Jan 13 10:55:13 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Fri Jan 13 10:55:13 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Fri Jan 13 10:55:13 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Fri Jan 13 10:55:13 2012 Local Options hash (VER=V4): '41690919'
    Fri Jan 13 10:55:13 2012 Expected Remote Options hash (VER=V4): '530fdded'
    Fri Jan 13 10:55:13 2012 UDPv4 link local: [undef]
    Fri Jan 13 10:55:13 2012 UDPv4 link remote: 78.41.XXX.XX:53
    

    Here's my old/original client.ovpn:

    client
    dev tun
    proto udp
    remote 78.41.XXX.XX
    2a00:7b80:3002:4::cece:236d 53
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert freek.crt
    key freek.key
    comp-lzo
    verb 3
    

    Here's what I changed it into:

    client
    dev tun
    proto udp
    remote 78.41.XXX.XX 53
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert freek.crt
    key freek.key
    comp-lzo
    verb 3
    

    Here's the original server.conf:

    ;local 78.41.XXX.XX
    2a00:7b80:3002:4::cece:236d
    port 53
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    dh /etc/openvpn/keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    

    I noticed that the first line was commented out, so I uncommented it and commented out the second line (the IPv6 address) and tried to re-upload it to my VPS, but I can't. It says permission denied. Presumably the daemon is running and I cannot replace a file which is in use? I think this is causing the problem.
    Any tips on how I can replace this file? I use FileZilla to upload files over SFTP.

    Thanks!

  • dnom Member
    edited January 2012

    You can use ps x | grep openvpn to see if it's running, then just kill the process.
    You should be able to use the openvpn command after installing it via apt-get. If the openvpn command is not working for you, it means that it's not installed correctly, so service openvpn stop might not work either.

  • Thanks for the reply @dnom.
    OpenVPN is running and I was able to use the openvpn command after logging in as root... how stupid of me.
    I've stopped the service and replaced the file, but not via SFTP; it kept refusing. So I uploaded it to another folder and copied it using PuTTY.
    I'm now able to connect successfully, but I do not have internet access, i.e. I cannot ping/visit websites.

    Fri Jan 13 13:18:35 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
    Fri Jan 13 13:18:35 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Fri Jan 13 13:18:35 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Jan 13 13:18:35 2012 LZO compression initialized
    Fri Jan 13 13:18:35 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Fri Jan 13 13:18:35 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Fri Jan 13 13:18:35 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Fri Jan 13 13:18:35 2012 Local Options hash (VER=V4): '41690919'
    Fri Jan 13 13:18:35 2012 Expected Remote Options hash (VER=V4): '530fdded'
    Fri Jan 13 13:18:35 2012 UDPv4 link local: [undef]
    Fri Jan 13 13:18:35 2012 UDPv4 link remote: 78.41.XXXXX:53
    Fri Jan 13 13:18:35 2012 TLS: Initial packet from 78.41.XXXXX:53, sid=7af6ba1e f7accce6
    Fri Jan 13 13:18:35 2012 VERIFY OK: depth=1, /C=NL/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/name=Freek/[email protected]
    Fri Jan 13 13:18:35 2012 VERIFY OK: depth=0, /C=NL/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/name=Freek/[email protected]
    Fri Jan 13 13:18:36 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Jan 13 13:18:36 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jan 13 13:18:36 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Jan 13 13:18:36 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jan 13 13:18:36 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Fri Jan 13 13:18:36 2012 [server] Peer Connection Initiated with 78.41.200.47:53
    Fri Jan 13 13:18:38 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Fri Jan 13 13:18:38 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
    Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: --ifconfig/up options modified
    Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: route options modified
    Fri Jan 13 13:18:38 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Fri Jan 13 13:18:38 2012 ROUTE default_gateway=192.168.2.1
    Fri Jan 13 13:18:38 2012 TAP-WIN32 device [LAN-verbinding 2] opened: \\.\Global\{CA5BA1E1-F386-4015-A363-F4BA339B2945}.tap
    Fri Jan 13 13:18:38 2012 TAP-Win32 Driver Version 9.9 
    Fri Jan 13 13:18:38 2012 TAP-Win32 MTU=1500
    Fri Jan 13 13:18:38 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {CA5BA1E1-F386-4015-A363-F4BA339B2945} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
    Fri Jan 13 13:18:38 2012 Successful ARP Flush on interface [15] {CA5BA1E1-F386-4015-A363-F4BA339B2945}
    Fri Jan 13 13:18:43 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
    Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 78.41.200.47 MASK 255.255.255.255 192.168.2.1
    Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
    Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
    Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
    Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
    Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
    Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
    Fri Jan 13 13:18:43 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
    Fri Jan 13 13:18:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Fri Jan 13 13:18:43 2012 Route addition via IPAPI succeeded [adaptive]
    Fri Jan 13 13:18:43 2012 Initialization Sequence Completed
    

    I had this problem before on my OpenVZ VPS but I don't recall how I solved it.

  • dnom Member
    edited January 2012

    I guess it's about the iptables entry using the IPv6 address. Try to change the iptables entry to your
    I also experienced that problem once when setting up OpenVPN on port 53, so I just used the default 9201 on the server and used lport 53 on the client to achieve a similar result. Although I had OpenVPN running fine on port 53 on my other VPS.

  • dannix Member
    edited January 2012

    Well, I still don't get why you are using such a script (which doesn't really work) instead of doing the few required steps manually (a good starting point would be http://library.linode.com/networking/openvpn/debian-6-squeeze). But it is up to you. This script is trying to set up iptables for you, so that the traffic from the VPN clients gets routed through your VPN server. As I've already pointed out previously, since your VPS has an IPv6 address you've got something like

    ip=78.41.XXX.XX
    2a00:7b80:3002:4::cece:236d
    

    This will not work properly in the script, for example in the line

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $ip
    

    and in any other line which uses the ip variable:

    echo "remote $ip $p" >> /etc/openvpn/keys/$c.ovpn
    

    If you want to use this script on a VPS with IPv6 (but actually run OpenVPN on IPv4) you need to fix the line

    ip=`grep address /etc/network/interfaces | grep -v 127.0.0.1  | awk '{print $2}'`
    

    It should return only the IPv4 address of your server. A quick hack would be something like this:

    /sbin/ifconfig | awk '/inet addr:/ {sub(/addr:/,"",$2); if ($2 !~ /127/) {print $2}}'
    

    Try it on your server. If it gives you only the IPv4 address of your VPS, then

    # replace 
    ip=`grep address /etc/network/interfaces | grep -v 127.0.0.1  | awk '{print $2}'`
    # with
    ip=`/sbin/ifconfig | awk '/inet addr:/ {sub(/addr:/,"",$2); if ($2 !~ /127/) {print $2}}'`
    

    and run the script once again.
    You could also just modify the line ip=78.41.XXX.XX in the script before running it.

    Please note, however, that I see a few other problems with this script if it has been started a few times, so I'm not sure if it will work for you.
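    The address-detection problem dannix describes in both replies above, as an added example that is not from the thread or from the setup script: a constructed dual-stack /etc/network/interfaces, the script's original one-liner returning two lines, an extraction that keeps only the IPv4 stanza's address, and a dotted-quad check before the value is interpolated into an iptables or .ovpn line. The file contents, interface names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the setup script it discusses).
# Shows why ip=`grep address /etc/network/interfaces ...` breaks on a
# dual-stack host, plus an IPv4-only extraction and a sanity check.

# Constructed dual-stack /etc/network/interfaces (not the poster's file).
SAMPLE_INTERFACES='auto lo
iface lo inet loopback
    address 127.0.0.1

auto eth0
iface eth0 inet static
    address 203.0.113.10
    netmask 255.255.255.0
    gateway 203.0.113.1

iface eth0 inet6 static
    address 2001:db8:1::10
    netmask 64
'

# The script's original detection: every "address" line except loopback.
# On a dual-stack host this yields two lines, so $ip contains a newline and
# "remote $ip $p" / "--to $ip" end up split across two lines.
naive_ip() {
    printf '%s' "$SAMPLE_INTERFACES" | grep address | grep -v 127.0.0.1 | awk '{print $2}'
}

# Keep only the "address" line of an "inet" (IPv4) stanza; inet6 stanzas are skipped.
ipv4_only() {
    printf '%s' "$SAMPLE_INTERFACES" | awk '
        $1 == "iface" { v4 = ($3 == "inet") }
        v4 && $1 == "address" && $2 != "127.0.0.1" { print $2; exit }
    '
}

# Refuse anything that is not four octets in 0-255 before it reaches iptables
# or an .ovpn "remote" line; returns 0 when valid, 1 otherwise.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

ip=$(ipv4_only)
if is_ipv4 "$ip"; then
    echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $ip"
fi
```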

  • @dannix said: Well, I still don't get why you are using such a script (which doesn't really work) instead of doing the few required steps manually (a good starting point would be http://library.linode.com/networking/openvpn/debian-6-squeeze).

    +1
    It's really not hard to just install it manually.

  • Thanks for the replies guys.
    I went ahead and reinstalled my VPS with a clean install of Debian 6 and followed the Linode tutorial, but ran into some problems.
    At the very end of the tutorial, you need to execute the following two commands to restart the OpenVPN server and dnsmasq:

    /etc/init.d/openvpn restart
    /etc/init.d/dnsmasq restart
    

    That didn't go well... here's what my output was:

    root@alpha:~# /etc/init.d/openvpn restart
    Stopping virtual private network daemon:.
    Starting virtual private network daemon: server failed!
    root@alpha:~# /etc/init.d/dnsmasq restart
    Restarting DNS forwarder and DHCP server: configuration syntax check failed!

    So instead, I restarted my whole VPS.
    The problem is, I can't connect because I think I'm missing a crucial file.
    Currently I have 4 files sitting in my C:\Program Files (x86)\OpenVPN\config\VPN directory (the client machine):

    ca.crt
    client1.crt
    client1.key
    client1.conf

    But as far as I'm aware, OpenVPN also needs a file with a .ovpn extension, but I cannot find that in the tutorial. Am I missing or overlooking something?

    Thanks in advance!

  • Just make your own client1.ovpn.

    client
    dev tun
    proto udp 
    remote x.x.x.x 9201 #IP and port
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    

    That's more or less how it looks; there can be more parameters depending on your setup. You may want to post your client1.conf so I can try to help you more if that doesn't work out. Or you may want to use your old .conf (server) and your old .ovpn (client) from the auto-install script, since you managed to connect using them. Just match the names of the .crt files and the .key file on the appropriate lines.

  • @dnom Thanks! It's working now!
    I don't quite get why they don't include this in their tutorial, as it's pretty crucial. Another thing I don't get is why I wasn't able to restart openvpn or dnsmasq over PuTTY, but it does work after a full VPS reboot?

    Once again thanks for all the help @dnom and @dannix

  • dnom Member
    edited January 2012

    Have you tried service openvpn restart?

  • @dnom That does seem to work, yes, thanks for the tip!
    However,

    service dnsmasq restart

    doesn't:

    Restarting DNS forwarder and DHCP server: configuration syntax check failed!
    

    I've just checked /etc/dnsmasq.conf and it's as in the Linode tutorial...
