
I've managed to set up openvpn on a test server, configuring the PKI and distributing certificates to test client machines. I can ssh from the client machines to the openvpn server using the IP of the other end of the tun bridge:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.0.2  P-t-P:10.1.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

which is achieved with this line in the openvpn configuration file:

ifconfig 10.1.0.2 10.1.0.1

I'm starting openvpn with the following openvpn-startup.sh script:

#!/bin/sh
dir=/home/lurscher/openvpn/testChapter8/sample-config-files/

# load the firewall
"$dir/firewall.sh"

# load TUN/TAP kernel module
modprobe tun

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# start OpenVPN as a daemon; --cd makes the config path relative to $dir
openvpn --script-security 2 --cd "$dir" --daemon --config tls-office.conf --log "$dir/log/vpn.log"

this is tls-office.conf:

dev tun
ifconfig 10.1.0.1 10.1.0.2

up ./office.up
# the office.up script has this:
##!/bin/sh
#route add -net 10.0.1.0 netmask 255.255.255.0 gw $5 
#(in the openvpn manual, it says that if the Device is TUN, $5 stands for Remote IP)

tls-server
dh /home/lurscher/keys/dh1024.pem
ca /home/lurscher/keys/ca.crt
cert /home/lurscher/keys/vpnCh8TestServer.crt
key /home/lurscher/keys/vpnCh8TestServer.key
verb 3

For the client machine, I'm using the following config file:

dev tun
remote my.server.com

# 10.1.0.2 is our local VPN endpoint (home).
# 10.1.0.1 is our remote VPN endpoint (office).
;ifconfig 10.1.0.2 10.1.0.1

# Our up script will establish routes
# once the VPN is alive.
up ./home.up
##!/bin/sh
#route add -net 10.0.0.0 netmask 255.255.255.0 gw $5 
#(in the openvpn manual, it says that if the Device is TUN, $5 stands for Remote IP)

tls-client
ca /home/chuckq/keys/ca.crt
cert /home/chuckq/keys/vpnCh8TestClient.crt
key /home/chuckq/keys/vpnCh8TestClient.key
ns-cert-type server
; port 1194
; user nobody
; group nogroup
verb 3

However, I am a bit at a loss about how to connect to / see the IPs of other machines on the same side of the tunnel as the openvpn server. I assume they get IPs in the 10.1.X.X range, but I don't see any of them. Maybe I just don't know how to see what IP is assigned behind the tunnel, because I just use ifconfig to find out what local IP a machine has, but each machine reports only the tun bridge endpoints (the client and the server), with no mention of other machines on either end.

So, suppose there is an HTTP server on a machine behind the openvpn server (it's not on the same machine); how do I reach it or see it from the openvpn clients?

thanks!

lurscher
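The office.up and home.up scripts above rely on the argument layout OpenVPN uses for a tun device: the up script is called as `script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]`, so `$1` is the tun interface and `$5` is the remote tunnel endpoint. The script below is an added example written for this page, not the poster's office.up: it builds the same `route add` command but first checks the argument count and that the remote endpoint is a well-formed IPv4 address, so a mis-invoked or mis-configured script fails loudly instead of installing a bogus route. The names `route_cmd`, `is_ipv4`, `REMOTE_NET`, `REMOTE_MASK` and `OPENVPN_UP_DRY_RUN` are all hypothetical.

```shell
#!/bin/sh
# Added example, not the original office.up: an OpenVPN "up" script for a
# point-to-point tun tunnel that routes the network behind the far end via
# the remote tunnel endpoint. OpenVPN (--script-security 2) calls it as:
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# REMOTE_NET / REMOTE_MASK are hypothetical knobs: on the server side set them
# to the client's LAN (10.0.1.0/24 in the post), on the client side to the
# office LAN (10.0.0.0/24).
REMOTE_NET=${REMOTE_NET:-10.0.1.0}
REMOTE_MASK=${REMOTE_MASK:-255.255.255.0}

# is_ipv4 STRING: succeeds only if STRING is a dotted quad with octets 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# route_cmd TUN_DEV TUN_MTU LINK_MTU LOCAL_IP REMOTE_IP [init|restart]:
# prints the route command for the arguments OpenVPN passes to an up script,
# or prints a diagnostic on stderr and fails.
route_cmd() {
  if [ $# -lt 5 ]; then
    echo "up script: expected at least 5 arguments, got $#" >&2
    return 1
  fi
  dev=$1
  remote=$5
  if ! is_ipv4 "$remote"; then
    echo "up script: remote endpoint '$remote' is not an IPv4 address" >&2
    return 1
  fi
  echo "route add -net $REMOTE_NET netmask $REMOTE_MASK gw $remote dev $dev"
}

# When OpenVPN invokes the script with its arguments, build and run the route
# command; with OPENVPN_UP_DRY_RUN=1 only print it.
if [ $# -ge 5 ]; then
  cmd=$(route_cmd "$@") || exit 1
  if [ "${OPENVPN_UP_DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"
  else
    $cmd
  fi
fi
```

Run it by hand with `OPENVPN_UP_DRY_RUN=1 ./office.up tun0 1500 1542 10.1.0.1 10.1.0.2 init` to see the route that would be installed before letting OpenVPN call it. The route only makes the remote LAN reachable if the far end has IP forwarding enabled and the machines on that LAN know the way back to the tunnel network; that is the piece the posted configs leave to firewall.sh and the LAN's own routing.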

1 Answer


The following directive

status /var/log/openvpn-status.log

in the OpenVPN server's config file will maintain a list of endpoint addresses and routed networks of all your OpenVPN clients in the /var/log/openvpn-status.log file, which is updated every 60 seconds as long as OpenVPN is running.

the-wabbit
  • No, it's not creating that file. I've added to the post the command line used in my openvpn-startup.sh script; do you know what option I need to pass in order to create a status log? – lurscher May 17 '11 at 11:57
  • It is not apparent that "status" is used anywhere - could you post tls-office.conf as well please? – the-wabbit May 17 '11 at 12:03
  • Just updated the post with the full configuration file – lurscher May 17 '11 at 12:13
  • Reading the docs, it seems the config you mention is created with the `ifconfig-pool-persist` option; in fact it seems I am not using server mode at all, just that lousy ifconfig line – lurscher May 17 '11 at 12:37
  • Indeed you did not specify "mode server", so you are running the default p2p mode. ifconfig-pool-persist is not a mandatory option, but take a look at the sample server config for a reasonable working set of options: http://openvpn.net/index.php/open-source/documentation/howto.html#examples – the-wabbit May 17 '11 at 14:39
  • @syneticon-dj I've added a `server 10.8.117.0 255.255.255.0` line to the server.conf and commented out the `ifconfig` lines in both client and server.conf. I am able to connect successfully; however, running `ifconfig` on the client, I notice that the tun0 interface does not show up anymore! Any idea what I might be missing? Sorry, if it's absolutely needed I can post the client.conf later (I'm at the office atm) – lurscher May 17 '11 at 16:13
  • You will need to check on the logs (if no log file is explicitly specified in the config, logging will go to syslog, so check /var/log/messages and/or /var/log/syslog for openvpn messages with something like "egrep openvpn /var/log/syslog") to debug this. If tun0 is not showing up, the client connection is probably not successful for some reason. Checking the logs at server *and* client side for reported errors usually speeds up the process of finding the cause significantly. – the-wabbit May 17 '11 at 18:46
  • I've made a new question with the details after trying to configure server mode: http://serverfault.com/q/270821/75759 – lurscher May 18 '11 at 04:47
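The answer's `status` directive writes a version-1 status file with a CLIENT LIST section (one line per connected client) and a ROUTING TABLE section (one line per virtual address or iroute'd network the server routes to a client). The script below is an added example, not part of the answer or of OpenVPN: it parses that format with awk and pulls out the connected clients, every routed address, and the routed whole networks, which is what an administrator checks to see which client is announcing a LAN behind it. The status file contents, the client name, the addresses and the function names (`status_clients`, `status_routes`, `status_networks`) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Server Fault thread: parse an OpenVPN
# version-1 status file (written by the "status" directive) and report
# connected clients and the addresses/networks routed to each of them.

# Constructed sample status file; the client name, addresses and times are
# made up for the example. An OpenVPN server writes this file itself.
STATUS_FILE=$(mktemp)
trap 'rm -f "$STATUS_FILE"' EXIT
cat > "$STATUS_FILE" <<'EOF'
OpenVPN CLIENT LIST
Updated,Tue May 17 12:00:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpnCh8TestClient,198.51.100.23:49152,10240,20480,Tue May 17 11:55:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.117.6,vpnCh8TestClient,198.51.100.23:49152,Tue May 17 11:59:00 2011
10.0.1.0/24,vpnCh8TestClient,198.51.100.23:49152,Tue May 17 11:59:00 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# status_clients FILE: prints "common_name real_address" for each connected
# client listed in the CLIENT LIST section (header lines are skipped).
status_clients() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { section = "clients"; next }
    /^ROUTING TABLE/       { section = "routes";  next }
    /^GLOBAL STATS/        { section = "";        next }
    section == "clients" && $1 != "Updated" && $1 != "Common Name" { print $1, $2 }
  ' "$1"
}

# status_routes FILE: prints "common_name virtual_address" for every entry
# in the ROUTING TABLE section, i.e. each address the server routes to a client.
status_routes() {
  awk -F, '
    /^ROUTING TABLE/ { section = "routes"; next }
    /^GLOBAL STATS/  { section = "";       next }
    section == "routes" && $1 != "Virtual Address" { print $2, $1 }
  ' "$1"
}

# status_networks FILE: like status_routes, but only whole networks (entries
# with a prefix length), which is what an iroute for a LAN behind a client
# looks like. A network here that nobody configured deserves a look.
status_networks() {
  status_routes "$1" | awk 'index($2, "/") > 0 { print }'
}

# Stand-alone usage: report on the constructed file.
echo "clients:";  status_clients  "$STATUS_FILE"
echo "routes:";   status_routes   "$STATUS_FILE"
echo "networks:"; status_networks "$STATUS_FILE"
```

Point the three functions at `/var/log/openvpn-status.log` on the server to use them against the real file; because OpenVPN rewrites it every 60 seconds, a client that disconnected in between still shows until the next rewrite.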