OpenVPN Help

Hat (Guru), joined Dec 18, 2007
OpenVPN Help - RESOLVED

I installed OpenVPN as written up by jeremywillden in this post. Installed OpenVPN for Windows with the security certs. I forwarded my chosen port on my router to my PIAF box, but could not connect. Hmm...ok, I need to set up an iptables rule on the pbx. The only rule I could come up with to allow access is:
Code:
-A INPUT -p udp -m udp --dport 27539 -j ACCEPT
The questions I have are as follows:
  1. Do I even need an iptables rule? I ask because there was no mention of needing a rule for access.
  2. If I do, can the above listed rule be tightened up? It doesn't sit well with me to have this port wide open like it is. Is it okay as it is?
  3. When I restart the box, the list of programs/daemons shows OpenVPN as Failed instead of OK, but it still works. Is this okay? Is there something that I can correct/add to clear this up?
Thanks for your help.
 
Joined Feb 22, 2008
I'm glad you found it useful. Let me take a crack at your issues:

1. When I first wrote up the instructions, I was using a much earlier version of PiaF that didn't have any rules set up in iptables, so yes, that's an addition that you need to make. I'll edit the post to add this info.

2. One of the reasons to use UDP instead of TCP for the VPN server port is that it's harder to find by "port sniffing." If you used the directives "user nobody" and "group nobody" in your configuration files, then the openvpn process cannot be exploited to run arbitrary processes on your box, because the process is downgraded after it starts. This reduces the risk of a security breach (particularly buffer overflows and the like). If I get a little time, I'll see if I can figure out how to configure fail2ban to watch openvpn.

I'm not an iptables expert by any stretch of the imagination, but it appears that your rule is pretty good - it restricts access to UDP traffic, which is good, and only opens the necessary port number.

3. I haven't seen this behavior. Post the output of this command and compare it to what I have here:

Code:
chkconfig --list | grep openvpn

openvpn         0:off   1:off   2:off   3:on    4:on    5:on    6:off
also do service openvpn restart
and post the result (does it give you an OK for both shutdown and restart?).
 

Hat (Guru), joined Dec 18, 2007
Jeremy,

Thanks for answering my questions. Here is the output of the
chkconfig --list | grep openvpn command:
Code:
openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off
Seems mine is 2:on and yours is 2:off.
The results for service openvpn restart are:
Code:
Shutting down openvpn:                       [  OK  ]
Starting openvpn:                            [FAILED]
 

jroper (Guru), joined Oct 20, 2007
Any logs that can give you a clue what has gone wrong?

Using poptop may be an easier alternative.

Joe
 
Joined Nov 2, 2007
Did you consider Hamachi?

At any rate, I tried and failed with OpenVPN. I will have to read Jeremy's thread and have another go at it.

I like Hamachi, but I would love to get my Snom 370(w/OpenVPN support) to work in VPN mode...
 

Hat (Guru), joined Dec 18, 2007
Okay, so I checked the openvpn.log in /etc/openvpn and here is what I have:
For the command service openvpn stop I get this,
Code:
Sat Apr  4 22:48:43 2009 us=887495 event_wait : Interrupted system call (code=4)
Sat Apr  4 22:48:43 2009 us=888914 TCP/UDP: Closing socket
Sat Apr  4 22:48:43 2009 us=889077 /sbin/ip route del 10.100.100.0/24
RTNETLINK answers: Operation not permitted
Sat Apr  4 22:48:43 2009 us=895610 ERROR: Linux route delete command failed: shell command exited with error status: 2
Sat Apr  4 22:48:43 2009 us=895684 Closing TUN/TAP interface
Sat Apr  4 22:48:43 2009 us=914196 SIGTERM[hard,] received, process exiting
but the system shows [OK].

The command service openvpn start shows no apparent errors or notices (at least to my less than knowing eye), yet the system shows [failed]. But it still functions.

Joe and Robert,

To answer your comment/question as to using Poptop or Hamachi: I figured I'd go with OpenVPN based on what I have seen with respect to integration in products/software that I am using now or would like to use in the future. For example, the Snom 370 and hopefully other phones in the future, Untangle (which I would like to use in the future), DD-WRT firmware (which I am using now - just not the OpenVPN part....yet). These are just some of the reasons why I chose OpenVPN over the others. No flames intended to anyone loyal to any of the other VPNs out there.

Thanks,
Tom
 
Joined Feb 22, 2008
Hmmmm...
First thing - check your /etc/openvpn directory for any other .conf files - if there are multiple configuration files, openvpn will create a separate process for each one. If two exist and they try to use the same port (or other shared resource) then that process will fail.

I'm betting there is something in the log, but perhaps it isn't obvious. Try grepping the logfile for the word fail:

grep fail /etc/openvpn/openvpn.log

Don't post the results unless you've scrubbed for any possibly private info.

If you get too much material to review easily, try just grepping the last 1000 lines or so:

tail -n 1000 /etc/openvpn/openvpn.log | grep fail

Let me know what you find. The fact that it's running suggests that there's some error/status code that the service command doesn't like, yet the process runs just fine.

The service ... start command runs a portion of this script:
/etc/init.d/openvpn
which may give you/us some clues as well.
 

Hat (Guru), joined Dec 18, 2007
Resolved

Jeremy,

I went back and reread your original post and I found the following paragraph. This is what fixed my error problem.
Move all .conf files out of the /etc/openvpn directory to another location on your drive. When openvpn starts, it will try to create a process for each .conf file, and the client configuration files won't work when launched on your server.
I finally found the error when I ran service openvpn status; until I did that, the openvpn.log file did not show any errors on restart or start. The output was written to /var/log/messages. I opened that file and saw the client.conf error message. I reread your original howto and discovered the above line. Thanks for your help, suggestions and writeup.
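An added check, not from this thread or from the PiaF or OpenVPN projects, that ties together the two points above: the init script starts one openvpn process per .conf file in /etc/openvpn, so a client config left there fails at start, and a server config should carry the user nobody / group nobody privilege drop Jeremy mentions. It assumes only the standard OpenVPN directive names and builds a constructed sample directory in place of /etc/openvpn.

```shell
#!/bin/sh
# Audit an /etc/openvpn-style directory the way the init script sees it:
# every *.conf becomes its own openvpn process, so client configs must not
# live there, and server configs should drop privileges to nobody/nobody.

# classify_conf FILE -> prints "client", "server" or "unknown" (heuristic on
# top-level directives; "client" alone on a line, or "remote", marks a client)
classify_conf() {
    if grep -Eq '^[[:space:]]*(client[[:space:]]*$|remote[[:space:]])' "$1"; then
        echo client
    elif grep -Eq '^[[:space:]]*(server[[:space:]]|mode[[:space:]]+server)' "$1"; then
        echo server
    else
        echo unknown
    fi
}

# drops_privs FILE -> succeeds only if both "user nobody" and "group nobody" exist
drops_privs() {
    grep -Eq '^[[:space:]]*user[[:space:]]+nobody' "$1" &&
    grep -Eq '^[[:space:]]*group[[:space:]]+nobody' "$1"
}

# audit_dir DIR -> one line per .conf: "<file> <class> <privdrop|NO-PRIVDROP|->"
# Returns 1 if any client config would be launched by "service openvpn start".
audit_dir() {
    rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        class=$(classify_conf "$f")
        case $class in
            client) rc=1; priv=- ;;
            server) if drops_privs "$f"; then priv=privdrop; else priv=NO-PRIVDROP; fi ;;
            *)      priv=- ;;
        esac
        printf '%s %s %s\n' "$(basename "$f")" "$class" "$priv"
    done
    return $rc
}

# Constructed sample directory standing in for /etc/openvpn (port and subnet
# taken from the thread; the hostname is a placeholder).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'port 27539\nproto udp\ndev tun\nserver 10.100.100.0 255.255.255.0\nuser nobody\ngroup nobody\n' > "$demo_dir/server.conf"
printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 27539\n' > "$demo_dir/client.conf"

audit_dir "$demo_dir" || echo "client config present: move it out before 'service openvpn start'"
```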
 

Lost Trunk (Guru), joined Aug 5, 2008
Did you consider Hamachi?

At any rate, I tried and failed with OpenVPN. I will have to read Jeremy's thread and have another go at it.

I like Hamachi, but I would love to get my Snom 370(w/OpenVPN support) to work in VPN mode...

Don't know if you ever got it working, but if not, there are some links posted on the FreePBX How-Tos and Tutorials on Other Sites page that may interest you:

Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client – Part 1, Part 2, Part 3, and Part 4 - the server in this case was also running Elastix and FreePBX

I suspect that if these instructions work under Elastix they'd probably also work under PiaF with little or no modification.
 

MrBostn (Guru), joined Jan 5, 2009
Pfsense?

Have you considered pfSense as your firewall? It has OpenVPN built in.
 
