OpenVPN - Warum wird Netzmaske als IP interpretiert?

Sani120 · 31 Aug 2010

Hallo zusammen,

ich möchte mich von mehreren WindowsPC auf meine Freetz-Box per OpenVPN über Zertifikate verbinden. Leider schlägt dies fehl mit der Meldung "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask."

Warum wird hier versucht, die Netzmaske als IP zu interpretieren?

Ich verstehe auch die Warnungen nicht, z.B. WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
. Ich habe tun-mtu weder in der Client, noch in der Serverconfig stehen.

Vielen Dank für eure Ratschläge,
Sani

Meine Serverconfig auf der FritzBox (/var/mod/etc/openvpn.conf):

Code:

#  OpenVPN 2.1 Config, Sat Aug 28 18:14:42 CEST 2010
proto udp
dev tun
ca /tmp/flash/ca.crt
cert /tmp/flash/box.crt
key /tmp/flash/box.key
dh /tmp/flash/dh.pem
tls-server
tls-auth /tmp/flash/static.key 0
port 1195
mode server
ifconfig-pool 192.168.23.10 192.168.23.30
push "route 192.168.23.1 "
ifconfig 192.168.23.1 255.255.255.0
client-config-dir /var/tmp/clients_openvpn
topology subnet
max-clients  20
route 192.168.20.0 -
tun-mtu 1500
mssfix
log /var/tmp/debug_openvpn.out
verb 6
daemon
cipher BF-CBC
comp-lzo
keepalive 10 120
status /var/log/openvpn.log

Die config auf dem Client (WindowsPC):

Code:

client
dev tun
proto udp
remote fb2 1195
cipher BF-CBC        
resolv-retry infinite
nobind
persist-key
persist-tun
ca "ca.crt"
cert "cert.crt"
key "key.key"
tls-auth "tls-auth.key" 1
verb 5
;log  "C:\\temp\\fritzVpn.log"
pull

Log des Clients beim Verbindungsversuch:

Code:

Tue Aug 31 09:40:46 2010 us=488000   config = '7270test.ovpn'
Tue Aug 31 09:40:46 2010 us=488000   mode = 0
Tue Aug 31 09:40:46 2010 us=488000   show_ciphers = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   show_digests = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   show_engines = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   genkey = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   key_pass_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   show_tls_ciphers = DISABLED
Tue Aug 31 09:40:46 2010 us=488000 Connection profiles [default]:
Tue Aug 31 09:40:46 2010 us=488000   proto = udp
Tue Aug 31 09:40:46 2010 us=488000   local = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   local_port = 0
Tue Aug 31 09:40:46 2010 us=488000   remote = 'fb2'
Tue Aug 31 09:40:46 2010 us=488000   remote_port = 1195
Tue Aug 31 09:40:46 2010 us=488000   remote_float = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   bind_defined = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   bind_local = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   connect_retry_seconds = 5
Tue Aug 31 09:40:46 2010 us=488000   connect_timeout = 10
Tue Aug 31 09:40:46 2010 us=488000   connect_retry_max = 0
Tue Aug 31 09:40:46 2010 us=488000   socks_proxy_server = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   socks_proxy_port = 0
Tue Aug 31 09:40:46 2010 us=488000   socks_proxy_retry = DISABLED
Tue Aug 31 09:40:46 2010 us=488000 Connection profiles END
Tue Aug 31 09:40:46 2010 us=488000   remote_random = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   ipchange = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   dev = 'tun'
Tue Aug 31 09:40:46 2010 us=488000   dev_type = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   dev_node = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   lladdr = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   topology = 1
Tue Aug 31 09:40:46 2010 us=488000   tun_ipv6 = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   ifconfig_local = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   ifconfig_remote_netmask = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   ifconfig_noexec = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   ifconfig_nowarn = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   shaper = 0
Tue Aug 31 09:40:46 2010 us=488000   tun_mtu = 1500
Tue Aug 31 09:40:46 2010 us=488000   tun_mtu_defined = ENABLED
Tue Aug 31 09:40:46 2010 us=488000   link_mtu = 1500
Tue Aug 31 09:40:46 2010 us=488000   link_mtu_defined = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   tun_mtu_extra = 0
Tue Aug 31 09:40:46 2010 us=488000   tun_mtu_extra_defined = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   fragment = 0
Tue Aug 31 09:40:46 2010 us=488000   mtu_discover_type = -1
Tue Aug 31 09:40:46 2010 us=488000   mtu_test = 0
Tue Aug 31 09:40:46 2010 us=488000   mlock = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   keepalive_ping = 0
Tue Aug 31 09:40:46 2010 us=488000   keepalive_timeout = 0
Tue Aug 31 09:40:46 2010 us=488000   inactivity_timeout = 0
Tue Aug 31 09:40:46 2010 us=488000   ping_send_timeout = 0
Tue Aug 31 09:40:46 2010 us=488000   ping_rec_timeout = 0
Tue Aug 31 09:40:46 2010 us=488000   ping_rec_timeout_action = 0
Tue Aug 31 09:40:46 2010 us=488000   ping_timer_remote = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   remap_sigusr1 = 0
Tue Aug 31 09:40:46 2010 us=488000   explicit_exit_notification = 0
Tue Aug 31 09:40:46 2010 us=488000   persist_tun = ENABLED
Tue Aug 31 09:40:46 2010 us=488000   persist_local_ip = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   persist_remote_ip = DISABLED
Tue Aug 31 09:40:46 2010 us=488000   persist_key = ENABLED
Tue Aug 31 09:40:46 2010 us=488000   mssfix = 1450
Tue Aug 31 09:40:46 2010 us=488000   resolve_retry_seconds = 1000000000
Tue Aug 31 09:40:46 2010 us=488000   username = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   groupname = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   chroot_dir = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   cd_dir = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   writepid = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=488000   up_script = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=706000   down_script = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=706000   down_pre = DISABLED
Tue Aug 31 09:40:46 2010 us=706000   up_restart = DISABLED
Tue Aug 31 09:40:46 2010 us=706000   up_delay = DISABLED
Tue Aug 31 09:40:46 2010 us=706000   daemon = DISABLED
Tue Aug 31 09:40:46 2010 us=706000   inetd = 0
Tue Aug 31 09:40:46 2010 us=706000   log = DISABLED
Tue Aug 31 09:40:46 2010 us=706000   suppress_timestamps = DISABLED
Tue Aug 31 09:40:46 2010 us=706000   nice = 0
Tue Aug 31 09:40:46 2010 us=706000   verbosity = 5
Tue Aug 31 09:40:46 2010 us=706000   mute = 0
Tue Aug 31 09:40:46 2010 us=706000   gremlin = 0
Tue Aug 31 09:40:46 2010 us=706000   status_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=706000   status_file_version = 1
Tue Aug 31 09:40:46 2010 us=706000   status_file_update_freq = 60
Tue Aug 31 09:40:46 2010 us=722000   occ = ENABLED
Tue Aug 31 09:40:46 2010 us=722000   rcvbuf = 0
Tue Aug 31 09:40:46 2010 us=722000   sndbuf = 0
Tue Aug 31 09:40:46 2010 us=722000   sockflags = 0
Tue Aug 31 09:40:46 2010 us=722000   fast_io = DISABLED
Tue Aug 31 09:40:46 2010 us=722000   lzo = 0
Tue Aug 31 09:40:46 2010 us=722000   route_script = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=722000   route_default_gateway = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=722000   route_default_metric = 0
Tue Aug 31 09:40:46 2010 us=722000   route_noexec = DISABLED
Tue Aug 31 09:40:46 2010 us=722000   route_delay = 5
Tue Aug 31 09:40:46 2010 us=722000   route_delay_window = 30
Tue Aug 31 09:40:46 2010 us=722000   route_delay_defined = ENABLED
Tue Aug 31 09:40:46 2010 us=722000   route_nopull = DISABLED
Tue Aug 31 09:40:46 2010 us=722000   route_gateway_via_dhcp = DISABLED
Tue Aug 31 09:40:46 2010 us=722000   max_routes = 100
Tue Aug 31 09:40:46 2010 us=722000   allow_pull_fqdn = DISABLED
Tue Aug 31 09:40:46 2010 us=769000   management_addr = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=769000   management_port = 0
Tue Aug 31 09:40:46 2010 us=769000   management_user_pass = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=769000   management_log_history_cache = 250
Tue Aug 31 09:40:46 2010 us=769000   management_echo_buffer_size = 100
Tue Aug 31 09:40:46 2010 us=769000   management_write_peer_info_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=769000   management_client_user = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=769000   management_client_group = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=769000   management_flags = 0
Tue Aug 31 09:40:46 2010 us=769000   shared_secret_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=769000   key_direction = 2
Tue Aug 31 09:40:46 2010 us=769000   ciphername_defined = ENABLED
Tue Aug 31 09:40:46 2010 us=769000   ciphername = 'BF-CBC'
Tue Aug 31 09:40:46 2010 us=769000   authname_defined = ENABLED
Tue Aug 31 09:40:46 2010 us=769000   authname = 'SHA1'
Tue Aug 31 09:40:46 2010 us=769000   prng_hash = 'SHA1'
Tue Aug 31 09:40:46 2010 us=847000   prng_nonce_secret_len = 16
Tue Aug 31 09:40:46 2010 us=847000   keysize = 0
Tue Aug 31 09:40:46 2010 us=847000   engine = DISABLED
Tue Aug 31 09:40:46 2010 us=847000   replay = ENABLED
Tue Aug 31 09:40:46 2010 us=847000   mute_replay_warnings = DISABLED
Tue Aug 31 09:40:46 2010 us=847000   replay_window = 64
Tue Aug 31 09:40:46 2010 us=847000   replay_time = 15
Tue Aug 31 09:40:46 2010 us=847000   packet_id_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=847000   use_iv = ENABLED
Tue Aug 31 09:40:46 2010 us=847000   test_crypto = DISABLED
Tue Aug 31 09:40:46 2010 us=847000   tls_server = DISABLED
Tue Aug 31 09:40:46 2010 us=847000   tls_client = ENABLED
Tue Aug 31 09:40:46 2010 us=847000   key_method = 2
Tue Aug 31 09:40:46 2010 us=847000   ca_file = 'ca.crt'
Tue Aug 31 09:40:46 2010 us=847000   ca_path = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=847000   dh_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=847000   cert_file = 'cert.crt'
Tue Aug 31 09:40:46 2010 us=909000   priv_key_file = 'key.key'
Tue Aug 31 09:40:46 2010 us=909000   pkcs12_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=909000   cryptoapi_cert = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=909000   cipher_list = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=909000   tls_verify = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=909000   tls_remote = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=909000   crl_file = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=909000   ns_cert_type = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=909000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_ku[i] = 0
Tue Aug 31 09:40:46 2010 us=925000   remote_cert_eku = '[UNDEF]'
Tue Aug 31 09:40:46 2010 us=925000   tls_timeout = 2
Tue Aug 31 09:40:46 2010 us=925000   renegotiate_bytes = 0
Tue Aug 31 09:40:46 2010 us=925000   renegotiate_packets = 0
Tue Aug 31 09:40:46 2010 us=925000   renegotiate_seconds = 3600
Tue Aug 31 09:40:46 2010 us=925000   handshake_window = 60
Tue Aug 31 09:40:46 2010 us=925000   transition_window = 3600
Tue Aug 31 09:40:46 2010 us=925000   single_session = DISABLED
Tue Aug 31 09:40:46 2010 us=925000   tls_exit = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   tls_auth_file = 'tls-auth.key'
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=956000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_protected_authentication = DISABLED
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:46 2010 us=987000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_private_mode = 00000000
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=3000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_cert_private = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_pin_cache_period = -1
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_id = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=34000   pkcs11_id_management = DISABLED
Tue Aug 31 09:40:47 2010 us=34000   server_network = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=34000   server_netmask = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=34000   server_bridge_ip = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=34000   server_bridge_netmask = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=49000   server_bridge_pool_start = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=49000   server_bridge_pool_end = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=49000   ifconfig_pool_defined = DISABLED
Tue Aug 31 09:40:47 2010 us=49000   ifconfig_pool_start = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=49000   ifconfig_pool_end = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=49000   ifconfig_pool_netmask = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=49000   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=49000   ifconfig_pool_persist_refresh_freq = 600
Tue Aug 31 09:40:47 2010 us=49000   n_bcast_buf = 256
Tue Aug 31 09:40:47 2010 us=49000   tcp_queue_limit = 64
Tue Aug 31 09:40:47 2010 us=49000   real_hash_size = 256
Tue Aug 31 09:40:47 2010 us=49000   virtual_hash_size = 256
Tue Aug 31 09:40:47 2010 us=49000   client_connect_script = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=49000   learn_address_script = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=49000   client_disconnect_script = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=65000   client_config_dir = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=65000   ccd_exclusive = DISABLED
Tue Aug 31 09:40:47 2010 us=65000   tmp_dir = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=65000   push_ifconfig_defined = DISABLED
Tue Aug 31 09:40:47 2010 us=65000   push_ifconfig_local = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=65000   push_ifconfig_remote_netmask = 0.0.0.0
Tue Aug 31 09:40:47 2010 us=65000   enable_c2c = DISABLED
Tue Aug 31 09:40:47 2010 us=65000   duplicate_cn = DISABLED
Tue Aug 31 09:40:47 2010 us=65000   cf_max = 0
Tue Aug 31 09:40:47 2010 us=65000   cf_per = 0
Tue Aug 31 09:40:47 2010 us=65000   max_clients = 1024
Tue Aug 31 09:40:47 2010 us=65000   max_routes_per_client = 256
Tue Aug 31 09:40:47 2010 us=65000   auth_user_pass_verify_script = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=65000   auth_user_pass_verify_script_via_file = DISABLED
Tue Aug 31 09:40:47 2010 us=65000   ssl_flags = 0
Tue Aug 31 09:40:47 2010 us=81000   client = ENABLED
Tue Aug 31 09:40:47 2010 us=81000   pull = ENABLED
Tue Aug 31 09:40:47 2010 us=81000   auth_user_pass_file = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=81000   show_net_up = DISABLED
Tue Aug 31 09:40:47 2010 us=81000   route_method = 0
Tue Aug 31 09:40:47 2010 us=81000   ip_win32_defined = DISABLED
Tue Aug 31 09:40:47 2010 us=81000   ip_win32_type = 3
Tue Aug 31 09:40:47 2010 us=81000   dhcp_masq_offset = 0
Tue Aug 31 09:40:47 2010 us=81000   dhcp_lease_time = 31536000
Tue Aug 31 09:40:47 2010 us=81000   tap_sleep = 0
Tue Aug 31 09:40:47 2010 us=81000   dhcp_options = DISABLED
Tue Aug 31 09:40:47 2010 us=81000   dhcp_renew = DISABLED
Tue Aug 31 09:40:47 2010 us=81000   dhcp_pre_release = DISABLED
Tue Aug 31 09:40:47 2010 us=81000   dhcp_release = DISABLED
Tue Aug 31 09:40:47 2010 us=81000   domain = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=81000   netbios_scope = '[UNDEF]'
Tue Aug 31 09:40:47 2010 us=96000   netbios_node_type = 0
Tue Aug 31 09:40:47 2010 us=96000   disable_nbt = DISABLED
Tue Aug 31 09:40:47 2010 us=96000 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Tue Aug 31 09:40:47 2010 us=96000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Aug 31 09:40:47 2010 us=96000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Aug 31 09:40:47 2010 us=268000 Control Channel Authentication: using 'tls-auth.key' as a OpenVPN static key file
Tue Aug 31 09:40:47 2010 us=268000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 31 09:40:47 2010 us=268000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 31 09:40:47 2010 us=268000 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Aug 31 09:40:47 2010 us=268000 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Aug 31 09:40:47 2010 us=268000 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Tue Aug 31 09:40:47 2010 us=268000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Tue Aug 31 09:40:47 2010 us=268000 Local Options hash (VER=V4): '70f5b3af'
Tue Aug 31 09:40:47 2010 us=268000 Expected Remote Options hash (VER=V4): 'a2e2498c'
Tue Aug 31 09:40:47 2010 us=268000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Aug 31 09:40:47 2010 us=268000 UDPv4 link local: [undef]
Tue Aug 31 09:40:47 2010 us=268000 UDPv4 link remote: 192.168.68.4:1195
Tue Aug 31 09:40:47 2010 us=455000 TLS: Initial packet from 192.168.68.4:1195, sid=1bc6eef8 97a6c734
Tue Aug 31 09:40:49 2010 us=467000 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=bp/[email protected]
Tue Aug 31 09:40:49 2010 us=467000 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=BPS/[email protected]
Tue Aug 31 09:40:55 2010 us=146000 NOTE: Options consistency check may be skewed by version differences
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1541'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Tue Aug 31 09:40:55 2010 us=146000 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
Tue Aug 31 09:40:55 2010 us=146000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 31 09:40:55 2010 us=146000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 31 09:40:55 2010 us=146000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 31 09:40:55 2010 us=146000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 31 09:40:55 2010 us=146000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 31 09:40:55 2010 us=146000 [BPS] Peer Connection Initiated with 192.168.68.4:1195
Tue Aug 31 09:40:57 2010 us=423000 SENT CONTROL [BPS]: 'PUSH_REQUEST' (status=1)
Tue Aug 31 09:40:57 2010 us=720000 PUSH: Received control message: 'PUSH_REPLY,route 192.168.23.1 ,ping 10,ping-restart 120,ifconfig 192.168.23.10 255.255.255.0'
Tue Aug 31 09:40:57 2010 us=720000 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 31 09:40:57 2010 us=720000 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 31 09:40:57 2010 us=720000 OPTIONS IMPORT: route options modified
Tue Aug 31 09:40:57 2010 us=720000 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Tue Aug 31 09:40:57 2010 us=735000 ROUTE default_gateway=192.168.1.1
Tue Aug 31 09:40:57 2010 us=735000 There is a problem in your selection of --ifconfig endpoints [local=192.168.23.10, remote=255.255.255.0].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
Tue Aug 31 09:40:57 2010 us=735000 Exiting

olistudent · 31 Aug 2010

Das Problem hat jetzt aber auch gar nichts mit Freetz zu tun. Und die Fehlermeldungen beschreiben doch schon genau deine Fehler. Lies dir doch mal die Beschreibungen der fraglichen Parameter durch.

MfG Oliver

MaxMuster · 31 Aug 2010

@Oliver: Freetz ist nicht ganz unschuldig;-)

@all:
Irgendwie scheint in der "stable" Freetz-Version (ich denke, die nutzt du??) des OpenVPN Paketes (genauer in make/openvpn/files/root/etc/default.openvpn/openvpn_conf) noch was zu fehlen, in der Config des Servers fehlt ein

Code:

push "topology subnet"

(Siehe auch vorletzter Eintrag im Ticket 456).

Erstmal kannst du das in der Client-Config "fixen" mit einem zusätzlichen

Code:

topology subnet

Jörg

PS: Willkommen im Forum!

olistudent · 31 Aug 2010

Okay. Dann mach bitte einen Patch fertig, wenn das Problem gelöst ist.

MfG Oliver

MaxMuster · 31 Aug 2010

Eigentlich muss "nur" die "Trunk-Version" des OpenVPN Paketes in den Stable-Zweig, zumindst der "GUI- und Konfig-Teil" in make/openvpn/files/root/. Geht das auch so, oder brauchst du einen Patch dazu?

Jörg

olistudent · 31 Aug 2010

Ohne nachzuschauen würde ich vermute, dass da inkompatible Änderungen am rc Skript (modlibrc) sowie am cgi vorgenommen wurden.

MfG Oliver

MaxMuster · 31 Aug 2010

Schaue ich mir heute abend an und poste ggf. nen Patch.

Jörg

Sani120 · 31 Aug 2010

Hallo zusammen,

also der Eintrag "topology subnet" hat bei mir geholfen! Vielen Dank euch beiden für die schnelle Hilfe!!

Eine Frage noch: Wie kann ich die Freetzbox so konfigurieren, dass ich den OpenVPN Server von außen übers Internet erreichen kann? Ich habe bisher meinen Server im lokalen Netz gehabt und den Port (1194) entsprechend nach innen freigegeben/weitergeleitet. Jetzt aber, wo der Server auf der Freetzbox selber laufen soll, weiß ich mir nicht zu helfen.

Sani

MaxMuster · 31 Aug 2010

Schau dazu mal ins Wiki zum Paket.

Kurz gesagt, ändere die Weiterleitung so, dass als Zieladresse "0.0.0.0" steht, statt der IP deines Servers. Damit ist die Box selbst angesprochen. Wie das geht, steht im Wiki.

Im Anhang noch auf die Schnelle ein Patch, der den Fehler beheben sollte (gegen freetz-stable-1.1).

Jörg

olistudent · 31 Aug 2010

http://trac.freetz.org/changeset/5674

Danke.

MfG Oliver

Sani120 · 2 Sep 2010

MaxMuster schrieb:
Kurz gesagt, ändere die Weiterleitung so, dass als Zieladresse "0.0.0.0" steht, statt der IP deines Servers. Damit ist die Box selbst angesprochen. Wie das geht, steht im Wiki.

OK super, das hat jetzt funktioniert. Ich kann mich jetzt vom Internet aus mit der Freetzbox über VPN verbinden.
Ich kann allerdings weder darauf pingen, noch beispielsweise den telnet aufmachen. Ich benutzte dazu die Adresse 192.168.23.1, das ist doch richtig oder?

MaxMuster · 2 Sep 2010

Dann passt noch irgendwas anderes nicht (wenn das Forwarding ist sicher auf 0.0.0.0 geht und und nicht auf eine "virtuelle IP").

Was noch zu prüfen wäre, die Configs zu vergleichen auf identische Einträge. Was mir auffiel:
- In der oben geposteten Client-Config fehlt "comp-lzo", das kann das gleiche bewirken

Jörg

Sani120 · 2 Sep 2010

Cool, jetzt geht auch das! Ich habe einfach nur den "comp_lzo" in der Client-Config hinzugefügt.

Jörg Du bist echt der größte

Ich habe bei "Routing von IP-Netzen" mein lokales LAN (192.168.68.0) eingetragen, genauso die Route zurück ins VPN als statische Route in der Freetzbox. D.h. ich erreiche jetzt also auch die Rechner im lokalen LAN daheim hinter der Fritzbox.

Ich möchte es so hinbekommen, dass die Leute, die sich über das VPN von außen verbinden werden, ausschließlich Zugriff auf einen bestimmten Rechner im LAN mit einem bestimmten Port haben. D.h. keine anderen Rechner und auch nicht die Fritzbox soll übers VPN erreichbar sein.
Ich vermute mal ich brauche hierfür iptables, da die AVM Firewall keine Portunterscheidungen machen kann?

MaxMuster · 2 Sep 2010

Um es "wirklich sicher" zu machen: Ja, dafür brauchst du iptables.

Eventuell reicht es aber auch, das nur über das Routing zu machen, und den Clients nur eine "Host-Route" zu dem Server zu geben und nicht zum ganzen Netz (ist dann aber ohne "Portbeschränkung" und das könnte natürlich auf dem Client händisch umgangen werden...)

Jörg

olistudent · 2 Sep 2010

@Jörg
Magst du nicht mal einen automatischen Log Parser schreiben? Die Fehler scheinen mir immer gleich. Ich hab auf alle Fälle kein Plan von openvpn...

MfG Oliver

Sani120 · 2 Sep 2010

OK danke für die Info.

Ich möchte auf jeden Fall nur einen Port aufmachen.

Ich mache mal für das Thema einen neuen Thread auf.
Einen schönen Abend euch!

MaxMuster · 2 Sep 2010

@Oliver: Ich hab ja versucht, das im Wiki unter Ein paar Tips wenn es nicht gleich so klappt zu beschreiben, aber das wird entweder nicht genutzt oder das ist einfach unbrauchbar

.

'nen echten Parser zu schreiben wird wohl eher nichts, aber vielleicht nehme ich dort ein paar "Fehlerbilder" mit den möglichen Config-Fehlern auf...

Jörg

OpenVPN - Warum wird Netzmaske als IP interpretiert?

Neuer User

IPPF-Urgestein

IPPF-Promi

IPPF-Urgestein

IPPF-Promi

IPPF-Urgestein

IPPF-Promi

Neuer User

IPPF-Promi

Anhänge

IPPF-Urgestein

Neuer User

IPPF-Promi

Neuer User

IPPF-Promi

IPPF-Urgestein

Neuer User

IPPF-Promi

Statistik des Forums