OpenVPN help... verify error depth=0?

I'm getting the following error in my log files. I am trying to set up OpenVPN for the first time ->

ERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=CA/L=SanFrancisco/O=SekretOrg/CN=anon/emailAddress=anonymous@sekretorg.com
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 TLS Error: TLS handshake failed
Fri Nov 25 16:21:18 2011 207.47.5.130:60713 SIGUSR1[soft,tls-error] received, client-instance restarting

What does this error mean?

15 Replies

The error is error=unsupported certificate purpose

It means you're using a server certificate to authenticate a client, or vice-versa.

Like using a fork to cut your meat. Unsupported purpose.

(yeah, I'm very good at pasting people's posts into google)

The log snippet looks truncated (in the part included, everything but the truncated first line is just a consequence of that first line), but the first line's error means that the certificate being verified was not created with the appropriate type for its use. In the context of OpenVPN this usually means a server using a certificate that is not flagged (nsCertType) as a "server" or a client using a certificate that is not flagged as a "client".

You don't mention which side of the connection this log is from, but I think SSL3_GET_CLIENT_CERTIFICATE only occurs on the server, so if that's the case, I'd check your client certificate type.

– David

@db3l:

> The log snippet looks truncated (in the part included, everything but the truncated first line is just a consequence of that first line), but the first line's error means that the certificate being verified was not created with the appropriate type for its use. In the context of OpenVPN this usually means a server using a certificate that is not flagged (nsCertType) as a "server" or a client using a certificate that is not flagged as a "client".
>
> You don't mention which side of the connection this log is from, but I think SSL3_GET_CLIENT_CERTIFICATE only occurs on the server, so if that's the case, I'd check your client certificate type.
>
> – David

Thank you. Yes, the logs are from the server.

Here is the full message:

Fri Nov 25 18:29:06 2011 MULTI: multi_create_instance called
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Re-using SSL/TLS context
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 LZO compression initialized
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Local Options hash (VER=V4): '530fdded'
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 Expected Remote Options hash (VER=V4): '41690919'
Fri Nov 25 18:29:06 2011 207.47.5.130:59120 TLS: Initial packet from 207.47.5.130:59120, sid=21400a48 ae7152e4
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=CA/L=SanFrancisco/O=sekret/CN=anon/emailAddress=anonymous@sekret
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 TLS Error: TLS handshake failed
Fri Nov 25 18:29:07 2011 207.47.5.130:59120 SIGUSR1[soft,tls-error] received, client-instance restarting

On my local machine, which I'm trying to connect to this server from, the cert had this with "server" in it ->

            Netscape Cert Type: 
                SSL Server

            Netscape Comment: 
                Easy-RSA Generated Server Certificate

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

I tried changing instances of "server" with "client" but that didn't work.

Any suggestions? Should I try to delete all cert files and config files and regenerate them? I was following the linode guide but I could've messed up somehow…

I noticed that "client.conf" had this

ns-cert-type server

I changed it to

ns-cert-type client

No luck still but noticed something odd locally anyway.

@arachn1d:

> I tried changing instances of "server" with "client" but that didn't work.

Tried changing it where? In the text summary of the certificate at the top of the file? That's just a convenience (textual copy of the certificate, as you'd get from the "openssl x509" text output) but has no actual bearing on the certificate (which is strictly the portion between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"). If you could just edit the text at will it would sort of defeat the purpose of a signed certificate.

> Any suggestions? Should I try to delete all cert files and config files and regenerate them? I was following the linode guide but I could've messed up somehow…
The only way to correct the certificate type extension field is, yes, to re-generate (and then re-sign) the certificate. You shouldn't have to do anything with your config files though, just re-do the client certificate.

The certificate type field is set in the openssl configuration file clause used when generating the certificate. If you're using the easy-rsa OpenVPN scripts (which I think the Linode library entries reference), the "build-key-server" script references a server extension that explicitly sets the server clause, so you'd want to use the regular "build-key" (or build-key-1yr) for clients. I think client certificates generated this way actually have no explicit type set.

> I noticed that "client.conf" had this
>
> ns-cert-type server
>
> I changed it to
>
> ns-cert-type client
>
> No luck still but noticed something odd locally anyway.

That's actually a standard configuration element - it tells the client to verify that the server is using a "server" certificate (helps block MITM attacks), which is sort of the opposite of your problem.

I haven't tried this, but adding an "ns-cert-type server" to your server's configuration file might be a workaround, since in that case it would match your client's certificate type. I'm not 100% positive that setting is obeyed on the server side though.

In any event you'll want to restore your client.conf or else it'll probably now reject your server certificate - unless you have the reverse problem there and marked it as a client.

Personally, especially since you're just getting going, I'd probably chalk this up to a learning experience, and re-generate any certificates that are currently mis-classified, to avoid confusion down the road and use a more standard configuration.

– David
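As an added example (not code from this thread, from OpenVPN or from easy-rsa), the script below does the check David recommends in both of his replies: it tells you whether a certificate was issued as a "server" certificate, a "client" certificate, or with no type at all. It builds a throwaway CA and three leaf certificates with the openssl command-line tool, then classifies each with `openssl x509 -purpose`, which applies the same nsCertType / extendedKeyUsage / keyUsage rules that produce "unsupported certificate purpose" in the handshake. The CA, the names vpn-server, laptop and legacy, the extension files and the temporary directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread, OpenVPN or easy-rsa. Builds a throwaway CA
# plus three leaf certificates (server-flagged, client-flagged, and one with no
# type extensions, which is what a plain easy-rsa "build-key" cert looks like)
# and classifies each one the way OpenSSL's purpose check does.
# Everything below is constructed for the demo; only the openssl CLI is needed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write an extension file equivalent to easy-rsa's "server" or "client" clause.
write_ext() {  # $1 = output file, $2 = server|client
    if [ "$2" = server ]; then
        printf 'nsCertType = server\nextendedKeyUsage = serverAuth\nkeyUsage = digitalSignature, keyEncipherment\n' > "$1"
    else
        printf 'nsCertType = client\nextendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$1"
    fi
}

# Create the demo CA once (self-signed, valid for a day).
make_ca() {
    [ -f "$WORK/ca.crt" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a leaf certificate named $1 with purpose $2 (server|client|plain).
# "plain" adds no extension file, so the cert carries neither nsCertType nor EKU.
make_cert() {  # $1 = name, $2 = server|client|plain
    make_ca
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ "$2" = plain ]; then
        ext_args=""
    else
        write_ext "$WORK/$1.ext" "$2"
        ext_args="-extfile $WORK/$1.ext"
    fi
    # $ext_args is intentionally unquoted: it is empty or two words.
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial $ext_args -out "$WORK/$1.crt" 2>/dev/null
}

# Classify a PEM certificate from "openssl x509 -purpose". That command applies
# the nsCertType / extendedKeyUsage / keyUsage rules behind the handshake error
# "unsupported certificate purpose". Prints one of: server, client, both, none.
cert_purpose() {  # $1 = PEM certificate
    purposes=$(openssl x509 -in "$1" -noout -purpose)
    srv=no; cli=no
    case "$purposes" in *"SSL server : Yes"*) srv=yes ;; esac
    case "$purposes" in *"SSL client : Yes"*) cli=yes ;; esac
    case "$srv/$cli" in
        yes/yes) echo both ;;
        yes/no)  echo server ;;
        no/yes)  echo client ;;
        *)       echo none ;;
    esac
}

make_cert vpn-server server
make_cert laptop client
make_cert legacy plain

for name in vpn-server laptop legacy; do
    printf '%-10s usable as: %s\n' "$name" "$(cert_purpose "$WORK/$name.crt")"
done
# vpn-server usable as: server   (only valid as the server's --cert)
# laptop     usable as: client   (rejected by the server if used as its own cert)
# legacy     usable as: both     (no type extension, easy-rsa "build-key" style)
```

Run the same `openssl x509 -in <cert> -noout -purpose` against the certificate actually deployed on the client: if "SSL client" reads No, the certificate was issued with the server clause and has to be re-issued, as David says; editing the text dump at the top of the file changes nothing. The "legacy" case shows why a plain build-key client certificate works even though it carries no flag at all. On current OpenVPN releases the client-side check that ns-cert-type used to provide is done by remote-cert-tls, which inspects extendedKeyUsage and keyUsage rather than the Netscape extension.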

Thank you.

Newish issue (happened before but eventually went away).

I am trying to connect but it's stuck at "waiting for server response" so my first intuition is to see if it's rejecting the connection. (which it is).

Here is my iptables

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:www reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:https reject-with icmp-port-unreachable 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: ' 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere   

If I try to

telnet server 1194

It's rejected.

If I play with the other ports to see if changes are taking place it responds so I'm not sure why it's ignoring the openvpn ports? I tried both UDP/TCP for the heck of it.

Nov 25 21:12:23 li83-151 kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:4a:cf:f1:97:c8:4c:75:f5:d6:3f:08:00 SRC=207.47.5.130 DST=fake000 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=10221 DF PROTO=TCP SPT=53835 DPT=1194 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 25 21:12:24 li83-151 kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:4a:cf:f1:97:c8:4c:75:f5:d6:3f:08:00 SRC=207.47.5.130 DST=fake00 LEN=42 TOS=0x00 PREC=0x00 TTL=56 ID=11669 PROTO=UDP SPT=54235 DPT=1994 LEN=22

Anything I can do to make this connection go through? :(

OpenVPN is running…

ps aux | grep open
root 17893 0.0 0.2 21216 1148 ? Ss 21:07 0:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf
root 17959 0.0 0.1 5156 776 pts/2 S+ 21:13 0:00 grep open

I think it'd work if the connection went through. I regenerated the certs and I'm pretty sure I generated a server cert for the client side.

And interesting output from the openvpn.log

Fri Nov 25 21:17:07 2011 event_wait : Interrupted system call (code=4)
Fri Nov 25 21:17:08 2011 TCP/UDP: Closing socket
Fri Nov 25 21:17:08 2011 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Fri Nov 25 21:17:08 2011 Closing TUN/TAP interface
Fri Nov 25 21:17:08 2011 /sbin/ifconfig tun0 0.0.0.0
Fri Nov 25 21:17:08 2011 SIGTERM[hard,] received, process exiting
tail: openvpn.log: file truncated

openvpn-status.log

tail: openvpn-status.log: file truncated
OpenVPN CLIENT LIST
Updated,Fri Nov 25 21:17:19 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END


More verbose debug:

cat openvpn.log
Fri Nov 25 21:56:04 2011 us=187709 Current Parameter Settings:
Fri Nov 25 21:56:04 2011 us=187825   config = '/etc/openvpn/server.conf'
Fri Nov 25 21:56:04 2011 us=187844   mode = 1
Fri Nov 25 21:56:04 2011 us=187859   persist_config = DISABLED
Fri Nov 25 21:56:04 2011 us=187873   persist_mode = 1
Fri Nov 25 21:56:04 2011 us=187887   show_ciphers = DISABLED
Fri Nov 25 21:56:04 2011 us=187901   show_digests = DISABLED
Fri Nov 25 21:56:04 2011 us=187914   show_engines = DISABLED
Fri Nov 25 21:56:04 2011 us=187928   genkey = DISABLED
Fri Nov 25 21:56:04 2011 us=187942   key_pass_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=187956   show_tls_ciphers = DISABLED
Fri Nov 25 21:56:04 2011 us=187974 Connection profiles [default]:
Fri Nov 25 21:56:04 2011 us=187990   proto = udp
Fri Nov 25 21:56:04 2011 us=188004   local = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188017   local_port = 1194
Fri Nov 25 21:56:04 2011 us=188031   remote = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188044   remote_port = 1194
Fri Nov 25 21:56:04 2011 us=188058   remote_float = DISABLED
Fri Nov 25 21:56:04 2011 us=188072   bind_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=188085   bind_local = ENABLED
Fri Nov 25 21:56:04 2011 us=188099   connect_retry_seconds = 5
Fri Nov 25 21:56:04 2011 us=188113   connect_timeout = 10
Fri Nov 25 21:56:04 2011 us=188127   connect_retry_max = 0
Fri Nov 25 21:56:04 2011 us=188141   socks_proxy_server = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188154   socks_proxy_port = 0
Fri Nov 25 21:56:04 2011 us=188168   socks_proxy_retry = DISABLED
Fri Nov 25 21:56:04 2011 us=188186 Connection profiles END
Fri Nov 25 21:56:04 2011 us=188200   remote_random = DISABLED
Fri Nov 25 21:56:04 2011 us=188214   ipchange = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188227   dev = 'tun'
Fri Nov 25 21:56:04 2011 us=188241   dev_type = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188254   dev_node = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188268   lladdr = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188281   topology = 1
Fri Nov 25 21:56:04 2011 us=188295   tun_ipv6 = DISABLED
Fri Nov 25 21:56:04 2011 us=188308   ifconfig_local = '10.8.0.1'
Fri Nov 25 21:56:04 2011 us=188322   ifconfig_remote_netmask = '10.8.0.2'
Fri Nov 25 21:56:04 2011 us=188336   ifconfig_noexec = DISABLED
Fri Nov 25 21:56:04 2011 us=188349   ifconfig_nowarn = DISABLED
Fri Nov 25 21:56:04 2011 us=188362   shaper = 0
Fri Nov 25 21:56:04 2011 us=188376   tun_mtu = 1500
Fri Nov 25 21:56:04 2011 us=188390   tun_mtu_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=188403   link_mtu = 1500
Fri Nov 25 21:56:04 2011 us=188417   link_mtu_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=188430   tun_mtu_extra = 0
Fri Nov 25 21:56:04 2011 us=188444   tun_mtu_extra_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=188457   fragment = 0
Fri Nov 25 21:56:04 2011 us=188471   mtu_discover_type = -1
Fri Nov 25 21:56:04 2011 us=188484   mtu_test = 0
Fri Nov 25 21:56:04 2011 us=188498   mlock = DISABLED
Fri Nov 25 21:56:04 2011 us=188512   keepalive_ping = 10
Fri Nov 25 21:56:04 2011 us=188526   keepalive_timeout = 120
Fri Nov 25 21:56:04 2011 us=188550   inactivity_timeout = 0
Fri Nov 25 21:56:04 2011 us=188564   ping_send_timeout = 10
Fri Nov 25 21:56:04 2011 us=188578   ping_rec_timeout = 240
Fri Nov 25 21:56:04 2011 us=188591   ping_rec_timeout_action = 2
Fri Nov 25 21:56:04 2011 us=188604   ping_timer_remote = DISABLED
Fri Nov 25 21:56:04 2011 us=188618   remap_sigusr1 = 0
Fri Nov 25 21:56:04 2011 us=188631   explicit_exit_notification = 0
Fri Nov 25 21:56:04 2011 us=188645   persist_tun = ENABLED
Fri Nov 25 21:56:04 2011 us=188658   persist_local_ip = DISABLED
Fri Nov 25 21:56:04 2011 us=188672   persist_remote_ip = DISABLED
Fri Nov 25 21:56:04 2011 us=188685   persist_key = ENABLED
Fri Nov 25 21:56:04 2011 us=188699   mssfix = 1450
Fri Nov 25 21:56:04 2011 us=188712   passtos = DISABLED
Fri Nov 25 21:56:04 2011 us=188731   resolve_retry_seconds = 1000000000
Fri Nov 25 21:56:04 2011 us=188746   username = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188760   groupname = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188773   chroot_dir = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188799   cd_dir = '/etc/openvpn'
Fri Nov 25 21:56:04 2011 us=188814   writepid = '/var/run/openvpn.server.pid'
Fri Nov 25 21:56:04 2011 us=188828   up_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188842   down_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=188855   down_pre = DISABLED
Fri Nov 25 21:56:04 2011 us=188869   up_restart = DISABLED
Fri Nov 25 21:56:04 2011 us=188883   up_delay = DISABLED
Fri Nov 25 21:56:04 2011 us=188896   daemon = ENABLED
Fri Nov 25 21:56:04 2011 us=188910   inetd = 0
Fri Nov 25 21:56:04 2011 us=188924   log = ENABLED
Fri Nov 25 21:56:04 2011 us=188937   suppress_timestamps = DISABLED
Fri Nov 25 21:56:04 2011 us=188951   nice = 0
Fri Nov 25 21:56:04 2011 us=188965   verbosity = 5
Fri Nov 25 21:56:04 2011 us=188978   mute = 0
Fri Nov 25 21:56:04 2011 us=188992   gremlin = 0
Fri Nov 25 21:56:04 2011 us=189006   status_file = 'openvpn-status.log'
Fri Nov 25 21:56:04 2011 us=189020   status_file_version = 1
Fri Nov 25 21:56:04 2011 us=189033   status_file_update_freq = 60
Fri Nov 25 21:56:04 2011 us=189047   occ = ENABLED
Fri Nov 25 21:56:04 2011 us=189061   rcvbuf = 65536
Fri Nov 25 21:56:04 2011 us=189074   sndbuf = 65536
Fri Nov 25 21:56:04 2011 us=189088   sockflags = 0
Fri Nov 25 21:56:04 2011 us=189102   fast_io = DISABLED
Fri Nov 25 21:56:04 2011 us=189115   lzo = 7
Fri Nov 25 21:56:04 2011 us=189129   route_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189143   route_default_gateway = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189156   route_default_metric = 0
Fri Nov 25 21:56:04 2011 us=189170   route_noexec = DISABLED
Fri Nov 25 21:56:04 2011 us=189183   route_delay = 0
Fri Nov 25 21:56:04 2011 us=189197   route_delay_window = 30
Fri Nov 25 21:56:04 2011 us=189211   route_delay_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=189224   route_nopull = DISABLED
Fri Nov 25 21:56:04 2011 us=189238   route_gateway_via_dhcp = DISABLED
Fri Nov 25 21:56:04 2011 us=189251   allow_pull_fqdn = DISABLED
Fri Nov 25 21:56:04 2011 us=189266   route 10.8.0.0/255.255.255.0/nil/nil
Fri Nov 25 21:56:04 2011 us=189280   management_addr = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189294   management_port = 0
Fri Nov 25 21:56:04 2011 us=189308   management_user_pass = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189321   management_log_history_cache = 250
Fri Nov 25 21:56:04 2011 us=189335   management_echo_buffer_size = 100
Fri Nov 25 21:56:04 2011 us=189349   management_write_peer_info_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189363   management_flags = 0
Fri Nov 25 21:56:04 2011 us=189377   shared_secret_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189391   key_direction = 0
Fri Nov 25 21:56:04 2011 us=189405   ciphername_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=189419   ciphername = 'BF-CBC'
Fri Nov 25 21:56:04 2011 us=189433   authname_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=189446   authname = 'SHA1'
Fri Nov 25 21:56:04 2011 us=189460   keysize = 0
Fri Nov 25 21:56:04 2011 us=189474   engine = DISABLED
Fri Nov 25 21:56:04 2011 us=189487   replay = ENABLED
Fri Nov 25 21:56:04 2011 us=189501   mute_replay_warnings = DISABLED
Fri Nov 25 21:56:04 2011 us=189515   replay_window = 64
Fri Nov 25 21:56:04 2011 us=189529   replay_time = 15
Fri Nov 25 21:56:04 2011 us=189552   packet_id_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189566   use_iv = ENABLED
Fri Nov 25 21:56:04 2011 us=189580   test_crypto = DISABLED
Fri Nov 25 21:56:04 2011 us=189594   tls_server = ENABLED
Fri Nov 25 21:56:04 2011 us=189607   tls_client = DISABLED
Fri Nov 25 21:56:04 2011 us=189621   key_method = 2
Fri Nov 25 21:56:04 2011 us=189635   ca_file = 'ca.crt'
Fri Nov 25 21:56:04 2011 us=189648   ca_path = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189662   dh_file = 'dh1024.pem'
Fri Nov 25 21:56:04 2011 us=189675   cert_file = 'server.crt'
Fri Nov 25 21:56:04 2011 us=189689   priv_key_file = 'server.key'
Fri Nov 25 21:56:04 2011 us=189703   pkcs12_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189716   cipher_list = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189730   tls_verify = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189743   tls_remote = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189765   crl_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=189780   ns_cert_type = 0
Fri Nov 25 21:56:04 2011 us=189794   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189815   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189837   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189859   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189877   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189891   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189905   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189918   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189932   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189945   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189959   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189972   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189986   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=189999   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=190013   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=190027   remote_cert_ku[i] = 0
Fri Nov 25 21:56:04 2011 us=190040   remote_cert_eku = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=190054   tls_timeout = 2
Fri Nov 25 21:56:04 2011 us=190068   renegotiate_bytes = 0
Fri Nov 25 21:56:04 2011 us=190081   renegotiate_packets = 0
Fri Nov 25 21:56:04 2011 us=190095   renegotiate_seconds = 3600
Fri Nov 25 21:56:04 2011 us=190109   handshake_window = 60
Fri Nov 25 21:56:04 2011 us=190122   transition_window = 3600
Fri Nov 25 21:56:04 2011 us=190136   single_session = DISABLED
Fri Nov 25 21:56:04 2011 us=190150   tls_exit = DISABLED
Fri Nov 25 21:56:04 2011 us=190164   tls_auth_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=190177   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190191   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190204   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190218   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190231   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190245   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190258   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190280   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190302   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190325   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190347   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190370   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190386   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190399   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190413   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190427   pkcs11_protected_authentication = DISABLED
Fri Nov 25 21:56:04 2011 us=190441   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190454   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190468   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190491   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190507   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190521   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190544   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190559   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190573   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190586   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190600   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190613   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190627   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190640   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190654   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190667   pkcs11_private_mode = 00000000
Fri Nov 25 21:56:04 2011 us=190681   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190704   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190718   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190732   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190745   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190759   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190772   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190786   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190799   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190813   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190826   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190839   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190853   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190866   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190879   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190893   pkcs11_cert_private = DISABLED
Fri Nov 25 21:56:04 2011 us=190907   pkcs11_pin_cache_period = -1
Fri Nov 25 21:56:04 2011 us=190920   pkcs11_id = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=190934   pkcs11_id_management = DISABLED
Fri Nov 25 21:56:04 2011 us=190949   server_network = 10.8.0.0
Fri Nov 25 21:56:04 2011 us=190965   server_netmask = 255.255.255.0
Fri Nov 25 21:56:04 2011 us=190980   server_bridge_ip = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=190995   server_bridge_netmask = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191009   server_bridge_pool_start = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191024   server_bridge_pool_end = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191039   push_list = 'dhcp-option DNS 10.8.0.1,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120'
Fri Nov 25 21:56:04 2011 us=191053   ifconfig_pool_defined = ENABLED
Fri Nov 25 21:56:04 2011 us=191067   ifconfig_pool_start = 10.8.0.4
Fri Nov 25 21:56:04 2011 us=191083   ifconfig_pool_end = 10.8.0.251
Fri Nov 25 21:56:04 2011 us=191097   ifconfig_pool_netmask = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191111   ifconfig_pool_persist_filename = 'ipp.txt'
Fri Nov 25 21:56:04 2011 us=191125   ifconfig_pool_persist_refresh_freq = 600
Fri Nov 25 21:56:04 2011 us=191139   n_bcast_buf = 256
Fri Nov 25 21:56:04 2011 us=191152   tcp_queue_limit = 64
Fri Nov 25 21:56:04 2011 us=191166   real_hash_size = 256
Fri Nov 25 21:56:04 2011 us=191180   virtual_hash_size = 256
Fri Nov 25 21:56:04 2011 us=191194   client_connect_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191207   learn_address_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191221   client_disconnect_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191235   client_config_dir = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191248   ccd_exclusive = DISABLED
Fri Nov 25 21:56:04 2011 us=191262   tmp_dir = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191276   push_ifconfig_defined = DISABLED
Fri Nov 25 21:56:04 2011 us=191299   push_ifconfig_local = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191319   push_ifconfig_remote_netmask = 0.0.0.0
Fri Nov 25 21:56:04 2011 us=191333   enable_c2c = DISABLED
Fri Nov 25 21:56:04 2011 us=191347   duplicate_cn = DISABLED
Fri Nov 25 21:56:04 2011 us=191360   cf_max = 0
Fri Nov 25 21:56:04 2011 us=191374   cf_per = 0
Fri Nov 25 21:56:04 2011 us=191388   max_clients = 1024
Fri Nov 25 21:56:04 2011 us=191402   max_routes_per_client = 256
Fri Nov 25 21:56:04 2011 us=191415   client_cert_not_required = DISABLED
Fri Nov 25 21:56:04 2011 us=191429   username_as_common_name = DISABLED
Fri Nov 25 21:56:04 2011 us=191443   auth_user_pass_verify_script = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191457   auth_user_pass_verify_script_via_file = DISABLED
Fri Nov 25 21:56:04 2011 us=191471   port_share_host = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191489   port_share_port = 0
Fri Nov 25 21:56:04 2011 us=191503   client = DISABLED
Fri Nov 25 21:56:04 2011 us=191517   pull = DISABLED
Fri Nov 25 21:56:04 2011 us=191531   auth_user_pass_file = '[UNDEF]'
Fri Nov 25 21:56:04 2011 us=191561 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Fri Nov 25 21:56:04 2011 us=194913 Diffie-Hellman initialized with 1024 bit key
Fri Nov 25 21:56:04 2011 us=195708 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Nov 25 21:56:04 2011 us=308821 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 25 21:56:04 2011 us=309020 ROUTE default_gateway=74.207.241.1
Fri Nov 25 21:56:04 2011 us=309124 TUN/TAP device tun0 opened
Fri Nov 25 21:56:04 2011 us=309151 TUN/TAP TX queue length set to 100
Fri Nov 25 21:56:04 2011 us=309177 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Nov 25 21:56:04 2011 us=311464 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Nov 25 21:56:04 2011 us=312718 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 25 21:56:04 2011 us=313266 Socket Buffers: R=[126976->131072] S=[126976->131072]
Fri Nov 25 21:56:04 2011 us=313337 UDPv4 link local (bound): [undef]:1194
Fri Nov 25 21:56:04 2011 us=313355 UDPv4 link remote: [undef]
Fri Nov 25 21:56:04 2011 us=313377 MULTI: multi_init called, r=256 v=256
Fri Nov 25 21:56:04 2011 us=313470 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Nov 25 21:56:04 2011 us=313518 IFCONFIG POOL LIST
Fri Nov 25 21:56:04 2011 us=313558 Initialization Sequence Completed

edit:

I got it to work but now it says "reconnecting" after 30 seconds.

Output of openvpn.log

tail -f -n 0 openvpn.log
rWFri Nov 25 22:18:06 2011 us=865108 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:08 2011 us=975178 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:09 2011 us=325207 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:14 2011 us=188888 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:16 2011 us=857409 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:18 2011 us=975411 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWrWFri Nov 25 22:18:19 2011 us=44147 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

Rather than guessing if it's the filters, can you form a connection if you disable them? If not, then you know you have to troubleshoot the OpenVPN side - if it does, then you know it's the filters. Also, has anything in this area changed since your initial post? Clearly at that point connections were getting through as they were being rejected at a higher level. Could the filters not have been active at that point?

I do see a few odd things in your INPUT chain:

* You have rules beyond the point where you log a failure, so I don't think such logs in your log files necessarily indicate a packet has been blocked, just that it reached the LOG rule in the chain. You probably want that LOG rule at the end if it's supposed to represent dropped/rejected packets.

* You only permit the UDP OpenVPN port traffic. This should be fine, since it's usually what OpenVPN uses (unless you've configured it for TCP), but could explain the rejection of your telnet test which is TCP (except for the next point).

* You seem to have a general acceptance rule even before your OpenVPN rule, so I can't see how anything (other than https or www) would be blocked at all. However, the dump you show doesn't include interface information (add -v) so perhaps those more general rules are bounded by interface? But I wouldn't worry about those until you have OpenVPN working without any filters. If it is the filters, I'd also check them (-v) to make sure that you aren't accidentally limiting the openvpn rule by interface, plus you should be able to use the stats on that rule to see if any of your client's packets are qualifying.

– David
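An added example, not from the thread and not iptables itself: a small first-match walk over a simplified INPUT chain, to make David's first and third points concrete. The ORIGINAL_INPUT chain is constructed from the `iptables -L` output posted above with the stateful and rate-limit matches left out; the interface column is an assumption (the first catch-all ACCEPT is taken to be the loopback rule, the second to be unbounded), because `-L` without `-v` does not show interfaces. FIXED_INPUT is the same chain with the catch-all ACCEPT removed and the LOG rule moved to the end, just ahead of the final REJECT.

```shell
#!/bin/sh
# Added example, not from the thread. Simulates netfilter's first-match walk over
# an INPUT chain so that the effect of rule ordering is visible without touching
# a real firewall. Chains are constructed from the thread's "iptables -L" output;
# the IFACE column is an assumption, since "-L" without "-v" hides interfaces.
set -eu

# Rule format: TARGET PROTO DPORT IFACE   ("all" / "any" are wildcards; "#" comments)
ORIGINAL_INPUT='
ACCEPT  all   any    lo      # assumed: the first catch-all ACCEPT is the loopback rule
REJECT  tcp   80     any
REJECT  tcp   443    any
ACCEPT  tcp   30000  any
ACCEPT  icmp  any    any
LOG     all   any    any     # logs with prefix "iptables denied:" but denies nothing
ACCEPT  all   any    any     # assumed unbounded: everything below it is unreachable
ACCEPT  udp   1194   any
REJECT  all   any    any
'

# Same intent, with the catch-all ACCEPT removed and LOG placed right before
# the final REJECT, so a log line now really means a rejected packet.
FIXED_INPUT='
ACCEPT  all   any    lo
REJECT  tcp   80     any
REJECT  tcp   443    any
ACCEPT  tcp   30000  any
ACCEPT  udp   1194   any
ACCEPT  icmp  any    any
LOG     all   any    any
REJECT  all   any    any
'

# walk_chain RULES PROTO DPORT IFACE
# Prints the targets a new inbound packet hits, in order, e.g. "LOG,ACCEPT".
# LOG is non-terminating (evaluation continues); any other target ends the walk.
# If no terminating rule matches, the chain policy applies ("POLICY").
walk_chain() {
    printf '%s\n' "$1" | awk -v proto="$2" -v dport="$3" -v iface="$4" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            target = $1; rp = $2; rd = $3; ri = $4
            if ((rp == "all" || rp == proto) && (rd == "any" || rd == dport) &&
                (ri == "any" || ri == iface)) {
                hits = (hits == "") ? target : hits "," target
                if (target != "LOG") { term = 1; print hits; exit }
            }
        }
        END {
            if (!term) { out = (hits == "") ? "POLICY" : hits ",POLICY"; print out }
        }'
}

# A client packet to udp/1194 on eth0 under the original chain: logged, then accepted.
walk_chain "$ORIGINAL_INPUT" udp 1194 eth0   # LOG,ACCEPT
# The TCP telnet test reaches the same outcome: the filter itself does not reject it.
walk_chain "$ORIGINAL_INPUT" tcp 1194 eth0   # LOG,ACCEPT
# Under the fixed chain OpenVPN traffic is accepted without a log line...
walk_chain "$FIXED_INPUT" udp 1194 eth0      # ACCEPT
# ...and only traffic headed for the final REJECT is logged.
walk_chain "$FIXED_INPUT" tcp 2222 eth0      # LOG,REJECT
```

The simulation only decides what the chain would do with a fresh packet; the real check David suggests is `iptables -L INPUT -v -n --line-numbers`, which shows the interface each rule is bound to and the per-rule packet counters, so you can see whether the openvpn rule is matching anything at all.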

@db3l:

> Rather than guessing if it's the filters, can you form a connection if you disable them? If not, then you know you have to troubleshoot the OpenVPN side - if it does, then you know it's the filters. Also, has anything in this area changed since your initial post? Clearly at that point connections were getting through as they were being rejected at a higher level. Could the filters not have been active at that point?
>
> I do see a few odd things in your INPUT chain:
>
> * You have rules beyond the point where you log a failure, so I don't think such logs in your log files necessarily indicate a packet has been blocked, just that it reached the LOG rule in the chain. You probably want that LOG rule at the end if it's supposed to represent dropped/rejected packets.
>
> * You only permit the UDP OpenVPN port traffic. This should be fine, since it's usually what OpenVPN uses (unless you've configured it for TCP), but could explain the rejection of your telnet test which is TCP (except for the next point).
>
> * You seem to have a general acceptance rule even before your OpenVPN rule, so I can't see how anything (other than https or www) would be blocked at all. However, the dump you show doesn't include interface information (add -v) so perhaps those more general rules are bounded by interface? But I wouldn't worry about those until you have OpenVPN working without any filters. If it is the filters, I'd also check them (-v) to make sure that you aren't accidentally limiting the openvpn rule by interface, plus you should be able to use the stats on that rule to see if any of your client's packets are qualifying.
>
> – David

Hey David,

I redid my filters using an example iptables config

I got the connection through finally and now I am getting the following:

"reconnecting" after 30 seconds.

Output of openvpn.log:

```
tail -f -n 0 openvpn.log
rWFri Nov 25 22:18:06 2011 us=865108 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:08 2011 us=975178 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:09 2011 us=325207 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:14 2011 us=188888 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:16 2011 us=857409 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWFri Nov 25 22:18:18 2011 us=975411 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
rWrWFri Nov 25 22:18:19 2011 us=44147 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
```

Output of iptables -L:

```
iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:30000
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpts:33434:33523

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```

I'm going to keep tinkering. Thanks for staying on top of this with me… I appreciate it.

Errors on the client side after about 1 minute…

2011-11-25 22:32:43 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:44 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:45 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:46 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:47 write UDPv4: No route to host (code=65)
2011-11-25 22:32:54 *Tunnelblick leasewatch: A network configuration change was detected
                    *                                DNS configuration has changed:
                    *                                --- BEGIN EXPECTED DNS CFG ---
                    *                                DomainName : openvpn
                    *                    |ServerAddresses : <array> {
                    *                    0 : 8.8.8.8
                    *                    1 : 8.8.4.4
                    *                    }
                    *                    |SearchDomains : <array> {
                    *                    0 : openvpn
                    *                    }
                    *                    |
                    *                                ---- END EXPECTED DNS CFG ----
                    *                                
                    *                                --- BEGIN CURRENT DNS CFG ---
                    *                                DomainName : ichotelsgroup.com
                    *                    |ServerAddresses : <array> {
                    *                    0 : 8.8.8.8
                    *                    1 : 8.8.4.4
                    *                    }
                    *                    |
                    *                                ---- END CURRENT DNS CFG ----
                    *                                
                    *                                --- BEGIN PRE-VPN DNS CFG ---
                    *                                ServerAddresses : <array> {
                    *                    0 : 8.8.8.8
                    *                    1 : 8.8.4.4
                    *                    }
                    *                    |
                    *                                ---- END PRE-VPN DNS CFG ----
                    *                    Sending USR1 to OpenVPN (process ID 10455) to restart the connection.
2011-11-25 22:32:55 event_wait : Interrupted system call (code=4)
2011-11-25 22:32:55 TCP/UDP: Closing socket
2011-11-25 22:32:55 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d tun0 1500 1542 10.8.0.6 10.8.0.5 restart
                                          No such key
2011-11-25 22:32:55 SIGUSR1[hard,] received, process restarting
2011-11-25 22:32:55 MANAGEMENT: >STATE:1322289175,RECONNECTING,SIGUSR1,,
2011-11-25 22:32:55 *Tunnelblick client.down.tunnelblick.sh: Cancelled monitoring of system configuration changes
2011-11-25 22:32:55 *Tunnelblick client.down.tunnelblick.sh: Restored the DNS and WINS configurations
2011-11-25 22:32:56 MANAGEMENT: CMD 'hold release'
2011-11-25 22:32:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-11-25 22:32:56 Re-using SSL/TLS context
2011-11-25 22:32:56 LZO compression initialized
2011-11-25 22:32:56 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2011-11-25 22:32:56 Socket Buffers: R=[42080->65536] S=[9216->65536]
2011-11-25 22:32:56 MANAGEMENT: >STATE:1322289176,RESOLVE,,,
2011-11-25 22:33:26 RESOLVE: Cannot resolve host address: anon.anon.com: [HOST_NOT_FOUND] The specified host is unknown.
2011-11-25 22:33:26 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2011-11-25 22:33:26 Local Options hash (VER=V4): '41690919'
2011-11-25 22:33:26 Expected Remote Options hash (VER=V4): '530fdded'
2011-11-25 22:33:26 MANAGEMENT: >STATE:1322289206,RESOLVE,,,
2011-11-25 22:33:56 RESOLVE: signal received during DNS resolution attempt
2011-11-25 22:33:56 TCP/UDP: Closing socket
2011-11-25 22:33:56 /sbin/route delete -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        delete net 10.8.0.1: gateway 10.8.0.5
2011-11-25 22:33:56 /sbin/route delete -net fake00 10.71.0.1 255.255.255.255
                                        delete net fake000: gateway 10.71.0.1
2011-11-25 22:33:56 /sbin/route delete -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        delete net 0.0.0.0: gateway 10.8.0.5
2011-11-25 22:33:56 /sbin/route delete -net 128.0.0.0 10.8.0.5 128.0.0.0
                                        delete net 128.0.0.0: gateway 10.8.0.5
2011-11-25 22:33:56 Closing TUN/TAP interface
2011-11-25 22:33:56 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d tun0 1500 1542 10.8.0.6 10.8.0.5 init
2011-11-25 22:33:57 *Tunnelblick client.down.tunnelblick.sh: WARNING: No existing OpenVPN DNS configuration found; not tearing down anything; exiting.
2011-11-25 22:33:57 SIGTERM[hard,init_instance] received, process exiting
2011-11-25 22:33:57 MANAGEMENT: >STATE:1322289237,EXITING,init_instance,,
2011-11-25 22:33:59 *Tunnelblick: Flushed the DNS cache</array></array></array></array>

I have OpenVPN running on all my VPSes. It's quick and easy to set up for me after so many opportunities to do it.

Now I'd love to help you, but you need to realise something:

  • We still don't know what you're trying to do.

  • We have no idea what you did to get where you are.

  • We still haven't seen any of your configuration files. Neither server nor client.

Take care,

zjl

Thanks for the comment.

So I fixed it by setting "Set DNS/WINS" to "DO NOT SET NAMESERVER"

Now I get no disconnects and everything seems to be running smoothly.

How do I test that my connection is secure?

If I were on a public wi-fi spot, no one should be able to see any of my traffic even over HTTP right?

Glad you got it running then! This seems to be a tunnelblick issue after all :-)

To make sure traffic is going through the tunnel, connect to your VPN with Tunnelblick and then check what your external IP address is, for instance by typing "What's My IP" in Google.

You should see the IP of your linode.

Then, if your VPN is encrypted, you're all set.

OpenVPN tunnels are encrypted unless you really go the extra mile to disable encryption when setting up your server.

To make sure, check the logs when connecting, you should see a line

Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Cipher may differ, but they're mostly all good enough.

Take care,

zjl

@zjl:


Seems mine is pretty low

> Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

How would I "upgrade" my cipher?

Blowfish is the default cipher, unbreakable and chosen by the OpenVPN team as a good balance of great strength and low resource usage. You have no reason to 'upgrade' it really.

Still, you change the cipher by having a matching cipher line in both client and server configuration file.

Find the list of available ciphers by running

openvpn --show-ciphers

Then just add a line

cipher AES-256-CBC

to both client and server conf.

If you're interested in tweaking all this (and there's really no need), you may want to also look at tls-cipher and auth.

As an example, because I'm also pretty eager to always use the bigger even if it's not really needed, I have:

tls-cipher DHE-RSA-AES256-SHA
cipher AES-256-CBC
auth ecdsa-with-SHA1

Find a list of what's available on your particular system with

openvpn --show-tls
openvpn --show-ciphers
openvpn --show-digests

You should make sure that what you decide to use is supported both by your server and your client.

Have fun,

zjl
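As an added example (not code from this thread or from the OpenVPN project), here is a small Python check for the two things zjl describes: that the `cipher`, `auth` and `tls-cipher` lines agree between the server and client configs, and that the `Data Channel Encrypt` line in the client log reports the cipher the config asked for. The config files and log line are constructed, and the fallback values assumed for an absent directive are the pre-2.4 OpenVPN defaults (BF-CBC, SHA1).

```python
import re

# Constructed sample configs and client-log excerpt (not the thread's own files).
SERVER_CONF = """port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA256
tls-cipher DHE-RSA-AES256-SHA
"""
CLIENT_CONF = """client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
tls-cipher DHE-RSA-AES256-SHA
"""
CLIENT_LOG = "2011-11-25 22:40:01 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key\n"

CRYPTO_KEYS = ("cipher", "auth", "tls-cipher")
# Values OpenVPN 2.x of the thread's era (pre-2.4) used when a directive was absent (assumption).
OPENVPN_DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}
LOG_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key")

def parse_conf(text):
    """Map each crypto directive to its value; lines starting with # or ; are comments."""
    opts = dict(OPENVPN_DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        if parts[0] in CRYPTO_KEYS:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def compare_crypto(server_conf, client_conf):
    """Return [(directive, server_value, client_value)] for every disagreement."""
    s, c = parse_conf(server_conf), parse_conf(client_conf)
    return [(k, s.get(k), c.get(k)) for k in CRYPTO_KEYS if s.get(k) != c.get(k)]

def negotiated_cipher(log_text):
    """Return (cipher_name, key_bits) from the 'Data Channel Encrypt' line, or None."""
    m = LOG_RE.search(log_text)
    return (m.group(1), int(m.group(2))) if m else None

def log_matches_config(log_text, conf_text):
    """True when the cipher OpenVPN actually initialized is the one the config asks for."""
    neg = negotiated_cipher(log_text)
    return neg is not None and neg[0] == parse_conf(conf_text)["cipher"]
```

Run `compare_crypto` on your real server and client files before restarting either side; every tuple it returns is a directive that will make the two ends disagree.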
