Hello everyone,
I am on the latest build of IPFire running on a PC Engines APU3a4.
With the information from the wiki, I am unable to make the OpenVPN service work.
There are two problems:
- The OpenVPN service is not running (or I am not sure, because I got a positive and a negative GUI indicator)
- The OpenVPN configuration on the client.
I started by creating the x509 certificate on the IPFire, and I created the connection as well as established a dynamic DNS service connection.
When I try to start the server, I get these kinds of error messages:
|Time|Process|Message|
|---|---|---|
|23:21:44|openvpnserver[12808]:|/sbin/ip route del 10.182.113.0/24|
|23:21:44|openvpnserver[12808]:|Closing TUN/TAP interface|
|23:21:44|openvpnserver[12808]:|/sbin/ip addr del dev tun1 local 10.182.113.1 peer 10.182.113.2|
|23:22:01|openvpnserver[12969]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|23:22:01|openvpnserver[12969]:|WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.|
|23:22:01|openvpnserver[12969]:|OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 15 2021|
|23:22:01|openvpnserver[12969]:|library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10|
|23:22:01|openvpnserver[12970]:|WARNING: --keepalive option is missing from server config|
|23:22:01|openvpnserver[12970]:|NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.|
|23:22:01|openvpnserver[12970]:|NOTE: the current --script-security setting may allow this configuration to call user-defined scripts|
|23:22:01|openvpnserver[12970]:|Diffie-Hellman initialized with 4096 bit key|
|23:22:01|openvpnserver[12970]:|CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem|
|23:22:01|openvpnserver[12970]:|Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication|
|23:22:01|openvpnserver[12970]:|Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication|
|23:22:01|openvpnserver[12970]:|ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=red0 HWADDR=00:00:00:00:00:00|
|23:22:01|openvpnserver[12970]:|TUN/TAP device tun1 opened|
|23:22:01|openvpnserver[12970]:|/sbin/ip link set dev tun1 up mtu 1400|
|23:22:01|openvpnserver[12970]:|/sbin/ip link set dev tun1 up|
|23:22:01|openvpnserver[12970]:|/sbin/ip addr add dev tun1 local 10.182.113.1 peer 10.182.113.2|
|23:22:01|openvpnserver[12970]:|/sbin/ip route add 10.182.113.0/24 via 10.182.113.2|
|23:22:01|openvpnserver[12970]:|Could not determine IPv4/IPv6 protocol. Using AF_INET|
|23:22:01|openvpnserver[12970]:|Socket Buffers: R=[212992->212992] S=[212992->212992]|
|23:22:01|openvpnserver[12970]:|TCP/UDP: Socket bind failed on local address [AF_INET][undef]:1194: Address already in use (errno=98)|
|23:22:01|openvpnserver[12970]:|Exiting due to fatal error|

|Time|Process|Message|
|---|---|---|
|10:27:37|openvpnserver[5176]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|10:27:37|openvpnserver[5176]:|Options error: --server directive network/netmask combination is invalid|
|10:27:37|openvpnserver[5176]:|Use --help for more information.|
|11:02:30|openvpnserver[6068]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|11:02:30|openvpnserver[6068]:|Options error: --server directive network/netmask combination is invalid|
|11:02:30|openvpnserver[6068]:|Use --help for more information.|
|11:05:46|openvpnserver[6983]:|DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6|
|11:05:46|openvpnserver[6983]:|Options error: --server directive network/netmask combination is invalid|
|11:05:46|openvpnserver[6983]:|Use --help for more information.|

netstat -tulpen also delivers this line:

```
udp 0 0 0.0.0.0:1194 0.0.0.0:* 0 391891 9957/openvpn
```

Let me know if you need additional logfiles.
The second problem: the OpenVPN configuration file the system creates is not working on my Ubuntu machine. I get an error message that tls-client is not a valid pair. When I delete the first line and try again, it says the same for client.

```
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote ipfire.localdomain 1194
pkcs12 user.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name ipfire.localdomain name
mssfix 0
```

A last question, because I am not sure if I am doing it right:
The 3 certificate files that are needed are ALL generated from the .p12 file on Ubuntu, right? The x509 certificate that was generated prior and the ta.key file from the client package are not needed?
Thanks in advance.
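
Added example, not part of the original post: a small triage script that reads log rows like the ones above, classifies each startup failure, and looks up in the `netstat -tulpen` row which process already holds the port named in a bind error. The function names `listeners` and `triage` are assumptions made for this illustration; the sample rows are taken from the post with the terminal wrap breaks rejoined.

```python
import re

# Rows copied from the post above (terminal wrap breaks rejoined).
LOG = [
    "|23:22:01|openvpnserver[12970]:|TUN/TAP device tun1 opened|",
    "|23:22:01|openvpnserver[12970]:|TCP/UDP: Socket bind failed on local address "
    "[AF_INET][undef]:1194: Address already in use (errno=98)|",
    "|23:22:01|openvpnserver[12970]:|Exiting due to fatal error|",
    "|10:27:37|openvpnserver[5176]: |Options error: --server directive "
    "network/netmask combination is invalid|",
]
NETSTAT = ["udp 0 0 0.0.0.0:1194 0.0.0.0:* 0 391891 9957/openvpn"]

LINE_RE = re.compile(r"^\|?([\d:]+)\|\w+\[(\d+)\]:\s*\|(.*?)\|?$")
BIND_RE = re.compile(r"Socket bind failed on local address \S*:(\d+): Address already in use")
OWNER_RE = re.compile(r"\s(\d+)/(\S+)")  # the PID/Program column


def listeners(netstat_rows):
    """Map (proto, port) -> (pid, program) from `netstat -tulpen` rows."""
    table = {}
    for row in netstat_rows:
        cols, owner = row.split(), OWNER_RE.search(row)
        port = cols[3].rsplit(":", 1)[-1] if len(cols) > 3 else ""
        if not owner or not port.isdigit():
            continue  # header line, or owner hidden ("-") when not run as root
        table[(cols[0], int(port))] = (int(owner.group(1)), owner.group(2))
    return table


def triage(log_rows, netstat_rows, proto="udp"):
    """Return (time, pid, kind, detail, port_owner) per startup failure."""
    held = listeners(netstat_rows)
    findings = []
    for row in log_rows:
        m = LINE_RE.match(row.strip())
        if not m:
            continue
        when, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        bind = BIND_RE.search(msg)
        if bind:
            port = int(bind.group(1))
            # An owner PID different from the failing PID means another instance holds the port.
            findings.append((when, pid, "port-in-use", port, held.get((proto, port))))
        elif msg.startswith("Options error:"):
            findings.append((when, pid, "config-rejected", msg.split(":", 1)[1].strip(), None))
    return findings


if __name__ == "__main__":
    for finding in triage(LOG, NETSTAT):
        print(finding)
```

On the rows above, the bind failure of process 12970 is matched to the listener 9957/openvpn on UDP 1194, and the later `Options error` is reported separately as a rejected configuration.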