Hi there,
I have a problem with setting up the n2n network. Roadwarrior works.
When I activate the n2n, the picture says “Add Routes”. I am surprised, as when I run ip route, it sees the route. Later it states “Connected”.
BUT I cannot ping the other side.
LOG Server:
Jun 26 12:25:45 central ToOfficen2n[14550]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jun 26 12:25:45 central ToOfficen2n[14550]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jun 26 12:25:45 central ToOfficen2n[14550]: OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Jun 26 12:25:45 central ToOfficen2n[14550]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.09
Jun 26 12:25:45 central ToOfficen2n[14551]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:4242
Jun 26 12:25:45 central ToOfficen2n[14551]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 26 12:25:45 central ToOfficen2n[14551]: Diffie-Hellman initialized with 4096 bit key
Jun 26 12:25:45 central ToOfficen2n[14551]: Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Jun 26 12:25:45 central ToOfficen2n[14551]: ECDH curve secp384r1 added
Jun 26 12:25:45 central ToOfficen2n[14551]: ROUTE_GATEWAY 192.168.254.254/255.255.255.0 IFACE=red0 HWADDR=xx:xx:xx:xx:xx:xx
Jun 26 12:25:45 central ToOfficen2n[14551]: TUN/TAP device tun1 opened
Jun 26 12:25:45 central ToOfficen2n[14551]: TUN/TAP TX queue length set to 100
Jun 26 12:25:45 central ToOfficen2n[14551]: /sbin/ip link set dev tun1 up mtu 1500
Jun 26 12:25:45 central ToOfficen2n[14551]: /sbin/ip addr add dev tun1 local 10.42.142.1 peer 10.42.142.2
Jun 26 12:25:45 central ToOfficen2n[14551]: /etc/init.d/static-routes start tun1 1500 1605 10.42.142.1 10.42.142.2 init
Jun 26 12:25:45 central ToOfficen2n[14551]: /sbin/ip route add 10.42.42.0/24 via 10.42.142.2
Jun 26 12:25:45 central ToOfficen2n[14551]: ERROR: Linux route add command failed: external program exited with error status: 2
Jun 26 12:25:45 central ToOfficen2n[14551]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jun 26 12:25:45 central ToOfficen2n[14551]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 26 12:25:45 central ToOfficen2n[14551]: UDPv4 link local (bound): [AF_INET]192.168.254.253:4242
Jun 26 12:25:45 central ToOfficen2n[14551]: UDPv4 link remote: [AF_UNSPEC]
Jun 26 12:25:45 central ToOfficen2n[14551]: GID set to nobody
Jun 26 12:25:45 central ToOfficen2n[14551]: UID set to nobody
Jun 26 12:25:45 central ToOfficen2n[14551]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:xx, sid=f874c9bc 96253aa8
Jun 26 12:25:45 central ToOfficen2n[14551]: VERIFY OK: depth=1, C=xx, ST=xx, L=xx, O=BOMJ, OU=HQ, CN=xx CA, emailAddress=xx@xx.xx
Jun 26 12:25:45 central ToOfficen2n[14551]: VERIFY OK: depth=0, C=xx, ST=xx, O=xx, OU=Office, CN=xx-xx.xx.xx
Jun 26 12:25:45 central ToOfficen2n[14551]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:25:45 central ToOfficen2n[14551]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:25:45 central ToOfficen2n[14551]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:25:45 central ToOfficen2n[14551]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:25:45 central ToOfficen2n[14551]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jun 26 12:25:45 central ToOfficen2n[14551]: [xx.xx.xx] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:xx
Jun 26 12:25:46 central ToOfficen2n[14551]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 26 12:25:46 central ToOfficen2n[14551]: Initialization Sequence Completed
Jun 26 12:25:48 central ToOfficen2n[14551]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:4242
Jun 26 12:25:48 central ToOfficen2n[14551]: MANAGEMENT: CMD 'state'
Jun 26 12:25:48 central ToOfficen2n[14551]: MANAGEMENT: Client disconnected
Jun 26 12:26:54 central ToOfficen2n[14551]: TLS: new session incoming connection from [AF_INET]xx.xx.xx.xx:xx
Jun 26 12:26:54 central ToOfficen2n[14551]: VERIFY OK: depth=1, C=xx, ST=xx, L=xx, O=xx, OU=HQ, CN=xx CA, emailAddress=xx@xx.xx
Jun 26 12:26:54 central ToOfficen2n[14551]: VERIFY OK: depth=0, C=xx, ST=xx, O=xx, OU=xx, CN=xx-xx.xx.xx
Jun 26 12:26:54 central ToOfficen2n[14551]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:26:54 central ToOfficen2n[14551]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:26:54 central ToOfficen2n[14551]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 12:26:54 central ToOfficen2n[14551]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 12:26:54 central ToOfficen2n[14551]: TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Jun 26 12:26:54 central ToOfficen2n[14551]: TLS: tls_multi_process: untrusted session promoted to semi-trusted
Jun 26 12:26:55 central ToOfficen2n[14551]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
ip route
default via 192.168.254.254 dev red0
10.0.0.0/24 dev orange0 proto kernel scope link src 10.0.0.254
10.42.42.0/24 via 10.42.242.2 dev tun0 (road warriors)
10.42.142.2 dev tun1 proto kernel scope link src 10.42.142.1 (n2n network)
10.42.242.0/24 via 10.42.242.2 dev tun0 (road warriors)
10.42.242.2 dev tun0 proto kernel scope link src 10.42.242.1 (road warriors)
10.142.142.0/24 dev green0 proto kernel scope link src 10.142.142.254
192.168.254.0/24 dev red0 proto kernel scope link src 192.168.254.253
192.168.254.254 dev red0 scope link
Times are different because of time zones.
LOG Client:
Jun 26 17:26:54 labs ToCentraln2n[3911]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jun 26 17:26:54 labs ToCentraln2n[3911]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jun 26 17:26:54 labs ToCentraln2n[3911]: WARNING: file '/var/ipfire/ovpn/certs/ToCentral.p12' is group or others accessible
Jun 26 17:26:54 labs ToCentraln2n[3911]: OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 14 2019
Jun 26 17:26:54 labs ToCentraln2n[3911]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.09
Jun 26 17:26:54 labs ToCentraln2n[3912]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:4242
Jun 26 17:26:54 labs ToCentraln2n[3912]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=red0 HWADDR=x:x:x:x:x
Jun 26 17:26:54 labs ToCentraln2n[3912]: TUN/TAP device tun0 opened
Jun 26 17:26:54 labs ToCentraln2n[3912]: TUN/TAP TX queue length set to 100
Jun 26 17:26:54 labs ToCentraln2n[3912]: /sbin/ip link set dev tun0 up mtu 1500
Jun 26 17:26:54 labs ToCentraln2n[3912]: /sbin/ip addr add dev tun0 local 10.42.142.2 peer 10.42.142.1
Jun 26 17:26:54 labs ToCentraln2n[3912]: /sbin/ip route add 10.142.142.0/24 via 10.42.142.1
Jun 26 17:26:54 labs ToCentraln2n[3912]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:xx
Jun 26 17:26:54 labs ToCentraln2n[3912]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 26 17:26:54 labs ToCentraln2n[3912]: UDP link local (bound): [AF_INET]192.168.1.254:4242
Jun 26 17:26:54 labs ToCentraln2n[3912]: UDP link remote: [AF_INET]public_IP:Port
Jun 26 17:26:54 labs ToCentraln2n[3912]: GID set to nobody
Jun 26 17:26:54 labs ToCentraln2n[3912]: UID set to nobody
Jun 26 17:26:54 labs ToCentraln2n[3912]: TLS: Initial packet from [AF_INET]public_IP:Port, sid=d9d9521f f9ed1231
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY OK: depth=1, C=x, ST=x, L=x, O=x, OU=HQ, CN=x CA, emailAddress=xx@xx.xx
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY KU OK
Jun 26 17:26:55 labs ToCentraln2n[3912]: Validating certificate extended key usage
Jun 26 17:26:55 labs ToCentraln2n[3912]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY EKU OK
Jun 26 17:26:55 labs ToCentraln2n[3912]: VERIFY OK: depth=0, C=xx, ST=xx, O=xx, OU=HQ, CN=xx.xx.xx
Jun 26 17:26:55 labs ToCentraln2n[3912]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 17:26:55 labs ToCentraln2n[3912]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 17:26:55 labs ToCentraln2n[3912]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 26 17:26:55 labs ToCentraln2n[3912]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 26 17:26:55 labs ToCentraln2n[3912]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jun 26 17:26:55 labs ToCentraln2n[3912]: [xx.xx.xx] Peer Connection Initiated with [AF_INET]public_IP:Port
Jun 26 17:26:56 labs ToCentraln2n[3912]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:4242
Jun 26 17:26:56 labs ToCentraln2n[3912]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 26 17:26:56 labs ToCentraln2n[3912]: Initialization Sequence Completed
Jun 26 17:26:56 labs ToCentraln2n[3912]: MANAGEMENT: CMD 'state'
Jun 26 17:26:56 labs ToCentraln2n[3912]: MANAGEMENT: Client disconnected
ip route
default via 192.168.1.1 dev red0
10.42.42.0/24 dev green0 proto kernel scope link src 10.42.42.254
10.42.142.1 dev tun0 proto kernel scope link src 10.42.142.2 (n2n network)
10.142.142.0/24 via 10.42.142.1 dev tun0
192.168.1.0/24 dev red0 proto kernel scope link src 192.168.1.254
192.168.1.1 dev red0 scope link
Any ideas, please?
Much appreciated.
Slarti
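An added triage example, not part of Slarti's post and not IPFire or OpenVPN code. The server log above shows `/sbin/ip route add 10.42.42.0/24 via 10.42.142.2` followed by "ERROR: Linux route add command failed", and the server's `ip route` output already lists 10.42.42.0/24 via 10.42.242.2 on tun0 (the road-warrior tunnel). The script below reads an OpenVPN startup log together with `ip route` output, pairs each failed `ip route add` with any existing route for the same prefix that points at a different next hop, and also collects the WARNING lines OpenVPN printed (management port without a password, group-readable .p12) so they are not lost in the noise. The sample data is copied from the post; the regexes and the `triage` helper are this example's own assumptions, and the script only reports, it does not change routes.

```python
import ipaddress
import re

# Constructed sample: the server-side lines quoted in the post, syslog prefix trimmed.
SERVER_LOG = """\
ToOfficen2n[14550]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
ToOfficen2n[14551]: /sbin/ip addr add dev tun1 local 10.42.142.1 peer 10.42.142.2
ToOfficen2n[14551]: /sbin/ip route add 10.42.42.0/24 via 10.42.142.2
ToOfficen2n[14551]: ERROR: Linux route add command failed: external program exited with error status: 2
ToOfficen2n[14551]: Initialization Sequence Completed
"""

# Constructed sample: the server's `ip route` output as posted, including the poster's
# parenthesised annotations, which the parser strips.
SERVER_ROUTES = """\
default via 192.168.254.254 dev red0
10.0.0.0/24 dev orange0 proto kernel scope link src 10.0.0.254
10.42.42.0/24 via 10.42.242.2 dev tun0 (road warriors)
10.42.142.2 dev tun1 proto kernel scope link src 10.42.142.1 (n2n network)
10.42.242.0/24 via 10.42.242.2 dev tun0 (road warriors)
10.42.242.2 dev tun0 proto kernel scope link src 10.42.242.1 (road warriors)
10.142.142.0/24 dev green0 proto kernel scope link src 10.142.142.254
192.168.254.0/24 dev red0 proto kernel scope link src 192.168.254.253
192.168.254.254 dev red0 scope link
"""

ROUTE_ADD = re.compile(r"/sbin/ip route add (\S+) via (\S+)")
ROUTE_FAIL = re.compile(r"ERROR: Linux route add command failed")
WARNING = re.compile(r"WARNING: (.*)")


def _net(text):
    """Normalise a destination as `ip route` prints it ('default', host, or prefix) to a CIDR string."""
    if text == "default":
        text = "0.0.0.0/0"
    return str(ipaddress.ip_network(text, strict=False))  # host routes have no prefix length


def parse_ip_route(text):
    """Parse `ip route` output into dicts with dst (CIDR string), via (gateway or None) and dev."""
    routes = []
    for line in text.splitlines():
        line = line.split("(")[0].strip()  # drop annotations such as "(road warriors)"
        if not line:
            continue
        parts = line.split()
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append({"dst": _net(parts[0]), "via": via, "dev": dev})
    return routes


def failed_route_adds(log_lines):
    """Return (prefix, gateway) for every `ip route add` whose next log line reports a failure."""
    failures, pending = [], None
    for line in log_lines:
        m = ROUTE_ADD.search(line)
        if m:
            pending = (_net(m.group(1)), m.group(2))
        elif ROUTE_FAIL.search(line) and pending:
            failures.append(pending)
            pending = None
        else:
            pending = None  # only an immediately following ERROR line counts
    return failures


def conflicting_routes(failed, table):
    """For each failed add, list existing routes for the same prefix that use a different next hop."""
    return [
        {"prefix": prefix, "wanted_via": gw, "existing_via": r["via"], "existing_dev": r["dev"]}
        for prefix, gw in failed
        for r in table
        if r["dst"] == prefix and r["via"] != gw
    ]


def startup_warnings(log_lines):
    """Collect the text of every WARNING line OpenVPN printed during startup."""
    return [m.group(1) for line in log_lines if (m := WARNING.search(line))]


def triage(log_text, route_text):
    """Run all checks over one log and one routing table and return the findings as plain data."""
    lines = log_text.splitlines()
    failed = failed_route_adds(lines)
    return {
        "failed_adds": failed,
        "conflicts": conflicting_routes(failed, parse_ip_route(route_text)),
        "warnings": startup_warnings(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SERVER_LOG, SERVER_ROUTES).items():
        print(key, value)
```

On the posted data the script reports one failed add, 10.42.42.0/24 via 10.42.142.2, and one conflict: the same prefix already routed via 10.42.242.2 on tun0. A duplicate prefix is the usual reason `ip route add` exits with status 2, so the conflict list is the first thing to check before looking at the tunnel itself. Running the same function over the client log and table from the post yields no failed adds and no conflicts, which matches the client side having added 10.142.142.0/24 successfully.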