[plug] Working from home - VPN routers

Kevin Shackleton krshackleton at gmail.com
Sun Apr 12 10:46:55 AWST 2020


Thanks for playing around with this problem Ian.  Still - what else are we
all doing on the long weekend - Dunsborough?!  Not.

Is your router using DD-WRT or similar, that makes the client.ovpn and the
server_ovpn.cert files for the client?

The client.ovpn file (built by the ASUS router and not edited) starts with:

remote xxx.xxx.xxx.xxx 1194
float
nobind
proto udp
dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA256
cipher AES-256-CBC
remote-cert-tls server

followed by three certificates <ca>, <cert> and <key>, bound by ---BEGIN
CERTIFICATE---  . . ---END CERTIFICATE---.  I saved the inline certificates
to files including the bounds in order to use the Network Manager
configurator, though that's not needed for the command-line connection.

The guys wanted a TAP VPN (which CMIIW I understand as a bridging VPN
whereas a TUN is a routing VPN).  I'll try changing the config to a TUN and
see if my problems disappear . .

It's galling that it *just works* in the openvpn client compiled for
Windows but does not in Ubuntu 18.04.

Cheers,
Kevin.




On Sun, 12 Apr 2020 at 09:48, Ian Kent <raven at themaw.net> wrote:

> On Sat, 2020-04-11 at 13:18 +0800, Kevin Shackleton wrote:
> > I was assuming that sudo would run openvpn with adequate permissions
> >
> > Running from a root login results in the same output (specific
> > details x'd out):
> >
> > # openvpn --config /etc/openvpn/client.ovpn
> > Sat Apr 11 12:57:44 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL
> > (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on
> > May 14 2019
> > Sat Apr 11 12:57:44 2020 library versions: OpenSSL 1.1.1  11 Sep
> > 2018, LZO 2.08
> > Enter Auth Username: xxxxxx
> > Enter Auth Password: ********
> > Sat Apr 11 12:57:54 2020 TCP/UDP: Preserving recently used remote
> > address: [AF_INET]xxx.xxx.xxx.xxx:1194
> > Sat Apr 11 12:57:54 2020 UDP link local: (not bound)
> > Sat Apr 11 12:57:54 2020 UDP link remote:
> > [AF_INET]xxx.xxx.xxx.xxx:1194
> > Sat Apr 11 12:57:54 2020 WARNING: this configuration may cache
> > passwords in memory -- use the auth-nocache option to prevent this
> > Sat Apr 11 12:57:54 2020 [DSL-AC68U] Peer Connection Initiated with
> > [AF_INET]xxx.xxx.xxx.xxx:1194
> > Sat Apr 11 12:57:55 2020 TUN/TAP device tap0 opened
> > Sat Apr 11 12:57:55 2020 Initialization Sequence Completed
> > Sat Apr 11 12:58:56 2020 [DSL-AC68U] Inactivity timeout (--ping-
> > restart), restarting
> > Sat Apr 11 12:58:56 2020 SIGUSR1[soft,ping-restart] received, process
> > restarting
> > Sat Apr 11 12:58:56 2020 SIGUSR1[soft,ping-restart] received, process
> > restarting
> > Sat Apr 11 12:59:01 2020 TCP/UDP: Preserving recently used remote
> > address: [AF_INET]xxx.xxx.xxx.xxx:1194
> > Sat Apr 11 12:59:01 2020 UDP link local: (not bound)
> > Sat Apr 11 12:59:01 2020 UDP link remote:
> > [AF_INET]xxx.xxx.xxx.xxx:1194
> > Sat Apr 11 12:59:01 2020 WARNING: 'link-mtu' is used inconsistently,
> > local='link-mtu 1582', remote='link-mtu 1602'
> > Sat Apr 11 12:59:01 2020 WARNING: 'cipher' is used inconsistently,
> > local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
> > Sat Apr 11 12:59:01 2020 WARNING: 'auth' is used inconsistently,
> > local='auth [null-digest]', remote='auth SHA256'
> > Sat Apr 11 12:59:01 2020 [DSL-AC68U] Peer Connection Initiated with
> > [AF_INET]xxx.xxx.xxx.xxx:1194
> > Sat Apr 11 12:59:02 2020 TUN/TAP device tap0 opened
> > Sat Apr 11 12:59:02 2020 Initialization Sequence Completed
> > Sat Apr 11 13:00:02 2020 [DSL-AC68U] Inactivity timeout (--ping-
> > restart), restarting
>
> So I thought I'd try enabling a VPN server on my router and see if
> I could connect to it from the ubuntu vpn. It's far from a sensible
> test since it's on the same LAN as the vpn server and a different
> router than you are using and likely a different firmware.
>
> I get quite a different result than you do:
>
> raven at sparky:~$ sudo openvpn --config /etc/openvpn/client1.ovpn
> Sun Apr 12 09:39:39 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)]
> [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
> Sun Apr 12 09:39:39 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO
> 2.08
> Enter Auth Username: raven
> Enter Auth Password: ******
> Sun Apr 12 09:39:46 2020 TCP/UDP: Preserving recently used remote address:
> [AF_INET]118.209.191.183:1194
> Sun Apr 12 09:39:46 2020 UDP link local: (not bound)
> Sun Apr 12 09:39:46 2020 UDP link remote: [AF_INET]118.209.191.183:1194
> Sun Apr 12 09:39:46 2020 WARNING: this configuration may cache passwords
> in memory -- use the auth-nocache option to prevent this
> Sun Apr 12 09:39:46 2020 [RT-AX88U] Peer Connection Initiated with
> [AF_INET]192.168.1.1:1194
> Sun Apr 12 09:39:47 2020 TUN/TAP device tun0 opened
> Sun Apr 12 09:39:47 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> Sun Apr 12 09:39:47 2020 /sbin/ip link set dev tun0 up mtu 1500
> Sun Apr 12 09:39:47 2020 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast
> 10.8.0.255
> Sun Apr 12 09:39:47 2020 Initialization Sequence Completed
>
> and ifconfig shows tun0 present, but I haven't checked if I have
> throughput or actual connectivity.
>
> Ian
>
>
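
Added example, not part of either poster's message: a small Python parser for OpenVPN client output like the two logs quoted in this thread. It collects the "used inconsistently" option warnings, counts --ping-restart timeouts, and lists devices that were opened without OpenVPN setting an address on them; the sample log is constructed from the lines above with the mail wrapping undone, and the function names are this example's own.

```python
import re

# Constructed sample: modelled on the client log quoted in this thread, mail line-wrapping undone.
SAMPLE_LOG = """\
Sat Apr 11 12:57:55 2020 TUN/TAP device tap0 opened
Sat Apr 11 12:57:55 2020 Initialization Sequence Completed
Sat Apr 11 12:58:56 2020 [DSL-AC68U] Inactivity timeout (--ping-restart), restarting
Sat Apr 11 12:59:01 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1602'
Sat Apr 11 12:59:01 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Sat Apr 11 12:59:01 2020 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Sat Apr 11 12:59:02 2020 TUN/TAP device tap0 opened
Sat Apr 11 12:59:02 2020 Initialization Sequence Completed
Sat Apr 11 13:00:02 2020 [DSL-AC68U] Inactivity timeout (--ping-restart), restarting
"""

MISMATCH = re.compile(r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
                      r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
DEVICE = re.compile(r"TUN/TAP device (\S+) opened")
ADDRESS = re.compile(r"/sbin/ip addr add dev (\S+) ")
TIMEOUT = "Inactivity timeout (--ping-restart)"

def analyse(log_text):
    # One pass over the log; each line is classified by the first pattern it matches.
    report = {"mismatches": {}, "devices": set(), "addressed": set(), "ping_restarts": 0, "completed": 0}
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            report["mismatches"][m["opt"]] = (m["local"], m["remote"])
        elif (d := DEVICE.search(line)):
            report["devices"].add(d[1])
        elif (a := ADDRESS.search(line)):
            report["addressed"].add(a[1])
        elif TIMEOUT in line:
            report["ping_restarts"] += 1
        elif "Initialization Sequence Completed" in line:
            report["completed"] += 1
    return report

def findings(report):
    out = []
    for opt, (local, remote) in sorted(report["mismatches"].items()):
        out.append(f"option mismatch {opt}: local={local!r} remote={remote!r}")
    for dev in sorted(report["devices"] - report["addressed"]):
        out.append(f"{dev} opened but no address set by OpenVPN")
    if report["completed"] and report["ping_restarts"] >= report["completed"]:
        out.append(f"tunnel restarted after every start ({report['ping_restarts']} ping-restart timeouts)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(analyse(SAMPLE_LOG))))
```
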