Posts: 5 | Thanked: 0 times | Joined on Mar 2010
#1
Hi,
I'm trying to run OpenVPN on my N900. My WLAN router has the IP address 192.168.178.1 and works in the range 255.255.255.0. Unfortunately it returns this error:

route: SIOCADDRT: Network is unreachable

I don't really know how to understand this error or how I can solve it. Anybody with an idea?

My Server config is:

Code:
#  OpenVPN 2.1 Config, Sat Jan  1 01:00:58 CET 2000
proto udp
dev tap0
ca /tmp/flash/ca.crt
cert /tmp/flash/box.crt
key /tmp/flash/box.key
dh /tmp/flash/dh.pem
tls-server
port 443
push "redirect-gateway"
mode server
ifconfig-pool 192.168.179.10 192.168.179.20
push "route 192.168.179.0 255.255.255.0"
client-to-client
ifconfig 192.168.179.0 255.255.255.0
push "route-gateway 192.168.179.0"
push "route 192.168.178.0 255.255.255.0"
max-clients 10
client-to-client
tun-mtu 1500
mssfix
verb 3
daemon
cipher AES-256-CBC
comp-lzo
keepalive 10 120
My client config is:
Code:
client
dev tap
proto udp
remote 192.168.178.1 443
resolv-retry infinite
nobind
ca /home/user/MyDocs/ca.crt
cert /home/user/MyDocs/client01.crt
key /home/user/MyDocs/client01.key
cipher AES-256-CBC
redirect-gateway
comp-lzo
verb 3
The client output:
Code:
Mon Mar 29 13:20:06 2010 OpenVPN 2.1_rc20 arm-unknown-linux-gnueabi [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on Nov 29 2009
Mon Mar 29 13:20:06 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 29 13:20:06 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 29 13:20:06 2010 WARNING: file '/home/user/MyDocs/client01.key' is group or others accessible
Mon Mar 29 13:20:06 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Mon Mar 29 13:20:06 2010 ******* WARNING *******: '/home/user/MyDocs/client01.key' cannot be verified as a non-vulnerable key. See 'man openssl-vulnkey' for details.
Mon Mar 29 13:20:06 2010 LZO compression initialized
Mon Mar 29 13:20:06 2010 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Mar 29 13:20:06 2010 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Mar 29 13:20:06 2010 Local Options hash (VER=V4): 'c6c7c21a'
Mon Mar 29 13:20:06 2010 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Mon Mar 29 13:20:06 2010 Socket Buffers: R=[65536->131072] S=[16384->131072]
Mon Mar 29 13:20:06 2010 UDPv4 link local: [undef]
Mon Mar 29 13:20:06 2010 UDPv4 link remote: [AF_INET]85.177.147.202:443
Mon Mar 29 13:20:06 2010 TLS: Initial packet from [AF_INET]85.177.147.202:443, sid=fe67f96e 9492761e
Mon Mar 29 13:20:07 2010 VERIFY OK: depth=1, /C=DE/ST=/L=/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Mon Mar 29 13:20:07 2010 VERIFY OK: depth=0, /C=DE/ST=CA/L=/O=Fort-Funston/CN=/emailAddress=me@myhost.mydomain
Mon Mar 29 13:20:09 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Mar 29 13:20:09 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 29 13:20:09 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Mar 29 13:20:09 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 29 13:20:09 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Mar 29 13:20:09 2010 [fritzbox] Peer Connection Initiated with [AF_INET]85.177.147.202:443
Mon Mar 29 13:20:11 2010 SENT CONTROL [fritzbox]: 'PUSH_REQUEST' (status=1)
Mon Mar 29 13:20:11 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route 192.168.179.0 255.255.255.0,route-gateway 192.168.179.0,route 192.168.178.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 192.168.179.10 255.255.255.0'
Mon Mar 29 13:20:11 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Mar 29 13:20:11 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Mar 29 13:20:11 2010 OPTIONS IMPORT: route options modified
Mon Mar 29 13:20:11 2010 OPTIONS IMPORT: route-related options modified
Mon Mar 29 13:20:11 2010 ROUTE default_gateway=192.168.178.1
Mon Mar 29 13:20:11 2010 TUN/TAP device tap0 opened
Mon Mar 29 13:20:11 2010 TUN/TAP TX queue length set to 100
Mon Mar 29 13:20:11 2010 /sbin/ifconfig tap0 192.168.179.10 netmask 255.255.255.0 mtu 1500 broadcast 192.168.179.255
Mon Mar 29 13:20:11 2010 /sbin/route add -net 85.177.147.202 netmask 255.255.255.255 gw 192.168.178.1
Mon Mar 29 13:20:11 2010 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Mon Mar 29 13:20:11 2010 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.179.0
route: SIOCADDRT: Network is unreachable
Mon Mar 29 13:20:11 2010 ERROR: Linux route add command failed: external program exited with error status: 1
Mon Mar 29 13:20:11 2010 /sbin/route add -net 192.168.179.0 netmask 255.255.255.0 gw 192.168.179.0
route: SIOCADDRT: Network is unreachable
Mon Mar 29 13:20:11 2010 ERROR: Linux route add command failed: external program exited with error status: 1
Mon Mar 29 13:20:11 2010 /sbin/route add -net 192.168.178.0 netmask 255.255.255.0 gw 192.168.179.0
route: SIOCADDRT: Network is unreachable
Mon Mar 29 13:20:11 2010 ERROR: Linux route add command failed: external program exited with error status: 1
Mon Mar 29 13:20:11 2010 Initialization Sequence Completed
Thank you a lot, pioupus
 
Posts: 18 | Thanked: 18 times | Joined on Oct 2009 @ Barcelona, Spain
#2
It seems you are suffering from this bug:
https://bugs.maemo.org/show_bug.cgi?id=7596

It has to do with the fact that you can't set the default route to a VPN connection without the workaround described in the bug report.

The easy way is to remove 'push "redirect-gateway"' from your server config and try again.
 
Posts: 5 | Thanked: 0 times | Joined on Mar 2010
#3
Yes.. what I did now is to disable that redirect option. Even though I would like to be able to use it.

But there are still some differences to that bug. The most important is that I'm still using the wlan0 interface.

Well, but even with the option disabled it's not possible to ping, for example, the server 192.168.179.0 when OpenVPN is activated. Ping gives me:
Code:
Nokia-N900:~# ping 192.168.179.0
PING 192.168.179.0 (192.168.179.0): 56 data bytes
^C
--- 192.168.179.0 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
Without OpenVPN that ping is no problem.


route tells me:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.178.0   *               255.255.255.0   U     0      0        0 wlan0
192.168.179.0   *               255.255.255.0   U     0      0        0 tap0
default         192.168.178.1   0.0.0.0         UG    0      0        0 wlan0
 
Posts: 18 | Thanked: 18 times | Joined on Oct 2009 @ Barcelona, Spain
#4
And if you disable the other 'push' lines in the server config too? I don't recall they are needed unless you want to route to other networks.. but in your case it's the same.
 
SubCore
Posts: 850 | Thanked: 626 times | Joined on Sep 2009 @ Vienna, Austria
#5
Originally Posted by pioupus
route tells me:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.178.0   *               255.255.255.0   U     0      0        0 wlan0
192.168.179.0   *               255.255.255.0   U     0      0        0 tap0
default         192.168.178.1   0.0.0.0         UG    0      0        0 wlan0
Your default route still points to the wlan0 interface.

Did you include the script from comment #9 in that bug?

You have to download the attachment, save it on the device, make it executable (chmod +x), and change every occurrence of "gprs0" to "wlan0" if you want to use it over WLAN.

The script in that attachment will update the routing table on every IP address change, so that only the next hop over GPRS (in your case WLAN) will actually be routed over that interface, and the default route points to tap0 (your VPN interface).

Disclaimer: I have my own script, so I don't know for sure if the script in that attachment I linked to actually works *g*
__________________
"What we perceive is not nature itself, but nature exposed to our method of questioning."
-- Werner Karl Heisenberg
 
Posts: 1,208 | Thanked: 1,028 times | Joined on Oct 2007
#6
redirect-gateway works with the wlan0 interface. But when you are on the same network as the server you have to add the "local" flag ("redirect-gateway local"). It's also recommended to use the "def1" flag. See the OpenVPN man page http://openvpn.net/index.php/open-so...penvpn-21.html
 
Posts: 5 | Thanked: 0 times | Joined on Mar 2010
#7
My server conf is now like this:
Code:
#  OpenVPN 2.1 Config, Mon Mar 29 18:09:59 CEST 2010
proto udp
dev tap0
ca /tmp/flash/ca.crt
cert /tmp/flash/box.crt
key /tmp/flash/box.key
dh /tmp/flash/dh.pem
tls-server
port 443
mode server
ifconfig-pool 192.168.179.10 192.168.179.20
push "route 192.168.179.0 "
ifconfig 192.168.179.0 255.255.255.0
push "route-gateway 192.168.179.0"
max-clients 10
tun-mtu 1500
mssfix
verb 3
daemon
cipher AES-256-CBC
comp-lzo
keepalive 10 120
I don't know how to delete my push routes from that config because it's made automatically by a freetz GUI. But yes, it seems I don't have that problem anymore. It doesn't say anymore that the network is unreachable if I do it via wlan0 or gprs0. But well, it is still like this that I can't use any IP of the VPN.

The script I already tried, but it didn't help.

Code:
Mon Mar 29 18:17:18 2010 OpenVPN 2.1_rc20 arm-unknown-linux-gnueabi [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on Nov 29 2009
Mon Mar 29 18:17:18 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 29 18:17:18 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 29 18:17:18 2010 WARNING: file '/home/user/MyDocs/client01.key' is group or others accessible
Mon Mar 29 18:17:18 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Mon Mar 29 18:17:18 2010 ******* WARNING *******: '/home/user/MyDocs/client01.key' cannot be verified as a non-vulnerable key. See 'man openssl-vulnkey' for details.
Mon Mar 29 18:17:18 2010 LZO compression initialized
Mon Mar 29 18:17:18 2010 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Mar 29 18:17:18 2010 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Mar 29 18:17:18 2010 Local Options hash (VER=V4): 'c6c7c21a'
Mon Mar 29 18:17:18 2010 Expected Remote Options hash (VER=V4): '1a6d5c5d'
Mon Mar 29 18:17:18 2010 Socket Buffers: R=[65536->131072] S=[16384->131072]
Mon Mar 29 18:17:18 2010 UDPv4 link local: [undef]
Mon Mar 29 18:17:18 2010 UDPv4 link remote: [AF_INET]85.177.145.128:443
Mon Mar 29 18:17:18 2010 TLS: Initial packet from [AF_INET]85.177.145.128:443, sid=2bef8764 02f530d7
Mon Mar 29 18:17:19 2010 VERIFY OK: depth=1, /C=DE/ST=Hamburg/L=Hamburg/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Mon Mar 29 18:17:19 2010 VERIFY OK: depth=0, /C=DE/ST=CA/L=Hamburg/O=Fort-Funston/CN=fritzbox/emailAddress=me@myhost.mydomain
Mon Mar 29 18:17:20 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Mar 29 18:17:20 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 29 18:17:20 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Mar 29 18:17:20 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 29 18:17:20 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Mar 29 18:17:20 2010 [fritzbox] Peer Connection Initiated with [AF_INET]85.177.145.128:443
Mon Mar 29 18:17:22 2010 SENT CONTROL [fritzbox]: 'PUSH_REQUEST' (status=1)
Mon Mar 29 18:17:23 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.179.0 ,route-gateway 192.168.179.0,ping 10,ping-restart 120,ifconfig 192.168.179.10 255.255.255.0'
Mon Mar 29 18:17:23 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Mar 29 18:17:23 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Mar 29 18:17:23 2010 OPTIONS IMPORT: route options modified
Mon Mar 29 18:17:23 2010 OPTIONS IMPORT: route-related options modified
Mon Mar 29 18:17:23 2010 ROUTE default_gateway=192.168.178.1
Mon Mar 29 18:17:23 2010 TUN/TAP device tap0 opened
Mon Mar 29 18:17:23 2010 TUN/TAP TX queue length set to 100
Mon Mar 29 18:17:23 2010 /sbin/ifconfig tap0 192.168.179.10 netmask 255.255.255.0 mtu 1500 broadcast 192.168.179.255
Mon Mar 29 18:17:23 2010 OpenVPN ROUTE: omitted no-op route: 192.168.179.0/255.255.255.255 -> 192.168.179.0
Mon Mar 29 18:17:23 2010 Initialization Sequence Completed
If I do a ping to 192.168.179.0 it just returns nothing. And this while the VPN is in a different address range than my WLAN. My WLAN works in 192.168.178.10/255.255.255.0 while the VPN is in 192.168.179.10/255.255.255.0.

ifconfig returns
Code:
tap0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX  
          inet addr:192.168.179.10  Bcast:192.168.179.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:386 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:20180 (19.7 KiB)  TX bytes:1341 (1.3 KiB)
Maybe there are already some guys out there who have successfully set up an OpenVPN network on the N900? Because like this it is quite useless, and I can't imagine that it is not possible to access my LAN from outside via VPN.

Greetings,
pioupus

Last edited by pioupus; 2010-03-29 at 17:17.
 
SubCore
Posts: 850 | Thanked: 626 times | Joined on Sep 2009 @ Vienna, Austria
#8
I can show you my (very unprofessional) config, but I did some things differently - for one, on my OpenVPN server I have created a bridge so that the VPN clients are in the "normal" LAN, without the need for additional NAT or similar.

This is how I create the bridge on the VPN server on startup:
Code:
openvpn --mktun --dev tap0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up   
ifconfig eth0 0.0.0.0 promisc up
ifconfig br0 <eth_ip> netmask <eth_netmask> broadcast <eth_broadcast> up
route add default gw <eth_gateway> dev br0
My server.conf:
Code:
port 1194
proto tcp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ceres.crt
key /etc/openvpn/easy-rsa/keys/ceres.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem 
ifconfig-pool-persist ipp.txt
server-bridge <eth_ip> <eth_broadcast> <eth_vpnpoolstart> <eth_vpnpoolend>
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
daemon
Client config:
Code:
client
dev tap
proto tcp
remote <vpn_server_ip> 1194
# resolv-retry infinite
nobind
pkcs12 /etc/openvpn/<certificate_file>
ns-cert-type server
comp-lzo
verb 3
up /etc/openvpn/vpnroute_start.sh
down /etc/openvpn/vpnroute_stop.sh
script-security 2
And the vpnroute_start script:
Code:
#!/bin/sh
route add -host <vpn_server_ip> dev gprs0
route del default dev gprs0
route add default gw <eth_gateway> dev tap0
echo nameserver <eth_nameserver> > /etc/resolv.conf
vpnroute_stop.sh is similar:
Code:
#!/bin/sh
route del -host <vpn_server_ip> dev gprs0
route add default dev gprs0
echo nameserver 127.0.0.1 > /etc/resolv.conf
It's not very flexible (yes, the internal gateway/nameserver of the target network are inside that client script), and editing resolv.conf on the N900 is not really recommended, but it works and I only need this one VPN connection.
In the unlikely case I need another one, I'll just copy and edit the files *g*
But maybe it can help you.
 
Posts: 5 | Thanked: 0 times | Joined on Mar 2010
#9
When I do this:
Code:
route add default gw <eth_gateway> dev tap0
it tells me
Code:
route: SIOCADDRT: Network is unreachable
It really seems kind of strange.

Does anybody have an idea?
 
SubCore
Posts: 850 | Thanked: 626 times | Joined on Sep 2009 @ Vienna, Austria
#10
Originally Posted by pioupus
When I do this:
Code:
route add default gw <eth_gateway> dev tap0
it tells me
Code:
route: SIOCADDRT: Network is unreachable
It really seems kind of strange.

Does anybody have an idea?
I assume you don't actually use "<eth_gateway>", but its IP address in the command.
Is tap0 already set up and active? You should be able to ping the eth_gateway once OpenVPN has started the tap0 interface.

Also, in your original config, you have different nets for your LAN and your OpenVPN clients. If your eth_gateway is in a different subnet than your OpenVPN clients, you have to set the route to that subnet first.
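Two points in this thread can be checked before touching the real routing table: reply #10's rule that a gateway must sit inside a subnet the kernel already reaches directly (otherwise SIOCADDRT fails with "Network is unreachable"), and reply #6's "redirect-gateway" flags, which decide whether OpenVPN adds a host route to the server and whether it replaces the default route (the sequence in the first log) or overrides it with two /1 routes. The script below is an added example written for this page, not code from any poster or from OpenVPN. The routing table it parses is the one posted in reply #3; the gateway 10.8.0.1 and the VPN gateway 192.168.179.1 are assumed values chosen for the demo.

```shell
#!/bin/sh
# vpn_route_check.sh (added example, not from the thread)
#   gw_reachable          - will "route add ... gw GATEWAY" be accepted?  Linux
#                           only accepts a gateway that lies inside a directly
#                           connected (gateway-less) route; otherwise SIOCADDRT
#                           fails with "Network is unreachable" (ENETUNREACH).
#   redirect_gateway_plan - which route commands OpenVPN 2.1's "redirect-gateway"
#                           translates to with the def1 / local flags.
# POSIX sh; no external tools beyond the shell.

# ip2int DOTTED_QUAD -> unsigned 32-bit integer (subshell keeps the IFS change local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet IP NET MASK -> exit 0 when IP belongs to NET/MASK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq \
      $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# gw_reachable GATEWAY   (routing table in "route" or "route -n" format on stdin)
# Exit 0 and name the covering route when GATEWAY is on-link, exit 1 otherwise.
gw_reachable() {
    gw=$1
    while read -r dest via mask rest; do
        case "$dest" in Kernel|Destination|"") continue ;; esac
        if [ "$dest" = default ]; then dest=0.0.0.0; fi
        # A route that itself goes through a gateway cannot resolve a next hop.
        case "$via" in 0.0.0.0|'*') ;; *) continue ;; esac
        if in_subnet "$gw" "$dest" "$mask"; then
            echo "$gw is on-link via $dest/$mask: route add ... gw $gw will be accepted"
            return 0
        fi
    done
    echo "$gw is not on any directly connected subnet: route add ... gw $gw would fail with ENETUNREACH"
    return 1
}

# redirect_gateway_plan SERVER_IP OLD_GW VPN_GW "FLAGS"
# Prints the route commands for "redirect-gateway [flags]":
#   (no flag) replace the default route, as in the first log of this thread
#   def1      add 0.0.0.0/1 and 128.0.0.0/1 instead of deleting the default
#   local     omit the host route to the server (server is on the same LAN)
redirect_gateway_plan() {
    server=$1; old_gw=$2; vpn_gw=$3; flags=$4
    case " $flags " in
        *" local "*) ;;
        *) echo "route add -host $server gw $old_gw" ;;
    esac
    case " $flags " in
        *" def1 "*)
            echo "route add -net 0.0.0.0 netmask 128.0.0.0 gw $vpn_gw"
            echo "route add -net 128.0.0.0 netmask 128.0.0.0 gw $vpn_gw" ;;
        *)
            echo "route del -net 0.0.0.0 netmask 0.0.0.0"
            echo "route add -net 0.0.0.0 netmask 0.0.0.0 gw $vpn_gw" ;;
    esac
}

# --- demo on constructed data: the table posted in reply #3 ---
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.178.0   *               255.255.255.0   U     0      0        0 wlan0
192.168.179.0   *               255.255.255.0   U     0      0        0 tap0
default         192.168.178.1   0.0.0.0         UG    0      0        0 wlan0'

echo "$SAMPLE_TABLE" | gw_reachable 192.168.178.1          # on-link via wlan0
echo "$SAMPLE_TABLE" | gw_reachable 10.8.0.1 || :          # assumed off-subnet gateway: rejected
echo "--- redirect-gateway def1 local, server on the same LAN (reply #6); VPN gateway assumed:"
redirect_gateway_plan 192.168.178.1 192.168.178.1 192.168.179.1 "def1 local"
```

Pipe the device's own `route` output into `gw_reachable` with the gateway you are about to use; a nonzero exit means the `route add` will fail the way the first log shows, and the missing piece is a route to the gateway's subnet on the right interface. The plan function only prints; it does not modify anything.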
 