OpenVPN client shuts down on server error

**NewtownGal** · March 26th, 2009, 11:02 AM

Hello,

I'm newbie to OpenVPN, but I've read a zillion OpenVPN posts and how-to's, and the manual, and I still can't solve these three problems. I'm running the latest OpenVPN 2 on Linux Ubuntu 8.04.1 LTS server.

The problems, which are related, are:

1) How do I keep the OpenVPN client from exiting due to a server configuration error ?

2) How do I set a static VPN IP address for each client ? There seems to be a mixup in whether a second parameter for ifconfig is a netmask or an IP addess.

3) Do I need to have a route command for the ccd section for the server, when the route is implied by the address range 10.8.0.0 255.255.255.0 given for the server ?

How do I keep the client running no matter what ? An error on the server's configuration shouldn't stop the client from trying to connect forever. The client seems to give up and stop trying to reach the server after a while.

Here's the error that I'm getting from syslog on the B-client, whose machine name is U8W. The name of the server is U8S:

.......................

Mar 25 18:15:15 U8S ovpn-B-client[4729]: SENT CONTROL [U8W]: 'PUSH_REQUEST' (status=1)
Mar 25 18:15:15 U8S ovpn-B-client[4729]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.17 255.255.255.0'
Mar 25 18:15:15 U8S ovpn-B-client[4729]: OPTIONS IMPORT: timers and/or timeouts modified
Mar 25 18:15:15 U8S ovpn-B-client[4729]: OPTIONS IMPORT: --ifconfig/up options modified
Mar 25 18:15:15 U8S ovpn-B-client[4729]: OPTIONS IMPORT: route options modified
Mar 25 18:15:15 U8S ovpn-B-client[4729]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Mar 25 18:15:15 U8S kernel: [ 54.873973] tun: Universal TUN/TAP device driver, 1.6
Mar 25 18:15:15 U8S kernel: [ 54.873988] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mar 25 18:15:15 U8S ovpn-B-client[4729]: TUN/TAP device tun0 opened
Mar 25 18:15:15 U8S ovpn-B-client[4729]: TUN/TAP TX queue length set to 100
Mar 25 18:15:15 U8S ovpn-B-client[4729]: ifconfig tun0 10.8.0.17 pointopoint 255.255.255.0 mtu 1500
Mar 25 18:15:15 U8S ovpn-B-client[4729]: Linux ifconfig failed: shell command exited with error status: 1
Mar 25 18:15:15 U8S ovpn-B-client[4729]: Exiting

...............

There's a number of messages just like the one above, and then they stop.

Here's my B-client.conf:

.....................

client
dev tun
proto udp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/B-client.crt
key /etc/openvpn/keys/B-client.key
verb 3
mute 20

...................

Here's my server.conf. I want many clients who talk to a server. The clients don't need to talk to each other. There aren't any subnets behind any of the machines. I want to talk to the server via the Internet, and for those communications to be fed through the server through the vpn to the clients. The clients can also talk individually to the Internet:

......................

local 192.168.192.126
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 6
mute 20

...................

Here's /etc/openvpn/ccr/B-client. I want this client to have a static IP address of 10.8.0.10 within the vpn, but it's getting .17 as you can see from syslog:

.....................

ifconfig-push 10.8.0.1 10.8.0.10

......................

Any suggestions ?

Thank you.

-- NewtownGal

**GroundZero3** · March 26th, 2009, 11:15 AM

I could never get Static DHCP addresses working

but you might want to check this out

Putting OpenVPN in its place | The Fugue

Your best bet is probably have a third party DHCP server do the addressing

How do I keep the client running no matter what ? An error on the server's configuration shouldn't stop the client from trying to connect forever. The client seems to give up and stop trying to reach the server after a while.

If the server is not setup right, the client can not complete the connection. That is how most software works espically when it comes to security and vpns. If they aren't setup correctly they will not connect!

3) Do I need to have a route command for the ccd section for the server, when the route is implied by the address range 10.8.0.0 255.255.255.0 given for the server ?

If the servers are on a different subnet, yes you will need the route command for that subnet on the server.

**NewtownGal** · March 26th, 2009, 03:27 PM

Thank you, GroundZero3, for the quick reply.

I must correct one error that I made... The OpenVPN client, does, in fact, keep trying to connect to the server. Sorry about that error.

I'd be happy to manually assign static vpn IP addresses to the clients, and to have them on the same subnet as the server. That's what I was trying to do with the client files in /etc/openvpn/ccd, of the form ifconfig-push <server vpn IP address> <client vpn IP address>. But the server is choosing its own vpn IP address and sending it to the clients (I've tried this with more than one), and I'm getting a netmask error on the client.

I don't need DHCP.

Any suggestions how to setup the static vpn IP addresses for the clients ???

Thank you.

-- NewtownGal