* [gentoo-user] openvpn static ip
From: Joseph @ 2010-02-25 1:32 UTC
To: gentoo-user
I've configured OpenVPN and it works OK but I cannot seem to figure out how to assign a static IP to clients.
My server.conf:
port 8458
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.139.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth vpn_my.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
On client in /etc/openvpn/ccd directory I've created a file "syscon9" with:
ifconfig-push 192.168.139.15 192.168.139.1
This file is supposed to have a name from the client "CN"
client.conf
client
dev tun
proto udp
remote 68.148.245.78 8458
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca "/etc/openvpn/client/ca.crt"
cert "/etc/openvpn/client/syscon9.crt"
key "/etc/openvpn/client/syscon9.key"
tls-auth "/etc/openvpn/client/vpn.key" 1
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
--
Joseph
* Re: [gentoo-user] openvpn static ip
From: Albert Hopkins @ 2010-02-25 2:51 UTC
To: gentoo-user
On Wed, 2010-02-24 at 18:32 -0700, Joseph wrote:
> I've configured OpenVPN and it works OK but I can not seems to figure it out how to assign static IP to clients
Put this in your config:
client-config-dir client.d
And then in client.d/ have a file for each client, e.g.
# cat client.d/client
ifconfig-push 192.168.0.4 192.168.0.1
* Re: [gentoo-user] openvpn static ip
From: Joseph @ 2010-02-25 3:37 UTC
To: gentoo-user
On 02/24/10 21:51, Albert Hopkins wrote:
>On Wed, 2010-02-24 at 18:32 -0700, Joseph wrote:
>> I've configured OpenVPN and it works OK but I can not seems to figure it out how to assign static IP to clients
>
>Put this your config config:
>
> client-config-dir client.d
>
>And then in client.d/ have a file for each client, e.g.
>
> # cat client.d/client
> ifconfig-push 192.168.0.4 192.168.0.1
The directory name shouldn't make any difference, I'm using directory name "ccd"; though I've tried the IP's you suggested, it makes no difference, still
not getting static IP :-/
Thanks for suggestion, I've been on it all day and can not find the solution.
--
Joseph
* Re: [gentoo-user] openvpn static ip
From: Xavier Parizet @ 2010-02-25 7:40 UTC
To: gentoo-user
On 02/25/2010 02:32 AM, Joseph wrote:
> I've configured OpenVPN and it works OK but I can not seems to figure it
> out how to assign static IP to clients
>
> My server.conf port 8458
> proto udp
> dev tun
> mode server
> ca /usr/share/openvpn/easy-rsa/keys/ca.crt
> cert /usr/share/openvpn/easy-rsa/keys/server.crt
> key /usr/share/openvpn/easy-rsa/keys/server.key
> dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
> server 192.168.139.0 255.255.255.0
> client-to-client
> ifconfig-pool-persist ipp.txt
> client-config-dir ccd
> keepalive 10 120
> tls-auth vpn_my.key 0
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1200
> duplicate-cn
> comp-lzo
> max-clients 100
> persist-key
> persist-tun
> status openvpn-status.log
> log /var/log/openvpn.log
> log-append /var/log/openvpn.log
> verb 3
>
> On client in /etc/openvpn/ccd directory I've created a file "syscon9" with:
> ifconfig-push 192.168.139.15 192.168.139.1
Hmmm... 192.168.139.1 does not seem to be a remote netmask, does it?
man openvpn tells me the following for ifconfig-push:
--ifconfig-push local remote-netmask
so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
above in the ccd directory.
If it doesn't work, then please post the openvpn.log of the client.
> This file suppose to have a name from client "CN"
>
> client.conf
> client
> dev tun
> proto udp
> remote 68.148.245.78 8458
> resolv-retry infinite
> nobind
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1200
> persist-key
> persist-tun
> remote-cert-tls server
> ca "/etc/openvpn/client/ca.crt"
> cert "/etc/openvpn/client/syscon9.crt"
> key "/etc/openvpn/client/syscon9.key"
> tls-auth "/etc/openvpn/client/vpn.key" 1
> comp-lzo
> log /var/log/openvpn.log
> log-append /var/log/openvpn.log
> verb 3
--
Xavier Parizet
YaGB : http://gentooist.com
GPG : C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF
* Re: [gentoo-user] openvpn static ip
From: Albert Hopkins @ 2010-02-25 11:56 UTC
To: gentoo-user
On Wed, 2010-02-24 at 20:37 -0700, Joseph wrote:
> The directory name shouldn't make any difference, I'm using directory
> name "ccd"; though I've tried the IP's you suggested, it makes no
> difference, still
> not getting static IP :-/
>
> Thanks for suggestion, I've been on it all day and can not find the
> solution.
Yeah I know the directory name is arbitrary, I was only giving you the
example that works for me.
Not sure why it doesn't work for you. Do the file names match up with
the DNs (check the logs)?
-a
* Re: [gentoo-user] openvpn static ip
From: Joseph @ 2010-02-25 16:51 UTC
To: gentoo-user
On 02/25/10 08:40, Xavier Parizet wrote:
>On 02/25/2010 02:32 AM, Joseph wrote:
>> I've configured OpenVPN and it works OK but I can not seems to figure it
>> out how to assign static IP to clients
>>
>> My server.conf port 8458
>> proto udp
>> dev tun
>> mode server
>> ca /usr/share/openvpn/easy-rsa/keys/ca.crt
>> cert /usr/share/openvpn/easy-rsa/keys/server.crt
>> key /usr/share/openvpn/easy-rsa/keys/server.key
>> dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
>> server 192.168.139.0 255.255.255.0
>> client-to-client
>> ifconfig-pool-persist ipp.txt
>> client-config-dir ccd
>> keepalive 10 120
>> tls-auth vpn_my.key 0
>> tun-mtu 1500
>> tun-mtu-extra 32
>> mssfix 1200
>> duplicate-cn
>> comp-lzo
>> max-clients 100
>> persist-key
>> persist-tun
>> status openvpn-status.log
>> log /var/log/openvpn.log
>> log-append /var/log/openvpn.log
>> verb 3
>>
>> On client in /etc/openvpn/ccd directory I've created a file "syscon9" with:
>> ifconfig-push 192.168.139.15 192.168.139.1
>
>Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ?
>man openvpn tell me the following for ifconfig-push:
>--ifconfig-push local remote-netmask
>
>so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
>above in the ccd directory.
>
>If it doesn't work, then please post the openvpn.log of the client.
I've tried it many times, it doesn't work with the netmask.
File: syscon9 from ccd:
cat syscon9
ifconfig-push 192.168.0.15 255.255.255.0
log file from the client:
cat /var/log/openvpn.log
Thu Feb 25 09:47:17 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jan 16 2010
Thu Feb 25 09:47:17 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 25 09:47:17 2010 Control Channel Authentication: using '/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file
Thu Feb 25 09:47:17 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 09:47:17 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 09:47:17 2010 LZO compression initialized
Thu Feb 25 09:47:17 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 09:47:17 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 09:47:17 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 09:47:17 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 09:47:17 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Feb 25 09:47:17 2010 UDPv4 link local: [undef]
Thu Feb 25 09:47:17 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 09:47:17 2010 TLS: Initial packet from 208.38.31.237:9000, sid=7d5fc404 0c60dcb5
Thu Feb 25 09:47:17 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Thu Feb 25 09:47:17 2010 Validating certificate key usage
Thu Feb 25 09:47:17 2010 ++ Certificate has key usage 00a0, expects 00a0
Thu Feb 25 09:47:17 2010 VERIFY KU OK
Thu Feb 25 09:47:17 2010 Validating certificate extended key usage
Thu Feb 25 09:47:17 2010 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 25 09:47:17 2010 VERIFY EKU OK
Thu Feb 25 09:47:17 2010 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Thu Feb 25 09:47:18 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 09:47:18 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 09:47:18 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 09:47:18 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 09:47:18 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 25 09:47:18 2010 [server] Peer Connection Initiated with 208.38.31.237:9000
Thu Feb 25 09:47:19 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Feb 25 09:47:19 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.139.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.139.10 192.168.139.9'
Thu Feb 25 09:47:19 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 25 09:47:19 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 25 09:47:19 2010 OPTIONS IMPORT: route options modified
Thu Feb 25 09:47:19 2010 ROUTE default_gateway=10.0.0.1
Thu Feb 25 09:47:19 2010 TUN/TAP device tun0 opened
Thu Feb 25 09:47:19 2010 TUN/TAP TX queue length set to 100
Thu Feb 25 09:47:19 2010 /sbin/ifconfig tun0 192.168.139.10 pointopoint 192.168.139.9 mtu 1500
Thu Feb 25 09:47:19 2010 /etc/openvpn/up.sh tun0 1500 1574 192.168.139.10 192.168.139.9 init
Thu Feb 25 09:47:19 2010 /sbin/route add -net 192.168.139.0 netmask 255.255.255.0 gw 192.168.139.9
Thu Feb 25 09:47:19 2010 Initialization Sequence Completed
I got ip 192.168.139.10 not the 192.168.139.15 as requested in "ifconfig-push"
--
Joseph
* Re: [gentoo-user] openvpn static ip
From: Joseph @ 2010-02-25 16:52 UTC
To: gentoo-user
On 02/25/10 06:56, Albert Hopkins wrote:
>On Wed, 2010-02-24 at 20:37 -0700, Joseph wrote:
>> The directory name shouldn't make any difference, I'm using directory
>> name "ccd"; though I've tried the IP's you suggested, it makes no
>> difference, still
>> not getting static IP :-/
>>
>> Thanks for suggestion, I've been on it all day and can not find the
>> solution.
>
>Yeah I know the directory name is arbitrary, I was only giving you the
>example that works for me.
>
>Not sure why it doesn't work for you. Do the file names match up with
>the DNs (check the logs)?
>
>-a
Can you please post your server.conf and client.conf?
I'll compare it with mine maybe I'm missing something.
--
Joseph
* Re: [gentoo-user] openvpn static ip
From: Xavier Parizet @ 2010-02-25 17:12 UTC
To: gentoo-user
On 25/02/2010 17:51, Joseph wrote:
> On 02/25/10 08:40, Xavier Parizet wrote:
>> On 02/25/2010 02:32 AM, Joseph wrote:
>>> I've configured OpenVPN and it works OK but I can not seems to figure it
>>> out how to assign static IP to clients
>>>
>>> My server.conf port 8458
>>> [SNIP]
>>>
>>> On client in /etc/openvpn/ccd directory I've created a file "syscon9"
>>> with:
>>> ifconfig-push 192.168.139.15 192.168.139.1
>>
>> Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ?
>> man openvpn tell me the following for ifconfig-push:
>> --ifconfig-push local remote-netmask
>>
>> so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
>> above in the ccd directory.
>>
>> If it doesn't work, then please post the openvpn.log of the client.
>
> I've tried it many time, it doesn't work with the netmaks. File: syscon9
> from ccd:
> cat syscon9
> ifconfig-push 192.168.0.15 255.255.255.0
^^^
this is wrong (or maybe a typing mistake?)
If it's a typing mistake, then please post now server side log.
> [SNIP]
--
Xavier Parizet
YaGB : http://gentooist.com
GPG : C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF
* Re: [gentoo-user] openvpn static ip
From: Joseph @ 2010-02-25 19:20 UTC
To: gentoo-user
On 02/25/10 18:12, Xavier Parizet wrote:
>On 25/02/2010 17:51, Joseph wrote:
>> On 02/25/10 08:40, Xavier Parizet wrote:
>>> On 02/25/2010 02:32 AM, Joseph wrote:
>>>> I've configured OpenVPN and it works OK but I can not seems to figure it
>>>> out how to assign static IP to clients
>>>>
>>>> My server.conf port 8458
>>>> [SNIP]
>>>>
>>>> On client in /etc/openvpn/ccd directory I've created a file "syscon9"
>>>> with:
>>>> ifconfig-push 192.168.139.15 192.168.139.1
>>>
>>> Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ?
>>> man openvpn tell me the following for ifconfig-push:
>>> --ifconfig-push local remote-netmask
>>>
>>> so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
>>> above in the ccd directory.
>>>
>>> If it doesn't work, then please post the openvpn.log of the client.
>>
>> I've tried it many time, it doesn't work with the netmaks. File: syscon9
>> from ccd:
>> cat syscon9
>> ifconfig-push 192.168.0.15 255.255.255.0
> ^^^
> this is wrong (or maybe a typing mistake?)
>
>If it's a typing mistake, then please post now server side log.
Yes, it was a typo :-/ I corrected it:
cat syscon9
ifconfig-push 192.168.139.15 255.255.255.0
but from log you can see it still didn't give me what I want, I got IP 192.168.139.6 and was asking for: 192.168.139.15
log:
cat /var/log/openvpn.log
Thu Feb 25 12:14:04 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jan 16 2010
Thu Feb 25 12:14:04 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 25 12:14:04 2010 Control Channel Authentication: using '/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file
Thu Feb 25 12:14:04 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 12:14:04 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 12:14:04 2010 LZO compression initialized
Thu Feb 25 12:14:04 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 12:14:04 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 12:14:04 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 12:14:04 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 12:14:04 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Feb 25 12:14:04 2010 UDPv4 link local: [undef]
Thu Feb 25 12:14:04 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 12:15:04 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 25 12:15:04 2010 TLS Error: TLS handshake failed
Thu Feb 25 12:15:04 2010 TCP/UDP: Closing socket
Thu Feb 25 12:15:04 2010 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 25 12:15:04 2010 Restart pause, 2 second(s)
Thu Feb 25 12:15:06 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 25 12:15:06 2010 Re-using SSL/TLS context
Thu Feb 25 12:15:06 2010 LZO compression initialized
Thu Feb 25 12:15:06 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 12:15:06 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 12:15:06 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 12:15:06 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 12:15:06 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Feb 25 12:15:06 2010 UDPv4 link local: [undef]
Thu Feb 25 12:15:06 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 12:16:06 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 25 12:16:06 2010 TLS Error: TLS handshake failed
Thu Feb 25 12:16:06 2010 TCP/UDP: Closing socket
Thu Feb 25 12:16:06 2010 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 25 12:16:06 2010 Restart pause, 2 second(s)
Thu Feb 25 12:16:08 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 25 12:16:08 2010 Re-using SSL/TLS context
Thu Feb 25 12:16:08 2010 LZO compression initialized
Thu Feb 25 12:16:08 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 12:16:08 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 12:16:08 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 12:16:08 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 12:16:08 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Feb 25 12:16:08 2010 UDPv4 link local: [undef]
Thu Feb 25 12:16:08 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 12:16:25 2010 TLS: Initial packet from 208.38.31.237:9000, sid=9c654bbf 0689942b
Thu Feb 25 12:16:25 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Thu Feb 25 12:16:25 2010 Validating certificate key usage
Thu Feb 25 12:16:25 2010 ++ Certificate has key usage 00a0, expects 00a0
Thu Feb 25 12:16:25 2010 VERIFY KU OK
Thu Feb 25 12:16:25 2010 Validating certificate extended key usage
Thu Feb 25 12:16:25 2010 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 25 12:16:25 2010 VERIFY EKU OK
Thu Feb 25 12:16:25 2010 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Thu Feb 25 12:16:26 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 12:16:26 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 12:16:26 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 12:16:26 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 12:16:26 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 25 12:16:26 2010 [server] Peer Connection Initiated with 208.38.31.237:9000
Thu Feb 25 12:16:27 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Feb 25 12:16:27 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.139.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.139.6 192.168.139.5'
Thu Feb 25 12:16:27 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 25 12:16:27 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 25 12:16:27 2010 OPTIONS IMPORT: route options modified
Thu Feb 25 12:16:27 2010 ROUTE default_gateway=10.0.0.1
Thu Feb 25 12:16:27 2010 TUN/TAP device tun0 opened
Thu Feb 25 12:16:27 2010 TUN/TAP TX queue length set to 100
Thu Feb 25 12:16:27 2010 /sbin/ifconfig tun0 192.168.139.6 pointopoint 192.168.139.5 mtu 1500
Thu Feb 25 12:16:27 2010 /etc/openvpn/up.sh tun0 1500 1574 192.168.139.6 192.168.139.5 init
Thu Feb 25 12:16:27 2010 /sbin/route add -net 192.168.139.0 netmask 255.255.255.0 gw 192.168.139.5
Thu Feb 25 12:16:27 2010 Initialization Sequence Completed
--
Joseph
* Re: [gentoo-user] openvpn static ip
From: Etaoin Shrdlu @ 2010-02-25 20:01 UTC
To: gentoo-user
On Thursday 25 February 2010, Joseph wrote:
> Yes, it was a typo :-/ I corrected it:
> cat syscon9
> ifconfig-push 192.168.139.15 255.255.255.0
>
> but from log you can see it still didn't give me what I want, I got IP
> 192.168.139.6 and was asking for: 192.168.139.15
Try adding
topology subnet
to both client and server config.
* Re: [gentoo-user] openvpn static ip
From: Xavier Parizet @ 2010-02-25 20:09 UTC
To: gentoo-user
On 25/02/2010 20:20, Joseph wrote:
> On 02/25/10 18:12, Xavier Parizet wrote:
>> On 25/02/2010 17:51, Joseph wrote:
>>> On 02/25/10 08:40, Xavier Parizet wrote:
>>>> On 02/25/2010 02:32 AM, Joseph wrote:
>>>>> I've configured OpenVPN and it works OK but I can not seems to
>>>>> figure it
>>>>> out how to assign static IP to clients
>>>>>
>>>>> My server.conf port 8458
>>>>> [SNIP]
>>>>>
>>>>> On client in /etc/openvpn/ccd directory I've created a file "syscon9"
>>>>> with:
>>>>> ifconfig-push 192.168.139.15 192.168.139.1
>>>>
>>>> Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ?
>>>> man openvpn tell me the following for ifconfig-push:
>>>> --ifconfig-push local remote-netmask
>>>>
>>>> so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line
>>>> above in the ccd directory.
>>>>
>>>> If it doesn't work, then please post the openvpn.log of the client.
>>>
>>> I've tried it many time, it doesn't work with the netmaks. File: syscon9
>>> from ccd:
>>> cat syscon9
>>> ifconfig-push 192.168.0.15 255.255.255.0
>> ^^^
>> this is wrong (or maybe a typing mistake?)
>>
>> If it's a typing mistake, then please post now server side log.
>
> Yes, it was a typo :-/ I corrected it:
> cat syscon9
> ifconfig-push 192.168.139.15 255.255.255.0
>
> but from log you can see it still didn't give me what I want, I got IP
> 192.168.139.6 and was asking for: 192.168.139.15
>
> log:
> cat /var/log/openvpn.log
> [SNIP]
Ok. After re-re-reading the man page, try to add parameter topology
subnet to server config. If it still doesn't work, then _please_ post the
openvpn.log of the server side.
--
Xavier Parizet
YaGB : http://gentooist.com
GPG : C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF
* Re: [gentoo-user] openvpn static ip
From: Joseph @ 2010-02-25 21:01 UTC
To: gentoo-user
On 02/25/10 21:09, Xavier Parizet wrote:
[snip]
>> Yes, it was a typo :-/ I corrected it:
>> cat syscon9
>> ifconfig-push 192.168.139.15 255.255.255.0
>>
>> but from log you can see it still didn't give me what I want, I got IP
>> 192.168.139.6 and was asking for: 192.168.139.15
>>
>> log:
>> cat /var/log/openvpn.log
>> [SNIP]
>
>Ok. After re-re-reading the man page, try to add parameter topology
>subnet to server config. If it still don't work, then _please_ post the
>openvpn.log of the server side.
>
>--
> Xavier Parizet
>YaGB : http://gentooist.com
>GPG : C7DC B10E FC21 63BE
>B453 D239 F6E6 DF65 1569 91BF
>
I've added: topology subnet to both client and server conf but now when I try to disconnect and connect I'm getting consecutive IP's:
192.168.139.2
192.168.139.3
192.168.139.4
...
cat server.conf
port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
topology subnet
server 192.168.139.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth vpn_my.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
cat client_clinic2.conf
client
dev tun
proto udp
topology subnet
remote 208.38.31.237 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca "/etc/openvpn/client_clinic2/ca.crt"
cert "/etc/openvpn/client_clinic2/syscon9.crt"
key "/etc/openvpn/client_clinic2/syscon9.key"
tls-auth "/etc/openvpn/client_clinic2/vpn_my.key" 1
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
log file from client:
cat /var/log/openvpn.log
Thu Feb 25 13:50:30 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jan 16 2010
Thu Feb 25 13:50:30 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 25 13:50:30 2010 Control Channel Authentication: using '/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file
Thu Feb 25 13:50:30 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:30 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:30 2010 LZO compression initialized
Thu Feb 25 13:50:30 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 13:50:30 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 13:50:30 2010 Local Options hash (VER=V4): 'ec497616'
Thu Feb 25 13:50:30 2010 Expected Remote Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 13:50:30 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Feb 25 13:50:30 2010 UDPv4 link local: [undef]
Thu Feb 25 13:50:30 2010 UDPv4 link remote: 208.38.31.237:9000
Thu Feb 25 13:50:30 2010 TLS: Initial packet from 208.38.31.237:9000, sid=766f3e2f 0cf96857
Thu Feb 25 13:50:30 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Thu Feb 25 13:50:30 2010 Validating certificate key usage
Thu Feb 25 13:50:30 2010 ++ Certificate has key usage 00a0, expects 00a0
Thu Feb 25 13:50:30 2010 VERIFY KU OK
Thu Feb 25 13:50:30 2010 Validating certificate extended key usage
Thu Feb 25 13:50:30 2010 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 25 13:50:30 2010 VERIFY EKU OK
Thu Feb 25 13:50:30 2010 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:50:31 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 25 13:50:31 2010 [server] Peer Connection Initiated with 208.38.31.237:9000
Thu Feb 25 13:50:32 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Feb 25 13:50:32 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.139.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.139.2 255.255.255.0'
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: route-related options modified
Thu Feb 25 13:50:32 2010 TUN/TAP device tun0 opened
Thu Feb 25 13:50:32 2010 TUN/TAP TX queue length set to 100
Thu Feb 25 13:50:32 2010 /sbin/ifconfig tun0 192.168.139.2 netmask 255.255.255.0 mtu 1500 broadcast 192.168.139.255
Thu Feb 25 13:50:32 2010 /etc/openvpn/up.sh tun0 1500 1574 192.168.139.2 255.255.255.0 init
Thu Feb 25 13:50:32 2010 Initialization Sequence Completed
log file from server:
Thu Feb 25 13:56:12 2010 syscon9/68.148.245.78:55861 [syscon9] Inactivity timeout (--ping-restart), restarting
Thu Feb 25 13:56:12 2010 syscon9/68.148.245.78:55861 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Feb 25 13:56:57 2010 MULTI: multi_create_instance called
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Re-using SSL/TLS context
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 LZO compression initialized
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Local Options hash (VER=V4): '7cd8ed90'
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 Expected Remote Options hash (VER=V4): 'ec497616'
Thu Feb 25 13:56:57 2010 68.148.245.78:55868 TLS: Initial packet from 68.148.245.78:55868, sid=57c549f4 702a73f4
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=syscon9/emailAddress=me@myhost.mydomain
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 25 13:56:58 2010 68.148.245.78:55868 [syscon9] Peer Connection Initiated with 68.148.245.78:55868
Thu Feb 25 13:56:58 2010 syscon9/68.148.245.78:55868 MULTI: Learn: 192.168.139.3 -> syscon9/68.148.245.78:55868
Thu Feb 25 13:56:58 2010 syscon9/68.148.245.78:55868 MULTI: primary virtual IP for syscon9/68.148.245.78:55868: 192.168.139.3
Thu Feb 25 13:56:59 2010 syscon9/68.148.245.78:55868 PUSH: Received control message: 'PUSH_REQUEST'
Thu Feb 25 13:56:59 2010 syscon9/68.148.245.78:55868 SENT CONTROL [syscon9]: 'PUSH_REPLY,route-gateway 192.168.139.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.139.3 255.255.255.0' (status=1)
Thu Feb 25 13:57:02 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Thu Feb 25 13:57:12 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Why is the server log always showing this message: [ECONNREFUSED]: Connection refused (code=111)
--
Joseph
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] openvpn static ip
2010-02-25 21:01 ` Joseph
@ 2010-02-25 21:17 ` Xavier Parizet
2010-02-25 22:21 ` Joseph
2010-02-26 0:39 ` Joseph
0 siblings, 2 replies; 18+ messages in thread
From: Xavier Parizet @ 2010-02-25 21:17 UTC (permalink / raw
To: gentoo-user
On 25/02/2010 22:01, Joseph wrote:
> On 02/25/10 21:09, Xavier Parizet wrote:
> [snip]
>>> Yes, it was a typo :-/ I corrected it:
>>> cat syscon9
>>> ifconfig-push 192.168.139.15 255.255.255.0
>>>
>>> but from log you can see it still didn't give me what I want, I got IP
>>> 192.168.139.6 and was asking for: 192.168.139.15
>>>
>>> log:
>>> cat /var/log/openvpn.log
>>> [SNIP]
>>
>> Ok. After re-re-reading the man page, try to add parameter topology
>> subnet to server config. If it still don't work, then _please_ post the
>> openvpn.log of the server side.
>>
>
> I've added: topology subnet to both client and server conf but now when
> I try to disconnect and connect I'm getting consecutive IP's:
> 192.168.139.2
> 192.168.139.3
> 192.168.139.4
> ...
>
> cat server.conf
> port 9000
> proto udp
> dev tun
> mode server
> ca /usr/share/openvpn/easy-rsa/keys/ca.crt
> cert /usr/share/openvpn/easy-rsa/keys/server.crt
> key /usr/share/openvpn/easy-rsa/keys/server.key
> dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
> topology subnet
> server 192.168.139.0 255.255.255.0
> client-to-client
> ifconfig-pool-persist ipp.txt
> client-config-dir ccd
> keepalive 10 120
> tls-auth vpn_my.key 0
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1200
> duplicate-cn
> comp-lzo
> max-clients 100
> persist-key
> persist-tun
> status openvpn-status.log
> log /var/log/openvpn.log
> log-append /var/log/openvpn.log
> verb 3
>
> cat client_clinic2.conf
> client
> dev tun
> proto udp
> topology subnet
> remote 208.38.31.237 9000
> resolv-retry infinite
> nobind
^^^^^^
you should remove this line to avoid connection refused messages from
the server. As you are in udp, client should bind on udp source port to
get messages from the server.
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1200
> persist-key
> persist-tun
> remote-cert-tls server
> ca "/etc/openvpn/client_clinic2/ca.crt"
> cert "/etc/openvpn/client_clinic2/syscon9.crt"
> key "/etc/openvpn/client_clinic2/syscon9.key"
> tls-auth "/etc/openvpn/client_clinic2/vpn_my.key" 1
> comp-lzo
> log /var/log/openvpn.log
> log-append /var/log/openvpn.log
> verb 3
>
>
> log file from client:
>
> cat /var/log/openvpn.log
> [SNIP]
>
> Why is the server log always showing this message: [ECONNREFUSED]:
> Connection refused (code=111)
From what I can see, please try to add full path to the ccd directory in
client-config-dir directive on the server path. Also check permissions
on that directory. On which user are you running openvpn on the server ?
On the client ?
Can you increase verbosity and see if there is no open fails on the
server ? If it works, you should have the following line in server logs:
OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9
MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source]
--
Xavier Parizet
YaGB : http://gentooist.com
GPG : C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] openvpn static ip
2010-02-25 21:17 ` Xavier Parizet
@ 2010-02-25 22:21 ` Joseph
2010-02-26 7:34 ` Xavier Parizet
2010-02-26 0:39 ` Joseph
1 sibling, 1 reply; 18+ messages in thread
From: Joseph @ 2010-02-25 22:21 UTC (permalink / raw
To: gentoo-user
On 02/25/10 22:17, Xavier Parizet wrote:
[snip]
>> topology subnet
>> remote 208.38.31.237 9000
>> resolv-retry infinite
>> nobind
> ^^^^^^
> you should remove this line to avoid connection refused messages from
>the server. As you are in udp, client should bind on udp source port to
>get messages from the server.
I removed this one from client.conf
>
>> tun-mtu 1500
>> tun-mtu-extra 32
>> mssfix 1200
>> persist-key
>> persist-tun
>> remote-cert-tls server
>> ca "/etc/openvpn/client_clinic2/ca.crt"
>> cert "/etc/openvpn/client_clinic2/syscon9.crt"
>> key "/etc/openvpn/client_clinic2/syscon9.key"
>> tls-auth "/etc/openvpn/client_clinic2/vpn_my.key" 1
>> comp-lzo
>> log /var/log/openvpn.log
>> log-append /var/log/openvpn.log
>> verb 3
>>
>>
>> log file from client:
>>
>> cat /var/log/openvpn.log
>> [SNIP]
>>
>> Why is the server log always showing this message: [ECONNREFUSED]:
>> Connection refused (code=111)
>
>From what I can see, please try to add full path to the ccd directory in
>client-config-dir directive on the server path. Also check permissions
>on that directory. On which user are you running openvpn on the server ?
>On the client ?
>
>Can you increase verbosity and see if there is no open fails on the
>server ? If it works, you should have the following line in server logs:
>OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9
>MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source]
>
>--
> Xavier Parizet
>YaGB : http://gentooist.com
>GPG : C7DC B10E FC21 63BE
>B453 D239 F6E6 DF65 1569 91BF
>
I added full path to the server for ccd:
/etc/openvpn/ccd
Now I'm getting consistent IP: 192.168.139.2 every time I restart openvpn.client_clinic2
but I'm not getting what I requested in ccd/syscon9:
ifconfig-push 192.168.139.15 255.255.255.0
The client runs openvpn as user root,
the server runs openvpn as user openvpn.
--
Joseph
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] openvpn static ip
2010-02-25 21:17 ` Xavier Parizet
2010-02-25 22:21 ` Joseph
@ 2010-02-26 0:39 ` Joseph
2010-02-26 8:33 ` J. Roeleveld
1 sibling, 1 reply; 18+ messages in thread
From: Joseph @ 2010-02-26 0:39 UTC (permalink / raw
To: gentoo-user
On 02/25/10 22:17, Xavier Parizet wrote:
>From what I can see, please try to add full path to the ccd directory in
>client-config-dir directive on the server path. Also check permissions
>on that directory. On which user are you running openvpn on the server ?
>On the client ?
On client:
drwxr-xr-x 2 root root 4096 Feb 24 18:49 ccd
-rw-r--r-- 1 root root 45 Feb 25 12:13 syscon9
so this looks OK,
>Can you increase verbosity and see if there is no open fails on the
>server ? If it works, you should have the following line in server logs:
>OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9
>MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source]
I've increased verbosity on server to 9
but I cannot find any phrase in the server log file: "fails" "IMPORT"
but I've noticed this section on the server log:
...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0]
...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0]
...syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 -> syscon9/68.148.245.78:56172
If I change the directory to "ccd" the log just shows:
...syscon9/68.148.245.78:56172 TEST FILE 'ccd/syscon9' [0]
...syscon9/68.148.245.78:56172 TEST FILE 'ccd/DEFAULT' [0
--
Joseph
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] openvpn static ip
2010-02-25 22:21 ` Joseph
@ 2010-02-26 7:34 ` Xavier Parizet
0 siblings, 0 replies; 18+ messages in thread
From: Xavier Parizet @ 2010-02-26 7:34 UTC (permalink / raw
To: gentoo-user
On 02/25/2010 11:21 PM, Joseph wrote:
> On 02/25/10 22:17, Xavier Parizet wrote:
>> [snip]
>
> I added full path to the server for ccd:
> /etc/openvpn/ccd
>
> Now I'm getting consistent IP: 192.168.139.2 every time I restart
> openvpn.client_clinic2
> but I'm not getting what I requested in ccd/syscon9:
> ifconfig-push 192.168.139.15 255.255.255.0
retry ifconfig-push 192.168.139.15 192.168.139.1 .
Also post /etc/openvpn/ipp.txt content and try removing it and restart
openvpn server keep the full log level 4, and restart openvpn client,
keep the full log level 4.
I'm starting to be out of ideas ^^
> The client runs openvpn as user root,
> the server runs openvpn as user openvpn.
--
Xavier Parizet
YaGB : http://gentooist.com
GPG : C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [gentoo-user] openvpn static ip
2010-02-26 0:39 ` Joseph
@ 2010-02-26 8:33 ` J. Roeleveld
2010-02-26 15:13 ` [gentoo-user][SOLVED] " Joseph
0 siblings, 1 reply; 18+ messages in thread
From: J. Roeleveld @ 2010-02-26 8:33 UTC (permalink / raw
To: gentoo-user
On Friday 26 February 2010 01:39:55 Joseph wrote:
> On 02/25/10 22:17, Xavier Parizet wrote:
> >From what I can see, please try to add full path to the ccd directory in
> >client-config-dir directive on the server path. Also check permissions
> >on that directory. On which user are you running openvpn on the server ?
> >On the client ?
>
> On client:
> drwxr-xr-x 2 root root 4096 Feb 24 18:49 ccd
> -rw-r--r-- 1 root root 45 Feb 25 12:13 syscon9
>
> so this looks OK,
From this, it looks like the "syscon9" file is not in the ".../ccd/"
directory?
Also, isn't this file supposed to be on the server?
> >Can you increase verbosity and see if there is no open fails on the
> >server ? If it works, you should have the following line in server logs:
> >OPTIONS IMPORT: reading client specific options from: [path to
> > ccd]/syscon9 MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port
> > source]
>
> I've increased verbosity on server to 9
> but I cannot find any phrase in the server log file: "fails" "IMPORT"
>
> but I've noticed this section on the server log:
>
> ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0]
> ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0]
> ...syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 ->
> syscon9/68.148.245.78:56172
>
> If I change the directory to "ccd" the log just shows:
> ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/syscon9' [0]
> ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/DEFAULT' [0
This seems to indicate it can't actually find the file
"/etc/openvpn/ccd/syscon9"
This file needs to be located on the server, not on the client, as it's the
server that determines the IP-address for the client.
--
Joost
^ permalink raw reply [flat|nested] 18+ messages in thread
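An added example, not part of any message in this thread: a Python check that reads a high-verbosity server log and reports, per client CN, whether the server found its ccd file and whether the address it learned matches the one the ccd file is meant to push. The sample log is constructed from the lines quoted above; the timestamps, the second client `clinic3`, the `EXPECTED` table, and reading `[1]` as "file found" are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the server log lines quoted in the thread.
SAMPLE_LOG = """\
Fri Feb 26 08:00:01 2010 syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0]
Fri Feb 26 08:00:01 2010 syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0]
Fri Feb 26 08:00:01 2010 syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 -> syscon9/68.148.245.78:56172
Fri Feb 26 09:00:01 2010 clinic3/203.0.113.7:40000 TEST FILE '/etc/openvpn/ccd/clinic3' [1]
Fri Feb 26 09:00:01 2010 clinic3/203.0.113.7:40000 MULTI: Learn: 192.168.139.20 -> clinic3/203.0.113.7:40000
"""
# Address each client's ccd file is supposed to push (clinic3 is a made-up client).
EXPECTED = {"syscon9": "192.168.139.15", "clinic3": "192.168.139.20"}

TEST_RE = re.compile(r"(?P<cn>[^\s/]+)/\S+ TEST FILE '(?P<path>[^']+)' \[(?P<found>[01])\]")
LEARN_RE = re.compile(r"MULTI: Learn: (?P<ip>\S+) -> (?P<cn>[^\s/]+)/")

def audit(log_text, expected):
    """Return {cn: verdict} comparing learned addresses with expected ones."""
    ccd_found, learned = {}, {}
    for line in log_text.splitlines():
        m = TEST_RE.search(line)
        # Only the per-client file counts, not the DEFAULT fallback.
        if m and m["path"].rsplit("/", 1)[-1] == m["cn"]:
            ccd_found[m["cn"]] = m["found"] == "1"
            continue
        m = LEARN_RE.search(line)
        if m:
            learned[m["cn"]] = ip_address(m["ip"])
    report = {}
    for cn, want in expected.items():
        got = learned.get(cn)
        if got is None:
            report[cn] = "no session in log"
        elif got == ip_address(want):
            report[cn] = "ok"
        elif not ccd_found.get(cn, False):
            report[cn] = f"ccd file not found on server; pool address {got} assigned"
        else:
            report[cn] = f"ccd file read but {got} assigned; check ifconfig-push"
    return report

if __name__ == "__main__":
    for cn, verdict in audit(SAMPLE_LOG, EXPECTED).items():
        print(f"{cn}: {verdict}")
```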
* Re: [gentoo-user][SOLVED] openvpn static ip
2010-02-26 8:33 ` J. Roeleveld
@ 2010-02-26 15:13 ` Joseph
0 siblings, 0 replies; 18+ messages in thread
From: Joseph @ 2010-02-26 15:13 UTC (permalink / raw
To: gentoo-user
On 02/26/10 09:33, J. Roeleveld wrote:
[snip]
>>
>> ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0]
>> ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0]
>> ...syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 ->
>> syscon9/68.148.245.78:56172
>>
>> If I change the directory to "ccd" the log just shows:
>> ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/syscon9' [0]
>> ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/DEFAULT' [0
>
>This seems to indicate it can't actually find the file
>"/etc/openvpn/ccd/syscon9"
>
>This file needs to be located on the server, not on the client, as it's the
>server that determines the IP-address for the client.
>
>--
>Joost
Yes, that was it :-/; I don't know what to say. Such a simple mistake.
Just taking on a simple logic it makes sense. I was thinking about how it works that the client can request its own IP from the server; something didn't make sense.
Thank you for all your help.
--
Joseph
^ permalink raw reply [flat|nested] 18+ messages in thread