[Tetaneutral] [Fwd: Re: A bit of technical detail ... OpenVPN tunnels over OLSR]

Adrien van den Bossche adrien at mandelfi.net
Mon May 2 22:24:41 CEST 2011


On 28/04/2011 15:05, Laurent GUERBY wrote:
> All this to say that the tetaneutral.net network, including the
> toulouse-sans-fil.net mesh part and the local datacenter part, is
> finally operational :).

Hi all,

A (first?) report on using the TTN config under Win*.
Apparently, the supplied WIN32 tun driver has limitations. Here is what
the console shows:

There is a problem in your selection of --ifconfig endpoints 
[local=91.224.149.161, remote=91.224.149.153].  The local and remote VPN 
endpoints must exist within the same 255.255.255.252 subnet.  This is a 
limitation of --dev tun when used with the TAP-WIN32 driver.

Here is the full log:

Mon May 02 22:11:54 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] 
[PKCS11] built on Dec 11 2009
Mon May 02 22:11:54 2011 WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for 
more info.
Mon May 02 22:11:54 2011 NOTE: OpenVPN 2.1 requires '--script-security 
2' or higher to call user-defined scripts or executables
Mon May 02 22:11:54 2011 LZO compression initialized
Mon May 02 22:11:54 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 
EB:0 ET:0 EL:0 ]
Mon May 02 22:11:54 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 
EB:135 ET:0 EL:0 AF:3/1 ]
Mon May 02 22:11:54 2011 Local Options hash (VER=V4): '41690919'
Mon May 02 22:11:54 2011 Expected Remote Options hash (VER=V4): '530fdded'
Mon May 02 22:11:54 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon May 02 22:11:54 2011 UDPv4 link local (bound): [undef]:1194
Mon May 02 22:11:54 2011 UDPv4 link remote: 91.224.149.151:11194
Mon May 02 22:11:54 2011 TLS: Initial packet from 91.224.149.151:11194, 
sid=82499a0a aadd0dab
Mon May 02 22:11:55 2011 VERIFY OK: depth=1, 
/C=FR/ST=31/L=Toulouse/O=tetaneutral.net/CN=tetaneutral.net_CA/emailAddress=adhesion at tetaneutral.net
Mon May 02 22:11:55 2011 VERIFY OK: depth=0, 
/C=FR/ST=31/L=Toulouse/O=tetaneutral.net/CN=h1/emailAddress=adhesion at tetaneutral.net
Mon May 02 22:12:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' 
initialized with 128 bit key
Mon May 02 22:12:02 2011 Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Mon May 02 22:12:02 2011 Data Channel Decrypt: Cipher 'BF-CBC' 
initialized with 128 bit key
Mon May 02 22:12:02 2011 Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Mon May 02 22:12:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 1024 bit RSA
Mon May 02 22:12:02 2011 [h1] Peer Connection Initiated with 
91.224.149.151:11194
Mon May 02 22:12:05 2011 SENT CONTROL [h1]: 'PUSH_REQUEST' (status=1)
Mon May 02 22:12:05 2011 PUSH: Received control message: 
'PUSH_REPLY,route-gateway 91.224.149.153,redirect-gateway def1,ping 
10,ping-restart 60,ifconfig 91.224.149.161 91.224.149.153'
Mon May 02 22:12:05 2011 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 02 22:12:05 2011 OPTIONS IMPORT: --ifconfig/up options modified
Mon May 02 22:12:05 2011 OPTIONS IMPORT: route options modified
Mon May 02 22:12:05 2011 OPTIONS IMPORT: route-related options modified
Mon May 02 22:12:05 2011 WARNING: potential conflict between --remote 
address [91.224.149.151] and --ifconfig address pair [91.224.149.161, 
91.224.149.153] -- this is a warning only that is triggered when 
local/remote addresses exist within the same /24 subnet as --ifconfig 
endpoints. (silence this warning with --ifconfig-nowarn)
Mon May 02 22:12:05 2011 ROUTE default_gateway=192.168.95.254
Mon May 02 22:12:05 2011 There is a problem in your selection of 
--ifconfig endpoints [local=91.224.149.161, remote=91.224.149.153].  The 
local and remote VPN endpoints must exist within the same 
255.255.255.252 subnet.  This is a limitation of --dev tun when used 
with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option 
for more info.
Mon May 02 22:12:05 2011 Exiting
Press any key to continue...

OpenVPN refuses to go any further. As recommended, here is the
output of openvpn --show-valid-subnets:

C:\Documents and Settings\Adrien>openvpn --show-valid-subnets
On Windows, point-to-point IP support (i.e. --dev tun)
is emulated by the TAP-Win32 driver.  The major limitation
imposed by this approach is that the --ifconfig local and
remote endpoints must be part of the same 255.255.255.252
subnet.  The following list shows examples of endpoint
pairs which satisfy this requirement.  Only the final
component of the IP address pairs is at issue.

As an example, the following option would be correct:
     --ifconfig 10.7.0.5 10.7.0.6 (on host A)
     --ifconfig 10.7.0.6 10.7.0.5 (on host B)
because [5,6] is part of the below list.

[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

Hmm, not cool. This will certainly cause problems down the line... :-(

Drien
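
Added example, not part of the original message or of the tetaneutral.net configuration: a small triage of an OpenVPN client log that extracts the pushed --ifconfig pair, checks it against the TAP-Win32 255.255.255.252 rule quoted above, and collects WARNING entries such as the missing server certificate verification. The function names are hypothetical and the sample input is two entries from the log above with wrapped lines rejoined.

```python
import ipaddress
import re

# Constructed sample: two entries from the log quoted above, wrapped lines rejoined.
SAMPLE_LOG = (
    "Mon May 02 22:11:54 2011 WARNING: No server certificate verification "
    "method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.\n"
    "Mon May 02 22:12:05 2011 PUSH: Received control message: "
    "'PUSH_REPLY,route-gateway 91.224.149.153,redirect-gateway def1,ping 10,"
    "ping-restart 60,ifconfig 91.224.149.161 91.224.149.153'\n"
)

def pushed_ifconfig(log):
    """Return the (local, remote) pair of the first pushed ifconfig, or None."""
    m = re.search(r"PUSH_REPLY[^'\n]*?,ifconfig ([\d.]+) ([\d.]+)", log)
    return (m.group(1), m.group(2)) if m else None

def valid_peer(local):
    """Return the only remote address TAP-Win32 accepts for `local`, or None."""
    addr = ipaddress.IPv4Address(local)
    hosts = list(ipaddress.ip_network(f"{addr}/30", strict=False).hosts())
    if addr not in hosts:          # network or broadcast address of the /30
        return None
    return str(hosts[1] if addr == hosts[0] else hosts[0])

def tap_win32_ok(local, remote):
    """True when the pair is one of the [1,2], [5,6], ... pairs listed above."""
    return valid_peer(local) == str(ipaddress.IPv4Address(remote))

def warning_lines(log):
    """Return the text of every WARNING entry in the log."""
    return re.findall(r"WARNING: (.*)", log)

def triage(log):
    """Summarise the pushed endpoints, the /30 verdict and the warnings."""
    pair = pushed_ifconfig(log)
    report = {"ifconfig": pair, "warnings": warning_lines(log)}
    if pair:
        report["tap_win32_ok"] = tap_win32_ok(*pair)
        report["expected_remote"] = valid_peer(pair[0])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
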


