[Tetaneutral] [Fwd: Re: A bit of technical stuff ... openvpn tunnels over OLSR]

Adrien van den Bossche adrien at mandelfi.net
Thu May 5 18:03:36 CEST 2011


Hello everyone,

TTN connection successful on Windowz with the tap driver (instead of tun...) ^^

A question/request: could the server "push" a DNS server address to the
VPN client? My setup may be a bit unusual, but I'm probably not the only
one in this situation: the DNS server I use is not directly on my local
network, I reach it through my default gateway. But since it is not on
the Internet either, adding the two /1 routes prevents my system from
reaching it once connected to the TTN VPN.

This is open to discussion, since some people like to pick their own DNS
server... It is actually the only problem I have right now, because the
config works perfectly in my situation.

Drien



On 02/05/2011 22:24, Adrien van den Bossche wrote:
> On 28/04/2011 15:05, Laurent GUERBY wrote:
>> All that to say that the tetaneutral.net network, including the
>> toulouse-sans-fil.net mesh part and the local datacenter part, is
>> finally operational :).
>
> Hi all,
>
> a (first?) report on using the TTN config on Win*.
> Apparently the supplied WIN32 tun driver has limitations. Here is what
> you can read on the console:
>
> There is a problem in your selection of --ifconfig endpoints
> [local=91.224.149.161, remote=91.224.149.153]. The local and remote VPN
> endpoints must exist within the same 255.255.255.252 subnet. This is a
> limitation of --dev tun when used with the TAP-WIN32 driver.
>
> Here is the full log:
>
> Mon May 02 22:11:54 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2]
> [PKCS11] built on Dec 11 2009
> Mon May 02 22:11:54 2011 WARNING: No server certificate verification
> method has been enabled. See http://openvpn.net/howto.html#mitm for more
> info.
> Mon May 02 22:11:54 2011 NOTE: OpenVPN 2.1 requires '--script-security
> 2' or higher to call user-defined scripts or executables
> Mon May 02 22:11:54 2011 LZO compression initialized
> Mon May 02 22:11:54 2011 Control Channel MTU parms [ L:1542 D:138 EF:38
> EB:0 ET:0 EL:0 ]
> Mon May 02 22:11:54 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42
> EB:135 ET:0 EL:0 AF:3/1 ]
> Mon May 02 22:11:54 2011 Local Options hash (VER=V4): '41690919'
> Mon May 02 22:11:54 2011 Expected Remote Options hash (VER=V4): '530fdded'
> Mon May 02 22:11:54 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
> Mon May 02 22:11:54 2011 UDPv4 link local (bound): [undef]:1194
> Mon May 02 22:11:54 2011 UDPv4 link remote: 91.224.149.151:11194
> Mon May 02 22:11:54 2011 TLS: Initial packet from 91.224.149.151:11194,
> sid=82499a0a aadd0dab
> Mon May 02 22:11:55 2011 VERIFY OK: depth=1,
> /C=FR/ST=31/L=Toulouse/O=tetaneutral.net/CN=tetaneutral.net_CA/emailAddress=adhesion at tetaneutral.net
>
> Mon May 02 22:11:55 2011 VERIFY OK: depth=0,
> /C=FR/ST=31/L=Toulouse/O=tetaneutral.net/CN=h1/emailAddress=adhesion at tetaneutral.net
>
> Mon May 02 22:12:02 2011 Data Channel Encrypt: Cipher 'BF-CBC'
> initialized with 128 bit key
> Mon May 02 22:12:02 2011 Data Channel Encrypt: Using 160 bit message
> hash 'SHA1' for HMAC authentication
> Mon May 02 22:12:02 2011 Data Channel Decrypt: Cipher 'BF-CBC'
> initialized with 128 bit key
> Mon May 02 22:12:02 2011 Data Channel Decrypt: Using 160 bit message
> hash 'SHA1' for HMAC authentication
> Mon May 02 22:12:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3
> DHE-RSA-AES256-SHA, 1024 bit RSA
> Mon May 02 22:12:02 2011 [h1] Peer Connection Initiated with
> 91.224.149.151:11194
> Mon May 02 22:12:05 2011 SENT CONTROL [h1]: 'PUSH_REQUEST' (status=1)
> Mon May 02 22:12:05 2011 PUSH: Received control message:
> 'PUSH_REPLY,route-gateway 91.224.149.153,redirect-gateway def1,ping
> 10,ping-restart 60,ifconfig 91.224.149.161 91.224.149.153'
> Mon May 02 22:12:05 2011 OPTIONS IMPORT: timers and/or timeouts modified
> Mon May 02 22:12:05 2011 OPTIONS IMPORT: --ifconfig/up options modified
> Mon May 02 22:12:05 2011 OPTIONS IMPORT: route options modified
> Mon May 02 22:12:05 2011 OPTIONS IMPORT: route-related options modified
> Mon May 02 22:12:05 2011 WARNING: potential conflict between --remote
> address [91.224.149.151] and --ifconfig address pair [91.224.149.161,
> 91.224.149.153] -- this is a warning only that is triggered when
> local/remote addresses exist within the same /24 subnet as --ifconfig
> endpoints. (silence this warning with --ifconfig-nowarn)
> Mon May 02 22:12:05 2011 ROUTE default_gateway=192.168.95.254
> Mon May 02 22:12:05 2011 There is a problem in your selection of
> --ifconfig endpoints [local=91.224.149.161, remote=91.224.149.153]. The
> local and remote VPN endpoints must exist within the same
> 255.255.255.252 subnet. This is a limitation of --dev tun when used with
> the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more
> info.
> Mon May 02 22:12:05 2011 Exiting
> Press any key to continue...
>
> OpenVPN refuses to go any further. As recommended, here is the output
> of openvpn --show-valid-subnets:
>
> C:\Documents and Settings\Adrien>openvpn --show-valid-subnets
> On Windows, point-to-point IP support (i.e. --dev tun)
> is emulated by the TAP-Win32 driver. The major limitation
> imposed by this approach is that the --ifconfig local and
> remote endpoints must be part of the same 255.255.255.252
> subnet. The following list shows examples of endpoint
> pairs which satisfy this requirement. Only the final
> component of the IP address pairs is at issue.
>
> As an example, the following option would be correct:
> --ifconfig 10.7.0.5 10.7.0.6 (on host A)
> --ifconfig 10.7.0.6 10.7.0.5 (on host B)
> because [5,6] is part of the below list.
>
> [ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
> [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
> [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
> [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
> [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
> [101,102] [105,106] [109,110] [113,114] [117,118]
> [121,122] [125,126] [129,130] [133,134] [137,138]
> [141,142] [145,146] [149,150] [153,154] [157,158]
> [161,162] [165,166] [169,170] [173,174] [177,178]
> [181,182] [185,186] [189,190] [193,194] [197,198]
> [201,202] [205,206] [209,210] [213,214] [217,218]
> [221,222] [225,226] [229,230] [233,234] [237,238]
> [241,242] [245,246] [249,250] [253,254]
>
> hmm, not cool. This is definitely going to cause problems later on... :-(
>
> Drien
>
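Added example (not from the thread, and not tetaneutral.net's config): the DNS problem described in the top message comes from longest-prefix matching. "redirect-gateway def1" does not replace the 0.0.0.0/0 default; it adds 0.0.0.0/1 and 128.0.0.0/1 via the route-gateway (91.224.149.153 in the log), plus a /32 host route to the VPN server (91.224.149.151) via the original gateway (192.168.95.254 per the "ROUTE default_gateway" line). Any destination that was only reachable through the old default route, such as a DNS server that is neither on the LAN nor on the Internet, now matches a /1 and is sent into the tunnel. The DNS address 10.20.0.53 and the LAN prefix 192.168.95.0/24 below are constructed for the example; the simulation also shows that a /32 host route for the DNS server via the old gateway restores reachability (in OpenVPN that is the client-side "route <dns-ip> 255.255.255.255 net_gateway" directive, a suggestion of mine, not something the thread says).

```python
import ipaddress

# Constructed client routing table, modelled on the log:
# LAN 192.168.95.0/24 (assumed), default gateway 192.168.95.254 (from the log).
LAN_GW = "192.168.95.254"
VPN_SERVER = "91.224.149.151"   # --remote in the log
VPN_GW = "91.224.149.153"       # route-gateway pushed by the server in the log
DNS = "10.20.0.53"              # constructed: behind LAN_GW, not on LAN, not on Internet

BASE_TABLE = [
    ("192.168.95.0/24", "on-link"),
    ("0.0.0.0/0", LAN_GW),
]


def lookup(table, dst):
    """Longest-prefix match: return the gateway used for dst, or None."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def apply_redirect_gateway_def1(table):
    """Routes OpenVPN adds for 'redirect-gateway def1': a host route to the
    VPN server via the old gateway, then two /1 routes that out-rank the /0
    default without deleting it."""
    return table + [
        (VPN_SERVER + "/32", LAN_GW),
        ("0.0.0.0/1", VPN_GW),
        ("128.0.0.0/1", VPN_GW),
    ]


def add_host_route(table, host, gw):
    """Equivalent of 'route <host> 255.255.255.255 <gw>' on the client."""
    return table + [(host + "/32", gw)]


def dns_gateway_before_vpn():
    return lookup(BASE_TABLE, DNS)                      # 192.168.95.254


def dns_gateway_after_def1():
    return lookup(apply_redirect_gateway_def1(BASE_TABLE), DNS)   # 91.224.149.153, broken


def dns_gateway_with_host_route():
    fixed = add_host_route(apply_redirect_gateway_def1(BASE_TABLE), DNS, LAN_GW)
    return lookup(fixed, DNS)                           # 192.168.95.254 again


if __name__ == "__main__":
    print("DNS before VPN :", dns_gateway_before_vpn())
    print("DNS after def1 :", dns_gateway_after_def1())
    print("DNS with /32   :", dns_gateway_with_host_route())
```

The /32 route is the same trick OpenVPN itself uses to keep the tunnel's own UDP packets to 91.224.149.151 out of the tunnel; the tunnel server cannot add it for a private DNS server it knows nothing about, so it has to come from the client config. Pushing a DNS address from the server (OpenVPN's "push \"dhcp-option DNS a.b.c.d\"", which the Windows TAP driver applies to the adapter) only helps if that resolver is reachable through the tunnel, which is a different resolver from the one in the top message.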

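Added example (mine, not OpenVPN's code or tetaneutral.net's config) for the TAP-Win32 error in the quoted log: with --dev tun emulated by the TAP-Win32 driver, the --ifconfig local and remote addresses must be the two host addresses of one /30, which is exactly the [1,2] [5,6] ... [253,254] table that --show-valid-subnets prints. The check below reproduces that rule and that table, flags the pushed pair 91.224.149.161 / 91.224.149.153 from the log as invalid, and computes which peer address a given local address would need. Only the Python ipaddress module is used; the function names are mine.

```python
import ipaddress


def valid_tap_win32_endpoints(local: str, remote: str) -> bool:
    """TAP-Win32 --dev tun rule: local and remote must be the two usable
    host addresses (network+1, network+2) of the same /30."""
    l = ipaddress.IPv4Address(local)
    r = ipaddress.IPv4Address(remote)
    if l == r:
        return False
    net = ipaddress.IPv4Network(f"{l}/30", strict=False)
    if r not in net:
        return False
    hosts = {net.network_address + 1, net.network_address + 2}
    return {l, r} == hosts


def tap_win32_peer(local: str):
    """Return the only remote address TAP-Win32 would accept for this local
    address, or None if the local address is the /30 network or broadcast."""
    l = ipaddress.IPv4Address(local)
    low = int(l) & 3           # position inside the /30
    if low == 1:
        return str(l + 1)
    if low == 2:
        return str(l - 1)
    return None


def valid_last_octet_pairs():
    """Reproduce the pair table printed by `openvpn --show-valid-subnets`:
    only the last octet matters, and it must be (4k+1, 4k+2)."""
    return [(b + 1, b + 2) for b in range(0, 256, 4)]


if __name__ == "__main__":
    # The pair pushed by the server in the quoted log:
    print(valid_tap_win32_endpoints("91.224.149.161", "91.224.149.153"))  # False
    print(tap_win32_peer("91.224.149.161"))                                # 91.224.149.162
    print(valid_last_octet_pairs()[:3], "...", valid_last_octet_pairs()[-1])
```

The practical consequence is the one the quoted message hints at: a server that hands out topology net30 style pairs from a flat pool cannot be assumed to give a Windows client a /30-aligned pair, which is why the author ended up on the tap driver instead, where the limitation does not apply.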
