Looking for P2p file sharing for personal use

kartal:
4wd,

I actually checked the troubleshooting page yesterday, but it did not help, mainly because I did not understand a couple of things, and the ones I understood did not resolve my issue.

I am attaching the logs

Shades,
I am using my router as a wireless and wired router gateway. I will check out your suggestion.

4wd:
It's your server, more specifically this line in the log:

Tue Jul 07 10:34:14 2009 Route addition via IPAPI failed

To be able to add additions to the routing you need to be an Administrator - what's happening is the connection is being made OK but because the routing wasn't added to the system the system doesn't know where to send packets for IPs 10.8.0.x, so it fails.

Normally you only see this on Vista/Win7 and to get it to work you have to run OpenVPN-GUI as administrator, either by right-clicking and choosing 'Run As' or using the program properties.

You might also need to use the latest development build OpenVPN 2.1_rc18 which has patches for this, (still need to run the GUI as Administrator though).

EDIT: BTW, don't assume that because you are logged in as an Admin you are The Administrator, I had enough indications to the contrary over the years :)

I now use this registry edit which makes the Administrator Group owner of every file and not individual administrators - and I haven't had an issue with file ownership since.


; Make the Administrators group the owner of files instead of the individual Administrator account.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"nodefaultadminowner"=dword:00000000

This is fine for my machine as it's single user and any functionality to use 'Run As' or Secondary Logon has been stripped out.  If yours is a multi-user machine then I wouldn't recommend it.  Oh yeah, XP only AFAIK.

Another EDIT: What's actually interesting is that the client succeeded:

Mon Jul 06 23:10:03 2009 Route addition via IPAPI succeeded

And why is there a ~11 hour difference in system time if these were done at the same time?

kartal:
Hi guys,
Sorry for the late follow-up. My VPN server crashed last night and I struggled to reinstall the whole OS today. I think I have everything up and running and, surprisingly, the VPN server and client can ping and see each other!!! Maybe there was something fishy about the previous OS install, who knows. But now I have SSH and VPN running side by side; I have not tried from outside. Thank you Shades and 4wd again. You guys were a tremendous help here. I hope these will be helpful to others too. Points are on the way.

Now that I have stuff running, how can I share stuff? I have a couple of final(ish) questions, if you guys do not mind.

- How can I share it from outside? Do I do port forwarding, and if so, which one?
- Can I also add password protection, like some kind of dial-up with a password? Would that be too complicated for me?


thanks

Shades:
The text in the client log file mentions port 1194, which is officially designated to OpenVPN by IANA (the governing body for port numbers). So that would be the port you use in the port forwarding section of your router.

Because of the certificates you have already put up quite a hurdle for 'drive-by attackers'. If you use strong passwords with your (Windows and/or Linux) user login then you already have quite a decent security perimeter setup.

4wd:
--- Quote from Shades (July 09, 2009, 01:49 AM) ---
The text in the client log file mentions port 1194, which is officially designated to OpenVPN by IANA (the governing body for port numbers). So that would be the port you use in the port forwarding section of your router.
--- End quote ---

For me personally, this would be one reason to change it away from 1194 into the higher reaches, say >33000.  Having a port open that's designated as an 'access' point to a network is like sticking up a sign saying "Break this Window" in front of a Liquor Store :)

--- Quote ---
Because of the certificates you have already put up quite a hurdle for 'drive-by attackers'. If you use strong passwords with your (Windows and/or Linux) user login then you already have quite a decent security perimeter setup.
--- End quote ---

Having a certificate that asks for a password is good in case your laptop is used without your knowledge, (when you're outside your LAN area), because it will ask for the password before the connection is completed.

It's easy enough to get a certificate that asks for a password (as I found out by accident): when you install OpenVPN on a client, mark the box to install the OpenVPN Certificate Wizard.

Run the wizard:
1) Fill out the info as per a normal key, Common Name (what this client will be called), location, etc (location/org/unit has to match server info).
2) Enter a passphrase and again to verify it.
3) Then hit the Create Request button.

This will create a {client}.key and a {client}.req in the C:\Program Files\OpenVPN\config directory - where {client} is the Common Name you entered for that client.

Rename {client}.req to {client}.csr (Certificate Signing Request).

Copy the file {client}.csr to the C:\Program Files\OpenVPN\easy-rsa\keys directory on the key signing PC, (the server in this case).  If the directory doesn't exist, create it and copy the contents of the server's config directory into it except for the server.ovpn file.

Open a CLI in the easy-rsa directory and enter the following commands:

vars.bat
sign-cert.bat {client}                                <- where {client} matches the prefix of the .csr file

vars.bat already exists, so all you need is the part of build-key.bat that actually signs the CSR, thus:

sign-cert.bat

@echo off
cd %HOME%
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem delete any .old files created in this process, to avoid future file creation errors
del /q %KEY_DIR%\*.old

This will generate a {client}.crt certificate file.

Copy {client}.crt and the ca.crt from the server back to the config directory on the client.

Every time the client now tries to connect to the VPN it will ask for the passphrase you gave when you generated it in the wizard.

Although the above seems rather involved, it isn't really......honest :D

ADDENDUM: Also, when you issue the build-key command to initially create the client keys there is the following optional response:

--- Quote ---
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
--- End quote ---

Just enter a passphrase and verify in the next prompt.
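
Added example (not part of the original posts): a Python check that reports whether each {client}.key in an OpenVPN config directory is stored passphrase-encrypted, which is the condition for the client to prompt on connect. The function names and the sample PEM blocks are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# One PEM block: BEGIN label, then everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def key_protection(pem_text):
    """Return 'encrypted', 'plaintext' or 'no-key' for the first key block."""
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 encrypted container
            return "encrypted"
        if label.endswith("PRIVATE KEY"):
            # Traditional OpenSSL keys flag encryption in a Proc-Type header.
            if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", body, re.M):
                return "encrypted"
            return "plaintext"
    return "no-key"   # e.g. a .csr or .crt passed in by mistake

def audit_keys(directory):
    """Map each *.key file name in directory to its protection status."""
    return {p.name: key_protection(p.read_text(errors="replace"))
            for p in sorted(Path(directory).glob("*.key"))}

# Constructed samples: the base64 bodies are placeholders, not key material.
SAMPLE_PROTECTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    # Usage: python check_keys.py "C:\Program Files\OpenVPN\config"
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in audit_keys(target).items():
        print(f"{status:10} {name}")
```

The passphrase protection lives in the .key file itself; the "challenge password" attribute is stored in the certificate request and does not encrypt the key, so run the check on any key created that way to confirm what it reports.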
