Open-wisp firmware - VPN


SKapoor

Jan 19, 2017, 3:18:44 AM
to OpenWISP
Hi,

OpenWISP-manager is not able to discover my access point, which has OpenWISP-firmware.

I am hitting the following error :

--- Thu Jan 19 09:14:03 CET 2017 ------------------
* VPN is down, trying to restart it
** Can't update date/time: check network configuration, DNS and NTP and/or HTTP connectivity **
* Can't start VPN

Please help me, I am totally stuck.

Using Chaos Calmer 15.05

Regards
Sonia

Federico Capoano

Jan 19, 2017, 3:47:09 AM
to OpenWISP
The log says the management VPN can't start. Is OpenVPN installed and configured correctly on the server which hosts OpenWISP Manager?

Federico

SKapoor

Jan 19, 2017, 5:41:52 AM
to OpenWISP
Hi Federico,

Appreciate your quick reply :)

Steps:
1. I am using OpenWISP manager-1, and was able to successfully bring up the OpenWISP Manager with servername:3000.

2. For OpenWISP Firmware I am using Chaos Calmer 15.05 and followed these steps:

- cp feeds.conf.default feeds.conf
- echo "src-git openwisp https://github.com/openwisp/OpenWISP-Firmware.git" >> feeds.conf
- ./scripts/feeds update
- ./scripts/feeds install openwisp-fw
- make menuconfig # (choose your arch and include openwisp-fw package and submodule if appropriate)
- export OPENWISP_CONF="overlay.tar.gz"
- make -j 1 V=s
Once I load this OpenWISP-firmware supported image I expect discovery of the AP by OpenWISP-manager, but hard luck, I don't see anything happening at either end.

3. I checked the logs with the following command: # logread

Thu Jan 19 10:25:42 2017 daemon.notice openvpn[18315]: OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 18 2017
Thu Jan 19 10:25:42 2017 daemon.notice openvpn[18315]: library versions: PolarSSL 1.3.14, LZO 2.08
Thu Jan 19 10:25:42 2017 daemon.warn openvpn[18315]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 19 10:25:42 2017 daemon.err openvpn[18315]: Cannot load certificate file /etc/openvpn/client.crt
Thu Jan 19 10:25:42 2017 daemon.notice openvpn[18315]: Exiting due to fatal error
Thu Jan 19 10:25:47 2017 daemon.notice openvpn[18335]: OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 18 2017
Thu Jan 19 10:25:47 2017 daemon.notice openvpn[18335]: library versions: PolarSSL 1.3.14, LZO 2.08
Thu Jan 19 10:25:47 2017 daemon.warn openvpn[18335]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 19 10:25:47 2017 daemon.err openvpn[18335]: Cannot load certificate file /etc/openvpn/client.crt
Thu Jan 19 10:25:47 2017 daemon.notice openvpn[18335]: Exiting due to fatal error

4. Overlay.tar.gz I am exporting but I don't have it anywhere );

5. Do I need to make any modifications in etc/config/owispmanager on my AP? (I am using a db120 reference board.)

So here is a disconnect: I am not able to understand what comes next. Could you please help me understand if the procedure is wrong or if I am missing something?

If there is a proper document which can guide me through the procedure of connecting OpenWISP-firmware to OpenWISP-manager, that will be great.



regards,
AP-firmware

Federico Capoano

Jan 19, 2017, 6:32:53 AM
to OpenWISP
There's not much documentation apart from what's available on GitHub regarding OpenWISP1.

What's your use case, what are you using OpenWISP for? I'm trying to understand if I can suggest you to use OpenWISP2 (which has better documentation and automatic install scripts) or not.

Federico

SKapoor

Jan 19, 2017, 7:23:04 AM
to OpenWISP
Hi:
For local community wifi coverage, we are installing 50 access points. We are using AR9344 based db120 AP HW running OpenWrt Chaos Calmer 15.05. We wanted an open source centralized monitoring, group configuration and group firmware upgrade tool for managing all 50 APs. For this purpose we planned to use the openwisp package.

Two weeks back we read on openwisp.org that openwisp2 is still in development stage and for any stable requirements use openwisp1 package, hence we started our exercise with openwisp1 SW modules. As of today, we have Openwisp1 Manager installed on Ubuntu 12.04 and have loaded openwisp firmware on a db120 based AP running openwrt.

Currently we are running into the previously mentioned issues with OpenVPN. We just figured out there is no OpenVPN installed on the OpenWISP Manager Ubuntu machine.

We were following instructions from a googled pdf "pekevski_bojan_-_Nadzor_in_upravljanje_Wi-Fi.pdf" for installing openwisp1 manager.

any help is highly appreciated,

thanks

Jose Mota

Jan 19, 2017, 7:48:02 AM
to OpenWISP

4. Overlay.tar.gz I am exporting but I dont have it anywhere );
I'm no expert, but I believe this might be one of the causes of your problem. Maybe that's why the VPN is not up, since there's nothing on the other side to connect to.
The overlay configuration file provides server certificate information, along with users and passwords and other config. It's relatively easy to build, you should give it a try and check if it solves your problem ;)

SKapoor

Jan 19, 2017, 8:41:10 AM
to OpenWISP
Jose,

I have currently created certificates on my access point, as my understanding is that every AP should have a unique certificate.
So my concern is: will it be fine if I copy that same certificate into overlay.tar.gz and use the same for 50 APs?

The steps I would take are:
1- copy the recently created certificate from the AP to overlay.tar.gz on my local machine
2- Also, maintain other configurations in the overlay.tar.gz and then export the same
etc
├── config
│   └── owispmanager
├── openvpn
│   ├── ca.crt
│   ├── client.crt
│   └── ta.key
└── shadow
3. export OPENWISP_CONF="/home/overlay.tar.gz"
4. make V=s


Thanks in advance :)
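
A pre-flight check for the overlay tree described in the post above, added here as an example and not part of the original thread or of OpenWISP: it verifies that the listed files exist and that key material is not readable by group or others before the tarball is built. The function names and the optional `client.key` entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for an overlay
# directory before it is packed into overlay.tar.gz.

# Required paths are exactly the tree posted above.
OVERLAY_REQUIRED="etc/config/owispmanager etc/openvpn/ca.crt
etc/openvpn/client.crt etc/openvpn/ta.key etc/shadow"

# Files that hold secrets. client.key is an assumption: it is not in the
# posted tree, but the OpenVPN client log later in this thread loads
# /etc/openvpn/client.key, so it is checked when present.
OVERLAY_SECRET="etc/openvpn/ta.key etc/openvpn/client.key etc/shadow"

# check_overlay DIR
# Prints one line per problem and returns 0 only when there are none.
check_overlay() {
    dir=$1
    problems=0
    for f in $OVERLAY_REQUIRED; do
        if [ ! -s "$dir/$f" ]; then          # missing or empty
            echo "MISSING $f"
            problems=$((problems + 1))
        fi
    done
    for f in $OVERLAY_SECRET; do
        [ -f "$dir/$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "PERMS $f group/other=$bits"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# pack_overlay DIR OUTFILE: refuse to build the tarball if the check fails.
pack_overlay() {
    check_overlay "$1" || return 1
    tar -C "$1" -czf "$2" etc
}

# Usage: sh overlay_check.sh ./overlay /home/overlay.tar.gz
if [ "$#" -eq 2 ]; then
    pack_overlay "$1" "$2"
fi
```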

Federico Capoano

Jan 19, 2017, 9:05:41 AM
to OpenWISP
Yes it will be fine if you copy the same cert on all 50 APs.

Federico

sonia kapoor

Jan 19, 2017, 9:27:25 AM
to Federico Capoano, OpenWISP
Federico,

So what do you suggest: if the issue gets fixed with these changes to overlay.tar.gz, should I stick with OpenWISP-1 or move to OpenWISP-2?


--


You received this message because you are subscribed to a topic in the Google Groups "OpenWISP" group.


To unsubscribe from this topic, visit https://groups.google.com/d/topic/openwisp/cNsZNyzFGjc/unsubscribe.


To unsubscribe from this group and all its topics, send an email to openwisp+u...@googlegroups.com.


For more options, visit https://groups.google.com/d/optout.


Federico Capoano

Jan 19, 2017, 9:38:17 AM
to sonia kapoor, OpenWISP
If you are happy with OpenWISP1, stick with it.

If you are not so happy and the feature that you are mostly interested in is configuration management and automatic configuration updates to your routers, I suggest you to try OpenWISP2 and then decide which one to stick with.

OpenWISP2 hasn't got monitoring features yet, but they will be added as optional modules in the future and in the meanwhile you can monitor your network with other existing (and mature) solutions.

If you want to try it, see ansible-openwisp2 for the controller and openwisp-config for OpenWRT.

Federico

sonia kapoor

Jan 19, 2017, 9:55:40 AM
to Federico Capoano, OpenWISP
Does OpenWISP1 support monitoring aspects?

Federico Capoano

Jan 19, 2017, 9:59:06 AM
to sonia kapoor, OpenWISP
Not OpenWISP Manager, you will have to deploy another application, OpenWISP Geographic Monitoring.

Federico

SKapoor

Jan 23, 2017, 3:43:45 AM
to OpenWISP
Hi Federico


The code for OpenWISP firmware is compiled with the overlay configuration file; after loading the image I see the following logs.
A few questions:
- Do I need openvpn on the OpenWISP1-manager side?
- Once the OpenWISP-firmware comes up I don't see the certificates, though I got them as part of the firmware compilation.
- When both OpenWISP-manager and firmware come up, how does the handshake start? How can I get to know whether it is through ethernet or wireless?

Please, help me.

regards
Screenshot from 2017-01-23 14:04:10.png

Federico Capoano

Jan 23, 2017, 4:12:01 AM
to OpenWISP


On Monday, January 23, 2017 at 9:43:45 AM UTC+1, SKapoor wrote:

The code for OpenWISP firmware is compiled with the overlay configuration file; after loading the image I see the following logs.
A few questions:
- Do I need openvpn on the OpenWISP1-manager side?

Yes
 
- Once the OpenWISP-firmware comes up I don't see the certificates, though I got them as part of the firmware compilation.

What do you mean you don't see? You don't see them present on the filesystem? If the answer to this question is yes, something didn't go smoothly and you will have to repeat the compilation process ensuring you pass the right tar.gz file with the certificates in it.
 
- When both OpenWISP-manager and firmware come up, how does the handshake start? How can I get to know whether it is through ethernet or wireless?

When the firmware can connect to the manager, you can notice it via SSH or via the manager (it will show an IP address). Then you can use the manager to change its configuration.

Federico

Federico Capoano

Jan 23, 2017, 4:13:30 AM
to OpenWISP
On Monday, January 23, 2017 at 10:12:01 AM UTC+1, Federico Capoano wrote:
 
- When both OpenWISP-manager and firmware come up, how does the handshake start? How can I get to know whether it is through ethernet or wireless?

Forgot to mention, on OpenWISP Firmware (openwisp1) you can get information regarding its functioning by taking a look at /tmp/owispmanager.status

eg:

tail -n 100 /tmp/owispmanager.status



Federico

Nikunj Shah

Jan 29, 2017, 11:54:26 AM
to OpenWISP
Hi SKapoor,

Were you able to solve the issue? I am facing a similar problem.
Will be really helpful

Regards

sonia kapoor

Jan 29, 2017, 9:26:28 PM
to Nikunj Shah, OpenWISP
Not yet...working on installing openvpn first on openWISP manager and creating certificates for both server and client (i.e openwisp firmware)
Could you let me know exactly where are you stuck?
Regards

Federico Capoano

Jan 30, 2017, 12:46:42 AM
to sonia kapoor, Nikunj Shah, OpenWISP

To install openvpn, you could use:
https://github.com/Stouts/Stouts.openvpn

I use it on a couple of deployments and I even contributed to it to add a few use cases.



Nikunj

Jan 30, 2017, 1:52:03 AM
to Federico Capoano, sonia kapoor, OpenWISP
Thanks for the link.

I am using OpenWISP Controller 1. I have installed the OpenVPN server successfully on my controller which is a Ubuntu based Linux machine.

The issue is with the OpenWISP Firmware. It is not able to create the VPN tunnel for the OpenVPN Client.

As per my understanding, the Owispmanager script is able to create the setup99 interface which is the wireless interface but not the Setup00, which I believe should be the OpenVPN client interface.

Can you please suggest what I might be missing?

Regards


Nikunj

Jan 30, 2017, 2:10:44 AM
to sonia kapoor, OpenWISP
The openWISP Controller 1 is up and running along with the openVPN server.

Openwisp Firmware is not able to create the OpenVPN client tunnel interface. It is able to create the setup99 interface (wireless) but I can't see any tunnel interface for the VPN client, which I guess should be setup00.

Regards,


Federico Capoano

Jan 30, 2017, 3:36:33 AM
to Nikunj, sonia kapoor, OpenWISP

Take a look at the log in /tmp/owispmanager.status
See also the openvpn log on the server side.
Report what you find here.



Nikunj

Jan 30, 2017, 4:43:26 AM
to Federico Capoano, sonia kapoor, OpenWISP


Below is the log at the server

OpenVPN CLIENT LIST
Updated,Mon Jan 30 15:11:22 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END



Below is the log at /tmp/owispmanager.status on the unit

root@Unconfigured:/tmp# cat owispmanager.status
--- Thu Jan  1 00:00:10 UTC 1970 ------------------
* Checking prerequisites...
uHTTP Daemon is present!
hostapd is present (hostapd v2.5-devel)
OpenVPN is present
dnsmasq is present (Dnsmasq version 2.73  Copyright (c) 2000-2015 Simon Kelley)
Time synchronization daemon is present
Wget is present
GNU netcat is present (netcat (The GNU Netcat) 0.7.1)
phy0 up and running
phy0 ok, let's rock!
* Cleaning up...
* Uninstalling runtime configuration
--- Mon Jan 30 09:41:52 CET 2017 ------------------
* Uninstalling active configuration
sed: /tmp//owispmanager//uninstall.sh: No such file or directory
uci: Entry not found

* Stopping configuration services
--- Mon Jan 30 09:41:52 CET 2017 ------------------
* Stopping configuration services

* Goodbye!

* (Re-)starting...

--- Mon Jan 30 09:41:52 CET 2017 ------------------

* VPN is down, trying to restart it
** Can't update date/time: check network configuration, DNS and NTP and/or HTTP connectivity **
* Can't start VPN

--- Mon Jan 30 09:41:53 CET 2017 ------------------
* Stopping configuration services

--- Mon Jan 30 09:41:54 CET 2017 ------------------
* Starting configuration services
Configuration file: /tmp//configuration.hostapd
Using interface setup99 with hwaddr 04:f0:21:0c:a5:29 and ssid "owf-2E:1C:61:54:0B:BB"
setup99: interface state UNINITIALIZED->ENABLED
setup99: AP-ENABLED

--- Mon Jan 30 09:42:04 CET 2017 ------------------

* VPN is down, trying to restart it
** Can't update date/time: check network configuration, DNS and NTP and/or HTTP connectivity **
* Can't start VPN

--- Mon Jan 30 09:42:09 CET 2017 ------------------

* VPN is down, trying to restart it
** Can't update date/time: check network configuration, DNS and NTP and/or HTTP connectivity **
* Can't start VPN



Federico Capoano

Jan 30, 2017, 8:53:40 AM
to Nikunj, sonia kapoor, OpenWISP

The VPN cannot establish correctly; the most common causes are either misconfiguration or firewalls blocking the VPN.
The text you posted is from the status file, not the VPN. Please check the VPN log.



Nikunj

Jan 30, 2017, 11:03:31 PM
to Federico Capoano, sonia kapoor, OpenWISP
Ok I shall check that.

Does OpenWISP2 communicate over VPN or SFTP?


Regards


Federico Capoano

Jan 31, 2017, 1:52:04 AM
to Nikunj, sonia kapoor, OpenWISP

OpenWISP2 communicates over HTTPS and does not require a VPN.
You can and probably should use some kind of management vpn with openwisp2, but you can do this in a later step. The setup of openwisp2 should be easier: learning from the difficulties experienced in deploying openwisp1, I paid particular attention to make openwisp2 simpler. That's why I am suggesting everyone to use it, your feedback will help us improve it quickly so we can deprecate openwisp1 manager asap.

F.



Nikunj Shah

Jan 31, 2017, 5:57:15 AM
to OpenWISP
Thanks Federico.

I shall try to install openwisp2 also and share my feedback

Regards

Nikunj

Jan 31, 2017, 8:38:42 AM
to OpenWISP, Federico Capoano
Hi Federico,

As you suggested, the openwisp2 controller is relatively simpler and better documented.

Currently I am facing a couple of issues with openwisp2 firmware

-- Openwisp2 firmware is not able to communicate with the controller. Can you please suggest the location of the logs? I am not able to find it in the /tmp/openwisp directory

-- Luci GUI interface throws the below error. Any probable suggestions, as I am not much aware

/usr/lib/lua/luci/controller/openwisp/actions.lua:12: attempt to call global 'post' (a nil value)
stack traceback:
	/usr/lib/lua/luci/controller/openwisp/actions.lua:12: in function 'v'
	/usr/lib/lua/luci/dispatcher.lua:536: in function 'createtree'
	/usr/lib/lua/luci/dispatcher.lua:201: in function 'dispatch'
	/usr/lib/lua/luci/dispatcher.lua:168: in function </usr/lib/lua/luci/dispatcher.lua:167>


Thanks
Regards,



Federico Capoano

Jan 31, 2017, 9:05:52 AM
to Nikunj, OpenWISP
On Tue, Jan 31, 2017 at 2:38 PM Nikunj <niku...@gmail.com> wrote:
As you suggested, the openwisp2 controller is relatively simpler and better documented.
 
I suppose you managed to install it, is my supposition correct?

Currently I am facing a couple of issues with openwisp2 firmware

-- Openwisp2 firmware is not able to communicate with the controller. Can you please suggest the location of the logs? I am not able to find it in the /tmp/openwisp directory

See "Debugging" section on the openwisp-config README and let me know if you manage to proceed.
 
-- Luci GUI interface throws the below error. Any probable suggestions, as I am not much aware

/usr/lib/lua/luci/controller/openwisp/actions.lua:12: attempt to call global 'post' (a nil value)
stack traceback:
	/usr/lib/lua/luci/controller/openwisp/actions.lua:12: in function 'v'
	/usr/lib/lua/luci/dispatcher.lua:536: in function 'createtree'
	/usr/lib/lua/luci/dispatcher.lua:201: in function 'dispatch'
	/usr/lib/lua/luci/dispatcher.lua:168: in function </usr/lib/lua/luci/dispatcher.lua:167>

MM.. this is weird. 

function 'v' doesn't seem to exist in that file:

What OpenWRT or LEDE version are you using? How did you install luci-openwisp? Did you compile your own image?

Also, I want to let you know luci-openwisp is optional. It's a web ui that is designed for a category of users we call "operators", people who just need to install the access points but do not need root access. If you install the devices yourself, you are better off using the default luci admin interface.
I just realized I need to make this more explicit in the documentation.

Federico

Nikunj

Jan 31, 2017, 9:44:10 AM
to Federico Capoano, OpenWISP
HI Federico,

Yes I was able to install openwisp2 controller successfully

For openwrt firmware, I am facing following error ( output of "logread | grep openwisp" )
When I take a packet capture(wireshark) on my production server, I can see HTTP and TCP packet communications between the device and openwisp2 controller (HTTPS server). In the HTTP request from device, the contents contain the secret(my configured secret) and a key(some encrypted value), rest of the values are blank. Any suggestions?

Tue Jan 31 12:42:08 2017 daemon.info openwisp: br-lan
Tue Jan 31 12:42:39 2017 daemon.err openwisp: Failed to connect to controller during registration: curl exit code 28
Tue Jan 31 12:43:09 2017 daemon.info openwisp: Registering device...
Tue Jan 31 12:43:09 2017 daemon.info openwisp: br-lan
Tue Jan 31 12:43:39 2017 daemon.err openwisp: Failed to connect to controller during registration: curl exit code 28
Tue Jan 31 12:44:09 2017 daemon.info openwisp: Registering device...
Tue Jan 31 12:44:09 2017 daemon.info openwisp: br-lan
Tue Jan 31 12:44:39 2017 daemon.err openwisp: Failed to connect to controller during registration: curl exit code 28
Tue Jan 31 12:45:09 2017 daemon.info openwisp: Registering device...
Tue Jan 31 12:45:09 2017 daemon.info openwisp: br-lan
Tue Jan 31 12:45:39 2017 daemon.err openwisp: Failed to connect to controller during registration: curl exit code 28
Tue Jan 31 12:46:09 2017 daemon.info openwisp: Registering device...
Tue Jan 31 12:46:09 2017 daemon.info openwisp: br-lan
 

I shall debug luci later in that case



Federico Capoano

Jan 31, 2017, 9:48:51 AM
to Nikunj, OpenWISP
"Failed to connect to controller during registration: curl exit code 28"

The curl docs say:

CURLE_OPERATION_TIMEDOUT (28)
Operation timeout. The specified time-out period was reached according to the conditions.

The request sent by openwisp-config timed out for some reason. Could you please paste the contents of /etc/config/openwisp_config, obscuring eventual sensitive information like uuid, key or shared_secret?


Nikunj

Jan 31, 2017, 12:05:38 PM
to Federico Capoano, OpenWISP
There is a file named openwisp in /etc/config on the device. Following is the output

root@OpenWrt:/etc/config# cat /etc/config/openwisp 
config controller 'http'
    option url '192.168.1.82'
    option shared_secret 'abcd'
    list unmanaged 'system.@led'
    list unmanaged 'network.loopback'
    list unmanaged 'network.@switch'
    list unmanaged 'network.@switch_vlan'


Regards


Federico Capoano

Jan 31, 2017, 12:12:37 PM
to Nikunj, OpenWISP

Can you reach the openwisp2 web application at:

https://192.168.1.82/admin

And can the device do that too (try with curl)?



SKapoor

Jan 31, 2017, 11:20:50 PM
to OpenWISP
Hi Federico,


I am very close to done with installing/setting up OpenWISP-manager-1 and firmware. After successful setup of openvpn on both sides with proper certification I am still facing an issue: when I do 'ps' the status shows openvpn is up and running, but at the same time I am not able to see 'setup00', which is the tun interface, when I do ifconfig on my access point.

Some error is eating it up. Please help me with this, I am not able to move on.

I will also try OpenWISP-2, which I agree is the next generation of the existing OpenWISP-1, but I want to get this done first :) ..hope you understand.

Here are the logs.
logs-openvpn

Federico Capoano

Feb 1, 2017, 3:45:40 AM
to SKapoor, OpenWISP
Please Sonia (and everyone reading this),

when you send logs, send them as plain text included in the email body (not as attachments). That will make the email easier and faster to read, which will be useful not only to me, but also to the future you that will go back to read it again, or another person who'll find the replies on search engines.

Here's the log contents:

Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3277]: OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2017
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3277]: library versions: PolarSSL 1.3.14, LZO 2.08
Wed Feb  1 05:11:15 2017 daemon.warn openvpn[3277]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Feb  1 05:11:15 2017 daemon.warn openvpn[3277]: WARNING: file '/etc/openvpn/client.key' is group or others accessible
Wed Feb  1 05:11:15 2017 daemon.warn openvpn[3277]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3277]: Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3277]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3277]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3277]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: UDPv4 link local: [undef]
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: UDPv4 link remote: [AF_INET]192.168.1.104:1194
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: TLS: Initial packet from [AF_INET]192.168.1.104:1194, sid=c980d555 1c3ffa86
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, ??=changeme, emailAddress=ma...@host.domain
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: Control Channel: TLSv1.0, cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA, 1024 bit RSA
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: [changeme] Peer Connection Initiated with [AF_INET]192.168.1.104:1194
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.6.151 255.255.255.0,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8'
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: OPTIONS IMPORT: route options modified
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: OPTIONS IMPORT: route-related options modified
Wed Feb  1 05:11:18 2017 daemon.warn openvpn[3278]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are usin)
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: TUN/TAP device setup00 opened
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: TUN/TAP TX queue length set to 100
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: /sbin/ifconfig setup00 10.8.0.2 pointopoint 255.255.255.0 mtu 1500
Wed Feb  1 05:11:18 2017 daemon.err openvpn[3278]: Linux ifconfig failed: external program exited with error status: 1
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: Exiting due to fatal error

It seems everything goes fine until the device tries to run ifconfig.

Questions:
  • is this log from a network device running OpenWRT/LEDE or from the central server?
  • does the user running openvpn have the privileges to run ifconfig? If you are on the server, you may need to configure openvpn to run as root;
    doing so may not be the most secure option, there is a way to run openvpn as unprivileged user but it is even harder and I suggest you to try the easy way now and make it more secure later
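
The two OpenVPN client logs posted in this thread (the Jan 19 certificate failure and the Feb 1 ifconfig failure) can be triaged mechanically. The script below is an added example, not code from the thread or from OpenWISP; the finding labels are made up for this example, and the embedded sample consists of lines copied from the Feb 1 log above.

```shell
#!/bin/sh
# Added example, not from the thread: triage OpenVPN client syslog lines.
# Reads logread-style lines on stdin, prints one finding per line:
#   FATAL <stage> <detail>  step at which the client gave up
#   WARN  <check> [detail]  warnings OpenVPN itself logged
#   WEAK  <what>  <detail>  negotiated parameters that are outdated
triage_openvpn_log() {
    awk '
    /openvpn\[[0-9]+\]: / {
        msg = $0
        sub(/^.*openvpn\[[0-9]+\]: /, "", msg)

        if (msg ~ /^Cannot load certificate file /) {
            sub(/^Cannot load certificate file /, "", msg)
            print "FATAL cert-load " msg
        } else if (msg ~ /^\/sbin\/ifconfig /) {
            last_ifconfig = msg            # remember the command that ran
        } else if (msg ~ /^Linux ifconfig failed/) {
            print "FATAL ifconfig " last_ifconfig
        } else if (msg ~ /No server certificate verification method/) {
            if (!seen_noverify++)          # repeated on every restart
                print "WARN no-server-cert-verification"
        } else if (msg ~ /is group or others accessible/) {
            split(msg, q, "\047")          # path sits between single quotes
            print "WARN key-file-permissions " q[2]
        } else if (msg ~ /second argument to --ifconfig must be an IP address/) {
            print "WARN ifconfig-peer-not-ip"
        } else if (msg ~ /^Data Channel Encrypt: Cipher /) {
            split(msg, q, "\047")
            if (q[2] ~ /^(BF|DES|CAST5|RC2)/)   # 64-bit block ciphers
                print "WEAK data-cipher " q[2]
        } else if (msg ~ /^Control Channel: /) {
            n = split(msg, part, ", ")
            sub(/^Control Channel: /, "", part[1])
            if (part[1] ~ /^(SSLv|TLSv1\.[01]$)/)
                print "WEAK tls-version " part[1]
            split(part[n], kb, " ")
            if (kb[3] == "RSA" && kb[1] + 0 < 2048)
                print "WEAK rsa-key-bits " kb[1]
        }
    }'
}

# Sample input: lines copied from the Feb 1 log in this thread.
sample_log() {
    cat <<'EOF'
Wed Feb  1 05:11:15 2017 daemon.warn openvpn[3277]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Feb  1 05:11:15 2017 daemon.warn openvpn[3277]: WARNING: file '/etc/openvpn/client.key' is group or others accessible
Wed Feb  1 05:11:15 2017 daemon.warn openvpn[3277]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb  1 05:11:15 2017 daemon.notice openvpn[3278]: Control Channel: TLSv1.0, cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA, 1024 bit RSA
Wed Feb  1 05:11:18 2017 daemon.warn openvpn[3278]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are usin)
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: TUN/TAP device setup00 opened
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: /sbin/ifconfig setup00 10.8.0.2 pointopoint 255.255.255.0 mtu 1500
Wed Feb  1 05:11:18 2017 daemon.err openvpn[3278]: Linux ifconfig failed: external program exited with error status: 1
Wed Feb  1 05:11:18 2017 daemon.notice openvpn[3278]: Exiting due to fatal error
EOF
}

sample_log | triage_openvpn_log
```

On a device the same function can be fed live data with `logread | triage_openvpn_log`.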



SKapoor

Feb 1, 2017, 4:21:45 AM
to OpenWISP
Sure Federico, will take care :)

The ifconfig issue is resolved.

Good news is everything is up, I mean openvpn and ifconfig are working fine and I am able to see both interfaces up and running, but
now the problem is the openvpn server and client are not able to ping each other; it is trying to wget the configuration file but failing.
Here are the logs.
##################################################################################################################

root@Unconfigured:~# cat /tmp/owispmanager.status 
--- Thu Jan  1 00:00:11 UTC 1970 ------------------
* Checking prerequisites... 
uHTTP Daemon is present!
hostapd is present (hostapd v2.5-devel)
OpenVPN is present
dnsmasq is present (Dnsmasq version 2.73  Copyright (c) 2000-2015 Simon Kelley)
Time synchronization daemon is present
Wget is present
GNU netcat is present (netcat (The GNU Netcat) 0.7.1)
phy0 up and running
phy0 ok, let's rock!
* Cleaning up...
* Uninstalling runtime configuration
--- Wed Feb  1 09:52:03 CET 2017 ------------------
* Uninstalling active configuration
sh: unknown: bad number

* Stopping configuration services
--- Wed Feb  1 09:52:03 CET 2017 ------------------
* Stopping configuration services

* Goodbye!

* (Re-)starting...

--- Wed Feb  1 09:52:03 CET 2017 ------------------
* VPN is down, trying to restart it
** Can't update date/time: check network configuration, DNS and NTP and/or HTTP connectivity **
* VPN correctly started

--- Wed Feb  1 10:11:00 CET 2017 ------------------
Retrieving configuration...
* Cannot retrieve configuration from server!

--- Wed Feb  1 10:11:03 CET 2017 ------------------
* Stopping configuration services

--- Wed Feb  1 10:11:03 CET 2017 ------------------
* Starting configuration services
Configuration file: /tmp//configuration.hostapd
Using interface setup99 with hwaddr 00:20:a6:f6:1d:fe and ssid "owf-EA:6D:9A:CF:BB:43"
setup99: interface state UNINITIALIZED->ENABLED
setup99: AP-ENABLED 

--- Wed Feb  1 10:11:09 CET 2017 ------------------
Retrieving configuration...
* Cannot retrieve configuration from server!

--- Wed Feb  1 10:11:17 CET 2017 ------------------
Retrieving configuration...
* Cannot retrieve configuration from server!

--- Wed Feb  1 10:11:25 CET 2017 ------------------
Retrieving configuration...
* Cannot retrieve configuration from server!

--- Wed Feb  1 10:11:33 CET 2017 ------------------
Retrieving configuration...
* Cannot retrieve configuration from server!
##############################################################################################################################################

2840 root      1372 S    wget -O /tmp//owispmanager//configuration.tar.gz http://10.8.0.1:80/get_config/EA:6D:9A:CF:BB:43

############################################################################################################################################

What am I missing?

Regards

Nikunj

Feb 1, 2017, 4:27:14 AM
to Federico Capoano, OpenWISP

The registration of the device is successful now.

The issue was that the script was not able to extract the MAC Address from the interface. I have hardcoded the MAC in the openwisp_config file.

Thanks for the help.


Regards,
Nikunj
 

Federico Capoano

Feb 1, 2017, 4:28:55 AM
to OpenWISP
Check the configuration of the webserver, ensure OpenWISP1 Manager is reachable on that ip address.

Federico

Federico Capoano

Feb 1, 2017, 4:30:28 AM
to OpenWISP


On Wednesday, February 1, 2017 at 10:27:14 AM UTC+1, Nikunj Shah wrote:

The registration of the device is successful now.
 
Great news

The issue was that the script was not able to extract the MAC Address from the interface. I have hardcoded the MAC in the openwisp_config file.

Oh no! That should not happen, please let me understand what happened!

What type of device are you using?
Did you hardcode the MAC address in /usr/sbin/openwisp_config or in /etc/config/openwisp?

Federico