A common mistake when setting up a VPN based on OpenVPN is the type of adapter that is used. If the server is configured to use a TUN-style network but a client is configured to use a TAP-style interface, then the VPN connection will fail. In this recipe, we will show what is typically seen when this common configuration error is made.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks.
Start the server using the configuration file basic-udp-server.conf:
[root@server]# openvpn --config basic-udp-server.conf
Create the client configuration file, which deliberately uses a TAP-style interface (dev tap) while the server uses TUN:
client
proto udp
remote openvpnserver.example.com
port 1194
dev tap
nobind
remote-cert-tls server
tls-auth /etc/openvpn/cookbook/ta.key 1
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client1.crt
key /etc/openvpn/cookbook/client1.key
Save it as example6-2-client.conf.
[root@client]# openvpn --config example6-2-client.conf
The client log will show the following:
... WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
... WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1541'
... WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
... [openvpnserver] Peer Connection Initiated with server-ip:1194
... TUN/TAP device tap0 opened
... /sbin/ip link set dev tap0 up mtu 1500
... /sbin/ip addr add dev tap0 10.200.0.2/24 broadcast 10.200.0.255
... Initialization Sequence Completed
Note that the client reports "Initialization Sequence Completed" despite the warnings: the TLS handshake succeeds and the interface comes up, so the mismatch only shows when traffic is sent. At this point, you can try pinging the server, but it will respond with an error:
[client]$ ping 10.200.0.1
PING 10.200.0.1 (10.200.0.1) 56(84) bytes of data.
From 10.200.0.2 icmp_seq=2 Destination Host Unreachable
From 10.200.0.2 icmp_seq=3 Destination Host Unreachable
From 10.200.0.2 icmp_seq=4 Destination Host Unreachable
A TUN-style interface offers a point-to-point connection over which only IP traffic can be tunneled. A TAP-style interface offers the equivalent of an Ethernet interface, so every packet carries an extra Ethernet header. This allows a user to tunnel other types of traffic (non-IP protocols, broadcasts) over the interface. When the client and the server are misconfigured, the expected packet size differs, as the client log shows:
... WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
This shows that each packet sent through a TAP-style interface is 32 bytes larger than a packet sent through a TUN-style interface. The two peers therefore disagree on the framing of every tunneled packet, which is why the tunnel comes up but no traffic passes.
By correcting the client configuration (replacing dev tap with dev tun so that it matches the server), this problem is resolved.
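As an added example that is not part of the cookbook, the following Python checker catches this mismatch in two ways: before connecting, by comparing the dev and dev-type directives of a server and a client configuration, and after the fact, by parsing the "is used inconsistently" warnings out of the client log. The client configuration and log lines are the ones shown in this recipe; the server configuration is a constructed minimal stand-in for basic-udp-server.conf, which this recipe does not reproduce.

```python
import re

# OpenVPN's option-consistency warning, as it appears in the client log:
# WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)

# Constructed stand-in for basic-udp-server.conf (the recipe's server uses TUN).
SERVER_CONF = """\
proto udp
port 1194
dev tun           # TUN-style, point-to-point, IP only
server 10.200.0.0 255.255.255.0
"""

# Client configuration from the recipe (the misconfigured side).
CLIENT_CONF = """\
client
proto udp
remote openvpnserver.example.com
port 1194
dev tap
nobind
remote-cert-tls server
"""

# Client log lines from the recipe, constructed here as sample input.
SAMPLE_LOG = """\
WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1541'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
[openvpnserver] Peer Connection Initiated with server-ip:1194
TUN/TAP device tap0 opened
Initialization Sequence Completed
"""


def dev_type_of(config_text):
    """Infer 'tun' or 'tap' from an OpenVPN config.

    An explicit dev-type wins; otherwise the prefix of the dev name decides,
    which is how OpenVPN itself resolves it. Comments (# or ;) are ignored.
    """
    dev = dev_type = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "dev-type" and len(parts) > 1:
            dev_type = parts[1]
        elif parts[0] == "dev" and len(parts) > 1:
            dev = parts[1]
    if dev_type in ("tun", "tap"):
        return dev_type
    if dev is None:
        return None
    for kind in ("tun", "tap"):
        if dev.startswith(kind):
            return kind
    return None


def configs_match(server_conf, client_conf):
    """Return (match, server_type, client_type) for a server/client pair."""
    s, c = dev_type_of(server_conf), dev_type_of(client_conf)
    return (s is not None and s == c, s, c)


def _strip_opt(value, opt):
    # 'dev-type tap' -> 'tap'
    return value[len(opt):].strip() if value.startswith(opt) else value


def parse_inconsistency_warnings(log_text):
    """Return [(option, local_value, remote_value), ...] from OpenVPN log text."""
    found = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            opt = m.group("opt")
            found.append((opt,
                          _strip_opt(m.group("local"), opt),
                          _strip_opt(m.group("remote"), opt)))
    return found


def mtu_delta(warnings):
    """Difference between local and remote tun-mtu, or None if not reported."""
    for opt, local, remote in warnings:
        if opt == "tun-mtu":
            return int(local) - int(remote)
    return None


if __name__ == "__main__":
    ok, s, c = configs_match(SERVER_CONF, CLIENT_CONF)
    print("config check:", "OK" if ok else f"MISMATCH server={s} client={c}")
    warns = parse_inconsistency_warnings(SAMPLE_LOG)
    for opt, local, remote in warns:
        print(f"log: {opt} local={local} remote={remote}")
    print("tun-mtu delta:", mtu_delta(warns))
```

The log parser is useful on its own because, as the recipe shows, OpenVPN still reports "Initialization Sequence Completed" after these warnings; alerting on any "is used inconsistently" line catches the problem before anyone starts chasing the Destination Host Unreachable errors.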