ipcop support

I'm just about ready to get my VPN working, I just need to get the server started. All the certificates are generated, and I have the option to start the server. However when I click it, the page refreshes and it still says stopped. I have checked the logs and there isn't anything there.

I have a feeling it might be related to the fact that I changed the default local VPN Hostname/IP and the Subnet to new values. I have tried dumping all certificates and starting over and that didn't help either.

Anyone have any ideas?

Thanks, sharf.

Have you actually set up any tunnels yet? From what I recall, it doesn't show as running unless there's at least one active tunnel.

I added a user certificate, but that says closed. Though when I tried(unsuccessfuly) to set up a VPN before, it showed "running" without any user certificates.

@taustin: sharf wants a vpn between IPCop and the internet... Do not search the other side.
See here:
viewtopic.php?f=5&t=17055

only a variation of still unreplied topic
Franck

_________________
IPCop 1.4.24 patch, fixes SNORT and other pending updates. Here: http://franck78.ath.cx
http://ipcop.cvs.sourceforge.net/viewvc/ipcop/ipcop/html/cgi-bin/

I'm sorry if you think it is a variation of an unreplied topic. I stopped posting there because the information being provided was not helpful, and no longer on topic with my request. I have SINCE got the VPN working (I hope) the only problem now, is that I cannot get the server itself started. This is a very SPECIFIC (as the mods have told me repeatedly to be) question that does not belong in the general software forum. That post was about setting up SSH for remote access to the webGUI. Since VPN will get me there, and more securely, I decided to take that route. My question is now SPECIFICALY about VPNS, not whether I should use SSH or some other method of remote access.

I will go ask that my other topic be closed if you feel this is a copy of it.

What version AND where is the client connecting to the IPCop Server ?

_________________
IPCop 1.4.24 patch, fixes SNORT and other pending updates. Here: http://franck78.ath.cx
http://ipcop.cvs.sourceforge.net/viewvc/ipcop/ipcop/html/cgi-bin/

What version of IPCop? As I said in the topic title, 2.0.4. The client is trying to connect to the IPCop from the RED interface. The client get's the error "read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)". There are no errors (as far as I can tell) related to OpenVPN in the IPCop logs. When I press the "Start OpenVPN Server" button, the page "refreshes" acknowledging that I pressed the button, but the server stays in the "Stopped" state. I have tried deleted and regenerating all certificates, changing various settings (including adding a dynamic DNS and removing it, enabling/disabling SSH), taking out all firewall rules, and rebooting the system. Nothing I do can seem to get it started.

They say a picture is worth a thousand words, I hope the attached screenshots from a working v2.0.4 basic OpenVPN setup assist.

@MickZA: That is the exact same setup as mine (different hostname and subnet though, and no compression) but mine will not turn to "Running" when I press the button. That is where my problem lies. I have those settings, and I cannot get it started.

.... and the same hostname is declared under Services/Dynamic DNS and can be pinged?

I do not have a dynamic DNS setup within IPCop. But the hostname on the OpenVPN page can be pinged.

I'm sure it can be pinged, but it's not the RED IP address of your IPCop as it hasn't been updated.

Declare it and you should be OK.

Edit: Obviously the hostname you use must be unique for your IPCop and not used by another system.

It automatically resolves to my current IP Address. the hostname can be pinged/resolved to my RED IP Address given to me by my ISP. The external IP Address a.b.c.d given by my ISP, is the same address of mydomain.no-ip.biz I have a resolver on a server behind the firewall. (On that note, my supposedly "dynamic" IP Address has not changed in 5 years.)

I will be glad to declare it, but what exactly do you mean by that?

.... I will be glad to declare it, but what exactly do you mean by that?

Declare a new dynamic DNS for your IPCop at dyn.com eg: ipcopsharf.dnsalias.net (you could use no-ip but problems were reported with earlier versions of IPCop v2) and use this in Services/Dynamic DNS & OpenVPN.

Not sure why it needs to have a dynamic DNS registered to work, but I'll give it a shot and see what happens.

If your ISP has given you a static IP for RED you would use that (see System/Home IP Address (Internet): xxx.xxx.xxx.xxx) instead of a dynamic DNS name in OpenVPN.

BTW you'll need to create new certificates for the road warriors once you've sorted the hostname/IP issues out.

Alright well here's my problem. dyn.com requries me to put in a credit card. So I can't use that. I have a "static" IP from my ISP. I use quotes because it has not changed in 5 years even though it's supposed to. If I set up my VPN with my external address, the one my ISP gives me, it should work, until the IP changes and then I have to redo everything, correct?

..... If I set up my VPN with my external address, the one my ISP gives me, it should work, until the IP changes and then I have to redo everything, correct?

Correct, but you get free accounts from dyn.com as well. Also you could try no-ip.com as I think the issues might have been resolved, from my System/Updates page:

2.0.4 Fix for some not working dynamic DNS updaters after the 2.0.3 update.

Alright well I must not have found the right part of dyn.com, I only found a free trial. Regardless before we go to far im not sure this will fix the problem.

On my OpenVPN page, the hostname is currently set my external RED IP that my ISP gave me. The server still wont start, So I don't think setting up the dyndns(which I will do eventually anyway) will solve my problem.

Hi Sharf,

Some things that may or may not help.
I have my OpenVPN server setup to use TCP protocol, port 1194, MTU 1400, Encryption is BF-CBC & I use pre-shared keys.
Under the advanced section (can only be accessed when server is off) under "Push Routes" I only have Green & Blue Network selected.
Under Miscellaneous Options I have Static IP selected, Max Clients 100, Keep Alive 10 & 60.

You can setup the client to connect to either a host name (must be registered on a DNS somewhere) or ip address if static.

As far as I know you have to connect from the client on a seperate external internet connection from your red interface.
Although there has been discussion about OpenVPN from blue to green for example. Never tried it myself.

My server shows as running even with no active connections.

Hope this makes sense & some of it helps.

PS: I have client machines remote connecting using W-XP, W7, Mac OS-X Leopard & Lion as well as Linux Mint 11.
Not bragging just saying it can be done, the server & Host Certificate is the key.

EDIT: I forgot to mention if you want to remote admin IPC you have to add a Firewall rule for the OpenVPN connection in the IPCOP Access section.

Regards.

_________________
IPCop 2.0.4 - Copfilter 2.0.91beta3
RED - GREEN - BLUE - IPSec - OpenVPN
Pentium Dual Core 2.6Ghz - 2Gb RAM - 80Gb ATA HDD
Realtek RTL-8110SC/8169SC - 2 x Realtek RTL-8169

@Moshari: Thanks for the tips. I have tried those settings, and still no luck. Connecting clients is impossible (regardless of where they are, even though they are out on the RED) because the server won't start.

This is just a thought, and I can't imagine how, but could the server not be starting becuause I am editing it remotely? By that I don't mean external IPCop Access, I mean using teamviewer to control a computer behind the firewall. There are no firewall rules to allow external IPCop access, just a port forward.

IPCOP doesn't care how your admin it.

Sometimes, after fumbling around with various config options, the solution is simply starting fresh.

Do a fresh IPCOP install, setup OpenVPN, and see what happens.

Until you get a working solution, do NOT start out changing things. Just use the default options and see if that works for your setup. Once you have a working setup, then start changing it to suit your needs (or whims). If it still works, good job, if it breaks, at least then you know exactly what fubar'd your system.

_________________
For the 2.5^15th time :: Better Details = Better Answers

That's what I figured. I just thought I'd try fixing it remotely, because I wont be able to reinstall for a few weeks.

and the troll keep running. Don't you see this guy never gives usefull informations and allways have a new problem for each beginning of a solution ?

_________________
IPCop 1.4.24 patch, fixes SNORT and other pending updates. Here: http://franck78.ath.cx
http://ipcop.cvs.sourceforge.net/viewvc/ipcop/ipcop/html/cgi-bin/

What are you talking about? I've been working with everyone's ideas, tried them, posted the results, then just AGREED with VonSkippy that reinstalling is the best solution. Who is trolling? Who isn't giving information? The only one I see doing that is you.,