

Alicia Asín – October 29, 2008

If you are going to administer a remote mesh network, the first thing you need is a secure way to access it. The IPsec protocol provides integrity and confidentiality for the data crossing the network, although it can be very hard to set up because of the large number of options that can be configured. This article describes an easy way to configure secure remote access to a network using OpenVPN.


IPsec can operate in two different modes: transport and tunnel. In transport mode, the traffic between two end nodes is protected, but a gateway between them cannot apply the encryption transparently on their behalf; an IPsec header is inserted into the original IP packet so that the cryptographic functions can be applied to it. In tunnel mode, the whole IP packet is encapsulated inside another IP packet, which allows an intermediate gateway to provide IPsec protection to an entire network. Tunnel mode is the appropriate one for a VPN and is what we are going to use here.

OpenVPN is an open source VPN solution based on SSL/TLS that offers the same functionality as IPsec in tunnel mode. Multiple clients can connect to a single openvpn server process over a single TCP or UDP port. It supports different authentication methods based on certificates, smart cards and username/password credentials; in this article we use the certificate method. The scenario assumed here has an openvpn server in a private network behind a NAT.

  • Install openvpn package
    Log in to your Meshlium mesh router and install the package on both the server and the clients.

aptitude install openvpn

Create the certificates
When using certificate-based authentication, you need to create the certificates first. You can do this in several ways: with the openssl command line tool, with the TinyCA GUI, or with other tools. The openvpn package also includes the scripts needed to create them easily.

  • CA entity
    First, we create the CA entity, which will sign all the certificates we build.

root@kaizen:/usr/share/doc/openvpn/examples/easy-rsa/2.0# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
root@kaizen:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./clean-all
root@kaizen:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
......................................................++++++
.++++++

writing new private key to 'ca.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [US]:ES
State or Province Name (full name) [CA]:za
Locality Name (eg, city) [SanFrancisco]:za
Organization Name (eg, company) [Fort-Funston]:libelium
Organizational Unit Name (eg, section) []:id
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Email Address [[email protected]]:[email protected]

  • Server
    The build-key-server script designates the certificate as a server-only certificate by setting nsCertType=server. This is a precaution against a potential man-in-the-middle attack. Remember to add the ns-cert-type server line to the clients' config files.
root@kaizen:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
..............++++++
...........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:ES
State or Province Name (full name) [CA]:za
Locality Name (eg, city) [SanFrancisco]:za
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:Lib
Common Name (eg, your name or your server's hostname) [server]:openvpn-server
Email Address [[email protected]]:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'za'
localityName          :PRINTABLE:'za'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'Lib'
commonName            :PRINTABLE:'openvpn-server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jul 9 11:57:34 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

In this case we have chosen not to protect the certificate's private key with a passphrase, so that it is not requested every time the router boots. Instead, you can create an encrypted partition in Meshlium and keep the certificates safe there.

  • Clients

Use the build-key script followed by the name of the client you are creating the certificate for.

root@kaizen:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key libelium1-mesh
Generating a 1024 bit RSA private key
..............++++++
........................................................++++++
writing new private key to 'libelium1-mesh.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:ES
State or Province Name (full name) [CA]:za
Locality Name (eg, city) [SanFrancisco]:za
Organization Name (eg, company) [Fort-Funston]:libelium
Organizational Unit Name (eg, section) []:id
Common Name (eg, your name or your server's hostname) [libelium1-mesh]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'za'
localityName          :PRINTABLE:'za'
organizationName      :PRINTABLE:'libelium'
organizationalUnitName:PRINTABLE:'id'
commonName            :PRINTABLE:'libelium1-mesh'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jul  9 12:01:09 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Once you have created the certificates, you will get a directory similar to this one:

root@kaizen:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# ls -l
total 96
-rw-r--r-- 1 root root 1257 2008-07-11 13:53 ca.crt
-rw------- 1 root root 891 2008-07-11 13:53 ca.key
-rw-r--r-- 1 root root 3794 2008-07-11 14:01 libelium1-mesh.crt
-rw-r--r-- 1 root root 680 2008-07-11 14:01 libelium1-mesh.csr
-rw------- 1 root root 887 2008-07-11 14:01 libelium1-mesh.key
-rw-r--r-- 1 root root 3794 2008-07-11 14:01 libelium2-mesh.crt
-rw-r--r-- 1 root root 680 2008-07-11 14:01 libelium2-mesh.csr
-rw------- 1 root root 887 2008-07-11 14:01 libelium2-mesh.key
-rw-r--r-- 1 root root 3794 2008-07-11 14:01 libelium3-mesh.crt
-rw-r--r-- 1 root root 680 2008-07-11 14:01 libelium3-mesh.csr
-rw------- 1 root root 887 2008-07-11 14:01 libelium3-mesh.key
-rw-r--r-- 1 root root 439 2008-07-11 14:02 index.txt
-rw-r--r-- 1 root root 20 2008-07-11 14:02 index.txt.attr
-rw-r--r-- 1 root root 3 2008-07-11 14:02 serial
-rw-r--r-- 1 root root 3938 2008-07-11 13:57 server.crt
-rw-r--r-- 1 root root 696 2008-07-11 13:57 server.csr
-rw------- 1 root root 887 2008-07-11 13:57 server.key

Copy the ca.crt file to both the server and the clients, the server.* files to your openvpn server, and each client's certificate and key to that client.

Finally, create the Diffie-Hellman parameters (server only).

#openssl dhparam -out dh1024.pem 1024

This file contains the parameters for the Diffie-Hellman protocol. Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties with no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. These parameters are used in the SSL/TLS handshake renegotiation, which occurs once per hour for each client.

OpenVPN gives the user the option of using a pre-shared passphrase (or static key) in conjunction with the --tls-auth directive to generate an HMAC key that authenticates the packets which are themselves part of the TLS handshake sequence. This protects against buffer overflows in the OpenSSL TLS implementation, because an attacker cannot even initiate a TLS handshake without being able to generate packets with the correct HMAC signature. To generate this key:

#openvpn --genkey --secret ta.key
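
As an added example (not code from the article or from the easy-rsa scripts), here are the same three certificate steps done non-interactively with plain openssl, followed by the check that a client configured with ns-cert-type server effectively performs: the presented certificate must chain to ca.crt and must carry nsCertType=server. Assumed for this example: openssl on PATH, no key passphrases (the choice made above), 2048-bit keys instead of 1024, and constructed subject names and file names. The Diffie-Hellman and tls-auth steps are the two commands shown above and are not repeated here.

```shell
#!/bin/sh
# Added example, not part of the original article or of the easy-rsa scripts:
# a non-interactive equivalent of ./build-ca, ./build-key-server and
# ./build-key using plain openssl, plus the check a client performs when
# "ns-cert-type server" is set. Assumptions: openssl is on PATH, no key
# passphrases (as chosen in the article); subjects, names and the 2048-bit
# key size are constructed for this example.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Self-signed CA certificate and key (what ./build-ca produces).
build_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=ES/O=libelium/CN=example-CA" \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
  chmod 600 "$PKI_DIR/ca.key"
}

# Key + CSR + CA-signed certificate for $1; $2 is "server" or "client".
# Only the server certificate gets nsCertType=server (as ./build-key-server
# does); client certificates signed by the same CA do not carry it.
issue_cert() {
  name=$1; role=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=ES/O=libelium/CN=$name" \
    -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' > "$PKI_DIR/$name.ext"
  if [ "$role" = server ]; then
    printf 'nsCertType=server\n' >> "$PKI_DIR/$name.ext"
  fi
  openssl x509 -req -days 3650 -in "$PKI_DIR/$name.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
  chmod 600 "$PKI_DIR/$name.key"
}

# Succeeds only if certificate $2 chains to CA $1 AND is marked
# nsCertType=server. A valid client certificate from the same CA passes the
# first test but fails the second, which is what stops another client
# (holding a perfectly valid certificate) from posing as the server.
check_server_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q 'SSL Server'
}

build_ca
issue_cert openvpn-server server
issue_cert libelium1-mesh client

for name in openvpn-server libelium1-mesh; do
  if check_server_cert "$PKI_DIR/ca.crt" "$PKI_DIR/$name.crt"; then
    echo "$name.crt: valid chain and nsCertType=server -> usable as the VPN server"
  else
    echo "$name.crt: NOT a server certificate -> a client with 'ns-cert-type server' rejects it"
  fi
done
ls -l "$PKI_DIR"
```

Running it shows openvpn-server.crt accepted and libelium1-mesh.crt rejected even though both chain to the same CA: that is the man-in-the-middle protection the ns-cert-type server line gives the clients, since a lost or copied client certificate cannot be used to impersonate the server.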

  • Edit configuration files

    Finally, edit the /etc/openvpn/openvpn.conf file on each router according to its role. More information is available in the OpenVPN documentation.
    • Server
#################################################
# Libelium OpenVPN 2.0 config file for
# multi-client server.
#
# This file is for the server side
# of a many-clients <-> one-server
# OpenVPN configuration.
#
# 11 July 2008
# Author: Alicia Asín
#################################################

# define role
tls-server

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca certs/ca.crt
cert certs/server.crt
key certs/server.key # This file should be kept secret
dh certs/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 192.168.100.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 192.168.100.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.100.0 255.255.255.0

# This directive allows different clients to
# "see" each other. By default (with it commented
# out) clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
cipher AES-128-CBC # AES

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 0

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

    • Clients

#################################################
# Libelium OpenVPN 2.0 client config file for
# connecting to the multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# 11 July 2008
# Author: Alicia Asín
#################################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
tls-client 
# "dev tun" will create a routed IP tunnel,
dev tun
# Are we connecting to a TCP or UDP server?
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers. 
remote 89.130.x.x 23069
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca certs/ca.crt
cert certs/libelium1-mesh.crt
key certs/libelium1-mesh.key
# Accept only THIS server certificate, not any server certificate
tls-remote openvpn-server
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". 
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 0
# Silence repeating messages
mute 20
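
Because the server and client files must agree on several directives, here is an added example (not part of the article) of a small shell check that compares the two before the tunnel is started. The configs it reads are constructed from the ones above, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: a consistency check
# between a server config and a client config for the "must also be set on
# the other side" points made in the comments above (proto, cipher,
# comp-lzo, tls-auth key direction) and for the client-side server
# certificate check. File names and the sample configs are constructed here.
set -u

# Print the arguments of the first occurrence of directive $2 in file $1.
# Comments (# or ; to end of line) are stripped first, so inline comments
# such as "key certs/server.key # This file should be kept secret" are fine.
conf_get() {
  awk -v key="$2" '
    { sub(/[#;].*/, "") }
    $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Succeed if directive $2 appears (uncommented) in file $1.
conf_has() {
  awk -v key="$2" '{ sub(/[#;].*/, "") } $1 == key { f = 1; exit } END { exit f ? 0 : 1 }' "$1"
}

# Compare server config $1 with client config $2. Prints every mismatch and
# returns the number of problems found (0 means the pair is consistent).
# Ports are deliberately not compared: the server listens on 1194 while the
# client connects to the port forwarded by the NAT, as in the configs above.
check_vpn_confs() {
  srv=$1; cli=$2; problems=0
  fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
  [ "$(conf_get "$srv" proto)" = "$(conf_get "$cli" proto)" ] \
    || fail "proto differs: server '$(conf_get "$srv" proto)', client '$(conf_get "$cli" proto)'"
  if conf_has "$srv" cipher; then
    [ "$(conf_get "$srv" cipher)" = "$(conf_get "$cli" cipher)" ] \
      || fail "cipher differs: server '$(conf_get "$srv" cipher)', client '$(conf_get "$cli" cipher)'"
  fi
  if conf_has "$srv" comp-lzo; then
    conf_has "$cli" comp-lzo || fail "comp-lzo set on server but not on client"
  elif conf_has "$cli" comp-lzo; then
    fail "comp-lzo set on client but not on server"
  fi
  if conf_has "$srv" tls-auth; then
    sdir=$(conf_get "$srv" tls-auth | awk '{ print $2 }')
    [ "$sdir" = 0 ] || fail "server tls-auth direction should be 0, got '$sdir'"
    if conf_has "$cli" tls-auth; then
      cdir=$(conf_get "$cli" tls-auth | awk '{ print $2 }')
      [ "$cdir" = 1 ] || fail "client tls-auth direction should be 1, got '$cdir'"
    else
      fail "server uses tls-auth but client has no tls-auth line"
    fi
  fi
  # Without one of these the client accepts any certificate signed by the CA
  # as the server (OpenVPN warns about this at startup).
  if ! conf_has "$cli" ns-cert-type && ! conf_has "$cli" remote-cert-tls; then
    fail "client has neither 'ns-cert-type server' nor 'remote-cert-tls server'"
  fi
  return $problems
}

WORK=$(mktemp -d)
# Constructed server config: the relevant lines of the one above.
cat > "$WORK/server.conf" <<'EOF'
tls-server
port 1194
proto udp
key certs/server.key # This file should be kept secret
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
EOF
# Constructed client config that matches the server.
cat > "$WORK/client-good.conf" <<'EOF'
client
proto udp
remote 89.130.x.x 23069
key certs/libelium1-mesh.key
tls-remote openvpn-server
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
EOF
# Constructed client config with three mistakes: tls-auth direction 0,
# a different cipher, and no server certificate check at all.
cat > "$WORK/client-bad.conf" <<'EOF'
client
proto udp
remote 89.130.x.x 23069
key certs/libelium2-mesh.key
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
EOF

for c in client-good client-bad; do
  echo "== $c.conf"
  if check_vpn_confs "$WORK/server.conf" "$WORK/$c.conf"; then echo "OK: consistent with server.conf"; fi
done
```

The check reports nothing for the first client and three problems for the second; the missing ns-cert-type server line is the one that matters most, since without it the client will trust any certificate the CA has ever issued, including another client's.
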
  • Testing

Now it is time to test your VPN (the outputs below were generated with verb 5). Start the server from the command line:

meshLium-AX:/etc/openvpn# openvpn server.conf
Mon Jul 14 07:14:47 2008 OpenVPN 2.1_rc4 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 9 2007
Mon Jul 14 07:14:47 2008 Diffie-Hellman initialized with 1024 bit key
Enter Private Key Password:
Mon Jul 14 07:14:52 2008 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 14 07:14:52 2008 TUN/TAP device tun0 opened
Mon Jul 14 07:14:52 2008 TUN/TAP TX queue length set to 100
Mon Jul 14 07:14:52 2008 /sbin/ifconfig tun0 192.168.100.1 pointopoint 192.168.100.2 mtu 1500
Mon Jul 14 07:14:52 2008 /sbin/route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.2
Mon Jul 14 07:14:52 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 14 07:14:52 2008 GID set to nogroup
Mon Jul 14 07:14:52 2008 UID set to nobody
Mon Jul 14 07:14:52 2008 Socket Buffers: R=[109568->131072] S=[109568->131072]
Mon Jul 14 07:14:52 2008 UDPv4 link local (bound): [undef]:1194
Mon Jul 14 07:14:52 2008 UDPv4 link remote: [undef]
Mon Jul 14 07:14:52 2008 MULTI: multi_init called, r=256 v=256
Mon Jul 14 07:14:52 2008 IFCONFIG POOL: base=192.168.100.4 size=62
Mon Jul 14 07:14:52 2008 IFCONFIG POOL LIST
Mon Jul 14 07:14:52 2008 vpnclient,192.168.100.4
Mon Jul 14 07:14:52 2008 Initialization Sequence Completed

And one of the clients:

root@kaizen:/etc/openvpn# openvpn client.conf
Mon Jul 14 09:19:33 2008 us=562280 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on May 14 2008
Mon Jul 14 09:19:33 2008 us=562349 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Jul 14 09:19:33 2008 us=562363 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Jul 14 09:19:33 2008 us=562393 /usr/sbin/openssl-vulnkey -q certs/client-key.pem
Enter pass phrase for certs/client-key.pem:
Enter pass phrase for certs/client-key.pem:
WARN: could not open database for 4096 bits (skipping certs/client-key.pem)
Enter Private Key Password:
Mon Jul 14 09:19:43 2008 us=282902 LZO compression initialized
Mon Jul 14 09:19:43 2008 us=283180 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 14 09:19:43 2008 us=283395 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 14 09:19:43 2008 us=283566 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Jul 14 09:19:43 2008 us=283769 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Jul 14 09:19:43 2008 us=283986 Local Options hash (VER=V4): '41690919'
Mon Jul 14 09:19:43 2008 us=284119 Expected Remote Options hash (VER=V4): '530fdded'
Mon Jul 14 09:19:43 2008 us=284257 Socket Buffers: R=[110592->131072] S=[110592->131072]
Mon Jul 14 09:19:43 2008 us=284395 UDPv4 link local (bound): [undef]:1194
Mon Jul 14 09:19:43 2008 us=284522 UDPv4 link remote: 89.130.x.x:23069
WRMon Jul 14 09:19:43 2008 us=525663 TLS: Initial packet from 89.130.x.x:23069, sid=0d959702 ba36f11a
WWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRMon Jul 14 09:19:49 2008 us=448802 VERIFY OK: depth=1, /C=ES/ST=zaragoza/L=zaragoza/O=libelium/OU=security/CN=alica/[email protected]
Mon Jul 14 09:19:49 2008 us=450837 VERIFY OK: depth=0, /C=ES/ST=zaragoza/L=zaragoza/O=libelium/OU=security/CN=vpnserver/[email protected]
WRWRWRWRWRWRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWWWWRRRRWRWRMon Jul 14 09:20:00 2008 us=371071 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 14 09:20:00 2008 us=371104 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 14 09:20:00 2008 us=371189 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 14 09:20:00 2008 us=371203 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WMon Jul 14 09:20:00 2008 us=371267 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mon Jul 14 09:20:00 2008 us=371301 [vpnserver] Peer Connection Initiated with 89.130.x.x:23069
Mon Jul 14 09:20:01 2008 us=539915 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
WRRWRMon Jul 14 09:20:01 2008 us=955089 PUSH: Received control message: 'PUSH_REPLY,route 192.168.100.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.100.6 192.168.100.5'
Mon Jul 14 09:20:01 2008 us=955199 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)
Mon Jul 14 09:20:01 2008 us=955252 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jul 14 09:20:01 2008 us=955281 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jul 14 09:20:01 2008 us=955291 OPTIONS IMPORT: route options modified
Mon Jul 14 09:20:01 2008 us=955572 TUN/TAP device tun0 opened
Mon Jul 14 09:20:01 2008 us=955601 TUN/TAP TX queue length set to 100
Mon Jul 14 09:20:01 2008 us=955640 ifconfig tun0 192.168.100.6 pointopoint 192.168.100.5 mtu 1500
Mon Jul 14 09:20:01 2008 us=963079 route add -net 192.168.100.1 netmask 255.255.255.255 gw 192.168.100.5

As the client connects to the server you should see something like this:

Mon Jul 14 07:16:24 2008 213.97.x.x:1194 Re-using SSL/TLS context
Mon Jul 14 07:16:24 2008 213.97.x.x:1194 LZO compression initialized
Mon Jul 14 07:16:24 2008 213.97.x.x:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 14 07:16:24 2008 213.97.x.x:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 14 07:16:24 2008 213.97.x.x:1194 Local Options hash (VER=V4): '530fdded'
Mon Jul 14 07:16:24 2008 213.97.x.x:1194 Expected Remote Options hash (VER=V4): '41690919'
Mon Jul 14 07:16:24 2008 213.97.x.x:1194 TLS: Initial packet from 213.97.11.13:1194, sid=f7201297 51930ff0
Mon Jul 14 07:16:39 2008 213.97.x.x:1194 VERIFY OK: depth=1, /C=ES/ST=zaragoza/L=zaragoza/O=libelium/OU=security/CN=alica/[email protected]
Mon Jul 14 07:16:39 2008 213.97.x.x:1194 VERIFY OK: depth=0, /C=ES/ST=zaragoza/L=zaragoza/O=libelium/OU=security/CN=vpnclient/[email protected]
Mon Jul 14 07:16:41 2008 213.97.x.x:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 14 07:16:41 2008 213.97.x.x:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 14 07:16:41 2008 213.97.x.x:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 14 07:16:41 2008 213.97.x.x:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 14 07:16:41 2008 213.97.x.x:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mon Jul 14 07:16:41 2008 213.97.x.x:1194 [vpnclient] Peer Connection Initiated with 213.97.x.x:1194
Mon Jul 14 07:16:41 2008 vpnclient/213.97.x.x:1194 MULTI: Learn: 192.168.100.6 -> vpnclient/213.97.x.x:1194
Mon Jul 14 07:16:41 2008 vpnclient/213.97.x.x:1194 MULTI: primary virtual IP for vpnclient/213.97.x.x:1194: 192.168.100.6
Mon Jul 14 07:16:42 2008 vpnclient/213.97.x.x:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 14 07:16:42 2008 vpnclient/213.97.x.x:1194 SENT CONTROL [vpnclient]: 'PUSH_REPLY,route 192.168.100.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.100.6 192.168.100.5' (status=1)

If everything worked, you are ready to start openvpn in daemon mode. You can see a record of the IP addresses given to the clients connected to the server in /etc/openvpn/openvpn-status.log:

meshLium-AX:/etc/openvpn# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Wed Jul 16 11:48:36 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop-ali,192.168.1.10:1194,7720,7982,Wed Jul 16 11:42:51 2008
libelium1-mesh,192.168.1.210:1194,7719,7913,Wed Jul 16 11:42:58 2008
libelium2-mesh,192.168.1.211:1194,8118,8312,Wed Jul 16 11:42:56 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.100.14,libelium1-mesh,192.168.1.210:1194,Wed Jul 16 11:42:59 2008
192.168.100.10,laptop-ali,192.168.1.10:1194,Wed Jul 16 11:42:52 2008
192.168.100.18,libelium2-mesh,192.168.1.211:1194,Wed Jul 16 11:43:22 2008
GLOBAL STATS
Max bcast/mcast queue length,0
END
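
As an added example (not from the article), here is a small parser for the status file format above. It joins the CLIENT LIST and ROUTING TABLE sections so that each connected common name is shown with its real and virtual addresses, and it flags common names that are not on an allow list, which is a quick way to notice a certificate that should no longer be in use. The sample log is constructed from the listing above and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: parse openvpn-status.log
# (the format shown above) and join its two tables. The sample log below is
# constructed from the article's listing; function names are this example's.
set -u

STATUS_LOG=$(mktemp)
cat > "$STATUS_LOG" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Jul 16 11:48:36 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop-ali,192.168.1.10:1194,7720,7982,Wed Jul 16 11:42:51 2008
libelium1-mesh,192.168.1.210:1194,7719,7913,Wed Jul 16 11:42:58 2008
libelium2-mesh,192.168.1.211:1194,8118,8312,Wed Jul 16 11:42:56 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.100.14,libelium1-mesh,192.168.1.210:1194,Wed Jul 16 11:42:59 2008
192.168.100.10,laptop-ali,192.168.1.10:1194,Wed Jul 16 11:42:52 2008
192.168.100.18,libelium2-mesh,192.168.1.211:1194,Wed Jul 16 11:43:22 2008
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# One line per connected client, sorted by common name:
# "<common name> <real address> <virtual address> <connected since>"
vpn_clients() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { section = "clients"; next }
    /^ROUTING TABLE/       { section = "routes";  next }
    /^GLOBAL STATS/        { section = "";        next }
    section == "clients" && NF == 5 && $1 != "Common Name" { real[$1] = $2; since[$1] = $5 }
    section == "routes"  && NF == 4 && $1 != "Virtual Address" { vip[$2] = $1 }
    END {
      for (cn in real) {
        v = (cn in vip) ? vip[cn] : "-"
        printf "%s %s %s %s\n", cn, real[cn], v, since[cn]
      }
    }
  ' "$1" | sort
}

# Virtual VPN address currently held by common name $2 (empty if absent).
vpn_virtual_ip() {
  vpn_clients "$1" | awk -v cn="$2" '$1 == cn { print $3 }'
}

# Common names connected right now that are not in the space-separated
# allow list $2: a client whose certificate should have been retired, or a
# machine that is not supposed to be on the mesh VPN at all.
vpn_unexpected() {
  vpn_clients "$1" | awk -v allowed=" $2 " 'index(allowed, " " $1 " ") == 0 { print $1 }'
}

echo "Connected clients:"
vpn_clients "$STATUS_LOG"
echo "Not on the allow list:"
vpn_unexpected "$STATUS_LOG" "libelium1-mesh libelium2-mesh"
```

Because the status file is rewritten every minute, the same functions can be run from cron against the live /etc/openvpn/openvpn-status.log on the server to keep an eye on who is attached to the mesh.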
