Re: [gentoo-user] openvpn experience, anyone?
On 9/18/22 14:23, William Kenworthy wrote: On 18/9/22 16:26, n952162 wrote: On 9/18/22 09:52, William Kenworthy wrote: On 18/9/22 15:26, n952162 wrote: Hello all, I want to ssh over my openvpn connection, and I can't do it, the connection times out. I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and thought maybe somebody here knows something about this. Earlier my institution recommended openconnect, and I was able to use ssh to login in to a host with no problem. Then, for some reason (licensing?), we were switched to openvpn, which works for xfreerdp but not for ssh. I don't have control over the institution's firewall (but I do have for the host itself) Perhaps when installing the new service, they tightened up the firewall rules. But maybe there's a configuration screw I can turn, or ... maybe a USE flag? - - down-root : Enable the down-root plugin - - examples : Install examples, usually source code - - inotify : Enable inotify filesystem monitoring support - - iproute2 : Enabled iproute2 support instead of net-tools + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4) + + lzo : Enable support for lzo compression - - mbedtls : Use mbed TLS as the backend crypto library + + openssl : Use OpenSSL as the backend crypto library + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip - - pkcs11 : Enable PKCS#11 smartcard support + + plugins : Enable the OpenVPN plugin system - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) TIA ssh and openvpn work well together. However I am doing most of the work using my own configs - gentoo tries to be too clever with its vpn networking and Ive never been able to get it to work reliably/acceptably. On some sites I have to use port 443 (https) to get through, and in extreme cases double wrap in ssl (using a mix of proxytunnel (windows host), stunnel and sslh) to disguise its a vpn but still separate it from regular https traffic on my firewall. You will need to figure out where the ssh is getting blocked/stripped out - is openvpn your endpoint or theirs? BillK I don't understand that question: "is openvpn your endpoint or theirs" - don't both sides have an endpoint on the tunnel? That would have been a class idea, using the https port ... unfortunately, there's a web server running on that machine... it's not being used, however ... hmmm. Wow: "in extreme cases double wrap in ssl (using a mix of proxytunnel (windows host), stunnel and sslh) to disguise its a vpn but still separate it from regular https traffic on my firewall." - sounds totally cool, except I have no idea what it means... which concept should I start with? - proxytunnel - sslh - double wrapping in ssl 1. Do you have control over both openvpn endpoints? Typically in a roadwarrior setup the company IT dept owns one and you don't get access to it which can make it very difficult to see whats going on - if you can access the configs of both ends its much easier. The firewall you mention might be dropping ssh packets exiting the tunnel if its hosting an endpoint that is subject to the firewall? Routing multiple hops past the vpn endpoint can be another issue with openvpn. Ah, now I have a better understanding of the question - yes, unfortunately, the vpn goes to the institution's intranet. I control the client and the host, and the link to the institution, but the remote endpoint of the tunnel is not in my control. 2. SSL packets have identifiers in the headers that indicate the type of traffic within - sslh is a multiplexor that detects openvpn, openssl, openssh etc. via the ssl packet headers (does not need to see into the encryption to do this) and redirects the packets to different hosts/ports as applicable - e.g, ssl web traffic to your web server and openvpn ssl to to the vpn concentrator even though it all comes in as ssl on port 443. Okay, that gets me a lot closer. Thank you. 3a. Before retiring I was working within various seriously locked down networks and needed to reach my own home server - some of the commercial firewalls are able to break and examine ssl streams, or identify it was openvpn on port 443 and block it. If you are using a commercial certificate with openvpn this may be happening. 3b. If you own/host both ends of the vpn tunnel on your own machines, use the end-to-end encryption options, and a private certificate. By feeding the openvpn ssl stream through something like proxytunnel you are encrypting the stream a second time with https characteristics which gets around this to some degree (if they do bother break out the ssl, they are prese
Re: [gentoo-user] openvpn experience, anyone?
On 9/18/22 1:26 AM, n952162 wrote: I want to ssh over my openvpn connection, and I can't do it, the connection times out. IMHO the first, second, and third thing to try when OpenSSH clients fail for some reason is `-v`, `-v -v`, and `-v -v -v` in your ssh command(s). That will almost always give you some sort of indication of the next place to start looking. That being said, -- assuming routing is good -- I would also question an MTU issue. The symptoms of this are OpenSSH establishes the TCP connection that carries the data and starts negotiating the SSH protocol but fails part way through and starts timing out when big packets are sent but never make it to the other end. As Michael alluded to, trying to SSH from the local gateway to the remote gateway can be a little tricky to configure as there can be a couple of source IPs (local inside & local outside) as well as a couple of destination IPs (remote outside & remote inside). Tunnels usually cover local inside communicating with remote inside but fail to account for any outside addresses. -- N.B. this can usually be addressed with a judicious route statement that specifies which source address to use. -- Grant. . . . unix || die
Re: [gentoo-user] openvpn experience, anyone?
On Sun, 2022-09-18 at 09:26 +0200, n952162 wrote: > > Then, for some reason (licensing?), we were switched to openvpn, which > works for xfreerdp but not for ssh. > > I don't have control over the institution's firewall (but I do have for > the host itself) > Is the machine that you're trying to SSH into also on the VPN? If so, it may have a firewall rule like "allow SSH from the LAN" but be missing a rule that says "allow SSH from the VPN interface."
Re: [gentoo-user] openvpn experience, anyone?
On 9/18/22 11:08, Michael wrote: On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote: On 18/9/22 15:26, n952162 wrote: Hello all, I want to ssh over my openvpn connection, and I can't do it, the connection times out. I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and thought maybe somebody here knows something about this. Earlier my institution recommended openconnect, and I was able to use ssh to login in to a host with no problem. Then, for some reason (licensing?), we were switched to openvpn, which works for xfreerdp but not for ssh. I don't have control over the institution's firewall (but I do have for the host itself) Perhaps when installing the new service, they tightened up the firewall rules. But maybe there's a configuration screw I can turn, or ... maybe a USE flag? - - down-root : Enable the down-root plugin - - examples : Install examples, usually source code - - inotify : Enable inotify filesystem monitoring support - - iproute2 : Enabled iproute2 support instead of net-tools + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4) + + lzo : Enable support for lzo compression - - mbedtls : Use mbed TLS as the backend crypto library + + openssl : Use OpenSSL as the backend crypto library + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip - - pkcs11: Enable PKCS#11 smartcard support + + plugins : Enable the OpenVPN plugin system - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) TIA ssh and openvpn work well together. However I am doing most of the work using my own configs - gentoo tries to be too clever with its vpn networking and Ive never been able to get it to work reliably/acceptably. On some sites I have to use port 443 (https) to get through, and in extreme cases double wrap in ssl (using a mix of proxytunnel (windows host), stunnel and sslh) to disguise its a vpn but still separate it from regular https traffic on my firewall. You will need to figure out where the ssh is getting blocked/stripped out - is openvpn your endpoint or theirs? BillK Could it also be an issue with MTU being too large? It should be easy to test with: ping -c 1 -v -M do -s 1464 and decrease the packet size until gets through. Then configure your client accordingly: https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem That was a good idea! Unfortunately, in this case it wasn't the cause: -- ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 331.754/331.754/331.754/0.000 ms
Re: [gentoo-user] openvpn experience, anyone?
On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote: > On 18/9/22 15:26, n952162 wrote: > > Hello all, > > > > I want to ssh over my openvpn connection, and I can't do it, the > > connection times out. > > > > I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and > > thought maybe somebody here knows something about this. > > > > Earlier my institution recommended openconnect, and I was able to use > > ssh to login in to a host with no problem. > > > > Then, for some reason (licensing?), we were switched to openvpn, which > > works for xfreerdp but not for ssh. > > > > I don't have control over the institution's firewall (but I do have for > > the host itself) > > > > Perhaps when installing the new service, they tightened up the firewall > > rules. But maybe there's a configuration screw I can turn, or ... maybe > > a USE flag? > > > > - - down-root : Enable the down-root plugin > > - - examples : Install examples, usually source code > > - - inotify : Enable inotify filesystem monitoring support > > - - iproute2 : Enabled iproute2 support instead of net-tools > > + + lz4 : Enable support for lz4 compression (as implemented in > > app-arch/lz4) > > + + lzo : Enable support for lzo compression > > - - mbedtls : Use mbed TLS as the backend crypto library > > + + openssl : Use OpenSSL as the backend crypto library > > + + pam : Add support for PAM (Pluggable Authentication Modules) > > - DANGEROUS to > > arbitrarily flip > > - - pkcs11: Enable PKCS#11 smartcard support > > + + plugins : Enable the OpenVPN plugin system > > - - systemd : Enable use of systemd-specific libraries and features > > like socket > > activation or session tracking > > - - test : Enable dependencies and/or preparations necessary to > > run tests > > (usually controlled by FEATURES=test but can be > > toggled independently) > > > > TIA > > ssh and openvpn work well together. However I am doing most of the work > using my own configs - gentoo tries to be too clever with its vpn > networking and Ive never been able to get it to work > reliably/acceptably. On some sites I have to use port 443 (https) to > get through, and in extreme cases double wrap in ssl (using a mix of > proxytunnel (windows host), stunnel and sslh) to disguise its a vpn but > still separate it from regular https traffic on my firewall. You will > need to figure out where the ssh is getting blocked/stripped out - is > openvpn your endpoint or theirs? > > BillK Could it also be an issue with MTU being too large? It should be easy to test with: ping -c 1 -v -M do -s 1464 and decrease the packet size until gets through. Then configure your client accordingly: https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] openvpn experience, anyone?
On 18/9/22 15:26, n952162 wrote: Hello all, I want to ssh over my openvpn connection, and I can't do it, the connection times out. I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and thought maybe somebody here knows something about this. Earlier my institution recommended openconnect, and I was able to use ssh to login in to a host with no problem. Then, for some reason (licensing?), we were switched to openvpn, which works for xfreerdp but not for ssh. I don't have control over the institution's firewall (but I do have for the host itself) Perhaps when installing the new service, they tightened up the firewall rules. But maybe there's a configuration screw I can turn, or ... maybe a USE flag? - - down-root : Enable the down-root plugin - - examples : Install examples, usually source code - - inotify : Enable inotify filesystem monitoring support - - iproute2 : Enabled iproute2 support instead of net-tools + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4) + + lzo : Enable support for lzo compression - - mbedtls : Use mbed TLS as the backend crypto library + + openssl : Use OpenSSL as the backend crypto library + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip - - pkcs11 : Enable PKCS#11 smartcard support + + plugins : Enable the OpenVPN plugin system - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) TIA ssh and openvpn work well together. However I am doing most of the work using my own configs - gentoo tries to be too clever with its vpn networking and Ive never been able to get it to work reliably/acceptably. On some sites I have to use port 443 (https) to get through, and in extreme cases double wrap in ssl (using a mix of proxytunnel (windows host), stunnel and sslh) to disguise its a vpn but still separate it from regular https traffic on my firewall. You will need to figure out where the ssh is getting blocked/stripped out - is openvpn your endpoint or theirs? BillK
Re: [gentoo-user] OpenVPN - error
Hi Thelma, I think you need tls-server And tls-client In your respective configs below. Reference: https://askubuntu.com/questions/594868/openvpn-hmac-authentication-failure-no-matter-what-i-do And https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ Grep for tls-server. On 22 February 2020 11:08:02 PM NZDT, the...@sys-concept.com wrote: >When I try to start openVPN on a client I see this error on a server: > >Sat Feb 22 02:32:10 2020 Authenticate/Decrypt packet error: packet HMAC >authentication failed >Sat Feb 22 02:32:10 2020 TLS Error: incoming packet authentication >failed from [AF_INET] > >cat server.conf >proto udp >port 9000 >dev tun >mode server >ca /etc/openvpn/cert/ca.crt >cert /etc/openvpn/cert/clinic_atom.crt >key /etc/openvpn/cert/clinic_atom.key >dh /etc/openvpn/cert/dh.pem >topology subnet >server 192.168.141.0 255.255.255.0 >client-to-client >ifconfig-pool-persist ipp.txt >client-config-dir ccd >keepalive 10 120 >tls-auth vpn_clinic.key 0 >tun-mtu 1500 >tun-mtu-extra 32 >mssfix 1200 >duplicate-cn >comp-lzo >max-clients 100 >persist-key >persist-tun >status openvpn-status.log >log /var/log/openvpn.log >log-append /var/log/openvpn.log >verb 3 > >On client-config: >clinic_atom.conf >client >dev tun >proto udp >port 9070 >topology subnet >remote xxx.xx.xx.xx 9070 # static IP >resolv-retry infinite >tun-mtu 1500 >tun-mtu-extra 32 >mssfix 1200 >persist-key >persist-tun >remote-cert-tls server >ca "/etc/openvpn/clinic_atom/ca.crt" >cert "/etc/openvpn/clinic_atom/syscon7.crt" >key "/etc/openvpn/clinic_atom/syscon7.key" >tls-auth "/etc/openvpn/clinic_atom/ta.key" 1 >comp-lzo >log /var/log/openvpn.log >log-append /var/log/openvpn.log >verb 3 > >-- >Thelma -- Kind regards, Roger
Re: [gentoo-user] openvpn rc script dependencies
On Tuesday, April 10, 2018 1:25:42 PM CEST Simon Thelen wrote: > On 18-04-10 at 10:55, Christoph Böhmwalder wrote: > > I was wondering how the OpenRC dependencies between start scripts work. > > > > Basically, I have two network interfaces on my laptop (wlp3s0 and > > enp0s20u2u3 for wireless and ethernet respectively). When I start the > > wireless interface service (rc-service net.wlp3s0 start) the OpenVPN > > service starts and vice versa. That's great, but I didn't configure > > that anywhere. > > What does your /etc/runlevels/ look like? Is the openvpn service in one > of the runlevels? Are either of your network interfaces in one of the > runlevels? > > > What's even worse is that when I'm not connected via WiFi (i.e. > > > ethernet), the VPN service won't start because net.wlp3s0 isn't started: > [..] > > > Why would it do that, can I configure this anywhere? > > Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish > there were a way to modify require/provides without having to edit the > init scripts themselves. There is. You have (at least) 2 other options: 1) In the "/etc/conf.d" files (as I tend to do): # grep need /etc/conf.d/postgresql-9.5 rc_need="netmount" (This means, postgresql-9.5 needs the 'netmount' service to have started first) # grep need /etc/conf.d/netmount rc_need="net iscsid" (This means, netmount needs 'net' and 'iscsid' started first) 2) /etc/rc.conf See the following section in the default version: === # It's possible to define extra dependencies for services like so #rc_config="/etc/foo" #rc_need="openvpn" #rc_use="net.eth0" #rc_after="clock" #rc_before="local" #rc_provide="!net" === -- Joost
Re: [gentoo-user] openvpn rc script dependencies
On Tuesday, 10 April 2018 14:59:39 BST Christoph Böhmwalder wrote: > On Tue, Apr 10, 2018 at 01:25:42PM +0200, Simon Thelen wrote: > > What does your /etc/runlevels/ look like? Is the openvpn service in one > > of the runlevels? Are either of your network interfaces in one of the > > runlevels? > > Looking at `rc-status -a`, the openvpn service and the wifi interface > are both in runlevel default (which is kind of intentional). The wired > interface is in runlevel manual (I don't use it that often, so that's > fine). > > The thing is, I want to: > * Start the wifi service at boot > * Start the openvpn service when _any_ network connection is active > > > Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish > > there were a way to modify require/provides without having to edit the > > init scripts themselves. > > Unfortunately I can't test this anymore, but looking at the > documentation this _should_ work. > > Thanks! > > -- > Regards, > Christoph I recall noticing a somewhat similar behaviour with the ipsec service of strongswan. In particular, it would complain that the wired interface was not up and therefore ipsec would not start until then. The wireless interface itself being up was not enough to start ipsec. I used to start it up manually from the command line. I didn't look into it back then. I wonder if it was also something to do with the configuration of the start up script of ipsec. PS. I had commented out #rc_depend_strict="YES" in /etc/rc.conf and set rc_hotplug="*", but did not experiment further with these settings at the time. -- Regards, Mick signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] openvpn rc script dependencies
On Tue, Apr 10, 2018 at 09:28:10AM -0400, Michael Orlitzky wrote: > This is half the problem, but the OpenVPN init script probably shouldn't > have "need net" in its depend() function to begin with. It runs fine > with only the loopback interface up. That's exactly why I got confused. Shouldn't it be possible to just "tie" openvpn to _any_ network interface? It's especially weird how it just magically defaults to the wifi interface (it is in runlevel default, but still). Very unclear imo. > You could try to file a bug for that with > > https://github.com/OpenRC/openrc/blob/master/service-script-guide.md > > as a reference. There's a section titled "Be wary of 'need net' > dependencies" that covers the issue. That does look like it addresses the issue. I'll try and poke around in there. Thanks! -- Regards, Christoph
Re: [gentoo-user] openvpn rc script dependencies
On Tue, Apr 10, 2018 at 01:25:42PM +0200, Simon Thelen wrote: > What does your /etc/runlevels/ look like? Is the openvpn service in one > of the runlevels? Are either of your network interfaces in one of the > runlevels? Looking at `rc-status -a`, the openvpn service and the wifi interface are both in runlevel default (which is kind of intentional). The wired interface is in runlevel manual (I don't use it that often, so that's fine). The thing is, I want to: * Start the wifi service at boot * Start the openvpn service when _any_ network connection is active > Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish > there were a way to modify require/provides without having to edit the > init scripts themselves. Unfortunately I can't test this anymore, but looking at the documentation this _should_ work. Thanks! -- Regards, Christoph
Re: [gentoo-user] openvpn rc script dependencies
On 04/10/2018 07:25 AM, Simon Thelen wrote: > > Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish > there were a way to modify require/provides without having to edit the > init scripts themselves. > This is half the problem, but the OpenVPN init script probably shouldn't have "need net" in its depend() function to begin with. It runs fine with only the loopback interface up. You could try to file a bug for that with https://github.com/OpenRC/openrc/blob/master/service-script-guide.md as a reference. There's a section titled "Be wary of 'need net' dependencies" that covers the issue.
Re: [gentoo-user] openvpn rc script dependencies
On 18-04-10 at 10:55, Christoph Böhmwalder wrote: > I was wondering how the OpenRC dependencies between start scripts work. > > Basically, I have two network interfaces on my laptop (wlp3s0 and > enp0s20u2u3 for wireless and ethernet respectively). When I start the > wireless interface service (rc-service net.wlp3s0 start) the OpenVPN > service starts and vice versa. That's great, but I didn't configure > that anywhere. What does your /etc/runlevels/ look like? Is the openvpn service in one of the runlevels? Are either of your network interfaces in one of the runlevels? > What's even worse is that when I'm not connected via WiFi (i.e. > ethernet), the VPN service won't start because net.wlp3s0 isn't started: [..] > Why would it do that, can I configure this anywhere? Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish there were a way to modify require/provides without having to edit the init scripts themselves. -- Simon Thelen
Re: [gentoo-user] openvpn client IP address
On 01/18/2018 07:15 AM, Michael Orlitzky wrote: > On 01/17/2018 09:51 PM, the...@sys-concept.com wrote: >> How openvpn client obtains IP address from the server? >> >> On the sever in server.conf I had: >> server 192.168.139.0 255.255.255.0 >> route 10.0.0.0 255.255.255.0 192.168.139.7 >> >> On server in ccd/ I had client.file: >> ifconfig-push 192.168.139.3 255.255.255.0 > > Two things to check: > > First, the client configuration directory needs to be specified in the > server configuration file with the "client-config-dir" directive. In > your case, it looks like you need > > client-config-dir ccd > > but try an absolute path if that doesn't work for you. > > The second is the naming convention for the client configuration files > themselves. The files in "ccd" need to match the common names on the > certificates of your clients exactly, IIRC. So instead of "client.file", > you probably want just "client". Thanks for reply. I've already figure it out. The configuration file in ccd/ directory on a server is linked to a key generated for the client during setup on server: ./easyrsa build-client-full syscon7 nopass (this is client key pair) So the file in ccd/ (on server) has to be called "syscon7" and the client computer will take IP from this file (that you assign). Joseph
Re: [gentoo-user] openvpn client IP address
On 01/17/2018 09:51 PM, the...@sys-concept.com wrote: > How openvpn client obtains IP address from the server? > > On the sever in server.conf I had: > server 192.168.139.0 255.255.255.0 > route 10.0.0.0 255.255.255.0 192.168.139.7 > > On server in ccd/ I had client.file: > ifconfig-push 192.168.139.3 255.255.255.0 Two things to check: First, the client configuration directory needs to be specified in the server configuration file with the "client-config-dir" directive. In your case, it looks like you need client-config-dir ccd but try an absolute path if that doesn't work for you. The second is the naming convention for the client configuration files themselves. The files in "ccd" need to match the common names on the certificates of your clients exactly, IIRC. So instead of "client.file", you probably want just "client".
Re: [gentoo-user] openVPN
On Monday 06 Feb 2017 23:14:39 the...@sys-concept.com wrote: > On 02/06/2017 10:37 PM, the...@sys-concept.com wrote: > [snip] > > > but I'm getting an error below: > > > > ./easyrsa build-client-full syscon_home nopass > > NOTE: If you run ./clean-all, I will be doing a rm -rf on > > /usr/share/easy-rsa/keys > > > > Note: using Easy-RSA configuration from: ./vars > > > > Easy-RSA error: > > > > Missing expected CA file: serial (perhaps you need to run build-ca?) > > Run without commands for usage and command help. > > I think in order to build it I need to run: > > ./easyrsa build-ca nopass > ./easyrsa gen-req clinic_8amd nopass > ./easyrsa sign-req server clinic_8amd nopass > ./easyrsa gen-dh > ./easyrsa build-client-full home1 nopass > > But I'm stuck now with: > openvpn --genkey --secret /root/easy-rsa-example/pki/ta.key > > Mon Feb 6 23:13:20 2017 Cannot open shared secret file > '/root/easy-rsa-example/pki/ta.key' for write: No such file or directory > (errno=2) Mon Feb 6 23:13:20 2017 Exiting due to fatal error > > There is no such file "ta.key" > > -- > Thelma Have you created the desired directory, e.g. /root/easy-rsa-example/pki/ before you feed this path in the CLI above? -- Regards, Mick signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] openVPN
On 02/06/2017 10:37 PM, the...@sys-concept.com wrote: [snip] > but I'm getting an error below: > > ./easyrsa build-client-full syscon_home nopass > NOTE: If you run ./clean-all, I will be doing a rm -rf on > /usr/share/easy-rsa/keys > > Note: using Easy-RSA configuration from: ./vars > > Easy-RSA error: > > Missing expected CA file: serial (perhaps you need to run build-ca?) > Run without commands for usage and command help. I think in order to build it I need to run: ./easyrsa build-ca nopass ./easyrsa gen-req clinic_8amd nopass ./easyrsa sign-req server clinic_8amd nopass ./easyrsa gen-dh ./easyrsa build-client-full home1 nopass But I'm stuck now with: openvpn --genkey --secret /root/easy-rsa-example/pki/ta.key Mon Feb 6 23:13:20 2017 Cannot open shared secret file '/root/easy-rsa-example/pki/ta.key' for write: No such file or directory (errno=2) Mon Feb 6 23:13:20 2017 Exiting due to fatal error There is no such file "ta.key" -- Thelma
Re: [gentoo-user] openVPN
On 02/06/2017 08:23 PM, Michael Orlitzky wrote: > On 02/06/2017 09:53 PM, the...@sys-concept.com wrote: >> I'm trying to configure "openvpn" on my new box (have done it in the >> past - long time ago). >> >> Trying to follow some basic instruction but when I change to: >> cd /usr/share/easy-rsa/ >> >> and try to run: ./build-ca >> bash: ./build-ca: No such file or directory >> > > You want: ./easy-rsa build-ca > > It's all in one script one. It seems to me they have change a lot. I was following instructions from: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts and these two went OK: ./easyrsa gen-req clinic_8amd nopass ./easyrsa gen-dh but I'm getting an error below: ./easyrsa build-client-full syscon_home nopass NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/keys Note: using Easy-RSA configuration from: ./vars Easy-RSA error: Missing expected CA file: serial (perhaps you need to run build-ca?) Run without commands for usage and command help. -- Thelma
Re: [gentoo-user] openVPN
On Mon, Feb 06, 2017 at 08:03:21PM -0700, the...@sys-concept.com wrote: > and try to re-emerge it, it is not taking any effect. > emerge -avq easy-rsa > > [ebuild R ] app-crypt/easy-rsa-3.0.1-r1 USE="(-libressl)" > > why isn't the package enclosing the libressl in emerge? The parentheses "()" around the libressl flag indicates that it's forced by your profile. In this case, the libressl USE flag is masked for most architectures/platforms for stable arch because there's no stable libressl package: /usr/portage/profiles/base/use.stable.mask: # Justin Lecher (30 Sep 2015) # No stable libressl yet # Addendum: also mask the USE_EXPAND flag, # Anthony G. Basile (26 Nov 2015) curl_ssl_libressl libressl -- Sam Jorna (wraeth) GnuPG Key: D6180C26 signature.asc Description: Digital signature
Re: [gentoo-user] openVPN
On 02/06/2017 09:53 PM, the...@sys-concept.com wrote: > I'm trying to configure "openvpn" on my new box (have done it in the > past - long time ago). > > Trying to follow some basic instruction but when I change to: > cd /usr/share/easy-rsa/ > > and try to run: ./build-ca > bash: ./build-ca: No such file or directory > You want: ./easy-rsa build-ca It's all in one script one.
Re: [gentoo-user] openVPN
On 02/06/2017 07:53 PM, the...@sys-concept.com wrote: > I'm trying to configure "openvpn" on my new box (have done it in the > past - long time ago). > > Trying to follow some basic instruction but when I change to: > cd /usr/share/easy-rsa/ > > and try to run: ./build-ca > bash: ./build-ca: No such file or directory It could be the reason is that it was emerged without "libressl" app-crypt/easy-rsa-3.0.1-r1 USE="(-libressl)" so I put package.use app-crypt/easy-rsa libressl and try to re-emerge it, it is not taking any effect. emerge -avq easy-rsa [ebuild R ] app-crypt/easy-rsa-3.0.1-r1 USE="(-libressl)" why isn't the package enclosing the libressl in emerge? -- Thelma
Re: [gentoo-user] openvpn
On Mon, Feb 9, 2015 at 8:57 PM, Joseph wrote: > > On 02/09/15 13:47, Michael Orlitzky wrote: >> >> On 02/09/2015 01:42 PM, Joseph wrote: >>> >>> I've openvpn installed: >>> ... >>> >>> amd I'm trying to generate server key but I don't have directory: >>> /usr/share/openvpn/easy-rsa/ >>> does "openvpn" creates this directory or I do it manually? >>> >> >> It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was >> split off. > > > I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't > created. the following command will be handy for you: $ equery files easy-resa
Re: [gentoo-user] openvpn
On 02/09/2015 01:57 PM, Joseph wrote: >> >> It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was >> split off. > > I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't > created. > That's because >> It moved to /usr/share/easy-rsa =)
Re: [gentoo-user] openvpn
On 02/09/15 11:57, Joseph wrote: On 02/09/15 13:47, Michael Orlitzky wrote: On 02/09/2015 01:42 PM, Joseph wrote: I've openvpn installed: ... amd I'm trying to generate server key but I don't have directory: /usr/share/openvpn/easy-rsa/ does "openvpn" creates this directory or I do it manually? It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was split off. I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't created. now it is: /usr/share/easy-rsa/ -- Joseph
Re: [gentoo-user] openvpn
On 02/09/15 13:47, Michael Orlitzky wrote: On 02/09/2015 01:42 PM, Joseph wrote: I've openvpn installed: ... amd I'm trying to generate server key but I don't have directory: /usr/share/openvpn/easy-rsa/ does "openvpn" creates this directory or I do it manually? It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was split off. I've emerged easy-rsa but the /usr/share/openvpn/easy-rsa/ directory wasn't created. -- Joseph
Re: [gentoo-user] openvpn
On 02/09/15 11:42, Joseph wrote: I've openvpn installed: Installed versions: 2.3.6(11:44:47 PM 01/30/2015)(lzo pam plugins ssl -down-root -examples -iproute2 -passwordsave -pkcs11 -polarssl -selinux -static -systemd USERLAND="-BSD") amd I'm trying to generate server key but I don't have directory: /usr/share/openvpn/easy-rsa/ does "openvpn" creates this directory or I do it manually? -- Joseph Thanks I found it. "...Openvpn prior to 2.3 have easy-rsa scripts included, not the current one" -- Joseph
Re: [gentoo-user] openvpn
you can install app-crypt/easyrsa On Mon, Feb 9, 2015 at 8:42 PM, Joseph wrote: > I've openvpn installed: > Installed versions: 2.3.6(11:44:47 PM 01/30/2015)(lzo pam plugins ssl > -down-root -examples -iproute2 -passwordsave -pkcs11 -polarssl -selinux > -static -systemd USERLAND="-BSD") > > amd I'm trying to generate server key but I don't have directory: > /usr/share/openvpn/easy-rsa/ > does "openvpn" creates this directory or I do it manually? > > -- > Joseph > >
Re: [gentoo-user] openvpn
On 02/09/2015 01:42 PM, Joseph wrote: > I've openvpn installed: > ... > > amd I'm trying to generate server key but I don't have directory: > /usr/share/openvpn/easy-rsa/ > does "openvpn" creates this directory or I do it manually? > It moved to /usr/share/easy-rsa when the app-crypt/easy-rsa package was split off.
Re: [gentoo-user] openvpn static ip
On Friday 26 February 2010 01:39:55 Joseph wrote: > On 02/25/10 22:17, Xavier Parizet wrote: > >From what i can see, please try to add full path to the ccd directory in > >client-config-dir directive on the server path. Also check permissions > >on that directory. On which user are you running openvpn on the server ? > >On the client ? > > On client: > drwxr-xr-x 2 root root 4096 Feb 24 18:49 ccd > -rw-r--r-- 1 root root 45 Feb 25 12:13 syscon9 > > so this looks OK, From this, it looks like the "syscon9" file is not in the ".../ccd/" directory? Also, isn't this file supposed to be on the server? > >Can you increase verbosity and see if there is no open fails on the > >server ? If it works, you should have the following line in server logs: > >OPTIONS IMPORT: reading client specific options from: [path to > > ccd]/syscon9 MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port > > source] > > I've increased verbosity on server to 9 > but I can not find any phrase in the serer log file: "fails" "IMPORT" > > but I've noticed this section on the server log: > > ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0] > ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0] > ...syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 -> > syscon9/68.148.245.78:56172 > > If I change the directory to "ccd" the log just shows: > ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/syscon9' [0] > ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/DEFAULT' [0 This seems to indicate it can't actually find the file "/etc/openvpn/ccd/syscon9" This file needs to be located on the server, not on the client, as it's the server that determines the IP-address for the client. -- Joost
Re: [gentoo-user] openvpn static ip
On 02/25/2010 11:21 PM, Joseph wrote: > On 02/25/10 22:17, Xavier Parizet wrote: >> [snip] > > I added full path to the server for ccd: > /etc/openvpn/ccd > > Now I'm getting consistent IP: 192.168.139.2 every-time I restart > openvpn.client_clinic2 > but I'm not getting what I requested in ccd/syscon9: > ifconfig-push 192.168.139.15 255.255.255.0 retry ifconfig-push 192.168.139.15 192.168.139.1 . Also post /etc/openvpn/ipp.txt content and try removing it and restart openvpn server keep the full log level 4, and restart openvpn client, keep the full log level 4. I'm starting to be out of ideas ^^ > The client runs openvpn as user root, > the server runs openvpn as user openvpn. -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF signature.asc Description: OpenPGP digital signature
Re: [gentoo-user] openvpn static ip
On 02/25/10 22:17, Xavier Parizet wrote: From what i can see, please try to add full path to the ccd directory in client-config-dir directive on the server path. Also check permissions on that directory. On which user are you running openvpn on the server ? On the client ? On client: drwxr-xr-x 2 root root 4096 Feb 24 18:49 ccd -rw-r--r-- 1 root root 45 Feb 25 12:13 syscon9 so this looks OK, Can you increase verbosity and see if there is no open fails on the server ? If it works, you should have the following line in server logs: OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9 MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source] I've increased verbosity on server to 9 but I can not find any phrase in the serer log file: "fails" "IMPORT" but I've noticed this section on the server log: ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/syscon9' [0] ...syscon9/68.148.245.78:56172 TEST FILE '/etc/openvpn/ccd/DEFAULT' [0] ...syscon9/68.148.245.78:56172 MULTI: Learn: 192.168.139.2 -> syscon9/68.148.245.78:56172 If I change the directory to "ccd" the log just shows: ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/syscon9' [0] ...syscon9/68.148.245.78:56172 TEST FILE 'ccd/DEFAULT' [0 -- Joseph
Re: [gentoo-user] openvpn static ip
On 02/25/10 22:17, Xavier Parizet wrote: [snip] topology subnet remote 208.38.31.237 9000 resolv-retry infinite nobind ^^ you should remove this line to avoid connection refused messages from the server. As you are in udp, client should bind on udp source port to get messages from the server. I remove this one from client.conf tun-mtu 1500 tun-mtu-extra 32 mssfix 1200 persist-key persist-tun remote-cert-tls server ca "/etc/openvpn/client_clinic2/ca.crt" cert "/etc/openvpn/client_clinic2/syscon9.crt" key "/etc/openvpn/client_clinic2/syscon9.key" tls-auth "/etc/openvpn/client_clinic2/vpn_my.key" 1 comp-lzo log/var/log/openvpn.log log-append /var/log/openvpn.log verb 3 log file from client: cat /var/log/openvpn.log [SNIP] Whey sever log is always showing this message: [ECONNREFUSED]: Connection refused (code=111 From what i can see, please try to add full path to the ccd directory in client-config-dir directive on the server path. Also check permissions on that directory. On which user are you running openvpn on the server ? On the client ? Can you increase verbosity and see if there is no open fails on the server ? If it works, you should have the following line in server logs: OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9 MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source] -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF I added full path to the server for ccd: /etc/openvpn/ccd Now I'm getting consistent IP: 192.168.139.2 every-time I restart openvpn.client_clinic2 but I'm not getting what I requested in ccd/syscon9: ifconfig-push 192.168.139.15 255.255.255.0 The client runs openvpn as user root, the server runs openvpn as user openvpn. -- Joseph
Re: [gentoo-user] openvpn static ip
Le 25/02/2010 22:01, Joseph a écrit : > On 02/25/10 21:09, Xavier Parizet wrote: > [snip] >>> Yes, it was a typo :-/ I corrected it: >>> cat syscon9 >>> ifconfig-push 192.168.139.15 255.255.255.0 >>> >>> but from log you can see it still didn't give me what I want, I got IP >>> 192.168.139.6 and was asking for: 192.168.139.15 >>> >>> log: >>> cat /var/log/openvpn.log >>> [SNIP] >> >> Ok. After re-re-reading the man page, try to add parameter topology >> subnet to server config. If it still don't work, then _please_ post the >> openvpn.log of the server side. >> > > I've added: topology subnet to both client and server conf but now when > I try to disconnect and connect I'm getting consecutive IP's: > 192.168.139.2 > 192.168.139.3 > 192.168.139.4 > ... > > cat server.conf > port 9000 > proto udp > dev tun > mode server > ca /usr/share/openvpn/easy-rsa/keys/ca.crt > cert /usr/share/openvpn/easy-rsa/keys/server.crt > key /usr/share/openvpn/easy-rsa/keys/server.key > dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem > topology subnet > server 192.168.139.0 255.255.255.0 > client-to-client > ifconfig-pool-persist ipp.txt > client-config-dir ccd > keepalive 10 120 > tls-auth vpn_my.key 0 > tun-mtu 1500 > tun-mtu-extra 32 > mssfix 1200 > duplicate-cn > comp-lzo > max-clients 100 > persist-key > persist-tun > status openvpn-status.log > log/var/log/openvpn.log > log-append /var/log/openvpn.log > verb 3 > > cat client_clinic2.conf > client > dev tun > proto udp > topology subnet > remote 208.38.31.237 9000 > resolv-retry infinite > nobind ^^ you should remove this line to avoid connection refused messages from the server. As you are in udp, client should bind on udp source port to get messages from the server. > tun-mtu 1500 > tun-mtu-extra 32 > mssfix 1200 > persist-key > persist-tun > remote-cert-tls server > ca "/etc/openvpn/client_clinic2/ca.crt" > cert "/etc/openvpn/client_clinic2/syscon9.crt" > key "/etc/openvpn/client_clinic2/syscon9.key" > tls-auth "/etc/openvpn/client_clinic2/vpn_my.key" 1 > comp-lzo > log/var/log/openvpn.log > log-append /var/log/openvpn.log > verb 3 > > > log file from client: > > cat /var/log/openvpn.log > [SNIP] > > Whey sever log is always showing this message: [ECONNREFUSED]: > Connection refused (code=111 From what i can see, please try to add full path to the ccd directory in client-config-dir directive on the server path. Also check permissions on that directory. On which user are you running openvpn on the server ? On the client ? Can you increase verbosity and see if there is no open fails on the server ? If it works, you should have the following line in server logs: OPTIONS IMPORT: reading client specific options from: [path to ccd]/syscon9 MULTI: Learn: [192.168.139.15] -> syscon9/[ip source:port source] -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF signature.asc Description: OpenPGP digital signature
Re: [gentoo-user] openvpn static ip
On 02/25/10 21:09, Xavier Parizet wrote: [snip] Yes, it was a typo :-/ I corrected it: cat syscon9 ifconfig-push 192.168.139.15 255.255.255.0 but from log you can see it still didn't give me what I want, I got IP 192.168.139.6 and was asking for: 192.168.139.15 log: cat /var/log/openvpn.log [SNIP] Ok. After re-re-reading the man page, try to add parameter topology subnet to server config. If it still don't work, then _please_ post the openvpn.log of the server side. -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF I've added: topology subnet to both client and server conf but now when I try to disconnect and connect I'm getting consecutive IP's: 192.168.139.2 192.168.139.3 192.168.139.4 ... cat server.conf port 9000 proto udp dev tun mode server ca /usr/share/openvpn/easy-rsa/keys/ca.crt cert /usr/share/openvpn/easy-rsa/keys/server.crt key /usr/share/openvpn/easy-rsa/keys/server.key dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem topology subnet server 192.168.139.0 255.255.255.0 client-to-client ifconfig-pool-persist ipp.txt client-config-dir ccd keepalive 10 120 tls-auth vpn_my.key 0 tun-mtu 1500 tun-mtu-extra 32 mssfix 1200 duplicate-cn comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log log/var/log/openvpn.log log-append /var/log/openvpn.log verb 3 cat client_clinic2.conf client dev tun proto udp topology subnet remote 208.38.31.237 9000 resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1200 persist-key persist-tun remote-cert-tls server ca "/etc/openvpn/client_clinic2/ca.crt" cert "/etc/openvpn/client_clinic2/syscon9.crt" key "/etc/openvpn/client_clinic2/syscon9.key" tls-auth "/etc/openvpn/client_clinic2/vpn_my.key" 1 comp-lzo log/var/log/openvpn.log log-append /var/log/openvpn.log verb 3 log file from client: cat /var/log/openvpn.log Thu Feb 25 13:50:30 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jan 16 2010 Thu Feb 25 13:50:30 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Thu Feb 25 13:50:30 2010 Control Channel Authentication: using '/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file Thu Feb 25 13:50:30 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 25 13:50:30 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 25 13:50:30 2010 LZO compression initialized Thu Feb 25 13:50:30 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ] Thu Feb 25 13:50:30 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ] Thu Feb 25 13:50:30 2010 Local Options hash (VER=V4): 'ec497616' Thu Feb 25 13:50:30 2010 Expected Remote Options hash (VER=V4): '7cd8ed90' Thu Feb 25 13:50:30 2010 Socket Buffers: R=[114688->131072] S=[114688->131072] Thu Feb 25 13:50:30 2010 UDPv4 link local: [undef] Thu Feb 25 13:50:30 2010 UDPv4 link remote: 208.38.31.237:9000 Thu Feb 25 13:50:30 2010 TLS: Initial packet from 208.38.31.237:9000, sid=766f3e2f 0cf96857 Thu Feb 25 13:50:30 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailaddress...@myhost.mydomain Thu Feb 25 13:50:30 2010 Validating certificate key usage Thu Feb 25 13:50:30 2010 ++ Certificate has key usage 00a0, expects 00a0 Thu Feb 25 13:50:30 2010 VERIFY KU OK Thu Feb 25 13:50:30 2010 Validating certificate extended key usage Thu Feb 25 13:50:30 2010 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Feb 25 13:50:30 2010 VERIFY EKU OK Thu Feb 25 13:50:30 2010 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailaddress...@myhost.mydomain Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Thu Feb 25 13:50:31 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Thu Feb 25 13:50:31 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 25 13:50:31 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA Thu Feb 25 13:50:31 2010 [server] Peer Connection Initiated with 208.38.31.237:9000 Thu Feb 25 13:50:32 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Thu Feb 25 13:50:32 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.139.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.139.2 255.255.255.0' Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: timers and/or timeouts modified Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: --ifconfig/up options modified Thu Feb 25 13:50:32 2010 OPTIONS IMPORT: route-related options modified Thu Feb 25 13:50:32 2010 TUN/TAP device tun0 opened Thu Feb 25 13:50:32 2010 TUN/TAP TX
Re: [gentoo-user] openvpn static ip
On Thursday 25 February 2010, Joseph wrote: > Yes, it was a typo :-/ I corrected it: > cat syscon9 > ifconfig-push 192.168.139.15 255.255.255.0 > > but from log you can see it still didn't give me what I want, I got IP > 192.168.139.6 and was asking for: 192.168.139.15 Try adding topology subnet to both client and server config.
Re: [gentoo-user] openvpn static ip
Le 25/02/2010 20:20, Joseph a écrit : > On 02/25/10 18:12, Xavier Parizet wrote: >> Le 25/02/2010 17:51, Joseph a ??crit : >>> On 02/25/10 08:40, Xavier Parizet wrote: On 02/25/2010 02:32 AM, Joseph wrote: > I've configured OpenVPN and it works OK but I can not seems to > figure it > out how to assign static IP to clients > > My server.conf port 8458 > [SNIP] > > On client in /etc/openvpn/ccd directory I've created a file "syscon9" > with: > ifconfig-push 192.168.139.15 192.168.139.1 Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ? man openvpn tell me the following for ifconfig-push: --ifconfig-push local remote-netmask so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line above in the ccd directory. If it doesn't work, then please post the openvpn.log of the client. >>> >>> I've tried it many time, it doesn't work with the netmaks. File: syscon9 >>> from ccd: >>> cat syscon9 >>> ifconfig-push 192.168.0.15 255.255.255.0 >>^^^ >> this is wrong (or maybe a typing mistake?) >> >> If it's a typing mistake, then please post now server side log. > > Yes, it was a typo :-/ I corrected it: > cat syscon9 > ifconfig-push 192.168.139.15 255.255.255.0 > > but from log you can see it still didn't give me what I want, I got IP > 192.168.139.6 and was asking for: 192.168.139.15 > > log: > cat /var/log/openvpn.log > [SNIP] Ok. After re-re-reading the man page, try to add parameter topology subnet to server config. If it still don't work, then _please_ post the openvpn.log of the server side. -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF signature.asc Description: OpenPGP digital signature
Re: [gentoo-user] openvpn static ip
On 02/25/10 18:12, Xavier Parizet wrote: Le 25/02/2010 17:51, Joseph a ??crit : On 02/25/10 08:40, Xavier Parizet wrote: On 02/25/2010 02:32 AM, Joseph wrote: I've configured OpenVPN and it works OK but I can not seems to figure it out how to assign static IP to clients My server.conf port 8458 [SNIP] On client in /etc/openvpn/ccd directory I've created a file "syscon9" with: ifconfig-push 192.168.139.15 192.168.139.1 Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ? man openvpn tell me the following for ifconfig-push: --ifconfig-push local remote-netmask so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line above in the ccd directory. If it doesn't work, then please post the openvpn.log of the client. I've tried it many time, it doesn't work with the netmaks. File: syscon9 from ccd: cat syscon9 ifconfig-push 192.168.0.15 255.255.255.0 ^^^ this is wrong (or maybe a typing mistake?) If it's a typing mistake, then please post now server side log. Yes, it was a typo :-/ I corrected it: cat syscon9 ifconfig-push 192.168.139.15 255.255.255.0 but from log you can see it still didn't give me what I want, I got IP 192.168.139.6 and was asking for: 192.168.139.15 log: cat /var/log/openvpn.log Thu Feb 25 12:14:04 2010 OpenVPN 2.1_rc15 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jan 16 2010 Thu Feb 25 12:14:04 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Thu Feb 25 12:14:04 2010 Control Channel Authentication: using '/etc/openvpn/client_clinic2/vpn_my.key' as a OpenVPN static key file Thu Feb 25 12:14:04 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 25 12:14:04 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 25 12:14:04 2010 LZO compression initialized Thu Feb 25 12:14:04 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ] Thu Feb 25 12:14:04 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ] Thu Feb 25 12:14:04 2010 Local Options hash (VER=V4): 'ec497616' Thu Feb 25 12:14:04 2010 Expected Remote Options hash (VER=V4): '7cd8ed90' Thu Feb 25 12:14:04 2010 Socket Buffers: R=[114688->131072] S=[114688->131072] Thu Feb 25 12:14:04 2010 UDPv4 link local: [undef] Thu Feb 25 12:14:04 2010 UDPv4 link remote: 208.38.31.237:9000 Thu Feb 25 12:15:04 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Thu Feb 25 12:15:04 2010 TLS Error: TLS handshake failed Thu Feb 25 12:15:04 2010 TCP/UDP: Closing socket Thu Feb 25 12:15:04 2010 SIGUSR1[soft,tls-error] received, process restarting Thu Feb 25 12:15:04 2010 Restart pause, 2 second(s) Thu Feb 25 12:15:06 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Thu Feb 25 12:15:06 2010 Re-using SSL/TLS context Thu Feb 25 12:15:06 2010 LZO compression initialized Thu Feb 25 12:15:06 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ] Thu Feb 25 12:15:06 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ] Thu Feb 25 12:15:06 2010 Local Options hash (VER=V4): 'ec497616' Thu Feb 25 12:15:06 2010 Expected Remote Options hash (VER=V4): '7cd8ed90' Thu Feb 25 12:15:06 2010 Socket Buffers: R=[114688->131072] S=[114688->131072] Thu Feb 25 12:15:06 2010 UDPv4 link local: [undef] Thu Feb 25 12:15:06 2010 UDPv4 link remote: 208.38.31.237:9000 Thu Feb 25 12:16:06 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Thu Feb 25 12:16:06 2010 TLS Error: TLS handshake failed Thu Feb 25 12:16:06 2010 TCP/UDP: Closing socket Thu Feb 25 12:16:06 2010 SIGUSR1[soft,tls-error] received, process restarting Thu Feb 25 12:16:06 2010 Restart pause, 2 second(s) Thu Feb 25 12:16:08 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Thu Feb 25 12:16:08 2010 Re-using SSL/TLS context Thu Feb 25 12:16:08 2010 LZO compression initialized Thu Feb 25 12:16:08 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ] Thu Feb 25 12:16:08 2010 Data Channel MTU parms [ L:1574 D:1200 EF:42 EB:135 ET:32 EL:0 AF:3/1 ] Thu Feb 25 12:16:08 2010 Local Options hash (VER=V4): 'ec497616' Thu Feb 25 12:16:08 2010 Expected Remote Options hash (VER=V4): '7cd8ed90' Thu Feb 25 12:16:08 2010 Socket Buffers: R=[114688->131072] S=[114688->131072] Thu Feb 25 12:16:08 2010 UDPv4 link local: [undef] Thu Feb 25 12:16:08 2010 UDPv4 link remote: 208.38.31.237:9000 Thu Feb 25 12:16:25 2010 TLS: Initial packet from 208.38.31.237:9000, sid=9c654bbf 0689942b Thu Feb 25 12:16:25 2010 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailaddress...@myhost.mydomain Thu Feb 25 12:16:25 2010 Validating certifica
Re: [gentoo-user] openvpn static ip
Le 25/02/2010 17:51, Joseph a écrit : > On 02/25/10 08:40, Xavier Parizet wrote: >> On 02/25/2010 02:32 AM, Joseph wrote: >>> I've configured OpenVPN and it works OK but I can not seems to figure it >>> out how to assign static IP to clients >>> >>> My server.conf port 8458 >>> [SNIP] >>> >>> On client in /etc/openvpn/ccd directory I've created a file "syscon9" >>> with: >>> ifconfig-push 192.168.139.15 192.168.139.1 >> >> Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ? >> man openvpn tell me the following for ifconfig-push: >> --ifconfig-push local remote-netmask >> >> so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line >> above in the ccd directory. >> >> If it doesn't work, then please post the openvpn.log of the client. > > I've tried it many time, it doesn't work with the netmaks. File: syscon9 > from ccd: > cat syscon9 > ifconfig-push 192.168.0.15 255.255.255.0 ^^^ this is wrong (or maybe a typing mistake?) If it's a typing mistake, then please post now server side log. > [SNIP] -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF signature.asc Description: OpenPGP digital signature
Re: [gentoo-user] openvpn static ip
On Wed, 2010-02-24 at 20:37 -0700, Joseph wrote: > The directory name shouldn't make any difference, I'm using directory > name "ccd"; though I've tried the IP's you suggested, it makes no > difference, still > not getting static IP :-/ > > Thanks for suggestion, I've been on it all day and can not find the > solution. Yeah I know the directory name is arbitrary, I was only giving you the example that works for me. Not sure why it doesn't work for you. Do the file names match up with the DNs (check the logs)? -a
Re: [gentoo-user] openvpn static ip
On 02/25/2010 02:32 AM, Joseph wrote: > I've configured OpenVPN and it works OK but I can not seems to figure it > out how to assign static IP to clients > > My server.conf port 8458 > proto udp > dev tun > mode server > ca /usr/share/openvpn/easy-rsa/keys/ca.crt > cert /usr/share/openvpn/easy-rsa/keys/server.crt > key /usr/share/openvpn/easy-rsa/keys/server.key > dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem > server 192.168.139.0 255.255.255.0 > client-to-client > ifconfig-pool-persist ipp.txt > client-config-dir ccd > keepalive 10 120 > tls-auth vpn_my.key 0 > tun-mtu 1500 > tun-mtu-extra 32 > mssfix 1200 > duplicate-cn > comp-lzo > max-clients 100 > persist-key > persist-tun > status openvpn-status.log > log/var/log/openvpn.log > log-append /var/log/openvpn.log > verb 3 > > On client in /etc/openvpn/ccd directory I've created a file "syscon9" with: > ifconfig-push 192.168.139.15 192.168.139.1 Hmmm... 192.168.139.1 does not seem a remote netmask, isn't it ? man openvpn tell me the following for ifconfig-push: --ifconfig-push local remote-netmask so, put ifconfig-push 192.168.139.15 255.255.255.0 rather than the line above in the ccd directory. If it doesn't work, then please post the openvpn.log of the client. > This file suppose to have a name from client "CN" > > client.conf > client > dev tun > proto udp > remote 68.148.245.78 8458 > resolv-retry infinite > nobind > tun-mtu 1500 > tun-mtu-extra 32 > mssfix 1200 > persist-key > persist-tun > remote-cert-tls server > ca "/etc/openvpn/client/ca.crt" > cert "/etc/openvpn/client/syscon9.crt" > key "/etc/openvpn/client/syscon9.key" > tls-auth "/etc/openvpn/client/vpn.key" 1 > comp-lzo > log/var/log/openvpn.log > log-append /var/log/openvpn.log > verb 3 -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF signature.asc Description: OpenPGP digital signature
Re: [gentoo-user] openvpn static ip
On 02/24/10 21:51, Albert Hopkins wrote: On Wed, 2010-02-24 at 18:32 -0700, Joseph wrote: I've configured OpenVPN and it works OK but I can not seems to figure it out how to assign static IP to clients Put this your config config: client-config-dir client.d And then in client.d/ have a file for each client, e.g. # cat client.d/client ifconfig-push 192.168.0.4 192.168.0.1 The directory name shouldn't make any difference, I'm using directory name "ccd"; though I've tried the IP's you suggested, it makes no difference, still not getting static IP :-/ Thanks for suggestion, I've been on it all day and can not find the solution. -- Joseph
Re: [gentoo-user] openvpn static ip
On Wed, 2010-02-24 at 18:32 -0700, Joseph wrote: > I've configured OpenVPN and it works OK but I can not seems to figure it out > how to assign static IP to clients Put this your config config: client-config-dir client.d And then in client.d/ have a file for each client, e.g. # cat client.d/client ifconfig-push 192.168.0.4 192.168.0.1
Re: [gentoo-user] OpenVPN and IPsec
2008/12/11 Etaoin Shrdlu : > On Thursday 11 December 2008, 22:08, Mick wrote: > >> Hi All, >> >> I would like to set up a VPN connection to a router which is using IKE >> & IPsec: >> http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7 >> >> Would I be able to achieve this using OpenVPN on my gentoo box? > > Unfortunately not, openvpn is mostly a software-only product until now > and is not found in hardware appliances like routers or firewalls (at > least as far as I know). > >> I read the IPsec HowTo and scared myself to death (it seems long enough >> to warrant me taking time off work to read it . . . and at least >> another day to try it ;) > > Yes, Ipsec can be a nightmare. For connecting to cisco, try using vpnc > (perhaps with kvpnc if you're under kde) which should work reasonably > well. Both programs are in portage. > kvpnc also acts as a single interface to handle various kinds of vpn > connections (including openvpn, ipsec, pptp (to connect to some > microsoft-based servers) and others). Well, the router is a Cisco clone so it might work - thanks for the tip! -- Regards, Mick
Re: [gentoo-user] OpenVPN and IPsec
On Thursday 11 December 2008, 22:08, Mick wrote: > Hi All, > > I would like to set up a VPN connection to a router which is using IKE > & IPsec: > http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7 > > Would I be able to achieve this using OpenVPN on my gentoo box? Unfortunately not, openvpn is mostly a software-only product until now and is not found in hardware appliances like routers or firewalls (at least as far as I know). > I read the IPsec HowTo and scared myself to death (it seems long enough > to warrant me taking time off work to read it . . . and at least > another day to try it ;) Yes, Ipsec can be a nightmare. For connecting to cisco, try using vpnc (perhaps with kvpnc if you're under kde) which should work reasonably well. Both programs are in portage. kvpnc also acts as a single interface to handle various kinds of vpn connections (including openvpn, ipsec, pptp (to connect to some microsoft-based servers) and others).
Re: [gentoo-user] OpenVPN setup
On Sunday 17 February 2008, Grant wrote: > > What wasn't mentioned is that SSL covers transport encryption, not > > necessarily application security. What that means is if you open IMAP, > > SMTP, CUPS, and SSH daemons over the internet then you also need to keep > > (better) track of security vulnerabilities found in those applications, > > and fix them as needed. SSL alone won't help you there. Whereas if > > you're only running, say OpenVPN over the Internet then that's the only > > application you gotta look out for. > > > > Also, doing things such as running IMAP over SSL using accounts with > > weak passwords doesn't gain you much either. > > Good points Albert. Is a daily 'emerge --sync && emerge -avDuN world' > generally enough as far as tracking security vulnerabilities? It will sure help. So will strong passwds, denyhosts, or fail2ban and equivalents, a well configured IDS, etc. and close monitoring of the log files. Let's be honest, a machine that runs services has the potential to get cracked one way or another. A well configured machine has a disproportionately small probability of getting cracked, than your average WinXP IT illiterate user around the world. So, it's really a matter of how paranoid you would like to get about it. -- Regards, Mick signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] OpenVPN setup
> > Good points Albert. Is a daily 'emerge --sync && emerge -avDuN world' > > generally enough as far as tracking security vulnerabilities? > > > > - Grant > > That's not really for me to say. But I can tell you that although the > Gentoo developers take matters of security seriously, there is no > full-time security tracker. Sometimes things don't get patched in > portage until someone (else) creates a bug report. And even if that > were not the case, there are 0-day exploits that have yet to be patched. > > So it really depends on how informed/paranoid you are about what you > have accepting requests from the Internet. While we're on the subject, what is the best way to stay on top of security vulnerabilities for a group of services? Should I be subscribed to their announcement mailing lists and make sure I'm notified of new mail? - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > Good points Albert. Is a daily 'emerge --sync && emerge -avDuN world' > > generally enough as far as tracking security vulnerabilities? > > > > - Grant > > That's not really for me to say. But I can tell you that although the > Gentoo developers take matters of security seriously, there is no > full-time security tracker. Sometimes things don't get patched in > portage until someone (else) creates a bug report. And even if that > were not the case, there are 0-day exploits that have yet to be patched. > > So it really depends on how informed/paranoid you are about what you > have accepting requests from the Internet. What do you think guys? Simplicity or security? - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Sun, 2008-02-17 at 12:03 -0800, Grant wrote: > Good points Albert. Is a daily 'emerge --sync && emerge -avDuN world' > generally enough as far as tracking security vulnerabilities? > > - Grant That's not really for me to say. But I can tell you that although the Gentoo developers take matters of security seriously, there is no full-time security tracker. Sometimes things don't get patched in portage until someone (else) creates a bug report. And even if that were not the case, there are 0-day exploits that have yet to be patched. So it really depends on how informed/paranoid you are about what you have accepting requests from the Internet. -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > > I'd just like to reiterate that most of those don't need any extra > > > security. SSH and HTTPS are already secure, and IMAP and SMTP can be > > > accessed over SSL (like HTTPS). These are all secure enough to be > > > widely used without extra layers of encryption. > > > > I'm surprised, but glad to hear this. I was under the impression that > > opening services like SSH and CUPS to the internet was a bad idea. I > > guess they're secure enough. That removes #2 and #3 from my 4-part > > list above. > > > > If I can print with CUPS via SSL and submit SMTP mail via alternate > > port 587, I won't need a VPN or tunnel. > > > > Thanks a lot for everyone's help. I'm going to start a new thread for > > those topics. > > What wasn't mentioned is that SSL covers transport encryption, not > necessarily application security. What that means is if you open IMAP, > SMTP, CUPS, and SSH daemons over the internet then you also need to keep > (better) track of security vulnerabilities found in those applications, > and fix them as needed. SSL alone won't help you there. Whereas if > you're only running, say OpenVPN over the Internet then that's the only > application you gotta look out for. > > Also, doing things such as running IMAP over SSL using accounts with > weak passwords doesn't gain you much either. Good points Albert. Is a daily 'emerge --sync && emerge -avDuN world' generally enough as far as tracking security vulnerabilities? - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Sun, 2008-02-17 at 07:12 -0800, Grant wrote: > > I'd just like to reiterate that most of those don't need any extra > > security. SSH and HTTPS are already secure, and IMAP and SMTP can be > > accessed over SSL (like HTTPS). These are all secure enough to be > > widely used without extra layers of encryption. > > I'm surprised, but glad to hear this. I was under the impression that > opening services like SSH and CUPS to the internet was a bad idea. I > guess they're secure enough. That removes #2 and #3 from my 4-part > list above. > > If I can print with CUPS via SSL and submit SMTP mail via alternate > port 587, I won't need a VPN or tunnel. > > Thanks a lot for everyone's help. I'm going to start a new thread for > those topics. What wasn't mentioned is that SSL covers transport encryption, not necessarily application security. What that means is if you open IMAP, SMTP, CUPS, and SSH daemons over the internet then you also need to keep (better) track of security vulnerabilities found in those applications, and fix them as needed. SSL alone won't help you there. Whereas if you're only running, say OpenVPN over the Internet then that's the only application you gotta look out for. Also, doing things such as running IMAP over SSL using accounts with weak passwords doesn't gain you much either. Just my 2 cents. -a -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > Thanks a lot for everyone's help. Here is a more to-the-point list of > > what I'd like to accomplish: > > > > 1. encrypt CUPS printouts between remote server and local print server > > 2. add an additional layer of security around SSH and CUPS on local > > firewall/print server > > 3. add an additional layer of security around SSH, IMAP, and > > non-standard port HTTPS on remote server > > 4. enable access to SMTP on remote server for me which is blocked by > > my local ISP > > > > It sounds like I have 3 choices: > > > > 1. VPN > > 2. SSH tunneling > > 3. Zebedee tunneling > > > > Would all 3 of these choices accomplish all 4 requirements? I would > > think SSH tunneling can't really add an additional layer around SSH. > > I'd just like to reiterate that most of those don't need any extra > security. SSH and HTTPS are already secure, and IMAP and SMTP can be > accessed over SSL (like HTTPS). These are all secure enough to be > widely used without extra layers of encryption. I'm surprised, but glad to hear this. I was under the impression that opening services like SSH and CUPS to the internet was a bad idea. I guess they're secure enough. That removes #2 and #3 from my 4-part list above. If I can print with CUPS via SSL and submit SMTP mail via alternate port 587, I won't need a VPN or tunnel. Thanks a lot for everyone's help. I'm going to start a new thread for those topics. - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Wed, 13 Feb 2008 08:19:48 -0800 Grant <[EMAIL PROTECTED]> wrote: > > > > Even if you just want to encrypt some clear-text protocol that > > > > doesn't have an encrypted equivalent, a vpn is still overkill. > > > > For that you use ssh tunneling (which is essentially the same > > > > thing as an encrypted version of a protocol). 'ssh -X' is the > > > > classic example of easily tunneling a protocol that doesn't > > > > have a native encrypted equivalent. > > > > > > I see what you're saying. Can tunneling through ssh be made > > > automatic so that a cron job initiates a script that opens a > > > tunnel between the remote server and local print server and pages > > > are printed through the tunnel? > > > > Sure. ssh is just a process after all and in principle encapsulated > > whatever gets put into it. All you need is a connection that isn't > > firewalled out and an sshd that is listening to what is coming in. > > > > ssh will even port forward for you and can be made to transform any > > tcp connection to appear to come from whatever port you want. What > > you put inside the tunnel is up to you. If the print server won't > > accept what is coming in, then google will find you any number of > > apps that will mangle the traffic. > > > > > > Your statement "it seems like running SSH inside a VPN is better > > > > for security than running SSH on a non-standard port" is > > > > non-sensical. From a security and encryption perspective, ssh > > > > and OpenVPN are exactly the same thing - stuff wrapped in an > > > > encryption layer provided by ssl, complete with exactly the > > > > same key setup should you choose to use that route. > > > > > > What about having ssh, imap, smtp, cups, and possibly a > > > non-standard https port all hidden within a VPN? Should that be > > > considered a benefit of running a VPN? > > > > I've filed the original post somewhere else and forgot the > > scenario :-) Is this a setup you need to be present often or even > > all the time? If so, you have 5 protocols in use, and setting up > > tunnels could become cumbersome. You might consider that it's more > > effort than it's worth and a VPN that is there and JustWorks(tm) is > > preferable. I would call that a sensible use of a VPN :-) > > > > I don't think there's a golden rule about when using a VPN is right > > or wrong. It's more like "do the advantages outweigh the hassle of > > setting it up and maintaining it?". Sometimes this answer is > > obvious, sometimes less so. Sometimes it's a judgement call. > > Thanks a lot for everyone's help. Here is a more to-the-point list of > what I'd like to accomplish: > > 1. encrypt CUPS printouts between remote server and local print server > 2. add an additional layer of security around SSH and CUPS on local > firewall/print server > 3. add an additional layer of security around SSH, IMAP, and > non-standard port HTTPS on remote server > 4. enable access to SMTP on remote server for me which is blocked by > my local ISP > > It sounds like I have 3 choices: > > 1. VPN > 2. SSH tunneling > 3. Zebedee tunneling > > Would all 3 of these choices accomplish all 4 requirements? I would > think SSH tunneling can't really add an additional layer around SSH. Encrypted packets, encrypted? Why not? > I'd like to have something I can leave up all the time so the services > are always protected and I don't have to go through an extra step to > use email or print from the remote server. Can all 3 of these be left > up all the time? Is there any reason not to leave this type of > functionality up all the time? I don't use tunnels, but leave VPN up all the time. > It sounds like VPN would be the most difficult to set up and maintain, > followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm > wrong though. With tunneling, would I need to set up 4 or 5 different > tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm > using Zebedee)? tunnels aren't configured, but would probably have to be created at boot. vpn is, I suppose, not super easy to configure. I will send you my config files though if you want. > To send me mail, mail servers need to connect to my remote server's > SMTP right? Would setting up a tunnel or VPN for my SMTP access > interfere with that? Not if you tunnel through to the right ports - or in the case of a VPN, no. -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Wed, 2008-02-13 at 08:19 -0800, Grant wrote: > > Thanks a lot for everyone's help. Here is a more to-the-point list of > what I'd like to accomplish: > > 1. encrypt CUPS printouts between remote server and local print server > 2. add an additional layer of security around SSH and CUPS on local > firewall/print server > 3. add an additional layer of security around SSH, IMAP, and > non-standard port HTTPS on remote server > 4. enable access to SMTP on remote server for me which is blocked by > my local ISP > > It sounds like I have 3 choices: > > 1. VPN > 2. SSH tunneling > 3. Zebedee tunneling > Simplyfy - send cups and smtp send only by zebedee SSH and HTTPS are already highly regarded as "safe". Convert your email reading to to the secure imaps. Experience over the years has me sitting on the side of using as few layers as possible - anything you add is going to increase complexity (management time) and reduce reliability. I do run openvpn and zebedee (in the past) using iptables to restrict access, and the services themselves are killed/restarted at appropriate times via cron to minimise exposure. Zebedee handles it very well (except when in server mode on a doze box!!) - openvpn can be a bit .. ah ... fussy ... I find it will sometimes get in a loop of out of sync connection attempts requiring manually logging into both ends to fix, and complex routing is always fun. It is more designed to be always up and available rather than on/off. Zebedee however can handle most scenarios quite well, including a server behind a firewall where it can "call out" to the client. BillK -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
Hi Grant, On Thu, Feb 14, 2008 at 1:19 AM, Grant <[EMAIL PROTECTED]> wrote: > Thanks a lot for everyone's help. Here is a more to-the-point list of > what I'd like to accomplish: > > 1. encrypt CUPS printouts between remote server and local print server > 2. add an additional layer of security around SSH and CUPS on local > firewall/print server > 3. add an additional layer of security around SSH, IMAP, and > non-standard port HTTPS on remote server > 4. enable access to SMTP on remote server for me which is blocked by > my local ISP > > It sounds like I have 3 choices: > > 1. VPN > 2. SSH tunneling > 3. Zebedee tunneling > > Would all 3 of these choices accomplish all 4 requirements? I would > think SSH tunneling can't really add an additional layer around SSH. I'd just like to reiterate that most of those don't need any extra security. SSH and HTTPS are already secure, and IMAP and SMTP can be accessed over SSL (like HTTPS). These are all secure enough to be widely used without extra layers of encryption. Routing your printing over a tunnel is perfectly valid and, in my opinion, reason enough to set up OpenVPN and play with it :D > I'd like to have something I can leave up all the time so the services > are always protected and I don't have to go through an extra step to > use email or print from the remote server. Can all 3 of these be left > up all the time? Is there any reason not to leave this type of > functionality up all the time? I can't speak for all of those options, but OpenVPN should be able to stay up all the time. I currently have an established OpenVPN connection to my work, it's been up for some five days now. I also have experience with a Cisco VPN, for which I use vpnc[1]... that thing goes down all the time. [1] http://www.unix-ag.uni-kl.de/~massar/vpnc/ > It sounds like VPN would be the most difficult to set up and maintain, > followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm > wrong though. With tunneling, would I need to set up 4 or 5 different > tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm > using Zebedee)? You can establish only one tunnel. Think of it this way, creating a tunnel is analogous to adding a NIC to your system. It will be called tun0 or tap0 (depending on whether you're tunneling or bridging). Then your system has an IP on your physical NIC (eth0) and your tun/tap interface as well. Your machine is now part of two network segments, the physical one and the virtual one. You only need one VPN tunnel; configure all your apps to route their CUPS, IMAP, SMTP, HTTPS and SSH connections through that virtual network. > To send me mail, mail servers need to connect to my remote server's > SMTP right? Would setting up a tunnel or VPN for my SMTP access > interfere with that? I would imagine your SMTP port needs to be accessible from the outside world in order to receive mail... so as long as packets bound for that machine's IP on port 25 (is it?) will reach the machine, you'll be OK. Perhaps someone more knowledgeable on mail servers can clarify this. At any rate, why not just go ahead with OpenVPN, set it up and see how it works for you? You'll be in a much better position then to determine whether it's really what you want or need. Have fun! Mike -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > > Even if you just want to encrypt some clear-text protocol that > > > doesn't have an encrypted equivalent, a vpn is still overkill. For > > > that you use ssh tunneling (which is essentially the same thing as > > > an encrypted version of a protocol). 'ssh -X' is the classic > > > example of easily tunneling a protocol that doesn't have a native > > > encrypted equivalent. > > > > I see what you're saying. Can tunneling through ssh be made > > automatic so that a cron job initiates a script that opens a tunnel > > between the remote server and local print server and pages are > > printed through the tunnel? > > Sure. ssh is just a process after all and in principle encapsulated > whatever gets put into it. All you need is a connection that isn't > firewalled out and an sshd that is listening to what is coming in. > > ssh will even port forward for you and can be made to transform any tcp > connection to appear to come from whatever port you want. What you put > inside the tunnel is up to you. If the print server won't accept what > is coming in, then google will find you any number of apps that will > mangle the traffic. > > > > Your statement "it seems like running SSH inside a VPN is better > > > for security than running SSH on a non-standard port" is > > > non-sensical. From a security and encryption perspective, ssh and > > > OpenVPN are exactly the same thing - stuff wrapped in an encryption > > > layer provided by ssl, complete with exactly the same key setup > > > should you choose to use that route. > > > > What about having ssh, imap, smtp, cups, and possibly a non-standard > > https port all hidden within a VPN? Should that be considered a > > benefit of running a VPN? > > I've filed the original post somewhere else and forgot the scenario :-) > Is this a setup you need to be present often or even all the time? If > so, you have 5 protocols in use, and setting up tunnels could become > cumbersome. You might consider that it's more effort than it's worth > and a VPN that is there and JustWorks(tm) is preferable. I would call > that a sensible use of a VPN :-) > > I don't think there's a golden rule about when using a VPN is right or > wrong. It's more like "do the advantages outweigh the hassle of setting > it up and maintaining it?". Sometimes this answer is obvious, sometimes > less so. Sometimes it's a judgement call. Thanks a lot for everyone's help. Here is a more to-the-point list of what I'd like to accomplish: 1. encrypt CUPS printouts between remote server and local print server 2. add an additional layer of security around SSH and CUPS on local firewall/print server 3. add an additional layer of security around SSH, IMAP, and non-standard port HTTPS on remote server 4. enable access to SMTP on remote server for me which is blocked by my local ISP It sounds like I have 3 choices: 1. VPN 2. SSH tunneling 3. Zebedee tunneling Would all 3 of these choices accomplish all 4 requirements? I would think SSH tunneling can't really add an additional layer around SSH. I'd like to have something I can leave up all the time so the services are always protected and I don't have to go through an extra step to use email or print from the remote server. Can all 3 of these be left up all the time? Is there any reason not to leave this type of functionality up all the time? It sounds like VPN would be the most difficult to set up and maintain, followed by SSH tunneling, followed by Zebedee tunneling. Maybe I'm wrong though. With tunneling, would I need to set up 4 or 5 different tunnels for CUPS, IMAP, SMTP, non-standard port HTTPS, and SSH (if I'm using Zebedee)? To send me mail, mail servers need to connect to my remote server's SMTP right? Would setting up a tunnel or VPN for my SMTP access interfere with that? - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
Grant wrote: I'm hoping to use the vpn in three few ways: 1. imap and smtp between my laptop and the mail server 2. ssh from my laptop to the remote server 3. cups printing from the remote server to the print server I don't think you need a VPN to SSH from your laptop to the remote server -- SSH is already encrypted. For sure, but it seems like running SSH inside a VPN is better for security than running SSH on a non-standard port or even port knocking. If I need to set up a VPN for printing, shouldn't I use it for other stuff too? Maybe not, I have yet to actually use a VPN so please correct me if I'm wrong. SSH + Public/Private Keys. I don't accept passwords on my box, you need to have a correct account name and a private key for that machine to even think about talking to you. The only authentication method is PubKeyAuth; everything else is NO. If your laptop is always behind your local firewall, then it should be sufficient to have an OpenVPN tunnel established between your local firewall/print server and your remote server. This should allow you to print. Configuring the routes on your laptop to go through your local firewall and VPN to the remote server should allow you to grab your mail. If you move around with your laptop then you'll need to establish the VPN tunnel to your remote server anytime you need to grab your mail from anywhere else but home (behind your local firewall). Ah, tunnels, OK. I need to think in terms of tunnels. I'll definitely be moving around and won't be behind my local firewall too much of the time. Can I set up the openvpn server on my remote system and keep a tunnel open between it and the firewall/print server for printing, and also initiate a tunnel between the laptop and the remote system whenever I need to mail or SSH? Does that sound like a good plan? - Grant The other thing you can do is run ssh and use tunneling to run printing over. Granted it's kind of a pita for more stuff, but it's a poor man's vpn. (and what I use to view my webservers at home) Eric -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tue, 2008-02-12 at 19:30 +0200, Alan McKinnon wrote: > On Tuesday 12 February 2008, Etaoin Shrdlu wrote: > > On Tuesday 12 February 2008, Alan McKinnon wrote: > > > Your statement "it seems like running SSH inside a VPN is better > > > for security than running SSH on a non-standard port" is > > > non-sensical. From a security and encryption perspective, ssh and > > > OpenVPN are exactly the same thing - stuff wrapped in an encryption > > > layer provided by ssl, complete with exactly the same key setup > > > should you choose to use that route. > > > > Perhaps confusingly, ssh itself can be used to create openVPN-like > > VPNs (actually, much simpler), using the -w option and a couple of > > tun (or tap) interfaces on the connected computers. > > hehehe, I'd forgetten about that one for a bit :-) > > I just thought of a nice way to describe the difference (seeing as > technically they are essentially equivalent): > > Use SSH if you need a quick ad-hoc connection or something temporary. > Use OpenVPN if you need something more permanent that is always prsent > and just works. > > -- > Alan McKinnon > alan dot mckinnon at gmail dot com > Another alternative not mentioned so far - zebedee. Its a port based tunnel - that is instead of creating a new network with all its fuss and bother, just create a local port (may be on another local machine) that "surfaces" on a distant machine/network. I used it for many years for email and protecting telnet servers before openvpn became of age and my needs expanded. Recommended. Again, ssh can do this as well, but zebedee is a lot more flexible/convenient. Create tunnels for ports 25, 143 and 631 and you have email and cups. e.g., I map port 2225 to port 25 and set my local mail client to send email to localhost:2225 and it magicly connects to my mail server at home. It can also be done at a user level - you dont need admin privileges so if you have user level access to a machine, you can run a tunnel on it unlike openvpn. It is also cross platform which is nice :) >From the mailing list, it seems there are quite a few enterprise users as its got a good reputation in its niche. BillK -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tue, 12 Feb 2008 19:42:44 +0200 Alan McKinnon <[EMAIL PROTECTED]> wrote: > > What about having ssh, imap, smtp, cups, and possibly a non-standard > > https port all hidden within a VPN? Should that be considered a > > benefit of running a VPN? One other thought about ssh+vpn, if you have VPN problems (for example, the server goes down or you can't route to the subnet (if, say, you were on a local subnet with the same address it gets hairy) you can still get in with SSH. -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tuesday 12 February 2008, Grant wrote: > I need temporary, but automated. Can an ssh tunnel be set up in an > automated way? Sure. Can you write bash scripts? Can you read man pages? Just work out what command invocations do what you require and stick them in a script. Cron the script if that suits your needs -- Alan McKinnon alan dot mckinnon at gmail dot com -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tuesday 12 February 2008, Grant wrote: > > Use SSH if you need a quick ad-hoc connection or something > > temporary. Use OpenVPN if you need something more permanent that is > > always prsent and just works. > > I need temporary, but automated. Can an ssh tunnel be set up in an > automated way? Of course, especially if you set up public key authentication. -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tuesday 12 February 2008, Alan McKinnon wrote: > > Perhaps confusingly, ssh itself can be used to create openVPN-like > > VPNs (actually, much simpler), using the -w option and a couple of > > tun (or tap) interfaces on the connected computers. > > hehehe, I'd forgetten about that one for a bit :-) > > I just thought of a nice way to describe the difference (seeing as > technically they are essentially equivalent): Well, almost. Ssh uses TCP, so a ssh-based VPN might encounter problems due to the notorious TCP-over-TCP issue (though I never had a problem, but I have a fast connection, so I might just be lucky), whereas OpenVPN uses UDP (by default at least) and thus must implement its own protocol for reliability and recovery. Both solutions introduce a certain amount of overhead, although I could not say which one is larger (perhaps OpenVPN?). (Well, actually every kind of VPN introduces some overhead, but that's another story.) From the point of view of the way virtual (tun/tap) interfaces are used, they are mostly the same, with OpenVPN designed to scale better when many connections are needed. Some considerations apply to both, for example that using bridged mode might rapidly produce a lot of traffic on the link if more than few machines are connected (especially if they are windows machines), so it should be avoided for large setups. > Use SSH if you need a quick ad-hoc connection or something temporary. > Use OpenVPN if you need something more permanent that is always prsent > and just works. 100% agree :-) -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tuesday 12 February 2008, Grant wrote: > > Even if you just want to encrypt some clear-text protocol that > > doesn't have an encrypted equivalent, a vpn is still overkill. For > > that you use ssh tunneling (which is essentially the same thing as > > an encrypted version of a protocol). 'ssh -X' is the classic > > example of easily tunneling a protocol that doesn't have a native > > encrypted equivalent. > > I see what you're saying. Can tunneling through ssh be made > automatic so that a cron job initiates a script that opens a tunnel > between the remote server and local print server and pages are > printed through the tunnel? Sure. ssh is just a process after all and in principle encapsulated whatever gets put into it. All you need is a connection that isn't firewalled out and an sshd that is listening to what is coming in. ssh will even port forward for you and can be made to transform any tcp connection to appear to come from whatever port you want. What you put inside the tunnel is up to you. If the print server won't accept what is coming in, then google will find you any number of apps that will mangle the traffic. > > Your statement "it seems like running SSH inside a VPN is better > > for security than running SSH on a non-standard port" is > > non-sensical. From a security and encryption perspective, ssh and > > OpenVPN are exactly the same thing - stuff wrapped in an encryption > > layer provided by ssl, complete with exactly the same key setup > > should you choose to use that route. > > What about having ssh, imap, smtp, cups, and possibly a non-standard > https port all hidden within a VPN? Should that be considered a > benefit of running a VPN? I've filed the original post somewhere else and forgot the scenario :-) Is this a setup you need to be present often or even all the time? If so, you have 5 protocols in use, and setting up tunnels could become cumbersome. You might consider that it's more effort than it's worth and a VPN that is there and JustWorks(tm) is preferable. I would call that a sensible use of a VPN :-) I don't think there's a golden rule about when using a VPN is right or wrong. It's more like "do the advantages outweigh the hassle of setting it up and maintaining it?". Sometimes this answer is obvious, sometimes less so. Sometimes it's a judgement call. Side note: I'm starting to consider that even the most whacky, bizarre and stupid use of OpenVPN is preferable to the heartache and pain involved with trying to get IPSec working as designed -- Alan McKinnon alan dot mckinnon at gmail dot com -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > > Your statement "it seems like running SSH inside a VPN is better > > > for security than running SSH on a non-standard port" is > > > non-sensical. From a security and encryption perspective, ssh and > > > OpenVPN are exactly the same thing - stuff wrapped in an encryption > > > layer provided by ssl, complete with exactly the same key setup > > > should you choose to use that route. > > > > Perhaps confusingly, ssh itself can be used to create openVPN-like > > VPNs (actually, much simpler), using the -w option and a couple of > > tun (or tap) interfaces on the connected computers. > > hehehe, I'd forgetten about that one for a bit :-) > > I just thought of a nice way to describe the difference (seeing as > technically they are essentially equivalent): > > Use SSH if you need a quick ad-hoc connection or something temporary. > Use OpenVPN if you need something more permanent that is always prsent > and just works. I need temporary, but automated. Can an ssh tunnel be set up in an automated way? - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tuesday 12 February 2008, Etaoin Shrdlu wrote: > On Tuesday 12 February 2008, Alan McKinnon wrote: > > Your statement "it seems like running SSH inside a VPN is better > > for security than running SSH on a non-standard port" is > > non-sensical. From a security and encryption perspective, ssh and > > OpenVPN are exactly the same thing - stuff wrapped in an encryption > > layer provided by ssl, complete with exactly the same key setup > > should you choose to use that route. > > Perhaps confusingly, ssh itself can be used to create openVPN-like > VPNs (actually, much simpler), using the -w option and a couple of > tun (or tap) interfaces on the connected computers. hehehe, I'd forgetten about that one for a bit :-) I just thought of a nice way to describe the difference (seeing as technically they are essentially equivalent): Use SSH if you need a quick ad-hoc connection or something temporary. Use OpenVPN if you need something more permanent that is always prsent and just works. -- Alan McKinnon alan dot mckinnon at gmail dot com -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > > I don't think you need a VPN to SSH from your laptop to the remote > > > server -- SSH is already encrypted. > > > > For sure, but it seems like running SSH inside a VPN is better for > > security than running SSH on a non-standard port or even port > > knocking. If I need to set up a VPN for printing, shouldn't I use it > > for other stuff too? Maybe not, I have yet to actually use a VPN so > > please correct me if I'm wrong. > > The name tells you everything you need to know. > > vpn is Virtual Private *Network*. If you would normally have a dedicated > line between this place and that place to form a network, but this is > too expensive so you use the internet instead, then you use a vpn. Why? > Because the internet is a public pathway and you don't want your stuff > out in the open. > > If you want a client machine somewhere to connect to a server machine > somewhere else, then this is normal internet connectivity and vpn is > the wrong thing. If you want the client machine to be part of the same > network the server is on so that lots of stuff works the way it does in > the office itself, then vpn is the correct thing. > > Even if you just want to encrypt some clear-text protocol that doesn't > have an encrypted equivalent, a vpn is still overkill. For that you use > ssh tunneling (which is essentially the same thing as an encrypted > version of a protocol). 'ssh -X' is the classic example of easily > tunneling a protocol that doesn't have a native encrypted equivalent. I see what you're saying. Can tunneling through ssh be made automatic so that a cron job initiates a script that opens a tunnel between the remote server and local print server and pages are printed through the tunnel? > Your statement "it seems like running SSH inside a VPN is better for > security than running SSH on a non-standard port" is non-sensical. From > a security and encryption perspective, ssh and OpenVPN are exactly the > same thing - stuff wrapped in an encryption layer provided by ssl, > complete with exactly the same key setup should you choose to use that > route. What about having ssh, imap, smtp, cups, and possibly a non-standard https port all hidden within a VPN? Should that be considered a benefit of running a VPN? - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tuesday 12 February 2008, Alan McKinnon wrote: > Your statement "it seems like running SSH inside a VPN is better for > security than running SSH on a non-standard port" is non-sensical. > From a security and encryption perspective, ssh and OpenVPN are > exactly the same thing - stuff wrapped in an encryption layer provided > by ssl, complete with exactly the same key setup should you choose to > use that route. Perhaps confusingly, ssh itself can be used to create openVPN-like VPNs (actually, much simpler), using the -w option and a couple of tun (or tap) interfaces on the connected computers. -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Tuesday 12 February 2008, Grant wrote: > > I don't think you need a VPN to SSH from your laptop to the remote > > server -- SSH is already encrypted. > > For sure, but it seems like running SSH inside a VPN is better for > security than running SSH on a non-standard port or even port > knocking. If I need to set up a VPN for printing, shouldn't I use it > for other stuff too? Maybe not, I have yet to actually use a VPN so > please correct me if I'm wrong. The name tells you everything you need to know. vpn is Virtual Private *Network*. If you would normally have a dedicated line between this place and that place to form a network, but this is too expensive so you use the internet instead, then you use a vpn. Why? Because the internet is a public pathway and you don't want your stuff out in the open. If you want a client machine somewhere to connect to a server machine somewhere else, then this is normal internet connectivity and vpn is the wrong thing. If you want the client machine to be part of the same network the server is on so that lots of stuff works the way it does in the office itself, then vpn is the correct thing. Even if you just want to encrypt some clear-text protocol that doesn't have an encrypted equivalent, a vpn is still overkill. For that you use ssh tunneling (which is essentially the same thing as an encrypted version of a protocol). 'ssh -X' is the classic example of easily tunneling a protocol that doesn't have a native encrypted equivalent. Your statement "it seems like running SSH inside a VPN is better for security than running SSH on a non-standard port" is non-sensical. From a security and encryption perspective, ssh and OpenVPN are exactly the same thing - stuff wrapped in an encryption layer provided by ssl, complete with exactly the same key setup should you choose to use that route. -- Alan McKinnon alan dot mckinnon at gmail dot com -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
I do this with my work printer - the printer is locked down to a local network - I can print from locked out offices/labs anywhere (and even from home, picking up the printouts when I arrive - convenient!) I also transfer sometimes large files (using scp) and run ssh sessions and imap/smtp mail all through the same tunnel(s) - I actually use two in series with a convenient host in between to get around some local routing issues. All can be transparent and just work. scp can sometimes be a pain with slow speeds but its dependent on network conditions external to the tunnel - i.e., some external conditions cause interactions that affect packet sizes/latency within the tunnel - doesnt happen often though. Routing is often an issue (particularly to networks a few hops away on the "inside") - ospf (quagga) was the solution, though RIP is probably easier/better for this The downside - gentoos openvpn and networking design is ok for simple setups, but has to be overidden when getting complex. Can be "fragile" when design changes are taking place - breaks when you least expect it like when they introduced the bind flag into the init.d script (gr) Note that you need sympathetic or pliable IT staff if its a workplace - helps to have them onside if you are going to bypass their security policies for your own benefit! BillK On Mon, 2008-02-11 at 19:44 -0600, Dan Farrell wrote: > On Mon, 11 Feb 2008 16:00:49 -0800 > Grant <[EMAIL PROTECTED]> wrote: > > > You can print from your laptop to your printer at home while > > > overseas, for example. > > Sounds very convenient ; ) -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Mon, 11 Feb 2008 16:00:49 -0800 Grant <[EMAIL PROTECTED]> wrote: > You can print from your laptop to your printer at home while > > overseas, for example. Sounds very convenient ; ) -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > > > I'm hoping to use the vpn in three few ways: > > > > > > > > 1. imap and smtp between my laptop and the mail server > > > > 2. ssh from my laptop to the remote server > > > > 3. cups printing from the remote server to the print server > > > > > > I don't think you need a VPN to SSH from your laptop to the remote > > > server -- SSH is already encrypted. > > > > For sure, but it seems like running SSH inside a VPN is better for > > security than running SSH on a non-standard port or even port > > knocking. If I need to set up a VPN for printing, shouldn't I use it > > for other stuff too? Maybe not, I have yet to actually use a VPN so > > please correct me if I'm wrong. > > There are other ways to make SSH more "secure". For example, you could But what's wrong with this one? :) Honestly though, why would any of those methods be preferred to openvpn? > only enable PubkeyAuthentication while disabling all other methods of > Authentication, then use a large (4096-bit?) key pair with a strong > passphrase[1] and use keychain[2] so you don't have to type in the > passphrase all the time. OK, I'm exaggerating a bit with those > passwords from GRC, but you get the idea. > > [1] https://www.grc.com/passwords.htm > [2] http://www.gentoo.org/proj/en/keychain/ > > Also keep in mind the added overhead with OpenVPN -- your encrypted > SSH traffic is again encrypted by the VPN. Is this significant? Would my SSH latency be increased, the system slowed down, or both? > > > If your laptop is always behind your local firewall, then it should be > > > sufficient to have an OpenVPN tunnel established between your local > > > firewall/print server and your remote server. This should allow you to > > > print. > > > > > > Configuring the routes on your laptop to go through your local > > > firewall and VPN to the remote server should allow you to grab your > > > mail. > > > > > > If you move around with your laptop then you'll need to establish the > > > VPN tunnel to your remote server anytime you need to grab your mail > > > from anywhere else but home (behind your local firewall). > > > > Ah, tunnels, OK. I need to think in terms of tunnels. I'll > > definitely be moving around and won't be behind my local firewall too > > much of the time. Can I set up the openvpn server on my remote system > > and keep a tunnel open between it and the firewall/print server for > > printing, and also initiate a tunnel between the laptop and the remote > > system whenever I need to mail or SSH? Does that sound like a good > > plan? > > Yep, that should work. With a 'permanent' tunnel established between > your remote server and your local firewall/print server, you'll always > have access to those too simply by connecting via VPN to your remote > server. You can print from your laptop to your printer at home while > overseas, for example. Nice, thanks Mike. - Grant -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
Hi Grant, On Tue, Feb 12, 2008 at 8:11 AM, Grant <[EMAIL PROTECTED]> wrote: > > > I'm hoping to use the vpn in three few ways: > > > > > > 1. imap and smtp between my laptop and the mail server > > > 2. ssh from my laptop to the remote server > > > 3. cups printing from the remote server to the print server > > > > I don't think you need a VPN to SSH from your laptop to the remote > > server -- SSH is already encrypted. > > For sure, but it seems like running SSH inside a VPN is better for > security than running SSH on a non-standard port or even port > knocking. If I need to set up a VPN for printing, shouldn't I use it > for other stuff too? Maybe not, I have yet to actually use a VPN so > please correct me if I'm wrong. There are other ways to make SSH more "secure". For example, you could only enable PubkeyAuthentication while disabling all other methods of Authentication, then use a large (4096-bit?) key pair with a strong passphrase[1] and use keychain[2] so you don't have to type in the passphrase all the time. OK, I'm exaggerating a bit with those passwords from GRC, but you get the idea. [1] https://www.grc.com/passwords.htm [2] http://www.gentoo.org/proj/en/keychain/ Also keep in mind the added overhead with OpenVPN -- your encrypted SSH traffic is again encrypted by the VPN. > > If your laptop is always behind your local firewall, then it should be > > sufficient to have an OpenVPN tunnel established between your local > > firewall/print server and your remote server. This should allow you to > > print. > > > > Configuring the routes on your laptop to go through your local > > firewall and VPN to the remote server should allow you to grab your > > mail. > > > > If you move around with your laptop then you'll need to establish the > > VPN tunnel to your remote server anytime you need to grab your mail > > from anywhere else but home (behind your local firewall). > > Ah, tunnels, OK. I need to think in terms of tunnels. I'll > definitely be moving around and won't be behind my local firewall too > much of the time. Can I set up the openvpn server on my remote system > and keep a tunnel open between it and the firewall/print server for > printing, and also initiate a tunnel between the laptop and the remote > system whenever I need to mail or SSH? Does that sound like a good > plan? Yep, that should work. With a 'permanent' tunnel established between your remote server and your local firewall/print server, you'll always have access to those too simply by connecting via VPN to your remote server. You can print from your laptop to your printer at home while overseas, for example. Mike -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
> > I'm hoping to use the vpn in three few ways: > > > > 1. imap and smtp between my laptop and the mail server > > 2. ssh from my laptop to the remote server > > 3. cups printing from the remote server to the print server > > I don't think you need a VPN to SSH from your laptop to the remote > server -- SSH is already encrypted. For sure, but it seems like running SSH inside a VPN is better for security than running SSH on a non-standard port or even port knocking. If I need to set up a VPN for printing, shouldn't I use it for other stuff too? Maybe not, I have yet to actually use a VPN so please correct me if I'm wrong. > If your laptop is always behind your local firewall, then it should be > sufficient to have an OpenVPN tunnel established between your local > firewall/print server and your remote server. This should allow you to > print. > > Configuring the routes on your laptop to go through your local > firewall and VPN to the remote server should allow you to grab your > mail. > > If you move around with your laptop then you'll need to establish the > VPN tunnel to your remote server anytime you need to grab your mail > from anywhere else but home (behind your local firewall). Ah, tunnels, OK. I need to think in terms of tunnels. I'll definitely be moving around and won't be behind my local firewall too much of the time. Can I set up the openvpn server on my remote system and keep a tunnel open between it and the firewall/print server for printing, and also initiate a tunnel between the laptop and the remote system whenever I need to mail or SSH? Does that sound like a good plan? - Grant > > IMHO you should always go with routed first, then bridged if you need > > it. > > > > Ask yourself this question: do you really need ethernet traffic to go > > through the vpn? There are cases where it could be useful, but I'm hard > > pressed to find a general case. > > > > With a routed vpn, you work with IP addresses, just like you do on the > > internet. > > As Alan said, try going with routed first. > > Also, think about whether you really need this. As mentioned above, > SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be > encrypted too. That leaves printing, for which you could use VPN. > > Have fun! > Mike -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
Hi Grant, On Tue, Feb 12, 2008 at 5:41 AM, Grant <[EMAIL PROTECTED]> wrote: > I'm hoping to use the vpn in three few ways: > > 1. imap and smtp between my laptop and the mail server > 2. ssh from my laptop to the remote server > 3. cups printing from the remote server to the print server I don't think you need a VPN to SSH from your laptop to the remote server -- SSH is already encrypted. If your laptop is always behind your local firewall, then it should be sufficient to have an OpenVPN tunnel established between your local firewall/print server and your remote server. This should allow you to print. Configuring the routes on your laptop to go through your local firewall and VPN to the remote server should allow you to grab your mail. If you move around with your laptop then you'll need to establish the VPN tunnel to your remote server anytime you need to grab your mail from anywhere else but home (behind your local firewall). On Tue, Feb 12, 2008 at 5:53 AM, Alan McKinnon <[EMAIL PROTECTED]> wrote: > IMHO you should always go with routed first, then bridged if you need > it. > > Ask yourself this question: do you really need ethernet traffic to go > through the vpn? There are cases where it could be useful, but I'm hard > pressed to find a general case. > > With a routed vpn, you work with IP addresses, just like you do on the > internet. As Alan said, try going with routed first. Also, think about whether you really need this. As mentioned above, SSH doesn't need to be tunneled over a VPN. IMAP and SMTP can be encrypted too. That leaves printing, for which you could use VPN. Have fun! Mike -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] OpenVPN setup
On Monday 11 February 2008, Grant wrote: > The second guide deals with bridging and the first does not. Should > I be setting up bridging? The first guide seems simpler. Should I > be OK with that one? I'd hate to dig into one of them and then find > out I should have chosen the other. > > - Grant IMHO you should always go with routed first, then bridged if you need it. Ask yourself this question: do you really need ethernet traffic to go through the vpn? There are cases where it could be useful, but I'm hard pressed to find a general case. With a routed vpn, you work with IP addresses, just like you do on the internet. -- Alan McKinnon alan dot mckinnon at gmail dot com -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] openvpn and nfsmount
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Eric Martin wrote: > I would still use tcp rather than UDP for NFS if I was going to mount it > over a slow network. I did some benchmarks for my wireless and wired > network and TCP clearly beats UDP on files over 1MB. I know the > wireless limitations have something to do with it as well, but it's my > $0.02. OpenVPN transports over UDP (or TCP, but it's not recommended, there is a paper about TCP encapsulation over TCP). - -- Arturo "Buanzo" Busleiman - Consultor Independiente en Seguridad Informatica Servicios Ofrecidos: http://www.buanzo.com.ar/pro/ Unase a los Foros GNU/Buanzo - La palabra Comunidad en su maxima expresion. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG1zPjAlpOsGhXcE0RCgdAAJ9CaBk4jBemiI6zzVbTBq2l7csgfwCfbxrn CI2KgpQ3gBBRW6Ghb1MLVYQ= =2OkK -END PGP SIGNATURE- -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] openvpn and nfsmount
> And NFS, well, it's NFS. I don't love it, but I've used NFS exports from a > 14.k modem... So... maybe > he is having internet issues, router issues, firewall issues, compilation > issues... but OpenVPN and > NFS, given a relatively good network environment, work more than OK. I would still use tcp rather than UDP for NFS if I was going to mount it over a slow network. I did some benchmarks for my wireless and wired network and TCP clearly beats UDP on files over 1MB. I know the wireless limitations have something to do with it as well, but it's my $0.02.
Re: [gentoo-user] openvpn and nfsmount
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dan Farrell wrote: > Nevertheless I've used this many times before, and although realtime > performance isn't especially good, I certainly wouldn't go so far as to > call it "unstable". I've used OpenVPN to interconnect workstations and servers in Argentina, using all from Cable internet to ADSL, and GPRS modems. It rocks. And NFS, well, it's NFS. I don't love it, but I've used NFS exports from a 14.k modem... So... maybe he is having internet issues, router issues, firewall issues, compilation issues... but OpenVPN and NFS, given a relatively good network environment, work more than OK. - -- Arturo "Buanzo" Busleiman - Consultor Independiente en Seguridad Informatica Servicios Ofrecidos: http://www.buanzo.com.ar/pro/ Unase a los Foros GNU/Buanzo - La palabra Comunidad en su maxima expresion. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG1hMeAlpOsGhXcE0RCgK2AJ9XX9CccDDyoLAv7Qdv1VCiGeEt4ACfbFLV xCbgUiIH5vrEEs4nyh8bW3w= =MHR/ -END PGP SIGNATURE- -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] openvpn and nfsmount
On Wed, 29 Aug 2007 21:18:47 +0200 (CEST) Cipher van Byte <[EMAIL PROTECTED]> wrote: > It isn't good idea to mount nfs over openvpn. Both are highly > unstable. Openvpn is highly unstable? really? mine's been up for days. NFS is highly unstable? Hardly. Perhaps you mean that it's unstable over openvpn, especially with UDP whose retransmission for slow links like the internet isn't optimal. Nevertheless I've used this many times before, and although realtime performance isn't especially good, I certainly wouldn't go so far as to call it "unstable". Any feedback? -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] openvpn and nfsmount
It isn't good idea to mount nfs over openvpn. Both are highly unstable. You should try openssh and it's simple tunnel and ftp over it or any other networked file system. If you really need to use nfs set it to use tcp. -- Morpheus: "No, what happened, happened and couldn't have happened any other way." On Tue, 28 Aug 2007, Patrick Holthaus wrote: Hello! I am having difficulties in setting up nfs with my laptop. I have an openvpn server running at home that can be reached via dynamic dns from the "outside world". Now i would like to mount my nfs exports from everywhere I am. These exports are only available in the vpn subnet (10.8.0.*). There are basically three scenarios (all via net.wlan0): 1. Home: - Direct connection to the openvpn server with a static private IP adress (192.168.1.xxx) - ESSID is fixed (e.g. "home") - The openvpn service can be started via "/etc/init.d/openvpn.home start" (it is properly configured via /etc/openvpn/home.conf - After that net.tap0 can be started and gets an ip adress inside the vpn (e.g. 10.8.0.100) if i have the following in /etc/conf.d/net: config_tap0=( "dhcp" ) mac_tap0="00:FF:22:33:44:55" RC_NEED_tap0="openvpn.home" 2. Remote: - Connection via internet - This time the openvpn service has to be started via "/etc/init.d/openvpn.remote start" (because the config for that resides in /etc/openvpn/remote.conf) - You see that i have to change a line in /etc/conf.d/net to get things to work: config_tap0=( "dhcp" ) mac_tap0="00:FF:22:33:44:55" RC_NEED_tap0="openvpn.remote" Question is: Can I avoid changing these lines everytime I travel around? 3. Remote via vpnc: - Connection via internet (so openvpn.remote has to be used) - ESSID fixed (e.g. "unibi") - Additionally: The vpnc service (/etc/init.d/vpnc.uni) has to be active Second question: Can I start the vpnc service by knowing the ESSID of my wireless network, and if I can: how? Thanks for your time Patrick -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Openvpn configuration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Jason Carson wrote: > What I don't know what to do is what goes after ifconfig... 66.11.182.5 is > my servers ip address to the external world (eth0). 192.168.0.1 is the > internal network (eth1) address. What do I put after ifconfig? Go to www.openvpn.net and read the documentation. What you say about ifconfig has nothing to do with how openvpn works. If you need further help, contact me offlist. I've been openvpn-ing for a number of years now :) - -- Arturo "Buanzo" Busleiman - Consultor Independiente en Seguridad Informatica *ESTE SABADO 18/Ago* SHOW DE FUTURABANDA (Punk Libre)- Sarmiento 1679 CapFed Entradas anticipadas a traves de www.futurabanda.com.ar - Punk Rock Melodico -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGxmnfAlpOsGhXcE0RCuZxAJ43hvk9IU5vPw3VcyCflt6q88ejfgCeLZbE i/xrUsO5zSPlawGZ/dKksSg= =HJ1s -END PGP SIGNATURE- -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] OpenVPN and DHCP
Hi, Patrick Holthaus schrieb: Hello everybody! Maybe this is a bit Off-Topic here, but maybe some of you like to help me anyway. I am trying to build a VPN network where the clients get their IP adresses from a local DHCP server (because it should notify the nameserver of the clients). The VPN should have its own adress pool 10.8.0.* while the unsecured clients in the server's LAN should get an 192.168.1.* adress. I got the VPN working but the clients do appearently not get their IP from the DHCP server but some random IP from the OpenVPN server. (The DHCP server only assignes 10.8.0.100-200 adresses but the clients get .8 or .10 for example) Now my questions are: Do I need bridging for making the DHCP server work in the VPN? Yes. DHCP is an ethernet protocol. DHCP over IP wouldn't make much sense, would it? To use your existing DHCP Server you need OSI Layer 2 VPN connections (TAP devices). How should the configuration files look like? Uhm, in your testing files, you try to configure IP's on a tap device? I think you mix the concepts up here. If you have a tap tunnel, your client sends ethernet frames to the server, who, when properly bridged, sends them to a local LAN, and vice versa. No IP involved on that level, you could use IPX or SCTP if you wanted. The only IP you mention in the config file is that of the server. But then a client could connect and use any IP you ask? Well, yes, as in any LAN. You can use iptables on the bridge to filter spoofed packets out, though. It's more easy and faster to stick with Layer3 vpn, though. Regards and HTH, Thomas -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] OpenVPN and DHCP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrick Holthaus wrote: > Now my questions are: > Do I need bridging for making the DHCP server work in the VPN? > How should the configuration files look like? I don't think you can do it, because the openvpn client needs an IP provided by the OpenVPN server software to obtain the tunnel. If you want OpenVPN to provide a certain subnet range for your openvpn clients, then check out: - --server network netmask A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface. For example, --server 10.8.0.0 255.255.255.0 expands as follows: mode server tls-server push "topology [topology]" if dev tun AND (topology == net30 OR topology == p2p): ifconfig 10.8.0.1 10.8.0.2 ifconfig-pool 10.8.0.4 10.8.0.251 route 10.8.0.0 255.255.255.0 if client-to-client: push "route 10.8.0.0 255.255.255.0" else if topology == net30: push "route 10.8.0.1" if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 push "route-gateway 10.8.0.1" Don't use --server if you are ethernet bridging. Use --server-bridge instead. - --server-bridge gateway netmask pool-start-IP pool-end-IP A helper directive similar to --server which is designed to simplify the configuration of OpenVPN's server mode in ethernet bridging configurations. To configure ethernet bridging, you must first use your OS's bridging capability to bridge the TAP interface with the ethernet NIC interface. For example, on Linux this is done with the brctl tool, and with Windows XP it is done in the Network Connections Panel by selecting the ethernet and TAP adapters and right-clicking on "Bridge Connections". Next you you must manually set the IP/netmask on the bridge interface. The gateway and netmask parameters to --server-bridge can be set to either the IP/netmask of the bridge interface, or the IP/netmask of the default gateway/router on the bridged subnet. Finally, set aside a IP range in the bridged subnet, denoted by pool-start-IP and pool-end-IP, for OpenVPN to allocate to connecting clients. For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows: mode server tls-server ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 push "route-gateway 10.8.0.4" [taken from: http://openvpn.net/man.html no Named Anchors there...] - -- Arturo "Buanzo" Busleiman - Consultor Independiente en Seguridad Informatica Enigform for Firefox: A secure browsing experience: http://enigform.mozdev.org Mail Hosting Seguro y Consultoria - http://www.buanzo.com.ar/pro/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF+9NiAlpOsGhXcE0RCrNbAJ924t72yJMexav/3YESNXHziZm4OACeJy6s tLlNylW4KHjPt4ngjest/jE= =gIhv -END PGP SIGNATURE- -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openvpn multiple tunnels
> What you need to do is create a .conf file for your second > tunnel, and then link /etc/init.d/openvpn to /etc/init.d/. > Then you can start the second tunnel with either "/etc/init.d/ > start", or by using rc-update to add to the runlevel of your > choice. For example: > > cp /etc/openvpn/openvpn.conf /etc/openvpn/homevpn.conf > vi /etc/openvpn/homevpn.conf > ln -s openvpn /etc/init.d/homevp > rc-update add homevpn default > /etc/init.d/homevpn start ah! okay, so it works kinda like the net.eth0 link to net.lo, then? i'd seen that about creating a link, but i couldn't figure out where that was happening. thanks SO much -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openvpn multiple tunnels
> Used to be you could have multiple tunnels open with vpn. when it changed > to > require /etc/openvpn/openvpn.conf, instead of launching all the tunnels, i > can no longer figure out how to open multiple tunnels. the docs seem to > mention an /etc/conf.d/openvpn file, but that didn't get created on my > system > and i can't find any reference to the format/options. can someone point > me > to a readme or howto on how to start a particular tunnel? What you need to do is create a .conf file for your second tunnel, and then link /etc/init.d/openvpn to /etc/init.d/. Then you can start the second tunnel with either "/etc/init.d/ start", or by using rc-update to add to the runlevel of your choice. For example: cp /etc/openvpn/openvpn.conf /etc/openvpn/homevpn.conf vi /etc/openvpn/homevpn.conf ln -s openvpn /etc/init.d/homevpn rc-update add homevpn default /etc/init.d/homevpn start -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openvpn
Adding the route to my default gateway solved the problem !!! thank you all for the help !!! Allan On 9/18/05, capsel <[EMAIL PROTECTED]> wrote: > AFAIK: > packets can not reach destinations in other subnet (except 0.0.0.0) > than the subnet of your IP. You must have assigned an IP address from > same subnet as destination host. > > so client can ping all 10 and two sides of server > Please check if you can ping other IP from 192.168.0.0 subnet. > > My advice is to "fix" routing tables... or to set up NAT, or set > everywhere same subnet :) > > 2005/9/18, Oliver Friedrich <[EMAIL PROTECTED]>: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > Allan Spagnol Comar wrote: > > > > > Hi all, I having some strange problem on my VPN :( > > > > > > I had configured openvpn as tunnel server-client; had a tun > > > interface . > > > > > > I started the open vpn using 10.8.0.0 network and has my private > > > net at 192.168.0.0 and the open vpn is running at 192.168.0.230 > > > > > > I started one client; the client sync receive an IP 10.8.0.5 and > > > the route to 192.168.0.0 network; > > > > > > Until now everything looks ok, but here is the strange sinc, I can > > > ping 10.8.0.1 and I can ping 192.168.0.230 but when I try to ping > > > 192.168.0.1 it got connection time out > > > > > > There is the Problem, the 10.8.0.0 Network is only for the connection, > > your client is on 192.168.0.0 and your server is on 192.168.0.0 too... > > so as long as the tunnel exists, your server has two 192.168.0.230, > > one localy and one on the other side of the tunnel... > > > > client and server must not be in same subnet, since then the tunnel > > can cause IP conflicts. > > > > Sorry for my bad english > > > > Oliver "Beowulf" Friedrich > > -BEGIN PGP SIGNATURE- > > Version: GnuPG v1.4.1 (GNU/Linux) > > > > iD8DBQFDLd4ecZpid1GuHxcRArn5AKDGMdtppI8iDI2KLccWnBax5Gc33gCg0Eix > > Ta4t0uJ1UMWLhyLm/SaX1rM= > > =CDSa > > -END PGP SIGNATURE- > > > > -- > > gentoo-user@gentoo.org mailing list > > > > > > -- > gentoo-user@gentoo.org mailing list > > -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openvpn
AFAIK: packets can not reach destinations in other subnet (except 0.0.0.0) than the subnet of your IP. You must have assigned an IP address from same subnet as destination host. so client can ping all 10 and two sides of server Please check if you can ping other IP from 192.168.0.0 subnet. My advice is to "fix" routing tables... or to set up NAT, or set everywhere same subnet :) 2005/9/18, Oliver Friedrich <[EMAIL PROTECTED]>: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Allan Spagnol Comar wrote: > > > Hi all, I having some strange problem on my VPN :( > > > > I had configured openvpn as tunnel server-client; had a tun > > interface . > > > > I started the open vpn using 10.8.0.0 network and has my private > > net at 192.168.0.0 and the open vpn is running at 192.168.0.230 > > > > I started one client; the client sync receive an IP 10.8.0.5 and > > the route to 192.168.0.0 network; > > > > Until now everything looks ok, but here is the strange sinc, I can > > ping 10.8.0.1 and I can ping 192.168.0.230 but when I try to ping > > 192.168.0.1 it got connection time out > > > There is the Problem, the 10.8.0.0 Network is only for the connection, > your client is on 192.168.0.0 and your server is on 192.168.0.0 too... > so as long as the tunnel exists, your server has two 192.168.0.230, > one localy and one on the other side of the tunnel... > > client and server must not be in same subnet, since then the tunnel > can cause IP conflicts. > > Sorry for my bad english > > Oliver "Beowulf" Friedrich > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.1 (GNU/Linux) > > iD8DBQFDLd4ecZpid1GuHxcRArn5AKDGMdtppI8iDI2KLccWnBax5Gc33gCg0Eix > Ta4t0uJ1UMWLhyLm/SaX1rM= > =CDSa > -END PGP SIGNATURE- > > -- > gentoo-user@gentoo.org mailing list > > -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openvpn
Hi Allan, Allan Spagnol Comar schrieb: Hi all, I having some strange problem on my VPN :( I had configured openvpn as tunnel server-client; had a tun interface . I started the open vpn using 10.8.0.0 network and has my private net at 192.168.0.0 and the open vpn is running at 192.168.0.230 I started one client; the client sync receive an IP 10.8.0.5 and the route to 192.168.0.0 network; Until now everything looks ok, but here is the strange sinc, I can ping 10.8.0.1 and I can ping 192.168.0.230 but when I try to ping 192.168.0.1 it got connection time out I set up the iptables forward at the 192.168.0.230 machine what more I have missed ? anyone had a clue ? Thanks, Allan If want to access the network of the server from the client, you need the following things. (I am going from the top down, so that someone else might be able to follow this, and get something out of it.) When openvpn creates the tunnel, you have a point to point connection, between the server and the client. In your example, you use the 10.8.0.0 network for the server to client, point to point connection. Since you say that you can ping the server on the 10.8.0.0 network, the tunnel is most likely working. You say that the server is in the 192.168.0.0 network, and has the 192.168.0.230 address. You also say that a route to the 192.168.0.0 is added on the client machine, and that you can ping the server on the 192.168.0.0 network using the 192.168.0.230 address. So the routing on the client is also fine. Assuming that you want the client(s) to be seen in the private network (192.168.0.0) as being in the 10.8.0.0 network, you need to add a routing back to the client for the machines in the private network.. If your private network has a default gateway, it is usually the easist to add a route at the default gateway, saying that the 10.8.0.0 network can be reached over the gateway host 192.168.0.230 . The other important thing is to make sure that your open server has packet forwarding on. i.e. net.ipv4.ip_forward = 1 in /etc/sysctl.conf The best way to test you routing when you think it should be working, is to do a trace route from a machine in the private network to the client when the VPN is up. MfG, Scott -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openvpn
Hi Allan, Allan Spagnol Comar schrieb: Hi all, I having some strange problem on my VPN :( I had configured openvpn as tunnel server-client; had a tun interface . I started the open vpn using 10.8.0.0 network and has my private net at 192.168.0.0 and the open vpn is running at 192.168.0.230 I started one client; the client sync receive an IP 10.8.0.5 and the route to 192.168.0.0 network; Until now everything looks ok, but here is the strange sinc, I can ping 10.8.0.1 and I can ping 192.168.0.230 but when I try to ping 192.168.0.1 it got connection time out I set up the iptables forward at the 192.168.0.230 machine what more I have missed ? anyone had a clue ? Thanks, Allan If want to access the network of the server from the client, you need the following things. (I am going from the top down, so that someone else might be able to follow this, and get something out of it.) When openvpn creates the tunnel, you have a point to point connection, between the server and the client. In your example, you use the 10.8.0.0 network for the server to client, point to point connection. Since you say that you can ping the server on the 10.8.0.0 network, the tunnel is most likely working. You say that the server is in the 192.168.0.0 network, and has the 192.168.0.230 address. You also say that a route to the 192.168.0.0 is added on the client machine, and that you can ping the server on the 192.168.0.0 network using the 192.168.0.230 address. So the routing on the client is also fine. Assuming that you want the client(s) to be seen in the private network (192.168.0.0) as being in the 10.8.0.0 network, you need to add a routing back to the client for the machines in the private network.. If your private network has a default gateway, it is usually the easist to add a route at the default gateway, saying that the 10.8.0.0 network can be reached over the gateway host 192.168.0.230 . The other important thing is to make sure that your open server has packet forwarding on. i.e. net.ipv4.ip_forward = 1 in /etc/sysctl.conf The best way to test you routing when you think it should be working, is to do a trace route from a machine in the private network to the client when the VPN is up. MfG, Scott -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openvpn
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Allan Spagnol Comar wrote: > Hi all, I having some strange problem on my VPN :( > > I had configured openvpn as tunnel server-client; had a tun > interface . > > I started the open vpn using 10.8.0.0 network and has my private > net at 192.168.0.0 and the open vpn is running at 192.168.0.230 > > I started one client; the client sync receive an IP 10.8.0.5 and > the route to 192.168.0.0 network; > > Until now everything looks ok, but here is the strange sinc, I can > ping 10.8.0.1 and I can ping 192.168.0.230 but when I try to ping > 192.168.0.1 it got connection time out There is the Problem, the 10.8.0.0 Network is only for the connection, your client is on 192.168.0.0 and your server is on 192.168.0.0 too... so as long as the tunnel exists, your server has two 192.168.0.230, one localy and one on the other side of the tunnel... client and server must not be in same subnet, since then the tunnel can cause IP conflicts. Sorry for my bad english Oliver "Beowulf" Friedrich -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDLd4ecZpid1GuHxcRArn5AKDGMdtppI8iDI2KLccWnBax5Gc33gCg0Eix Ta4t0uJ1UMWLhyLm/SaX1rM= =CDSa -END PGP SIGNATURE- -- gentoo-user@gentoo.org mailing list