[leaf-user] OpenVPN

2003-03-27 Thread Scott Merrill
I've seen some posts (here and on the Shorewall list) about OpenVPN, so I 
thought I'd take a look.  I like what I see, and I'd like to try to implement 
it on LEAF/Bering.

Getting OpenVPN compiled for Bering is problematic, though.  I followed the 
Bering UML instructions for creating a virtual slink environment for 
compiling userland programs, but the compilation of OpenVPN produced a binary 
that did not contain tun/tap device support (since it couldn't find the 
appropriate kernel bits).

I tried linking 2.4.20's /usr/src/linux/include/linux/if_tun.h into the 
virtual slink's /usr/include/linux/, but make throws an error about the tun.c 
portion of OpenVPN.

I tried compiling OpenVPN on both Debian woody and Red Hat 7.3, but running 
this binary segfaults on Bering.

This is my first stab at compiling something for Bering myself.  Is it 
possible to compile OpenVPN against slink's glibc and the newer Bering 
kernel?



---
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] OpenVPN

2003-12-22 Thread Informática. Cabildo de La Gomera
I'm trying to connect several offices, and I decided to use Bering uClib
because it seems to be the most up to date branch.

After several problems with network drivers it's starting to work, but
now I have to decide about security: ipsec or openvpn. It seems that
openvpn is easier to configure and you can select the degree of security/cpu
that you want (my pc's are really old), so I think it's the better solution for
me, but I can't see a package for openvpn using Bering uClib.




The questions are three:
-Do you think it's a good idea to use Bering uClib?
-What about ipsec vs openvpn?
-Is there a package for openvpn under Bering uClib?




Thanks!!





Fernando Febles Armas
Jefe de la Sección de Informática
Tf.922140170  Fx.922140151
[EMAIL PROTECTED]
Cabildo de La Gomera  CIF:P384H
Profesor Armas Fernández 2
S/S Gomera 38800
Tenerife (Canarias)





[leaf-user] OpenVpn

2004-10-22 Thread theoleyre fabrice
Hi,

I try to set up VPN with a leaf box.
I want to create VPN tunnels between the router and
several clients (Linux, WinXP, Win2K...). Some clients
have a NATed connection, with private addresses, which
cause some troubles with Ipsec.

OpenVPN is interesting: a single udp port is required
for the connection, not impacted by NAT because of the
encapsulation. However, I want VPN for roadwarriors:
several clients, with different addresses, dynamic,
not known. I saw that several clients on a single udp
port is only supported in the 2.0 beta version. The
version for Leaf Bering is the 1.6.0. 

Does a solution exist to connect road warriors with
OpenVpn 1.6.0, without the "mode-server" of openvpn
2.0? Did anybody try to set up such connections?

Regards,









[leaf-user] OpenVPN

2005-02-01 Thread Stefaan Van Dooren
Hi,

I'm using Bering uClibc 2.1 and I was wondering if anyone has already made
an openvpn 2 package for it (I can only find version 1.6 on the site). I know
version 2 is still beta, but I need some of the new features..

Stefaan






[leaf-user] OpenVPN

2005-12-12 Thread Sylvain Pelletier
Hi,

I would like to get the feedback of people who have successfully
installed/tested openvpn with bering.

Thanks

Sylvain




[leaf-user] Openvpn

2006-01-18 Thread Bob von Knobloch
I am trying to get openvpn working on my WRAP box, but am hitting 
problems during installation. I am using Bering uClibc 2.3 and sourcing 
all packages from the current ISO.
I am using Kapeka's 'How-To' as an installation guide but am not sure 
how up-to-date it is.


Progress:
All packages & modules installed OK.
/etc/easyrsa/vars reconfigured for my system.
'build-ca' issued  (had to mkdir /etc/openvpn/keys - didn't exist) & 
root ca Cert. generated.

'build-dh' issued & Diffie-Hellman '.pem' file created.

Problem:
'build-key-server' issued, generates private key, prompts for Cert. 
details, then throws an error

   "Using configuration from /etc/easyrsa/openssl.cnf
   /etc/openvpn/keys/index.txt: No such file or directory"

I can find no reference as to what should be in this file, can anyone help?

Thanks

Bob von Knobloch




[leaf-user] openvpn

2007-01-21 Thread C.Dummy
This might sound stupid but I have never used openvpn. If I want to use
openvpn I can install the server on my home machine and the client on my laptop
on the road, then open the UDP port in shorewall and use openvpn to connect
(I hope). Why would I install openvpn on the Bering box? Is this necessary
in order to get the above setup to work?
Andrey



Re: [leaf-user] OpenVPN

2003-03-27 Thread Lynn Avants
On Thursday 27 March 2003 02:46 pm, Scott Merrill wrote:
> Getting OpenVPN compiled for Bering is problematic, though.  I followed the
> Bering UML instructions for creating a virtual slink environment for
> compiling userland programs, but the compilation of OpenVPN produced a
> binary that did not contain tun/tap device support (since it couldn't find
> the appropriate kernel bits).
>
> I tried linking 2.4.20's /usr/src/linux/include/linux/if_tun.h into the
> virtual slink's /usr/include/linux/, but make throws an error about the
> tun.c portion of OpenVPN.

Have you tried installing the source code and applying the proper patches
to the 2.4.20 kernel in the Slink environment, THEN trying to compile OpenVPN?

This is likely the best chance you'll have to get it to work, unless the
kernel also needs to be patched for compatibility.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




Re: [leaf-user] OpenVPN

2003-03-28 Thread Jacques Nilo
Le Jeudi 27 Mars 2003 21:46, Scott Merrill a écrit :
> I've seen some posts (here and on the Shorewall list) about OpenVPN, so I
> thought I'd take a look.  I like what I see, and I'd like to try to
> implement it on LEAF/Bering.
>
> Getting OpenVPN compiled for Bering is problematic, though.  I followed the
> Bering UML instructions for creating a virtual slink environment for
> compiling userland programs, but the compilation of OpenVPN produced a
> binary that did not contain tun/tap device support (since it couldn't find
> the appropriate kernel bits).
>
> I tried linking 2.4.20's /usr/src/linux/include/linux/if_tun.h into the
> virtual slink's /usr/include/linux/, but make throws an error about the
> tun.c portion of OpenVPN.
>
> I tried compiling OpenVPN on both Debian woody and Red Hat 7.3, but running
> this binary segfaults on Bering.
>
> This is my first stab at compiling something for Bering myself.  Is it
> possible to compile OpenVPN against slink's glibc and the newer Bering
> kernel?
Yes it is and I did it for you and for this nice community too ...
The package is here:
http://leaf.sf.net/devel/jnilo/packages/openvpn.lrp
It is statically compiled against openssl 0.9.7a and lzo 1.08
It is untested so please any feedback would be appreciated
do not forget to load the ifconfig.lrp package from Charles site
You also need to create:
mknod /dev/net/tun c 10 200
and load the tun.o module if you are using the tun/tap driver setup.

Also a volunteer for a Bering new user's guide chapter would be appreciated...

Jacques




Re: [leaf-user] OpenVPN

2003-12-22 Thread Etienne Charlier
Hello,
I have used openvpn for a year with bering (glibc) to connect 2 subnets through
adsl (pppoe) lines.

It's a wonderful product (the easiest one to configure if both ends of
the tunnel are connected with changing external addresses). I have only used
static keys so far.
I'm working on building a .lrp for bering-uclibc using buildtool. I'm
cloning the openssh buildtool configuration but I haven't managed yet to make
it compile.
I might have some news at the beginning of next year because I plan to work on it
during the end-of-year holidays...


Regards,
Etienne Charlier


Re: [leaf-user] OpenVPN

2003-12-24 Thread Steve Wright
On Tue, 2003-12-23 at 00:59, Informática. Cabildo de La Gomera wrote:
> I'm trying to connect several offices, and I decided to use Bering uClib
> because it seems to be the most up to date branch.
>
> After several problems with network drivers it's starting to work, but
> now I have to decide about security: ipsec or openvpn. It seems that
> openvpn is easier to configure and you can select the degree of security/cpu
> that you want (my pc's are really old), so I think it's the better solution for
> me, but I can't see a package for openvpn using Bering uClib.


I am considering the same, and I am wondering about CIPE.  RedHat and
others package CIPE and include a GUI Wizard to set it up.  Very tidy.

I understand openvpn works over a ssh tunnel.  If this is true, then I
understand that are issues with doing this - it is not a good thing to
do.



> The questions are three:
> 
> -Do you think it´s a good idea to use Bering uClib?
> 
> -What about ipsec vs openvpn?
> 
> -Is there a package for openvpn under Bering uClib?


ipsec would be the best, and with full opportunism, probably the easiest
to maintain.  ipsec is difficult for newbies, as I can assure you.

CIPE is probably the next best, followed by openvpn, on the assumption
that openvpn runs over an ssh tunnel.


Hopefully others may shed light, as I could do with some guidance also.



best regards,
Steve

***compliments of the season to all***






[leaf-user] OpenVPN howto

2004-04-16 Thread M Lu
Hi Martin and all,

I would like to install OpenVPN on my Bering uClibc. Do you have written any
howto specific for Bering or have any instructions? I would like to have
connections between 2 private subnets and also allow a couple of Windows
clients to connect from the outside to my subnet.

Thank you.

M Lu


- Original Message - 
From: "Martin Hejl" <[EMAIL PROTECTED]>
> I'd highly suggest OpenVPN - it's easy enough to set up, and well
> supported by the developer (and it also comes with an installer for
> windows clients, which makes setting things up under Windows a piece of
> cake). The only downside is (IMHO) that it only runs on Windows 2000 or
> XP (of course, it runs on every linux platform I've tried it on). And
> it seems to be a bit more CPU intensive than IPSEC (tried it on a
> head-to-head comparison on a pretty slow box) but unless you're running
> a VPN over a 10MBit link, it should make no difference. Plus OpenVPN is
> _much_ easier to use over NATed connections.
>
> I maintain the lrp for Bering uClibc, but I'm afraid I don't know how
> current the version for Bering is.
>
> HTH
>
> Martin
>
> -- 
> You think that's tough?  Try herding cats!




[leaf-user] openvpn help

2004-05-14 Thread chiew yock sang
I have implemented 2 basic routers with Bering-uClibc v2.1.1 and they are 
working. Then i add in openvpnz.lrp, libcrpto.lrp, libssl.lrp and liblzo.lrp 
and tun.o to get two VPN capability routers.

router A has the following IP:
eth0=10.1.4.1
eth1=192.168.1.254
tun0=192.168.99.1
router B
eth0=10.1.4.2
eth1=192.168.2.254
tun0=192.168.99.2
the following is my configuration for both routers

/etc/shorewall/zones
# zone   display   comments
net      Net       Internet
vpn      VPN       Remote Subnet
loc      Local     Local networks

/etc/shorewall/interfaces (for router A)
# zone   interface   broadcast       options
net      eth0        detect
vpn      tun0        192.168.2.255
loc      eth1        detect

/etc/shorewall/policy
# source   dest   policy   log level   limit:burst
loc        vpn    ACCEPT
vpn        loc    ACCEPT
loc        net    ACCEPT
fw         net    ACCEPT
fw         loc    ACCEPT

/etc/shorewall/rules
# action   source   dest   proto   dest port   source ports   original dest
ACCEPT     net      fw     udp

/etc/shorewall/masq
# INTERFACE   SUBNET   ADDRESS
eth0          eth1

/etc/shorewall/tunnels (router A)
# type      zone   gateway        gateway zone
openvpn:    net    192.168.99.2

/etc/openvpn/openvpn.conf
dev tun0
ifconfig 192.168.99.1 192.168.99.2
secret secret.key
I do
cd /etc/openvpn
openvpn --genkey --secret key
How do I copy this key to router B and vice versa? Or do I only need to generate
the key in one router?

In router A, when I try to ping 192.168.99.2, the following messages pop up:
Virtual device tun0 asks to queue packet!
ping: sendto: Network is down
and when I do
openvpn --ping 5 --dev tun0
it says all encryption and authentication features disabled -- all data will
be tunnelled as cleartext
socket bind failed on local address [undef]:5000: Address already in use
Exiting

Is it because I didn't enable encryption and authentication? Please help

Thanks

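The two-router static-key setup asked about above, carried through end to end as an added example. This is not the poster's configuration and not a LEAF package: it generates one key in the file layout that `openvpn --genkey --secret` writes (reading /dev/urandom directly so it runs on a host without the openvpn binary), installs the same key on both ends, writes an openvpn.conf per router whose `remote` is the peer's public address, and writes the matching Shorewall tunnels line. The addresses are the post's; the directories under $WORK and the file names secret.key, openvpn.conf and shorewall-tunnels are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the poster's files: a static-key, point-to-point
# OpenVPN 1.x tunnel between two LEAF routers. Addresses are the post's
# (router A 10.1.4.1, tun 192.168.99.1; router B 10.1.4.2, tun 192.168.99.2).
# $WORK/routerA and $WORK/routerB stand in for /etc/openvpn on each box.
set -eu
WORK=${WORK:-$(mktemp -d)}

# One 2048-bit key in OpenVPN's "Static key V1" file layout: header line,
# 16 lines of 32 hex digits (256 random bytes), trailer line. This is what
# `openvpn --genkey --secret FILE` writes; /dev/urandom is read directly here
# so the example also runs on a host without the openvpn binary.
gen_static_key() {
    {
        echo '-----BEGIN OpenVPN Static key V1-----'
        od -An -v -tx1 -N256 /dev/urandom | tr -d ' \n' | fold -w32
        echo
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
    chmod 600 "$1"
}

# Generate the key once, then copy the same file to the other router over a
# channel you already trust (scp over ssh, or carried on the floppy). Each end
# loads it with `secret`; generating a second key on router B would give two
# unrelated keys and the tunnel would never authenticate.
write_peer() {
    dir=$1 my_tun=$2 peer_tun=$3 peer_pub=$4 key=$5
    mkdir -p "$dir"
    cp "$key" "$dir/secret.key"
    chmod 600 "$dir/secret.key"
    cat > "$dir/openvpn.conf" <<EOF
# point-to-point tunnel with a pre-shared static key
dev tun0
# public address of the other router (omit on one side if it is dynamic)
remote $peer_pub
# OpenVPN 1.x default UDP port; Shorewall must accept it from the peer
port 5000
# own tunnel address first, then the peer's
ifconfig $my_tun $peer_tun
# this name must match the key file actually on disk
secret secret.key
# keep firewall/NAT state alive and restart if the peer goes silent
ping 10
ping-restart 60
# drop root after the tun device and routes exist; group name varies per box
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
    # Shorewall tunnels entry for this end: the gateway column is the peer's
    # public address, not its tunnel address.
    echo "openvpn:5000 net $peer_pub" > "$dir/shorewall-tunnels"
}

# Both copies must be byte-identical; compare before blaming the config.
same_key() { cmp -s "$1" "$2"; }

setup_pair() {
    key=$WORK/static.key
    gen_static_key "$key"
    write_peer "$WORK/routerA" 192.168.99.1 192.168.99.2 10.1.4.2 "$key"
    write_peer "$WORK/routerB" 192.168.99.2 192.168.99.1 10.1.4.1 "$key"
    rm -f "$key"
}

setup_pair
```

On a real pair of routers the key is created on one box and copied once; the `same_key` check is the first thing to run when the tunnel stays down, since a key that differs by a single byte fails silently at the HMAC stage. The `ping`/`ping-restart` pair is what keeps the UDP association alive through a stateful firewall or NAT in front of either router.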


Re: [leaf-user] OpenVpn

2004-10-22 Thread M Lu
I think you will be much better off with OpenVPN regarding NATed clients.
You can have road-warriors with 1.6 but you have to use different port for
each warrior.



Re: [leaf-user] OpenVpn

2004-10-22 Thread theoleyre fabrice
I forgot to explain that I have a firewall between my
clients and my leaf box. This firewall is a border
router, not my responsibility. I can only ask for
some ports to be opened. So all clients must
connect to the leaf box via a single udp port.

Client --- Internet --- Firewall --- LeafBox (VPN)





Re: [leaf-user] OpenVpn

2004-10-22 Thread Charles Steinkuehler
theoleyre fabrice wrote:
> Hi,
> I try to set up VPN with a leaf box.
> I want to create VPN tunnels between the router and
> several clients (Linux, WinXP, Win2K...). Some clients
> have a NATed connection, with private addresses, which
> cause some troubles with Ipsec.
> OpenVPN is interesting: a single udp port is required
> for the connection, not impacted by NAT because of the
> encapsulation. However, I want VPN for roadwarriors:
> several clients, with different addresses, dynamic,
> not known. I saw that several clients on a single udp
> port is only supported in the 2.0 beta version. The
> version for Leaf Bering is the 1.6.0.
>
> Does it exist a solution to connect roadwarriors with
> OpenVpn 1.6.0, without the "mode-server" of openvpn
> 2.0 ? Did anybody try to set up such connections ?

IPSec with the NAT traversal option enabled matches your requirements and is 
very flexible when configuring lots of different clients.  All data is sent 
on UDP port 500 in this mode, rather than using IP protocols 50/51 for 
encrypted data and UDP only for keying.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] OpenVpn

2004-10-22 Thread M Lu
In that case, you can contact Martin Hejl and see if he can port the 2.0 to
LEAF. We are looking forward to it too.




Re: [leaf-user] OpenVpn

2004-10-22 Thread Martin Hejl
> In that case, you can contact Martin Hejl and see if he can port the 2.0 to
> LEAF. We are looking forward to it too.
Well, a package is available at
http://cvs.sourceforge.net/viewcvs.py/leaf/devel/hejl/
the reason that I haven't "officially" published it until now is that 
there's no up to date documentation for it, and worse, I have _no_ clue 
on the details of setting up certificates or even running an openvpn20 
tunnel.
In short, the only questions I can and will respond to are issues with 
the packaging, or with how the binaries were compiled (if they segfault, 
or something like that). With everything else, you're on your own.

Martin



Re: [leaf-user] OpenVpn

2004-10-22 Thread Scott Merrill
On Friday 22 October 2004 13:43, Martin Hejl wrote:
> > In that case, you can contact Martin Hejl and see if he can port the 2.0
> > to LEAF. We are looking forward to it too.
>
> Well, a package is available at
>
> http://cvs.sourceforge.net/viewcvs.py/leaf/devel/hejl/
>
> the reason that I haven't "officially" published it until now is that
> there's no up to date documentation for it, and worse, I have _no_ clue
> on the details of setting up certificates or even running an openvpn20
> tunnel.
> In short, the only questions I can and will respond to are issues with
> the packaging, or with how the binaries were compiled (if they segfault,
> or something like that). With everything else, you're on your own.

I've just recently set up an OpenVPN 2.0 server.  It's actually pretty 
straightforward, if you're at least somewhat familiar with the old 1.x 
operation.

Included in the source is a directory called easy-rsa, which provides some 
scripts to streamline key management operations:
   http://openvpn.sourceforge.net/easyrsa.html




Re: [leaf-user] OpenVpn

2004-10-22 Thread Martin Hejl
Hi Scott,
Scott Merrill wrote:
> I've just recently set up an OpenVPN 2.0 server.  It's actually pretty 
> straightforward, if you're at least somewhat familiar with the old 1.x 
> operation.
I have no doubt - the config-file is not the problem (especially since 
the sample configs provided should almost work out of the box anyway).

> Included in the source is a directory called easy-rsa, which provides some 
> scripts to streamline key management operations:
>    http://openvpn.sourceforge.net/easyrsa.html
I know - I created an easyrsa.lrp as well ;-)
To be honest, I have been able to create certs for a simple loopback 
test (did that just to make sure the binaries actually worked), using 
the easyrsa scripts plus the output of "help easyrsa" (which basically 
contains the info from the page you mentioned). But at the moment, I 
don't have time to support a package that I haven't really used myself, 
especially not since I still need to read up on the "big picture" of 
using certificates. Yes, the scripts and the instructions work, but I'd 
like to understand what I'm doing/telling people to do.

And having seen the kinds of questions that have come up on the openvpn 
lists, I'm rather wary about questions on key-management, 
revocation-lists, how to use certificates from MS Cert Store, what all 
those strange file-endings mean, where to keep the certs (and so on - I 
guess you get the idea).

Martin


Re: [leaf-user] OpenVPN

2005-02-01 Thread K.-P. Kirchdörfer
On Tuesday, 1 February 2005 10:55, Stefaan Van Dooren wrote:
> Hi,
>
> I'm using Bering uClibc 2.1 and I was wondering if anyone has
> already made an openvpn 2 package for it (I can only find a version
> 1.6 on the site). I know version 2 is still beta, but I need some
> of the new features..

2.0-rc1 is only available via buildtool so far - that means you have to 
have a buildtool environment to compile it yourself.

To make a supported 2.x version on our own, we need some more 
experience and docs.

I can offer to send you a 2.x lrp privately.

kp





RE: [leaf-user] OpenVPN

2005-02-02 Thread Stefaan Van Dooren
Thanks,

I grabbed the one from http://quackerhead.com/~duff/openvpn/ and so far I
haven't had any problems with it.

If I run into trouble you'll be hearing from me again ;-)


Stefaan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of K.-P.
Kirchdörfer
Sent: Tuesday 1 February 2005 20:58
To: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] OpenVPN


On Tuesday, 1 February 2005 10:55, Stefaan Van Dooren wrote:
> Hi,
>
> I'm using Bering uClibc 2.1 and I was wondering if anyone has already
> made an openvpn 2 package for it (I can only find a version 1.6 on the
> site). I know version 2 is still beta, but I need some of the new
> features..

2.0-rc1 is only available via buildtool so far - that means you have to
have a buildtool environment to compile it yourself.

To make a supported 2.x version on our own, we need some more
experience and docs.

I can offer to send you a 2.x lrp privately.

kp





[leaf-user] OpenVpn 2.0

2005-04-26 Thread Pascal OFFREDO
OpenVpn 2.0 final has been released

Has anyone built a leaf package with this release?

Regards

Pascal OFFREDO








Re: [leaf-user] OpenVPN

2005-12-12 Thread Erich Titl

Sylvain

Sylvain Pelletier wrote:

> Hi,
>
> I would like to get the feedback of people who have successfully
> installed/tested openvpn with bering.


I am running it on multiple systems without a hitch using Bering glibc

cheers

Erich





Re: [leaf-user] OpenVPN

2005-12-12 Thread Mailing Lists

Tens of installations using bering uclibc

Ciao
Gianni



> Hi,
>
> I would like to get the feedback of people who have successfully
> installed/tested openvpn with bering.





[leaf-user] OpenVPN / FreeSwan

2006-03-22 Thread Robert K Coffman Jr - Info From Data
Can I run OpenVPN and FreeSwan on the same bering box?

I have a network-network OpenVPN connection, and I'd like to add a
connection to a Netgear FVS318, which I've done in the past with FreeSwan.

Thanks-

Bob Coffman





Re: [leaf-user] openvpn

2007-01-21 Thread Paul Wright
>
> Why would I install openvpn on the Bering box? Is this necessary
> in order to get the above setup to work?
>

No, the setup you described would work if the necessary ports were forwarded
through the firewall to your server.  Further, if you use the bridging mode
of openvpn, you could have access to any other resources behind your
firewall (printers, other servers, etc.) even with OpenVPN only installed on
the server.

However, if rather than a "road-warrior" setup you wanted to connect two
offices and allow full access to resources on both sides, you might want to
use OpenVPN on the LEAF routers at each end so that it is all transparent to
your users and there is no need for client software on each workstation,
server, etc.

It's not for everyone but it's a very useful capability that I use
frequently for clients who need a site-to-site VPN.

Regards,

paul


[leaf-user] Openvpn Installation

2008-07-07 Thread Jim Ford
I use a Ubuntu Linux machine where I work (at a school). At home I use 
an XP machine (because of Photoshop!) behind a Bering Leaf uClibc box.

I'd like to access my home machine from work and from what I can deduce, 
Openvpn seems the way to go.

I'm initially working on my Leaf box and am finding the docs with 
regards to keys/certificates rather opaque. It doesn't help that the 
'Chapter 8. Configuring openvpn' and the 'Package Help Text' in 
easyrsa.lrp differ in some respects - maybe minor, I can't tell.

I guess my setup is pretty basic, and maybe it will be made simpler in that 
I can copy any files/keys/certificates/whatever on a usb memory stick, 
to transport between the 2 machines.

Does anyone know of a 'Dumbasses Guide to Openvpn Installation' that 
can help me through this, please?

I guess that as in much of my experience, once it's set-up I'll start to 
understand it, but at the moment I'm floundering!

Jim



[leaf-user] OpenVPN on Bering

2004-03-11 Thread JamesSturdevant
Has anyone been able to create an OpenVPN tunnel with Bering? I get the 
initial connection established, but when I try to ping a host on the remote 
network the server on Bering dies.

I am using a Windows client to connect to the Bering machine. It travels 
through one NAT router on the way. I am using tun0 as the tunnel. The 
config below is the current testing setup on an internal network.

Thanks,
JamesS
# cat /etc/openvpn/server.conf
dev tun0
local 172.16.3.1
ifconfig 172.16.5.1 172.16.5.2
route 192.168.12.198 255.255.255.255
secret /etc/openvpn/static.key
#comp-lzo
verb 9




[leaf-user] OpenVPN on Bering

2004-04-07 Thread AdStar
Hi guys,

I'm trying to set up a VPN (openvpn version 1.5.0) connection from my home
(ADSL, static IP) to my Office (Static IP).
Both networks have a leaf Bering machine as their firewall, both running
shorewall 1.4.7c. I followed the guide at
http://www.shorewall.net/1.4/OPENVPN.html but I'm not 100% sure I have got
it right. I can get the openvpn side of things to connect but cannot ping
any machines on either side of the VPN from the firewall or internal
machines.

HOME internal LAN is 10.0.10.0/24
OFFICE internal LAN is 10.0.100.0/24

HOME Tunnel endpoint 192.168.0.1
OFFICE Tunnel endpoint 192.168.0.2

HOME Firewall IP: 202.52.33.145
OFFICE Firewall IP: 67.106.134.127

OFFICE:
/etc/shorewall/zones --> added 'vpn VPN VPN network'
/etc/shorewall/interfaces --> added 'vpn tun0 10.0.10.255'
/etc/shorewall/policy --> added 'loc vpn ACCEPT' and 'vpn loc ACCEPT'
/etc/shorewall/tunnels --> added 'openvpn net 202.52.33.145'

openvpn.conf
dev tun
local 67.106.134.127
ifconfig 192.168.0.2 192.168.0.1
secret secret.key
verb 8


Restarted Shorewall no errors...
Start OpenVPN no errors..
Manually add the route: route add -net 10.0.10.0 netmask 255.255.255.0 gw
192.168.0.2

daemon.log
Apr  8 11:58:00 pyro openvpn[19238]: Current Parameter Settings:
Apr  8 11:58:00 pyro openvpn[19238]:   config = '/etc/openvpn/openvpn.conf'

Apr  8 12:00:00 pyro openvpn[32333]: Expected Remote Options hash (VER=V3):
'9af04bc6'
Apr  8 12:00:00 pyro openvpn[17555]: UDPv4 link local (bound):
67.106.134.127:5000
Apr  8 12:00:00 pyro openvpn[17555]: UDPv4 link remote: [undef]
Apr  8 12:01:46 pyro openvpn[17555]: UDPv4 READ [60] from
202.52.33.145:5000:  DATA len=60
Apr  8 12:01:46 pyro openvpn[17555]: Peer Connection Initiated with
202.52.33.145:5000
Apr  8 12:01:46 pyro openvpn[17555]: UDPv4 WRITE [188] to
202.52.33.145:5000:  DATA len=188
Apr  8 12:01:50 pyro openvpn[17555]: UDPv4 WRITE [60] to 202.52.33.145:5000:
 DATA len=60

$ ip route
192.168.0.1 dev tun0  proto kernel  scope link  src 192.168.0.2
10.0.100.0/24 dev eth1  proto kernel  scope link  src 10.0.100.1
67.106.134.0/24 dev eth0  proto kernel  scope link  src 67.106.134.127
10.0.10.0/24 via 192.168.0.2 dev tun0  scope link
default via 67.106.134.1 dev eth0


HOME:
/etc/shorewall/zones --> added 'vpn VPN VPN network'
/etc/shorewall/interfaces --> added 'vpn tun0 10.0.100.255'
/etc/shorewall/policy --> added 'loc vpn ACCEPT' and 'vpn loc ACCEPT'
/etc/shorewall/tunnels --> added 'openvpn net 67.106.134.127'

openvpn.conf
dev tun
local 202.52.33.145
remote 67.106.134.127
ifconfig 192.168.0.1 192.168.0.2
secret secret.key
verb 8

Restarted Shorewall no errors...
Start OpenVPN no errors..
Manually add the route: route add -net 10.0.100.0 netmask 255.255.255.0 gw
192.168.0.1

daemon.log
Apr  8 02:29:06 talon openvpn[16327]: Expected Remote Options hash (VER=V3):
'b700f892'
Apr  8 02:29:06 talon openvpn[18778]: UDPv4 link local (bound):
202.52.33.145:5000
Apr  8 02:29:06 talon openvpn[18778]: UDPv4 link remote: 67.106.134.127:5000
Apr  8 02:29:16 talon openvpn[18778]: UDPv4 WRITE [60] to
67.106.134.127:5000:  DATA len=60
Apr  8 02:29:16 talon openvpn[18778]: UDPv4 READ [188] from
67.106.134.127:5000:  DATA len=188
Apr  8 02:29:17 talon openvpn[18778]: Peer Connection Initiated with
67.106.134.127:5000
Apr  8 02:29:21 talon openvpn[18778]: UDPv4 READ [60] from
67.106.134.127:5000:  DATA len=60
Apr  8 02:29:21 talon openvpn[18778]: UDPv4 WRITE [188] to
67.106.134.127:5000:  DATA len=188

# ip route
192.168.0.2 dev tun0  proto kernel  scope link  src 192.168.0.1
172.31.31.9 dev ppp0  proto kernel  scope link  src 202.52.33.145
10.0.100.0/24 via 192.168.0.1 dev tun0  scope link
10.0.10.0/24 dev eth1  proto kernel  scope link  src 10.0.10.1
default via 172.31.31.9 dev ppp0

I try and ping the OFFICE endpoint from HOME firewall
# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
ping: sendto: Operation not permitted

HOME: shorewall.log
Apr  8 02:31:39 talon Shorewall:all2all:REJECT: IN= OUT=tun0
MAC=00:90:27:58:e2:dd:00:e0:7d:ba:cd:ee:08:00  SRC=192.168.0.1
DST=192.168.0.2 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=63440 DF PROTO=ICMP TYPE=8
CODE=0 ID=37959 SEQ=0

The above is in my HOME shorewall.log; I'm not sure how to fix this.
I'm sure my tunnels file is right. Any help would be much appreciated.

Regards
Adam.
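Reading that REJECT line against the zone tables, as an added example that is not part of the post or of Shorewall itself: a small Python helper that maps a Shorewall log line back to the zone pair and policy Shorewall evaluated, using constructed interface and policy tables modelled on the HOME router above. The empty IN= marks a packet generated by the firewall itself (Shorewall's fw zone), so the loc/vpn policies never apply and the catch-all policy (logged as all2all) is what rejected the ping.

```python
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (source zone, destination zone, policy)

FW_ZONE = "fw"  # Shorewall's zone name for the firewall itself ($FW)

# Constructed tables modelled on the HOME router described in the post.
HOME_INTERFACES: Dict[str, str] = {"ppp0": "net", "eth1": "loc", "tun0": "vpn"}
HOME_POLICY: List[Rule] = [
    ("loc", "vpn", "ACCEPT"),  # the two lines the poster added
    ("vpn", "loc", "ACCEPT"),
    ("loc", "net", "ACCEPT"),  # constructed stand-ins for the stock policy file
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),  # the catch-all that Shorewall logs as "all2all"
]

# Constructed sample: the line quoted from the poster's HOME shorewall.log.
SAMPLE_LOG = (
    "Apr  8 02:31:39 talon Shorewall:all2all:REJECT: IN= OUT=tun0 "
    "MAC=00:90:27:58:e2:dd:00:e0:7d:ba:cd:ee:08:00 SRC=192.168.0.1 "
    "DST=192.168.0.2 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=63440 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=37959 SEQ=0"
)

_LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):\s*(?P<rest>.*)$")


def parse_log(line: str) -> Dict[str, str]:
    """Split 'Shorewall:<chain>:<disposition>: K=V K=V ...' into a dict.

    IN= and OUT= may legitimately be empty; keyword-only tokens such as DF
    are ignored.  The IP header's ID= comes before ICMP's, so the first wins.
    """
    m = _LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {"chain": m["chain"], "disposition": m["disp"]}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)
    return fields


def zone_of(iface: str, interfaces: Dict[str, str]) -> str:
    """An empty interface means the packet starts or ends on the firewall itself."""
    if not iface:
        return FW_ZONE
    return interfaces.get(iface, "?" + iface)  # unknown interface: in no zone


def matching_policy(src: str, dst: str, policy: List[Rule]) -> Optional[Rule]:
    """Shorewall applies the first policy whose zones match; 'all' is a wildcard."""
    for rule in policy:
        rule_src, rule_dst, _ = rule
        if rule_src in (src, "all") and rule_dst in (dst, "all"):
            return rule
    return None


def diagnose(line: str, interfaces: Dict[str, str], policy: List[Rule]):
    """Return (src_zone, dst_zone, matched_rule, explanation) for one log line."""
    f = parse_log(line)
    src = zone_of(f.get("IN", ""), interfaces)
    dst = zone_of(f.get("OUT", ""), interfaces)
    rule = matching_policy(src, dst, policy)
    where = "from zone %s to zone %s (IN=%r, OUT=%r, proto %s)" % (
        src, dst, f.get("IN", ""), f.get("OUT", ""), f.get("PROTO", "?"))
    if rule is None:
        text = "no policy covers traffic %s; Shorewall would refuse this config" % where
    elif rule[0] == "all" and rule[1] == "all":
        text = ("traffic %s hit only the catch-all '%s %s %s' policy; add an explicit "
                "'%s %s' policy or rule if that traffic is intended" % (where, *rule, src, dst))
    else:
        text = "traffic %s is governed by policy '%s %s %s'" % (where, *rule)
    return src, dst, rule, text


if __name__ == "__main__":
    for label, policy in (("as posted", HOME_POLICY),
                          ("with fw->vpn added", [("fw", "vpn", "ACCEPT")] + HOME_POLICY)):
        print(label + ":", diagnose(SAMPLE_LOG, HOME_INTERFACES, policy)[3])
```

The check only reports which zone pair lacks a policy; whether the firewall itself should be allowed to reach the tunnel endpoint is a decision for the person running the router.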




[leaf-user] OpenVPN and routing

2004-05-13 Thread ALParada

Setting up OpenVPN on uClibc.  I will also be replacing the current Bering
install with uClibc. Have everything set up and working with static keys as
well as with certs. Since I was replacing and not installing from scratch I
hadn't thought about any routing issues, until now. My scenario is this:

Openvpn connections will be coming in on eth1. However, eth2 is the default
gateway that leads to our current vpn solution (IPSEC) and out to the
Internet. I was trying to bypass our current vpn solution by coming in
through another interface. Unfortunately, now I don't know if any issues will
come from this.  If it were possible to have all the openvpn connections go
back out the same interface they came in through, it would be great.

Are tun and tap devices associated with any one interface? Will there be any
issues in having users come in on eth1 and go back out on eth2? Will
multiple gateways just mess things up?

Any ideas or feedback would be greatly appreciated.

TIA





Re: [leaf-user] openvpn help

2004-05-14 Thread Martin Hejl
chiew yock sang wrote:
> /etc/shorewall/tunnels (routerA)
> #type zone gateway gateway zone
> openvpn:  net 192.168.99.2
this is either a typo, or a problem - the error message you quoted later 
suggests openvpn runs on port 5000 - but in /etc/shorewall/tunnels you 
define that it uses port  - this is most likely not going to work...


> How to copy this key to router B and vice versa? Or do I only need to 
> generate the key in one router?
In any way that would be considered "secure". So, either by using a 
connection that uses strong encryption or by simply using a floppy. 
Remember, when using pre-shared keys, the security of the VPN relies on 
how securely those keys were transferred (and kept).

> In routerA, when I try to ping 192.168.99.2, the following commands pop up:
> Virtual device tun0 asks to queue packet!
> ping: sendto: Network is down
Hm, I've never seen that error - but I must say, I'm not quite sure how 
commands actually "pop up" - do you mean that the message you quoted 
appears on the console? Or in the logs (and if so, which log)?

> and when I do,
> openvpn --ping 5 --dev tun0
> it says all encryption and authentication features disabled -- all data 
> will be tunnelled as cleartext
> socket bind failed on local address [undef]:5000: Address already in use
> Exiting
Do a "ps aux" on the router in question to find out if openvpn is 
already running; most likely, this is the source of your error. You can 
also use netstat to find out if something is indeed already listening on 
port 5000. Openvpn should not really be started "by hand" (by entering 
"openvpn" at the prompt) but rather by the init-script. So, if you 
want to start openvpn, do a
svi openvpn start
The --ping 5 option can also be specified in the config file (and tun0 
as dev is already specified in your config file, so that would be 
redundant).

Martin
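Two points from this exchange, as an added example that is not part of the original posts or of OpenVPN: a pre-shared key only protects the tunnel while it stays private, and a bare `openvpn --dev tun0` run without a `secret` or TLS directives tunnels everything in cleartext (the question of how to turn encryption back on comes up again later in this thread). The Python linter below parses OpenVPN's line-oriented config syntax and reports those conditions; the sample configs are constructed, modelled on the ones posted in these threads, and the permission check runs on a hypothetical throwaway key file.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

Directive = Tuple[str, List[str]]

# Directives that put OpenVPN into TLS (certificate) mode.  Without one of
# these or a 'secret' static key, OpenVPN prints the warning quoted in the
# thread and tunnels everything in cleartext.
TLS_DIRECTIVES = {"tls-server", "tls-client", "server", "client", "ca", "cert", "key", "dh"}

# Constructed sample modelled on the server.conf posted earlier in this thread.
STATIC_KEY_CONF = """\
dev tun0
local 172.16.3.1
ifconfig 172.16.5.1 172.16.5.2
route 192.168.12.198 255.255.255.255
secret /etc/openvpn/static.key
#comp-lzo
verb 9
"""

# Constructed sample: what 'openvpn --ping 5 --dev tun0' run by hand amounts to.
BARE_CONF = """\
dev tun0
ping 5
"""


def parse_config(text: str) -> List[Directive]:
    """One directive per line; lines starting with '#' or ';' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((parts[0].lstrip("-"), parts[1:]))  # accept '--dev' too
    return directives


def check_key_file(path: str) -> Optional[str]:
    """A static key must stay private: anything beyond owner access is a finding."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "ERROR: static key file %s does not exist" % path
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "WARN: %s is group- or world-accessible (mode %04o); chmod 600 it" % (
            path, stat.S_IMODE(st.st_mode))
    return None


def lint(directives: List[Directive], check_files: bool = True) -> List[str]:
    """Return findings for the parsed directives (empty list means nothing found)."""
    names = {name for name, _ in directives}
    args: Dict[str, List[str]] = {name: a for name, a in directives}  # last one wins
    findings: List[str] = []

    has_secret = "secret" in names
    has_tls = bool(names & TLS_DIRECTIVES)
    if not has_secret and not has_tls:
        findings.append("CRITICAL: no 'secret' and no TLS directives: all encryption and "
                        "authentication features disabled, data is tunnelled as cleartext")
    if has_secret and has_tls:
        findings.append("ERROR: 'secret' (static key) and TLS directives are mutually exclusive")
    if args.get("cipher") == ["none"]:
        findings.append("CRITICAL: 'cipher none' disables encryption")
    if args.get("auth") == ["none"]:
        findings.append("CRITICAL: 'auth none' disables packet authentication (HMAC)")
    if has_secret and check_files and args["secret"]:
        finding = check_key_file(args["secret"][0])
        if finding:
            findings.append(finding)
    verb = args.get("verb", [])
    if verb and verb[0].isdigit() and int(verb[0]) >= 6:
        findings.append("INFO: verb %s is in OpenVPN's debug range; fine for troubleshooting, "
                        "too noisy for production logs" % verb[0])
    return findings


def demo_key_perms() -> Tuple[Optional[str], Optional[str]]:
    """Lint a hypothetical throwaway key file with loose, then tight, permissions."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = check_key_file(path)
        os.chmod(path, 0o600)
        tight = check_key_file(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for label, conf in (("static-key server", STATIC_KEY_CONF), ("bare", BARE_CONF)):
        print(label + ":", lint(parse_config(conf), check_files=False) or ["clean"])
    print("key file permissions (loose, tight):", demo_key_perms())
```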





Re: [leaf-user] openvpn help

2004-05-18 Thread chiew yock sang

From: Martin Hejl <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] openvpn help
Date: Fri, 14 May 2004 19:41:12 +0200

> chiew yock sang wrote:
>> /etc/shorewall/tunnels (routerA)
>> #type zone gateway gateway zone
>> openvpn:  net 192.168.99.2
> this is either a typo, or a problem - the error message you quoted later 
> suggests openvpn runs on port 5000 - but in /etc/shorewall/tunnels you 
> define that it uses port  - this is most likely not going to work...
Yes, a typo, I have changed it to openvpn, but the problem still exists.

>> In routerA, when I try to ping 192.168.99.2, the following commands pop 
>> up:
>> Virtual device tun0 asks to queue packet!
>> ping: sendto: Network is down
> Hm, I've never seen that error - but I must say, I'm not quite sure how 
> commands actually "pop up" - do you mean that the message you quoted 
> appears on the console? Or in the logs (and if so, which log)?
Sorry, not pop up, but it appears in the command window (the place where I 
type ping 192.168.99.2). I don't know what to call it..

>> and when I do,
>> openvpn --ping 5 --dev tun0
>> it says all encryption and authentication features disabled -- all data 
>> will be tunnelled as cleartext
>> socket bind failed on local address [undef]:5000: Address already in use
>> Exiting
> Do a "ps aux" on the router in question to find out if openvpn is already 
> running; most likely, this is the source of your error. You can also use 
> netstat to find out if something is indeed already listening on port 5000. 
> Openvpn should not really be started "by hand" (by entering "openvpn" at 
> the prompt) but rather by the init-script. So, if you want to start 
> openvpn, do a
> svi openvpn start
> the --ping 5 option can also be specified in the config file (and tun0 as 
> dev is already specified in your config file, so that would be redundant).
When I do ps aux, the command line shows /usr/sbin/openvpn --daemon 
--writepid /var/run/openvpn (the rest can't be seen).

When I do netstat, it shows:
netstat: no support for 'AF INET6 (tcp)' on this system
netstat: no support for 'AF INET6 (udp)' on this system
netstat: no support for 'AF INET6 (raw)' on this system
Where is the init-script? Is it in /etc/shorewall/init?



Re: [leaf-user] openvpn help

2004-05-18 Thread Martin Hejl
chiew yock sang wrote:
> when I do ps aux, the command line shows /usr/sbin/openvpn --daemon 
> --writepid /var/run/openvpn (the rest can't be seen).
This means that openvpn is already running, so any attempt to start 
another instance (which is using the same config) will fail.

> when I do netstat, it shows:
> netstat: no support for 'AF INET6 (tcp)' on this system
> netstat: no support for 'AF INET6 (udp)' on this system
> netstat: no support for 'AF INET6 (raw)' on this system
Well "netstat -an" should produce more relevant results.
> where is the init-script? Is it in /etc/shorewall/init?
No - it's in /etc/init.d, where all init-scripts reside. To start 
openvpn, you'd do
/etc/init.d/openvpn start

and to stop it
/etc/init.d/openvpn stop
There's also a "shortcut", so you don't have to type the /etc/init.d all 
the time - "svi openvpn start" and "svi openvpn stop" work as well

In short, never start a daemon "by hand" (by starting the executable 
directly) but always use the init-scripts - that is, unless you know 
what you're doing. After every change to the config file, you'll need to 
do a "svi openvpn restart" in order for those changes to take effect. 
This is nothing specific to openvpn, but simply the way things work on 
most linux distros (on RedHat, "svi" is called "service", but that's the 
only difference).

Martin



Re: [leaf-user] openvpn help

2004-05-18 Thread chiew yock sang



>> when I do netstat, it shows:
>> netstat: no support for 'AF INET6 (tcp)' on this system
>> netstat: no support for 'AF INET6 (udp)' on this system
>> netstat: no support for 'AF INET6 (raw)' on this system
> Well "netstat -an" should produce more relevant results.
When I do netstat -an, the following shows:
Proto  Recv-Q  Send-Q  Local Address   Foreign Address   State
tcp    0       0       0.0.0.0:80      0.0.0.0:*         Listen
tcp    0       0       0.0.0.0:1023    0.0.0.0:*         Listen
netstat: no support for 'AF INET6 (tcp)' on this system
udp    0       0       0.0.0.0:5000    0.0.0.0:*


> There's also a "shortcut", so you don't have to type the /etc/init.d all the 
> time - "svi openvpn start" and "svi openvpn stop" work as well

When I do 'svi openvpn stop', it works. But when I do 'svi openvpn start', 
it just hangs there:
may#svi open vpn start
Starting openvpn:

Even if I type reboot there is also no response..


Re: [leaf-user] openvpn help

2004-05-18 Thread chiew yock sang

From: Martin Hejl <[EMAIL PROTECTED]>
>> when I do netstat, it shows:
>> netstat: no support for 'AF INET6 (tcp)' on this system
>> netstat: no support for 'AF INET6 (udp)' on this system
>> netstat: no support for 'AF INET6 (raw)' on this system
> Well "netstat -an" should produce more relevant results.
When I do netstat -an, the following shows:
Proto  Recv-Q  Send-Q  Local Address   Foreign Address   State
tcp    0       0       0.0.0.0:80      0.0.0.0:*         Listen
tcp    0       0       0.0.0.0:1023    0.0.0.0:*         Listen
netstat: no support for 'AF INET6 (tcp)' on this system
udp    0       0       0.0.0.0:5000    0.0.0.0:*


> There's also a "shortcut", so you don't have to type the /etc/init.d all the 
> time - "svi openvpn start" and "svi openvpn stop" work as well

When I do 'svi openvpn stop', it works. But when I do 'svi openvpn start', 
it just hangs there:
may#svi open vpn start
Starting openvpn:

Even if I type reboot there is also no response..


Re: [leaf-user] openvpn help

2004-05-18 Thread Martin Hejl

chiew yock sang wrote:
> When I do netstat -an, the following shows:
> Proto  Recv-Q  Send-Q  Local Address   Foreign Address   State
> tcp    0       0       0.0.0.0:80      0.0.0.0:*         Listen
> tcp    0       0       0.0.0.0:1023    0.0.0.0:*         Listen
> netstat: no support for 'AF INET6 (tcp)' on this system
> udp    0       0       0.0.0.0:5000    0.0.0.0:*
The last line suggests that something (most likely openvpn) is indeed 
listening on port 5000.

> When I do 'svi openvpn stop', it works. But when I do 'svi openvpn 
> start', it just hangs there:
> may#svi open vpn start
> Starting openvpn:
>
> Even if I type reboot there is also no response..
Without any real info, it's hard to debug. Often, when an application 
seems to hang, it's due to the fact that name resolution doesn't work 
(for example because you specified a fully qualified domain name in 
/etc/openvpn/openvpn.conf but that name can't be resolved for whatever 
reason).

Please have a look at the documentation at the OpenVPN site - it 
contains lots of useful information for debugging (for example, the 
"verbose" setting in the config-file)

Martin



Re: [leaf-user] openvpn help

2004-05-19 Thread chiew yock sang
From: Martin Hejl <[EMAIL PROTECTED]>
> > In routerA, when I try to ping 192.168.99.2, the following commands show:
> > Virtual device tun0 asks to queue packet!
> > ping: sendto: Network is down
> Hm, I've never seen that error - but I must say, I'm not quite sure how 
> commands actually "pop up" - do you mean that the message you quoted appears 
> on the console? Or in the logs (and if so, which log)?
It appears in the console. So, what is the problem? And what can I do to 
solve it?

> > openvpn --ping 5 --dev tun0
> > it says all encryption and authentication features disabled-- all data will 
> > be tunnelled as cleartext
> > socket bind failed on local address [undef]:5000:Address already in use
> > Exiting
> Do a "ps aux" on the router in question to find out if openvpn is already 
> running, most likely, this is the source of your error. You can also use 
> netstat to find out if something is indeed already listening on port 5000. 
> Openvpn should not really be started "by hand" (by entering "openvpn" at the 
> prompt) but rather by the init-script. So, if you want to start openvpn, 
> do a
> svi openvpn start
> the --ping 5 option can also be specified in the config file (and tun0 as 
> dev is already specified in your config file, so that would be redundant).

How do I enable the encryption and authentication features? Do I need to do 
sth with libssl or libcrypto?

> Martin



Re: [leaf-user] openvpn help

2004-05-20 Thread Martin Hejl
chiew yock sang wrote:
> From: Martin Hejl <[EMAIL PROTECTED]>
> In routerA, when I try to ping 192.168.99.2, the following commands 
> show:
> Virtual device tun0 asks to queue packet!
> ping: sendto: Network is down
> Hm, I've never seen that error - but I must say, I'm not quite sure how 
> commands actually "pop up" - do you mean that the message you quoted 
> appears on the console? Or in the logs (and if so, which log)?
> It appears in the console. So, what is the problem? And what can I do to 
> solve it?
Please try to quote properly - of the above paragraph, everything until 
"...(and if so, which log)?" was written by me, the rest was written by 
you - but there's no way anyone can tell.

Regarding your question, I don't know - as I said, I've never seen that 
error. But the kind of message strongly suggests that the network link 
(either just the openvpn part of it, or all of it) is not quite working.

When setting up VPNs with OpenVPN, I've found it to be essential to 
actually stick to the documentation provided - for example, when the 
documentation says that the two endpoints of the tunnel need to be able 
to ping each other, _do_ make sure this is the case before going any 
further with setting up OpenVPN (and not skip, or ignore that 
suggestion). Otherwise, you'll just end up debugging "problems" with 
OpenVPN which simply are problems of the underlying network...

> How do I enable the encryption and authentication features? Do I need to 
> do sth with libssl or libcrypto?
Please do read the documentation on the OpenVPN homepage at 
http://openvpn.sourceforge.net
To enable encryption using static keys, you need to generate a key (as 
described in the docs from above site) and then use that key (using the 
"secret" keyword in the config file). If you want to use authentication, 
things get a little more complicated, but again, the procedure is well 
documented in the OpenVPN documentation (but I can already tell you that 
I have not done this myself so far, so there's little use in asking me 
about details regarding using SSL/TLS authentication).

In short, I've found OpenVPN to be very easy to set up (especially 
compared to other VPN solutions) on Linux as well as Windows - but as 
with every non-trivial program, one still needs to read and follow the 
documentation that is provided.

Martin



[leaf-user] openVPN and Dachstein

2004-07-14 Thread Miguel De Avila
Has anyone had success with openVPN on Dachstein?
thanks,
Miguel DeAvila



[leaf-user] Openvpn problems -- again..

2004-12-16 Thread Tibbs, Richard

Dear list. 
I have the following arrangement, running two instances of openvpn on
"home fw"  I want to protect my WLAN in back of the home fw and that
works fine.  I can see "Peer connection initiated with 192.168.1.3:5000"
in daemon.log on homefw.   
However nothing is initiated with officefw, nor can I ping the other end
of the tunnel at officefw.  I was hoping to be able to get from "subnet
to subnet" i.e. be able to ping from 192.168.1.3 to a machine like
192.168.10.13, (Later telnet securely) but this is not possible either.


    home subnet                                        office subnet
    192.168.1.0/24                                     192.168.10.0/24

    winxp ------ WLAN ------ homefw ------ Internet ------ officefw
          <------ tun1 ----->       <--------- tun0 --------->
    10.1.1.2            10.1.1.1    10.1.10.1             10.1.10.2
    route 216.x.y.z     route 192.168.10.0/24            route 192.168.1.0/24

Why does nothing work for tun0?
TIA
Rick

On homefw, the route table becomes
# ip route sho
10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1 
216.x.y.z via 10.1.1.2 dev tun1 
10.1.1.2 dev tun1  proto kernel  scope link  src 10.1.1.1 
216.12.22.64/26 dev eth0  proto kernel  scope link  src 216.x.y.z 
216.12.22.64/26 dev ipsec0  proto kernel  scope link  src 216.x.y.z 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254 
192.168.10.0/24 via 10.1.10.2 dev tun0 
default via 216.12.22.65 dev eth0

and the tunnel conf on homefw (tun0) is
dev tun
disable-occ
port 50001
local 216.x.y.z          # public IP anonymized
# Our remote peer (office subnet)
remote 137.p.q.r         # public IP anonymized
ifconfig 10.1.10.1 10.1.10.2
route 192.168.10.0 255.255.255.0
# Our pre-shared static key
secret static.key

The officefw conf is similar, except these things reversed
port 50001
local 137.p.q.r
remote  216.x.y.z
ifconfig 10.1.10.2 10.1.10.1
route 192.168.1.0 255.255.255.0


The config for the WLAN tunnel (tun1) is
dev tun
# For compatibility with 2.x openvpn clients/servers
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
disable-occ
local 192.168.1.254
float
ifconfig 10.1.1.1 10.1.1.2
# only this route directive will work, all else fails.
route 216.x.y.z
# Our pre-shared static key
secret static.key





Re: [leaf-user] OpenVpn 2.0

2005-04-26 Thread Erich Titl
Pascal OFFREDO wrote:
> OpenVpn 2.0 final has been released
> Has anyone built a leaf package with this release ?

Yes, for Bering 1.x
regards
Erich



Re: [leaf-user] OpenVpn 2.0

2005-04-27 Thread K.-P. Kirchdörfer
Am Dienstag, 26. April 2005 12:41 schrieb Pascal OFFREDO:
> OpenVpn 2.0 final has been released
>
> Has anyone built a leaf package with this release ?

For LEAF Bering-uClibc see
http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=3&MMN_position=3:

(one line)

kp




Re: [leaf-user] OpenVpn 2.0

2005-04-28 Thread Michael D Schleif
Is this a drop-in replacement for existing implementations?

If not, howto find what requires change?

Thank you.


* "K.-P. Kirchdörfer" <[EMAIL PROTECTED]> [2005:04:27:18:54:31+0200] scribed:
> Am Dienstag, 26. April 2005 12:41 schrieb Pascal OFFREDO:
> > OpenVpn 2.0 final has been released
> >
> > Has anyone built a leaf package with this release ?
> 
> For LEAF Bering-uClibc see
> http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=3&MMN_position=3:
> 
> (one line)
> 
> kp

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--




Re: [leaf-user] OpenVpn 2.0

2005-05-11 Thread Michael D Schleif
Please, somebody comment on changes required to upgrade an existing v1.x
openvpn installation to this new version?

I have read about the enhancements, &c.; but, I am wondering whether or
not an existing configuration will simply work in v2.0 ???

What do you think?


* On 2005:04:28:16:47:31-0500 I, Michael D Schleif <[EMAIL PROTECTED]>, scribed:
> Is this a drop-in replacement for existing implementations?
> 
> If not, howto find what requires change?
> 
> Thank you.
> 
> 
> * "K.-P. Kirchdörfer" <[EMAIL PROTECTED]> [2005:04:27:18:54:31+0200] scribed:
> > Am Dienstag, 26. April 2005 12:41 schrieb Pascal OFFREDO:
> > > OpenVpn 2.0 final has been released
> > >
> > > Has anyone built a leaf package with this release ?
> > 
> > For LEAF Bering-uClibc see
> > http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=3&MMN_position=3:
> > 
> > (one line)
> > 
> > kp

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--




Re: [leaf-user] OpenVpn 2.0

2005-05-12 Thread Erich Titl
Michael
Michael D Schleif wrote:
> Please, somebody comment on changes required to upgrade an existing v1.x
> openvpn installation to this new version?
> I have read about the enhancements, &c.; but, I am wondering whether or
> not an existing configuration will simply work in v2.0 ???

AFAIK, no.
2.0 has server mode whereas 1.x didn't. It all depends what you intend 
to do with it.

cheers
Erich


[leaf-user] openvpn and passwords

2005-07-01 Thread Stephen More
According to: http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
the openvpn system allows a user/password to be configured.

I did not see any mention of passwords on:
http://leaf.sourceforge.net/doc/guide/bucu-openvpn.html

Is there any LEAF package that allows one to maintain a list of users
and passwords and code that can be used as an authentication module
for openvpn ?

-Thanks
Steve More




Re: R: [leaf-user] Openvpn

2006-01-18 Thread Bob von Knobloch

Thank you Gianni, the text was not clear that this should be run first.
My next stumbling block (referring to the HOW-TO) is in 7.5.1.
An entry like:
"route 192.168.25.0 255.255.255.0 vpn_gateway"
or similar must be made, but where is this to be made (there is no 
example in /etc/openvpn/server.conf) and which IP 'vpn_gateway' refers 
to is not mentioned (tunnel address or 'real' address).

How do I kill the client (comment out 'client' ??).
Thanks
Bob

Lists dumbware schrieb:

> The first step is to run a "clean-all" command.
> It creates the keys dir and the index.txt file as well as the serial file
>
> Be careful that this command erases the whole keys dir if it exists!!
>
> Ciao
> Gianni
>
> > I am trying to get openvpn working on my WRAP box, but am 
> > hitting problems during installation. I am using Bering 
> > uClibc 2.3 and sourcing all packages from the current ISO.
> > I am using Kapeka's 'How-To' as an installation guide but am 
> > not sure how up-to-date it is.




Re: R: [leaf-user] Openvpn

2006-01-18 Thread Erich Titl

Bob

Bob von Knobloch wrote:

> Thank you Gianni, the text was not clear that this should be run first.
> My next stumbling block (referring to the HOW-TO) is in 7.5.1.
> An entry like:
> "route 192.168.25.0 255.255.255.0 vpn_gateway"
> or similar must be made, but where is this to be made (there is no 
> example in /etc/openvpn/server.conf) and which IP 'vpn_gateway' refers 
> to is not mentioned (tunnel address or 'real' address).
>
> How do I kill the client (comment out 'client' ??).
> Thanks
> Bob

If you go to http://openvpn.net/ you will find complete instructions on 
how to install and configure openvpn. The site is extremely well documented.


cheers

Erich






Re: R: [leaf-user] Openvpn

2006-01-18 Thread Bob von Knobloch

Erich Titl schrieb:
> Bob
>
> Bob von Knobloch wrote:
> > Thank you Gianni, the text was not clear that this should be run first.
> > My next stumbling block (referring to the HOW-TO) is in 7.5.1.
> > An entry like:
> > "route 192.168.25.0 255.255.255.0 vpn_gateway"
> > or similar must be made, but where is this to be made (there is no 
> > example in /etc/openvpn/server.conf) and which IP 'vpn_gateway' 
> > refers to is not mentioned (tunnel address or 'real' address).
> >
> > How do I kill the client (comment out 'client' ??).
> > Thanks
> > Bob
>
> If you go to http://openvpn.net/ you will find complete instructions 
> on how to install and configure openvpn. The site is extremely well 
> documented.
>
> cheers
>
> Erich

Of course I was there but I must disagree, I find the documentation not 
so good.

Bob




[leaf-user] OpenVPN on Bering

2006-01-18 Thread Bob von Knobloch
Does anyone know what this error message from OpenVPN in (daemon.log) 
might actually mean?

Wed Jan 18 22:30:07 2006 TCP/UDP: Socket bind failed on local address 
[undef]:1194: Address already in use

I have not specified a specific address and certainly have nothing 
running on port 1194.


Thanks
Bob





Re: R: [leaf-user] Openvpn

2006-01-18 Thread Erich Titl

Bob von Knobloch wrote:
> Erich Titl schrieb:
> ...
>
> Of course I was there but I must disagree, I find the documentation not 
> so good.

OK, I built a number of openvpn connections for my wrap boxes. I must 
admit, I am still using a derivative of Bering glibc and I compiled the 
openvpn package myself.

I did not have a problem setting up openvpn using the config files from 
the openvpn site, which are really full of comments and many examples.

Be aware that there are differences in the set up between openvpn 1.x 
and 2.x. I could not find the HowTo you referenced, so I am not clear 
what exactly your problem is (except, of course, that it does not work).

- Which Openvpn version are you using?
- Show us your config files
- Show us your logs

Even better, show them on the openvpn mailing list; all subscribers 
there (I am there too :-)) read openvpn problems every day and they are 
extremely helpful (as of course everyone in the LEAF list)


cheers

Erich








[leaf-user] OpenVPN & Certificate revocation

2006-08-09 Thread Bob von Knobloch
Dear LEAF list,

I am using Bering uClibc 2.3 with OpenVPN. Everything works really well 
- thanks !
I am trying to revoke a certificate (only to test the CRL mechanism). On 
the OpenVPN Howto a script is used "revoke-full" that is part of the 
easyRSA software. This does not seem to exist in the openvpn-lrp. Can I 
use the same script as in the 'non-LEAF' openvpn package or do I need to 
make some adjustments?
p.s. I don't find any information as to revocation/CRLs in the LEAF 
docs, I would be happy to write something once I get it working.

Regards,

Bob von Knobloch.





[leaf-user] OpenVPN compatibility question

2006-08-12 Thread Jack Coates
Hi,

I'm trying to do a simple OpenVPN between a couple of systems, and I'm
having trouble. The tunnel comes up fine according to the OpenVPN logs on
both sides, but they can't ping. Tcpdump -i tun0 on the server while the
client pings shows everything working fine, but tcpdump -i tun0 on the
client shows no traffic at all, zero packets captured (which is obviously
not correct since the server sees the pings and answers them).

Client:
VMWare bridged interface, currently bridged to wireless (host is XP).
LEAF Bering ucLibc 2.2 (2.4.31)
OpenVPN 2.0.6
Shorewall 2.4.2
**openvpn/client.conf
remote 1.2.3.4
dev tun
ifconfig 172.16.42.2 172.16.42.1
secret static.key
**shorewall/tunnels
openvpn   net   1.2.3.4
**shorewall/policy
all   all   accept
**shorewall/interfaces
net   eth0   detect   dhcp,routefilter
dmz   eth1   detect   dhcp
loc   eth2   detect   dhcp
vpn   tun0   detect   -
**shorewall/zones
net   Outside   Internet
dmz   Servers   DMZ
loc   Clients   Local
vpn   Home      VPN

Server:
basic physical whitebox (2.6.13-15.10-default)
OpenSuSE 10.0
OpenVPN 2.0.2
Shorewall 3.0.3
**openvpn/server.conf
dev tun
ifconfig 172.16.42.1 172.16.42.2
route 172.16.252.0 255.255.255.0 172.16.42.2
route 192.168.11.0 255.255.255.0 172.16.42.2
secret static.key
**shorewall/tunnels
openvpn   net   0.0.0.0/0
**shorewall/policy
in    all   ACCEPT
fw    all   ACCEPT
vpn   all   ACCEPT
net   all   DROP     info
all   all   REJECT   info
**shorewall/interfaces
net   eth0   detect   norfc1918,nosmurfs
in    eth1   detect   dhcp
in    eth2   detect   dhcp
in    eth3   detect   dhcp
vpn   tun0   detect   -
**shorewall/zones
net   ipv4
in    ipv4
vpn   ipv4
...Server's tcpdump shows:
08:53:19.756950 IP 172.16.42.2 > 172.16.42.1: ICMP echo request, id 22625, seq 512, length 64
08:53:19.757007 IP 172.16.42.1 > 172.16.42.2: ICMP echo reply, id 22625, seq 512, length 64


Is there something obvious I'm missing? And yes, I know that preshared
static key is not as secure as other options, I'm just keeping it simple
while I troubleshoot this pinging problem.
-- 
"I spent all me tin with the ladies drinking gin,
So across the Western ocean I must wander" -- traditional


Re: [leaf-user] Openvpn Installation

2008-07-07 Thread Erich Titl

Jim

Jim Ford schrieb:
> I use a Ubuntu Linux machine where I work (at a school). At home I use 
> an XP machine (because of Photoshop!) behind a Bering Leaf uClibc box.
>
> I'd like to access my home machine from work and from what I can deduce, 
> Openvpn seems the way to go.
>
> I'm initially working on my Leaf box and am finding the docs with 
> regards to keys/certificates rather opaque. It doesn't help that the 
> 'Chapter 8. Configuring openvpn' and the 'Package Help Text' in 
> easyrsa.lrp differ in some respects - maybe minor, I can't tell.

What exactly is your problem? There may be a package or version issue.

Nevertheless, you should not normally use your router for your CA, but 
rather something which is not connected to the net at all. I always 
suggest to use RoCA which boots from a CD and uses a memory stick for CA 
storage, but there are other programs around. Most use one or the other 
form of openssl for certificate creation.

> I guess my setup is pretty basic, and maybe it will be made simpler that 
> I can copy any files/keys/certificates/whatever on a usb memory stick, 
> to transport between the 2 machines.

You did not mention if you want to use your PC as the VPN endpoint or 
your bering box to do a net-to-net VPN. You did not mention either if 
there are other VPN users. What topology do you want to deploy?

I found the OpenVPN documentation pretty complete and the examples 
worked well.


cheers

Erich


Re: [leaf-user] Openvpn Installation

2008-07-08 Thread Erich Titl

Jim

Jim Ford wrote:
> Erich Titl wrote:
> > Jim
> >
> > Jim Ford schrieb:
> > > I use a Ubuntu Linux machine where I work (at a school). At home I 
> > > use an XP machine (because of Photoshop!) behind a Bering Leaf uClibc 
> > > box.
> > >
> > > I'd like to access my home machine from work and from what I can 
> > > deduce, Openvpn seems the way to go.
> >
> > What exactly is your problem? There may be a package or version issue.
>
> Thanks for the reply, Erich.
>
> I guess the major problem I have is understanding the 'nitty gritty' of 
> VPNs! I've looked for a beginners guide explaining the basics, but not 
> found one so far.
>
> > Nevertheless, you should not normally use your router for your CA, but 
> > rather something which is not connected to the net at all. I always 
> > suggest to use RoCA which boots from a CD and uses a memory stick for 
> > CA storage, but there are other programs around. Most use one or the 
> > other form of openssl for certificate creation.
>
> Hmm, I understand very little of the above!
> 8^(

1) Don't use your Bering box to generate the certificates unless you know 
exactly what you do (e.g. stow away the CA and everything)

2) Use an external instance, like the RoCA, to generate the certificates; 
it is much easier. All you have to do is to download, for example, RoCA 
and use a USB stick as CA storage.

> > You did not mention if you want to use your PC as the VPN endpoint or 
> > your bering box to do a net-to-net VPN. You did not mention either if 
> > there are other VPN users. What topology do you want to deploy?
>
> I want to use the PC as the endpoint. There are no other VPN users..

Personally, and from reading other users' experience with OpenVPN server 
on Windoze, I would suggest to use your Bering router as the VPN server 
endpoint and your school PC as the client. This is a pretty basic set up 
and well documented on the OpenVPN site.


cheers

Erich


[leaf-user] Openvpn multiple instances

2010-10-01 Thread bob
Hello leaf list,
I have LEAF running on a WRAP box using shorewall & openvpn.
We need to be able to serve udp & tcp openvpn for proxying reasons.
The 'standard' openvpn can be configured using 2 '.ovpn' config files.
How does this work on the LEAF package?
The config file is called server.conf, I tried to add a 'server2.conf'
but see that it is not parsed.
'.ovpn' files also don't get parsed, how can I achieve 2 servers, both
on the standard port, one TCP and the other UDP ?
Cheers,

Robert



Re: [leaf-user] OpenVPN autostart

2014-05-13 Thread kp kirchdoerfer
Am Sonntag, 11. Mai 2014, 21:10:20 schrieb Otto Halák - TeleLarm:
> Dear users,
> Running 5.0.2 and 5.0.3 (i486) on two WRAP boards and noticed on both,
> that OpenVPN does not want to automatically start after boot.
> I could try
> AUTOSTART="all"
> or
> AUTOSTART="client"
> with no success.
> 
> I always have to do svi openvpn start and then OpenVPN starts and runs
> fine. Any idea how to force openvpn to automatically start up?

Use openvpn logging and see what errors you are receiving.

Usually openvpn fails to start, if your date/time settings are not correct.

kp






Re: [leaf-user] OpenVPN on Bering

2004-04-08 Thread Tom Eastep
I'm only posting a reply to the LEAF list since that is where I prefer 
Leaf Shorewall support to be handled. I also dislike getting involved in 
mail threads that are cross-posted on several lists.

AdStar wrote:

> I'm trying to setup a VPN (openvpn version 1.5.0) connection from my home
> (ADSL, static IP) to my Office (Static IP).
> Both networks have a leaf Bering machine as their firewalls, both running
> shorewall 1.4.7c. I followed the guide at
> http://www.shorewall.net/1.4/OPENVPN.html but I'm not 100% sure I have got
> it right. I can get the openvpn side of things to connect but cannot ping
> any machines on either side of the VPN from the firewall or internal
> machines.

a) Your Shorewall rules/policies don't permit any fw<->vpn traffic so 
that rules out fw access via the tunnel.

b) I believe that the routes that you are adding are specifying the 
wrong gateway -- they should specify the remote end of the tunnel as the 
gateway, not the local end.

c) I suggest that you "shorewall clear" then debug your tunnel. Once it 
is working that way *then* start Shorewall. You will then be confident 
that any remaining problems are in your Shorewall config and not in your 
tunnel/routing setup.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
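An added example (my own code, not from the LEAF project, OpenVPN, or anyone in this thread): a small Python checker for a pair of static-key point-to-point configs like the homefw/officefw and client/server ones posted above. It catches Tom's point (b) about a route whose gateway is the local end of the tunnel, the missing 'secret' behind the "all encryption and authentication features disabled" message quoted earlier, and ifconfig, local/remote and port mismatches between the two ends. It assumes Python on the admin workstation (not on the Bering box); the sample configs and their public addresses are constructed.

```python
"""Cross-check a pair of OpenVPN point-to-point (static key) configs.

Added example, not LEAF or OpenVPN project code. Parses both peers'
config files and reports: 'ifconfig' pairs that are not mirrored,
'local'/'remote' that do not line up, differing ports, a 'route' whose
gateway is the local tunnel address instead of the remote end, and a
config with neither 'secret' nor a TLS mode (tunnelled as cleartext).
"""

DEFAULT_PORT = "1194"  # OpenVPN 2.x default; 1.x defaulted to 5000
TLS_MODES = ("tls-server", "tls-client", "server", "client")


def parse_config(text: str) -> dict:
    """Map each directive to the argument lists of its occurrences.

    OpenVPN configs are one directive per line; '#' and ';' start comments.
    """
    out: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(args)
    return out


def first(cfg: dict, name: str, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    return cfg[name][0] if name in cfg else default


def check_peer(cfg: dict, tag: str) -> list:
    """Checks that need only one side's config."""
    problems = []
    ifcfg = first(cfg, "ifconfig")
    if ifcfg is None or len(ifcfg) != 2:
        problems.append(f"{tag}: 'ifconfig <local> <remote>' missing or malformed")
        return problems
    local_tun, remote_tun = ifcfg
    for args in cfg.get("route", []):
        # 'route net mask [gw]': gw defaults to vpn_gateway, the remote end.
        if len(args) >= 3 and args[2] == local_tun:
            problems.append(f"{tag}: route {args[0]} uses the local tunnel address "
                            f"{local_tun} as gateway; it must be the remote end {remote_tun}")
    if "secret" not in cfg and not any(m in cfg for m in TLS_MODES):
        problems.append(f"{tag}: no 'secret' and no TLS mode, all data will be "
                        "tunnelled as cleartext")
    return problems


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Per-peer checks plus the ones that compare the two ends."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    problems = check_peer(a, "A") + check_peer(b, "B")
    ia, ib = first(a, "ifconfig"), first(b, "ifconfig")
    if ia and ib and len(ia) == 2 and len(ib) == 2 and ia != ib[::-1]:
        problems.append(f"ifconfig not mirrored: A has {ia}, B has {ib}")
    # Each side's 'remote' must be the other side's 'local' when both are set.
    for mine, theirs, tag in ((a, b, "A"), (b, a, "B")):
        r, l = first(mine, "remote"), first(theirs, "local")
        if r and l and r[0] != l[0]:
            problems.append(f"{tag}: remote {r[0]} is not the peer's local {l[0]}")
    pa = first(a, "port", [DEFAULT_PORT])[0]
    pb = first(b, "port", [DEFAULT_PORT])[0]
    if pa != pb:
        problems.append(f"port mismatch: A {pa}, B {pb}")
    return problems


# Constructed sample modelled on the homefw/officefw pair in the thread;
# the public addresses are documentation placeholders.
HOMEFW = """
dev tun
port 50001
local 203.0.113.10
remote 198.51.100.20
ifconfig 10.1.10.1 10.1.10.2
route 192.168.10.0 255.255.255.0
secret static.key
"""
OFFICEFW = """
dev tun
port 50001
local 198.51.100.20
remote 203.0.113.10
ifconfig 10.1.10.2 10.1.10.1
route 192.168.1.0 255.255.255.0 vpn_gateway
secret static.key
"""
# Constructed broken pair: gateway set to the local end, no 'secret' on one
# side, ifconfig not mirrored, ports differing (1.x default vs 2.x default).
BROKEN_A = """
dev tun
ifconfig 172.16.42.1 172.16.42.2
route 192.168.11.0 255.255.255.0 172.16.42.1
secret static.key
"""
BROKEN_B = """
dev tun
port 5000
ifconfig 172.16.42.2 172.16.42.3
"""

if __name__ == "__main__":
    for label, pair in (("homefw/officefw", (HOMEFW, OFFICEFW)),
                        ("broken", (BROKEN_A, BROKEN_B))):
        found = check_pair(*pair)
        status = "OK" if not found else f"{len(found)} problem(s)"
        print(f"{label}: {status}")
        for p in found:
            print("  -", p)
```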




[leaf-user] openvpn with SSL/TLS

2004-05-10 Thread ALParada
Hello List,

Trying to get openvpn working with certs. I was able to get the static keys
working but not with SSL/TLS. I tried the instructions in the HOWTO on the
openvpn site:
http://openvpn.sourceforge.net/howto.html
as well as these:
http://mia.ece.uic.edu/~papers/volans/openvpn.html
http://mia.ece.uic.edu/~papers/volans/settingupCA.html
which are links at the openvpn site.

I also tried  the certificates and the keys howto at the openssl site.
http://www.openssl.org/docs/HOWTO/certificates.txt
http://www.openssl.org/docs/HOWTO/keys.txt

Also reviewed this one:
http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html

Why the difference in file names such as pem, crt, cert and key? I
understand there are differences between the cert and the key, but is there a
difference between crt and cert or between key and pem?

Following the HOWTO's on the openvpn site when I get to:

openssl ca -out home.crt -in home.csr

This is the error I get:

Certificate is to be certified until May 15 12:20:42 2007 GMT (1100 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
firewall#

Any ideas?

TIA



Re: [leaf-user] OpenVPN and routing

2004-05-13 Thread ALParada
I forgot to ask: Is a "route add" command the best/only way to handle this
situation?

Thanks


- Original Message - 
From: "ALParada" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 13, 2004 6:30 PM
Subject: [leaf-user] OpenVPN and routing


>
> Setting up OpenVPN on uClibc.  I will also be replacing the current Bering
> install with uClibc. Have everything setup and working with static keys as
> well as with certs. Since I was replacing and not installing from scratch I
> hadn't thought about any routing issues, until now. My scenario is this:
>
> Openvpn connections will be coming in on eth1. However, eth2 is the default
> gateway that leads to our current vpn solution (IPSEC) and out to the
> Internet. I was trying to bypass our current vpn solution by coming in
> through another interface. Unfortunately, now I don't know if any issues will
> come from this.  If it were possible to have all the openvpn connections go
> back out the same interface they came in through, it would be great.
>
> Are tun and tap devices associated with any one interface? Will there be any
> issues in having users come in on eth1 and go back out on eth2? Will
> multiple gateways just mess things up?
>
> Any ideas or feedback would be greatly appreciated.
>
> TIA
>
>
>





Re: [leaf-user] OpenVPN and routing

2004-05-14 Thread Martin Hejl
ALParada wrote:
> Are tun and tap devices associated with any one interface? 
Not that I know of - for all I know, they _are_ interfaces themselves.

> I forgot to ask: Is a "route add" command the best/only way to handle this
> situation?
I'd say the easiest solution to set up is to use the "route" 
keyword in the openvpn config file. This will automatically generate the 
proper entry in the routing table (pointing to the other end of the 
tunnel) when the tunnel is established, and also remove the route again 
when the tunnel goes down.

Martin





RE: [leaf-user] Openvpn problems -- again..

2004-12-16 Thread Tibbs, Richard
OK, I deleted the route directive on the wireless laptop and everything
works fine.  I can ping each end of the tunnel from the other, etc. 
Apparently the route directive is completely unnecessary in my situation
on either end.
Thanks for everyone's patience with this.
Hope it helps some other openvpn newbie.
Rick.

The configs are shown  below and the route table on the laptop is now:


Interface List
0x1 ... MS TCP Loopback interface
0x3 ...00 0e 35 15 24 f3 .. Intel(R) PRO/Wireless 2200BG Network Connection - Deterministic Network Enhancer Miniport
0x4 ...00 ff 3e b0 bd 7d .. TAP-Win32 Adapter V8 - Deterministic Network Enhancer Miniport
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.3       2
         10.1.1.0  255.255.255.252         10.1.1.2       10.1.1.2      30
         10.1.1.2  255.255.255.255        127.0.0.1      127.0.0.1      30
   10.255.255.255  255.255.255.255         10.1.1.2       10.1.1.2      30
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.3    192.168.1.3       2
      192.168.1.3  255.255.255.255        127.0.0.1      127.0.0.1       2
    192.168.1.255  255.255.255.255      192.168.1.3    192.168.1.3       2
        224.0.0.0        240.0.0.0         10.1.1.2       10.1.1.2      30
        224.0.0.0        240.0.0.0      192.168.1.3    192.168.1.3       2
  255.255.255.255  255.255.255.255         10.1.1.2       10.1.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.3    192.168.1.3       1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:
  None

== Winxp config (openvpn 2.0beta 15) ==
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ifconfig 10.1.1.2 10.1.1.1
secret secret.txt
ping-restart 60
ping-timer-rem
persist-tun
ping 10
verb 9
mute 10

== Bering openvpn 1.6 config 

dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
disable-occ
local 192.168.1.254
float
ifconfig 10.1.1.1 10.1.1.2

# Our pre-shared static key
secret static.key
verb 5
mute 10 




-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 16, 2004 11:16 AM
To: Tibbs, Richard; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Openvpn problems -- again..

Rick

Tibbs, Richard wrote:

>the pt-to-pt tunnel needed to know how to get to the other.
>  
>
Not the endpoints, your local end point is a device which is linked to 
an address and knows the other end of the tunnel. The local and remote 
directives apparently take care of the routing issues.

>>>>Apparently not so. 
>>>>
>>>>
>Two remaining issues that I will experiment later:
>1) Do I need a route directive on the wireless laptop?
>  
>
Look at the routing table on the laptop once you have the tunnel up.

>2) Pending the outcome of 1), Do I need route directives between home &
>office.
>  
>
IMHO that is the easy part of the set up. The tunnel between your home 
network and the office network takes care of the routing for the office.
Your home and wireless network are one and the same seen from the
office.

Your set up appears complicated to me because you want to tunnel through
your home network to address something inside your home network. I 
believe it could be done by bridging a tap device and eth1 and dividing 
the home network into 2 subnets. I would go the easy way, define 2 
subnets, one for wired and one for wireless. Add one more nic to the 
home fw and connect your wireless bridge directly to that nic.

Example:

wired subnet:
eth1 192.168.1.0/26
wireless subnet
eth2 192.168.1.64/26

Both live in the 192.168.1.0/24 subnet, thus are one and the same for 
your office gateway. On your home gateway you have now dedicated subnets
for wired and wireless, which adds additional security to your set up 
because now broadcasts on the wire are not sent to the wireless 
environment. You will need to set up routing between the different 
shorewall zones but that should be easy.

cheers
Erich
 






RE: [leaf-user] Openvpn problems -- again..

2004-12-16 Thread Tibbs, Richard
Erich,
The "float" directive in the bering openvpn.conf allows the WinXP
wireless nic to get a variable IP.  Since I am rebooting quite often,
and LEAFs have no memory of the ip to mac address, it would come up as
192.168.1.3 or .4.

BTW, the Shorewall logs on both home and office fw's show no dropped
UDPs of port 5000, or 50001.
Rick.

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 14, 2004 12:09 PM
To: Tibbs, Richard
Subject: Re: [leaf-user] Openvpn problems -- again..

Rick

Tibbs, Richard wrote:

>Dear list. 
>I have the following arrangement, running two instances of openvpn on
>"home fw"  I want to protect my WLAN in back of the home fw and that
>works fine.  I can see "Peer connection initiated with 192.168.1.3:5000"
>in daemon.log on homefw.   
>However nothing is initiated with officefw, nor can I ping the other end
>of the tunnel at officefw.  I was hoping to be able to get from "subnet
>to subnet" i.e. be able to ping from 192.168.1.3 to a machine like
>192.168.10.13, (Later telnet securely) but this is not possible either.
>
I would suggest to split up the problem into:

1) homefw to officefw (or rather home network to office network)
2) wlan to anywhere (or part of home network to anywhere)

Problem 1 does not seem too complicated, you are connecting 2 distinct 
subnets, 192.168.1.0/24 and 192.168.10.0/24

Problem 2 looks different. Basically you include 2 more addresses in 
your local network 10.1.1.2 and 10.1.1.1 which are the logical endpoints
of your tunnel through the WLAN. On the other end of the tunnel you send
traffic oriented to a single machine. The float directive as I 
understand it allows any remote host to be the tunnel endpoint as long 
as it is authenticated. Now the question remains how to address the 
remote wlan machine through tun1. Below you have the tunnel endpoints 
10.1.1.1 and 10.1.1.2 for tun1. I am missing a route to the machine on 
the other end of the tunnel tun1 unless this machine is 216.x.y.z which 
I doubt it is.

On the windoze machine you will probably have a default route through 
the tunnel. I don't know if the tunnel description must match on both 
sides, if so tun1 must probably have a local address of 0.0.0.0/0 on 
homefw.

Now where do you route your packets from the WLAN machine. They should 
probably go through the tunnel to 192.168.1.254, which incidentally is 
also your tunnel endpoint address. Basically it depends what default 
address is assigned to the laptop, which you haven't told us yet. If it 
is the external interface of homefw, then your comments about the 
216.x.y.z. route start making sense to me.

HTH

Erich






Re: [leaf-user] Openvpn problems -- again..

2004-12-16 Thread Erich Titl
Rick
Tibbs, Richard wrote:
> Erich,
> The "float" directive in the bering openvpn.conf allows the WinXP
> wireless nic to get a variable IP.  Since I am rebooting quite often,
> and LEAFs have no memory of the ip to mac address, it would come up as
> 192.168.1.3 or .4.

OK, but still you are tunnelling through your own subnet using the 
addresses

> BTW, the Shorewall logs on both home and office fw's show no dropped
> UDPs of port 5000, or 50001.

Do you have connection from your home network (wired) to the office 
network through the tunnel? IMHO this is the basis of your connectivity. 
The tunnelled laptop is just the icing on the cake as it is part of your 
home network. Once you have connectivity to the office you can set up 
your wireless environment.

You still did not provide a clue about your routing on your wireless 
client.
Could you explain the rationale for the route 216.x.y.z through the 
tunnel? I see no need for this route assuming that it is the external 
address of your home fw.

---excerpts from your previous post
On homefw, the route table becomes
# ip route sho
10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1 
> dev tun0 gets an address of 10.1.10.1 with a peer of 10.1.10.2

192.168.10.0/24 via 10.1.10.2 dev tun0 
> packets for 192.168.10.0 (office network) are routed to 10.1.10.2 using tun0

10.1.1.2 dev tun1  proto kernel  scope link  src 10.1.1.1 
> dev tun1 gets an address of 10.1.1.1 with a peer of 10.1.1.2

216.12.22.64/26 dev eth0  proto kernel  scope link  src 216.x.y.z 
> this, I assume is your external address

216.x.y.z via 10.1.1.2 dev tun1 
> this is the result of your route entry which I fail to understand. This IMHO routes packets destined for 216.x.y.z through tun1 which I believe is the tunnel to access your wireless client. The local endpoint of this tunnel will be 10.1.1.1, the remote end will be 10.1.1.2 but what is the address you are tunneling to? Is it really 216.x.y.z? I doubt it. I believe you want to address the laptop with an address in the 192.168.1.0/24 subnet. The problem is the route below because it covers already the entire subnet. What is needed is a more specific route to the address of your laptop, possibly by placing this in a subnet of 192.168.1.0.

192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254 
> this is your inner interface, normal

216.12.22.64/26 dev ipsec0  proto kernel  scope link  src 216.x.y.z 
> this is built by ipsec, no importance here (hopefully) 

default via 216.12.22.65 dev eth
> and last, but not least, the default route used to access the internet 
and your peer at 137.p.q.r
cheers
Erich




Re: [leaf-user] Openvpn problems -- again..

2004-12-16 Thread Erich Titl
Rick
Tibbs, Richard wrote:
> OK, I deleted the route directive on the wireless laptop and everything
> works fine.  I can ping each end of the tunnel from the other, etc. 
> Apparently the route directive is completely unnecessary in my situation
> on either end.

Great it works for you, I have one question though. I do not see a route 
on that laptop for the net 192.168.10.0/24, e.g. the office network. I 
would expect a route to point to the tap adapter. Did you check that the 
traffic really goes through the tunnel? I would expect a rather general 
route to point to the tunnel to send most/all traffic through the 
tunnel. You can probably check by running a tcpdump on tunx.

cheers
Erich



RE: [leaf-user] Openvpn problems -- again..

2004-12-16 Thread Tibbs, Richard
OK,
As everyone has noted the route that I created makes no sense.
So I just commented out the route directive and everything still works
fine.
The history of this was:
>>> tried an openvpn.up script to add the route, but that was failing.
>>> added a route directive to openvpn.conf, thinking that each end of
the pt-to-pt tunnel needed to know how to get to the other.
>>> Apparently not so. 
Two remaining issues that I will experiment later:
1) Do I need a route directive on the wireless laptop?
2) Pending the outcome of 1), Do I need route directives between home &
office.

HTH
Rick.

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 14, 2004 6:08 PM
To: Tibbs, Richard
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Openvpn problems -- again..

Rick

Tibbs, Richard wrote:

>Erich,
>The "float" directive in the bering openvpn.conf allows the WinXP
>wireless nic to get a variable IP.  Since I am rebooting quite often,
>and LEAFs have no memory of the ip to mac address, so it would come up
>192.168.1.3 or .4.
>  
>
OK, but still you are tunnelling through your own subnet using the 
addresses

>BTW, the Shorewall logs on both home and office fw's show no dropped
>UDPs of port 5000, or 50001.
>  
>
Do you have connection from your home network (wired) to the office 
network through the tunnel? IMHO this is the basis of your connectivity.
The tunnelled laptop is just the icing on the cake as it is part of your
home network. Once you have connectivity to the office you can set up 
your wireless environment.

You still did not provide a clue about your routing on your wireless 
client.
Could you explain the rationale for the route 216.x.y.z through the 
tunnel? I see no need for this route assuming that it is the external 
address of your home fw.

---excerpts from your previous post

On homefw, the route table becomes
# ip route sho

10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1 
> dev tun0 gets an address of 10.1.10.1 with a peer of 10.1.10.2

192.168.10.0/24 via 10.1.10.2 dev tun0 
> packets for 192.168.10.0 (office network) are routed to 10.1.10.2
using tun0

10.1.1.2 dev tun1  proto kernel  scope link  src 10.1.1.1 
> dev tun1 gets an address of 10.1.1.1 with a peer of 10.1.1.2

216.12.22.64/26 dev eth0  proto kernel  scope link  src 216.x.y.z 
> this, I assume is your external address

216.x.y.z via 10.1.1.2 dev tun1 
> this is the result of your route entry which I fail to understand.
This IMHO routes packets destined for 216.x.y.z through tun1 which I
believe is the tunnel to access your wireless client. The local endpoint
of this tunnel will be 10.1.1.1, the remote end will be 10.1.1.2 but
what is the address you are tunneling to? Is it really 216.x.y.z? I
doubt it. I believe you want to address the laptop with an address in
the 192.168.1.0/24 subnet. The problem is the route below because it
covers already the entire subnet. What is needed is a more specific
route to the address of your laptop, possibly by placing this in a
subnet of 192.168.1.0.

192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254 
> this is your inner interface, normal
 
216.12.22.64/26 dev ipsec0  proto kernel  scope link  src 216.x.y.z 
> this is built by ipsec, no importance here (hopefully) 

default via 216.12.22.65 dev eth
> and last, but not least, the default route used to access the
internet and your peer at 137.p.q.r

cheers
Erich








Re: [leaf-user] Openvpn problems -- again..

2004-12-16 Thread Erich Titl
Rick
Tibbs, Richard wrote:
> the pt-to-pt tunnel needed to know how to get to the other.

Not the endpoints, your local end point is a device which is linked to 
an address and knows the other end of the tunnel. The local and remote 
directives apparently take care of the routing issues.

> Apparently not so. 

> Two remaining issues that I will experiment later:
> 1) Do I need a route directive on the wireless laptop?

Look at the routing table on the laptop once you have the tunnel up.

> 2) Pending the outcome of 1), Do I need route directives between home &
> office.

IMHO that is the easy part of the set up. The tunnel between your home 
network and the office network takes care of the routing for the office.
Your home and wireless network are one and the same seen from the office.

Your set up appears complicated to me because you want to tunnel through 
your home network to address something inside your home network. I 
believe it could be done by bridging a tap device and eth1 and dividing 
the home network into 2 subnets. I would go the easy way, define 2 
subnets, one for wired and one for wireless. Add one more nic to the 
home fw and connect your wireless bridge directly to that nic.

Example:
wired subnet:
eth1 192.168.1.0/26
wireless subnet
eth2 192.168.1.64/26
Both live in the 192.168.1.0/24 subnet, thus are one and the same for 
your office gateway. On your home gateway you have now dedicated subnets 
for wired and wireless, which adds additional security to your set up 
because now broadcasts on the wire are not sent to the wireless 
environment. You will need to set up routing between the different 
shorewall zones but that should be easy.

cheers
Erich



RE: [leaf-user] Openvpn problems -- again..

2004-12-18 Thread Tibbs, Richard
I am not sure the laptop needs a route to 192.168.10.0. 
In fact, although the tunnel between homefw and officefw is "working" --
I can ping either end of the tunnel IPs (10.1.10.1,2) from the other --
I can't get access to the individual subnets.

Although there is no route to 192.168.10 on the laptop, the home
firewall has a route in its route table for that subnet (see below). So,
the default route of the laptop takes over for those packets, and home
fw table sends them on the tunnel to office fw. 

See the ping from the winxp box way at the bottom, the opposite end of
the tunnel at office fw says destination unreachable. Yet obviously
192.168.10.0 is a directly connected net to office fw. 

I apologize in advance for the length of this post, and my obsessive
anonymizing of the public IPs (who knows who may lurk on the list... )

Any thoughts?

Rick.

I have been following 
www.shorewall.net/openvpn.html
Unfortunately that page uses a route-up script that is not displayed. So
I am guessing the config should be:

office openvpn.conf
dev tun
# For compatibility with 2.x openvpn clients/servers
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
port 50001
disable-occ
local 137.p.q.190
# Remote peer 
remote 216.x.y.89
ifconfig 10.1.10.2 10.1.10.1
route 192.168.1.0 255.255.255.0
# Our pre-shared static key
secret static.key
verb 5
mute 10

The route directive is what I assume the upscript does. This makes the
office route table:
# ip route sho
10.1.10.1 dev tun0  proto kernel  scope link  src 10.1.10.2 
192.168.1.0/24 via 10.1.10.1 dev tun0 
192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254 
137.p.q.0/24 dev eth0  proto kernel  scope link  src 137.p.q.190 
137.p.q.0/24 dev ipsec0  proto kernel  scope link  src 137.p.q.190 
default via 137.p.q.55 dev eth0

on the home fw, the route directive is
route 192.168.10.0 255.255.255.0


=== Shorewall config 
# more zones
#ZONE   DISPLAY COMMENTS
net     Net     Internet
loc     Local   Local Networks
vpn1    VPN-1   Remote Subnet for IPsec Road Warrior
vpn3    VPN-3   Openvpn sub to sub
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

firewall: -root-
# more interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
#loc    usb0
vpn1    ipsec0
vpn3    tun0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

firewall: -root-
# more policy
loc     vpn1    ACCEPT
fw      vpn3    ACCEPT
loc     vpn3    ACCEPT
net     vpn3    ACCEPT
vpn1    loc     ACCEPT
vpn3    loc     ACCEPT
vpn3    net     ACCEPT
vpn3    fw      ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

tunnels:
# TYPE          ZONE    GATEWAY         GATEWAY ZONE    PORT
ipsec           net     0.0.0.0/0       vpn1
openvpn:50001   net     216.x.y.89      vpn3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


=== from winxp ===
ping 192.168.10.13

Pinging 192.168.10.13 with 32 bytes of data:

Reply from 10.1.10.2: Destination host unreachable.
Reply from 10.1.10.2: Destination host unreachable.
Reply from 10.1.10.2: Destination host unreachable.

Ping statistics for 192.168.10.13:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 17, 2004 2:56 AM
To: Tibbs, Richard
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Openvpn problems -- again..

Rick

Tibbs, Richard wrote:

>OK, I deleted the route directive on the wireless laptop and everything
>works fine.  I can ping each end of the tunnel from the other, etc. 
>Apparently the route directive is completely unnecessary in my
situation
>on either end.
>  
>
Great it works for you, I have one question though. I do not see a route
on that laptop for the net 192.168.10.0/24, e.g. the office network. I 
would expect a route to point to the tap adapter. Did you check that the
traffic really goes through the tunnel? I would expect a rather general
route to point to the tunnel to send most/all traffic through the 
tunnel. You can probably check by running a tcpdump on tunx.
tunnel. You can probably check by running a tcpdump on tunx.

cheers
Erich





Re: [leaf-user] Openvpn problems -- again..

2004-12-18 Thread Erich Titl
Tibbs, Richard wrote:
> I am not sure the laptop needs a route to 192.168.10.0. 
> In fact, although the tunnel between homefw and officefw is "working" --
> I can ping either end of the tunnel IPs (10.1.10.1,2) from the other --
> I can't get access to the individual subnets.
>
> Although there is no route to 192.168.10 on the laptop, 

How will the laptop route 192.168.10.0. If there is no distinct route it 
will take the default route which might not go through the tunnel.

> the home
> firewall has a route in its route table for that subnet (see below). 
> So,
> the default route of the laptop takes over for those packets, and home
> fw table sends them on the tunnel to office fw. 

Yes, but the default route might not go through the tunnel.

> See the ping from the winxp box way at the bottom, the opposite end of
> the tunnel at office fw says destination unreachable. Yet obviously
> 192.168.10.0 is a directly connected net to office fw. 
>
> ...
> I have been following 
> www.shorewall.net/openvpn.html
> Unfortunately that page uses a route-up script that is not displayed. So
> I am guessing the config should be:
>
> office openvpn.conf
> dev tun
> # For compatibility with 2.x openvpn clients/servers
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1450
> port 50001
> disable-occ
> local 137.p.q.190
> # Remote peer 
> remote 216.x.y.89
> ifconfig 10.1.10.2 10.1.10.1
> route 192.168.1.0 255.255.255.0
> # Our pre-shared static key
> secret static.key
> verb 5
> mute 10
>
> The route directive is what I assume the upscript does. This makes the
> office route table:
> # ip route sho
> 10.1.10.1 dev tun0  proto kernel  scope link  src 10.1.10.2 
> 192.168.1.0/24 via 10.1.10.1 dev tun0 
> 192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254 
> 137.p.q.0/24 dev eth0  proto kernel  scope link  src 137.p.q.190 
> 137.p.q.0/24 dev ipsec0  proto kernel  scope link  src 137.p.q.190 
> default via 137.p.q.55 dev eth0
>
> on the home fw, the route directive is
> route 192.168.10.0 255.255.255.0

This will cover the route to the office.
Don't you need a route through the second tunnel to reach your laptop? 
Else the routing will be done outside your tunnel.

> === Shorewall config 
> # more zones
> #ZONE   DISPLAY COMMENTS
> net     Net     Internet
> loc     Local   Local Networks
> vpn1    VPN-1   Remote Subnet for IPsec Road Warrior
> vpn3    VPN-3   Openvpn sub to sub
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> firewall: -root-
> # more interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect      norfc1918
> loc     eth1        detect
> #loc    usb0
> vpn1    ipsec0
> vpn3    tun0
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> firewall: -root-
> # more policy
> loc     vpn1    ACCEPT
> fw      vpn3    ACCEPT
> loc     vpn3    ACCEPT
> net     vpn3    ACCEPT
> vpn1    loc     ACCEPT
> vpn3    loc     ACCEPT
> vpn3    net     ACCEPT
> vpn3    fw      ACCEPT
> net     all     DROP    ULOG
> all     all     REJECT  ULOG
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> tunnels:
> # TYPE          ZONE    GATEWAY         GATEWAY ZONE    PORT
> ipsec           net     0.0.0.0/0       vpn1
> openvpn:50001   net     216.x.y.89      vpn3
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> === from winxp ===
> ping 192.168.10.13
> Pinging 192.168.10.13 with 32 bytes of data:
> Reply from 10.1.10.2: Destination host unreachable.
> Reply from 10.1.10.2: Destination host unreachable.
> Reply from 10.1.10.2: Destination host unreachable.

If I read this correctly, then the tunnel endpoint in your office does 
not know the way to the office network or rejects the packets with icmp 
host unreachable. Any entries in the log files?

Try to trace the path of your packets using tcpdump, then you will see 
exactly where they enter and exit the tunnels and if they use the 
tunnels at all.

cheers
Erich
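Erich's question above, which route the laptop actually picks for 192.168.10.x and whether that is the tun adapter at all, can be answered from the `route print` output Rick posted. The block below is an added example, not code from this thread: it parses a constructed re-typed copy of that Active Routes table, performs the longest-prefix lookup Windows does, and then shows what changes once a route for the office network via the remote tunnel address 10.1.1.1 is added, which is what a `route 192.168.10.0 255.255.255.0` directive in the laptop's openvpn.conf would install (OpenVPN uses the remote `ifconfig` address as the default gateway for `route` in tun mode).

```python
"""Longest-prefix route lookup over the laptop's Windows route table.

Added example for the leaf-user thread, not code posted by anyone in it.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


# Constructed sample input: the Active Routes section Rick posted, re-typed
# with one entry per line (destination, netmask, gateway, interface, metric).
WINXP_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.3       2
         10.1.1.0  255.255.255.252         10.1.1.2       10.1.1.2      30
         10.1.1.2  255.255.255.255        127.0.0.1      127.0.0.1      30
   10.255.255.255  255.255.255.255         10.1.1.2       10.1.1.2      30
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.3    192.168.1.3       2
      192.168.1.3  255.255.255.255        127.0.0.1      127.0.0.1       2
    192.168.1.255  255.255.255.255      192.168.1.3    192.168.1.3       2
        224.0.0.0        240.0.0.0         10.1.1.2       10.1.1.2      30
        224.0.0.0        240.0.0.0      192.168.1.3    192.168.1.3       2
  255.255.255.255  255.255.255.255         10.1.1.2       10.1.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.3    192.168.1.3       1
Default Gateway:     192.168.1.254
"""

# Tunnel endpoints from the posted configs: the laptop has
# "ifconfig 10.1.1.2 10.1.1.1", homefw the mirror image.
LAPTOP_TUN_ADDR = ipaddress.IPv4Address("10.1.1.2")
HOMEFW_TUN_ADDR = ipaddress.IPv4Address("10.1.1.1")


def parse_route_print(text: str) -> List[Route]:
    """Parse the five-column Active Routes lines; skip headers and footers."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or "Default Gateway:" line
        try:
            network = ipaddress.IPv4Network((fields[0], fields[1]), strict=False)
            routes.append(Route(network,
                                ipaddress.IPv4Address(fields[2]),
                                ipaddress.IPv4Address(fields[3]),
                                int(fields[4])))
        except ValueError:
            continue  # not a route line after all
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Most specific matching prefix wins; the lower metric breaks ties."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def uses_tunnel(routes: List[Route], destination: str) -> bool:
    """True when the chosen route leaves via the TAP-Win32 (tun) adapter."""
    route = lookup(routes, destination)
    return route is not None and route.interface == LAPTOP_TUN_ADDR


def with_office_route(routes: List[Route]) -> List[Route]:
    """Return a copy of the table with the route that a
    'route 192.168.10.0 255.255.255.0' directive on the laptop would add:
    next hop is the remote end of the tunnel (homefw, 10.1.1.1)."""
    office = Route(ipaddress.IPv4Network("192.168.10.0/24"),
                   HOMEFW_TUN_ADDR, LAPTOP_TUN_ADDR, 30)
    return routes + [office]


if __name__ == "__main__":
    table = parse_route_print(WINXP_ROUTE_PRINT)
    for dst in ("10.1.1.1", "192.168.10.13"):
        r = lookup(table, dst)
        print(f"{dst:15} -> {r.network} via {r.gateway} on {r.interface} "
              f"(tunnel: {uses_tunnel(table, dst)})")
    fixed = with_office_route(table)
    print("after adding the office route:", uses_tunnel(fixed, "192.168.10.13"))
```

With the posted table, 10.1.1.1 matches the 10.1.1.0/30 entry on the tun adapter, while 192.168.10.13 falls through to the default route via 192.168.1.254 on the wireless nic, so those pings never enter the tunnel until the office route is added.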



RE: [leaf-user] Openvpn problems -- again..

2004-12-18 Thread Tibbs, Richard
Yes, Erich you are probably right.
The default on the laptop would not go through the tunnel (from laptop
to homefw.)   But key issue: when I ping 192.168.10.13 from the home
firewall,
I also cannot get through.  So something else needs to be done that I
don't understand at this point.

Rick.

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 18, 2004 6:05 PM
To: Tibbs, Richard
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Openvpn problems -- again..

Tibbs, Richard wrote:

>I am not sure the laptop needs a route to 192.168.10.0. 
>In fact, although the tunnel between homefw and officefw is "working" --
>I can ping either end of the tunnel IPs (10.1.10.1,2) from the other --
>I can't get access to the individual subnets.
>
>Although there is no route to 192.168.10 on the laptop, 
>
How will the laptop route 192.168.10.0. If there is no distinct route it
will take the default route which might not go through the tunnel.

>the home
>firewall has a route in its route table for that subnet (see below). 
>  
>
>So,
>the default route of the laptop takes over for those packets, and home
>fw table sends them on the tunnel to office fw. 
>  
>
Yes, but the default route might not go through the tunnel.

>See the ping from the winxp box way at the bottom, the opposite end of
>the tunnel at office fw says destination unreachable. Yet obviously
>192.168.10.0 is a directly connected net to office fw. 
>
>...
>I have been following 
>www.shorewall.net/openvpn.html
>Unfortunately that page uses a route-up script that is not displayed. So
>I am guessing the config should be:
>
>office openvpn.conf
>dev tun
># For compatability with 2.x openvpn clients/servers
>tun-mtu 1500
>tun-mtu-extra 32
>mssfix 1450
>port 50001
>disable-occ
>local 137.p.q.190
># Remote peer 
>remote 216.x.y.89
>ifconfig 10.1.10.2 10.1.10.1
>route 192.168.1.0 255.255.255.0
># Our pre-shared static key
>secret static.key
>verb 5
>mute 10
>
>The route directive is what I assume the upscript does. This makes the
>office route table:
># ip route sho
>10.1.10.1 dev tun0  proto kernel  scope link  src 10.1.10.2 
>192.168.1.0/24 via 10.1.10.1 dev tun0 
>192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254 
>137.p.q.0/24 dev eth0  proto kernel  scope link  src 137.p.q.190 
>137.p.q.0/24 dev ipsec0  proto kernel  scope link  src 137.p.q.190 
>default via 137.p.q.55 dev eth0
>
>on the home fw, the route directive is
>route 192.168.10.0 255.255.255.0
>  
>
This will cover the route to the office.
Don't you need a route through the second tunnel to reach your laptop?
Else the routing will be done outside your tunnel.

>
>=== Shorewall config 
># more zones
>#ZONE   DISPLAY COMMENTS
>net     Net     Internet
>loc     Local   Local Networks
>vpn1    VPN-1   Remote Subnet for IPsec Road Warrior
>vpn3    VPN-3   Openvpn sub to sub
>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>firewall: -root-
># more interfaces
>#ZONE   INTERFACE   BROADCAST   OPTIONS
>net     eth0        detect      norfc1918
>loc     eth1        detect
>#loc    usb0
>vpn1    ipsec0
>vpn3    tun0
>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>firewall: -root-
># more policy
>loc     vpn1    ACCEPT
>fw      vpn3    ACCEPT
>loc     vpn3    ACCEPT
>net     vpn3    ACCEPT
>vpn1    loc     ACCEPT
>vpn3    loc     ACCEPT
>vpn3    net     ACCEPT
>vpn3    fw      ACCEPT
>net     all     DROP    ULOG
>all     all     REJECT  ULOG
>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>tunnels:
># TYPE          ZONE    GATEWAY         GATEWAY ZONE    PORT
>ipsec           net     0.0.0.0/0       vpn1
>openvpn:50001   net     216.x.y.89      vpn3
>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
>=== from winxp ===
>ping 192.168.10.13
>
>Pinging 192.168.10.13 with 32 bytes of data:
>
>Reply from 10.1.10.2: Destination host unreachable.
>Reply from 10.1.10.2: Destination host unreachable.
>Reply from 10.1.10.2: Destination host unreachable.
>  
>
If I read this correctly, then the tunnel endpoint in your office does 
not know the way to the office network or rejects the packets with icmp 
host unreachable. Any entries in the log files?

Try to trace the path of you
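
The question Erich raises above (does a packet for the other LAN take a distinct route into tun0, or the default route out of eth0?) can be checked mechanically. The following is an added example, not code from the thread: it parses "ip route show" output like the office table quoted above and performs the kernel's longest-prefix lookup. The office table reuses Rick's entries with the redacted 137.p.q prefix replaced by the constructed 198.51.100.0/24 and the duplicate ipsec0 entry left out; the two home-firewall tables are constructed to show what the "route 192.168.10.0 255.255.255.0" directive changes.

```python
"""Longest-prefix lookup over `ip route show` output (added example).

Reproduces the forwarding decision a Linux host makes for a destination, so
one can see whether a packet for the remote LAN leaves through tun0 or falls
back to the default route.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next-hop gateway, None for a directly connected net


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` lines; only prefix, dev and via are kept."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = fields[0]
        if dst == "default":
            prefix = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            # a bare host such as "10.1.10.1" is a /32 route
            prefix = ipaddress.IPv4Network(dst, strict=False)
        dev = via = None
        for key, value in zip(fields[1:], fields[2:]):
            if key == "dev":
                dev = value
            elif key == "via":
                via = value
        if dev is None:
            raise ValueError(f"route without an output device: {line!r}")
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route, as the kernel would pick it."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in routes:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def egress_dev(table: str, dst: str) -> str:
    """Device a packet for dst leaves by, given an `ip route show` dump."""
    route = lookup(parse_ip_route(table), dst)
    return route.dev if route else "unroutable"


# Office firewall table from the thread; the redacted public prefix
# 137.p.q.0/24 is replaced by the constructed 198.51.100.0/24.
OFFICE_FW = """\
10.1.10.1 dev tun0  proto kernel  scope link  src 10.1.10.2
192.168.1.0/24 via 10.1.10.1 dev tun0
192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254
198.51.100.0/24 dev eth0  proto kernel  scope link  src 198.51.100.190
default via 198.51.100.55 dev eth0
"""

# Constructed home firewall table *without* the OpenVPN "route" directive:
# traffic for the office LAN has only the default route to fall back on.
HOME_FW_NO_ROUTE = """\
10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.89
default via 203.0.113.1 dev eth0
"""

# Same table after "route 192.168.10.0 255.255.255.0" in openvpn.conf.
HOME_FW_WITH_ROUTE = HOME_FW_NO_ROUTE + "192.168.10.0/24 via 10.1.10.2 dev tun0\n"


if __name__ == "__main__":
    for name, table in [("office", OFFICE_FW), ("home, no route", HOME_FW_NO_ROUTE),
                        ("home, with route", HOME_FW_WITH_ROUTE)]:
        print(f"{name:18} 192.168.10.13 -> {egress_dev(table, '192.168.10.13')}")
```

Without the "route" line the home firewall forwards 192.168.10.13 out eth0 towards its ISP, exactly the "routing done outside your tunnel" case; with it the /24 beats the /0 and the packet enters tun0.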

Re: [leaf-user] openvpn and passwords

2005-07-04 Thread Backhausen, Sven

On 01.07.2005 at 17:56 Stephen More wrote:

According to: 
http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html

the openvpn system allows a user/password to be configured.

I did not see any mention of passwords on:
http://leaf.sourceforge.net/doc/guide/bucu-openvpn.html

Is there any LEAF package that allows one to maintain a list of users
and passwords and code that can be used as an authentication module
for openvpn ?


You should consider using X.509 Certificates for Authentication. 
Certificates provide higher security than passwords and allow the users 
to change their passphrase without the need to change any passwords on 
the leaf-box.






[leaf-user] Openvpn 2.0 routes problem

2005-12-05 Thread Sylvain Pelletier
Hi,

I try to set up a vpn with the latest version of openssl (2.0.5) under
Bering-uClibc 2.3.

I try to connect an xp client to the bering gateway, the tls handshake
is successfully achieved.

From the client's log:
[tremblay.chep.priv] Peer Connection Initiated with 82.124.204.58:1194

My client didn't obtain ip and routes from the server, and I get 
"Initialisation process completed with errors" in the log, as
explained in the documentation. I checked that the dhcp client is
active on the tap interface and the firewall turned off, but my tunnel
is still not working.


The server's config:

;local a.b.c.d
port 1194
;proto tcp
dev tun
;dev-node MyTap
ca keys/ca.crt
cert keys/tremblay.chep.priv.crt
key keys/tremblay.chep.priv.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/state/openvpn-ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.0.1.0 255.255.255.0 10.8.0.1"
;push "ip-win32 dynamic"
;push "route-delay 2 600"
keepalive 10 120
;comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
;log openvpn.log
;log-append  openvpn.log
verb 6
;mute 20

My client's config (under windows xp sp1):

client
dev tun
proto udp
remote "the ip of the server" 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert trappes.chep.priv.crt
key trappes.chep.priv.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
;comp-lzo
verb 7
;mute 20

Thanks for help

Sylvain




Re: [leaf-user] OpenVPN on Bering

2006-01-18 Thread Erich Titl

Bob von Knobloch wrote:
Does anyone know what this error message from OpenVPN in (daemon.log) 
might actually mean?


Wed Jan 18 22:30:07 2006 TCP/UDP: Socket bind failed on local address 
[undef]:1194: Address already in use


I have not specified a specific address and certainly have nothing 
running on port 1194.


looks like a lost openvpn server process, does it show on

ps -ef

cheers

Erich






Re: [leaf-user] OpenVPN on Bering

2006-01-18 Thread Martin Hejl
Hi Bob,

> Does anyone know what this error message from OpenVPN in (daemon.log)
> might actually mean?
> 
> Wed Jan 18 22:30:07 2006 TCP/UDP: Socket bind failed on local address
> [undef]:1194: Address already in use
> 
> I have not specified a specific address and certainly have nothing
> running on port 1194.
could it be that you have several "*.conf" files in /etc/openvpn/ that
all use the same port (or that all use the default port, which amounts
to the same thing)?
For example, some "server.conf" and another file with your custom
config? The init script will try to start a daemon for each *.conf file
found in /etc/openvpn, if I recall correctly (it's been a while since I
played with openvpn)

Do a "netstat -an |grep 1194" to see if something is already listening
on that port.

To answer your question - the error message actually means that
_something_ else is already listening on that port, so openvpn failed to
start. If you have not specified a specific address (I guess you mean
port? Or do you want openvpn to only listen on a specific interface?) it
will default to 1194, since that's the port number that was assigned to
OpenVPN by IANA.

I hope that helps.

Martin




[leaf-user] Openvpn - Bering uClibc 2.3

2006-01-20 Thread Bob von Knobloch

Dear List,
I have now succeeded in installing an OpenVPNZ on my WRAP LEAF Box. 
Everything works very well. This sort of surprised me, I am used to 
working with professional IKE/IPSEC VPNs and OpenVPN seems at least as good.
For information, one small problem remains that is LEAF orientated: The 
boot-up process starts OpenVPN too soon, ntpsimpl needs to be started 
first. This can be fixed, but ntpsimpl, although modified with a script 
from Erich Titl, does not actually set the system date for quite some 
time after it has fetched the time from the Internet.
For OpenVPN this causes the startup process to reject all local 
Certificates as being invalid (this is true - when a Certificate's date 
lies in the apparent future, the Certificate is indeed not valid).
This is not corrected by waiting. A new reboot is required. (To 
reiterate, the problem is caused by the ISP rejecting logon attempts for 
a period shortly after a disconnect - for example a 10 second power 
failure would cause the system to fail and stay failed).
I will think about this and experiment with solutions. Any suggestions 
are, of course, very welcome.

Bob




Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-09 Thread Eric Spakman
Hi Bob,

The revoke-full script is a very simple shell script which only uses
openssl (you need the openssl.lrp package, probably the reason why the
script isn't added by default), so I don't see any reason why it shouldn't
work. I think you just can use it "as is" on Bering-uClibc.

Regards,
Eric

> Dear LEAF list,
>
>
> I am using Bering uClibc 2.3 with OpenVPN. Everything works really well
> - thanks !
> I am trying to revoke a certificate (only to test the CRL mechanism). On
> the OpenVPN Howto a script is used "revoke-full" that is part of the
> easyRSA software. This does not seem to exist in the openvpn-lrp. Can I
> use the same script as in the 'non-LEAF' openvpn package or do I need to
> make some adjustments? p.s. I don't find any information as to
> revocation/CRLs in the LEAF docs, I would be happy to write something once
> I get it working.
>
>
> Regards,
>
>
> Bob von Knobloch.
>
>
>
>
>
>





Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-09 Thread Bob von Knobloch
Hi Eric,

Thanks for answering, but the revoke script is neither in the openvpnz 
nor the openssl lrp package. I have both installed on my LEAF box.

Regards,
Bob

Eric Spakman wrote:
> Hi Bob,
>
> The revoke-full script is a very simple shell script which only uses
> openssl (you need the openssl.lrp package, probably the reason why the
> script isn't added by default), so I don't see any reason why it shouldn't
> work. I think you just can use it "as is" on Bering-uClibc.
>
> Regards,
> Eric
>
>   
>> Dear LEAF list,
>>
>>
>> I am using Bering uClibc 2.3 with OpenVPN. Everything works really well
>> - thanks !
>> I am trying to revoke a certificate (only to test the CRL mechanism). On
>> the OpenVPN Howto a script is used "revoke-full" that is part of the
>> easyRSA software. This does not seem to exist in the openvpn-lrp. Can I
>> use the same script as in the 'non-LEAF' openvpn package or do I need to
>> make some adjustments? p.s. I don't find any information as to
>> revocation/CRLs in the LEAF docs, I would be happy to write something once
>> I get it working.
>>
>>
>> Regards,
>>
>>
>> Bob von Knobloch.
>>
>>
>>
>>
>>
>>
>> 
>
>
>   




Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-09 Thread Eric Spakman
Hi Bob,

Correct, but you can just copy the script from the openvpn source to the
Bering-uClibc system and make it executable.

Regards,
Eric

> Hi Eric,
>
>
> Thanks for answering, but the revoke script is neither in the openvpnz
> nor the openssl lrp package. I have both installed on my LEAF box.
>
> Regards,
> Bob
>
>
> Eric Spakman wrote:
>
>> Hi Bob,
>>
>>
>> The revoke-full script is a very simple shell script which only uses
>> openssl (you need the openssl.lrp package, probably the reason why the
>> script isn't added by default), so I don't see any reason why it
>> shouldn't work. I think you just can use it "as is" on Bering-uClibc.
>>
>> Regards,
>> Eric
>>
>>
>>
>>> Dear LEAF list,
>>>
>>>
>>>
>>> I am using Bering uClibc 2.3 with OpenVPN. Everything works really
>>> well - thanks !
>>> I am trying to revoke a certificate (only to test the CRL mechanism).
>>> On
>>> the OpenVPN Howto a script is used "revoke-full" that is part of the
>>> easyRSA software. This does not seem to exist in the openvpn-lrp. Can
>>> I
>>> use the same script as in the 'non-LEAF' openvpn package or do I need
>>> to make some adjustments? p.s. I don't find any information as to
>>> revocation/CRLs in the LEAF docs, I would be happy to write something
>>> once I get it working.
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Bob von Knobloch.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>





Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-12 Thread Bob von Knobloch
Hi Eric,

Just to confirm, the script works fine without modification, the Server 
config needs "crl-verify keys/crl.pem" adding to be able to use the CRL 
generated by "full-revoke ".
On testing, the leaf box shows that a revoked certificate has been tried 
in daemon.log. Sadly the Windows Openvpn GUI does not show a revocation, 
just a TLS failure (maybe this is good security?).

Would it be worth adding the script to the LRP ?

Regards,

Bob
> Hi Bob,
>
> Correct, but you can just copy the script from the openvpn source to the
> Bering-uClibc system and make it executable.
>
> Regards,
> Eric
>
>   
>> Hi Eric,
>>
>>
>> Thanks for answering, but the revoke script is neither in the openvpnz
>> nor the openssl lrp package. I have both installed on my LEAF box.
>>
>> Regards,
>> Bob
>>
>>
>> Eric Spakman wrote:
>>
>> 
>>> Hi Bob,
>>>
>>>
>>> The revoke-full script is a very simple shell script which only uses
>>> openssl (you need the openssl.lrp package, probably the reason why the
>>> script isn't added by default), so I don't see any reason why it
>>> shouldn't work. I think you just can use it "as is" on Bering-uClibc.
>>>
>>> Regards,
>>> Eric
>>>
>>>
>>>
>>>   
>>>> Dear LEAF list,
>>>>
>>>> I am using Bering uClibc 2.3 with OpenVPN. Everything works really
>>>> well - thanks !
>>>> I am trying to revoke a certificate (only to test the CRL mechanism).
>>>> On the OpenVPN Howto a script is used "revoke-full" that is part of the
>>>> easyRSA software. This does not seem to exist in the openvpn-lrp. Can
>>>> I use the same script as in the 'non-LEAF' openvpn package or do I need
>>>> to make some adjustments? p.s. I don't find any information as to
>>>> revocation/CRLs in the LEAF docs, I would be happy to write something
>>>> once I get it working.
>>>>
>>>> Regards,
>>>>
>>>> Bob von Knobloch.
>>>>
>>>
>>>   
>>
>>
>> 
>
>
>   
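
The three steps the revoke-full script wraps, and the check that "crl-verify keys/crl.pem" makes the server perform, can be exercised end to end without touching a live CA. The following is an added example and not part of the thread, the LEAF packages or easy-rsa: it builds a throwaway CA in a temporary directory with the openssl command line, issues a client certificate, revokes it, generates the CRL and verifies the certificate before and after. The minimal openssl.cnf, the names "Toy VPN CA" and "laptop" and the file layout are constructed for this example; it needs an openssl binary on the PATH.

```python
"""Certificate revocation round trip with the openssl CLI (added example).

Performs the commands behind easy-rsa's revoke-full (openssl ca -revoke,
openssl ca -gencrl, openssl verify -crl_check) against a throwaway CA.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Dict

# Constructed minimal openssl.cnf for `openssl ca`; not the one easy-rsa ships.
OPENSSL_CNF = """\
[ ca ]
default_ca = toy_ca
[ toy_ca ]
dir = {dir}
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = toy_policy
x509_extensions = client_ext
[ toy_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
"""


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(workdir: str, *args: str, check: bool = True) -> subprocess.CompletedProcess:
    res = subprocess.run(["openssl", *args], cwd=workdir, capture_output=True, text=True)
    if check and res.returncode != 0:
        raise RuntimeError(f"openssl {args[0]} failed: {res.stderr.strip()}")
    return res


def _verify(workdir: str, cert: str, with_crl: bool) -> bool:
    """Verify cert against the CA; with_crl adds the CRL the way revoke-full does."""
    ca_file = "ca.crt"
    if with_crl:
        # revoke-full concatenates ca.crt and crl.pem into one trust file
        ca_file = "revoke-test.pem"
        with open(os.path.join(workdir, ca_file), "w") as out:
            for part in ("ca.crt", "crl.pem"):
                with open(os.path.join(workdir, part)) as src:
                    out.write(src.read())
    args = ["verify", "-CAfile", ca_file] + (["-crl_check"] if with_crl else []) + [cert]
    res = _openssl(workdir, *args, check=False)
    # old openssl releases exit 0 even on failure, so look at the verdict too
    return res.returncode == 0 and res.stdout.strip().endswith(": OK")


def crl_round_trip() -> Dict[str, object]:
    """Issue a client cert, verify it, revoke it, publish a CRL, verify again."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "newcerts"))
        open(os.path.join(d, "index.txt"), "w").close()
        with open(os.path.join(d, "serial"), "w") as fh:
            fh.write("01\n")
        with open(os.path.join(d, "openssl.cnf"), "w") as fh:
            fh.write(OPENSSL_CNF.format(dir=d))
        cnf = ("-config", "openssl.cnf")
        # CA key and self-signed CA cert (easy-rsa: build-ca)
        _openssl(d, "req", "-x509", *cnf, "-newkey", "rsa:2048", "-nodes", "-keyout",
                 "ca.key", "-out", "ca.crt", "-days", "365", "-subj", "/CN=Toy VPN CA")
        # client key + CSR, then sign it with the CA (easy-rsa: build-key)
        _openssl(d, "req", "-new", *cnf, "-newkey", "rsa:2048", "-nodes", "-keyout",
                 "laptop.key", "-out", "laptop.csr", "-subj", "/CN=laptop")
        _openssl(d, "ca", "-batch", *cnf, "-in", "laptop.csr", "-out", "laptop.crt")
        before = _verify(d, "laptop.crt", with_crl=False)
        # the two commands inside revoke-full
        _openssl(d, "ca", *cnf, "-revoke", "laptop.crt")
        _openssl(d, "ca", *cnf, "-gencrl", "-out", "crl.pem")
        after = _verify(d, "laptop.crt", with_crl=True)
        crl_text = _openssl(d, "crl", "-in", "crl.pem", "-noout", "-text").stdout
        revoked = [ln for ln in crl_text.splitlines() if ln.strip().startswith("Serial Number:")]
        return {"valid_before_revoke": before, "valid_after_revoke": after,
                "revoked_count": len(revoked)}


if __name__ == "__main__":
    print(crl_round_trip())
```

The server-side verify is the part that names the reason ("certificate revoked"); a client only ever sees the resulting TLS failure, which matches what Bob reports from the Windows GUI.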




Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-14 Thread Eric Spakman
Hi Bob,

Sorry for responding so late.
If we add the script to openvpn.lrp the package would also require the
openssl.lrp package. I will think about a solution.

Regards,
Eric

> Hi Eric,
>
>
> Just to confirm, the script works fine without modification, the Server
> config needs "crl-verify keys/crl.pem" adding to be able to use the CRL
> generated by "full-revoke ". On testing, the leaf box shows that a
> revoked certificate has been tried in daemon.log. Sadly the Windows
> Openvpn GUI does not show a revocation,
> just a TLS failure (maybe this is good security?).
>
> Would it be worth adding the script to the LRP ?
>
>
> Regards,
>
>
> Bob
>
>> Hi Bob,
>>
>>
>> Correct, but you can just copy the script from the openvpn source to
>> the Bering-uClibc system and make it executable.
>>
>>
>> Regards,
>> Eric
>>
>>
>>
>>> Hi Eric,
>>>
>>>
>>>
>>> Thanks for answering, but the revoke script is neither in the
>>> openvpnz nor the openssl lrp package. I have both installed on my LEAF
>>> box.
>>>
>>> Regards,
>>> Bob
>>>
>>>
>>>
>>> Eric Spakman wrote:
>>>
>>>
>>>
>>>> Hi Bob,
>>>>
>>>> The revoke-full script is a very simple shell script which only
>>>> uses openssl (you need the openssl.lrp package, probably the reason
>>>> why the script isn't added by default), so I don't see any reason
>>>> why it shouldn't work. I think you just can use it "as is" on
>>>> Bering-uClibc.
>>>>
>>>> Regards,
>>>> Eric
>>>>
>>>>> Dear LEAF list,
>>>>>
>>>>> I am using Bering uClibc 2.3 with OpenVPN. Everything works
>>>>> really well - thanks ! I am trying to revoke a certificate (only to
>>>>> test the CRL mechanism). On the OpenVPN Howto a script is used
>>>>> "revoke-full" that is part of the easyRSA software. This does not
>>>>> seem to exist in the openvpn-lrp. Can I use the same script as in
>>>>> the 'non-LEAF' openvpn package or do I need to make some
>>>>> adjustments? p.s. I don't find any information as to
>>>>> revocation/CRLs in the LEAF docs, I would be happy to write
>>>>> something once I get it working.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Bob von Knobloch.
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>





Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-15 Thread Bodo Meissner
On 14.08.2006 23:15:19 Eric Spakman wrote:

> If we add the script to openvpn.lrp the package would also require the
> openssl.lrp package. I will think about a solution.
> 

Hello Eric,

I suggest creating a separate "openvpn CA" package that contains the  
revocation script and maybe other tools for key/certificate management.

I think the revocation must be done on the CA machine which should be  
separate from the machine running the VPN.


Bodo



Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-15 Thread Eric Spakman
Hello Bodo,
>
> I suggest creating a separate "openvpn CA" package that contains the
> revocation script and maybe other tools for key/certificate management.
>
If you make a list of (simple) tools/scripts which would be valuable in
such a package I will make a package out of it.

> I think the revocation must be done on the CA machine which should be
> separate from the machine running the VPN.
>
Yes, I fully agree with Erich's mail about this.

>
> Bodo
>
Eric

>
>
>





Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-16 Thread KP Kirchdoerfer
Hi;

On Tuesday, 15 August 2006 21:30, Bodo Meissner wrote:
> On 14.08.2006 23:15:19 Eric Spakman wrote:
> > If we add the script to openvpn.lrp the package would also require the
> > openssl.lrp package. I will think about a solution.
>
> Hello Eric,
>
> I suggest creating a separate "openvpn CA" package that contains the
> revocation script and maybe other tools for key/certificate management.

The natural place for a revoke script would be easyrsa.lrp.
This package contains the key generation scripts and already requires 
openssl.lrp.


> I think the revocation must be done on the CA machine which should be
> separate from the machine running the VPN.

kp



Re: [leaf-user] OpenVPN compatibility question

2006-08-16 Thread Jack Coates
On 8/12/06, Jack Coates <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm trying to do a simple OpenVPN between a couple of systems, and I'm
> having trouble. The tunnel comes up fine according to the OpenVPN logs on
> both sides, but they can't ping. Tcpdump -i tun0 on the server while the
> client pings shows everything working fine, but tcpdump -i tun0 on the
> client shows no traffic at all, zero packets captured (which is obviously
> not correct since the server sees the pings and answers them).
>
>
Figured it out... openvpn doesn't complain if it fails to connect. I just
kept restarting both ends until it really connected and stayed that way.

-- 
"I spent all me tin with the ladies drinking gin,
So across the Western ocean I must wander" -- traditional


Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-16 Thread Eric Spakman
Hi Kp,
>>
>>
>> I suggest creating a separate "openvpn CA" package that contains the
>> revocation script and maybe other tools for key/certificate management.
>
> The natural place for a revoke script would be easyrsa.lrp.
> This package contains the key generation scripts and already requires
> openssl.lrp.
>
Agree, the easyrsa package even already contains a revoke script (revoke-crt)

Eric




Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-16 Thread Bodo Meissner
On 15.08.2006 21:39:39 Eric Spakman wrote:

> If you make a list of (simple) tools/scripts which would be valuable
> in such a package I will make a package out of it.

Hello Eric,

I don't use OpenVPN and I don't create certificates.
(I use IPsec and the admin generates certs for me.)
That's why I don't know which tools are available.

Maybe you could follow KP's suggestion.

On 16.08.2006 18:40:25 KP Kirchdoerfer wrote:

> The natural place for a revoke script would be easyrsa.lrp.
> This package contains the key generation scripts and already requires
> openssl.lrp.


Bodo



Re: [leaf-user] OpenVPN & Certificate revocation

2006-08-16 Thread Eric Spakman
Hello Bodo,
>
>> If you make a list of (simple) tools/scripts which would be valuable
>> in such a package I will make a package out of it.
>
> Hello Eric,
>
>
> I don't use OpenVPN and I don't create certificates.
> (I use IPsec and the admin generates certs for me.)
> That's why I don't know which tools are available.
>
I'm a bit in the same position, that's why I asked ;)

>
> Maybe you could follow KP's suggestion.
>
I just saw that the easyrsa package probably contains all that is needed,
even a revoke script.

Eric




Re: [leaf-user] Openvpn multiple instances

2010-10-01 Thread Juergen Northe
Hi Robert,
take a look into /etc/init.d/openvpn :

CONFIG_DIR=/etc/openvpn
..
AUTOSTART="all"
..
..
  if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
    # all VPNs shall be started automatically
    for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
      NAME=${CONFIG%%.conf}
      start_vpn
    done


Autostart has to be set to "all" and the config files in
"/etc/openvpn" have to end with ".conf" .

This information is from ver 3.1 but should also work with later releases.



2010/10/1 bob :
> Hello leaf list,
> I have LEAF running on a WRAP box using shorewall & openvpn.
> We need to be able to serve udp & tcp openvpn for proxying reasons.
> The 'standard' openvpn can be configured using 2 '.ovpn' config files.
> How does this work on the LEAF package?
> The config file is called server.conf, I tried to add a 'server2.conf'
> but see that it is not parsed.
> '.ovpn' files also don't get parsed, how can I achieve 2 servers, both
> on the standard port, one TCP and the other UDP ?
> Cheers,
>
> Robert
>
>



-- 
Kind regards
Jürgen Northe
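The config selection the init script performs, as an added example (not the LEAF init script itself): the same loop wrapped in a function so it can be exercised against a scratch directory. It assumes, as in the Debian openvpn init script that has the same loop, that AUTOSTART may also be "none" or a space-separated list of config names.

```shell
# Added example, not /etc/init.d/openvpn itself.  Assumed: AUTOSTART is "all",
# empty, "none", or a space-separated list of config names (Debian semantics).
openvpn_configs_to_start() {
    config_dir="$1"
    autostart="$2"
    if [ -z "$autostart" ] || [ "x$autostart" = "xall" ]; then
        # all VPNs shall be started automatically: every NAME.conf in CONFIG_DIR
        for config in $(cd "$config_dir" && ls *.conf 2>/dev/null); do
            printf '%s\n' "${config%%.conf}"
        done
    elif [ "x$autostart" = "xnone" ]; then
        :   # nothing is started at boot
    else
        # explicit list: a name is only started if NAME.conf really exists,
        # so a typo in AUTOSTART is reported instead of silently ignored
        for name in $autostart; do
            if [ -f "$config_dir/$name.conf" ]; then
                printf '%s\n' "$name"
            else
                printf 'skipping %s: %s/%s.conf not found\n' \
                    "$name" "$config_dir" "$name" >&2
            fi
        done
    fi
}

# Constructed scratch directory standing in for /etc/openvpn.  Only the two
# .conf files qualify; the .ovpn file is never seen by the loop above.
make_demo_config_dir() {
    d=$(mktemp -d)
    : > "$d/server.conf"      # the original UDP server
    : > "$d/server2.conf"     # a second instance, e.g. the TCP server
    : > "$d/server3.ovpn"     # wrong suffix: ignored
    echo "$d"
}
```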



Re: [leaf-user] Openvpn multiple instances

2010-10-01 Thread Graziano Brioschi
Have a look in /etc/default/openvpn for the "AUTOSTART" variable.

graziano

On 01/10/2010 12.30, bob wrote:
> Hello leaf list,
> I have LEAF running on a WRAP box using shorewall & openvpn.
> We need to be able to serve udp & tcp openvpn for proxying reasons.
> The 'standard' openvpn can be configured using 2 '.ovpn' config files.
> How does this work on the LEAF package?
> The config file is called server.conf, I tried to add a 'server2.conf'
> but see that it is not parsed.
> '.ovpn' files also don't get parsed, how can I achieve 2 servers, both
> on the standard port, one TCP and the other UDP ?
> Cheers,
>
> Robert
>




Re: [leaf-user] Openvpn multiple instances

2010-10-01 Thread Trev Peterson
Hey Robert,

Not sure what your configuration is but what I've done for a client is
just copy /etc/openvpn to /etc/openvpn2 and /etc/init.d/openvpn
to /etc/init.d/openvpn2.  You need to make a few changes in the various
files for the new locations but then you have 2 independently controlled
openvpn instances.  In our case we run them on two different ISP
connections with different dns names.  Hope this helps,

On Fri, 2010-10-01 at 12:30 +0200, bob wrote:
> Hello leaf list,
> I have LEAF running on a WRAP box using shorewall & openvpn.
> We need to be able to serve udp & tcp openvpn for proxying reasons.
> The 'standard' openvpn can be configured using 2 '.ovpn' config files.
> How does this work on the LEAF package?
> The config file is called server.conf, I tried to add a 'server2.conf'
> but see that it is not parsed.
> '.ovpn' files also don't get parsed, how can I achieve 2 servers, both
> on the standard port, one TCP and the other UDP ?
> Cheers,
> 
> Robert
> 

-- 
Trev Peterson
Advanced Reality
Email: t...@advanced-reality.com
Phone: +1 847 406 9018




[leaf-user] openvpn-auth-pam plugin

2015-10-21 Thread dino muzic
Hi,


Has anyone tried the openvpn-auth-pam plugin on an OpenVPN server in order to 
authenticate OpenVPN clients with userid/password?

thanks
dm




[leaf-user] openvpn server in v6

2017-02-15 Thread Mark Berndt
Hello all,

I just upgraded to v6.02 and had some time to play with the openvpn server, 
which did not work out of the box when I migrated from 5 to 6.

The problem was that the paths are no longer relative to a base, so in the 
server.conf:

ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key  # This file should be kept secret
Additionally set the path to the key with the Diffie-Hellman parameters: 
dh keys/dh1024.pem

works when converted to:

ca /etc/easyrsa/keys/ca.crt
cert /etc/easyrsa/keys/Server.crt
key /etc/easyrsa/keys/Server.key  # This file should be kept secret
Additionally set the path to the key with the Diffie-Hellman parameters: 
dh /etc/easyrsa/keys/dh1024.pem

I still have a problem with hostapd with a USB wifi; otherwise everything else I 
use works.

cheers

Marko
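A check for the path problem described above, as an added example that is not part of the post or of the LEAF package: it reports the v5-style relative paths in server.conf, resolves them against an assumed base directory (/etc/easyrsa, as in the post) for the existence check, and also flags a private key that group or others can read.

```shell
# Added example.  Output: one "DIRECTIVE STATUS PATH" line per file directive
# (ca, cert, key, dh); exit 0 only when every path is absolute, present and
# the key is not group/world readable.  BASE is an assumption (/etc/easyrsa).
check_openvpn_paths() {
    conf="$1" base="$2" rc=0
    for directive in ca cert key dh; do
        # first word after the directive; a trailing "# comment" is ignored
        path=$(sed -n "s/^[[:space:]]*$directive[[:space:]][[:space:]]*\([^#[:space:]][^#[:space:]]*\).*/\1/p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "$directive absent -"; rc=1; continue
        fi
        case "$path" in
            /*) full="$path";       status=ok ;;
            *)  full="$base/$path"; status=relative; rc=1 ;;   # v5-style, breaks on v6
        esac
        [ -f "$full" ] || { status=missing; rc=1; }
        echo "$directive $status $full"
        # "This file should be kept secret": group/other bits must all be off
        if [ "$directive" = key ] && [ -f "$full" ] &&
           [ "$(ls -l "$full" | cut -c5-10)" != "------" ]; then
            echo "key world-readable $full"; rc=1
        fi
    done
    return $rc
}

# Constructed tree reproducing the v5-style config from the post, with the
# key deliberately left at mode 644 so the permission warning fires.
make_demo_tree() {
    d=$(mktemp -d); k="$d/etc/easyrsa/keys"
    mkdir -p "$k"
    for f in ca.crt Server.crt Server.key dh1024.pem; do : > "$k/$f"; done
    chmod 644 "$k/Server.key"
    cat > "$d/server.conf" <<'EOF'
ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key  # This file should be kept secret
dh keys/dh1024.pem
EOF
    echo "$d"
}
```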




[leaf-user] Openvpn problems - how to compile?

2004-02-17 Thread Vladimir Ilic
Hi everyone,

I am running Bering 1.1, and would like to use Openvpn
package. On Jacques Nilo's page I found openvpn.lrp
package, and it seems to work fine if UDP protocol is
used. However, in the environment where I want to use this
box, only incoming TCP is allowed, so UDP is not an
option. If I start openvpn with --proto tcp-server and
tcp-client on the other end, I get this error:

# # openvpn --config /etc/openvpn/openvpn.conf --dev-node /dev/net/tun --proto tcp-client
Tue Feb 17 11:58:26 2004 0: OpenVPN 1.5.0 i686-pc-linux-gnu [SSL] [LZO] built on Nov 23 2003
Tue Feb 17 11:58:26 2004 1: Static Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 17 11:58:26 2004 2: Static Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Feb 17 11:58:26 2004 3: Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 17 11:58:26 2004 4: Static Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Feb 17 11:58:26 2004 5: TUN/TAP device tun0 opened
Tue Feb 17 11:58:26 2004 6: /sbin/ifconfig tun0 192.168.1.1 pointopoint 192.168.1.2 mtu 1500
Tue Feb 17 11:58:26 2004 7: Data Channel MTU parms [ L:1589 D:1589 EF:57 EB:0 ET:32 ]
Tue Feb 17 11:58:26 2004 8: Local Options hash (VER=V3): '261b8842'
Tue Feb 17 11:58:26 2004 9: Expected Remote Options hash (VER=V3): '7e816869'
Tue Feb 17 11:58:26 2004 10: Attempting to establish TCP connection with 16.56.170.11:5000
Tue Feb 17 11:58:26 2004 11: TCP connection established with 16.56.170.11:5000
Tue Feb 17 11:58:26 2004 12: TCPv4_CLIENT link local: [undef]
Tue Feb 17 11:58:26 2004 13: TCPv4_CLIENT link remote: 16.56.170.11:5000
Tue Feb 17 11:58:36 2004 14: WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1589 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]
Tue Feb 17 11:58:36 2004 15: Connection reset, restarting [0]
Tue Feb 17 11:58:36 2004 16: Closing TCP/UDP socket
Tue Feb 17 11:58:36 2004 17: Closing TUN/TAP device
Tue Feb 17 11:58:36 2004 18: Restart pause, 3 second(s)


--
My config file looks like this:

# cat /etc/openvpn/openvpn.conf
dev tun
port 5000
#comp-lzo
#ping 15
verb 3
#shaper 1000
remote 16.56.170.11
ifconfig 192.168.1.1 192.168.1.2
tun-mtu 1500
tun-mtu-extra 32
#Using Pre-Shared Secret Key.
secret /home/openvpn/.cert/shared-secret.key
auth MD5
cipher AES-256-CBC
keysize 256

On the other side, the settings are symmetrical.
I tried to change the tun-mtu parameter and tun-mtu-extra,
but I keep getting this message about a bad encapsulated
packet. If I turn on the --http-proxy option, the result is the same.
I wrote to the developer of Openvpn, and his answer is
that such behaviour, if a proxy is used, has been noticed in
1.5, but without the proxy this should not happen, and
in version 1.6 beta this is corrected.

So, I decided to give a try to version 1.6 beta, and
compile it myself. I used UML virtual machine as
described in Bering documentation, together with
openssl sources. I tried to compile with option
--enable-iproute2, and also without it. In both cases, the
resulting binaries do not work properly.

If I start it using iproute2 (ifconfig command in
config file is disabled) I get something like this:

# ./openvpn16d --config /etc/openvpn/openvpn.conf --dev-node /dev/net/tun --proto tcp-client
Tue Feb 17 12:11:10 2004 0: OpenVPN 1.6_beta6 i686-pc-linux-gnu [SSL] built on Feb 17 2004
Tue Feb 17 12:11:10 2004 1: Static Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 17 12:11:10 2004 2: Static Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Feb 17 12:11:10 2004 3: Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 17 12:11:10 2004 4: Static Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Tue Feb 17 12:11:10 2004 5: TUN/TAP device /dev/net/tun opened
Tue Feb 17 12:11:10 2004 6: Data Channel MTU parms [ L:1389 D:1389 EF:57 EB:0 ET:32 ]
Tue Feb 17 12:11:10 2004 7: Local Options hash (VER=V3): 'b2a73c02'
Tue Feb 17 12:11:10 2004 8: Expected Remote Options hash (VER=V3): 'a34eab75'
Tue Feb 17 12:11:10 2004 9: Attempting to establish TCP connection with 16.56.170.11:5000
Tue Feb 17 12:11:10 2004 10: TCP connection established with 16.56.170.11:5000
Tue Feb 17 12:11:10 2004 11: TCPv4_CLIENT link local: [undef]
Tue Feb 17 12:11:10 2004 12: TCPv4_CLIENT link remote: 16.56.170.11:5000
Tue Feb 17 12:11:10 2004 13: read from TUN/TAP : File descriptor in bad state (code=77)
Tue Feb 17 12:11:10 2004 14: read from TUN/TAP : File descriptor in bad state (code=77)
Tue Feb 17 12:11:10 2004 15: read from TUN/TAP : File descriptor in bad state (code=77)
Tue Feb 17 12:11:10 2004 16: read from TUN/TAP : File descriptor in bad state (code=77)
Tue Feb 17 12:11:10 2004 17: read from TUN/TAP : File descriptor in bad state (code=77)
Tue Feb 17 12:11:10 2004 18: read from TUN/TA

[leaf-user] Openvpn problems executing up-script

2004-12-04 Thread Tibbs, Richard

Dear list -- apologies in advance, I am not familiar with unix scripts.
Using openvpn 1.6 on a Bering 1.2 firewall (non-uclibc) I have
tried several different script lines to add the route. These are:
#!/bin/sh -e
ip route add 10.1.1.0 255.255.255.0 nexthop $5

#!/bin/sh -e
ip route add $1

#!/bin/sh -e
ip route add $1 $2 $3 $4 $5 $6

In each case I get the message in daemon.log
Dec  4 19:11:58 firewall openvpn[3939]: /etc/openvpn/openvpn.up tun0
1256 1300 10.1.1.1 10.1.1.2 init
Dec  4 19:11:58 firewall openvpn[3939]: script failed: shell command
exited with error status: 2
Dec  4 19:11:58 firewall openvpn[3939]: Exiting

Can anybody tell me how to get the script to succeed?

TIA
Rick.
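An up-script built from the arguments the daemon.log line above shows OpenVPN passing, as an added example that is not Rick's script and not an archived reply: it assumes the standard OpenVPN up-script argument order (tun_dev tun_mtu link_mtu ifconfig_local ifconfig_remote init|restart) and that 10.1.1.0/24 is the network to reach through the peer.

```shell
# Added example, not the poster's script.  OpenVPN runs the --up script as
#   SCRIPT tun_dev tun_mtu link_mtu ifconfig_local ifconfig_remote [init|restart]
# which is what the daemon.log line shows:
#   openvpn.up tun0 1256 1300 10.1.1.1 10.1.1.2 init
# iproute2 takes the destination as PREFIX/LEN and the gateway after "via"; it
# does not accept a separate dotted netmask, so the command is assembled here
# from the arguments OpenVPN already supplies.

ROUTE_NET="${ROUTE_NET:-10.1.1.0/24}"   # assumption: the network behind the peer

# Validate the up-script arguments and print the ip(8) command to run.
# Prints nothing and returns 1 on a malformed call, so nothing reaches the
# routing table unless device, gateway and mode look like an OpenVPN call.
build_route_cmd() {
    dev="$1" remote_ip="$5" mode="$6"   # $2 $3 $4 (tun_mtu link_mtu local_ip) unused
    case "$dev" in
        tun[0-9]*|tap[0-9]*) ;;
        *) echo "up-script: unexpected device '$dev'" >&2; return 1 ;;
    esac
    case "$mode" in
        init|restart) ;;
        *) echo "up-script: unexpected mode '$mode'" >&2; return 1 ;;
    esac
    # the gateway must be dotted decimal only; anything else is refused rather
    # than word-split into the command line
    case "$remote_ip" in
        ''|*[!0-9.]*|*..*|.*|*.)
            echo "up-script: bad gateway '$remote_ip'" >&2; return 1 ;;
    esac
    echo "ip route add $ROUTE_NET via $remote_ip dev $dev"
}

# Entry point when installed as the --up script.  With DRY_RUN=1 the command
# is only printed, which is the easiest way to test a script line before
# letting openvpn run it at startup.
openvpn_up() {
    cmd=$(build_route_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd    # unquoted on purpose: the string is a plain command line
    fi
}
```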

 





[leaf-user] OpenVPN and IPSEC Routing Questions

2006-01-04 Thread Darcy (Home)

Good day All,

	I am trying to figure out how to route over ipsec to one site then over 
openvpn to another site as well as a few general questions re OpenVPN.


1.  I have 8 sites to deal with.  All sites will connect to Site #2 but 
I also need to get to Site #1 from Site #3 via Site # 2.  I have started 
migrating from IPSEC to OpenVPN and during this process, until I can 
upgrade all locations to OpenVPN, I will have to run them concurrently. 
Site #1 is the exception where I no longer have access to IPSEC, only 
OpenVPN.


2.  A few quick questions re OpenVPN
Can I run both Client and Server on same FW
If yes do I use the same tap0 and udp port 1194 for both?

3.  Now the tricky part:

From Site #1 I have an OpenVPN tunnel established to Site #2 where 
Site #2 is acting as the openVPN server and Site #1 as the OpenVPN Client


From Site #3 I have an IPSEC tunnel to Site #2

I no longer have my IPSEC tunnel between Site #1 and Site #3
All other 5 sites connect to Site #2 through IPSEC but I plan to migrate 
this to OpenVPN as well.


How do I add a route so that any traffic to/from Site #1 to/From 
Site #3 is routed through Site #2?


Here are the routes from Site #2 and Site #3

ip routes from Site2
# net
46.24.125.0/24 dev eth0  proto kernel  scope link  src 46.24.125.4
# loc
10.30.4.0/24 dev eth1  proto kernel  scope link  src 10.30.4.254
# vpn
10.30.5.0/24 dev tap0  proto kernel  scope link  src 10.30.5.1
# ipsec
46.24.125.0/24 dev ipsec0  proto kernel  scope link  src 46.24.125.4
10.10.60.0/24 via 46.24.125.1 dev ipsec0 # Site3 to Site2
10.10.80.0/24 via 46.24.125.1 dev ipsec0 # Site4 to Site2
10.10.70.0/24 via 46.24.125.1 dev ipsec0 # Site5 to Site2
10.10.50.0/24 via 46.24.125.1 dev ipsec0 # Site6 to Site2
10.10.66.0/24 via 46.24.125.1 dev ipsec0 # Site7 to Site2
10.10.64.0/24 via 46.24.125.1 dev ipsec0 # Site8 to Site2
192.168.147.0/24 via 10.30.5.2 dev tap0  # Site1 to Site2
default via 46.24.125.1 dev eth0

ip routes from Location 3
# net
193.241.34.0/26 dev eth0  proto kernel  scope link  src 193.241.34.30
# loc
10.10.60.0/24 dev eth1  proto kernel  scope link  src 10.10.60.254
# dmz
10.10.61.0/24 dev eth2  proto kernel  scope link  src 10.10.61.254
# vpn
10.10.62.0/24 dev tap0  proto kernel  scope link  src 10.10.62.1
# ipsec
193.241.34.0/26 dev ipsec0  proto kernel  scope link  src 193.241.34.30
10.30.4.0/24 via 193.241.34.1 dev ipsec0 # Site3 to Site2
192.168.211.0/24 via 193.241.34.1 dev eth0
192.168.210.0/24 via 193.241.34.1 dev eth0
192.168.212.0/24 via 193.241.34.1 dev eth0
192.168.199.0/24 via 193.241.34.1 dev eth0
192.168.215.0/24 via 193.241.34.1 dev eth0
192.168.200.0/24 via 193.241.34.1 dev eth0
192.168.216.0/24 via 193.241.34.1 dev eth0
192.168.203.0/24 via 193.241.34.1 dev eth0
192.168.202.0/24 via 193.241.34.1 dev eth0
192.168.220.0/24 via 193.241.34.1 dev eth0
default via 193.241.34.1 dev eth0

*** How do I add the route 192.168.147.0/24 to Location 3?

Thanx for your help.

Darcy










Re: [leaf-user] Openvpn - Bering uClibc 2.3

2006-01-20 Thread Erich Titl
Bob

Bob von Knobloch wrote:
> Dear List,
> I have now succeeded in installing an OpenVPNZ on my WRAP LEAF Box.
> Everything works very well. This sort of surprised me, I am used to
> working with professional IKE/IPSEC VPNs and OpenVPN seems at least as
> good.
> For information, one small problem remains that is LEAF orientated: The
> boot-up process starts OpenVPN too soon, ntpsimpl needs to be started
> first. This can be fixed but ntpsimpl, although modified with a script
> from Erich Titl does not actually set the system date for quite some
> time after it has fetched the time from the Internet.

You could still use ntpdate, although deprecated, it sets the time
immediately.

cheers

Erich





Re: [leaf-user] Openvpn - Bering uClibc 2.3

2006-01-20 Thread M Lu
I use ntpdate and specify a NTP server in its config. This will correct the 
time right after your box is up. Make sure you allow your box to connect to 
that server. If you have an internal NTP server, it would be good.




- Original Message - 
From: "Bob von Knobloch" <[EMAIL PROTECTED]>

To: "LEAF Request" 
Sent: Friday, January 20, 2006 4:38 AM
Subject: [leaf-user] Openvpn - Bering uClibc 2.3



Dear List,
I have now succeeded in installing an OpenVPNZ on my WRAP LEAF Box. 
Everything works very well. This sort of surprised me, I am used to 
working with professional IKE/IPSEC VPNs and OpenVPN seems at least as 
good.
For information, one small problem remains that is LEAF orientated: The 
boot-up process starts OpenVPN too soon, ntpsimpl needs to be started 
first. This can be fixed but ntpsimpl, although modified with a script 
from Erich Titl does not actually set the system date for quite some time 
after it has fetched the time from the Internet.
For OpenVPN this causes the startup process to reject all local 
Certificates as being invalid (this is true - when a Certificate's date 
lies in the apparent future, the Certificate is indeed not valid).
This is not corrected by waiting. A new reboot is required. (To reiterate, 
the problem is caused by the ISP rejecting logon attempts for a period 
shortly after a disconnect - for example a 10 second power failure would 
cause the system to fail and stay failed).
I will think about this and experiment with solutions. Any suggestions 
are, of course, very welcome.

Bob







[leaf-user] OpenVPN with compression, transfer stalls

2006-02-09 Thread Lars
V2.2.3 uClibc kernel 2.4.26
openvpnz 2.0.5 Rev 1

I connect from a Windows system to the Leaf box with
OpenVPN. Without compression everything works as
expected. With compression turned on, applications that
transfer large amounts of data stop responding after
a while (for example checking a large mailbox with
IMAP). I can still use other applications over the
link, for example ping or SSH login.

The Windows box is running the same OpenVPN version
(2.0.5) packaged with a GUI (see OpenVPN.se).

I tried different MTU settings with tun-mtu 1500
fragment 1300 mssfix with no luck.

Set up the log-level on OpenVPN but could not see
anything useful.

Anyone using compression that can confirm that it
works?

/Lars




[leaf-user] OpenVPN with compression, transfer stalls

2006-02-09 Thread Lars
Hmm, I see that the liblzo package is quite old,
version 1.08-2. A newer version is available on the
lzo homepage (2.02). Anyone with experience from a
more recent version of lzo?

/Lars

--- Lars <[EMAIL PROTECTED]> wrote:

> Date: Thu, 9 Feb 2006 12:31:44 +0100 (CET)
> From: Lars <[EMAIL PROTECTED]>
> Subject: OpenVPN with compression, transfer stalls
> To: leaf-user@lists.sourceforge.net
> 
> V2.2.3 uClibc kernel 2.4.26
> openvpnz 2.0.5 Rev 1
> 
> I connect from a Windows system to the Leaf box with
> OpenVPN. Without compression everything works as
> expected. With compression turned on, applications
> that
> transfer large amounts of data stop responding
> after
> a while (for example checking a large mailbox with
> IMAP). I can still use other applications over the
> link, for example ping or SSH login.
> 
> The Windows box is running the same OpenVPN version
> (2.0.5) packaged with a GUI (see OpenVPN.se).
> 
> I tried different MTU settings with tun-mtu 1500
> fragment 1300 mssfix with no luck.
> 
> Set up the log-level on OpenVPN but could not see
> anything useful.
> 
> Anyone using compression that can confirm that it
> works?
> 
> /Lars
> 




