Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
On 19/04/15 12:05, Jeff Mitchell wrote:
> Unless the NAT implementation is broken. Read up a bit in the thread :-)

Ohh! :-) (but there are no broken NAT implementations! Say it ain't so!)

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
Unless the NAT implementation is broken. Read up a bit in the thread :-)

On Sat, Apr 18, 2015, 20:00 Jason Haar wrote:
> On 19/04/15 01:55, Gert Doering wrote:
> > OTOH, you'll see the behaviour in many mobile networks today: if there
> > is no traffic inside OpenVPN for a given time, like "60 seconds" (yes,
> > that short), it will time out the NAT entry and on the next packet, you
> > end up with a new source port or source IP address
>
> Doesn't "--ping" take care of that? Keepalive packets should mean the
> TCP/UDP NAT session sees enough traffic to stop any NAT firewall from
> timing it out (assuming ping is <30sec). That in turn should stop the
> firewall needing to change port numbers
>
> --
> Cheers
>
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
On 19/04/15 01:55, Gert Doering wrote:
> OTOH, you'll see the behaviour in many mobile networks today: if there
> is no traffic inside OpenVPN for a given time, like "60 seconds" (yes,
> that short), it will time out the NAT entry and on the next packet, you
> end up with a new source port or source IP address

Doesn't "--ping" take care of that? Keepalive packets should mean the
TCP/UDP NAT session sees enough traffic to stop any NAT firewall from
timing it out (assuming ping is <30sec). That in turn should stop the
firewall needing to change port numbers

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
Hi,

On Fri, Apr 17, 2015 at 07:34:36AM -0400, Jeff Mitchell wrote:
> So hopefully peer-id will fix this, but I think I'll have to send some
> feelers out to the VirtualBox guys and see if they agree that this
> sounds like some issue in their stack.

It's definitely a bug in the NAT implementation - while a conversation
is active, there is no good reason to move it to a new source port.

OTOH, you'll see the behaviour in many mobile networks today: if there
is no traffic inside OpenVPN for a given time, like "60 seconds" (yes,
that short), it will time out the NAT entry and on the next packet, you
end up with a new source port or source IP address - so, peer-id is
somewhat hacky, but takes today's Internet realities into account...

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
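The interval arithmetic behind Jason's "--ping" question and Gert's 60-second mobile NAT timeout, written out as an OpenVPN configuration. This is an added example, not a config posted in the thread or shipped by the OpenVPN project; the 10/60 values are chosen to sit well inside the idle timeout Gert quotes, and the expansion comments describe what the `keepalive` helper directive does on a server.

```conf
# server.conf (added example, not from the thread)
#
# "keepalive 10 60" on a server in --mode server expands to
#   ping 10            ping-restart 120   (server side)
#   push "ping 10"     push "ping-restart 60"   (sent to every client)
# so clients send a keepalive every 10 s when the tunnel is otherwise idle.
# With a NAT that drops an idle UDP mapping after ~60 s, a 10 s interval keeps
# the mapping alive even if several keepalives are lost; an interval near or
# above the NAT idle time would let the entry expire and the next packet would
# arrive from a new source port, which is the "Bad source address" case.
keepalive 10 60

# client.conf: only needed when the server does not push the values above.
ping 10            # keepalive every 10 s of outbound silence
ping-restart 60    # restart the tunnel after 60 s without any packet from the peer
```

Keepalives only help with the *timeout* case Gert describes: they give the NAT a reason to keep the existing mapping. A NAT that rewrites the source port of an active conversation (the bug Gert calls out) changes the address whether or not traffic flows, and that is the case peer-id addresses rather than `--ping`.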
Re: [Openvpn-users] Disconnects, maybe from "Bad source address" messages after connection
Hi,

On Thu, Apr 16, 2015 at 04:51:34PM -0400, Jeff Mitchell wrote:
> Any idea when 2.3.7 will be cut? You said earlier that 2.3.7 would
> have the fix (using peer-id) on the client side and git master has the
> fix on the server side. Will the peer-id server-side component make it
> into 2.3.7 or only the client and I'll need to make a server package
> manually?

2.3.7 will only see the client side support (fixed for large packet
sizes and MTU adjustment). The "MTU fix" is in the code base already,
so you could build from git master for both client and server, and that
should work well enough.

The reason why the server side enhancements won't go into 2.3 is easy -
it is a large and fairly intrusive change, and we try to limit changes
in the 2.3 series to "bugfixes" and "important long-term compatibility
changes".

And no, I have no idea when 2.3.7 will happen - apologies for that. It
follows the "when there is a pressing need, *or* when it's ready" mantra,
and one of the bugs (trac #480) turned out to be way more time-consuming
than expected...

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] Unable to establish VPN
Hi,

On Fri, Apr 17, 2015 at 11:22:12AM -0400, Chris Ross wrote:
> At this point, I now at least know what OpenSSL and crypto libraries my
> openvpn binary is linked against and can speak more correctly about them.

Just for the record - we added code in 2.3.4 or so which will actually
tell you the openssl library version at startup :-) - helps clarify things.

> Apr 17 11:17:45 bifröst openvpn[17201]: A.B.C.D:52232 VERIFY ERROR: depth=0,
> error=unsupported certificate purpose: C=US, ST=Maryland, O=Distal Thoughts,
> CN=client.outside.net

"unsupported certificate purpose" is definitely the cause for the error,
but I'm not sure where it's coming from - there are some flag fields in
a cert, for "server usage" and "not server usage", and this has bitten
me as well in the past.

easy-rsa should get this right, though, as long as you do create the
server cert with "build-key-server" and the client cert with "build-key"...

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
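The "flag fields" Gert refers to are the extendedKeyUsage (and the older nsCertType) extensions, and "unsupported certificate purpose" is OpenSSL's verdict when a certificate's flags do not match the purpose the TLS layer verifies it for (a client certificate is checked as `sslclient`, a server certificate as `sslserver`). The script below is an added example, not code from the thread or from easy-rsa: it builds a throw-away CA and a client certificate marked for client use only (all names constructed), then uses `openssl verify -purpose` to show the same certificate being accepted as a client and rejected as a server. Running the same check against a real certificate file is a quick way to confirm which of build-key and build-key-server it came from before digging into the VPN logs.

```shell
#!/bin/sh
# Added example (not from the thread or from easy-rsa): reproduce OpenSSL's
# certificate-purpose check outside OpenVPN.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- throw-away CA (constructed for the example) ---------------------------
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=keyCertSign,cRLSign
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# --- client certificate: the flags a "client only" cert carries -------------
# extendedKeyUsage=clientAuth with no serverAuth is what makes the sslserver
# purpose check fail; a server cert would carry serverAuth (and, from older
# easy-rsa, nsCertType=server) instead.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null

# cert_purpose_ok CERT PURPOSE
#   Returns 0 when OpenSSL accepts CERT for PURPOSE (sslclient or sslserver),
#   non-zero otherwise. A non-zero result here is the "unsupported certificate
#   purpose" verify error seen in OpenVPN's log.
cert_purpose_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# has_client_eku CERT: 0 if the certificate lists TLS client authentication.
has_client_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# show_purposes CERT: print the extensions the purpose check looks at.
show_purposes() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 -E 'Extended Key Usage|Netscape Cert Type' || true
}

# Stand-alone run: inspect the constructed client cert and try both purposes.
show_purposes "$WORK/client.crt"
cert_purpose_ok "$WORK/client.crt" sslclient \
    && echo "sslclient: accepted"
cert_purpose_ok "$WORK/client.crt" sslserver \
    || echo "sslserver: rejected (unsupported certificate purpose)"
```

To apply the check to an existing deployment, point `-CAfile` at the CA that signed the certificate and verify the server's certificate with `-purpose sslserver` and each client's with `-purpose sslclient`; whichever one fails is the certificate that was generated with the wrong easy-rsa command.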