Re: [Openvpn-users] any way to get local network details to flow through to the server?
Hi,

On Tue, Jun 02, 2015 at 10:53:49PM +0200, Mathias Jeschke wrote:
> On 2015-06-02 at 22:40 Mathias Jeschke wrote:
>
> > AFAIK, this is not possible, but you have options from my pov:
> >
> > (1) Deploy 2 OpenVPN configurations to your users - one for split
> > tunnel and one without (redirect-gw).
>
> Forget this option - the redirect-gateway does not work at all in this
> setup. The hotel 10/8 has higher precedence than the default route.

Actually, you can push "redirect-gateway def1 block-local" which would send
"local" networks into the tunnel.

I still think that using "redirect-private" and pushing the 10-subnets as
highly specific routes (/25) should work fine...

> > (2) For split tunneling push two routes to the clients instead of 10/8:
> > 10.0.0.0/9 and 10.128.0.0/9
> > These two routes have higher precedence than the conflicting
> > 10/8 hotel route.
>
> You will probably also need to run a script (-route-up cmd) in order to
> add a host route for the local hotel gateway which is very likely in the
> 10/8 network.

"redirect-private" :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
--
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
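Option (2) in the quoted message relies on longest-prefix match: two pushed /9 routes beat the hotel's /8. The shell helper below is an added example, not code from the thread; it generalises the trick to any prefix (the /9 split is one instance) and emits the server-side push lines, using constructed sample prefixes.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the server-side push
# lines for "option (2)" above. Splitting a pushed prefix into its two
# more-specific halves makes the client's longest-prefix match prefer the
# tunnel over an equal-length prefix on the local (hotel) LAN.
# Input prefixes below are constructed sample values.

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> dotted netmask, e.g. 9 -> 255.128.0.0 (0 -> 0.0.0.0).
plen2mask() {
    [ "$1" -gt 0 ] || { echo 0.0.0.0; return; }
    int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# "10.0.0.0/8" -> "10.0.0.0/9 10.128.0.0/9"; a /32 cannot be split (returns 1).
split_prefix() {
    net=${1%/*}; plen=${1#*/}
    [ "$plen" -lt 32 ] || return 1
    base=$(ip2int "$net")
    half=$(( 1 << (31 - plen) ))
    printf '%s/%d %s/%d\n' "$(int2ip "$base")" $((plen + 1)) \
        "$(int2ip $((base + half)))" $((plen + 1))
}

# One OpenVPN server-config line per half, ready to paste into server.conf.
push_halves() {
    for p in $(split_prefix "$1"); do
        printf 'push "route %s %s"\n' "${p%/*}" "$(plen2mask "${p#*/}")"
    done
}

# Stand-alone run: the two lines that replace push "route 10.0.0.0 255.0.0.0".
push_halves 10.0.0.0/8
```

The helper does not add the host route for the local hotel gateway that the quoted reply mentions; that is what "redirect-private" is suggested for.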
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Hi Gert,

On 2015-06-03 at 09:27 Gert Doering wrote:
>> You will probably also need to run a script (-route-up cmd) in order to
>> add a host route for the local hotel gateway which is very likely in the
>> 10/8 network.
>
> "redirect-private" :-)

This is definitely a nice option - looks like I should no longer use the
first hit for "openvpn manpage" at Google which still refers to 2.0 ;)

Cheers,
Mathias.
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Hi,

On Wed, Jun 03, 2015 at 09:36:33AM +0200, Mathias Jeschke wrote:
> On 2015-06-03 at 09:27 Gert Doering wrote:
>
> >> You will probably also need to run a script (-route-up cmd) in order to
> >> add a host route for the local hotel gateway which is very likely in the
> >> 10/8 network.
> >
> > "redirect-private" :-)
>
> This is definitely a nice option - looks like I should no longer use the
> first hit for "openvpn manpage" at Google which still refers to 2.0 ;)

I have *no* idea in which version this option was added - I just discovered
it two weeks ago trying to understand a bug report related to this ;-)

gert
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Hi,

On 2015-06-03 at 10:15 Gert Doering wrote:
> I have *no* idea in which version this option was added - I just discovered
> it two weeks ago trying to understand a bug report related to this ;-)

Looks like it was added in 2.1 - and to the 2.2 manpage.

Mathias.
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Gert Doering wrote:
> Hi,
>
> On Wed, Jun 03, 2015 at 09:36:33AM +0200, Mathias Jeschke wrote:
>> On 2015-06-03 at 09:27 Gert Doering wrote:
>>>> You will probably also need to run a script (-route-up cmd) in order to
>>>> add a host route for the local hotel gateway which is very likely in the
>>>> 10/8 network.
>>> "redirect-private" :-)
>>
>> This is definitely a nice option - looks like I should no longer use the
>> first hit for "openvpn manpage" at Google which still refers to 2.0 ;)
>
> I have *no* idea in which version this option was added - I just discovered
> it two weeks ago trying to understand a bug report related to this ;-)
>
For the record:
it's present in the 2.1.1 source code, but it could very well not have been
documented until much later.
The 2.2 code base did not have "redirect-gateway block-local", that was added
in 2.3.

Apart from this being a very nice discussion, it does absolutely nothing to
help Jason, of course.
Currently there is no way to send routing info from the client to the server
while the connection is being set up; of course, it would be possible to run
a script/command *after* the connection has come up, but this would require
a new installer (as that script would run "outside" of the OpenVPN
environment).

JM2CW,

JJK
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Hi,

On Wed, Jun 03, 2015 at 10:46:23AM +0200, Jan Just Keijser wrote:
> For the record:
> it's present in the 2.1.1 source code, but it could very well not have
> been documented until much later.
> the 2.2 code base did not have "redirect-gateway block-local", that was
> added in 2.3.
>
> Apart from this being a very nice discussion, it does absolutely
> nothing to help Jason, of course.

I think it does - it doesn't answer the question posed, but might solve the
underlying problem ("ensure connectivity even if there is overlap in the RFC
networks on client and server side"), *without* knowing the local
connectivity details.

> Currently there is no way to send routing info from the client to the
> server while the connection is being set up; of course, it would be
> possible to run a script/command *after* the connection has come up, but
> this would require a new installer (as that script would run "outside" of
> the OpenVPN environment).

It might be possible to actually hack together something with a wrapper
script around openvpn that does "--setenv UV_MY_NETWORK 1.2.3.0/24", because
"UV_" env variables are sent as push-peer-info to the server.

OTOH, that will require nontrivial amounts of hackery depending on the way
openvpn is started on the clients.

gert
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Hi

----- Original Message -----
From: "Jason Haar"
To:
Sent: Tuesday, June 02, 2015 9:05 PM
Subject: [Openvpn-users] any way to get local network details to flow through to the server?

> Hi there
>
> We're using openvpn to connect employees to the corporate 10/8 network
> and hit a problem with a client who was on a hotel 10/8 network.

A simple solution would be to set up a second server instance specifically
to overcome network clashes of 10.8/24 network ..

Regards
[Openvpn-users] management
Hi all,

Any idea what will cause the management-daemon to quit (telnet session
broken) except for restarting the vpn-process?

Initially I started a telnet at the beginning of each client connection, but
that was too slow/late. Now I permanently listen in on the management port,
but sometimes the connection gets closed, while the corresponding vpn-process
still runs... So I was wondering why. Is there perhaps a hard-coded timeout
defined?

Kind regards,
Hans.

__
This message may contain information that is not intended for you. If you are
not the addressee or if this message was sent to you by mistake, you are
requested to inform the sender and delete the message. The State accepts no
liability for damage of any kind resulting from the risks inherent in the
electronic transmission of messages.
Re: [Openvpn-users] any way to get local network details to flow through to the server?
On 03/06/15 21:54, Gert Doering wrote:
> It might be possible to actually hack together something with a wrapper
> script around openvpn that does "--setenv UV_MY_NETWORK 1.2.3.0/24",
> because "UV_" env variables are sent as push-peer-info to the server.

Yeah I thought about that: easy enough to wrap something around Unix installs
- harder for everything else. During the install on clients we grab their
hostname and push it into their config via UV_HOSTNAME for precisely that
reason. Would be great to have other metadata in there too

Sounds like I'm stuck with the server having to do the donkey work. All our
clients have to allow remote admin as a requirement (poor man's NAC), so the
server will log in, discover the routing table and if it's "funky", will
reconfigure the client directly to route more traffic through the tunnel. Or
maybe just generate an alert to begin with. Should probably learn how to walk
before going crazy on people's routing tables ;-)

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Hi,

On Wed, Jun 03, 2015 at 10:52:56PM +1200, Jason Haar wrote:
> Sounds like I'm stuck with the server having to do the donkey work. All
> our clients have to allow remote admin as a requirement (poor man's NAC),
> so the server will log in, discover the routing table and if it's
> "funky", will reconfigure the client directly to route more traffic
> through the tunnel. Or maybe just generate an alert to begin with.
> Should probably learn how to walk before going crazy on people's routing
> tables ;-)

I still think you should investigate --redirect-private :-) - you never
said why that wouldn't work for you.

gert
Re: [Openvpn-users] any way to get local network details to flow through to the server?
You could set up bgp on the servers and clients, and configure the neighbors
on the server as a route-reflector-client if you want to handle more complex
client networks. That is assuming there is no overlapping private IP space
between the different clients... that would allow for fully dynamic routing
tables between clients and main site with full routing to flow.
[Openvpn-users] RESOLVE error when upgrading openvpn 2.2.2 to 2.3.6
Hi.

This morning, I tried to upgrade my 2 OpenVPN servers from 2.2.2 to 2.3.6.
With the clients down, I started the 2.3.6 OpenVPN server. The server started
fine. I then tried to start the clients, which were already running 2.3.6.
The clients would hang and seemed unable to connect to the server. On the
server, I kept seeing:

Wed Jun 3 10:22:37 2015 us=509679 brayden/130.63.97.125:44636 RESOLVE: Cannot resolve host address: netmask: Name or service not known
Wed Jun 3 10:22:37 2015 us=509778 brayden/130.63.97.125:44636 MULTI: Learn: 172.16.37.125 -> brayden/130.63.97.125:44636
Wed Jun 3 10:22:37 2015 us=509795 brayden/130.63.97.125:44636 MULTI: primary virtual IP for brayden/130.63.97.125:44636: 172.16.37.125

Running 2.2.2 on the server, the "RESOLVE:" error line did not exist. I tried
to enable extra debugging on the server, but really, I couldn't see any errors
other than the resolve error. Since I had a very short window where I could do
the upgrade, I reverted the OpenVPN servers back to 2.2.2. The clients were
still running 2.3.6. Everything was fine.

In retrospect, I wish I had enabled logging on the client, and captured
verbose logs. Maybe there were additional errors there.

I set up a test 2.3.6 server with the identical config, and a 2.3.6 client,
and the 2.3.6 client connects to the test 2.3.6 server perfectly fine, even
though the "RESOLVE" error is still generated in the log file. I wish I could
understand why it failed this morning, but it works now.

That being said, I'd like to understand why the RESOLVE error is generated,
and how to get rid of it before I try the upgrade to 2.3.6 again. The error
seems to be complaining about both the host address, and the netmask, but it
seems to resolve fine in the next line.

Here's a few more details..
server config:

dev tun
proto udp
port 1194
tmp-dir /tmp
writepid /var/run/openvpn-server.pid
crl-verify /xconf/openvpn/pki/crl.pem
mode server
tls-server
ifconfig 172.16.32.26 172.16.32.1
route 172.16.32.0 255.255.240.0
push "route 172.16.0.0 255.255.240.0"
client-connect /xsys/lib/openvpn-tools/connect
keepalive 10 20
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status
log-append /var/log/openvpn-server
verb 4
mute 20
cipher none
comp-lzo
txqueuelen 1000
daemon

client config:

client
dev tun
proto udp
remote copper.cs.yorku.ca
remote nickel.cs.yorku.ca
remote-random
writepid /var/run/openvpn.pid
nobind
user nobody
group nobody
persist-key
persist-tun
persist-remote-ip
ns-cert-type server
verb 3
mute 20
cipher none
comp-lzo
daemon

connect script:

In short, it returns for a given host "peach":

ifconfig-push peach-vpn2 copper-vpn2 netmask 255.255.240.0

(It's the same script I've been using since OpenVPN 2.0.9 days)

server startup:

openvpn --ca /xconf/openvpn/pki/ca.crt --dh /xconf/openvpn/pki/dh2048.pem --cert /xconf/openvpn/pki/copper.server.crt --key /etc/openvpn/copper.server.key --config /xconf/openvpn/config/server.conf.coppy --script-security 3 system

client startup:

openvpn --ca /xconf/openvpn/pki/ca.crt --cert /xconf/openvpn/pki/jun48.crt --key /etc/openvpn/jun48.key --config /xconf/openvpn/config/client.conf

In addition, on both the servers, /etc/resolv.conf is identical, pointing to
our DNS. In addition, /etc/hosts contains all the hostnames as well.

Thanks for any help you can provide..

Jason.
Re: [Openvpn-users] RESOLVE error when upgrading openvpn 2.2.2 to 2.3.6
Hi,

On Wed, Jun 03, 2015 at 02:59:55PM -0400, Jason Keltz wrote:
> In short, it returns for a given host "peach":
>
> ifconfig-push peach-vpn2 copper-vpn2 netmask 255.255.240.0

The syntax for "ifconfig-push" has never been to have the string "netmask"
in there. Actually, the statement only takes two arguments - "local and
remote IP" (for net30 topology) or "local and netmask" (for subnet topology
or tap mode)...

  --ifconfig-push local remote-netmask [alias]
      Push virtual IP endpoints for client tunnel, overriding the
      --ifconfig-pool dynamic allocation.
      [..]

I'm not sure why 2.2 is not complaining - but the reason it's complaining
in 2.3 is that it wants to resolve "netmask" into something to be used for
[alias]...

gert
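The two-argument form quoted above, as an added client-connect hook (example code, not the poster's /xsys/lib/openvpn-tools/connect script and not from the list); it assumes a constructed name-to-address table and OpenVPN's documented hook interface (the common name in $common_name, the temporary config file path in $1), and it refuses to write the four-token "netmask" line.

```shell
#!/bin/sh
# Added example, not the poster's /xsys/lib/openvpn-tools/connect script:
# a --client-connect hook that emits the two-argument form quoted above
# ("ifconfig-push local remote-netmask [alias]") instead of the four-token
# "... netmask 255.255.240.0" line. OpenVPN runs the hook with the client's
# common name in $common_name and the path of a temporary config file in $1;
# lines written to that file are applied to this client only.
# The address table is constructed sample data (brayden's tunnel address
# is the one from the log above, peach's is made up).

# Constructed table: common name, client tunnel IP, server tunnel IP.
vip_table() {
    cat <<'EOF'
brayden 172.16.37.125 172.16.32.1
peach 172.16.37.130 172.16.32.1
EOF
}

# Print the ifconfig-push line for one common name; nothing if unknown.
build_ifconfig_push() {
    vip_table | while read -r cn client_ip server_ip; do
        if [ "$cn" = "$1" ]; then
            printf 'ifconfig-push %s %s\n' "$client_ip" "$server_ip"
        fi
    done
}

# Return 0 when a line has the documented shape (2 or 3 arguments after the
# keyword), 1 otherwise. The legacy line carries 4 arguments and fails here;
# 2.3 took its third one, "netmask", as [alias] and tried to resolve it.
validate_ifconfig_push() {
    set -- $1                      # unquoted on purpose: split into tokens
    [ "$1" = "ifconfig-push" ] || return 1
    case $# in
        3|4) return 0 ;;
        *)   return 1 ;;
    esac
}

# Hook entry point: only active when OpenVPN supplies both values.
if [ -n "$1" ] && [ -n "$common_name" ]; then
    line=$(build_ifconfig_push "$common_name")
    [ -n "$line" ] || exit 1                   # unknown client: reject
    validate_ifconfig_push "$line" || exit 1   # never push a malformed line
    printf '%s\n' "$line" >> "$1"
fi
```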
[Openvpn-users] no group nobody: an issue?
Friends--

I have a Synology ds213j which since a recent update will not recognize the
line in the server.conf that reads

group nobody

If I comment out that line, it runs OK. (It still has the user nobody line,
uncommented.) I have tried changing it to group nogroup and that does not
help. In /etc/group there is a group nobody.

Is this a security issue? If so, any suggested fixes?

BTW, here is what their support response is on this:

"Please note that changing files in SSH using root access is not supported.
We do not really have the means to fix this, as it is a specialized .conf
file setup for you. We don't assist in this type of troubleshooting, as it
is outside our scope of support. We appreciate your understanding."

--
:- Doug. Germann
574/291-0022
http://www.SouthBendElderCARINGlaw.com

PS: This letter is intended only for the addressee. It may contain
confidential or privileged material. If you have received this material in
error, please destroy the original and all copies and notify the sender at
once.