Re: [Openvpn-users] push vs. client file options
Hi,

On 27-04-17 08:47, Gert Doering wrote:
> On Wed, Apr 26, 2017 at 05:58:19PM -0400, David Mehler wrote:
>> Same question for the auth SHA512 line which is in both the server and
>> client configuration files, if I add push "auth SHA512" can I remove
>> the auth SHA512 line from the client?
>
> If you use GCM, the "auth" line is only used for tls-auth - and if you
> use tls-auth (or tls-crypt), this needs to be correct before a connection
> can be established at all. So, not pushable.

One slight correction: --tls-crypt always uses HMAC-SHA-256, no matter what you specify for --auth. So if you are using NCP and --tls-crypt, both the --cipher and --auth options from the config file are no longer used.

-Steffan

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] Openvpn and samba
Hello,

I've got a machine running OpenVPN 2.4. It's also got a web server on it. Currently, to alter files, users have to sftp them into place. What I was wondering is: would it be possible to run samba4 as a standalone server, not as a domain member or controller, and give connecting users rights to the web areas? Ideally they'd just hit their system's network area, then the workgroup, then the share, and copy in files that way.

One issue is I don't want smbd and nmbd listening on the public interface, so I've got them locked down to 127.0.0.1. Wondering if this would be an issue?

Thanks.
Dave.
Re: [Openvpn-users] Openvpn and samba
Hi,

On Thu, Apr 27, 2017 at 01:12:11PM -0400, David Mehler wrote:
> One issue is I don't want smbd and nmbd listening on the public
> interface so I've got them locked down to 127.0.0.1 wondering if this
> would be an issue?

This will not work - 127.0.0.1 is not reachable from anywhere.

You can make them listen to the tun IP on the server, and restrict client access to "openvpn client IPs" - that should work.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] Openvpn and samba
On 27/04/17 19:12, David Mehler wrote:
> Hello,
>
> I've got a machine running Openvpn 2.4. It's also got a web server on
> it. Currently to alter files users have to sftp them in to place. What
> I was wondering is would it be possible to run samba4 as a standalone
> server not as a domain member or controller, and give connecting users
> rights to the web areas? Ideally they'd just hit their system's
> network area then the workgroup then the share and copy in files that
> way.

That can work. But Windows network browsing is a mysterious monster to me. I have used a similar setup elsewhere, but we added some logon scripts which assigned a drive letter to these shares. This can be done via --route-up script on the client, with the disconnect being run via --route-pre-down.

> One issue is I don't want smbd and nmbd listening on the public
> interface so I've got them locked down to 127.0.0.1 wondering if this
> would be an issue?

Gert covered the issue with 127.0.0.1. So either you need to ensure smbd is started _after_ the OpenVPN interface is configured on your system. Or you can add a dummy interface (modprobe dummy) and configure smbd to listen to that. Then you should be able to route to that interface properly via the VPN. Or you can let smbd listen to all IPs, and do the rest of the magic in iptables.

In all these scenarios, you should also add restrictions in smb.conf.

--
kind regards,

David Sommerseth
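As an added illustration of the "listen on the tun IP and restrict to VPN client IPs" approach from Gert's and David's replies (this smb.conf is my example, not a configuration posted in the thread), assuming the server's tun address is 10.8.0.1 on 10.8.0.0/24, the web root is /var/www, and the people allowed to edit it are in the Unix group "webusers":

```ini
# Added example, not from the thread. Assumed values: tun0 is 10.8.0.1 on
# 10.8.0.0/24, the web root is /var/www, editors are in group "webusers".
[global]
    server role = standalone server
    workgroup = WORKGROUP
    # The setting from the question, kept commented out: loopback is never
    # reachable from a VPN client, so the share could not be reached at all.
    ;interfaces = 127.0.0.1
    # Bind only to the tunnel (plus loopback for local tools); the public
    # interface never gets 139/445. smbd must start after tun0 exists,
    # otherwise the address is missing at bind time and gets skipped.
    interfaces = lo tun0
    bind interfaces only = yes
    # Second, independent layer: only the VPN client range may talk to us,
    # so a later change to "interfaces" does not silently open the shares.
    hosts allow = 127.0.0.1 10.8.0.0/24
    hosts deny = 0.0.0.0/0
    # Clients arrive over a routed tunnel, where NetBIOS browsing does not
    # work anyway; they connect to \\10.8.0.1\www directly (e.g. mapped by a
    # --route-up script), so nmbd can stay off entirely.
    disable netbios = yes
    smb ports = 445
    # No SMB1 on a file-editing share; require signing over the tunnel too.
    server min protocol = SMB2
    server signing = mandatory
    map to guest = never

[www]
    path = /var/www
    comment = Web content (VPN users only)
    valid users = @webusers
    writeable = yes
    create mask = 0664
    directory mask = 2775
    # Repeat the VPN restriction per share as belt and braces.
    hosts allow = 10.8.0.0/24
```

Run `testparm -s` after editing to have Samba validate the file, and check with `ss -ltn` that 445 is bound only to 127.0.0.1 and 10.8.0.1 once smbd is restarted.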