Re: [Openvpn-users] openvpn dns resolution on osx

2021-06-07 Thread Gert Doering
Hi,

On Mon, Jun 07, 2021 at 04:15:49PM -0700, Noah wrote:
> I am running osx 10.15.7 and installed the openvpn v3.2.7 client.

If this is the "OpenVPN Connect" client, please use the commercial
support channel for inquiries about it (I could not find out from
https://openvpn.net/client-connect-vpn-for-mac-os/ which version 
number that one has, so just guessing).

In here, you find the folks maintaining the open source code base - 
and that means openvpn 2.5.2, and on MacOS, with the Tunnelblick GUI
(https://tunnelblick.net/)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] openvpn dns resolution on osx

2021-06-07 Thread Jonathan K. Bullard
Hi,

On Mon, Jun 7, 2021 at 7:36 PM Noah  wrote:
>
> Hi there,
>
> I am running osx 10.15.7 and installed the openvpn v3.2.7 client.
>
> Has anybody documented a decent way to be able to resolve hosts that are
> reachable by the VPN?  We have resolvers at the site I can get
> resolution from when using the dig @ command. Any really good
> solutions are welcome.

1. OpenVPN 3.2.7 is several years old and should not be used. The
current version is 2.5.2, which should work fine on macOS 10.15.7.

2. On macOS, "dig", "ping", and some other command line programs use
different DNS resolution than almost all other macOS programs.


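Jonathan's second point is the one that usually explains "dig works, nothing else does": dig sends its query straight to the server named after @, while Safari, ssh, curl and the rest go through the macOS system resolver, whose configuration is what `scutil --dns` prints. The script below is an added example (not from the thread, not from OpenVPN or Tunnelblick) that parses that output and checks whether a given domain is actually routed to the VPN's nameserver for ordinary programs. `scutil --dns` is a real macOS command; the sample output embedded here is constructed so the script runs offline, and the domain and server values in it are made up.

```shell
#!/bin/sh
# Added example: inspect the macOS system resolver configuration (what most
# programs use) as opposed to the server "dig @server" talks to directly.
# The scutil output below is a constructed sample, not captured from a real host.

# Print "domain<TAB>nameserver" for every resolver in "scutil --dns" output
# read on stdin. Resolvers without a "domain :" line are the default (global)
# resolvers; the others are scoped to one domain (how a VPN's DNS is usually
# added without replacing the LAN resolver).
scutil_nameservers() {
    awk '
        /^resolver #/              { domain = "(default)" }
        /^[ \t]*domain[ \t]*:/     { sub(/^[^:]*:[ \t]*/, ""); domain = $0 }
        /^[ \t]*nameserver\[[0-9]+\][ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")
            printf "%s\t%s\n", domain, $0
        }
    '
}

# Exit 0 if the system resolver sends queries for DOMAIN ($1) to SERVER ($2),
# i.e. whether programs other than dig/ping would reach the VPN's resolver.
# Usage: has_resolver_for DOMAIN SERVER < scutil-output
has_resolver_for() {
    scutil_nameservers |
        awk -v d="$1" -v s="$2" '$1 == d && $2 == s { found = 1 } END { exit !found }'
}

# Constructed sample in the format of "scutil --dns": a LAN resolver plus a
# resolver scoped to the (made-up) VPN-side domain corp.example.
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : corp.example
  nameserver[0] : 10.8.0.1
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101000
'

# On a Mac, read the live configuration; elsewhere fall back to the sample.
if command -v scutil >/dev/null 2>&1; then
    scutil --dns | scutil_nameservers
else
    printf '%s\n' "$SAMPLE_SCUTIL_DNS" | scutil_nameservers
fi
```

If the VPN-side domain does not appear with the VPN resolver in this list, `dig @resolver host.corp.example` will still succeed while `ssh host.corp.example` fails, because only the former bypasses the system configuration; the fix then lies in the client's DNS setup (on macOS with Tunnelblick, the DNS settings it pushes), not in the resolver itself.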


[Openvpn-users] openvpn dns resolution on osx

2021-06-07 Thread Noah

Hi there,

I am running osx 10.15.7 and installed the openvpn v3.2.7 client.

Has anybody documented a decent way to be able to resolve hosts that are 
reachable by the VPN?  We have resolvers at the site I can get 
resolution from when using the dig @ command. Any really good 
solutions are welcome.


Cheers,

Noah






Re: [Openvpn-users] The preferred way to run a client on linux?

2021-06-07 Thread Bo Berglund
On Mon, 7 Jun 2021 11:46:02 +0200, David Sommerseth
 wrote:

>On 07/06/2021 09:41, Bo Berglund wrote:
>> 2) By adding a service
>> --
>> Do the same as above with the client.ovpn file
>> 
>> Then:
>> sudo systemctl enable openvpn@client.service
>> sudo service openvpn@client start
>> or
>> sudo systemctl start openvpn@client
>
>
>This is also NOT recommended.
>
>Put client configuration files into /etc/openvpn/client ... private keys 
>may be placed in /etc/openvpn/private
>
>Then use: systemd start openvpn-client@CONFIG_NAME
>
>This is the only approach supported by the upstream OpenVPN project. 
>For more details: 
>
>

The command you quoted above does not work, whereas this does:
sudo systemctl start openvpn-client@CONFIG_NAME

Must be a typo...


-- 
Bo Berglund
Developer in Sweden





Re: [Openvpn-users] The preferred way to run a client on linux?

2021-06-07 Thread tincantech via Openvpn-users

Silly typo correction:

‐‐‐ Original Message ‐‐‐
On Monday, 7 June 2021 21:34, tincantech via Openvpn-users 
 wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, 7 June 2021 20:54, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > On Mon, 7 Jun 2021 11:46:02 +0200, David Sommerseth
> > open...@sf.lists.topphemmelig.net wrote:
> > Thanks for your reply and information!
> > I am still confused, see below
> >
> > > > I have seen different ways of accomplishing this:
> > > >
> > > > 1.  Via the openvpn defaults
> > > >
> > > > In this case the client.ovpn file is renamed to client.conf and placed 
> > > > in
> > > > /etc/openvpn.
> > > > Then the defaults file is edited:
> > > > sudo nano /etc/default/openvpn
> > > > And the AUTOSTART line is set like this:
> > > > AUTOSTART="client"
> > > > Then:
> > > > sudo systemctl daemon-reload
> > > > sudo systemctl restart openvpn
> > >
> > > This is not recommended at all. This approach is Debian's way to
> > > simulate the behaviour of the pre-systemd days. Over the years, this
> > > has caused many unexpected behaviours.
> >
> > How can I invalidate my use of this method so I get a clean system again?
> > Is it enough to comment out the AUTOSTART line and then run the commands:
> > sudo systemctl daemon-reload
> > sudo systemctl stop openvpn
>
> Do not use the service named 'openvpn'
>
> -   systemctl disable openvpn
>
> That will stop your system using this out-dated and unsupported method.
>
> Use the Openvpn supported systemd unit files:
>
> -   For servers: openvpn-server@.service
> -   For clients: openvpn-client@.service
>
> Place your server openvpn config files in: /etc/openvpn/server
> Place your client openvpn config files in: /etc/openvpn/client
>
> Enable the instances which you wish to use:
>
> -   systemctl enable openvpn-server@YOUR-SERVER
> -   systemctl enable openvpn-server@YOUR-CLIENT

* systemctl enable openvpn-client@YOUR-CLIENT

>
> Above, 'YOUR-SERVER' and 'YOUR-CLIENT' would be the names
> of the openvpn config files, put into the correct directory,
> without the .conf extension. Not necessarily all CAPS.
>
> Start the instances which you wish to start:
>
> -   systemctl start openvpn-server@YOUR-SERVER
> -   systemctl start openvpn-server@YOUR-CLIENT

* systemctl start openvpn-client@YOUR-CLIENT

>
> Above, 'YOUR-SERVER' and 'YOUR-CLIENT' would be the names
> of the openvpn config files, put into the correct directory,
> without the .conf extension. Not necessarily all CAPS.
>
> Regards
> R
>




Re: [Openvpn-users] The preferred way to run a client on linux?

2021-06-07 Thread tincantech via Openvpn-users

Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 7 June 2021 20:54, Bo Berglund  wrote:

> On Mon, 7 Jun 2021 11:46:02 +0200, David Sommerseth
> open...@sf.lists.topphemmelig.net wrote:
>
> Thanks for your reply and information!
> I am still confused, see below
>
> > > I have seen different ways of accomplishing this:
> > >
> > > 1.  Via the openvpn defaults
> > >
> > > In this case the client.ovpn file is renamed to client.conf and placed in
> > > /etc/openvpn.
> > > Then the defaults file is edited:
> > > sudo nano /etc/default/openvpn
> > > And the AUTOSTART line is set like this:
> > > AUTOSTART="client"
> > > Then:
> > > sudo systemctl daemon-reload
> > > sudo systemctl restart openvpn
> >
> > This is not recommended at all. This approach is Debian's way to
> > simulate the behaviour of the pre-systemd days. Over the years, this
> > has caused many unexpected behaviours.
>
> How can I invalidate my use of this method so I get a clean system again?
> Is it enough to comment out the AUTOSTART line and then run the commands:
>
> sudo systemctl daemon-reload
> sudo systemctl stop openvpn


Do not use the service named 'openvpn'
 * systemctl disable openvpn

That will stop your system using this out-dated and unsupported method.

Use the Openvpn supported systemd unit files:

* For servers: openvpn-server@.service
* For clients: openvpn-client@.service

Place your server openvpn config files in: /etc/openvpn/server
Place your client openvpn config files in: /etc/openvpn/client

Enable the instances which you wish to use:

* systemctl enable openvpn-server@YOUR-SERVER
* systemctl enable openvpn-server@YOUR-CLIENT

Above, 'YOUR-SERVER' and 'YOUR-CLIENT' would be the names
of the openvpn config files, put into the correct directory,
without the .conf extension. Not necessarily all CAPS.

Start the instances which you wish to start:

* systemctl start openvpn-server@YOUR-SERVER
* systemctl start openvpn-server@YOUR-CLIENT

Above, 'YOUR-SERVER' and 'YOUR-CLIENT' would be the names
of the openvpn config files, put into the correct directory,
without the .conf extension. Not necessarily all CAPS.

Regards
R


Re: [Openvpn-users] The preferred way to run a client on linux?

2021-06-07 Thread Bo Berglund
On Mon, 7 Jun 2021 11:46:02 +0200, David Sommerseth
 wrote:

Thanks for your reply and information!
I am still confused, see below

>> I have seen different ways of accomplishing this:
>> 
>> 1) Via the openvpn defaults
>> ---
>> In this case the client.ovpn file is renamed to client.conf and placed in
>> /etc/openvpn.
>> 
>> Then the defaults file is edited:
>> sudo nano /etc/default/openvpn
>> 
>> And the AUTOSTART line is set like this:
>> AUTOSTART="client"
>> 
>> Then:
>> sudo systemctl daemon-reload
>> sudo systemctl restart openvpn
>
>This is not recommended at all.  This approach is Debian's way to 
>simulate the behaviour of the pre-systemd days.  Over the years, this 
>has caused many unexpected behaviours.

How can I invalidate my use of this method so I get a clean system again?
Is it enough to comment out the AUTOSTART line and then run the commands:

sudo systemctl daemon-reload
sudo systemctl stop openvpn

>> 
>> 2) By adding a service
>> --
>> Do the same as above with the client.ovpn file
>> 
>> Then:
>> sudo systemctl enable openvpn@client.service
>> sudo service openvpn@client start
>> or
>> sudo systemctl start openvpn@client
>

>This is also NOT recommended.
OK - understood...

>
>Put client configuration files into /etc/openvpn/client ... private keys 
>may be placed in /etc/openvpn/private

I have now *moved* the client's conf file from /etc/openvpn to
/etc/openvpn/client after first doing this:

sudo systemctl stop openvpn@SSRemote002

>
>Then use: systemd start openvpn-client@CONFIG_NAME

So you mean that if the conf file is placed inside the client dir then running
this command will both start the connection and also make it a service that will
run on startup in the future?

  sudo systemd start openvpn-client@SSRemote002

Or will any conf file placed there be started on system startup?

>
>This is the only approach supported by the upstream OpenVPN project. 
>For more details: 
>
>

I tried to do what you described and this is the result:

$ systemd start openvpn-client@SSRemote002
Excess arguments.

Adding sudo in front makes the same Excess arguments response happen... :(

>> 3) By setting up a cron job running on startup
>> --
>> In this case cron is set up to run openvpn with the client.conf file as 
>> config,
>> not necessarily located in /etc/openvpn
>
>This sounds like a kludgy workaround hack.  Don't do that.  You will 
>have much more control when systemd is used correctly.  In addition to 
>systemd's journal also fetching the logs in a way which is easier to 
>navigate in afterwards.

It was not something I seriously contemplated using but wanted to add as an
example of yet another way to start openvpn with the client's conf file to
connect to the remote location.

>
>The openvpn-server@.service unit also has "RestartSec=5s" and 
>"Restart=on-failure" set, which will automatically restart openvpn 
>servers if they die unexpectedly.  You can do a similar trick with the 
>openvpn-client@.service - also for only specific configuration files:
>
># systemctl edit openvpn-client@CONFIG_NAME
>
>This will fire off an editor, where you add these lines:
>
>[Service]
>RestartSec=1m
>Restart=on-failure
>
>This will automatically restart this particular configuration after 1 
>minute if the openvpn process dies unexpectedly.  "1 minute" may be 
>tweaked, but also consider race conditions against your server.  Not all 
>client configs will be too happy if started too quickly afterwards.  1 
>minute is very conservative - but based on this is a common timer delay 
>on the server side, 30 seconds might be enough and work fine too.

If this is not done, what happens?
Does the connection remain down until someone manually does some rescue action?
Is there no default timeout?


-- 
Bo Berglund
Developer in Sweden





Re: [Openvpn-users] figuring out connection interface

2021-06-07 Thread Gert Doering
Hi,

On Fri, Jun 04, 2021 at 12:55:04PM +0200, Gert Doering wrote:
> That said, I have no idea if it is ever exposed to management API or
> plugin/script env... "some reading of the source" is needed.

So.  "OpenVPN side" address is only available if ENABLE_IP_PKTINFO
is valid, and then it can be found in the "link_socket_actual" structure
in act->pi.in4 / act->pi.in4.ip_spec_dst / act->pi.in6.ipi6_addr, see
socket.c, print_link_socket_actual_ex().

The most interesting caller of this seems to be linksock_print_addr(),
which is called at the end of link_socket_init_phase2().


The incoming source address is setenv'ed by 

tls_process()
  link_socket_set_outgoing_addr()
link_socket_connection_initiated()
  setenv_trusted()
setenv_link_socket_actual()
  setenv_sockaddr()

... so that would be the call chain where one could add a "this is 
the local address used" setenv() call, similar to what 
print_link_socket_actual_ex() does.

Good practice might be to extract the whole "local address" part of
print_link_socket_actual_ex() into a new subfunction used for both
cases (= less code duplication, less testing).  But this is still not 
a totally trivial task.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] log

2021-06-07 Thread David Sommerseth

On 06/06/2021 14:33, Gokan Atmaca wrote:

Hello

I want to keep the records of all the clients connected to the ovpn ip
addresses for 1 year. How can I do that ? Thanks.


Use the --client-connect script hook on the server side.  That script 
will get all the details about connecting clients, and you can store 
them in a text file, insert into a database or similar things.


More information can be found in the openvpn man page:



--
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-users] The preferred way to run a client on linux?

2021-06-07 Thread David Sommerseth

On 07/06/2021 09:41, Bo Berglund wrote:

I am now on the home stretch at setting up a number of Raspberry Pi units as
data collectors and they need to connect by OpenVPN to a dedicated server.
The RPi units are running the latest version of Pi-OS based on Debian Buster.

I have seen different ways of accomplishing this:

1) Via the openvpn defaults
---
In this case the client.ovpn file is renamed to client.conf and placed in
/etc/openvpn.

Then the defaults file is edited:
sudo nano /etc/default/openvpn

And the AUTOSTART line is set like this:
AUTOSTART="client"

Then:
sudo systemctl restart openvpn


This is not recommended at all.  This approach is Debian's way to 
simulate the behaviour of the pre-systemd days.  Over the years, this 
has caused many unexpected behaviours.




2) By adding a service
--
Do the same as above with the client.ovpn file

Then:
sudo systemctl enable openvpn@client.service
sudo service openvpn@client start
or
sudo systemctl start openvpn@client



This is also NOT recommended.

Put client configuration files into /etc/openvpn/client ... private keys 
may be placed in /etc/openvpn/private


Then use: systemd start openvpn-client@CONFIG_NAME

This is the only approach supported by the upstream OpenVPN project. 
For more details: 





3) By setting up a cron job running on startup
--
In this case cron is set up to run openvpn with the client.conf file as config,
not necessarily located in /etc/openvpn


This sounds like a kludgy workaround hack.  Don't do that.  You will 
have much more control when systemd is used correctly.  In addition to 
systemd's journal also fetching the logs in a way which is easier to 
navigate in afterwards.


The openvpn-server@.service unit also has "RestartSec=5s" and 
"Restart=on-failure" set, which will automatically restart openvpn 
servers if they die unexpectedly.  You can do a similar trick with the 
openvpn-client@.service - also for only specific configuration files:


   # systemctl edit openvpn-client@CONFIG_NAME

This will fire off an editor, where you add these lines:

   [Service]
   RestartSec=1m
   Restart=on-failure

This will automatically restart this particular configuration after 1 
minute if the openvpn process dies unexpectedly.  "1 minute" may be 
tweaked, but also consider race conditions against your server.  Not all 
client configs will be too happy if started too quickly afterwards.  1 
minute is very conservative - but as this is a common timer delay 
on the server side, 30 seconds might be enough and work fine too.



For those wondering why we don't ship with this restart by default on 
client configs, it is simply that each site has different configs where 
some values work better than others. We can't evaluate that on-the-fly. 
 Some sites might not even want this behaviour.  We could enable it on 
the server side as we expect most users wanting OpenVPN servers started 
via systemd to run constantly.  And we can have the short 5 seconds 
delay as that config will anyhow start the OpenVPN server with a clean 
and fresh state.  For clients restarting, there exists a state already 
on the server side which we want to avoid confusing.



--
kind regards,

David Sommerseth
OpenVPN Inc




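The two things Bo tripped over in this thread are the instance name (the config file name without `.conf`, in `/etc/openvpn/client`, started with `systemctl`, not `systemd`) and the fact that the restart policy David describes is a per-instance drop-in that `systemctl edit` writes for you. The script below is an added example, not from the thread or the OpenVPN project: it derives the unit instance from a config path, checks that the file is somewhere the upstream `openvpn-client@.service` / `openvpn-server@.service` units will find it, and writes the same `[Service]` drop-in that `systemctl edit openvpn-client@NAME` would create, into a directory of your choosing so it can be reviewed offline first. The config name `SSRemote002` is taken from Bo's message; the output directory and delay values are this example's own.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): systemd instance naming and the
# Restart=on-failure drop-in for a single openvpn-client@ instance.

# Map /etc/openvpn/client/NAME.conf -> openvpn-client@NAME and
# /etc/openvpn/server/NAME.conf -> openvpn-server@NAME.
# The instance name is the file name without the .conf extension.
instance_name() {
    name=$(basename "$1" .conf)
    case $1 in
        */server/*) printf 'openvpn-server@%s\n' "$name" ;;
        *)          printf 'openvpn-client@%s\n' "$name" ;;
    esac
}

# Exit 0 if the config lives where the supported unit files look for it:
# openvpn-client@NAME reads /etc/openvpn/client/NAME.conf and
# openvpn-server@NAME reads /etc/openvpn/server/NAME.conf. A file directly in
# /etc/openvpn is only picked up by the deprecated Debian "openvpn" service.
check_config_location() {
    case $1 in
        /etc/openvpn/client/*.conf|/etc/openvpn/server/*.conf) return 0 ;;
        *) printf 'not in /etc/openvpn/client or /etc/openvpn/server: %s\n' "$1" >&2
           return 1 ;;
    esac
}

# Write the drop-in that "systemctl edit openvpn-client@NAME" would create.
#   $1 = config path, $2 = RestartSec value (default 1m, as in the thread),
#   $3 = root of the unit tree (default /etc/systemd/system; pass a temp dir
#        to inspect the result without touching the live system).
# Prints the path of the written file.
write_restart_dropin() {
    unit=$(instance_name "$1").service
    delay=${2:-1m}
    root=${3:-/etc/systemd/system}
    dir="$root/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<EOF
[Service]
RestartSec=$delay
Restart=on-failure
EOF
    printf '%s\n' "$dir/override.conf"
}

# Demo with a constructed path and a temporary directory: ./this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    check_config_location /etc/openvpn/client/SSRemote002.conf
    f=$(write_restart_dropin /etc/openvpn/client/SSRemote002.conf 30s "$tmp")
    echo "instance: $(instance_name /etc/openvpn/client/SSRemote002.conf)"
    echo "drop-in written to $f:"
    cat "$f"
    rm -rf "$tmp"
fi
```

Writing under the real `/etc/systemd/system` must be followed by `systemctl daemon-reload` (which `systemctl edit` does for you). To Bo's other question: instances in `/etc/openvpn/client` are not started just because the file is there; `systemctl start openvpn-client@SSRemote002` starts it now, `systemctl enable openvpn-client@SSRemote002` makes it start at boot, and `enable --now` does both.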


Re: [Openvpn-users] log

2021-06-07 Thread Gokan Atmaca
>  better way would be to implement a client-connect script.

how can I do it ?

On Mon, Jun 7, 2021 at 7:42 AM Leroy Tennison via Openvpn-users
 wrote:
>
> A way, although not perfect, is to implement the status log.  You would have 
> to back it up periodically and retain a year's copies.  The limitation is 
> that it is a snapshot of the status and you could easily miss a temporary 
> connection.  A better way would be to implement a client-connect script.
>
>
> -Original Message-
> From: Gokan Atmaca 
> To: openvpn users list (openvpn-users@lists.sourceforge.net) 
> 
> Sent: Sun, Jun 6, 2021 7:33 am
> Subject: [Openvpn-users] log
>
> Hello
>
> I want to keep the records of all the clients connected to the ovpn ip
> addresses for 1 year. How can I do that ? Thanks.
>
> --
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
> ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
> ⠈⠳⣄
>


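Both Leroy's and David's answers point Gokan at the server-side `--client-connect` hook, which is the right place to record who connected from where and which VPN address they got, since the status file is only a snapshot. The script below is an added example, not code from the thread or the OpenVPN project, and works as the target of both `client-connect` and `client-disconnect`. The environment variables it reads (`script_type`, `common_name`, `trusted_ip`, `trusted_port`, `ifconfig_pool_remote_ip`, `time_unix`, and on disconnect `time_duration`, `bytes_received`, `bytes_sent`) are the ones OpenVPN exports to these hooks, as documented in the man page; the log path, the `OVPN_CONN_LOG` override and the sample values in the test are this example's own.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): one-line-per-event connection log
# for the --client-connect and --client-disconnect hooks.
#
# Assumed server config:
#   script-security 2
#   client-connect    /etc/openvpn/server/log-connections.sh
#   client-disconnect /etc/openvpn/server/log-connections.sh

LOGFILE=${OVPN_CONN_LOG:-/var/log/openvpn/connections.log}

# Build one tab-separated record from the hook environment:
#   unix-time  event  common_name  public-ip:port  vpn-ip  duration  rx  tx
# The last three fields only exist at disconnect and are "-" on connect.
format_event() {
    printf '%s\t%s\t%s\t%s:%s\t%s\t%s\t%s\t%s\n' \
        "${time_unix:-$(date +%s)}" \
        "${script_type:-unknown}" \
        "${common_name:-?}" \
        "${trusted_ip:-?}" "${trusted_port:-?}" \
        "${ifconfig_pool_remote_ip:-?}" \
        "${time_duration:--}" \
        "${bytes_received:--}" \
        "${bytes_sent:--}"
}

# Append the record. A client-connect script that exits non-zero makes OpenVPN
# refuse the client, so a logging failure is reported on stderr but never
# blocks the connection.
log_event() {
    if ! format_event >> "$LOGFILE" 2>/dev/null; then
        echo "log-connections: cannot write $LOGFILE" >&2
    fi
    return 0
}

# OpenVPN sets script_type to the hook being run; when sourced or run by hand
# without it, do nothing.
case ${script_type:-} in
    client-connect|client-disconnect) log_event ;;
esac
```

`trusted_ip` is the address the client really connected from and `ifconfig_pool_remote_ip` the VPN address it was assigned, which together are what Gokan asked to keep; `time_unix` gives an unambiguous timestamp for later correlation. For the one-year retention, rotate the file with logrotate (or the journal, if you log to stdout instead) and keep 12 monthly copies; the script itself only appends.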


[Openvpn-users] The preferred way to run a client on linux?

2021-06-07 Thread Bo Berglund
I am now on the home stretch at setting up a number of Raspberry Pi units as
data collectors and they need to connect by OpenVPN to a dedicated server.
The RPi units are running the latest version of Pi-OS based on Debian Buster.

I have seen different ways of accomplishing this:

1) Via the openvpn defaults
---
In this case the client.ovpn file is renamed to client.conf and placed in
/etc/openvpn.

Then the defaults file is edited:
sudo nano /etc/default/openvpn

And the AUTOSTART line is set like this:
AUTOSTART="client"

Then:
sudo systemctl restart openvpn


2) By adding a service
--
Do the same as above with the client.ovpn file

Then:
sudo systemctl enable openvpn@client.service
sudo service openvpn@client start
or
sudo systemctl start openvpn@client

3) By setting up a cron job running on startup
--
In this case cron is set up to run openvpn with the client.conf file as config,
not necessarily located in /etc/openvpn


To me it seems easiest to do it the first way...
But all 3 ways will probably work.

What I want is for the RPi to connect to the vpn server when it starts so that
it has access to the resources on the remote network.


-- 
Bo Berglund
Developer in Sweden


