Re: [Openvpn-users] Correct way to handle routing when on home network?
Hi,

Could it have something to do with SMB Multichannel...?

--- Original Message ---
On Wednesday, September 28th, 2022 at 19:37, Selva Nair wrote:

> Hello,
>
> On Wed, Sep 28, 2022 at 1:10 PM Sebastian Arcus wrote:
>
>> On 27/09/2022 21:09, tincantech wrote:
>> Some updates from today's testing:
>>
>> Test case 1
>>
>> Topology: subnet
>> Adapter: WinTUN
>> Netbios over TCP/IP: disabled or enabled
>> Result: 300kbs (for both states of NetBIOS over TCP/IP)
>>
>> Test case 2
>>
>> Topology: subnet
>> Adapter: TAP
>> Netbios over TCP/IP: disabled or enabled
>> Result: 900Mbs (for both states of Netbios over TCP/IP)
>>
>> Essentially using "topology subnet" seems to work fine with the TAP
>> adapter, but routes all smb traffic through the tunnel with the WinTUN
>> adapter, even when Netbios over TCP/IP is disabled.
>>
>> I'm not sure if this actually clarifies things or makes it worse. I
>> re-ran the tests several times, and rebooted the machine after changing
>> the settings on the adapters and before running the tests.
>
> This is getting more and more mysterious. Somehow SMB traffic is using the
> VPN IP and hence getting routed through the tunnel. DNS/netbios would have
> been the obvious culprit, but that doesn't seem to be the case... As Windows
> has no built-in policy routing facilities (does it?), probably there is some
> third party port forwarding running on the client? However, that should have
> affected both wintun and tap-windows tunnels. Can you mount a shared folder
> using the LAN IP of the server like \\192.168.112.xx and see whether that
> makes a difference?
>
> tcpdump could also help figure out why there are two smb streams, one using
> the LAN IP and the other using the VPN, which is carrying what traffic, which
> one gets established first etc.
>
> Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Checking server and client certificates expiration?
On 28/09/2022 16:40, Joe Patterson wrote:
> The general form of what you want to do is:
>
> openssl x509 -in file.crt -noout -text | grep 'Not After'

An easier way; this checks if the certificate expires within the next 30 days:

$ openssl x509 -noout -checkend $((30*24*3600)) -in file.crt || echo "NEED RENEWAL"

--
kind regards,

David Sommerseth
OpenVPN Inc
Re: [Openvpn-users] Checking server and client certificates expiration?
On Wed, Sep 28, 2022 at 11:18:41 -0400, Bo Berglund wrote:
> On Wed, 28 Sep 2022 10:40:07 -0400, Joe Patterson wrote:
>
>> grep -A 100 -F '' openvpn.conf | openssl x509 -in - -noout -text | grep 'Not After'
>
> so my OVPN files are structured like this:
>
> client
> dev tun
>
> -----BEGIN CERTIFICATE-----
> block of characters
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> block of characters
> -----END CERTIFICATE-----

I haven't used it specifically on inline certificates in openvpn.conf files, but in general I found that when processing multi-certificate input files, "openssl x509" will skip lines in its stdin until it finds a BEGIN CERTIFICATE block, then it will process one certificate -- leaving stdin ready to be read further to repeat the process.

So, you can probably use something like the following to display information on all the certificates found in a particular file:

$ while openssl x509 -noout -text ; do echo "==" ; done < openssl.cnf | less

The 'echo "=="' bit is just to put a little divider between each certificate's info in the output; you can tweak that to taste.

At the end of this loop stderr will get a "PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE" error message; this is normal -- it just indicates that the while loop has gone through all the certificates in the file and couldn't find any new one to process.

Nathan

Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
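The two questions running through this thread are "which inline block is the CA and which is the client certificate?" and "how do I get a renewal warning rather than just a date?". As an added example (not code from the thread, from OpenVPN or from Easy-RSA), the following Python does what the openssl one-liners above do for every inline certificate in a client config, and labels each certificate by the block it sits in, so a `<ca>` certificate is never mistaken for the `<cert>` one. It reads the notBefore/notAfter fields straight out of the DER, so no openssl binary is needed on the machine doing the audit. The `<ca>`, `<cert>` and `<extra-certs>` tags are OpenVPN's real inline-file syntax; everything else that looks like data is constructed here: the sample config and its two certificates are unsigned, empty-name X.509 shells built by the block itself purely to exercise the parser, and `NOW` is pinned to the thread's date. Real certificates still come from Easy-RSA.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# OpenVPN inline-file blocks that can carry PEM certificates.
INLINE_RE = re.compile(r"<(ca|cert|extra-certs)>\s*(.*?)\s*</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Yield (tag, value) for each element directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        yield tag, val

def _parse_time(tag, val):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to a UTC datetime."""
    text = val.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == 0x18:  # YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("malformed Time %r" % text)
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)

def cert_validity(der):
    """Return (not_before, not_after) from the tbsCertificate of a DER certificate."""
    _, cert_body, _ = _read_tlv(der, 0)   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _read_tlv(cert_body, 0)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (t1, v1), (t2, v2) = _children(fields[3][1])
    return _parse_time(t1, v1), _parse_time(t2, v2)

def inline_certificates(ovpn_text):
    """Yield (block_name, index, der_bytes) for every PEM certificate in the config."""
    for m in INLINE_RE.finditer(ovpn_text):
        for i, pem in enumerate(PEM_RE.finditer(m.group(2))):
            yield m.group(1), i, base64.b64decode("".join(pem.group(1).split()))

def expiry_report(ovpn_text, now, warn_days=30):
    """One dict per certificate: which block holds it, its validity window, and whether
    it ends within warn_days of now (the same test as openssl x509 -checkend)."""
    report = []
    for block, idx, der in inline_certificates(ovpn_text):
        nb, na = cert_validity(der)
        report.append({"block": block, "index": idx, "not_before": nb, "not_after": na,
                       "expired": na <= now,
                       "needs_renewal": na <= now + timedelta(days=warn_days)})
    return report

# ---- constructed sample input: unsigned X.509 shells, built only to exercise the parser ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def synthetic_certificate_pem(not_before, not_after):
    """Structurally valid v3 certificate with empty names, empty key and empty signature."""
    def der_time(dt):  # RFC 5280: UTCTime through 2049, GeneralizedTime from 2050 on
        return (_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode()) if dt.year < 2050
                else _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode()))
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    empty_name, empty_bits = _tlv(0x30, b""), _tlv(0x03, b"\x00")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
                 + empty_name + _tlv(0x30, der_time(not_before) + der_time(not_after))
                 + empty_name + _tlv(0x30, sha256_rsa + empty_bits))
    b64 = base64.b64encode(_tlv(0x30, tbs + sha256_rsa + empty_bits)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body

NOW = datetime(2022, 9, 28, tzinfo=timezone.utc)  # the thread's date, fixed for reproducibility
SAMPLE_OVPN = "\n".join([
    "client", "dev tun", "proto udp",
    "<ca>", synthetic_certificate_pem(datetime(2013, 1, 1, tzinfo=timezone.utc),
                                     datetime(2023, 1, 1, tzinfo=timezone.utc)), "</ca>",
    "<cert>", synthetic_certificate_pem(datetime(2020, 6, 1, tzinfo=timezone.utc),
                                       datetime(2030, 6, 1, tzinfo=timezone.utc)), "</cert>",
])

if __name__ == "__main__":
    for r in expiry_report(SAMPLE_OVPN, NOW, warn_days=120):
        print("<%s> #%d  Not After: %s  %s" % (r["block"], r["index"], r["not_after"].date(),
                                               "NEED RENEWAL" if r["needs_renewal"] else "ok"))
```

Run against a real client file with `expiry_report(open("client.ovpn").read(), datetime.now(timezone.utc))`; the `<ca>` entry is the CA certificate Easy-RSA issued when the PKI was created, the `<cert>` entry is the client's own, and either one expiring breaks the connection, which is why both are reported rather than only the first PEM block the file happens to contain.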
Re: [Openvpn-users] Checking server and client certificates expiration?
Hi,

--- Original Message ---
On Wednesday, September 28th, 2022 at 18:18, Bo Berglund wrote:
> On Wed, 28 Sep 2022 16:03:11, tincantech via Openvpn-users openvpn-users@lists.sourceforge.net wrote:
>
>> I can only presume that you have never heard of Easy-RSA before.
>
> I have used easy-rsa version 2 since 2013 or so

I recommend that you move to Easy-RSA version 3 but wait for v311

There is an upgrade procedure to make your PKI v3 compatible.
If you have a problem with that then I can help.
Always make a backup first ;-)

There is also Easy-TLS: https://github.com/TinCanTech/easy-tls
That may not be something you would find useful. (Not officially endorsed)

As a developer from Sweden, I would hope that POSIX/sh is something that you would have some familiarity with. The code therein may be of some use to you. Both Easy-RSA and Easy-TLS are POSIX/sh.

I only post this info because I get the impression that it could be useful to you.
Re: [Openvpn-users] Correct way to handle routing when on home network?
Hello,

On Wed, Sep 28, 2022 at 1:10 PM Sebastian Arcus wrote:
>
> On 27/09/2022 21:09, tincantech wrote:
> Some updates from today's testing:
>
> Test case 1
>
> Topology: subnet
> Adapter: WinTUN
> Netbios over TCP/IP: disabled or enabled
> Result: 300kbs (for both states of NetBIOS over TCP/IP)
>
> Test case 2
>
> Topology: subnet
> Adapter: TAP
> Netbios over TCP/IP: disabled or enabled
> Result: 900Mbs (for both states of Netbios over TCP/IP)
>
> Essentially using "topology subnet" seems to work fine with the TAP
> adapter, but routes all smb traffic through the tunnel with the WinTUN
> adapter, even when Netbios over TCP/IP is disabled.
>
> I'm not sure if this actually clarifies things or makes it worse. I
> re-ran the tests several times, and rebooted the machine after changing
> the settings on the adapters and before running the tests.

This is getting more and more mysterious. Somehow SMB traffic is using the VPN IP and hence getting routed through the tunnel. DNS/netbios would have been the obvious culprit, but that doesn't seem to be the case... As Windows has no built-in policy routing facilities (does it?), probably there is some third party port forwarding running on the client? However, that should have affected both wintun and tap-windows tunnels. Can you mount a shared folder using the LAN IP of the server like \\192.168.112.xx and see whether that makes a difference?

tcpdump could also help figure out why there are two smb streams, one using the LAN IP and the other using the VPN, which is carrying what traffic, which one gets established first etc.

Selva
Re: [Openvpn-users] Checking server and client certificates expiration?
On Wed, 28 Sep 2022 16:03:11, tincantech via Openvpn-users wrote:
> I can only presume that you have never heard of Easy-RSA before.

I have used easy-rsa version 2 since 2013 or so to create the client OVPN files using a script that calls Easy-Rsa functions.
It accepts the Common Name as input argument and then pops up some questions along the process and finally writes the OVPN file.
But I am just using it, have not dived down into its functionality outside of this.

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Correct way to handle routing when on home network?
On 27/09/2022 20:47, Jan Just Keijser wrote:
> Hi,
>
> On 27/09/22 15:29, Sebastian Arcus wrote:
>> On 26/09/2022 13:53, Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 26/09/22 13:49, Sebastian Arcus wrote:
>>> [...]
>>
>> Thank you for the extra suggestions. Please find below the output of the nbtstat commands, with the vpn up and a large slow file transfer in progress, just to be sure the fault was still present at the time. As far as I can tell from the output, the server name always resolves to the correct IP. I am accessing the share through a mapped drive, which uses the server name. Also, as per my other email this morning, the output of netstat during a slow file transfer confirms that the vpn/samba server is being accessed by its internal IP address - so it doesn't seem to be a name resolution issue.
>>
>> # nbtstat -c
>>
>> OpenVPN Wintun:
>> Node IpAddress: [192.168.114.10] Scope Id: []
>>
>>     NetBIOS Remote Cache Name Table
>>
>>     Name              Type        Host Address     Life [sec]
>>     STAPELY-SERVER <00>  UNIQUE   192.168.112.1    484
>>
>> OpenVPN TAP-Windows6:
>> Node IpAddress: [0.0.0.0] Scope Id: []
>>
>>     No names in cache
>>
>> Ethernet:
>> Node IpAddress: [192.168.112.53] Scope Id: []
>>
>>     NetBIOS Remote Cache Name Table
>>
>>     Name              Type        Host Address     Life [sec]
>>     STAPELY-SERVER <20>  UNIQUE   192.168.112.1    446
>>     __SAMBA__      <20>  UNIQUE   192.168.112.1    446
>
> now this output is quite interesting: with the VPN up, the Netbios name of the client resolves first to 192.168.114.10 (and later to 122.53); so it could very well be that the Windows 10 smb client picks that address to connect with - which would explain the VPN route. The thing is, why does Windows do that and how can we influence it?
>
> I did notice that you are pushing a WINS server to your clients. Just to test, can you disable NetBios-over-TCPIP for the wintun adapter? that should be under Network properties.

Hi and thank you for the further suggestions. Please see below updates:

1. Removing 'push "dhcp-option WINS 192.168.112.1"' from the server config file doesn't seem to make any difference - the problem is still there
2. Disabling Netbios over DNS on both ethernet and WinTUN adapters on the client fixes the issues
3. Enabling Netbios over DNS on either ethernet OR WinTUN breaks things again, and the transfers are very slow

> I tried reproducing this today on a Win 10 PC but to no avail: as long as the LAN-route has a lower metric than the VPN-route then a net share/smb command always goes over the LAN route.
>
> While reproducing, I did see something odd WRT "on-link" routes versus routes that have a gateway. You posted a while back your IPv4 routing table
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway         Interface  Metric
>           0.0.0.0          0.0.0.0    192.168.112.1  192.168.112.236      25
>         127.0.0.0        255.0.0.0          On-link        127.0.0.1     331
>         127.0.0.1  255.255.255.255          On-link        127.0.0.1     331
>   127.255.255.255  255.255.255.255          On-link        127.0.0.1     331
>     192.168.112.0    255.255.255.0          On-link  192.168.112.236     281
>     192.168.112.0    255.255.255.0    192.168.114.5    192.168.114.6     500
>
> what happens if you add a route *after* the VPN comes up :
>
> route add 192.168.112.0 mask 255.255.255.0 192.168.112.1
>
> then re-test your performance?

I've just tried this and it doesn't appear to make any difference - smb traffic is still routed through the tunnel
Re: [Openvpn-users] Correct way to handle routing when on home network?
On 27/09/2022 21:09, tincantech wrote:
> Hi,
>
> --- Original Message ---
> On Thursday, September 22nd, 2022 at 19:25, tincantech wrote:
>> --- Original Message ---
>> On Thursday, September 22nd, 2022 at 15:06, Sebastian Arcus s.ar...@open-t.co.uk wrote:
>>> Server: openvpn 2.5.7, Linux Slackware
>>> Client: openvpn 2.5.7, Windows 10
>>>
>>> OpenVPN server lan subnet: 192.168.112.0/24
>>> OpenVPN subnet: 192.168.114.0/24
>>>
>>> server.conf
>>>
>>> proto udp
>>> port 1194
>>> dev tun
>>> server 192.168.114.0 255.255.255.0
>>> push "route 192.168.112.0 255.255.255.0"
>>> push "dhcp-option DNS 192.168.112.1"
>>> push "dhcp-option WINS 192.168.112.1"
>>> push "route-metric 500"
>>> ca "ca.crt"
>>> cert "server.crt"
>>> key "server.key"
>>> tls-auth "ta.key" 0
>>> dh "dh.pem"
>
> It is also worth mentioning that --topology net30 is deprecated.
> https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Changedefault--topologynet30tosubnet
>
> That may help routing.

Some updates from today's testing:

Test case 1

Topology: subnet
Adapter: WinTUN
Netbios over TCP/IP: disabled or enabled
Result: 300kbs (for both states of NetBIOS over TCP/IP)

Test case 2

Topology: subnet
Adapter: TAP
Netbios over TCP/IP: disabled or enabled
Result: 900Mbs (for both states of Netbios over TCP/IP)

Essentially using "topology subnet" seems to work fine with the TAP adapter, but routes all smb traffic through the tunnel with the WinTUN adapter, even when Netbios over TCP/IP is disabled.

I'm not sure if this actually clarifies things or makes it worse. I re-ran the tests several times, and rebooted the machine after changing the settings on the adapters and before running the tests.
Re: [Openvpn-users] Checking server and client certificates expiration?
Hi Bo,

the imminent release of Easy-RSA version 3.1.1 has tools to manage your PKI with relative ease.
https://github.com/OpenVPN/easy-rsa

Command `show-expire` will list your entire PKI, a subset of it or an individual certificate, at your request.

I can only presume that you have never heard of Easy-RSA before.

--- Original Message ---
On Wednesday, September 28th, 2022 at 16:51, Gert Doering wrote:
> Hi,
>
> On Wed, Sep 28, 2022 at 11:18:41AM -0400, Bo Berglund wrote:
>>
>> -----BEGIN CERTIFICATE-----
>> block of characters
>> -----END CERTIFICATE-----
>>
>
> This is the client certificate (that the server will validate).
>
>> I don't know what each of these crypto sections does and if they contain some
>> expire info...
>> Or which section contains the date...
>
> The not-before/not-after dates are encoded in the x509 blob in .
>
> So, the "grep -A 100" command given will extract "cert plus everything
> after it" from the config, and "openssl x509 -in $file -noout -text"
> will decode the certificate for you.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Checking server and client certificates expiration?
Hi,

On Wed, Sep 28, 2022 at 11:18:41AM -0400, Bo Berglund wrote:
>
> -----BEGIN CERTIFICATE-----
> block of characters
> -----END CERTIFICATE-----
>

This is the client certificate (that the server will validate).

> I don't know what each of these crypto sections does and if they contain some
> expire info...
> Or which section contains the date...

The not-before/not-after dates are encoded in the x509 blob in .

So, the "grep -A 100" command given will extract "cert plus everything after it" from the config, and "openssl x509 -in $file -noout -text" will decode the certificate for you.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Checking server and client certificates expiration?
On Wed, 28 Sep 2022 10:40:07 -0400, Joe Patterson wrote:
> On Wed, Sep 28, 2022 at 10:08 AM Bo Berglund wrote:
>>
>> I have been using OpenVPN for a rather long time now and I have realized that
>> there is a risk that the server certificates may expire as well as the clients.
>> The servers all run on Linux (Ubuntu server and Raspberry Pi) but clients are
>> both Linux and Windows and actually also some ASUS routers...
>>
>> How can I check when this will happen?
>> The clients use OVPN files with embedded crypto stuff and the server uses a set
>> of crypto files in subdir etc/openvpn/keys.
>>
>> If I can check this and it turns out that they will be expiring in the near
>> future, then what can I do to extend the life of them?
>> Do I have to re-create the entire set of server and client certs?
>>
>> Notice:
>> The certs were created using easy-rsa on the servers back when the system was
>> created and new clients have been added over the years also using easy-rsa on
>> the servers.
>
> The general form of what you want to do is:
>
> openssl x509 -in file.crt -noout -text | grep 'Not After'
>
> If you use the same command against the client files with the embedded
> crypto, it will give you the expiration date of the first certificate
> block, which *might* be your client cert, or *might* be your CA cert,
> depending on how the file is structured.
>
> you can manually copy the chunk between and and then
> run it through openssl, or do something cleverish like:
>
> grep -A 100 -F '' openvpn.conf | openssl x509 -in - -noout -text | grep 'Not After'
>
> Hope this is helpful.

Thanks, so my OVPN files are structured like this:

client
dev tun
proto udp
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

-----BEGIN CERTIFICATE-----
block of characters
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
block of characters
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,60C3A5C2A94EB51F

block of characters
-----END RSA PRIVATE KEY-----

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
block of characters
-----END OpenVPN Static key V1-----

I don't know what each of these crypto sections does and if they contain some expire info...
Or which section contains the date...

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Checking server and client certificates expiration?
The general form of what you want to do is:

openssl x509 -in file.crt -noout -text | grep 'Not After'

If you use the same command against the client files with the embedded crypto, it will give you the expiration date of the first certificate block, which *might* be your client cert, or *might* be your CA cert, depending on how the file is structured.

you can manually copy the chunk between and and then run it through openssl, or do something cleverish like:

grep -A 100 -F '' openvpn.conf | openssl x509 -in - -noout -text | grep 'Not After'

Hope this is helpful.

-Joe

On Wed, Sep 28, 2022 at 10:08 AM Bo Berglund wrote:
>
> I have been using OpenVPN for a rather long time now and I have realized that
> there is a risk that the server certificates may expire as well as the clients.
> The servers all run on Linux (Ubuntu server and Raspberry Pi) but clients are
> both Linux and Windows and actually also some ASUS routers...
>
> How can I check when this will happen?
> The clients use OVPN files with embedded crypto stuff and the server uses a set
> of crypto files in subdir etc/openvpn/keys.
>
> If I can check this and it turns out that they will be expiring in the near
> future, then what can I do to extend the life of them?
> Do I have to re-create the entire set of server and client certs?
>
> Notice:
> The certs were created using easy-rsa on the servers back when the system was
> created and new clients have been added over the years also using easy-rsa on
> the servers.
>
> --
> Bo Berglund
> Developer in Sweden
[Openvpn-users] Checking server and client certificates expiration?
I have been using OpenVPN for a rather long time now and I have realized that there is a risk that the server certificates may expire as well as the clients.
The servers all run on Linux (Ubuntu server and Raspberry Pi) but clients are both Linux and Windows and actually also some ASUS routers...

How can I check when this will happen?
The clients use OVPN files with embedded crypto stuff and the server uses a set of crypto files in subdir etc/openvpn/keys.

If I can check this and it turns out that they will be expiring in the near future, then what can I do to extend the life of them?
Do I have to re-create the entire set of server and client certs?

Notice:
The certs were created using easy-rsa on the servers back when the system was created and new clients have been added over the years also using easy-rsa on the servers.

--
Bo Berglund
Developer in Sweden