Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Bruno Tréguier via Openvpn-users

On 14/08/2023 at 23:19, Jason Long wrote:


> Hi Bruno,
> Thank you so much for your reply.
> Both (Server and Client) can ping each other and without the local
> statement my client can connect to the OpenVPN server.
> My client connects to the server via an internal network:
> Server: 192.168.1.20
> Client: 192.168.1.21

Sorry Jason but your explanations regarding what you want to achieve are 
rather vague. You are talking about a server with several NICs, but what 
are they meant for?


A diagram mentioning the IPs would be quite useful to understand what 
your configuration is or what you want it to be.


Regards, Bruno
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
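An added illustration for the `local` question (example code written for this digest, not from the thread or from the OpenVPN project): with `local`, the server binds only the given address, so a client whose `remote` names a different address, or an address it has no route to, never reaches the listener. The server address 192.168.1.20 and client 192.168.1.21 come from Jason's message and 10.0.0.10 from his scenario; the `local 10.0.0.10` line, the second NIC and the client's routing table are constructed assumptions.

```python
# Added illustration for this thread (not OpenVPN project code): does the
# client's `remote` target an address the server actually binds with `local`,
# and can the client route to it?  Addresses come from Jason's message
# (server 192.168.1.20, client 192.168.1.21); the second NIC 10.0.0.10, the
# `local 10.0.0.10` line and the client's routing table are constructed.
import ipaddress

SERVER_IFACES = ["192.168.1.20", "10.0.0.10"]   # constructed: the server's two NICs
CLIENT_ROUTES = ["192.168.1.0/24"]              # constructed: networks the client can reach

SERVER_CONF_NO_LOCAL = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
"""

SERVER_CONF_LOCAL = """
local 10.0.0.10   # assumed value for the 'local' line that broke the setup
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
"""

CLIENT_CONF = """
client
dev tun
proto udp
remote 192.168.1.20 1194
"""


def parse_directives(text):
    """Map each directive to its argument list, ignoring comments and blank lines.
    Last occurrence wins, which is enough for the single-valued options checked here."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def bound_addresses(server_conf, ifaces=SERVER_IFACES):
    """With `local`, the server binds only that address; without it, every local address."""
    d = parse_directives(server_conf)
    if "local" in d:
        return {ipaddress.ip_address(d["local"][0])}
    return {ipaddress.ip_address(a) for a in ifaces}


def check_client(server_conf, client_conf, ifaces=SERVER_IFACES, routes=CLIENT_ROUTES):
    """Return 'ok' or the first reason the client cannot reach the server's listener."""
    s = parse_directives(server_conf)
    c = parse_directives(client_conf)
    remote = ipaddress.ip_address(c["remote"][0])
    remote_port = c["remote"][1] if len(c["remote"]) > 1 else "1194"
    server_port = s.get("port", ["1194"])[0]
    if c.get("proto", ["udp"])[0] != s.get("proto", ["udp"])[0]:
        return "protocol mismatch between client and server"
    if remote_port != server_port:
        return f"client targets port {remote_port}, server listens on {server_port}"
    # Gert's point: the packets first have to arrive; no route means no connection.
    if not any(remote in ipaddress.ip_network(r) for r in routes):
        return f"client has no route to {remote}"
    # The `local` point: the server must be listening on the address the client uses.
    bound = sorted(str(a) for a in bound_addresses(server_conf, ifaces))
    if remote not in bound_addresses(server_conf, ifaces):
        return f"server does not listen on {remote}; `local` binds only {bound}"
    return "ok"


if __name__ == "__main__":
    for label, conf in [("no local", SERVER_CONF_NO_LOCAL), ("local 10.0.0.10", SERVER_CONF_LOCAL)]:
        print(f"{label:16} -> {check_client(conf, CLIENT_CONF)}")
```

Running it shows the two outcomes Jason reports: without `local` the client on 192.168.1.21 reaches 192.168.1.20, and with `local 10.0.0.10` nothing listens on the address the client uses; pointing the client at 10.0.0.10 instead only moves the failure to the missing route, which is Gert's point.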


Re: [Openvpn-users] OpenVPN stopped working after upgrade from 2.5.6 to 2.6.3

2023-08-14 Thread Martin


On 2023-08-14 11:38, David Sommerseth wrote:
> Yes, this must go into the .ovpn file.  And it might very much be that
> the NetworkManager-openvpn does not grok the compat-mode option - so
> you can't run it via NetworkManager.

Thanks! Fortunately, TIL, that $company will upgrade the firewall RSN,
so I will get a new OpenVPN (and/or some IPSec stuff).

Maybe I just keep my old openvpn package 2.5.6
("echo openvpn hold | sudo dpkg --set-selections")
for now to keep the convenience of using NetworkManager.

And hope, that it's only for a very short time...




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread tincantech via Openvpn-users

--- Original Message ---
On Monday, August 14th, 2023 at 22:11, Jason Long  wrote:


> On Mon, Aug 14, 2023 at 11:47 PM, tincantech wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > Hi,
> > 
> > --- Original Message ---
> > On Monday, August 14th, 2023 at 20:49, Jason Long  
> > wrote:
> > 
> > > On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
> > 
> > > >
> > > > Hello,
> > > > Thank you so much for your help.
> > > > I took a look at 
> > > > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
> > > > explained the capabilities of this option and did not provide any 
> > > > examples.
> > > > I did:
> > > > # mkdir /etc/openvpn/clients
> > > > # touch /etc/openvpn/clients/Client-1
> > > > Then, in server.conf:
> > > > client-config-dir clients 
> > > > ccd-exclusive
> > > > But, Windows client can't connect to the OpenVPN server and my 
> > > > connection restarted. Do I need to add something to the client 
> > > > configuration file?
> > 
> > No.
> > 
> > You have NEVER managed to have a client connect to your server.
> > Therefore, your question regarding this problem is irrelevant.
> > 
> > 
> > Hi,
> > Not really, you are wrong. I tested various scenarios and learned a lot from 
> > you and others. Now I want to learn this scenario, but unfortunately I 
> > could not find an article that teaches from the beginning. I would be 
> > grateful if you could tell me where the problem is.


There are many reasons which could explain your problem:
* You may be using a server with multiple NICs, which is configured
  incorrectly.
* You may have configured your network routing incorrectly.
* You may have configured --ccd-exclusive incorrectly.
* You may have some other unknown problem.

Regarding the issue above, if you want to verify that --ccd-exclusive is
working correctly then simply remove 'ccd-exclusive' from your server config,
restart your server and try to connect again. If your client can now connect
then --ccd-exclusive was successfully rejecting your client because there
was no CCD file for that client.

HTH
tct



Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Jason Long via Openvpn-users
On Mon, Aug 14, 2023 at 8:22 PM, Gert Doering wrote:

> Hi,
>
> On Mon, Aug 14, 2023 at 01:59:32PM +, Jason Long wrote:
> > But I am sure that in a real environment such a scenario can also exist.
> > Consider an internal network where users connect to an internal OpenVPN 
> > server and this server has several NICs with different IP addresses that are 
> > connected to the Internet. Now you want to connect a group of users to a 
> > specific NIC. For example, users with an IP address in the range of 
> > 192.168.1.0-254 should connect to a NIC with an IP address of 10.0.0.10, and 
> > the rest of the clients with other ranges should be connected to other NICs.
>
> If routing is set up properly (DHCP, default gateway, etc), packets will
> arrive at the server and things will work.
>
> If not, there is no magic way to make clients know "ey, for 10.0.0.10,
> send packets by magic to *that* server".

Hi Gert,
Thank you so much for your reply.
I guess that I must enable some statements about the DHCP and DNS in the server.conf file.
I will test it.

> gert
> -- 
> "If was one thing all people took for granted, was conviction that if you 
>  feed honest figures into a computer, honest figures come out. Never doubted 
>  it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                            g...@greenie.muc.de
  


Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Jason Long via Openvpn-users
On Mon, Aug 14, 2023 at 6:25 PM, Bruno Tréguier via Openvpn-users wrote:

> Hello,
>
> On 14/08/2023 at 15:59, Jason Long via Openvpn-users wrote:
> > Hi,
> > Thank you so much.
> > But I am sure that in a real environment such a scenario can also exist.
> > Consider an internal network where users connect to an internal OpenVPN 
> > server and this server has several NICs with different IP addresses that are 
> > connected to the Internet. Now you want to connect a group of users to a 
> > specific NIC. For example, users with an IP address in the range of 
> > 192.168.1.0-254 should connect to a NIC with an IP address of 10.0.0.10, and 
> > the rest of the clients with other ranges should be connected to other NICs.
> > What are you doing?
>
> Route and/or NAT things correctly...
>
> Even before considering OpenVPN or any other VPN mechanism, make sure 
> everything is correctly routed. Each client machine should be able to 
> ping (if you allow ICMP echo/reply) the VPN server they should be 
> connecting to. If necessary and if possible, allow it temporarily to 
> make sure the routes are correctly set up.
>
> What I mean is that, as I understand things, and as tincantech just told 
> you, your issue is *not* OpenVPN-related. It's a basic network problem. 
> Make sure everything is ok network-wise before trying to use 
> applications, especially ones which are sometimes tricky to set up.
>
> Regards, Bruno

Hi Bruno,
Thank you so much for your reply.
Both (Server and Client) can ping each other and without the local statement
my client can connect to the OpenVPN server.
My client connects to the server via an internal network:
Server: 192.168.1.20
Client: 192.168.1.21




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread André via Openvpn-users
Hi,

Howto is here:
https://community.openvpn.net/openvpn/wiki/HOWTO

wkr
Pippin
--- Original Message ---
On Monday, August 14th, 2023 at 23:11, Jason Long via Openvpn-users 
 wrote:

> On Mon, Aug 14, 2023 at 11:47 PM, tincantech wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Hi,
>>
>> --- Original Message ---
>> On Monday, August 14th, 2023 at 20:49, Jason Long  
>> wrote:
>>
>>> On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
>>
>>> >
>>> > Hello,
>>> > Thank you so much for your help.
>>> > I took a look at 
>>> > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
>>> > explained the capabilities of this option and did not provide any 
>>> > examples.
>>> > I did:
>>> > # mkdir /etc/openvpn/clients
>>> > # touch /etc/openvpn/clients/Client-1
>>> > Then, in server.conf:
>>> > client-config-dir clients
>>> > ccd-exclusive
>>> > But, Windows client can't connect to the OpenVPN server and my connection 
>>> > restarted. Do I need to add something to the client configuration file?
>>
>> No.
>>
>> You have NEVER managed to have a client connect to your server.
>> Therefore, your question regarding this problem is irrelevant.
>>
>> Hi,
>> Not really, you are wrong. I tested various scenarios and learned a lot from you 
>> and others. Now I want to learn this scenario, but unfortunately I could not 
>> find an article that teaches from the beginning. I would be grateful if you 
>> could tell me where the problem is.
>>
>> HTH
>> tct


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread Jason Long via Openvpn-users
On Mon, Aug 14, 2023 at 11:47 PM, tincantech wrote:

Hi,

--- Original Message ---
On Monday, August 14th, 2023 at 20:49, Jason Long  wrote:

> On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:

> > 
> > Hello,
> > Thank you so much for your help.
> > I took a look at 
> > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
> > explained the capabilities of this option and did not provide any examples.
> > I did:
> > # mkdir /etc/openvpn/clients
> > # touch /etc/openvpn/clients/Client-1
> > Then, in server.conf:
> > client-config-dir clients 
> > ccd-exclusive
> > But, Windows client can't connect to the OpenVPN server and my connection 
> > restarted. Do I need to add something to the client configuration file?

No.

You have NEVER managed to have a client connect to your server.
Therefore, your question regarding this problem is irrelevant.

Hi,
Not really, you are wrong. I tested various scenarios and learned a lot from you
and others. Now I want to learn this scenario, but unfortunately I could not
find an article that teaches from the beginning. I would be grateful if you
could tell me where the problem is.

HTH
tct


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread tincantech via Openvpn-users

Hi,

--- Original Message ---
On Monday, August 14th, 2023 at 20:49, Jason Long  wrote:

> On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:

> > 
> > Hello,
> > Thank you so much for your help.
> > I took a look at 
> > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
> > explained the capabilities of this option and did not provide any examples.
> > I did:
> > # mkdir /etc/openvpn/clients
> > # touch /etc/openvpn/clients/Client-1
> > Then, in server.conf:
> > client-config-dir clients 
> > ccd-exclusive
> > But, Windows client can't connect to the OpenVPN server and my connection 
> > restarted. Do I need to add something to the client configuration file?

No.

You have NEVER managed to have a client connect to your server.
Therefore, your question regarding this problem is irrelevant.

HTH
tct


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread Jason Long via Openvpn-users
On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
--- Original Message ---
On Monday, August 14th, 2023 at 14:13, Jason Long via Openvpn-users 
 wrote:


> Hello,
> To increase the security of OpenVPN, I want to use the ccd-exclusive.

--ccd-exclusive does not "increase the security of OpenVPN".
What it does is to provide a server with a convenient way to temporarily
disable certain clients by client commonName.

This convenience means that the client certificate does not need to be
revoked.  And the client can have access to the server restored simply
by (re-)creating a CCD file.

--ccd-exclusive means that the server will ONLY allow clients access
if they have a CCD file in the folder configured by --client-connect-dir.



> I googled it, but I could not find a good example. I just found the following 
> question:
> 
> https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

I strongly recommend that your search starts with the Openvpn manual:
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html

EVERY option is described in the manual.



> But, I really don't know what to do.
> I must create a directory under the "/etc/openvpn", then create a file with 
> the name of clients in it? For example, if my Windows client host name is 
> "Client-1", then:
> 
> # mkdir /etc/openvpn/clients
> # touch /etc/openvpn/clients/Client-1
> 
> Then, in server.conf:
> 
> client-config-dir clients
> ccd-exclusive
> 
> Am I right?

Yes.

However, I strongly recommend that you learn the difference between
"absolute paths" versus "relative paths". (Out of scope for this mailing list)



> How about the client configuration? Do I need to add anything?

No.

Do exactly as the manual (above) describes.

HTH
tct



Hello,
Thank you so much for your help.
I took a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only
explained the capabilities of this option and did not provide any examples.
I did:
# mkdir /etc/openvpn/clients
# touch /etc/openvpn/clients/Client-1
Then, in server.conf:
client-config-dir clients
ccd-exclusive
But, Windows client can't connect to the OpenVPN server and my connection
restarted. Do I need to add something to the client configuration file?



Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Gert Doering
Hi,

On Mon, Aug 14, 2023 at 01:59:32PM +, Jason Long wrote:
> But I am sure that in a real environment such a scenario can also exist.
> Consider an internal network where users connect to an internal OpenVPN 
> server and this server has several NICs with different IP addresses that are 
> connected to the Internet. Now you want to connect a group of users to a 
> specific NIC. For example, users with an IP address in the range of 
> 192.168.1.0-254 should connect to a NIC with an IP address of 10.0.0.10, and 
> the rest of the clients with other ranges should be connected to other NICs.

If routing is set up properly (DHCP, default gateway, etc), packets will
arrive at the server and things will work.

If not, there is no magic way to make clients know "ey, for 10.0.0.10,
send packets by magic to *that* server".

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Bruno Tréguier via Openvpn-users

Hello,

On 14/08/2023 at 15:59, Jason Long via Openvpn-users wrote:

> Hi,
> Thank you so much.
> But I am sure that in a real environment such a scenario can also exist.
> Consider an internal network where users connect to an internal OpenVPN server 
> and this server has several NICs with different IP addresses that are connected 
> to the Internet. Now you want to connect a group of users to a specific NIC. 
> For example, users with an IP address in the range of 192.168.1.0-254 should 
> connect to a NIC with an IP address of 10.0.0.10, and the rest of the clients 
> with other ranges should be connected to other NICs.
> What are you doing?


Route and/or NAT things correctly...

Even before considering OpenVPN or any other VPN mechanism, make sure 
everything is correctly routed. Each client machine should be able to 
ping (if you allow ICMP echo/reply) the VPN server they should be 
connecting to. If necessary and if possible, allow it temporarily to 
make sure the routes are correctly set up.


What I mean is that, as I understand things, and as tincantech just told 
you, your issue is *not* OpenVPN-related. It's a basic network problem. 
Make sure everything is ok network-wise before trying to use 
applications, especially ones which are sometimes tricky to set up.


Regards, Bruno





Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Jason Long via Openvpn-users
> Hi,
>
> On Mon, Aug 14, 2023 at 10:51:41AM +, Jason Long wrote:
> > So, my iptables rules are OK and my problem is just my test environment.
> > If someone really has such an environment, then what is the solution?
>
> Build a proper test environment...  whatever you have at hand, either
> wire an OpenWRT router in between, or use virtual networks in vmware, 
> or use a client with an LTE uplink that comes back via your normal
> Internet connection, etc.
>
> This very much depends on what you have and what you actually want to
> test and simulate.


Hi,
Thank you so much.
But I am sure that in a real environment such a scenario can also exist.
Consider an internal network where users connect to an internal OpenVPN server 
and this server has several NICs with different IP addresses that are connected 
to the Internet. Now you want to connect a group of users to a specific NIC. 
For example, users with an IP address in the range of 192.168.1.0-254 should 
connect to a NIC with an IP address of 10.0.0.10, and the rest of the clients 
with other ranges should be connected to other NICs.
What are you doing?




> gert
>
> -- 
> "If was one thing all people took for granted, was conviction that if you 
>  feed honest figures into a computer, honest figures come out. Never doubted 
>  it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                            g...@greenie.muc.de




Re: [Openvpn-users] [ext] Re: Strange DCO && UDP problem

2023-08-14 Thread Ralf Hildebrandt via Openvpn-users
* Lev Stipakov :

> I checked the logs you've sent to me in private and data channel
> params are identical in both dco and non-dco cases.

Ah thanks for the feedback (and to all the others: The logs were
huge, that's why I sent them in private)
 
> It would be nice to get the logs from the driver when you get admin
> access to the Windows machine.

I will try that

> Also would be interesting to know if this is reproducible on more than
> one Windows machine. Which Windows version are you using?

Windows 10 Education (22H2)

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de




Re: [Openvpn-users] [ext] Re: Strange DCO && UDP problem

2023-08-14 Thread Lev Stipakov
I checked the logs you've sent to me in private and data channel
params are identical in both dco and non-dco cases.

It would be nice to get the logs from the driver when you get admin
access to the Windows machine.

Also would be interesting to know if this is reproducible on more than
one Windows machine. Which Windows version are you using?

-- 
-Lev


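The comparison Lev describes, parsing two verb 4 parameter dumps and listing the keys whose values differ, as an added example (not code from the thread or from OpenVPN). Both dumps are constructed: the first copies the line format of Ralf's log, the second is the same dump with two data-channel values altered so the diff has something to report.

```python
# Added for this thread (not project code): parse two "Current Parameter
# Settings" dumps as OpenVPN writes them at verb 4 and list the keys whose
# values differ, which is the comparison Lev describes.  Both dumps are
# constructed here: the first mirrors the line format of Ralf's log, the
# second is the same dump with mssfix and tun_mtu changed.
import re

# "<date> <time> us=<usec>   key = value"; section headers have no " = " and are skipped
LINE_RE = re.compile(r"^\S+ \S+ us=\d+\s+(?P<key>\w+) = (?P<value>.*)$")

# Parameters that shape the data channel; a DCO/non-DCO comparison starts here.
DATA_CHANNEL_KEYS = ("proto", "tun_mtu", "link_mtu", "fragment", "mssfix",
                     "mssfix_encap", "mssfix_fixed", "mtu_discover_type")

DUMP_A = """\
2023-08-14 12:54:38 us=859000 Current Parameter Settings:
2023-08-14 12:54:38 us=859000   config = 'chariteAD.ovpn'
2023-08-14 12:54:38 us=859000   mode = 0
2023-08-14 12:54:38 us=859000 Connection profiles [0]:
2023-08-14 12:54:38 us=859000   proto = udp
2023-08-14 12:54:38 us=859000   local = '[UNDEF]'
2023-08-14 12:54:38 us=859000   remote_port = '1194'
2023-08-14 12:54:38 us=859000   tun_mtu = 1500
2023-08-14 12:54:38 us=859000   link_mtu = 1500
2023-08-14 12:54:38 us=859000   fragment = 0
2023-08-14 12:54:38 us=859000   mssfix = 1400
2023-08-14 12:54:38 us=859000   mssfix_encap = DISABLED
2023-08-14 12:54:38 us=859000   key_direction = not set
2023-08-14 12:54:38 us=859000   tls_crypt_file = '[INLINE]'
2023-08-14 12:54:38 us=859000 Connection profiles END
"""

# Constructed variant: same client, two data-channel values altered.
DUMP_B = DUMP_A.replace("mssfix = 1400", "mssfix = 1300").replace("tun_mtu = 1500", "tun_mtu = 1400")


def parse_settings(dump):
    """Return {key: value} for every 'key = value' line; section headers are skipped."""
    settings = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("value").strip()
    return settings


def diff_settings(dump_a, dump_b, keys=None):
    """Keys whose values differ between the two dumps, as {key: (a, b)}.
    Restrict to `keys` (e.g. DATA_CHANNEL_KEYS) to focus the comparison;
    a key missing from one dump shows up as None on that side."""
    a, b = parse_settings(dump_a), parse_settings(dump_b)
    keys = keys if keys is not None else sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for key, (va, vb) in diff_settings(DUMP_A, DUMP_B, DATA_CHANNEL_KEYS).items():
        print(f"{key}: {va} -> {vb}")
```

Feed it the full DCO and non-DCO client logs and an empty result is the "params are identical" finding from the thread; anything listed is the first place to look before suspecting the driver.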


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread tincantech via Openvpn-users

--- Original Message ---
On Monday, August 14th, 2023 at 14:13, Jason Long via Openvpn-users 
 wrote:


> Hello,
> To increase the security of OpenVPN, I want to use the ccd-exclusive.

--ccd-exclusive does not "increase the security of OpenVPN".
What it does is to provide a server with a convenient way to temporarily
disable certain clients by client commonName.

This convenience means that the client certificate does not need to be
revoked.  And the client can have access to the server restored simply
by (re-)creating a CCD file.

--ccd-exclusive means that the server will ONLY allow clients access
if they have a CCD file in the folder configured by --client-connect-dir.



> I googled it, but I could not find a good example. I just found the following 
> question:
> 
> https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

I strongly recommend that your search starts with the Openvpn manual:
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html

EVERY option is described in the manual.



> But, I really don't know what to do.
> I must create a directory under the "/etc/openvpn", then create a file with 
> the name of clients in it? For example, if my Windows client host name is 
> "Client-1", then:
> 
> # mkdir /etc/openvpn/clients
> # touch /etc/openvpn/clients/Client-1
> 
> Then, in server.conf:
> 
> client-config-dir clients
> ccd-exclusive
> 
> Am I right?

Yes.

However, I strongly recommend that you learn the difference between
"absolute paths" versus "relative paths". (Out of scope for this mailing list)



> How about the client configuration? Do I need to add anything?

No.

Do exactly as the manual (above) describes.

HTH
tct

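An added model of the decision tincantech describes (example code for this digest, not OpenVPN's own): with `client-config-dir`, the server looks for a file named after the connecting client's certificate commonName, and with `ccd-exclusive` it rejects the client when that file is missing. It also covers the two traps raised in the thread: a relative `client-config-dir clients` is resolved against the directory the server runs in (assumed here to be its working directory), and the file name is the certificate CN, not the Windows host name. The name remapping (characters outside letters, digits, '_', '-', '.' and '@' become '_', leading '-' become '_') is an assumption about how OpenVPN sanitises the CN before using it as a file name; verify it against the version you run.

```python
# Added for this thread (not OpenVPN project code): a model of the decision a
# server makes with `client-config-dir` and `ccd-exclusive`.  Assumptions made
# here: a relative client-config-dir is resolved against the directory the
# server runs in, and the lookup name is the certificate commonName after
# characters outside letters, digits, '_', '-', '.' and '@' are replaced by
# '_' and leading '-' by '_'.  The directory layout is built in a temp dir.
import os
import re
import tempfile


def parse_directives(text):
    """Map each directive to its arguments; comments and blank lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def ccd_name(common_name):
    """Sanitised file name the server looks for (assumed remapping, see above):
    the CN is peer-supplied data and must never be used as a raw path."""
    name = re.sub(r"[^A-Za-z0-9_.@-]", "_", common_name)
    stripped = name.lstrip("-")
    return "_" * (len(name) - len(stripped)) + stripped


def ccd_decision(server_conf, common_name, working_dir):
    """Return ('accept'|'reject', reason) for a client whose certificate CN is common_name."""
    d = parse_directives(server_conf)
    if "client-config-dir" not in d:
        return "accept", "no client-config-dir, so ccd-exclusive has nothing to check"
    ccd_dir = d["client-config-dir"][0]
    if not os.path.isabs(ccd_dir):                 # the relative-path trap
        ccd_dir = os.path.join(working_dir, ccd_dir)
    ccd_file = os.path.join(ccd_dir, ccd_name(common_name))
    if os.path.isfile(ccd_file):
        return "accept", f"CCD file present: {ccd_file}"
    if "ccd-exclusive" in d:
        return "reject", f"ccd-exclusive set and no CCD file at {ccd_file}"
    return "accept", f"no CCD file at {ccd_file}, but ccd-exclusive is not set"


def demo():
    """Rebuild Jason's layout (clients/Client-1 under the OpenVPN directory)
    and report which combinations admit the client."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc", "openvpn")
        os.makedirs(os.path.join(etc, "clients"))
        open(os.path.join(etc, "clients", "Client-1"), "w").close()
        exclusive = "client-config-dir clients\nccd-exclusive\n"
        permissive = "client-config-dir clients\n"
        absolute = f"client-config-dir {os.path.join(etc, 'clients')}\nccd-exclusive\n"
        cases = {
            "CN Client-1, run from /etc/openvpn": ccd_decision(exclusive, "Client-1", etc),
            "CN Client-1, run from elsewhere": ccd_decision(exclusive, "Client-1", root),
            "CN Client-2 (no file)": ccd_decision(exclusive, "Client-2", etc),
            "CN Client-2, ccd-exclusive removed": ccd_decision(permissive, "Client-2", etc),
            "absolute client-config-dir": ccd_decision(absolute, "Client-1", root),
        }
        return {label: verdict for label, (verdict, _reason) in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:7} {label}")
```

Running the block prints one verdict per case. tincantech's test (drop `ccd-exclusive`, restart, reconnect) is the "ccd-exclusive removed" case: the client is admitted without a file, which confirms the earlier rejection came from the missing CCD file rather than from anything else in the setup.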


[Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread Jason Long via Openvpn-users
Hello,
To increase the security of OpenVPN, I want to use the ccd-exclusive. I googled 
it, but I could not find a good example. I just found the following question:

https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

But, I really don't know what to do.
I must create a directory under the "/etc/openvpn", then create a file with the 
name of clients in it? For example, if my Windows client host name is 
"Client-1", then:

# mkdir /etc/openvpn/clients
# touch /etc/openvpn/clients/Client-1

Then, in server.conf:

client-config-dir clients
ccd-exclusive

Am I right?
How about the client configuration? Do I need to add anything?


Thank you.




Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread tincantech via Openvpn-users

Hi,


--- Original Message ---
On Monday, August 14th, 2023 at 11:51, Jason Long  wrote:

> Hi,
> 
> On Mon, Aug 14, 2023 at 10:13:48AM +, Jason Long wrote:
> 



> If someone really has such an environment, then what is the solution?

This question is not related to Openvpn.

You must learn some basic networking knowledge via other means.
A book or online class, perhaps.

For now, I recommend that you DO NOT use a server with multiple NICs.
See if you can get a simple server to work first.

HTH
tct


Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Gert Doering
Hi,

On Mon, Aug 14, 2023 at 10:51:41AM +, Jason Long wrote:
> So, my iptables rules are OK and my problem is just my test environment.
> If someone really has such an environment, then what is the solution?

Build a proper test environment...   whatever you have at hand, either
wire an OpenWRT router in between, or use virtual networks in vmware, 
or use a client with an LTE uplink that comes back via your normal
Internet connection, etc.

This very much depends on what you have and what you actually want to
test and simulate.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] [ext] Re: Strange DCO && UDP problem

2023-08-14 Thread Lev Stipakov
Hi,

> Attached are the verb 4 logs from the client
> mssfix 1400 makes no difference, though

Sadly I could not find anything wrong there. Could you try with verb 6
please? And if possible the same with --disable-dco.

> > Does it reproduce on different client machines?
>
> Not sure yet.

By the way, how do you measure performance? iperf3?




Re: [Openvpn-users] [ext] Re: Strange DCO && UDP problem

2023-08-14 Thread Ralf Hildebrandt via Openvpn-users
> > Once I switch the 2.6.5 windows client (with DCO) to UDP mode, we
> > still have fast downstream (measured on the client, 644Mbit/s) but
> > only 0.76Mbit/s upstream.
> 
> Interesting. We haven't seen this before.

Thought so,

> > So it's some sort of DCO issue -- but only with UDP. Any ideas how we
> > could examine it further?
> 
> Anything interesting in server/client logs with verb 4?

Attached are the verb 4 logs from the client
mssfix 1400 makes no difference, though

> Logs from the DCO driver could be helpful.

I'll try that, but currently I have no elevated privileges on that
machine.

> Does it reproduce on different client machines?

Not sure yet.

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
2023-08-14 12:54:38 us=859000 Current Parameter Settings:
2023-08-14 12:54:38 us=859000   config = 'chariteAD.ovpn'
2023-08-14 12:54:38 us=859000   mode = 0
2023-08-14 12:54:38 us=859000   show_ciphers = DISABLED
2023-08-14 12:54:38 us=859000   show_digests = DISABLED
2023-08-14 12:54:38 us=859000   show_engines = DISABLED
2023-08-14 12:54:38 us=859000   genkey = DISABLED
2023-08-14 12:54:38 us=859000   genkey_filename = '[UNDEF]'
2023-08-14 12:54:38 us=859000   key_pass_file = '[UNDEF]'
2023-08-14 12:54:38 us=859000   show_tls_ciphers = DISABLED
2023-08-14 12:54:38 us=859000   connect_retry_max = 0
2023-08-14 12:54:38 us=859000 Connection profiles [0]:
2023-08-14 12:54:38 us=859000   proto = udp
2023-08-14 12:54:38 us=859000   local = '[UNDEF]'
2023-08-14 12:54:38 us=859000   local_port = '[UNDEF]'
2023-08-14 12:54:38 us=859000   remote = '193.175.73.163'
2023-08-14 12:54:38 us=859000   remote_port = '1194'
2023-08-14 12:54:38 us=859000   remote_float = DISABLED
2023-08-14 12:54:38 us=859000   bind_defined = DISABLED
2023-08-14 12:54:38 us=859000   bind_local = DISABLED
2023-08-14 12:54:38 us=859000   bind_ipv6_only = DISABLED
2023-08-14 12:54:38 us=859000   connect_retry_seconds = 1
2023-08-14 12:54:38 us=859000   connect_timeout = 120
2023-08-14 12:54:38 us=859000   socks_proxy_server = '[UNDEF]'
2023-08-14 12:54:38 us=859000   socks_proxy_port = '[UNDEF]'
2023-08-14 12:54:38 us=859000   tun_mtu = 1500
2023-08-14 12:54:38 us=859000   tun_mtu_defined = ENABLED
2023-08-14 12:54:38 us=859000   link_mtu = 1500
2023-08-14 12:54:38 us=859000   link_mtu_defined = DISABLED
2023-08-14 12:54:38 us=859000   tun_mtu_extra = 0
2023-08-14 12:54:38 us=859000   tun_mtu_extra_defined = DISABLED
2023-08-14 12:54:38 us=859000   tls_mtu = 1250
2023-08-14 12:54:38 us=859000   mtu_discover_type = -1
2023-08-14 12:54:38 us=859000   fragment = 0
2023-08-14 12:54:38 us=859000   mssfix = 1400
2023-08-14 12:54:38 us=859000   mssfix_encap = DISABLED
2023-08-14 12:54:38 us=859000   mssfix_fixed = DISABLED
2023-08-14 12:54:38 us=859000   explicit_exit_notification = 1
2023-08-14 12:54:38 us=859000   tls_auth_file = '[UNDEF]'
2023-08-14 12:54:38 us=859000   key_direction = not set
2023-08-14 12:54:38 us=859000   tls_crypt_file = '[INLINE]'
2023-08-14 12:54:38 us=859000   tls_crypt_v2_file = '[UNDEF]'
2023-08-14 12:54:38 us=859000 Connection profiles END
2023-08-14 12:54:38 us=859000   remote_random = ENABLED
2023-08-14 12:54:38 us=859000   ipchange = '[UNDEF]'
2023-08-14 12:54:38 us=859000   dev = 'tun'
2023-08-14 12:54:38 us=859000   dev_type = '[UNDEF]'
2023-08-14 12:54:38 us=859000   dev_node = '[UNDEF]'
2023-08-14 12:54:38 us=859000   tuntap_options.disable_dco = DISABLED
2023-08-14 12:54:38 us=859000   lladdr = '[UNDEF]'
2023-08-14 12:54:38 us=859000   topology = 1
2023-08-14 12:54:38 us=859000   ifconfig_local = '[UNDEF]'
2023-08-14 12:54:38 us=859000   ifconfig_remote_netmask = '[UNDEF]'
2023-08-14 12:54:38 us=859000   ifconfig_noexec = DISABLED
2023-08-14 12:54:38 us=859000   ifconfig_nowarn = DISABLED
2023-08-14 12:54:38 us=859000   ifconfig_ipv6_local = '[UNDEF]'
2023-08-14 12:54:38 us=859000   ifconfig_ipv6_netbits = 0
2023-08-14 12:54:38 us=859000   ifconfig_ipv6_remote = '[UNDEF]'
2023-08-14 12:54:38 us=859000   shaper = 0
2023-08-14 12:54:38 us=859000   mtu_test = 0
2023-08-14 12:54:38 us=859000   mlock = DISABLED
2023-08-14 12:54:38 us=859000   keepalive_ping = 0
2023-08-14 12:54:38 us=859000   keepalive_timeout = 0
2023-08-14 12:54:38 us=859000   inactivity_timeout = 0
2023-08-14 12:54:38 us=859000   session_timeout = 0
2023-08-14 12:54:38 us=859000   inactivity_minimum_bytes = 0
2023-08-14 12:54:38 us=859000   ping_send_timeout = 0
2023-08-14 12:54:38 us=859000   ping_rec_timeout = 0
2023-08-14 12:54:38 us=859000   ping_rec_timeout_action = 0
2023-08-14 12:54:38 us=859000   ping_timer_remote = DISABLED
2023-08-14 12:54:38 us=859000   remap_sigusr1 = 0
2023-08-14 12:54:38 us=859000   persist_tun = ENABLED
2023-08-14 12:54:38 us=859000   persist_local_ip = DISABLED
2023-08-14 12:54:38 us=859000  

Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Jason Long via Openvpn-users

Hi,

On Mon, Aug 14, 2023 at 10:13:48AM +, Jason Long wrote:

> And because my client does not have direct access to IP "20.1.1.20", then it 
> showed me that error. If my client connected to the OpenVPN server directly, 
> then I should not have such a problem. Am I right?


> You need to get your routing "outside of OpenVPN" sorted out before
> you can connect.  So, yes.



Hi Gert,
So, my iptables rules are OK and my problem is just my test environment.
If someone really has such an environment, then what is the solution?



gert
-- 
"If was one thing all people took for granted, was conviction that if you 
feed honest figures into a computer, honest figures come out. Never doubted 
it myself till I met a computer with a sense of humor."
                            Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                            g...@greenie.muc.de





Re: [Openvpn-users] Strange DCO && UDP problem

2023-08-14 Thread Lev Stipakov
Hi,

> Once I switch the 2.6.5 windows client (with DCO) to UDP mode, we
> still have fast downstream (measured on the client, 644Mbit/s) but
> only 0.76Mbit/s upstream.

Interesting. We haven't seen this before.

> So it's some sort of DCO issue -- but only with UDP. Any ideas how we
> could examine it further?

Anything interesting in server/client logs with verb 4?

Logs from the DCO driver could be helpful.

1) Start log collection by running this command under elevated prompt:

> wpr -start ovpn-dco-win.wprp

You can get ovpn-dco-win.wprp from
https://github.com/OpenVPN/ovpn-dco-win/blob/master/ovpn-dco-win.wprp

2) Reproduce the problem

3) Stop log collection:

> wpr -stop ovpn-dco-win.etl

And share the .etl file with us (feel free to open an issue on GitHub).

Does it reproduce on different client machines?




Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Gert Doering
Hi,

On Mon, Aug 14, 2023 at 10:13:48AM +, Jason Long wrote:
> And because my client does not have direct access to IP "20.1.1.20", then it 
> showed me that error. If my client connected to the OpenVPN server directly, 
> then I should not have such a problem. Am I right?

You need to get your routing "outside of OpenVPN" sorted out before
you can connect.  So, yes.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-users] Strange DCO && UDP problem

2023-08-14 Thread Ralf Hildebrandt via Openvpn-users
We have a setup with the server having no dco, but some clients do
have 2.6.5 and thus DCO enabled. Works like a charm in TCP mode
(upstream/downstream both high bandwidth).

Once I switch the 2.6.5 windows client (with DCO) to UDP mode, we
still have fast downstream (measured on the client, 644Mbit/s) but
only 0.76Mbit/s upstream.

Tried different servers: same problem. With TCP all is well, with UDP
upload sucks.

Disabling DCO: both with TCP and UDP all is well.

So it's some sort of DCO issue -- but only with UDP. Any ideas how we
could examine it further?

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de




Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Gert Doering
Hi,

On Mon, Aug 14, 2023 at 08:23:51AM +, Jason Long wrote:
> Mon Aug 14 12:52:03 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) 
> (fd=ec,code=10054)

"connection reset by peer" can mean a few things - "the server process
is not running", "there is an iptables rule that is not right" (and
packets are not permitted) or "there is something wrong with routing
or NAT towards this server", so packets never actually get there and
are rejected by something else on the way.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Jason Long via Openvpn-users

Hi,


--- Original Message ---
On Monday, August 14th, 2023 at 09:23, Jason Long via Openvpn-users 
 wrote:


> 
> Mon Aug 14 12:52:03 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) 
> (fd=ec,code=10054)
> 
> 
> 
> Which option is wrong?

> 

> This means that the client packets, sent to the server, are delivered to a
> server which is not listening on the IP:Port combination configured in the
> client --remote.



Hello,
I guess so too.
My OpenVPN test environment is:

OpenVPN Server : A VM with two NICs 
NAT: (10.0.2.15)
Internal Network: (192.168.1.20)

Client: A Windows OS with one NIC
Internal Network (192.168.1.21)


In the client configuration, I used:

client
dev tun20
proto udp
remote 192.168.1.20 2000

And because my client does not have direct access to IP "20.1.1.20", then it 
showed me that error. If my client connected to the OpenVPN server directly, 
then I should not have such a problem. Am I right?




Regards





Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread tincantech via Openvpn-users

Hi,


--- Original Message ---
On Monday, August 14th, 2023 at 09:23, Jason Long via Openvpn-users 
 wrote:

> 
> Mon Aug 14 12:52:03 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) 
> (fd=ec,code=10054)
> 
> 
> 
> Which option is wrong?
> 

This means that the client packets, sent to the server, are delivered to a
server which is not listening on the IP:Port combination configured in the
client --remote.

Regards




Re: [Openvpn-users] OpenVPN stopped working after upgrade from 2.5.6 to 2.6.3

2023-08-14 Thread David Sommerseth

On 13/08/2023 10:58, Martin wrote:

On 2023-08-13 08:52, Gert Doering wrote:

Run the client with --verb 3 or 4, have a close look at the logfile.

If there is nothing obvious to you, show us the log.


/var/log/openvpn/ is empty.
Probably I need to use journalctl ?


If the server runs 2.3.10 (which is, like, "ancient") then my guess is
that the server also runs "cipher BF-CBC", which is not considered a secure
cipher anymore - so 2.6 will not use that by default.

In this case, try adding

   cipher BF-CBC
   compat-mode 2.3.10


Adding

 cipher=BF-CBC
 compat-mode=2.3.10

to the [vpn] section of
/etc/NetworkManager/system-connections/MyConnection
did not help. Maybe this should go in my .opvn file.


Yes, this must go into the .ovpn file.  And it might very much be that 
the NetworkManager-openvpn does not grok the compat-mode option - so you 
can't run it via NetworkManager.



Now I try to use `openvpn` at the shell, and it complains about:

Options error: Unrecognized option or missing or extra parameter(s) in
u...@myconnection.ovpn:47: tls-remote (2.6.3)


The --tls-remote option was removed in OpenVPN 2.4.



to your client config (... and get company to upgrade to at least 2.5.x
as soon as possible).


Thanks for the headsup! I'll push them to do so as hard as I can :-)


Tell your IT folks about this page:


Make some fuss about the "End of life" date for OpenVPN 2.3.

No Linux/*BSD distribution which is valid (supported by the vendor) 
ships with OpenVPN 2.3.  RHEL/CentOS 7 + RHEL-8 are those shipping with 
OpenVPN 2.4.12 (via Fedora EPEL) - which are the oldest releases I'm 
aware of.  For RHEL/CentOS we also have separate Fedora Copr repos which 
ships both OpenVPN 2.5 [1] and OpenVPN 2.6 [2].


Even though OpenVPN 2.4 is from the OpenVPN community perspective EOL, I 
do support this release for the lifetime of RHEL-7 and RHEL-8 (I am the 
official Fedora/EPEL package manager for OpenVPN).  When needed security 
fixes are required - the OpenVPN 2.4 releases will be updated as needed. 
But only highly critical issues are being considered.


[1] 
[2] 


--
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Jason Long via Openvpn-users
Hi,

On Mon, Aug 14, 2023 at 06:33:52AM +, Jason Long wrote:
> Why without the local statement my OpenVPN worked?

As I explained weeks ago, the combination of "port" + "local IP" needs
to be unique.  So if you have only one OpenVPN process listening on
one port, you do not need to force the IP address to make the (port,IP)
tuple unique.

On a machine with multiple IP addresses and *no* --local binding, you will
need to use --multihome on UDP servers (otherwise OpenVPN might reply 
with a wrong source IP).

> When I see the error 10054, then this is related to the wrong firewall 
> settings or wrong port forwarding.

> I have no idea what an "error 10054" is.  If it's part of an OpenVPN
> error message, do post the full line +5 lines of context.



Hi,
Thanks again.
My OpenVPN server has multiple IP addresses and I want to run multiple OpenVPN 
servers on it.
My server configuration is:

port 2000
proto udp
dev tun20
local 20.1.1.20       # My virtual NIC
ca ca.crt
cert server.crt
key server.key                             
dh dh.pem
server 10.10.0.0 255.255.255.0               
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 192.168.1.20"
keepalive 10 120
tls-crypt ta.key 0                           
data-ciphers AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun


The client shows me the following error:

Mon Aug 14 12:52:02 2023 Note: --cipher is not set. OpenVPN versions before 2.5 
defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If 
you need this fallback please add '--data-ciphers-fallback BF-CBC' to your 
configuration and/or add BF-CBC to --data-ciphers.
Mon Aug 14 12:52:02 2023 Note: ovpn-dco-win driver is missing, disabling data 
channel offload.
Mon Aug 14 12:52:02 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] 
Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 
2023
Mon Aug 14 12:52:02 2023 Windows version 6.1 (Windows 7), amd64 executable
Mon Aug 14 12:52:02 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Mon Aug 14 12:52:02 2023 DCO version: v0
Mon Aug 14 12:52:02 2023 MANAGEMENT: TCP Socket listening on 
[AF_INET]127.0.0.1:25344
Mon Aug 14 12:52:02 2023 Need hold release from management interface, waiting...
Mon Aug 14 12:52:03 2023 MANAGEMENT: Client connected from 
[AF_INET]127.0.0.1:1032
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'state on'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'log on all'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'echo on all'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'bytecount 5'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'state'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'hold off'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'hold release'
Mon Aug 14 12:52:03 2023 TCP/UDP: Preserving recently used remote address: 
[AF_INET]192.168.1.20:2000
Mon Aug 14 12:52:03 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Aug 14 12:52:03 2023 UDPv4 link local: (not bound)
Mon Aug 14 12:52:03 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Mon Aug 14 12:52:03 2023 MANAGEMENT: >STATE:1692001323,WAIT,,
Mon Aug 14 12:52:03 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) 
(fd=ec,code=10054)



Which option is wrong?


gert
-- 
"If was one thing all people took for granted, was conviction that if you 
feed honest figures into a computer, honest figures come out. Never doubted 
it myself till I met a computer with a sense of humor."
                            Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                            g...@greenie.muc.de




Re: [Openvpn-users] Interesting read

2023-08-14 Thread Jan Just Keijser
(original message with the table in attachment is pending approval of a 
moderator)


On 11/08/2023 12:12, Jan Just Keijser wrote:

hi all,

interesting read:
  "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing 
Tables"

https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
especially the table on page 16+ (see attachment).

share and enjoy,

JJK



Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Gert Doering
Hi,

On Mon, Aug 14, 2023 at 06:33:52AM +, Jason Long wrote:
> Why without the local statement my OpenVPN worked?

As I explained weeks ago, the combination of "port" + "local IP" needs
to be unique.  So if you have only one OpenVPN process listening on
one port, you do not need to force the IP address to make the (port,IP)
tuple unique.

On a machine with multiple IP addresses and *no* --local binding, you will
need to use --multihome on UDP servers (otherwise OpenVPN might reply 
with a wrong source IP).

> When I see the error 10054, then this is related to the wrong firewall 
> settings or wrong port forwarding.

I have no idea what an "error 10054" is.  If it's part of an OpenVPN
error message, do post the full line +5 lines of context.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


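The three socket-level facts behind Gert's replies in this thread (the (port, IP) uniqueness rule, the wrong-source-IP reply that --multihome avoids, and what "connection reset by peer" on a UDP socket actually reports, from his earlier mail), reproduced on the loopback interface. This is an added example, not code from the list or from OpenVPN; it assumes Linux (IP_PKTINFO, and 127.0.0.2 being a local address), and every function name in it is mine.

```python
import errno
import socket
import struct

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # Linux value; older Pythons lack the constant
PKTINFO_FMT = "i4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)

def bind_conflict():
    """(port, IP) must be unique: a socket on 0.0.0.0:P blocks a second one on
    127.0.0.1:P. Returns True when the second bind fails with EADDRINUSE."""
    any_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    any_sock.bind(("0.0.0.0", 0))  # a server started without --local
    port = any_sock.getsockname()[1]
    local_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        local_sock.bind(("127.0.0.1", port))  # a second instance with --local
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        any_sock.close()
        local_sock.close()

def reply_source(multihome):
    """Server on 0.0.0.0 answers a client that sent to 127.0.0.2. Returns the
    reply's source IP as the client sees it: the kernel's own pick (127.0.0.1,
    wrong) or, with multihome, the original destination copied into IP_PKTINFO."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # report each datagram's destination
    srv.bind(("0.0.0.0", 0))
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind(("127.0.0.1", 0))
    cli.settimeout(2.0)
    cli.sendto(b"hello", ("127.0.0.2", port))  # the address the client was told to use
    _data, ancdata, _flags, peer = srv.recvmsg(64, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = [struct.unpack(PKTINFO_FMT, c[:PKTINFO_LEN])[2] for lvl, typ, c in ancdata
           if lvl == socket.IPPROTO_IP and typ == IP_PKTINFO][0]
    if multihome:  # ipi_spec_dst on send selects the outgoing source address
        info = struct.pack(PKTINFO_FMT, 0, dst, b"\0" * 4)
        srv.sendmsg([b"reply"], [(socket.IPPROTO_IP, IP_PKTINFO, info)], 0, peer)
    else:
        srv.sendto(b"reply", peer)
    _reply, (src, _srcport) = cli.recvfrom(64)
    srv.close()
    cli.close()
    return src

def closed_port_error():
    """Connected UDP socket sends to a loopback port with no listener. Returns the
    errno name the next recv() reports: ECONNREFUSED, Linux's WSAECONNRESET."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind(("127.0.0.1", 0))  # fix our own port before choosing a dead one
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()  # nothing listens on dead_port now
    cli.settimeout(2.0)
    cli.connect(("127.0.0.1", dead_port))
    cli.send(b"hello")
    try:
        cli.recv(64)
        return "OK"
    except ConnectionRefusedError as e:  # the ICMP port unreachable surfaces here
        return errno.errorcode[e.errno]
    finally:
        cli.close()
```

An OpenVPN client that is not told --float discards the reply_source(False) datagram because its source does not match --remote, which is why a multi-homed UDP server without --local looks "dead" to it.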


Re: [Openvpn-users] A question about the local statement

2023-08-14 Thread Jason Long via Openvpn-users
Hi,

On Sun, Aug 13, 2023 at 08:55:21PM +, Jason Long via Openvpn-users wrote:
> Hello,Is the local statement only for physical NICs or does it work for 
> virtual NICs as well?

As I wrote like 2 weeks ago, this is *all* about IP addresses, not about
NICs.


> As a consequence, it does not matter where you configure the IP addresses,
> as long as it is reachable from the outside (routing, ARP, etc.)



Hi,
Thank you so much.
Why did my OpenVPN work without the local statement?
When I see the error 10054, then this is related to the wrong firewall settings 
or wrong port forwarding.



gert

-- 
"If was one thing all people took for granted, was conviction that if you 
feed honest figures into a computer, honest figures come out. Never doubted 
it myself till I met a computer with a sense of humor."
                            Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                            g...@greenie.muc.de


