Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
> I added the following lines to my server.conf:
>
> client-config-dir myclient
> ccd-exclusive
> route 192.168.1.0 255.255.255.0

This tells the server "put routing towards 192.168.1.0 into the VPN", while 192.168.1.x is your LAN network. So this does not make sense.

> multihome
>
> Client showed me:
[..]
> Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session
> promoted to trusted

So the network between client and server is good now...

> Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED

... but the server refuses this client. So you must look into the server log to see why it does so.

My guess is that the ccd file you created does not have the right name (must match the CN in the client certificate), or is not in the right place, or you did a fancy thing with chroot (paths must match *inside* the chroot environment).

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
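The three causes Gert lists (wrong file name, wrong place, chroot) can be checked on the server host before the next connection attempt. The Python below is an added example, not OpenVPN's code or anything from the thread; it models the --ccd-exclusive authentication check and the CN-then-DEFAULT options lookup, assuming the CN is used verbatim as the file name and that, under --chroot, the configured directory is resolved below the chroot root.

```python
import os
import re
import tempfile

# Added example, not OpenVPN's own code. It models what the server does with
# --client-config-dir, so a ccd layout can be checked on the host before the
# next AUTH_FAILED: (1) the --ccd-exclusive authentication condition, which
# needs a file named exactly like the CN of the client certificate (the
# DEFAULT file does not count, and a CN of "DEFAULT" is refused); (2) the
# lookup that applies per-client options, CN file first, then DEFAULT.
# Assumptions: the CN is used verbatim as the file name (true for names made
# of letters, digits, '-', '_' and '.'), and after --chroot the configured
# path is resolved under the chroot root, i.e. the file must be at
# <chroot>/<ccd_dir> as seen from the host.
CCD_DEFAULT = "DEFAULT"

def cn_from_verify_line(line):
    """CN from a server-log 'VERIFY OK: depth=0, ...' line, or None."""
    m = re.search(r"VERIFY OK: depth=0, .*?CN=([^,]+)", line)
    return m.group(1).strip() if m else None

def host_path(ccd_dir, chroot=None):
    """The ccd directory as seen from the host (chroot assumption above)."""
    if chroot is None:
        return ccd_dir
    return os.path.join(chroot, ccd_dir.lstrip("/"))

def _is_plain_name(cn):
    # a CN is only ever a bare file name; anything path-like is rejected
    return bool(cn) and "/" not in cn and cn not in (".", "..")

def ccd_exclusive_ok(ccd_dir, cn, chroot=None):
    """Would --ccd-exclusive let a client with this CN authenticate?"""
    if not _is_plain_name(cn) or cn == CCD_DEFAULT:
        return False
    return os.path.isfile(os.path.join(host_path(ccd_dir, chroot), cn))

def ccd_options_file(ccd_dir, cn, chroot=None):
    """File whose options the server applies: CN file, else DEFAULT, else None."""
    if not _is_plain_name(cn):
        return None
    for name in (cn, CCD_DEFAULT):
        path = os.path.join(host_path(ccd_dir, chroot), name)
        if os.path.isfile(path):
            return path
    return None

def demo():
    """Constructed fixture mirroring the thread: ccd/Test-PC holding an iroute."""
    root = tempfile.mkdtemp(prefix="ccd-demo-")
    ccd = os.path.join(root, "etc", "openvpn", "ccd")
    os.makedirs(ccd)
    with open(os.path.join(ccd, "Test-PC"), "w") as f:
        f.write("iroute 192.168.1.0 255.255.255.0\n")
    with open(os.path.join(ccd, CCD_DEFAULT), "w") as f:
        f.write("# constructed DEFAULT file\n")
    cn = cn_from_verify_line("VERIFY OK: depth=0, C=XX, O=Example, CN=Test-PC")
    return {
        "exact": ccd_exclusive_ok(ccd, cn),                  # file name equals CN
        "default_only": ccd_exclusive_ok(ccd, "Other-PC"),   # DEFAULT does not satisfy exclusive
        "cn_default": ccd_exclusive_ok(ccd, CCD_DEFAULT),    # nor does a CN of "DEFAULT"
        "traversal": ccd_exclusive_ok(ccd, "../server.conf"),
        "chroot": ccd_exclusive_ok("/etc/openvpn/ccd", cn, chroot=root),
        "options_other": os.path.basename(ccd_options_file(ccd, "Other-PC") or ""),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When this check fails on a real server, the server log carries a "TLS Auth Error: --client-config-dir authentication failed for common name ..." line naming the CN and the file it looked for, which is the quickest way to spot a name or path mismatch.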
Re: [Openvpn-users] How to use ccd-exclusive statement?
> Hi,
>
> On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> > I did a tcpdump:
> >
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
>
> Client is sending to ip A.
>
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
>
> ... and server is replying from IP B.
>
> Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to *that* IP.
>
> (I said it before: if a machine has multiple IP addresses and you use UDP, you *must* use --multihome on the server)
>
> gert

Hi Gert,
I added the following lines to my server.conf:

client-config-dir myclient
ccd-exclusive
route 192.168.1.0 255.255.255.0
multihome

Client showed me:

Wed Aug 16 11:01:38 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Aug 16 11:01:38 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Wed Aug 16 11:01:38 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Wed Aug 16 11:01:38 2023 Windows version 6.1 (Windows 7), amd64 executable
Wed Aug 16 11:01:38 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Wed Aug 16 11:01:38 2023 DCO version: v0
Wed Aug 16 11:01:38 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Wed Aug 16 11:01:38 2023 Need hold release from management interface, waiting...
Wed Aug 16 11:01:38 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1031
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'state on'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'log on all'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'echo on all'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'bytecount 5'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'state'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold off'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold release'
Wed Aug 16 11:01:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 16 11:01:39 2023 UDPv4 link local: (not bound)
Wed Aug 16 11:01:39 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,
Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, sid=2e7d21e3 db47853e
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY KU OK
Wed Aug 16 11:01:39 2023 Validating certificate extended key usage
Wed Aug 16 11:01:39 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 16 11:01:39 2023 VERIFY EKU OK
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server
Wed Aug 16 11:01:39 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Wed Aug 16 11:01:39 2023 [server] Peer Connection Initiated with [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED
Wed Aug 16 11:01:39 2023 SIGUSR1[soft,auth-failure] received, process restarting
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,RECONNECTING,auth-failure,
Wed Aug 16 11:01:39 2023 Restart pause, 1 second(s)

What is your opinion?

> -- 
> "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Tue, Aug 15, 2023 at 5:57 PM, tincantech wrote:
> Hi,
>
> --- Original Message ---
> On Tuesday, August 15th, 2023 at 15:02, Gert Doering wrote:
> > Hi,
> >
> > On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> > > I did a tcpdump:
> > >
> > > # tcpdump --interface any udp port 2000 -n -v
> > > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> > >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
> >
> > Client is sending to ip A.
> >
> > > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> > >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
> >
> > ... and server is replying from IP B.
> >
> > Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to that IP.
> >
> > (I said it before: if a machine has multiple IP addresses and you use UDP, you must use --multihome on the server)
>
> Thank you for that insightful observation Gert.
>
> However, this behavior does not correlate with Jason's claim that "Without --ccd-exclusive the client *can* connect".
>
> As I told Jason before, start with a simple server, that does not have multiple NICs.
>
> Regards
> tct

Hello,
As I told you, when I removed the --ccd-exclusive statement, then my server worked and I am trying to learn different scenarios.
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Tue, Aug 15, 2023 at 5:33 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> > I did a tcpdump:
> >
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
>
> Client is sending to ip A.
>
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
>
> ... and server is replying from IP B.
>
> Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to *that* IP.
>
> (I said it before: if a machine has multiple IP addresses and you use UDP, you *must* use --multihome on the server)
>
> gert

Hello Gert,
I used the multihome statement and when the client tries to connect to the server, the connection is repeatedly reset. I will show you the log tomorrow.

> -- 
> "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Strange DCO && UDP problem
Yeah there is definitely something wrong with dco driver behavior on that Windows machine. Looks like some TCP packets (running over UDP tunnel) got lost?

There is more we could do to look into it, but I need some time to prepare necessary steps. Meanwhile it would be nice to test from a different Windows machine. Also is there any chance for me to connect to that server?

On Tue, 15 Aug 2023 at 15:19 Ralf Hildebrandt (ralf.hildebra...@charite.de) wrote:
>
> > Does it reproduce on different client machines?
>
> I was able to reproduce it with a windows client against three different openvpn servers (all linux)
>
> On the other hand I was able to use a 2.6.5 openvpn on Linux in UDP mode DCO on linux (against the same set of servers) with no manifestation of the upload issue.
>
> I performed a bandwidth test on the Windows machine with interesting results (see attached screenshot); it seems data is being transferred in "bursts".
>
> -- 
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> IT Division | Network Department
>
> Campus Benjamin Franklin (CBF)
> Building I | 1st floor | Room 105
> Hindenburgdamm 30 | D-12203 Berlin
>
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de

-- 
-Lev
Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 15:02, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> > I did a tcpdump:
> >
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
>
> Client is sending to ip A.
>
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
>
> ... and server is replying from IP B.
>
> Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to that IP.
>
> (I said it before: if a machine has multiple IP addresses and you use UDP, you must use --multihome on the server)

Thank you for that insightful observation Gert.

However, this behavior does not correlate with Jason's claim that "Without --ccd-exclusive the client *can* connect".

As I told Jason before, start with a simple server, that does not have multiple NICs.

Regards
tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> I did a tcpdump:
>
> # tcpdump --interface any udp port 2000 -n -v
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
>     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54

Client is sending to ip A.

> 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
>     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66

... and server is replying from IP B.

Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to *that* IP.

(I said it before: if a machine has multiple IP addresses and you use UDP, you *must* use --multihome on the server)

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
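The mismatch Gert reads off the capture (client sends to one address, the server answers from another) can be pulled out of tcpdump output mechanically, and the reason it matters is that an OpenVPN client without --float rejects packets arriving from a peer address other than the one it sent to, so the TLS handshake times out. The Python below is an added example, not part of the thread or of OpenVPN; it parses tcpdump's UDP flow lines and reports replies whose source differs from the address the client used, with the capture quoted in the thread as its sample input.

```python
import re

# Added example, not from the thread. It automates the check Gert does by
# eye over 'tcpdump -n -v' output: for every datagram a client sends to
# <server_ip>:<port>, the reply must come back from that same address and
# port, or the client will not accept it as coming from its peer (the client
# logs it as a packet from an unexpected source unless --float is set).
# A server with several addresses answering from the "wrong" one is the case
# --multihome exists for. CAPTURE is the capture quoted in the thread.
CAPTURE = """\
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
08:51:03.573953 IP (tos 0x0, ttl 128, id 893, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:51:03.574449 IP (tos 0x0, ttl 64, id 26863, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
"""

# 'src_ip.src_port > dst_ip.dst_port: UDP, length N' as tcpdump -n prints it;
# searched rather than anchored so the one-line layout without -v also matches
FLOW = re.compile(
    r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length \d+"
)

def parse_udp_flows(text):
    """(src_ip, src_port, dst_ip, dst_port) for every UDP flow line in text."""
    flows = []
    for line in text.splitlines():
        m = FLOW.search(line)
        if m:
            src_ip, src_port, dst_ip, dst_port = m.groups()
            flows.append((src_ip, int(src_port), dst_ip, int(dst_port)))
    return flows

def asymmetric_replies(flows, server_port):
    """Replies that come from an address the client did not send to.

    Returns [(client, sent_to, replied_from)] as 'ip:port' strings, one entry
    per offending datagram, in capture order. Only traffic to or from
    server_port is considered, so unrelated UDP noise in a capture is ignored.
    """
    last_sent_to = {}   # client 'ip:port' -> server address it last used
    problems = []
    for src_ip, src_port, dst_ip, dst_port in flows:
        if dst_port == server_port:             # client -> server
            last_sent_to[f"{src_ip}:{src_port}"] = f"{dst_ip}:{dst_port}"
        elif src_port == server_port:           # server -> client
            client = f"{dst_ip}:{dst_port}"
            replied_from = f"{src_ip}:{src_port}"
            expected = last_sent_to.get(client)
            if expected is not None and replied_from != expected:
                problems.append((client, expected, replied_from))
    return problems

def analyse(text, server_port=2000):
    """Parse a capture and return its asymmetric replies for server_port."""
    return asymmetric_replies(parse_udp_flows(text), server_port)

if __name__ == "__main__":
    for client, expected, got in analyse(CAPTURE):
        print(f"{client} sent to {expected} but the reply came from {got}: "
              "point the client at that address or add --multihome on the server")
```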
Re: [Openvpn-users] How to use ccd-exclusive statement?
> Hi,
>
> --- Original Message ---
> On Tuesday, August 15th, 2023 at 10:57, Jason Long wrote:
> > Hello,
> > My OpenVPN server internal network IP is "192.168.1.20" and the IP address of client is "192.168.1.21". Both VMs can ping each other.
> >
> > According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the following steps:
> >
> > # mkdir /etc/openvpn/ccd
> > # nano /etc/openvpn/server.conf
> >
> > client-config-dir ccd
> > ccd-exclusive
> > route 192.168.1.0 255.255.255.0
> >
> > Then:
> >
> > # touch /etc/openvpn/ccd/Test-PC
> > # nano /etc/openvpn/ccd/Test-PC
> >
> > iroute 192.168.1.0 255.255.255.0
> >
> > After it, I started the OpenVPN service and it worked. On client, when I want to connect to my OpenVPN server, then it showed me:
> >
> > Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> > Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed
> >
> > I take a look at "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/" too.
> >
> > When I removed the following lines from my server.conf, then my client can connect to the server:
> >
> > client-config-dir ccd
> > ccd-exclusive
> > route 192.168.1.0 255.255.255.0
> >
> > How can I solve it?
>
> As I have already explained: If your client can only connect when you remove 'ccd-exclusive' from your server config, this means that there is not a CCD file for the client that is trying to connect.
>
> > I changed protocol from UDP to TCP, but problem was not solved.
>
> If you were a pilot, I would go by train.
>
> HTH
> tct

Hello,
You said "this means that there is not a CCD file for the client that is trying to connect", then what does this mean:

# touch /etc/openvpn/ccd/Test-PC
# nano /etc/openvpn/ccd/Test-PC

iroute 192.168.1.0 255.255.255.0

And about change from UDP to TCP:
https://serverfault.com/questions/765521/openvpn-issue-tls-key-negotiation-failed-to-occur-within-60-seconds
https://support.nordvpn.com/Connectivity/1061816172/Issue-TLS-key-negotiation-failed-to-occur.htm

I did a tcpdump:

# tcpdump --interface any udp port 2000 -n -v
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
08:51:03.573953 IP (tos 0x0, ttl 128, id 893, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:51:03.574449 IP (tos 0x0, ttl 64, id 26863, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
Re: [Openvpn-users] How to use ccd-exclusive statement?
Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 10:57, Jason Long wrote:
> Hello,
> My OpenVPN server internal network IP is "192.168.1.20" and the IP address of client is "192.168.1.21". Both VMs can ping each other.
>
> According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the following steps:
>
> # mkdir /etc/openvpn/ccd
> # nano /etc/openvpn/server.conf
>
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
>
> Then:
>
> # touch /etc/openvpn/ccd/Test-PC
> # nano /etc/openvpn/ccd/Test-PC
>
> iroute 192.168.1.0 255.255.255.0
>
> After it, I started the OpenVPN service and it worked. On client, when I want to connect to my OpenVPN server, then it showed me:
>
> Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed
>
> I take a look at "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/" too.
>
> When I removed the following lines from my server.conf, then my client can connect to the server:
>
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
>
> How can I solve it?

As I have already explained: If your client can only connect when you remove 'ccd-exclusive' from your server config, this means that there is not a CCD file for the client that is trying to connect.

> I changed protocol from UDP to TCP, but problem was not solved.

If you were a pilot, I would go by train.

HTH
tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
> --- Original Message ---
> On Monday, August 14th, 2023 at 22:11, Jason Long wrote:
> > On Mon, Aug 14, 2023 at 11:47 PM, tincantech wrote:
> > > Hi,
> > >
> > > --- Original Message ---
> > > On Monday, August 14th, 2023 at 20:49, Jason Long wrote:
> > > > On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
> > > >
> > > > Hello,
> > > > Thank you so much for your help.
> > > > I take a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only explained the capabilities of this option and did not provide any examples.
> > > > I did:
> > > > # mkdir /etc/openvpn/clients
> > > > # touch /etc/openvpn/clients/Client-1
> > > > Then, in server.conf:
> > > > client-config-dir clients
> > > > ccd-exclusive
> > > > But, Windows client can't connect to the OpenVPN server and my connection restarted. Do I need to add something to the client configuration file?
> > >
> > > No.
> > >
> > > You have NEVER managed to have a client connect to your server. Therefore, your question regarding this problem is irrelevant.
> >
> > Hi,
> > Not really, you're wrong. I tested various scenarios and learned a lot from you and others. Now I want to learn this scenario, but unfortunately I could not find an article that teaches from the beginning. I would be grateful if you could tell me where the problem is.
>
> There are many reasons which could explain your problem:
>
> * You may be using a server with multiple NICs, which is configured incorrectly.
> * You may have configured your network routing incorrectly.
> * You may have configured --ccd-exclusive incorrectly.
> * You may have some other unknown problem.
>
> Regarding the issue above, if you want to verify that --ccd-exclusive is working correctly then simply remove 'ccd-exclusive' from your server config, restart your server and try to connect again. If your client can now connect then --ccd-exclusive was successfully rejecting your client because there was no CCD file for that client.
>
> HTH
> tct

Hello,
My OpenVPN server internal network IP is "192.168.1.20" and the IP address of client is "192.168.1.21". Both VMs can ping each other.

According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the following steps:

# mkdir /etc/openvpn/ccd
# nano /etc/openvpn/server.conf

client-config-dir ccd
ccd-exclusive
route 192.168.1.0 255.255.255.0

Then:

# touch /etc/openvpn/ccd/Test-PC
# nano /etc/openvpn/ccd/Test-PC

iroute 192.168.1.0 255.255.255.0

After it, I started the OpenVPN service and it worked. On client, when I want to connect to my OpenVPN server, then it showed me:

Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed

I take a look at "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/" too.

When I removed the following lines from my server.conf, then my client can connect to the server:

client-config-dir ccd
ccd-exclusive
route 192.168.1.0 255.255.255.0

How can I solve it?
I changed protocol from UDP to TCP, but problem was not solved.