Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Bo Berglund
On Wed, 16 Aug 2023 21:28:29 + (UTC), Jason Long via Openvpn-users
 wrote:

>Hi Jochen, Thank you for your advice about the How-to articles. Can you answer
>my questions?

>1- What is the difference between /etc/openvpn and /etc/openvpn/server 
>directories?
>   I put my server.conf file in the /etc/openvpn directory and it worked.

You are running an *old* version of OpenVPN! The service infrastructure has
changed and OpenVPN now defaults to using two subdirectories (client and server)
to /etc/openvpn to handle the two different uses of it.
Please read up on how it works in the new docs.

>2- You said "./easyrsa sign-req client client", make those unique ideally per 
>device,
>not just per user. How to make it unique per user?

You have to generate *separate* encryption files for each client where the CN
entry is *unique*, otherwise the server can never differentiate between them and
you cannot allow/block clients individually.
Also you open for abuse of your server.

>If I have 1000 clients, then I must generate 1000 key files???

Exactly!

>3- For the CA certificate, I must use "Server" not "server". May I ask why?

So you are not aware that Linux is case sensitive?
"Server" is NOT equal to "server"...
So what you use depends on what *exact* name you set the CN to when generating
the files.


-- 
Bo Berglund
Developer in Sweden



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jochen Bern

On 16.08.23 23:28, Jason Long wrote:
> 1- What is the difference between /etc/openvpn and /etc/openvpn/server
> directories?


The systemd "unit files" that define the templates for the services you 
"systemctl" later on used to expect all configs - whether for a server 
or a client instance - to be named /etc/openvpn/SomeInstanceName.conf , 
i.e., configs for both modes would sit together. Later versions of 
systemd-enabled OpenVPN split that into /etc/openvpn/client and 
/etc/openvpn/server , respectively.



> I put my server.conf file in the /etc/openvpn directory and it worked.


Then I'd say that your Debian 12 still uses the old convention, as did 
the how-to's Debian 10. (Over here, RHEL, Fedora, and IIRC Ubuntu as 
well take the new directories instead.)



> 2- You said [...] make those unique ideally per device, not just per
> user. How to make it unique per user? If I have 1000 clients, then
> I must generate 1000 key files???


Yes. By default, if several clients use the same cert+key, they'll keep 
pushing each other out of the VPN. Also, if you need to shut clients out 
of the service, revoking a cert is how you do it - *all* clients using 
that one cert will have their VPN access disabled, so clients sharing 
certs likely isn't what you want even if you disable the former default 
behavior.


Also note that with "server ..." specifying only a /24 for an address 
pool, and with Windows clients (so that you can't use "topology p2p"), 
your VPN server will actually be limited to 64 simultaneous clients, 
anyway. 1000 clients at once require at least a /20.



> 3- For the CA certificate, I must use "Server" not "server". May I ask why?


I never said that. If anything, the CN of your CA cert should mention 
"CA" somewhere, and *not* "server", no matter the capitalization.



> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server


This shows that your client presents a cert with CN "server" as its 
*client* cert (the procedure in the how-to should result in a client 
cert with CN "client"), which verifies OK against a CA cert with a CN of 
"Server" (the how-to suggests that it should be "server", as misguided 
as that seems). Hence, either your client uses the *wrong* cert, or you 
misnamed the certs as you created them (even more than that how-to 
instructs you to).


Anyway, in order to create a CCD file for your client using the cert it 
uses *now*, the CCD file would need to be named "server".


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
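To turn Jochen's reading of the VERIFY lines into something you can run against your own server log and client-config-dir, here is an added example (my code, not from this thread and not from the OpenVPN project). It pulls the depth=0 (client) and depth=1 (issuer) CNs out of "VERIFY OK" lines, looks for the matching CCD file, and flags the pitfalls discussed in this thread: no CCD file while ccd-exclusive is set (AUTH_FAILED), a file that differs from the CN only in case, and a client CN that is a template name or equals the CA's CN. The CN-to-filename mapping (keep letters, digits, '_', '-', '.', '@', replace the rest with '_') is my understanding of OpenVPN's common-name remapping and is marked as an assumption in the code; the sample log lines are the ones quoted above and the "Test-PC" CCD file is constructed.

```python
import re
import tempfile
from pathlib import Path

# 'VERIFY OK: depth=N, <subject>' lines from an OpenVPN server log. depth=0 is
# the certificate the connecting client presented, depth=1 the CA that signed it.
VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+), (.*)$")
CN_RE = re.compile(r"(?:^|, ?)CN=([^,]+)")


def ccd_filename(cn):
    """File name OpenVPN looks up under client-config-dir for a client CN.
    Assumption made in this example: letters, digits, '_', '-', '.' and '@'
    are kept and every other character is replaced by '_'."""
    return re.sub(r"[^A-Za-z0-9_.@-]", "_", cn)


def cert_chain_from_log(lines):
    """Return {depth: CN} for the VERIFY OK lines of one handshake."""
    chain = {}
    for line in lines:
        m = VERIFY_RE.search(line)
        if not m:
            continue
        cn = CN_RE.search(m.group(2))
        if cn:
            chain[int(m.group(1))] = cn.group(1).strip()
    return chain


def check_ccd(chain, ccd_dir, ccd_exclusive=True):
    """Return (ok, findings): does the logged client have its CCD file?"""
    client_cn, ca_cn = chain.get(0), chain.get(1)
    if client_cn is None:
        return False, ["FAIL: no depth=0 VERIFY OK line; the client cert did not verify"]
    wanted = ccd_filename(client_cn)
    present = {p.name for p in Path(ccd_dir).iterdir()}
    ok = wanted in present          # exact, case-sensitive match, as the OS does it
    findings = []
    if ok:
        findings.append(f"OK: CCD file {wanted!r} exists for client CN {client_cn!r}")
    else:
        msg = f"FAIL: no CCD file {wanted!r} in {ccd_dir}"
        if ccd_exclusive:
            msg += "; with ccd-exclusive this client is refused (AUTH_FAILED)"
        findings.append(msg)
        for name in present:
            if name.lower() == wanted.lower():
                findings.append(f"WARN: {name!r} differs from {wanted!r} only in case; "
                                "file names are case sensitive")
    if client_cn.lower() in ("client", "server"):
        findings.append(f"WARN: client CN {client_cn!r} is a template name; issue one "
                        "cert per device with a unique CN")
    if ca_cn is not None and ca_cn.lower() == client_cn.lower():
        findings.append(f"WARN: client CN {client_cn!r} equals the CA CN {ca_cn!r}; "
                        "the client is probably configured with the wrong cert file")
    return ok, findings


# Constructed sample: the VERIFY lines quoted in this thread.
SAMPLE_LOG = [
    "Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server",
    "Wed Aug 16 11:01:39 2023 VERIFY KU OK",
    "Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server",
]


def demo(ccd_names=("Test-PC",), log=SAMPLE_LOG):
    """Run the check against a throw-away client-config-dir containing ccd_names."""
    with tempfile.TemporaryDirectory() as d:
        for name in ccd_names:
            (Path(d) / name).write_text("# constructed CCD file\n")
        chain = cert_chain_from_log(log)
        ok, findings = check_ccd(chain, d)
    return chain, ok, findings


if __name__ == "__main__":
    chain, ok, findings = demo()
    print(chain, ok)
    print("\n".join(findings))
```

Run it as is and it reproduces the thread's situation: the client presents CN "server", no file of that name exists next to "Test-PC", and with ccd-exclusive the server answers AUTH_FAILED. Point `demo()` at your real client-config-dir and the lines grabbed from the server log during a connection attempt to check a live setup.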
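Jochen's address-pool arithmetic, as an added example (not from the thread or from OpenVPN): client capacity of an IPv4 pool under topology net30 and topology subnet, and the smallest block that holds a given number of clients. For a /24 under net30 it returns 62, the "IFCONFIG POOL IPv4: base=10.10.0.4 size=62" figure in the server log posted later in this thread, and for 1000 net30 clients it returns /20.

```python
import ipaddress


def pool_capacity(prefixlen, topology="net30"):
    """Clients that fit into an IPv4 pool of the given prefix length.

    net30 (the server-mode default the logs in this thread warn about): every
    client is handed its own /30, the first /30 carries the server's endpoints
    and the last /30 is left unused, so a /24 yields 62.
    subnet: one address per client; the network address, the server's own
    address and the broadcast address are reserved, so a /24 yields 253.
    """
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    addresses = 2 ** (32 - prefixlen)
    if topology == "net30":
        return max(0, addresses // 4 - 2)
    if topology == "subnet":
        return max(0, addresses - 3)
    raise ValueError(f"unknown topology {topology!r}")


def pool_size(network, topology="net30"):
    """Same as pool_capacity, for a 'server' network such as '10.8.0.0/24'."""
    net = ipaddress.ip_network(network, strict=True)
    return pool_capacity(net.prefixlen, topology)


def smallest_prefix(clients, topology="net30"):
    """Longest prefix (smallest block) whose pool holds `clients` clients."""
    for prefixlen in range(30, -1, -1):
        if pool_capacity(prefixlen, topology) >= clients:
            return prefixlen
    raise ValueError("more clients than fit into any IPv4 pool")


if __name__ == "__main__":
    for topo in ("net30", "subnet"):
        print(f"{topo}: /24 holds {pool_size('10.8.0.0/24', topo)} clients; "
              f"1000 clients need a /{smallest_prefix(1000, topo)}")
```

The same 1000 clients fit into a /22 under topology subnet, which is one more reason to follow the deprecation warning and move servers off net30.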




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
On Wed, Aug 16, 2023 at 6:27 PM, Jochen Bern wrote:
> On 16.08.23 15:05, Jason Long wrote:
> > I used
> > "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/"
> > tutorial to create my OpenVPN server.
>
> (No date on the article ... no date on the comments ... OpenVPN version
> not shown anywhere ... according to one systemctl output, probably
> written in September 2019, when Debian 10 and OpenSSL 1.1.1c were in
> fact current ... still using /etc/openvpn instead of /etc/openvpn/server
> and /etc/openvpn/client, respectively ... no mention of doing a
> "systemctl enable openvpn@ConfigFileBaseName" on the server ... no
> explicit description of what the VPN set up is supposed to *do*
> (apparently: secure Inet access for a road warrior, no other servers at
> the site hosting the VPN peer, no communication back to the clients) ...
> no discussion of how he came to pick 10.8.0.0/24 for the tunnel IPs, how
> (far) to check for IP conflicts, how many clients you can accommodate
> with that /24 ...)
>
> ... word of warning: Just because the how-to doesn't ask you to enter
> something at
>
> > Common Name (eg: your user, host, or server name) [client]:
>
> and later has you type in
>
> > ./easyrsa sign-req client client
>
> doesn't mean that you want all client certs to be named "client", or -
> even worse - use the same client cert for them all. Make those *unique*
> - ideally per device, not just per user.
>
> However, if you worked along *that* how-to, your CA certificate is
> indeed using the CN of "server" (not "Server", but that might be a
> liberty that MS took). Exactly the same as the server cert. X-C
>
> > Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
>
> > About the server log [...]
> > # cat /var/log/openvpn/virt1.log
> > 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs
> > with IPv4 pools will be removed in a future release. Please migrate to
> > --topology subnet as soon as possible.
> > [...]
> > 2023-08-16 06:23:18 Initialization Sequence Completed
>
> That shows us the startup phase of the OpenVPN server. In order to check
> what the server thinks about the cert the client presents, you'll have
> to have the client make an attempt to connect, and then grab the logs
> from *those* couple seconds.
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH



Hi Jochen,
Thank you for your advice about the How-to articles.
Can you answer my questions?
1- What is the difference between /etc/openvpn and /etc/openvpn/server
directories? I put my server.conf file in the /etc/openvpn directory and it
worked.
2- You said "./easyrsa sign-req client client", make those unique ideally per
device, not just per user. How to make it unique per user? If I have 1000
clients, then I must generate 1000 key files???
3- For the CA certificate, I must use "Server" not "server". May I ask why?

Finally, I guess the information that you want from the client side is:

Wed Aug 16 11:01:38 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Aug 16 11:01:38 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Wed Aug 16 11:01:38 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Wed Aug 16 11:01:38 2023 Windows version 6.1 (Windows 7), amd64 executable
Wed Aug 16 11:01:38 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Wed Aug 16 11:01:38 2023 DCO version: v0
Wed Aug 16 11:01:38 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Wed Aug 16 11:01:38 2023 Need hold release from management interface, waiting...
Wed Aug 16 11:01:38 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1031
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'state on'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'log on all'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'echo on all'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'bytecount 5'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'state'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold off'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold release'
Wed Aug 16 11:01:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 16 11:01:39 2023 UDPv4 link local: (not bound)
Wed Aug 16 11:01:39 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,
Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, sid=2e7d21e3 db47853e
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY KU OK
Wed Aug 16 11:01:39 2023 Validating certificate extended key us

Re: [Openvpn-users] Easy-RSA minimal how-to

2023-08-16 Thread tincantech via Openvpn-users

To follow up, a very brief introduction to Easy-RSA.

Download the latest Easy-RSA:
https://github.com/OpenVPN/easy-rsa/releases/tag/v3.1.5

Unpack that to a suitable folder in your HOME folder.
Change directory to the new folder.

Create your first PKI:
$ ./easyrsa init-pki

Create your CA:
$ ./easyrsa --nopass build-ca

Create your server certificate:
$ ./easyrsa --nopass build-server-full server1

Create your client certificate:
$ ./easyrsa --nopass build-client-full client1

Note:
These certificates will not be password protected
but you don't need password protection at this stage
of your learning curve.

Create a TLS key with Openvpn:
$ openvpn --genkey tls-crypt tls-crypt.key

That is all there is to generating a working PKI.

This will also create Inline files in the PKI folder,
under 'pki/inline' - These inline files are suitable for
use in your server and client config files by copy and
pasting them as-is into the config files.

To add the TLS key, you can copy and paste it as inline
but this is not automatically done by Easy-RSA, you must
do that yourself.

To use TLS keys inline, use the inline tag like so:

<tls-crypt>
* Paste the tls-crypt.key file here *
</tls-crypt>

(This does not require the --key-direction parameter)

Assuming that you do that correctly, your config files
are now ready to use, after you add the other Openvpn
directives. eg: --server or --client etc.

If that looks too difficult then try a script, such as:
https://github.com/pivpn/pivpn

Good luck,
tct
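An added example (my code, not tincantech's and not Easy-RSA's) of what the copy-and-paste step above amounts to: wrapping the PEM files in OpenVPN's <tag>...</tag> inline blocks to build a client config, parsing such a config back apart, and checking the points made in the post (ca, cert and key present; each block is a single PEM blob; tls-crypt present, with no key-direction alongside it). The PEM contents, the remote host name and the directive list are constructed placeholders; real material comes from pki/inline and from `openvpn --genkey tls-crypt tls-crypt.key`.

```python
import re

# Options an OpenVPN config can carry inline; key-direction is only needed for
# tls-auth, never for tls-crypt.
INLINE_TAGS = ("ca", "cert", "key", "tls-crypt", "tls-auth", "dh")
PEM_RE = re.compile(r"-----BEGIN [^-]+-----\n.*?\n-----END [^-]+-----\n?", re.S)


def inline_block(tag, pem):
    """Wrap one PEM blob in <tag>...</tag>, the way the pki/inline files do."""
    if tag not in INLINE_TAGS:
        raise ValueError(f"not an inline-capable option: {tag}")
    if not PEM_RE.fullmatch(pem.strip() + "\n"):
        raise ValueError(f"{tag}: not a single PEM block")
    return f"<{tag}>\n{pem.strip()}\n</{tag}>\n"


def assemble_config(directives, pem_by_tag):
    """Join plain directives and inline blocks into one config text."""
    text = "\n".join(directives) + "\n"
    for tag in INLINE_TAGS:
        if tag in pem_by_tag:
            text += inline_block(tag, pem_by_tag[tag])
    return text


def parse_config(text):
    """Split a config into (directives, {tag: pem}); raises on an unclosed tag."""
    directives, blocks, current, body = [], {}, None, []
    for line in text.splitlines():
        if current is None:
            m = re.fullmatch(r"<([a-z-]+)>", line.strip())
            if m:
                current, body = m.group(1), []
            elif line.strip() and not line.lstrip().startswith(("#", ";")):
                directives.append(line.strip())
        elif line.strip() == f"</{current}>":
            blocks[current] = "\n".join(body) + "\n"
            current = None
        else:
            body.append(line)
    if current is not None:
        raise ValueError(f"<{current}> never closed")
    return directives, blocks


def lint_client_config(text):
    """Findings about the inline material of a client config."""
    directives, blocks = parse_config(text)
    names = {d.split()[0].lstrip("-") for d in directives}
    findings = []
    for tag in ("ca", "cert", "key"):
        if tag not in blocks and tag not in names:
            findings.append(f"missing {tag}: neither inline nor as a file directive")
    for tag, pem in blocks.items():
        if not PEM_RE.fullmatch(pem):
            findings.append(f"<{tag}> does not contain exactly one PEM block")
    if "tls-crypt" in blocks and "key-direction" in names:
        findings.append("key-direction is not needed with tls-crypt (only tls-auth uses it)")
    if not ({"tls-crypt", "tls-auth"} & (set(blocks) | names)):
        findings.append("no tls-crypt/tls-auth: the control channel is not wrapped")
    return findings


# Constructed placeholders standing in for ca.crt, client1.crt, client1.key
# and tls-crypt.key.
FAKE = {
    "ca": "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----\nY2xpZW50MSBwbGFjZWhvbGRlcg==\n-----END CERTIFICATE-----",
    "key": "-----BEGIN PRIVATE KEY-----\na2V5IHBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----",
    "tls-crypt": "-----BEGIN OpenVPN Static key V1-----\n00112233445566778899aabbccddeeff\n-----END OpenVPN Static key V1-----",
}
CLIENT_DIRECTIVES = ["client", "dev tun", "proto udp", "remote vpn.example.invalid 1194",
                     "remote-cert-tls server", "verb 3"]


def demo():
    text = assemble_config(CLIENT_DIRECTIVES, FAKE)
    return text, lint_client_config(text)


if __name__ == "__main__":
    text, findings = demo()
    print(text)
    print(findings or "no findings")
```

Feed `lint_client_config()` a hand-assembled .ovpn and it tells you whether a tag got lost while pasting, which is the usual outcome of doing the tls-crypt step by hand.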



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread tincantech via Openvpn-users

Hi,

--- Original Message ---
On Wednesday, August 16th, 2023 at 15:55, Jochen Bern  
wrote:



> However, if you worked along that how-to, your CA certificate is
> indeed using the CN of "server" (not "Server", but that might be a
> liberty that MS took). Exactly the same as the server cert. X-C
> 
> > Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server



Thank you Jochen, indeed, that is an unfortunate possibility.

@Jason - When you create your CA certificate, simply use the default Easy-RSA,
for the time being.  Creating and customising a new PKI can be done later, once
you get your VPN working.

Good luck,
tct



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jochen Bern

On 16.08.23 15:05, Jason Long wrote:
> I used
> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/"
> tutorial to create my OpenVPN server.


(No date on the article ... no date on the comments ... OpenVPN version 
not shown anywhere ... according to one systemctl output, probably 
written in September 2019, when Debian 10 and OpenSSL 1.1.1c were in 
fact current ... still using /etc/openvpn instead of /etc/openvpn/server 
and /etc/openvpn/client, respectively ... no mention of doing a 
"systemctl enable openvpn@ConfigFileBaseName" on the server ... no 
explicit description of what the VPN set up is supposed to *do* 
(apparently: secure Inet access for a road warrior, no other servers at 
the site hosting the VPN peer, no communication back to the clients) ... 
no discussion of how he came to pick 10.8.0.0/24 for the tunnel IPs, how 
(far) to check for IP conflicts, how many clients you can accommodate 
with that /24 ...)


... word of warning: Just because the how-to doesn't ask you to enter 
something at



> Common Name (eg: your user, host, or server name) [client]:


and later has you type in


> ./easyrsa sign-req client client


doesn't mean that you want all client certs to be named "client", or - 
even worse - use the same client cert for them all. Make those *unique* 
- ideally per device, not just per user.


However, if you worked along *that* how-to, your CA certificate is 
indeed using the CN of "server" (not "Server", but that might be a 
liberty that MS took). Exactly the same as the server cert. X-C



> Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server





> About the server log [...]
> # cat /var/log/openvpn/virt1.log
> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with
> IPv4 pools will be removed in a future release. Please migrate to --topology
> subnet as soon as possible.
>
> [...]
>
> 2023-08-16 06:23:18 Initialization Sequence Completed


That shows us the startup phase of the OpenVPN server. In order to check 
what the server thinks about the cert the client presents, you'll have 
to have the client make an attempt to connect, and then grab the logs 
from *those* couple seconds.


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
>On 16/08/2023 15:05, Jason Long via Openvpn-users wrote:
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
>>> On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
[...snip...]

> Hello,
> I used 
> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/";
>  tutorial to create my OpenVPN server.

>*sigh* Never use a random blog post on "how to do XYZ" when the project 
>itself has its own set of documentation.  No matter which project it is.

>I've read enough of those random "OpenVPN how-tos" over the last 15+ 
>years and the vast majority of them are not up-to-date, tricks you into 
>using insecure settings, being overly complicated or simply leads you to 
>misery.

>Doing networking isn't really suitable as a "click-this-type-that" type 
>of how-to, because you *really* need to understand how these things 
>works and impacts your configuration and setup.

>This guides you through the most important steps and should be 
>reasonably up-to-date (I spot a few things which could be improved, but 
>shouldn't stop you from getting a functional tun based OpenVPN tunnel 
>running).  This documentation is provided by the official OpenVPN 
>project and this project is responsible for keeping the documentation in 
>reasonable shape.

>

>Read this, read the man page entries for options used and try to 
>understand it.  Read the pointers to the related documentation in that 
>wiki page.  Try to understand all the information provided there.  Then 
>you can ask questions and get sensible replies back.

>If you need more documentation, buy your own copy of the OpenVPN 
>Cookbook by Jan Just Keijser.  He is a well-trusted OpenVPN community 
>member and knows this stuff very well.

>


> Gert tole me about the multihome statement and I added it.

>When Gert tells you to look at multihome, he has very good reasons for 
>doing that (I know him too, he is also really trustworthy - in 
>particular with networking and OpenVPN).  But it ALSO means you should 
>read the documentation for suggested options too.


>[...snip...]


> # cat /var/log/openvpn/virt1.log
> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with 
> IPv4 pools will be removed in a future release. Please migrate to --topology 
> subnet as soon as possible.
> 2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
> missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). 
> OpenVPN ignores --cipher for cipher negotiations.

>Those two lines tells you something important.  You should fix this. 
>I'm not going to tell you how; read the documentation.  It is fully 
>explained in the man page.


>[...snip...]

> 2023-08-16 06:23:18 Listening for incoming TCP connection on 
> [AF_INET][undef]:2000
> 2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
> 2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]

>I suspect this if from a server configuration (also an important detail 
>to tell).  And it tells you your VPN server is listening TCP port 2000.


>[...snip...]

> 2023-08-16 06:23:18 Initialization Sequence Completed

>This line means that the OpenVPN tunnel is up an running.  So that means 
>this tunnel instance is ready to see clients connecting to it.



>And finally.  Learn yourself some mailing list netiquette.  Inline 
>replies and replies at the bottom are very fine.  But keep the indenting 
>marks (>) on the original text so it's easier to understand who is 
>writing what and what you are responding to.

>A reasonably good summary of most common mailing list netiquette rules 
>used in open source (and this is the official recommendation from an 
>open source project; not a random blog post)

>


Hello,
Thanks again.
I can solve those two lines by changing the --data-ciphers algorithm. Please
tell me what the main problem is. If the problem is that my OpenVPN server has
an Internal NIC and a NAT NIC, then I'm sure such a scenario exists in the real
world.
I added all statements that Gert said, but the problem still exists.

> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc







Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread David Sommerseth

On 16/08/2023 15:05, Jason Long via Openvpn-users wrote:
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
>> On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
> [...snip...]
>
> Hello,
> I used
> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/"
> tutorial to create my OpenVPN server.


*sigh* Never use a random blog post on "how to do XYZ" when the project 
itself has its own set of documentation.  No matter which project it is.


I've read enough of those random "OpenVPN how-tos" over the last 15+ 
years and the vast majority of them are not up-to-date, trick you into 
using insecure settings, are overly complicated or simply lead you to 
misery.


Doing networking isn't really suitable as a "click-this-type-that" type 
of how-to, because you *really* need to understand how these things 
work and impact your configuration and setup.


This guides you through the most important steps and should be 
reasonably up-to-date (I spot a few things which could be improved, but 
shouldn't stop you from getting a functional tun based OpenVPN tunnel 
running).  This documentation is provided by the official OpenVPN 
project and this project is responsible for keeping the documentation in 
reasonable shape.




Read this, read the man page entries for options used and try to 
understand it.  Read the pointers to the related documentation in that 
wiki page.  Try to understand all the information provided there.  Then 
you can ask questions and get sensible replies back.


If you need more documentation, buy your own copy of the OpenVPN 
Cookbook by Jan Just Keijser.  He is a well-trusted OpenVPN community 
member and knows this stuff very well.





> Gert told me about the multihome statement and I added it.

When Gert tells you to look at multihome, he has very good reasons for 
doing that (I know him too, he is also really trustworthy - in 
particular with networking and OpenVPN).  But it ALSO means you should 
read the documentation for suggested options too.



[...snip...]



> # cat /var/log/openvpn/virt1.log
> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with
> IPv4 pools will be removed in a future release. Please migrate to --topology
> subnet as soon as possible.
> 2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
> missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN
> ignores --cipher for cipher negotiations.


Those two lines tell you something important.  You should fix this. 
I'm not going to tell you how; read the documentation.  It is fully 
explained in the man page.



[...snip...]


> 2023-08-16 06:23:18 Listening for incoming TCP connection on
> [AF_INET][undef]:2000
> 2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
> 2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]


I suspect this is from a server configuration (also an important detail 
to tell).  And it tells you your VPN server is listening TCP port 2000.



[...snip...]

> 2023-08-16 06:23:18 Initialization Sequence Completed

This line means that the OpenVPN tunnel is up and running.  So that means 
this tunnel instance is ready to see clients connecting to it.




And finally.  Learn yourself some mailing list netiquette.  Inline 
replies and replies at the bottom are very fine.  But keep the indenting 
marks (>) on the original text so it's easier to understand who is 
writing what and what you are responding to.


A reasonably good summary of most common mailing list netiquette rules 
used in open source (and this is the official recommendation from an 
open source project; not a random blog post)





--
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
>> On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
>>> route 192.168.1.0 255.255.255.0
>> 
>> This tells the server "put routing towards 192.168.1.0 into the VPN"
[...]
> So, what is the right IP for the following statement?
> route 192.168.1.0 255.255.255.0

> Unknown. Gert told you what this config statement does, I don't remember
> you ever mentioning that you plan to use such a feature, much less what
> subnet(s) you'd want to use for that.

> I opened the ca.crt file on the client and clicked on the Details tab
> and it showed me "CN = Server". So, I must change the "Test-PC" to
> "Server". Am I right?

> ... maybe. I wouldn't be too surprised if your client-side OpenVPN
> config did indeed take a client cert named "Server" out of a file named
> "ca.crt" ...

>... I would nonetheless recommend that you look at the server log (of 
>suitable verbosity) for a line telling what cert/CN the client has 
>actually sent, though.

>Kind regards


Hello,
I used 
"https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/";
 tutorial to create my OpenVPN server.
Gert told me about the multihome statement and I added it.

About the server log, I used the following line in the server.conf file:

status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/virt1.log
log-append  /var/log/openvpn/virt1.log
verb 3

And:

# cat /var/log/openvpn/virt1.log
2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with 
IPv4 pools will be removed in a future release. Please migrate to --topology 
subnet as soon as possible.
2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN 
ignores --cipher for cipher negotiations. 
2023-08-16 06:23:18 NOTICE: --explicit-exit-notify ignored for --proto tcp
2023-08-16 06:23:18 --user specified but lacking CAP_SETPCAP. Cannot retain 
CAP_NET_ADMIN. Disabling data channel offload
2023-08-16 06:23:18 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] 
[LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-08-16 06:23:18 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-08-16 06:23:18 DCO version: N/A
2023-08-16 06:23:18 net_route_v4_best_gw query: dst 0.0.0.0
2023-08-16 06:23:18 net_route_v4_best_gw result: via 10.0.2.2 dev enp0s3
2023-08-16 06:23:18 Diffie-Hellman initialized with 2048 bit key
2023-08-16 06:23:18 net_route_v4_best_gw query: dst 0.0.0.0
2023-08-16 06:23:18 net_route_v4_best_gw result: via 10.0.2.2 dev enp0s3
2023-08-16 06:23:18 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 
HWADDR=08:00:27:ed:b4:7c
2023-08-16 06:23:18 TUN/TAP device tun20 opened
2023-08-16 06:23:18 net_iface_mtu_set: mtu 1500 for tun20
2023-08-16 06:23:18 net_iface_up: set tun20 up
2023-08-16 06:23:18 net_addr_ptp_v4_add: 10.10.0.1 peer 10.10.0.2 dev tun20
2023-08-16 06:23:18 net_route_v4_add: 192.168.1.0/24 via 10.10.0.2 dev [NULL] 
table 0 metric -1
2023-08-16 06:23:18 net_route_v4_add: 10.10.0.0/24 via 10.10.0.2 dev [NULL] 
table 0 metric -1
2023-08-16 06:23:18 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-08-16 06:23:18 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-08-16 06:23:18 Listening for incoming TCP connection on 
[AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]
2023-08-16 06:23:18 UID set to nobody
2023-08-16 06:23:18 GID set to nogroup
2023-08-16 06:23:18 Capabilities retained: CAP_NET_ADMIN
2023-08-16 06:23:18 MULTI: multi_init called, r=256 v=256
2023-08-16 06:23:18 IFCONFIG POOL IPv4: base=10.10.0.4 size=62
2023-08-16 06:23:18 MULTI: TCP INIT maxclients=1024 maxevents=1029
2023-08-16 06:23:18 Initialization Sequence Completed

I use Debian 12. 


>-- 
>Jochen Bern
>Systemingenieur

>Binect GmbH


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread tincantech via Openvpn-users

Edited for brevity:

--- Original Message ---
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:

> > I opened the ca.crt file on the client and clicked on the Details tab
> > and it showed me "CN = Server". So, I must change the "Test-PC" to
> > "Server". Am I right?
> 

No.

Given your apparent level of skill, I find it impossible to believe
that you have created a certificate with CN of Server, with a file name
of ca.crt -- And if you have done then you should start PKI from scratch.

Good luck,
tct



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jochen Bern

On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
> On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
>> route 192.168.1.0 255.255.255.0
>
> This tells the server "put routing towards 192.168.1.0 into the VPN"
>
> [...]
>
> So, what is the right IP for the following statement?
> route 192.168.1.0 255.255.255.0


Unknown. Gert told you what this config statement does, I don't remember 
you ever mentioning that you plan to use such a feature, much less what 
subnet(s) you'd want to use for that.



> I opened the ca.crt file on the client and clicked on the Details tab
> and it showed me "CN = Server". So, I must change the "Test-PC" to
> "Server". Am I right?


... maybe. I wouldn't be too surprised if your client-side OpenVPN 
config did indeed take a client cert named "Server" out of a file named 
"ca.crt" ...


... I would nonetheless recommend that you look at the server log (of 
suitable verbosity) for a line telling what cert/CN the client has 
actually sent, though.


Kind regards
--
Jochen Bern
Systemingenieur

Binect GmbH




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
> Hi,
>
> On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
>> I added the following lines to my server.conf:
>>
>> client-config-dir myclient
>> ccd-exclusive
>> route 192.168.1.0 255.255.255.0
>
> This tells the server "put routing towards 192.168.1.0 into the VPN",
> while 192.168.1.x is your LAN network.  So this does not make sense.
>
>> multihome
>>
>>
>> Client showed me:
> [..]
>> Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session
>> promoted to trusted
>
> So the network between client and server is good now...
>
>> Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED
>
> ... but the server refuses this client.  So you must look into the server
> log to see why it does so.
>
> My guess is that the ccd file you created does not have the right name
> (must match the CN in the client certificate), or is not in the right
> place, or you did fancy thing with chroot (paths must match *inside*
> the chroot environment).



Hi Gert,
Thank you so much for your reply.
My OpenVPN server NICs are:

enp0s3: flags=4163  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 3984  bytes 1600249 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3182  bytes 685377 (669.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3:1: flags=4163  mtu 1500
        inet 20.1.1.20  netmask 255.0.0.0  broadcast 20.255.255.255
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)


enp0s8: flags=4163  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe74:6397  prefixlen 64  scopeid 0x20
        ether 08:00:27:74:63:97  txqueuelen 1000  (Ethernet)
        RX packets 396  bytes 76796 (74.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174  bytes 49776 (48.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



So, what is the right IP for the following statement?

route 192.168.1.0 255.255.255.0


And about your second note, I must change the "/etc/openvpn/ccd/Test-PC" to the 
CN in the client certificate. I opened the ca.crt file on the client and 
clicked on the Details tab and it showed me "CN = Server". So, I must change 
the "Test-PC" to "Server". Am I right?



> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                            g...@greenie.muc.de




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Bo Berglund
On Wed, 16 Aug 2023 06:35:01 + (UTC), Jason Long via Openvpn-users
 wrote:

>I added the following lines to my server.conf:
>
>client-config-dir myclient
>ccd-exclusive
>route 192.168.1.0 255.255.255.0
>multihome

From the reference manual:

multihome

Configure a multi-homed UDP server. This option needs to be used when a
server has more than one IP address (e.g. multiple interfaces, or secondary IP
addresses), and is not using --local to force binding to one specific address
only. This option will add some extra lookups to the packet path to ensure that
the UDP reply packets are always sent from the address that the client is
talking to. This is not supported on all platforms, and it adds more processing,
so it's not enabled by default. Note: this option is only relevant for UDP
servers.

Note 2: if you do an IPv6+IPv4 dual-stack bind on a Linux machine with
multiple IPv4 address, connections to IPv4 addresses will not work right on
kernels before 3.15, due to missing kernel support for the IPv4-mapped case
(some distributions have ported this to earlier kernel versions, though).


-- 
Bo Berglund
Developer in Sweden
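The two log lines David points at earlier in this thread (the net30 topology warning and the --cipher/--data-ciphers mismatch), the explicit-exit-notify notice in the same server log, and the "only relevant for UDP servers" note in the multihome manual text quoted above can all be caught before the server is even started. Here is an added example (my code, not OpenVPN's and not from the thread) that parses server.conf directives, skipping inline blocks, and reports those four conditions. The default data-ciphers list is the one the poster's log prints; the "before" config is constructed from the directives quoted in this thread, and the "after" config is one corrected form (if older clients still need AES-256-CBC, it belongs in --data-ciphers rather than in --cipher).

```python
import re

# Default --data-ciphers of OpenVPN 2.6, as printed in the poster's server log.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]


def parse_directives(text):
    """Return {option: [args, ...]} (one args list per occurrence), skipping
    comments and the bodies of <tag>...</tag> inline blocks."""
    opts, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts.setdefault(parts[0].lstrip("-"), []).append(parts[1:])
    return opts


def lint_server_config(text):
    """Findings for the start-up messages seen in this thread; the last
    occurrence of an option wins, as in OpenVPN itself."""
    opts = parse_directives(text)

    def last(name):
        return opts[name][-1] if name in opts else None

    findings = []
    data_ciphers = last("data-ciphers")
    allowed = data_ciphers[0].split(":") if data_ciphers else DEFAULT_DATA_CIPHERS
    cipher = last("cipher")
    if cipher and cipher[0].upper() not in {c.upper() for c in allowed}:
        findings.append(
            f"DEPRECATED OPTION: --cipher {cipher[0]} is not in --data-ciphers "
            f"({':'.join(allowed)}) and is ignored for negotiation; drop --cipher, "
            "or add the cipher to --data-ciphers if old clients need it")
    if "server" in opts:
        topology = last("topology")
        if not topology or topology[0] == "net30":
            findings.append("WARNING: --topology net30 (the default) is deprecated "
                            "for servers with IPv4 pools; set 'topology subnet'")
    proto = (last("proto") or ["udp"])[0].lower()
    if proto.startswith("tcp"):
        if "explicit-exit-notify" in opts:
            findings.append("NOTICE: --explicit-exit-notify is ignored for --proto tcp")
        if "multihome" in opts:
            findings.append("NOTICE: --multihome is only relevant for UDP servers")
    return findings


# Constructed from the directives quoted in this thread; not the poster's file.
BEFORE = """\
proto tcp
port 2000
dev tun20
server 10.10.0.0 255.255.255.0
cipher AES-256-CBC
explicit-exit-notify 1
client-config-dir myclient
ccd-exclusive
multihome
"""

AFTER = """\
proto tcp
port 2000
dev tun20
topology subnet
server 10.10.0.0 255.255.255.0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
client-config-dir myclient
ccd-exclusive
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label + ":", lint_server_config(cfg) or "clean")
```

The "before" config reproduces all four messages; the "after" config is clean because it states topology subnet, leaves the cipher choice to --data-ciphers, and drops the two options that do nothing on a TCP server.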


