[Openvpn-users] FW: openvpn on QNAP
Hi,

Sending this mail again but now without the attached screenshot of the iPhone. It seems the message was too large. :-(
Here is a link to the screenshot: https://hogeschooltio-my.sharepoint.com/:i:/g/personal/b_bloksma_tio_nl/EfsJD4GeVshKkxgXqLnfnLIB_7Pswm5AkVyLiBHWgkk1HA?e=IY9S3l
I leave the ovpn file here as an attachment, it is only 4k.

-----Original Message-----
From: Bonno Bloksma
Sent: Wednesday 6 December 2023 17:29
To: openvpn users list (openvpn-users@lists.sourceforge.net)
Subject: openvpn on QNAP

Hi,

I have been using my QNAP as my OpenVPN server for a while but needed to refresh my config, partly due to a new external IP.
I have a new OVPN file with all the relevant info, including the CA certificate. See attachment (redacted.ovpn).
Unfortunately it seems the OpenVPN software on my iPhone refuses to see the certificate in the file. See the profile screen capture.
This is kinda weird as I did not have this problem before. Now, it has been a while (years) since I imported my previous config so I have no idea what changed.
I am using the "default" OpenVPN Connect app from OpenVPN Technologies.

Anyone any idea what is going wrong?
Of course I get a certificate warning when I try to connect as there is no CA certificate configured. The warning is: "Peer certificate verification failure".
Is there a format error in the ovpn file? Is there a bug in the program?

Bonno Bloksma

Attachment: redacted.ovpn

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] A question about the VPN providers
> On 31.07.23 21:42, Jason Long via Openvpn-users wrote:
>>> Hello,
>>> Is it possible to set public IP addresses from different countries on one NIC?
>>> VPN provider companies provide VPN service with IP addresses of different countries. Do they have a separate server in that country? Or have they just set IP addresses from different countries on the same server?
>> Maybe not really separate *servers*, but you may assume that *Internet connections* (or "larger versions" of such) bought from providers in / serving that country are involved.
> Thank you so much for your reply.
> So they can be just IP addresses from different countries that are set on a NIC.

As long as the company hosting the VPN server has the right to use those IP numbers AND has a route to the uplink / ISP for that IP number.
It is no different from any other IP number, be it 10.x.x.x and 172.16.x.x or 192.168.1.x or some public IP number, the routing has to be correct.
The registrar for the IP number will not dictate what machine can use the IP number nor what other IP number can be on that machine.

Bonno Bloksma
Re: [Openvpn-users] openVPN vs openSSH for single user access
Hi,

[...]
> Now, if you add tls-auth or tls-crypt to the server (+client) config, even a correct "openvpn UDP initial handshake" packet will *not* make the server reply, unless you also have the right tls-auth/tls-crypt configured on the client side - which needs a (secret!) key to do so.
>
> So, with this config, OpenVPN is "invisible" because it will never reply except to those that know the magic words :-)

Which is why I looove this tls-auth feature and have had it enabled from the first day we started using OpenVPN. And that has been close to 10 years by now I think. :-)

Bonno
Re: [Openvpn-users] Commanding remote client to reconnect following server reboot?
Hi,

>>> But doing it without VPN is hard when the ISP is not providing a public IP address to the connected device...
[...]
> But when I switched to fiber out there the IP was NAT-ed and the site was unreachable.
> Had to talk to the fiber service provider and pay an extra charge to get a public (non-NATed) IP.

I guess CGN (Carrier Grade NAT) is having more and more impact, and all because we still want to use IPv4 and there is a severe shortage of IPv4 numbers. Especially on the mobile connections I see A LOT of CGN being applied. If I go 5 times to whatismyip.com within 1 minute I will get 5 different public IP numbers.

If at all possible see if you can add IPv6 on the server and then see if you can use IPv6 on the various client sites with the problems. That should avoid the NAT problems. The use of IPv6 SHOULD not have a mandatory extra charge as it is NORMAL internet access.

Kind regards,
Bonno Bloksma
Re: [Openvpn-users] openvpn dns resolution on osx
Hello Noah,

> I am running osx 10.15.7 and installed the openvpn v3.2.7 client.
I am not, so I am not sure this will be relevant but...

> Has anybody documented a decent way to be able to resolve hosts that are reachable by the VPN.
> We have resolvers at the site I can get resolution from when using the dig @ command. Any really good solutions are welcome.

If I understand correctly you want to open the VPN to the "other network" and after that want to access the hosts on the "other network" via DNS lookup.
Then why don't you set your DNS server to the DNS servers at the "other site"?
If you want to have that feature for all clients using OpenVPN then simply have the following line in the OpenVPN server config:

    push "dhcp-option DNS 192.168.1.10"

(but then with the proper IP address). That line, along with the proper

    push "route 192.168.1.0 255.255.255.0"

line, will set you up for "normal" access to resources on that site.
I do not know if you can set this in the client config on your side, probably you can.

If the "other network" DNS server does NOT do full DNS for all names, local and on the internet, then you might need a DNS resolver in between that knows what to resolve itself and what to forward to the "other network" DNS server. I have it set up that way in my home situation where any DNS name company.org gets sent to the company DNS server via the VPN tunnel. Any other DNS request will be forwarded to my ISP.

Bonno Bloksma
Re: [Openvpn-users] generate crl with easyrsa v2.2
Hi Gert,

>> I tried
>> $OPENSSL ca -gencrl -days $SA_EXPIRE -out "$CRL" -config "$KEY_CONFIG"
>> but that still generated a crl file for one month.
>
> Make that "-crldays $SA_EXPIRE"

Thanks, after fixing my own typo ($CA_EXPIRE, not $SA_...) it works like expected.
Now I have a crl file that is valid until after my CA expires, that's long enough. ;-)

Bonno Bloksma
Re: [Openvpn-users] generate crl with easyrsa v2.2
Hi,

> > Got bitten (twice) with the problem that the new OpenVPN version DEMANDS an up2date CRL file. However, I am still using easyrsa v2.2 and it has no gen-crl command.
>> [...]
>> What do I need to change in this line?
>> $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
>> for the crl file to be valid for something like 5 years?
>
> I was never happy with the easyrsa stuff as it may, because it was residing on the system it is supposed to protect.

That is why I have it on a server that most of the time is just off. In my case I could just stuff it in a zip/tar file and get it out when I need it. I only had an update last year.

> If you are happy with a windoze implementation of a primitive CA there are a number of them floating around.
> I still use xca which gives you a halfway decent user interface and keeps the key stuff in a database of some sort.

Rather not switch to Windows for that stuff. Like I wrote, I only have a few OpenVPN connections and for me easy-rsa is easy enough, it's just that expiration date on the CRL file.

I tried
    $OPENSSL ca -gencrl -days $SA_EXPIRE -out "$CRL" -config "$KEY_CONFIG"
but that still generated a crl file for one month.

Bonno Bloksma
[Openvpn-users] generate crl with easyrsa v2.2
Hi,

Got bitten (twice) with the problem that the new OpenVPN version DEMANDS an up2date CRL file. However, I am still using easyrsa v2.2 and it has no gen-crl command.
I created a copy of revoke-full and deleted the revoke stuff so it just creates a new crl file. So far, that works. But, this crl is only valid for one month, how do I create one that is valid for a looong time?

What do I need to change in this line?
    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
for the crl file to be valid for something like 5 years?

I have almost no key updates, this is a static environment with currently just 3 links, so just a few keys/certs that will never change. I control all clients so I could even just delete a key on the client if I don't want to use it anymore. Only when I suspect some foul play would I ever need to revoke a key.

Bonno Bloksma
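The three messages above end with "-crldays" fixing the one-month CRL, and with a CRL that outlives the CA. An added check for exactly that condition, not code from the thread or from easy-rsa: a stdlib-only DER walker reads thisUpdate/nextUpdate out of a CRL (RFC 5280 CertificateList) and compares nextUpdate with the CA's notAfter, so you can alert before OpenVPN starts refusing the stale CRL. The dates, the CA expiry and the sample CRL (unsigned, dummy signature bytes) are constructed here.

```python
import base64
import datetime as dt
import re


def _der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _tlv(buf, i):
    """Return (tag, value bytes, index after the element) for the TLV at buf[i]."""
    tag = buf[i]
    length, start = _der_len(buf, i + 1)
    return tag, buf[start:start + length], start + length


def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, i = [], 0
    while i < len(value):
        tag, val, i = _tlv(value, i)
        out.append((tag, val))
    return out


def _time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def pem_to_der(pem):
    """Strip the PEM armour of a crl.pem and base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    tag, cert_list, _ = _tlv(der, 0)
    tbs_tag, tbs, _ = _tlv(cert_list, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a CertificateList")
    fields = _children(tbs)
    if fields[0][0] == 0x02:          # optional version INTEGER (present in v2 CRLs)
        fields = fields[1:]
    # fields: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate], ...
    this_update = _time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (0x17, 0x18):
        next_update = _time(*fields[3])
    return this_update, next_update


def crl_lifetime_days(der):
    """Days between thisUpdate and nextUpdate (what -days vs -crldays changes)."""
    this_update, next_update = crl_validity(der)
    return (next_update - this_update).days


def crl_covers_ca(der, ca_not_after):
    """True when the CRL's nextUpdate is not earlier than the CA certificate's notAfter."""
    _, next_update = crl_validity(der)
    return next_update is not None and next_update >= ca_not_after


# --- constructed sample data (not real PKI output) --------------------------
T0 = dt.datetime(2023, 1, 1, tzinfo=dt.timezone.utc)      # assumed thisUpdate
CA_END = dt.datetime(2028, 1, 1, tzinfo=dt.timezone.utc)  # assumed CA notAfter


def _enc(tag, payload):
    """Minimal DER TLV encoder."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_crl(this_update, next_update):
    """Build an unsigned v2 CRL with the given window; the signature bytes are dummies."""
    utc = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D01010B")) + _enc(0x05, b""))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + alg + _enc(0x30, b"")
               + utc(this_update) + utc(next_update))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 9))


def sample_crl(days):
    """Constructed CRL issued at T0 and valid for `days` days."""
    return build_sample_crl(T0, T0 + dt.timedelta(days=days))


if __name__ == "__main__":
    for days in (30, 3650):   # the one-month default vs a long -crldays value
        print(days, "days, outlives CA:", crl_covers_ca(sample_crl(days), CA_END))
```

For a real file, pass pem_to_der(open("crl.pem").read()) and the CA's notAfter to crl_covers_ca.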
[Openvpn-users] logrotate
Hi,

I remember asking this a long time ago and at the time there was no "clean" way to rotate the openvpn log because the process would keep the log open. I remember that at the time we compromised by doing a copy and truncate trick.
Is there a "proper" way now to use the Linux logrotate feature without the copytruncate option?

There is no default logrotate script in the Debian Linux I use, probably because there is no default openvpn log file. Because in my openvpn config I have
    log-append /var/log/openvpn-user.log
right now I am using for logrotate:

    /var/log/openvpn-user.log {
        rotate 12
        monthly
        copytruncate
        compress
        missingok
        notifempty
    }

Is this still the best way to do it?

Using OpenVPN Version: 2.3.4-5+deb8u2 on Debian

Bonno Bloksma
Re: [Openvpn-users] Launching OpenVPN-GUI automatically on user login?
Hi,

>> I think the silence translates to "nobody would mind". I will run a few tests on PR#55 myself and then it goes in.
>
> "I agree with Selva", so I saw no need to speak up :-)

I just reread the suggestion and +1. I think 99% of those who start the GUI want to connect right after that.
I assume this would only autoconnect if there was only 1 config to use, otherwise the software might launch the wrong VPN.

Bonno Bloksma
[Openvpn-users] building larger dh
Hi,

Starting a new easy-rsa setup from scratch. New CA etc.
I noticed in my old config I had a dh4096.pem file which I had supposedly built by temporarily increasing the KEY_SIZE line
    export KEY_SIZE=4096
... I think. However, I can no longer find why I did this, supposedly to get a larger base for my TLS / session keys... I think.

1) Am I right? Does a larger dh.pem file indeed result in a larger pool for OpenVPN to get TLS/session keys from?
2) If 1) is correct and there is indeed a use for a bigger dh file, can I indeed create a new dh4096.pem file by temporarily increasing the KEY_SIZE, running build-dh and then setting it back to what I have?
3) Is there any use in creating an even bigger dh file, let's say an 8192 bit version?

Bonno Bloksma
Re: [Openvpn-users] Issue getting to LAN behind VPN Server
Hi,

Ok, this is getting away from OpenVPN so just this one reply.

> One small remark below:
>
>> # Set policies
>> $IPTABLES -P INPUT DROP
>> $IPTABLES -P FORWARD DROP
>> $IPTABLES -P OUTPUT ACCEPT
>
> Why would you allow unrestricted outgoing traffic?
> I would suggest to set also that policy to 'DROP', only allow what you expect, and allow in either direction stateful packages.

This is what I set up for small systems / sites, it is also perfect for private situations like my firewall/gateway at home. Remember OUTPUT is only what starts at the system itself. That can never be more than what is coming from the running services unless it is a workstation system. I have almost none of those, only Linux servers.

But even then the use of port filtering is greatly reduced nowadays where most applications simply use port 80 or 443 when they want to go outside and the default option is denied. For our larger sites I used to have a firewall with outbound ports listed and everything else would get denied. On those systems 90% of the traffic was port 80 and 443, and it wasn't only web traffic.
A few months ago we switched to Palo Alto firewalls which inspect the traffic and filter on that. I can now filter on for instance allow facebook traffic but deny facebook games. That level of filtering is "a bit more than we need" ;-) but it is nice to have.

Bonno Bloksma
Re: [Openvpn-users] Issue getting to LAN behind VPN Server
Hi,

[...]
>>> If someone can point me in the right direction to create a specific firewall rule for the forward chain I would be grateful. My thoughts
[...]
>>>
>> If you want to allow all traffic to and from the tun network(s) to be forwarded then add something like
>>
>> iptables -A FORWARD -i tun+ -j ACCEPT
>> iptables -A FORWARD -o tun+ -j ACCEPT
>>
>> remember that when forwarding traffic you need to write rules for both incoming and outgoing traffic.
>>
>> HTH,
>>
>> JJK
>>
> Thanks for the pointers. I am doing some research now reading through the iptables man page and reading other examples. I suspect that my initial forwarding rule attempt was lacking because I was only addressing one direction and not the bi-directional nature of forwarding.
> If I have some time this evening I will give this a try.
> Thanks.
>
> Jeff

For me a typical iptables firewall looks like this. In this case ALL outbound traffic from the box, and the internal network, is allowed. I use some variables to have the stuff that can change at the top.

    KEEPSTATE=" -m state --state ESTABLISHED,RELATED"
    WORLD_NET=0.0.0.0/0
    IPTABLES=/sbin/iptables

    # If NAT is needed...
    WORLD_IF=eth0
    WORLD_NAT=false

    # Set policies
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Flush all rules in all chains and then delete all chains
    chains=`cat /proc/net/ip_tables_names 2>/dev/null`
    for i in $chains; do $IPTABLES -t $i -F; done
    for i in $chains; do $IPTABLES -t $i -X; done

    # Reset all counters for default chains
    $IPTABLES -Z

    # Accept return traffic.
    $IPTABLES -A FORWARD -j ACCEPT $KEEPSTATE
    $IPTABLES -A INPUT -j ACCEPT $KEEPSTATE

    # SSH allowed
    $IPTABLES -A INPUT -s $WORLD_NET -p TCP --dport ssh -j ACCEPT

    # Loopback interface allow all
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # We accept ping etc
    $IPTABLES -A INPUT -p icmp -j ACCEPT

    if [ $WORLD_NAT = true ] ; then
        $IPTABLES --table nat -A POSTROUTING -o $WORLD_IF -j MASQUERADE
    fi

In here the "Accept return traffic" rules cover the return traffic so I only have to worry about the outgoing stuff in my other rules.

For OpenVPN I need to add just a few more rules:

    # OpenVPN allowed (UDP and TCP)
    $IPTABLES -A INPUT -s $WORLD_NET -p UDP --dport openvpn -j ACCEPT
    $IPTABLES -A INPUT -s $WORLD_NET -p TCP --dport openvpn -j ACCEPT

    # Allow all traffic to the tunnel
    $IPTABLES -A FORWARD -i tun+ -j ACCEPT

In my case the return traffic is covered as we still accept all established and related traffic. But the second line from Jan
    $IPTABLES -A FORWARD -o tun+ -j ACCEPT
covers that a bit more explicitly.

This is my basic firewall rule set for a "simple" Linux box acting sometimes as a router if no additional filters are needed for outbound traffic.

Bonno Bloksma
Re: [Openvpn-users] Routing
Hello Axel,

> Sorry, I don't understand:
> why do the 2 ips (gmx.de; spiegel.de) get different routing? both are public ips with the same scheme? why are they handled differently by my routing table?
>
> this server is a webserver. over tun0 comes traffic from internet.
> also: client -> rootserver (public ip) ---vpn--> server (tun0/10.8.0.6) i want that all traffic that comes over tun0 goes back to tun0.

Routing does not work that way. Routing works in a way that looks at where you want to go and sends you to the proper "next hop" router. Advanced routing can also look at who is sending and take action based on that but I know of no way that routing can look at "via which route the original packet came from". Firewalls look at tcp/whatever session information and can act on that, but that is one level up from ip. Routers only look at the ip level.

So you need to look at what might come from the tun0 interface and needs to be sent back that way. It usually is either a complete network like 192.168.25.0/24 and in that case you need a route telling OpenVPN and the host to send all that traffic to the OpenVPN tunnel. The iroute statement is used for that, I have several ccd config files for that purpose. If the other side of the tunnel is just 1 machine then that machine should use the VPN ip to send a request via the tunnel, the response will then automatically go via the OpenVPN tunnel as well.

Now, if I understand your information correctly, you wrote:
> this server is a webserver. over tun0 comes traffic from internet.
> also: client -> rootserver (public ip) ---vpn--> server (tun0/10.8.0.6) i want that all traffic that comes over tun0 goes back to tun0.

Do you mean to say that the webserver is ONLY linked to the internet via the OpenVPN tunnel? Because in that case indeed you need to have a default route to the ip number on the other side of the link. In that case make sure there is a separate routing line on the host so it can access all other hosts on the local network.

But this no longer seems to be an OpenVPN problem, but a routing problem. And of course, those usually go hand in hand, that is why we have no problem here explaining routing related to OpenVPN but somehow I get the feeling you might miss some basic knowledge of routing in general. Please look up some additional information on the internet to enhance your knowledge if that is the case.

OpenVPN simply creates another link for your server. Try to see if you can understand what would be needed if besides your normal br0 interface there is another interface with a REALLY LONG (but still working) ethernet cable to that system at the other side of the OpenVPN link. What would need to change on your host?

Bonno Bloksma
Tio university of applied science
Re: [Openvpn-users] Windows10 DNS Leak
Hi,

Oops, hit send too fast, wanted to ask also:
Is the DLL dependent on any specific version of OpenVPN for the plugin DLL? Does it have to be the latest released Windows version? Or is any 2.3.x version good?

[...]
Not sure from the docs at that page. Is this a DLL I have to install / register in Windows using the \Windows\System32\regsvr32.exe command? Or do I just need to put it in the OpenVPN bin dir?

Kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
begijnenhof 8-12 / 5611 el eindhoven
t +31 (0)40-296 28 28
b.blok...@tio.nl / www.tio.nl

Follow us on Twitter / Facebook / LinkedIn / YouTube

-----Original Message-----
From: Bonno Bloksma [mailto:b.blok...@tio.nl]
Sent: Friday 16 October 2015 9:09
To: ValdikSS; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Windows10 DNS Leak

Hi,

>> We just ran into this problem as well. User cannot access resources on our network as pushed dns setting do not get used.
>> Dns servers get properly pushed to the client, this is what the client sees:
> You can use plugin as for now.
> https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin

Ok, going to try that.

Bonno Bloksma
Re: [Openvpn-users] Windows10 DNS Leak
Hi,

Not sure from the docs at that page. Is this a DLL I have to install / register in Windows using the \Windows\System32\regsvr32.exe command? Or do I just need to put it in the OpenVPN bin dir?

Kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
begijnenhof 8-12 / 5611 el eindhoven
t +31 (0)40-296 28 28
b.blok...@tio.nl / www.tio.nl

Follow us on Twitter / Facebook / LinkedIn / YouTube

-----Original Message-----
From: Bonno Bloksma [mailto:b.blok...@tio.nl]
Sent: Friday 16 October 2015 9:09
To: ValdikSS; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Windows10 DNS Leak

Hi,

>> We just ran into this problem as well. User cannot access resources on our network as pushed dns setting do not get used.
>> Dns servers get properly pushed to the client, this is what the client sees:
> You can use plugin as for now.
> https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin

Ok, going to try that.

Bonno Bloksma
Re: [Openvpn-users] Windows10 DNS Leak
Hi,

>> We just ran into this problem as well. User cannot access resources on our network as pushed dns setting do not get used.
>> Dns servers get properly pushed to the client, this is what the client sees:
> You can use plugin as for now.
> https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin

Ok, going to try that.

Bonno Bloksma
Re: [Openvpn-users] Windows10 DNS Leak
Hi,

> as Windows10 Always uses local DNS servers this represents a built-in DNS Leak.
> At present, the only solution appears to be to de-configure default DNS servers after connecting to a VPN.
> I wonder if anybody has come up with a scripted solution (or other).
>
> https://community.openvpn.net/openvpn/ticket/605#ticket

We just ran into this problem as well. User cannot access resources on our network as pushed DNS settings do not get used.
DNS servers get properly pushed to the client, this is what the client sees:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : TAP-Windows Adapter V9
    Physical Address. . . . . . . . . : 00-FF-94-B7-29-9B
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::b018:750b:7f60:4e93%34(Preferred)
    IPv4 Address. . . . . . . . . . . : 172.16.1.150(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.252
    Lease Obtained. . . . . . . . . . : donderdag 15 oktober 2015 15:05:15
    Lease Expires . . . . . . . . . . : vrijdag 14 oktober 2016 15:05:15
    Default Gateway . . . . . . . . . :
    DHCP Server . . . . . . . . . . . : 172.16.1.149
    DHCPv6 IAID . . . . . . . . . . . : 570490772
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-63-50-12-F0-76-1C-65-6D-C4
    DNS Servers . . . . . . . . . . . : 172.16.128.40
    Primary WINS Server . . . . . . . : 172.16.128.40
    NetBIOS over Tcpip. . . . . . . . : Enabled

However, Windows 10 keeps using the ISP provided DNS servers and therefore all mappings etc fail. As most of my users are not "smart users" I do NOT want them to mess with the DNS settings.
So now what? Do we prohibit the use of Windows 10? That is not an option. ;-)

Bonno Bloksma
[Openvpn-users] dns routing problem
Hi,

Ok, so not really an openvpn problem but I am probably not the first to run into this problem. Someone probably has the solution already. ;-)

Trying to understand why my Linux machine with the openvpn client is sending packets with one of its local addresses via the tunnel to the other side.

    Fri Jul 10 12:11:51 2015 us=741813 m.duthler-lan/82.217.xxx.yyy: MULTI: bad source address from client [192.168.178.5], packet dropped

How do I debug this? Or maybe I already understand what is happening, but in that case how to prevent it?
Routing says to only send 172.16.0.0/16 traffic to the other side. Cause might be that this linux server needs to sometimes use our local company DNS servers, so:

    linmwd:~# cat /etc/resolv.conf
    search tio.nl
    nameserver 172.16.128.40
    nameserver 172.16.208.10
    nameserver 8.8.8.8

How can I convince this Debian Linux machine to use its local 172.16.18.1 address when doing a DNS request to one of the 172.16.x.y DNS servers? No DNS service package installed on the machine.
eth0 is the local LAN, eth1 is the connection to the on-site ISP router/modem. All local devices do not have this problem as they only have a 172.16.18.x number and their DNS requests pass through the tunnel without a hitch.

In case it is relevant, client side IPv4 and routing config:

    linmwd:~# ip addr
    1: lo: mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:11:6b:99:34:90 brd ff:ff:ff:ff:ff:ff
        inet 172.16.18.1/24 brd 172.16.18.255 scope global eth0
        inet6 fd00::1:211:6bff:fe99:3490/64 scope global dynamic
           valid_lft 6151sec preferred_lft 6151sec
        inet6 fe80::211:6bff:fe99:3490/64 scope link
           valid_lft forever preferred_lft forever
    3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether b8:ac:6f:a0:24:a1 brd ff:ff:ff:ff:ff:ff
        inet 192.168.178.5/24 brd 192.168.178.255 scope global eth1
        inet6 fe80::baac:6fff:fea0:24a1/64 scope link
           valid_lft forever preferred_lft forever
    4: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
        link/none
        inet 172.16.1.142 peer 172.16.1.141/32 scope global tun0

    linmwd:~# ip route
    default via 192.168.178.1 dev eth1
    172.16.0.0/16 via 172.16.1.141 dev tun0
    172.16.1.129 via 172.16.1.141 dev tun0
    172.16.1.141 dev tun0 proto kernel scope link src 172.16.1.142
    172.16.18.0/24 dev eth0 proto kernel scope link src 172.16.18.1
    192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.5
    linmwd:~#

Kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
[Openvpn-users] openvpn download page
Hi,

Thanks for the latest upgrades and I am really grateful for the static links to the latest Windows versions (32 and 64 bit) which saves me a lot on changing our helpdesk page each time there is an openvpn upgrade. ;-)

I did notice one thing today. The comment on the download page near the old 2.3.2 point release still talks about 2.3.4 in a few places:

    This is an old point release and you should in general use OpenVPN 2.3.4 instead. However, as OpenVPN 2.3.4 contains a few potentially disruptive changes you may want to use this older release instead. Windows I004 installers included a fix for the very serious heartbleed vulnerability (OpenVPN-specifics here). Windows I005 installers bundle OpenSSL 1.0.0h, which fixes severe security issues. Windows installer I006 bundles OpenSSL 1.0.1i, which fixes several vulnerabilities. All Windows users of OpenVPN 2.3.2 should upgrade to latest 2.3.2 or 2.3.4 release immediately.

We are at 2.3.7 now so it probably should change a few (but not all) of those 2.3.4 references into 2.3.7 or just "the latest 2.3.x release".

Kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
Re: [Openvpn-users] any way to add additional DHCP options?
Hi,

>> I can polish up my patch again and add NTP, TFTP and WPAD support, if there's enough demand for it. The patch would not be very large anyway, so the "lots of extra code" argument applies only a little
> I know this is a little biased, but I've just reviewed all the standard DHCP options Windows DHCP server has and I think if you were to add the following options, that would cover all the useful ones actually on offer (fighting words I know! ;-)
>
> * TFTP (150)
> * WPAD (252)

Well, I just took a look at our DHCP config to see what we use. The only useful extra option to have in openvpn I see is NTP to make sure a client on the other side will have the correct time for Kerberos authentication against our AD. And WINS just in case for that weird situation where DNS goes wrong on an old or non AD connected machine.

Bonno Bloksma
Re: [Openvpn-users] Site-to-Site configuration?
Hi,

For a layer 2 connection use tap instead of tun. I use both, tun for my regular road warriors and tap for my backup internet VPN in case my layer 2 WAN connection goes down. When using tap be aware of the pitfalls of using a layer 2 WAN connection, like broadcasts etc. I use it on my small layer 2 router network where there are just a few routers / devices.

Use different ports for the different simultaneous configurations. I use the default 1194 port for my road warriors and a different port for my WAN backup.

Bonno Bloksma

-----Original Message-----
From: Zesen Qian [mailto:openvpn-us...@riaqn.com]
Sent: Tuesday 2 June 2015 3:29
To: Bonno Bloksma
CC: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Site-to-Site configuration?

Hello Bonno,
Thanks for your help! Now I've set up a working site-to-site config and I can ping from one site to another site.
There is still a small problem, though. Since it's a site-to-site config, I don't really need any IP address on either end of the tunnel. That is, I don't assign any IP address on server or client. I don't know if it's a bug or feature, but then I have to manually turn on the interface by "ip link set tun0 up" on both client and server.
After that the server can receive packets that are intended for the subnet on the server side. However, the server seems not to forward the packet from tun0 to the LAN interface. I've already set 'sysctl net.conf.all.ip_forward=1'.
Anyone has any idea? Any comment is appreciated.

Bonno Bloksma writes:
> Hi,
>
> I use a server/client environment to have OpenVPN connect my 5 sites. Simply set it up as if you would for 1 client.
> Then make sure you set up routing correctly. Most of that is done using the iroute statement, best is to use 1 config file per client in a ccd directory.
> Remember, routing consists of 2 parts with openvpn. The OS needs to know to send packets to the OpenVPN interface, OpenVPN needs to know which client has which network behind it. Using iroute will let OpenVPN set it up for you for the most part.
> Use a push-route in your server config to let the clients know what the network behind the server is.
>
> What platform will you use for this? Redhat, Debian, etc? Or a non Linux platform?
>
> Kind regards,
> Bonno Bloksma
> senior system administrator
>
> tio
> university of applied sciences
> begijnenhof 8-12 / 5611 el eindhoven
> t +31 (0)40-296 28 28
> b.blok...@tio.nl / www.tio.nl
>
> Follow us on Twitter / Facebook / LinkedIn / YouTube
>
> -----Original Message-----
> From: Zesen Qian [mailto:openvpn-us...@riaqn.com]
> Sent: Friday 29 May 2015 16:59
> To: openvpn-users@lists.sourceforge.net
> Subject: [Openvpn-users] Site-to-Site configuration?
>
> Hello,
> I've just switched from IPsec (strongswan) to OpenVPN, and I want to configure a site-to-site setup. I googled for it but found nothing. There are only tutorials for some GUI based configuration, but I need the 'openvpn.conf' example.
> Thanks!
Re: [Openvpn-users] Site-to-Site configuration?
Hi,

I use a server/client environment to have OpenVPN connect my 5 sites. Simply set it up as if you would for 1 client.
Then make sure you set up routing correctly. Most of that is done using the iroute statement, best is to use 1 config file per client in a ccd directory.
Remember, routing consists of 2 parts with OpenVPN. The OS needs to know to send packets to the OpenVPN interface, OpenVPN needs to know which client has which network behind it. Using iroute will let OpenVPN set it up for you for the most part.
Use a push-route in your server config to let the clients know what the network behind the server is.

What platform will you use for this? Redhat, Debian, etc? Or a non Linux platform?

With kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
begijnenhof 8-12 / 5611 el eindhoven
t +31 (0)40-296 28 28
b.blok...@tio.nl / www.tio.nl

Follow us on Twitter / Facebook / LinkedIn / YouTube

-----Original message-----
From: Zesen Qian [mailto:openvpn-us...@riaqn.com]
Sent: Friday 29 May 2015 16:59
To: openvpn-users@lists.sourceforge.net
Subject: [Openvpn-users] Site-to-Site configuration?

Hello,
I've just switched from IPsec (strongswan) to OpenVPN, and I want to configure a site-to-site setup. I googled for it but found nothing.
There are only tutorials for some GUI based configuration, but I need the 'openvpn.conf' example.
Thanks!
--
Regards, best wishes
Zesen Qian (钱泽森)
Re: [Openvpn-users] Logjam: new tls/dh attack
Hi,

>>> Just a heads up on this new attack
>>> https://weakdh.org/
>>>
>> the short gist of this attack is: upgrade your DH param file to 2048 bits or more otherwise you're vulnerable :)
>
> This is true, but in the case of OpenVPN the case is less horrible, because:
>
> 1) OpenVPN encourages users to generate their own DH-group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024 bits DH keys (updated to 2048 recently),

Are you sure? I just looked at my setup which I generated many years ago and it has a dh4096.pem file. I think I generated this using default parameters because I did not understand much about OpenVPN and keys at that time. But then again, maybe I did increase it myself.

Bonno Bloksma
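The practical question behind this thread is "how big is the DH group my server actually uses". The following is an added example, not code from the thread or from the OpenVPN project: it reads the "dh" directive from a server config, reports the bit size of the group file with openssl, and fails when it is below 2048 bits (the Logjam threshold the thread names). It assumes an openssl binary on PATH; the rule that a relative "dh" path is taken relative to the config file's directory is also an assumption, since that depends on how the service is started (--cd).

```shell
#!/bin/sh
# Added example (not from the thread): Logjam hygiene for an OpenVPN server.
# Reports the size of the DH group a server config points at and fails when
# it is below 2048 bits. Assumes an openssl binary on PATH, and that a
# relative "dh" path is relative to the config file's directory (that part
# depends on how the service is started; adjust if you use --cd).
set -eu

# Bit length of the prime in a DH parameter file, taken from the
# "DH Parameters: (N bit)" line that openssl prints.
dh_bits() {                           # $1 = dh*.pem
    openssl dhparam -in "$1" -noout -text |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Reads the "dh <file>" directive from an OpenVPN server config and checks
# the group size. "dh none" (ECDH only, OpenVPN 2.4+) passes; a missing
# directive, an unreadable file or a group below $2 bits fails.
check_server_dh() {                   # $1 = server.conf, $2 = minimum bits (default 2048)
    conf=$1 min=${2:-2048}
    dhfile=$(sed -n 's/^[[:space:]]*dh[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    case $dhfile in
        '')   echo "$conf: no dh directive"; return 1 ;;
        none) echo "$conf: dh none, finite-field DH disabled (ECDH only)"; return 0 ;;
        /*)   ;;
        *)    dhfile=$(dirname "$conf")/$dhfile ;;   # assumption: relative to the config
    esac
    [ -r "$dhfile" ] || { echo "$conf: dh file $dhfile not readable"; return 1; }
    bits=$(dh_bits "$dhfile")
    if [ "${bits:-0}" -lt "$min" ]; then
        echo "$dhfile: ${bits:-unknown}-bit DH group is below $min bits (Logjam);"
        echo "  regenerate with: openssl dhparam -out dh$min.pem $min"
        return 1
    fi
    echo "$dhfile: $bits-bit DH group OK"
}

# Usage: sh dh-check.sh /etc/openvpn/server.conf [minimum-bits]
if [ $# -ge 1 ]; then
    check_server_dh "$@"
fi
```

Run it against every server config you have, not only the one you remember generating: a 1024-bit dh1024.pem copied along from an old sample config is exactly the case the thread is worried about.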
Re: [Openvpn-users] OpenVPN L2TP (VPN)
Hello Mahmoud

>> Does OpenVPN provide a best practice for L2TP? As I heard some months ago, OpenVPN suffers from instability for L2VPN, is this correct?
>> Appreciate your feedback
>
> Any update, as I need to make OpenVPN layer 2 tunneling

If you are looking to use OpenVPN to create a secure layer 2 tunnel then look into using OpenVPN with the TAP interface. That will create a layer 2 tunnel.
And yes, OpenVPN is a best practice solution unless you are required to use A-brand names. Just use the community version and if you need any help after reading the documentation just ask here. There are a lot of experts on this list. ;-)

Bonno Bloksma
[Openvpn-users] potential route subnet conflict
Hi,

Can someone explain what the potential routing conflict is here? Is it because 172.16.17.0/24 is a subset of 172.16.0.0/16? But if so, what is the conflict?

Log:
Nov 6 14:10:41 linbobo ovpn-client[2381]: WARNING: potential route subnet conflict between local LAN [172.16.17.0/255.255.255.0] and remote VPN [172.16.0.0/255.255.0.0]

Bonno Bloksma
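The warning is OpenVPN comparing the network the client's default interface sits on (the "local LAN") with the network it is about to route through the tunnel, and complaining when one contains the other. As an added example, not something from the post, here is that containment test in POSIX sh: both networks are reduced to integers, masked, and reported as a conflict when either one lies inside the other. The addresses are the ones from the log line; the netmask may be given dotted or as a prefix length. It assumes a shell with 64-bit arithmetic (dash and bash on 64-bit systems), so 0xFFFFFFFF stays positive.

```shell
#!/bin/sh
# Added example (not from the post): the containment test behind OpenVPN's
# "potential route subnet conflict" warning, in POSIX sh.
# Assumes 64-bit shell arithmetic (dash/bash on a 64-bit system).
set -eu

# dotted quad -> unsigned 32-bit integer, e.g. 172.16.17.0 -> 2886734080
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# netmask (dotted or prefix length) -> integer mask, e.g. 16 -> 0xFFFF0000
mask2int() {
    case $1 in
        *.*) ip2int "$1" ;;
        0)   echo 0 ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# route_conflict NET1 MASK1 NET2 MASK2
# Exit 0 and say which network contains which when the two overlap (for
# CIDR blocks that is the same as one containing the other), exit 1 otherwise.
# A bigger mask integer means a longer prefix, i.e. a smaller network.
route_conflict() {
    m1=$(mask2int "$2") m2=$(mask2int "$4")
    n1=$(( $(ip2int "$1") & m1 ))
    n2=$(( $(ip2int "$3") & m2 ))
    if [ "$m1" -le "$m2" ] && [ $(( n2 & m1 )) -eq "$n1" ]; then
        echo "$3/$4 lies inside $1/$2"
        return 0
    elif [ "$m2" -le "$m1" ] && [ $(( n1 & m2 )) -eq "$n2" ]; then
        echo "$1/$2 lies inside $3/$4"
        return 0
    fi
    return 1
}

# Usage: sh subnet-conflict.sh 172.16.17.0 255.255.255.0 172.16.0.0 255.255.0.0
if [ $# -eq 4 ]; then
    if route_conflict "$@"; then
        echo "WARNING: potential route subnet conflict between local LAN [$1/$2] and remote VPN [$3/$4]"
    else
        echo "no overlap between $1/$2 and $3/$4"
    fi
fi
```

For the log line above the answer is "172.16.17.0/255.255.255.0 lies inside 172.16.0.0/255.255.0.0": the client's own LAN is part of the network the VPN claims. Which side actually wins for a given destination is decided by the kernel's longest-prefix match, so the connected /24 normally keeps local traffic local, but any address in the /24 that the local LAN does not answer for, and anything the VPN later pushes with an equally specific route, ends up in the tunnel. That is why OpenVPN flags it rather than silently proceeding.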
Re: [Openvpn-users] finding openvpn version
Hi,

To update on my mail below: After starting the OpenVPN GUI I can open the log and it will show the OpenVPN version at the top of the log and the TAP version several lines lower. So the most important information is there for the user to find and give to me. ;-)
But, as per suggestion from Samuli, I will simply ask everyone who does not have version 2.3.5 yet to uninstall and reinstall.

Bonno

-----Original message-----
From: Bonno Bloksma [mailto:b.blok...@tio.nl]
Sent: Monday 3 November 2014 21:29
To: openvpn-users@lists.sourceforge.net
Subject: [Openvpn-users] finding openvpn version

Hi,

Because of what was written in the release info I decided it would be a good idea to find out which user is using which OLD version and maybe get everyone up to version 2.3.5.
Just about all of my users are Windows users. A few are Linux users and some are Apple users. All Windows users have used the standard Windows installer to get the client on their system. It is the Windows users that are the "least savvy" and that I want to help. I want to make it as easy for them to find out which version they have and to upgrade if needed. Even better if I can find that information from the OpenVPN server log.

The Windows installation has 3 version numbers, for the GUI, the underlying openvpn and the TAP driver. The first two I know how to get the user to give me the info, but how about the TAP driver? Can I find the GUI and the TAP version from the server log? (Probably not)

1) Is there a 1:1 relation between the OpenVPN version and the TAP driver?
2) If someone has OpenVPN 2.x.y (x<3), can I simply tell them to uninstall OpenVPN and install the latest 2.3.5 version and will they then have the latest TAP driver?

With kind regards,
Bonno Bloksma
senior system administrator
[Openvpn-users] finding openvpn version
Hi,

Because of what was written in the release info I decided it would be a good idea to find out which user is using which OLD version and maybe get everyone up to version 2.3.5.
Just about all of my users are Windows users. A few are Linux users and some are Apple users. All Windows users have used the standard Windows installer to get the client on their system. It is the Windows users that are the "least savvy" and that I want to help. I want to make it as easy for them to find out which version they have and to upgrade if needed. Even better if I can find that information from the OpenVPN server log.

The Windows installation has 3 version numbers, for the GUI, the underlying openvpn and the TAP driver. The first two I know how to get the user to give me the info, but how about the TAP driver? Can I find the GUI and the TAP version from the server log? (Probably not)

1) Is there a 1:1 relation between the OpenVPN version and the TAP driver?
2) If someone has OpenVPN 2.x.y (x<3), can I simply tell them to uninstall OpenVPN and install the latest 2.3.5 version and will they then have the latest TAP driver?

With kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
begijnenhof 8-12 / 5611 el eindhoven
t +31 (0)40-296 28 28
b.blok...@tio.nl / www.tio.nl

Follow us on Twitter / Facebook / LinkedIn / YouTube

-----Original message-----
From: Samuli Seppänen [mailto:sam...@openvpn.net]
[...]
The OpenVPN community project team is proud to release OpenVPN 2.3.5. It can be downloaded from here:
<http://openvpn.net/index.php/open-source/downloads.html>

This release fixes a serious interoperability issue with OpenVPN and the tap-windows6 driver. In addition a fair number of other bug fixes and small enhancements are included.
A full list of changes is available here:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>
Re: [Openvpn-users] revoke-full gives error
Hi,

The mail below was written A LOOONG time ago, that is how often I have to revoke a VPN certificate. ;-)
Today I had to do it again and once again ran into that error 23 line which got me confused whether I did something wrong or right?
Is there any way to get rid of that error msg and report success instead of an error when indeed it has successfully revoked the certificate?

With kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
begijnenhof 8-12 / 5611 el eindhoven
t +31 (0)40-296 28 28
b.blok...@tio.nl / www.tio.nl

Follow us on Twitter / Facebook / LinkedIn / YouTube

-----Original message-----
From: Bonno Bloksma [mailto:b.blok...@tio.nl]
Sent: Friday 22 April 2011 9:02
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] revoke-full gives error

Hi Yevgeny,

> Bonno Bloksma wrote:
>> Did it revoke the certificate? If I look at the crl.pem file it seems it did.
>> What is that "error 23 at 0 depth lookup:certificate revoked"?
> Yes it did. Error 23 refers to the revocation test and means it was really revoked.

That's funny, to report success on a test as an error. Or is that just a message string that never got properly inserted in the (error) message database?

Bonno
Re: [Openvpn-users] Selectively routing traffic across the vpn. Need some help with which routes where.
Hi Dave,

> Wow. Lots to think about. Once I get this all done, I'm thinking a wiki page contribution, "by noob, for noob" will be in order!
>
> On 08/01/2014 01:35 PM, Bonno Bloksma wrote:
>> Keep thinking of the OpenVPN setup as just 2 routers with a fixed Ethernet cable in between.
>> That in reality the "ethernet cable" is a VPN tunnel does not change the routing setup.
>
> I guess that might be some of my problem.
>
> I've been thinking of it as 2 wires, not 1 (I like to think with diagrams ...)

We have all been there and done that. ;-)

[]

>> Yup, but that is only because OpenVPN needs to know TOO where to drop stuff once it comes in.
>
> So Openvpn is not CREATING those routes? We're just telling it about EXISTING routes that have to have already been set up on each involved box/OS?

Well, the nice thing is.

> I usually handle that with iroute lines** in the client config file I have in the ccd directory. OpenVPN sees the iroute lines and makes sure the OS it is running on gets updates too.

So, yes, OpenVPN will create those routing lines on the box it is running on for you.

> Linux box running OpenVPN has 2 extra routing rules
> 172.16.17.0/24 via 172.16.1.130 dev tun0
> 172.16.18.0/24 via 172.16.1.130 dev tun0
> Where 172.16.1.130 is the ip number for OpenVPN itself on this box.

OpenVPN made those routing lines all by itself. It is the only way too, as OpenVPN is the only one that knows which ip it has created and where the traffic needs to be sent to.

> Having a config file per client in a separate directory is an easy way to keep track of what is where, for me, and is a standard way for OpenVPN.
> So breaking this down piece by piece, to do THAT^ I need related entries in all of these
>
> Loc1
> /etc/openvpn/loc2.server.conf
> /etc/openvpn/ccd/loc1.client.conf
> /etc/sysconfig/network/ifroute-eth1
> /etc/sysconfig/network/ifroute-eth0
>
> Loc2
> /etc/sysconfig/network/ifroute-eth1
> /etc/sysconfig/network/ifroute-eth0
>
> making sure that the openvpn config data matches what's on the OS in the ifroute-* stuff.
>
> Is that right?

Nope, too complex. I am assuming Loc2 is the "server" side of OpenVPN.

Loc1
/etc/openvpn/client.conf

Loc2
/etc/openvpn/server.conf
/etc/openvpn/ccd/loc1.conf

Server.conf has the normal server side stuff and at least a push route line that lets all clients, in your case just 1, know which network is behind the server. So in my case
push "route 172.16.0.0 255.255.0.0"

Looking at my "real config" I see I have an additional "route statement" in my server config. It seems the routing lines at the OS level are created by those statements and not the iroute statement. Another mistake in my previous mail. :-(

From the manual:
--
--iroute network [netmask]
Generate an internal route to a specific client. The netmask parameter, if omitted, defaults to 255.255.255.255.
This directive can be used to route a fixed subnet from the server to a particular client, regardless of where the client is connecting from. Remember that you must also add the route to the system routing table as well (such as by using the --route directive). The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client.
--

So server config also has a line
route 172.16.17.0 255.255.255.0
which is a copy of the iroute line below, missing just the i.

loc1.conf is a very small conf file with maybe only just 1 line. In my case
iroute 172.16.17.0 255.255.255.0

> I guess I could put the 'ip route add ...' commands in Openvpn up/down scripts. Don't yet know if that's better than the ifroute-*.

No, no additional routing statements at the OS level. The ones you need in your setup can be created by OpenVPN.

[]

>> The majority of the clients have no network behind them that need to be reachable, so they have no iroute statements.
> Both ends of mine have lans.

So you need ONE iroute statement for the network behind the ONE client, and the corresponding route line in the server conf. And a push route statement for the network behind the server.

>> Some have an iroute line like: iroute 172.16.17.0/24

And yes, there was a "bug" in my example in the previous mail, the iroute statement still needs the netmask syntax, it cannot handle the CIDR syntax yet, according to the manual. :-(

>> This way
Re: [Openvpn-users] Selectively routing traffic across the vpn. Need some help with which routes where.
Hi Dave,

>> Not "just one service".
>>
>> "just one target network", yes, but stuff like "but just for one source IP and not all other PCs using that router" or "just one specific port"
>> *can* be done (unlike most other VPNs) but it's work, and needs deep understanding of TCP/IP, routing, and "how to make it happen on Linux".
>>
>> It's not truly an OpenVPN question, as the decisions will have to happen on the OS side.
>
> I didn't realize that other vpns wouldn't be able to do it anyway!
>
> I get that getting it done requires routes. Or mostly routes. And that's "on the OS side".

Keep thinking of the OpenVPN setup as just 2 routers with a fixed Ethernet cable in between. That in reality the "ethernet cable" is a VPN tunnel does not change the routing setup.

> At the same time SOME of those routes need to be communicated to the OS from inside of Openvpn's config.

Yup, but that is only because OpenVPN needs to know TOO where to drop stuff once it comes in. I usually handle that with iroute lines** in the client config file I have in the ccd directory. OpenVPN sees the iroute lines and makes sure the OS it is running on gets updates too. Having a config file per client in a separate directory is an easy way to keep track of what is where, for me, and is a standard way for OpenVPN.

So in my case I have a lot of networks and clients. The majority of the clients have no network behind them that need to be reachable, so they have no iroute statements. Some have an iroute line like:
iroute 172.16.17.0/24
This way the OpenVPN server knows that behind that client is a network and that all traffic for those ip-numbers needs to be sent to that client. That client will then handle the rest of the routing.
A second client has a
iroute 172.16.18.0/4
config so in the end my Linux box running OpenVPN has 2 extra routing rules
172.16.17.0/24 via 172.16.1.130 dev tun0
172.16.18.0/24 via 172.16.1.130 dev tun0
Where 172.16.1.130 is the ip number for OpenVPN itself on this box.

In the OpenVPN config I further have a line pushing the routing line for all the networks this server knows about so all traffic from the clients destined for any of those ip-numbers will be sent here.
push "route 172.16.0.0 255.255.0.0"

So at my main site I have a core router that knows how to reach any part of my network, either direct or via other routers. It is also OpenVPN server and tells all clients to send all traffic for any 172.16.0.0/16 machine to that server unless they have a better way/route.
So in my setup a PC in a LAN behind client 1 can talk to any PC/host in the rest of my network, even a PC in a LAN behind client 2, because I have iroute lines in the client config for both clients.

X in the picture is 172.16 and I have NOT specified the internal ip numbers in the OpenVPN tunnel as they are NOT relevant to the routing between the LAN segments. (picture needs to be seen with fixed font)

PC1 (x.17.10) --- LAN --- OpenVPN Client (x.17.1) --- tunnel --- OpenVPN Server (x.16.1) --- tunnel --- OpenVPN Client (x.18.1) --- LAN --- PC2 (x.18.10)
                                                                            |
                                                                           LAN
                                                                            |
                                                                    other x.16.y PCs

> I'm here on this list because I'm hoping that I'm more likely to bump into people that think about routing across vpns, unlike other places (don't know even which yet) that don't have the vpn pieces in the process.

The VPN can be considered a "black box" except for where to put the relevant routing lines.

> If I'm understanding this so far, to do what I want is a limited # of static routes in a limited number of places.
> And that I can do that with Openvpn plus 'ip route'. Not needing any "dynamic routing" or more complicated tools like BGP, RIP, OSPF, Quagga etc.

I use a mix of OSPF via Quagga and static routes. Just use static routes when there are only a few connections and all go through the OpenVPN server. I have a setup where the OpenVPN link is just one of the links between sites.

> I'd really like to get enough understanding to make this work in & with Openvpn. So I'll stick with it for now.

Just ask for more examples when you do not understand something.

> Thanks!

You're welcome.

** I have always interpreted this for myself as OpenVPN saying: I route this for you, although it probably stands for internal routing ;-)

Bonno Bloksma
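The two "Selectively routing" messages and the site-to-site thread further up all turn on the same pairing: a "route" in server.conf for the kernel, an "iroute" in the client's ccd file for OpenVPN, and a pushed "route" so the clients know what sits behind the server. The following is an added example, not configuration from either thread: it writes that layout into a directory and then checks the one thing that goes wrong in practice, an iroute without its kernel-side route. The addresses are the thread's (172.16.0.0/16 behind the server, 172.16.17.0/24 behind client loc1); the tunnel network 172.16.1.0/24, the certificate file names, the hostname vpn.example.net and the ccd name "loc1" are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list posts): a minimal routed
# site-to-site layout in the thread's style, plus a check for the pitfall
# discussed above: an iroute without its kernel-side route.
# Addresses from the thread: 172.16.0.0/16 behind the server, 172.16.17.0/24
# behind client "loc1". The tunnel network 172.16.1.0/24, the file names,
# the hostname vpn.example.net and the ccd name "loc1" are assumptions.
set -eu

write_configs() {                     # $1 = directory to create the files in
    dir=$1
    mkdir -p "$dir/ccd"

    # Server: "route" moves packets for the remote LAN from the kernel into
    # the tun device; "iroute" (in the ccd file) then tells OpenVPN which
    # connected client owns that LAN. Both are needed, as the manual says.
    cat >"$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 172.16.1.0 255.255.255.0
client-config-dir ccd
# kernel -> OpenVPN: one route per network behind a client
route 172.16.17.0 255.255.255.0
# tell every client which network is behind the server
push "route 172.16.0.0 255.255.0.0"
keepalive 10 60
persist-key
persist-tun
EOF

    # Per-client file, named after the client certificate's common name.
    # OpenVPN -> client: the LAN behind "loc1". Netmask syntax, not CIDR.
    cat >"$dir/ccd/loc1" <<'EOF'
iroute 172.16.17.0 255.255.255.0
EOF

    # Client side needs no route statements: the server pushes them.
    cat >"$dir/client.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert loc1.crt
key loc1.key
persist-key
persist-tun
EOF
}

# Exit 0 when every iroute in ccd/* has a matching "route" line in
# server.conf; print the missing routes and exit 1 otherwise. A missing
# kernel-side route is a classic cause of a tunnel that only works one way.
check_iroutes() {                     # $1 = config directory
    dir=$1
    [ -f "$dir/server.conf" ] || { echo "no server.conf in $dir"; return 1; }
    report=$(mktemp)
    for f in "$dir"/ccd/*; do
        [ -f "$f" ] || continue
        while read -r key net mask _; do
            [ "$key" = iroute ] || continue
            grep -qxF "route $net $mask" "$dir/server.conf" ||
                echo "missing in server.conf: route $net $mask (needed by ccd/$(basename "$f"))" >>"$report"
        done <"$f"
    done
    if [ -s "$report" ]; then cat "$report"; rm -f "$report"; return 1; fi
    rm -f "$report"
}

# Usage: sh site-to-site.sh /tmp/ovpn-demo   (writes the three files, then checks)
if [ $# -eq 1 ]; then
    write_configs "$1"
    check_iroutes "$1" && echo "route/iroute pairing OK"
fi
```

The check is worth keeping around on its own: point it at the live /etc/openvpn after adding a site and it tells you which "route" line you forgot before the first "it pings one way but not the other" report arrives.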
Re: [Openvpn-users] TLS key negotiation failed to occur within 60 seconds
Hi,

>>> The failure was a misadjusted time. The clients had the time 1970, but the certificate is valid beginning 15 March 2014.
>> []
>>
>> This has been discussed in our developer meetings in #openvpn-devel and we recognise that in some environments this could be somewhat useful. But we consider the related security aspect around doing this to be far worse than the real usability of such a feature.
>>
> you're right. This is a security leak, but I personally prefer to have the possibility to switch off this "security feature" - only for debug purposes or maintenance situations.
>

If so I would like to be able to disable it for just 1 client via a ccd file for instance. That way I do not have to restart the entire service and would not compromise any other connection.

> In my case, the device has no hardware clock on board (embedded computer) and the crond daemon does not work. Now I fixed it (with driving 4 hours on the highway), but if I had had the possibility to disable this feature temporarily, I would have spared this lost time and could have repaired this bug on the client side.

The problem with this is you almost have to know that the time is the problem before knowing to use the feature, if David does decide to implement it.
But like David wrote, please put at least an ntp client on the machine. Most (s)ntp clients will keep track of the ntp server and you do not need crond for that. The SNTP feature is present in a lot of embedded systems these days.

Bonno Bloksma
Re: [Openvpn-users] expiry date CA
Hi,

>> I want to find out when my CA expires, how do I do that. I cannot see any readable info by just looking at the ca.key or the ca.crt. Which command will let me see that info?
>> Which command will let me see when the client certs expire?
>
> openssl x509 -subject -dates -noout -in ca.crt

[..]
notBefore=May 16 06:04:32 2008 GMT
notAfter=May 14 06:04:32 2018 GMT

Ok, I've got a few years left. ;-)

> openssl x509 -subject -dates -noout -in client-cert.crt

And these are even later of course.

Thanks

Bonno Bloksma
[Openvpn-users] expiry date CA
Hi,

I want to find out when my CA expires, how do I do that. I cannot see any readable info by just looking at the ca.key or the ca.crt. Which command will let me see that info?
Which command will let me see when the client certs expire?

I want to start getting ready for when my CA needs to be renewed. And for when the keys for my clients need to be renewed.
Need to read up on how to generate the next CA and make sure current and new clients can still connect. ;-)

Bonno Bloksma
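The "openssl x509 -dates" answer in this thread tells you the date; what you want before a CA rollover is a check that runs regularly and shouts early. The following is an added example, not a command from the thread: it uses openssl's own -checkend for the date arithmetic (so it does not depend on GNU date), walks a directory of certificates, and adds the chain check you need after issuing certificates from a new CA. It assumes an openssl binary and a directory holding ca.crt plus one .crt per client; the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): expiry and chain checks for the CA
# and client certificates of an OpenVPN server. Builds on the
# "openssl x509 -dates" answer above; assumes an openssl binary and a
# directory holding ca.crt plus one *.crt per client.
set -eu

# notAfter of a certificate, e.g. "May 14 06:04:32 2018 GMT".
cert_end() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }

# Exit 0 if the certificate is still valid $2 days from now, 1 otherwise.
# openssl's -checkend does the date arithmetic, so no GNU date is needed.
valid_for_days() {                    # $1 = cert, $2 = days
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Walk a directory of .crt files and report those expiring within $2 days.
# Exit status 1 if any do, the CA included: when the CA expires, every
# client certificate it signed stops verifying at the same moment, however
# far in the future their own notAfter lies.
report_expiring() {                   # $1 = dir, $2 = warning window in days
    dir=$1 days=$2 rc=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        if valid_for_days "$crt" "$days"; then
            echo "ok       $(basename "$crt")  $(cert_end "$crt")"
        else
            echo "EXPIRING $(basename "$crt")  $(cert_end "$crt")"
            rc=1
        fi
    done
    return $rc
}

# Exit 0 if $2 chains to the CA in $1: run this on a freshly issued client
# certificate after a CA rollover, before handing out the client config.
# It is the same chain check OpenVPN performs against its "ca" file.
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Usage: sh cert-expiry.sh /etc/openvpn/keys 90
if [ $# -eq 2 ]; then
    report_expiring "$1" "$2"
fi
```

Put the report in cron with a window longer than your slowest client rollout: the CA line going to EXPIRING is the signal to start issuing from the new CA, and verify_against_ca on each new certificate is how you confirm the new ca.crt in the client configs actually matches.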
[Openvpn-users] server sided script called via ccd
Hi,

For a few users I would like to limit what they can do when they connect. I was thinking of a few additional firewall rules on the server side. So I want to fire off a bash script when they connect and I would like to configure that via the ccd so I can also easily disable the account when it is not needed for a while.

1) Where is the documentation for the config file in the ccd?
2) Where can I find which parameters are passed to the script?

Server is Debian Squeeze at the moment with OpenVPN Version: 2.1.3-2+squeeze2
I will upgrade that soon to Debian Wheezy with Version: 2.2.1-8+deb7u2

With kind regards,
Bonno Bloksma
senior system administrator

tio
university of applied sciences
julianalaan 9 / 7553 ab hengelo
t +31 (0)74-255 06 10
b.blok...@tio.nl<mailto:b.blok...@tio.nl> / www.tio.nl<http://www.tio.nl/>

Follow us on Twitter<https://twitter.com/hogeschooltio> / Facebook<http://www.facebook.com/pages/TIO-Hogeschool-Hospitality-en-Toerisme/103881882987989#!/pages/Hogeschool-Tio/417375345610> / LinkedIn<http://www.linkedin.com/company/hogeschool-tio/> / YouTube<http://www.youtube.com/user/hogeschooltio>
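Both questions are answered in the openvpn(8) man page: the directives a ccd file may contain are listed under --client-config-dir (push, iroute, ifconfig-push, and disable, which is the one-line way to switch a client off without touching its certificate), and the values handed to scripts are listed under "Environmental Variables" (common_name, ifconfig_pool_remote_ip, trusted_ip, script_type and others). The script itself is not configured per client in the ccd; it is one --client-connect / --client-disconnect script in server.conf that looks at common_name and decides. The following is an added example, not the poster's or the project's code: a script that installs per-client FORWARD rules on connect and removes them on disconnect. The policy table, the common names and addresses in it, and the script path in the comment are all made up for the example; the script-security, client-connect and client-disconnect directives and the environment variable names are OpenVPN's own.

```shell
#!/bin/sh
# Added example: per-client firewall rules from an OpenVPN client-connect
# script. Not code from the post or from the OpenVPN project.
#
# server.conf needs (script-security 2 permits calling external scripts):
#   script-security 2
#   client-config-dir ccd
#   client-connect    /etc/openvpn/client-fw.sh      # path is an assumption
#   client-disconnect /etc/openvpn/client-fw.sh
#
# OpenVPN runs the script with the client's details in the environment
# (common_name, ifconfig_pool_remote_ip, trusted_ip, script_type) and, on
# client-connect, with the path of a temporary file as $1 into which the
# script may write extra directives for this client. A non-zero exit from
# client-connect rejects the connection. To park a client for a while, put
# the single word "disable" in its ccd file instead.
set -eu

# Allowed destinations per common name (whitespace separated). The names
# and addresses are made up for the example. Clients not listed here get
# no rules at all, i.e. whatever the FORWARD chain allows by default.
policy_for() {
    case $1 in
        student-laptop) echo "172.16.5.10/32 172.16.5.11/32" ;;
        contractor)     echo "172.16.20.0/24" ;;
        *)              echo "" ;;
    esac
}

# Refuse anything but [A-Za-z0-9._-] in values that end up on a shell
# command line. The common name comes from a certificate we issued, but
# defence in depth here costs one line.
is_safe() { case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; }

# Print the iptables commands for one client; $1 = -I (connect) or -D
# (disconnect), $2 = common name, $3 = the client's tunnel address.
# Every rule carries a comment tag so it can be found and removed later.
client_rules() {
    act=$1 cn=$2 ip=$3
    dests=$(policy_for "$cn")
    [ -n "$dests" ] || return 0
    # With -I each rule lands at the top of the chain, so emit the DROP
    # first and the ACCEPTs after it: the ACCEPTs then sit above the DROP.
    echo "iptables $act FORWARD -s $ip -m comment --comment ovpn:$cn -j DROP"
    for dst in $dests; do
        echo "iptables $act FORWARD -s $ip -d $dst -m comment --comment ovpn:$cn -j ACCEPT"
    done
}

# Entry point when OpenVPN calls the script.
on_event() {
    case ${script_type:-} in
        client-connect)    act=-I ;;
        client-disconnect) act=-D ;;
        *) echo "not called by openvpn (script_type unset)" >&2; return 1 ;;
    esac
    is_safe "$common_name" && is_safe "$ifconfig_pool_remote_ip" ||
        { echo "rejecting $common_name: unsafe value in environment" >&2; return 1; }
    client_rules "$act" "$common_name" "$ifconfig_pool_remote_ip" | sh -e
}

if [ -n "${script_type:-}" ]; then
    on_event
fi
```

Note the ordering point in client_rules: with -I every rule is inserted at position 1, so the order you emit them is the reverse of the order they end up in. Emitting the ACCEPTs first would leave the DROP on top and cut the client off completely, which is easy to miss when the same function also generates the -D lines, where order does not matter.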
[Openvpn-users] download page release dates
Hi,

I just updated my openvpn servicedesk page for our school where I send people who need OpenVPN for our school. It has a step by step instruction that so far everyone has been able to follow. ;-)
I pointed it to the 2.3.2 I003 release but noticed some strange "date" comments at the top of the download page.

Downloads
OpenVPN 2.3.2 -- released on 2013.06.03 (Change Log)
This release contains a number of bug fixes and small enhancements. The Windows installer I002 released on 13th Aug 2013 has OpenVPN-GUI v5, which contains additional bug fixes. The I003 Windows installer fixes a signature problem in the tap-windows driver, which prevented the driver from being installed in many cases.

The version I am downloading now seems to be version I003 which comes after I002, which seems to be released on 13th Aug. But it states that OpenVPN 2.3.2 was released on 3rd Jun. So I am guessing this June release was the initial 2.3.2 release and I003 is now the latest one, for which there is no date listed.
I understand this and on my instruction page I have a direct link to the 32bit and 64bit installer so my users should never have to read the download page. But if they do they might get confused by the dates (not) mentioned. Maybe listing a date for the I003 release somewhere might be a good idea?

With kind regards,
Bonno Bloksma
system administrator

tio
university of applied sciences
julianalaan 9 / 7553 ab hengelo / the netherlands
t +31 (0)74-255 06 10
b.blok...@tio.nl<mailto:b.blok...@tio.nl> / www.tio.nl<http://www.tio.nl/en/>

Follow us on Twitter<https://twitter.com/hogeschooltio> / Facebook<http://www.facebook.com/pages/TIO-Hogeschool-Hospitality-en-Toerisme/103881882987989#!/pages/Hogeschool-Tio/417375345610> / LinkedIn<http://www.linkedin.com/company/hogeschool-tio/> / YouTube<http://www.youtube.com/user/hogeschooltio>