Re: [Openvpn-users] NTLMv1, NTLMv2 HTTP proxy support?

2021-11-09 Thread Jason Haar

How about ditching the NTLM and adding HTTPS proxy support instead? ;-)
Does the privacy aspect of talking to proxies "properly" of course (Basic
is fine over HTTPS)

(and accidentally makes openvpn-over-TCP look like real TLS traffic too...)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

On 2021-11-07 at 13:55, g...@greenie.muc.de wrote:
> Hi Community,
>
> OpenVPN supports HTTP proxies that require NTLM authentication,
> supporting NTLMv1 and NTLMv2 protocols.
>
> This is old code, which was written in the dark ages, is not currently
> unit/client tested, and uses DES which got deprecated in OpenSSL 3.0.0...
>
> That said, if people still *use* it, we are likely to keep it - otherwise
> it might just become lost :-)
>
> So - if you use HTTP proxy in OpenVPN, and that proxy authenticates
> against a Windows AD domain, and you use NTLMv1 or NTLMv2 authentication,
> please speak up and tell us about your use case!
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] weird Win2012 client issue

2018-06-28 Thread Jason Haar
I've thrown the win2K12 away - moved the existing config directory to Win10
and it "just worked". No idea what was really behind this issue - no worse
off with Win10 - so forwards I go ;-)

On Wed, Jun 27, 2018 at 8:39 AM Selva Nair  wrote:

> Hi,
>
> On Tue, Jun 26, 2018 at 3:36 PM, Jason Haar 
> wrote:
>
>> Nope  - didn't make any difference. I've tried TCP and UDP (with link-mtu
>> 1200) - no difference.
>>
>> There probably aren't many people out there who tried openvpn on a
>> Windows server. Probably a corner case. I think it would be best for me to
>> delete the server (gotta love virtuals) and replace it with a Win10 system.
>> Will probably be OK for what I want.
>>
>
> I recall running the client on a Windows server 2012 host (server should
> also work).
>
> FWIW, I just fired up a 2012 datacenter edition as a google compute
> instance. Using the latest binary from openvpn.net, no issues on a quick
> test of pinging and accessing a web page on the server using ipv4 tunnel ip.
>
> One glitch: the interactive service errored out while setting the ipv6
> address and route with
>
>  TUN: adding address failed using service: Element not found.
> [status=1168 if_index=22]
>  ROUTE: route addition failed using service: Element not found.
> [status=1168 if_index=22]
>
> Did not investigate further, so not sure what went wrong there.
>
> Selva
>


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


[Openvpn-users] weird Win2012 client issue

2018-06-25 Thread Jason Haar
Hey there

I'm trying to get a Win2012 openvpn client to talk to a Redhat7 openvpn
server but am not having much luck. I've reduced the config down to bare
minimums: the link comes up, IP addresses are assigned at both ends - but
they cannot even ping each other.

It screams "firewall", but as far as I can see I've turned them off *and*
disconnected the Windows one from the openvpn interface - so that shouldn't
be it. But if I try to ping the server from the Win2012 client, tcpdump on
the tun interface on the server shows the "echo request" coming in and the
"echo reply" going back out over the same interface - but Windows never
receives it (ie it still smells firewall to me).

Routing table points the vpn subnet to the vpn (the ping proves it) - but
no joy. I can't initiate pings in either direction.

The weird thing is that if I reboot the Win client, after the link comes up I
can *successfully* ping the client *once* (ie one packet). After that the
dead symptoms kick in. I mean - what's that about? :-)

Is there something weird that makes Win2012 act differently than (say)
Win10? I've actually copied the openvpn config to a Win10 system where it
works fine - so this is definitely a working config - just not for Win2012.
Both ends are fully patched and the Windows installer was grabbed yesterday
from openvpn.net

Any ideas appreciated

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] feature request: multiple keys to improve config migration

2017-11-01 Thread Jason Haar
On Wed, Nov 1, 2017 at 2:08 PM, Steffan Karger <stef...@karger.me> wrote:
> Coming back to tls-crypt/tls-auth key rotation: the preferred way is
> what Ilya suggested: add a new openvpn daemon which is using the new key
> and is running on another port, then migrate your clients to the new
> server and finally kill the old server.

I guess we could assign new (2nd) IP addresses to the existing servers,
and use identical configs - except for the new keys - and then alter DNS to
round-robin? That way old-key clients would fail against the new IP but
work on the old, and new-key clients would work on the new IP but fail on
the old. Then after we see no more old-key connections, change the old IP
server config to match the new.

(I don't want to use more ports because we already use the good ones ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


[Openvpn-users] feature request: multiple keys to improve config migration

2017-10-28 Thread Jason Haar
Hi there

Best practice would be to routinely rotate secrets, to mitigate
configuration misuse/loss, etc.

Due to CAs, certificates already support that concept,
but tls-auth/tls-crypt do not.

So wouldn't it be a good idea to allow tls-auth/tls-crypt to contain
multiple keys, so that the key could be rotated without an outage (really
like a "major upgrade"). i.e.

1. replace server key with one containing old + new
2. replace client config, replacing old key with new one
3. wait weeks/months (probably) until you know all clients are reconfigured
4. replace server key with just the new one
5. rotation is now complete


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
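A constructed walkthrough of the five steps above, added here as an illustration (not OpenVPN code, and not its tls-auth/tls-crypt key-file or packet format): the server verifies each control packet's HMAC against a list of keys rather than a single one, so old-key and new-key clients both stay connected until the old key is finally dropped. The keys and the packet payload are made up.

```python
"""Model of an accept-list of control-channel HMAC keys during rotation.
Constructed example: it reproduces the *idea* of tls-auth (HMAC in front of
every control packet), not OpenVPN's actual wire or key-file format."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Sequence, Tuple

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def wrap(key: bytes, packet: bytes) -> bytes:
    """Prefix the packet with HMAC-SHA256(key, packet).  A receiver that does
    not hold the key can drop the packet before any TLS work is done."""
    return hmac.new(key, packet, hashlib.sha256).digest() + packet


def unwrap(keyring: Sequence[bytes], frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Verify a frame against every key in the keyring, in order.

    Returns (index of the key that matched, packet), or None when no key
    matches.  compare_digest keeps each comparison constant-time; the index
    lets an operator see which clients are still using the old key."""
    if len(frame) < TAG_LEN:
        return None
    tag, packet = frame[:TAG_LEN], frame[TAG_LEN:]
    for index, key in enumerate(keyring):
        expected = hmac.new(key, packet, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return index, packet
    return None


def accepted(keyring: Sequence[bytes], frames: Sequence[bytes]) -> Tuple[bool, ...]:
    """One True/False per frame: would a server holding `keyring` accept it?"""
    return tuple(unwrap(keyring, frame) is not None for frame in frames)


def clients_on_old_key(keyring: Sequence[bytes], frames: Sequence[bytes]) -> int:
    """Count frames that verified under the first (old) key.  When this hits
    zero the operator knows step 3 (all clients reconfigured) is complete."""
    count = 0
    for frame in frames:
        result = unwrap(keyring, frame)
        if result is not None and result[0] == 0:
            count += 1
    return count


def rotation_walkthrough() -> Dict[str, object]:
    """Run the five rotation steps from the post against two clients."""
    old_key = os.urandom(64)                    # constructed key material
    new_key = os.urandom(64)
    packet = b"P_CONTROL_HARD_RESET_CLIENT_V2"  # stand-in control payload
    from_old_client = wrap(old_key, packet)     # client not yet migrated
    from_new_client = wrap(new_key, packet)     # client already migrated
    stranger = wrap(os.urandom(64), packet)     # sender with neither key
    clients = (from_old_client, from_new_client)

    results: Dict[str, object] = {}
    # Before rotation: the server holds only the old key.
    keyring = [old_key]
    results["before"] = accepted(keyring, clients)
    # Step 1: server key now contains old + new; nobody is cut off.
    keyring = [old_key, new_key]
    results["step1_old_plus_new"] = accepted(keyring, clients)
    # Steps 2-3: clients migrate at their own pace; the server can count how
    # many are still on the old key before it goes any further.
    results["step3_still_on_old_key"] = clients_on_old_key(keyring, clients)
    # Step 4: server keeps only the new key; a straggler on the old key drops.
    keyring = [new_key]
    results["step4_new_only"] = accepted(keyring, clients)
    # Step 5: at no stage was a frame tagged with an unknown key accepted.
    results["stranger_rejected"] = all(
        unwrap(ring, stranger) is None
        for ring in ([old_key], [old_key, new_key], [new_key]))
    return results


if __name__ == "__main__":
    for step, outcome in rotation_walkthrough().items():
        print(f"{step}: {outcome}")
```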


Re: [Openvpn-users] * UPDATE * OpenVPN v2.4.3 and v2.3.17 releases

2017-06-22 Thread Jason Haar
Does using tls-auth protect against these latest security issues? ie if you
are running older versions but require tls-auth, then would that block
attacks from hackers who don't have your tls-auth file?

Thanks

On Fri, Jun 23, 2017 at 1:29 AM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:

>
> Hi,
>
> We are in an unfortunate situation that our Cloudflare front is
> providing various results, depending on a lot of factors (region,
> browser, computer, etc, etc).  And it causes a massive noise on people
> trying to download and verify that these downloads are correct.
>
> As most of this noise has been related to the source code downloads, I
> have set up an emergency wiki page where an alternative download URL is
> provided ... In addition the proper SHA256 checksums and proper
> signature files are available too.
>
> This will hopefully help people to get the right download.
>
> <http://community.openvpn.net/openvpn/wiki/release-packages-2.4.3-2.3.17>
>
>
> We will go more carefully through our release process and figure out how
> to avoid this mess with the next release.  The discussion has already
> been initiated [1], and we will dig into this for the next release.
>
> [1]
> <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14937.html>
>
>
> On behalf of the OpenVPN core community team, I am truly sorry for this
> mess.  This is not how we want our releases to appear.
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


[Openvpn-users] kill seems to kill all clients - timeout issue?

2017-04-30 Thread Jason Haar
Hi there

I've noticed that if(via the management interface) I kill a client, *all*
clients on the same tun interface are killed!

ie

-
nc 127.0.0.1 port
status
(shows 'n' clients, including their remote IP:port)
kill remote-IP:port
SUCCESS: 1 client(s) at address remote-IP:port killed
-

result: 'n' clients disconnect instead of 1

I noticed it took >30sec before the "SUCCESS" comes back. Doing a strace
showed my "client-disconnect" was doing some fiddling that took most of
that time. I removed it and immediately solved the problem: only one client
was disconnected as expected

So I've solved it - but would like to figure out why it happened, as we do
a lot via the scripts options and frankly I can imagine even myself adding
some slow code to it accidentally again later :-)

So is there some kind of suicide call happening if the kill takes too long?
Or does "client-disconnect" block all clients until it completes - that
would explain everything? (because clients have "ping-restart 20")

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
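OpenVPN runs --client-disconnect synchronously and waits for it to exit, so a hook that takes longer than the clients' ping-restart window stalls the whole daemon and every client times out. As an added illustration (not code from the post or from OpenVPN), a hook that records what it needs and hands the slow part to a detached worker so that it returns at once; SPOOL_DIR and the worker path are assumed placeholders.

```python
"""Constructed --client-disconnect hook that returns immediately.
Not OpenVPN code; SPOOL_DIR and WORKER are placeholders for this example."""
import json
import os
import subprocess
import sys
import time
from typing import Dict, List, Mapping, Optional

# Variables OpenVPN exports to --client-disconnect scripts.
FIELDS = ("common_name", "trusted_ip", "trusted_port",
          "bytes_received", "bytes_sent", "time_duration")

SPOOL_DIR = "/var/spool/openvpn-disconnect"                       # assumed
WORKER = [sys.executable, "/usr/local/lib/openvpn/slow_worker.py"]  # hypothetical


def disconnect_record(env: Mapping[str, str], now: Optional[float] = None) -> Dict[str, object]:
    """Collect the hook's inputs into a JSON-able record.  Missing variables
    become None: the hook must neither crash nor block on anything."""
    rec: Dict[str, object] = {name: env.get(name) for name in FIELDS}
    for name in ("bytes_received", "bytes_sent", "time_duration"):
        if rec[name] is not None:
            rec[name] = int(str(rec[name]))
    rec["event"] = "client-disconnect"
    rec["logged_at"] = int(now if now is not None else time.time())
    return rec


def spool(rec: Dict[str, object], spool_dir: str) -> str:
    """Persist the record with a single atomic rename so the worker never
    sees a half-written file.  The certificate CN is sanitised before it is
    used in a file name; returns the final path."""
    os.makedirs(spool_dir, exist_ok=True)
    safe_cn = "".join(ch if ch.isalnum() or ch in "-_." else "_"
                      for ch in str(rec["common_name"]))
    final = os.path.join(spool_dir, f"{rec['logged_at']}-{os.getpid()}-{safe_cn}.json")
    tmp = final + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(rec, fh)
    os.replace(tmp, final)
    return final


def read_record(path: str) -> Dict[str, object]:
    """Read a spooled record back (what the detached worker would do)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def hand_off(worker: List[str], path: str) -> None:
    """Start the slow part in its own session with no inherited pipes, so this
    hook can exit right away and the daemon keeps serving the other clients."""
    subprocess.Popen(worker + [path], stdin=subprocess.DEVNULL,
                     stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                     start_new_session=True, close_fds=True)


def main() -> int:
    started = time.monotonic()
    hand_off(WORKER, spool(disconnect_record(os.environ), SPOOL_DIR))
    # Guard rail: anything measurable here is a daemon stall in the making
    # (the post's clients use ping-restart 20), so make it visible.
    elapsed = time.monotonic() - started
    if elapsed > 1.0:
        print(f"client-disconnect hook took {elapsed:.1f}s", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```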


Re: [Openvpn-users] TLS Error: Unroutable control packet received

2017-03-05 Thread Jason Haar
I don't want to seem a pedant, but it sounds to me like "unroutable" in
this context is not referring to networking, but instead means it cannot be
associated with an existing session?

If so, wouldn't it be better to say something like "TLS Error: bogus/old
control packet received from %s (si=%d op=%s)"

All I know is that if I saw that "unroutable" message, I would be 100%
thinking about network and firewall problems - I would never have thought
this was anything else


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking

2017-01-02 Thread Jason Haar
On Tue, Jan 3, 2017 at 12:10 AM, Samuli Seppänen <sam...@openvpn.net> wrote:

> We've discussed traffic obfuscation in the past many times, and have
> always concluded that we don't want to play that cat-and-mouse game in
> the _core_ OpenVPN.
>

I agree - sort of. I'd say the one exception would be to add proxy-over-TLS
support into openvpn. It's merely an extension of existing code but means
those who choose to use it would gain the ability to appear exclusively as
a TCP/TLS transaction - no evidence of vpn traffic at all.

ie, set up squid on your openvpn server with a TLS port (https_port), acl
it down to only be a proxy for localhost:1194 (say). Then configure openvpn
client as


remote localhost:1194 tcp
http-proxy squid.server 443


All anyone would see is the client making a TLS (with SNI) connection to
https://squid.server/ (and lots of traffic...). Would look effectively
identical to Skype, Hangouts, etc. ie large volumes of (assumed) HTTPS
traffic. Could probably configure squid so that it defaults to a real
Apache server, and does the "trick" just for "CONNECT localhost:1194" -
that way even connecting to it would show a website

Hmm, on second thoughts, this would be easier/cleaner to do in Apache via
mod_proxy...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] question about "WARNING: this cipher's block size is less than 128 bit"

2016-11-07 Thread Jason Haar
On Mon, Nov 7, 2016 at 10:46 PM, Gert Doering <g...@greenie.muc.de> wrote:

>  - 2.4 client talking to 2.4 server will send a special handshake
> (IV_NCP=2)
>which signals "I can do pushable cipher, and I can do AES-GCM", so the
>server will (usually) send back "cipher AES-256-GCM" and move itself
>to AES-256-GCM as well.
>

All right, let's get this clear for me and for others :-)

If I have a 2.4 server, I can set it to "cipher BF-CBC" and keep all the
2.3 clients happy. Then I can migrate the clients to 2.4 (even with "cipher
BF-CBC" too), and as they come in, they negotiate before "cipher" matters
and go AES-256-GCM: basically "--cipher" is ignored in 2.4+ transactions?
Or I can migrate the clients to 2.4 with "cipher BF-CBC", and when they
fail to negotiate with the 2.3 server, they'll still be happy, and then
when I migrate the server to 2.4, they all auto-update to AES

Is that correct? That would be perfect as then no dual infrastructure would
be required


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] question about "WARNING: this cipher's block size is less than 128 bit"

2016-11-06 Thread Jason Haar
On Fri, Nov 4, 2016 at 8:47 PM, Gert Doering <g...@greenie.muc.de> wrote:

> The other would be to live with the warning message until you can roll
> out 2.4, which will be able to handle per-client ciphers, AND will
> auto-upgrade 2.4 clients to AES-256-GCM.
>

By that do you mean that if you upgrade the clients to 2.4 (with 2.3
server), and don't define "cipher", they will figure it out and still work
with the older server. And when I finally upgrade the server to 2.4
(without defining "cipher"), then after the restart, the 2.4 clients will
all move off Blowfish to AES? That would be great - certainly worth waiting
for :-)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] [Openvpn-devel] OpenVPN 2.3.12 released

2016-08-24 Thread Jason Haar
On Wed, Aug 24, 2016 at 3:52 AM, Samuli Seppänen <sam...@openvpn.net> wrote:

> The OpenVPN community project team is proud to release OpenVPN 2.3.12.
>

Great work guys. Can you tell me if the peer-info and peer-id server side
code is in this version too? I'm still running on a GIT version of the
server because of my desire for the peer-id data, but I'd rather be vanilla
to be honest :-)

Thanks again!


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] Access from Client on a high latency link very slow

2016-08-15 Thread Jason Haar
I'm in New Zealand and indeed can confirm VPN (basically any kind) works
just fine over high-latency links. The only real issue is *packet loss*. If
you are on a raw Internet link with (say) 1% packet loss, and mostly do
non-stateful stuff like web surfing, then your Internet experience is
"pleasant". However, if you run a VPN (any kind) over that 1% packet loss
link, it "feels like" 10% packet loss within the VPN - and at that point
from an end-user perspective it is effectively *broken*. People complain, cats
and dogs live together in harmony, world ending catastrophe.

Packet loss is the enemy of VPNs - not distance

On Tue, Aug 16, 2016 at 12:33 AM, Eduardo Wirth <ewi...@hexa.com.uy> wrote:

> Hello
> I live and work in Uruguay.
> 300ms RTT to Europe is expected as a normal delay.
> South America - Europe traffic is normally routed via Miami.
> I agree with the comments from Selva. I have worked with satellite
> connections (more than 1000ms) ... it always depends on the type of data
> you want to transmit and its features (interactive or not).
> But, correctly, 300ms can work in most scenarios.
>
> Eduardo
>
> Dante F. B. Colò wrote:
> > Hello everyone
> >
> > I have an issue with a client machine running openvpn 2.3.11 on Windows
> > 10 located in London. My server is located here in São Paulo, Brazil,
> > and there is high latency between the two endpoints: ping replies to
> > each other take around 280 ms. When I try to access some service on my
> > network almost everything takes a long time to respond; it's practically
> > unusable. I already tried some things like enabling LZO compression and
> > changing the MTU on the client and server tun interfaces. I still don't
> > have much experience with openvpn. Is this normal? Is there anything more
> > that I can do to improve performance?
> >
> >
> > Regards
> > Dante F. B. Colò
> >



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] Recommended MTU

2016-07-28 Thread Jason Haar
I have always found that UDP never works without fiddling with MTU-related
settings. So for UDP configs we use

fragment 1400
mssfix
explicit-exit-notify 2

No need for TCP - that just works

On Fri, Jul 29, 2016 at 7:56 AM, Chris <chris2014+open...@postbox.xyz> wrote:

> All,
>
> what are recommended MTU / fragment / mssfix settings for UDP road
> warriors?
>
> What settings are best for clients connecting to port 443 (TCP)?
>
> - Chris
>
>
>



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] openvpn-install-2.3.11-I601-x86_64 bluescreens latest Win10 Insider build

2016-06-01 Thread Jason Haar
On Fri, May 13, 2016 at 6:47 PM, Gert Doering <g...@greenie.muc.de> wrote:

> Given that the tap6 driver works on about every version of windows since
> Vista, and we've not received any reports about system crashes, I tend to
> point at "microsoft broke something in the driver handling" - but have no
> idea how to debug that, or what to do about it.
>

Is there any way one of the openvpn developers for Windows could get onto
the Insider Build track to see this for themselves? This is probably a
warning of things to come. It could be the next formal build release of
Win10 to the public has this characteristic and then openvpn will be toast?



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] OT: howto make Ubuntu networkmanager restartdnsmasq?

2016-05-23 Thread Jason Haar
On Tue, May 24, 2016 at 9:42 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:

> (/etc/NetworkManager/dispatcher.d/10_dnsmasq +
> /etc/systemd/system/NetworkManager-dnsmasq.service)
>

Nah - there is no NetworkManager-dnsmasq service in Ubuntu-16.04 (and yes
it is systemd based). There is no "*dnsmasq*" service at all - it's just
something that NetworkManager calls somehow - but doesn't bother to keep
tabs on.

I think I might just go back to Fedora, I have not been enjoying the
experience ;-)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


[Openvpn-users] OT: howto make Ubuntu networkmanager restart dnsmasq?

2016-05-23 Thread Jason Haar
Hi there

I use the "up/down" feature of openvpn to enable/disable redirecting DNS
lookups of  intranet domains to our work network when openvpn is up and
running - and tear it down when it's not

However, I can't actually get that part to work. dnsmasq has a "feature"
whereby you can't tell it to re-read its config - it's only read at
startup. So I've got "--up" creating a
nice /etc/NetworkManager/dnsmasq.d/intranet file, but can't figure out how
to tell NetworkManager to restart dnsmasq, so that it can discover that.
Restarting NetworkManager certainly fixes the problem - but restarting the
entire network stack just to fix DNS is not a solution...

Anyone else figured that out? This is Ubuntu 16.04. Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


[Openvpn-users] openvpn-install-2.3.11-I601-x86_64 bluescreens latest Win10 Insider build

2016-05-12 Thread Jason Haar
Hi there

I just heard from one of our IS staff who moved onto the Win10 Insider
build 14332 that it was continually bluescreening, and that disabling
openvpn fixed it (we run openvpn as a service). So I did the same thing
(installed 14332) using the current 2.3.11-I601-x86_64 and indeed the
moment the TAP interface comes up (ie it gets a tunnel IP address), the
system crashes. This issue also affects the older 2.3.10 version - so it's
more likely the new Win10 build "does something differently"

So this could be a major bug with Win10 14332 (it only just came out) that
openvpn just happens to tickle - but it could also imply Win10 now has some
subtle assumptions that openvpn/TAP isn't meeting?

I dunno - that's why I brought it up :-)

PS: The bluescreen only says "CRITICAL_PROCESS_DIED" and there's nothing in
the eventlog about it. System comes up, openvpn is started, openvpn logs
get to report "Initialization Sequence Completed", system crashes.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


[Openvpn-users] feature request: HTTPS proxy support

2016-03-15 Thread Jason Haar
Hi there

We're starting to use proxy servers with native TLS support (you connect to
the proxy over TLS, then send your proxy requests - ie all proxy traffic is
encrypted). If openvpn supported such a mode, we could encapsulate openvpn
traffic within a TLS channel - which could help openvpn actually work for
some of our users when travelling to certain countries...

Yes this is an obfuscation trick, but one that uses 99% of existing code :-)

and yes I know this could be hacked together using stunnel/socat/etc. But
notice the phrase "hacked together"

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] Allowing all OpenVPN 2.4.x Windows users to run OpenVPN by default?

2016-03-03 Thread Jason Haar
On Fri, Mar 4, 2016 at 1:38 AM, Gert Doering <g...@greenie.muc.de> wrote:

> I think this needs to be a question the installer asks.
>

I agree. Let's face it, the use-case you are talking about is an
organization using something like SCCM to roll out openvpn to a bunch of
users - who don't have local admin (if they did, you wouldn't need this
feature).

Frankly, such an organization is really using SCCM to control who has
openvpn, so would also probably want all users *who have openvpn installed*
to be able to run openvpn - so would set the group to be "Domain Users"
rather than anything finer-grained. Or they would make a domain group
called "Openvpn Users" and use it to control who gets openvpn - and
therefore also has the ability to run it

Jason


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Openvpn-users] Push proxy settings on Windows

2015-12-20 Thread Jason Haar
Traditionally the mechanism would be to use WPAD over DNS.

That would make a Windows computer resolve "wpad.XXX" for every domain
every DNS interface has, which means your VPN interface domain name
could respond - telling the browser about the local proxy/etc.
AD-integrated Windows computers would also look up
"wpad.their.ad.domain" too - which is another opportunity to respond
with WPAD details

Jason

On 21/12/15 10:44, Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2015 at 11:44:36AM -0800, Laurens Vets wrote:
>> Is it possible somehow to push proxy settings from the OpenVPN server 
>> to clients (Windows or Linux)? I wasn't immediately able to find 
>> anything that might explain it if it's supported...
> It is not, because it doesn't make sense - at least for the proxy settings
> for OpenVPN itself, because you need them before you can connect to the
> server to receive the info which proxy to use...
>
> As for clients using the VPN, that might be possible by passing 
> environment variables ("push setenv ...") and setting up something
> in an --up script.  But I'm not aware of any ready-made implementation.
>
> gert


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [Openvpn-users] want to confirm: verify-x509-name for cert DNS check

2015-12-13 Thread Jason Haar
On 14/12/15 00:29, Steffan Karger wrote:
> No, verify-x509-name does not do anything with Subject alt names. It 
> validates the peer certificate subject (or a specific part of the 
> subject, if you use the 'name' or 'name-prefix' types).  I think the man 
> page explains this quite accurately:
My mistake - our server cert actually has the name I intend to use as
the primary name - and the actual "real" server names as Subject Alt
names. I sort of just assumed they were all treated as one "array" -
like what happens in browsers

In any case - excellent - I can work with this :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] openvpn server pretends to be .254 for emulated dhcp server?

2015-12-06 Thread Jason Haar
On 05/12/15 15:10, Selva Nair wrote:
> OpenVPN will fail with an error saying dhcp server address conflicts
> with the client ip. 
> You can change this default behaviour using "ip-win32 dynamic 0" to
> move the 
> dhcp server to x.y.z.0. Then 254 will be accepted.

We use .1 on the server, so would "ip-win32 dynamic 1" make the client
think the DHCP server was on 192.168.0.1? That would be perfect


#This defines the "dhcp" range
mode server
tls-server
push "topology subnet"
ifconfig 192.168.0.1 255.255.255.0
ifconfig-pool 192.168.0.10 192.168.0.254 255.255.255.0

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Jason Haar
On 29/11/15 22:56, Steffan Karger wrote:
> OpenVPN makes a distinction between control traffic (key/config
> exchange, etc) and data traffic (actual vpn network packets).  For
> control packets, OpenVPN has a reliability layer that ACKs packets,
> retransmits, etc.  For data packets, OpenVPN does not do any of that.
> (But, when you're using TCP mode, TCP does that, ofc.)
...Then why does it work so well over UDP?

I almost exclusively use openvpn over UDP and I would have thought the
lack of error checking on the data channel would hurt, so why doesn't it?

eg, if there's no UDP error checking built into openvpn, then shouldn't
DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
Internet generally so reliable that it doesn't matter? (eg 1% packet
loss on Internet leads to 1% packet loss inside openvpn tunnel?)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] client config fallback from 1194 udp to 80 tcp

2015-10-20 Thread Jason Haar
On 21/10/15 09:49, debbie...@gmail.com wrote:
> NOTE: Just because you specify HTTP port 80 does not mean an intervening
> firewall is not capable of detecting a NON HTTP protocol and blocking you 
> anyway.
I agree - in fact I'd suggest NEVER use tcp/80 and instead use tcp/443 -
as that's just as likely to be open and you are less likely to hit a
transparent proxy

Also, you had tcp/80 first and then udp/1194 - which I think is the
opposite order to what you wanted? ie openvpn works from the top of the
config downwards

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] anyone get ChromeOS openvpn working?

2015-09-22 Thread Jason Haar
Hi there

I've used the ONC documentation to create a ONC file for ChromeOS and
used chrome://net-internals/#chromeos to import it in. The openvpn
config contains tlsauth, client certs, CA certs, both udp and tcp and
IgnoreDefaultRoute==true

http://www.chromium.org/chromium-os/chromiumos-design-docs/open-network-configuration

When I attempt to connect, the server shows the incoming connection and
IP address assignment - but then - nothing. The device isn't pingable
and sniffing the vpn interface (on the server) shows no traffic. Then
after the ServerPollTimeout interval, the client disconnects and
immediately reconnects - ad infinitum

I don't know if there's a mechanism to debug the client, so I'm pretty
much stumped. We have openvpn working on Linux/Mac/Windows/Android and
IPhone - but for the life of me I cannot get it going on ChromeOS

Has anyone got that working?


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] need some form of anti-DOS in openvpn?

2015-08-11 Thread Jason Haar
Hi there

There have been a few occasions where some valid Windows client would
continually hit our openvpn server, but something goes wrong on the
client end and it immediately retries: around once every 5 seconds. No
idea what the root cause is (besides it's Windows ;-), but it's the
impact on the server that this email is about

We use the script options on --up,etc - so what happens is there is a
flood of scripts being run against this client-that-is-broken and
basically the load average goes through the roof (ie due to the scripts
more than openvpn itself) and the entire server starts to stagger -
which would affect all the nicely connected clients. To reiterate, this
means the client gets a tunnel up and running, but then immediately gets
another tunnel up and running (the first one still going, calling --up
scripts and yet that client session is dead, waiting for the server to
time it out)

Not much to go on I know, but could there be some way for openvpn server
to keep track of something like timestamp:externalIP:cert  and
basically start ignoring new sessions if it sees more than one every XX
seconds? That would reduce the damage such events cause (note I don't
include ports in my suggestion because an openvpn server may have
multiple ports available to all clients - so they're not unique)

Thanks

PS: actually, I've seen this with the Chrome client too. Totally bugs on
the client - but it kills the server

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
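One way to implement the timestamp:externalIP:cert throttle proposed above, as an added example and not code from the OpenVPN project or the list post; it is a --client-connect script (OpenVPN rejects the client when that script exits non-zero), and the state file path and the 30-second interval are assumptions chosen for the example.

```python
#!/usr/bin/env python3
"""Per-client connection rate limiter, written as an OpenVPN --client-connect
script.  Added example for this thread, not code from the OpenVPN project.

The post's idea: key new sessions on externalIP:cert (no port, since one
server may listen on several), remember when each key last connected, and
ignore a new session that arrives within MIN_INTERVAL seconds of the previous
one, so a client stuck in a connect/retry loop cannot keep the server busy
running per-client scripts on its behalf.

OpenVPN exports common_name and trusted_ip into the script environment and
rejects the client when a --client-connect script exits non-zero.  The state
file location and the interval are assumptions chosen for this example.
"""
import json
import os
import sys
import time

STATE_FILE = "/var/run/openvpn/connect-rate.json"  # assumed path
MIN_INTERVAL = 30.0  # seconds: the "XX" from the post, chosen for this example


def session_key(trusted_ip, common_name):
    """externalIP:cert, deliberately without the source port."""
    return f"{trusted_ip}:{common_name}"


def check_and_record(state, key, now, min_interval=MIN_INTERVAL):
    """Decide whether a new session for `key` at time `now` is allowed.

    Returns True if no session with this key was seen in the last
    min_interval seconds, False otherwise.  The timestamp is refreshed on
    every attempt, allowed or not, so a client retrying every 5 seconds stays
    blocked until it is quiet for a full interval.  Keys older than the
    interval are pruned so the table does not grow without bound.
    """
    last = state.get(key)
    allowed = last is None or (now - last) >= min_interval
    state[key] = now
    stale = [k for k, t in state.items() if k != key and now - t > min_interval]
    for k in stale:
        del state[k]
    return allowed


def load_state(path):
    """Read {key: last_seen_unix}; a missing or corrupt file counts as empty
    so a damaged state file can never lock every client out."""
    try:
        with open(path) as fh:
            return {k: float(v) for k, v in json.load(fh).items()}
    except (OSError, ValueError, AttributeError):
        return {}


def save_state(path, state):
    """Write via a temporary file and rename so concurrent connects never read
    a half-written table."""
    tmp = f"{path}.tmp.{os.getpid()}"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def main():
    cn = os.environ.get("common_name")
    ip = os.environ.get("trusted_ip")
    if not cn or not ip:
        # Not invoked by OpenVPN: this is a load limiter, not an
        # authentication step, so let the connection through.
        return 0
    # Serialize concurrent connects: two instances of this script may run at
    # the same time, and the read-modify-write of the table must not interleave.
    import fcntl  # Unix only, where this server-side script is meant to run
    with open(f"{STATE_FILE}.lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        state = load_state(STATE_FILE)
        ok = check_and_record(state, session_key(ip, cn), time.time())
        save_state(STATE_FILE, state)
    if not ok:
        print(f"rate limit: {cn} from {ip} reconnected within {MIN_INTERVAL:.0f}s, "
              "rejecting", file=sys.stderr)
        return 1  # non-zero exit: OpenVPN rejects this client
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Rejecting at --client-connect still costs the server the TLS handshake for each retry, but the per-client scripts that follow are skipped, which is where the post says the load comes from.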




Re: [Openvpn-users] any way to add additional DHCP options?

2015-07-01 Thread Jason Haar
On 01/07/15 23:19, j.witvl...@mindef.nl wrote:
> I can polish up my patch again and add NTP, TFTP and WPAD support, if there's
> enough demand for it. The patch would not be very large anyway, so the lots
> of extra code argument applies only a little
I know this is a little biased, but I've just reviewed all the standard
DHCP options Windows DHCP server has and I think if you were to add the
following options, that would cover all the useful ones actually on
offer (fighting words I know! ;-)

* TFTP (150)
* WPAD (252)

Even then WPAD isn't really needed as there's a much better alternative
(wpad.* dns name) that works fine over openvpn, and the TFTP one is
really just because of Cisco's product (I can't think of any other non
boot-time application that wants to use TFTP to gain data - haven't they
heard of SRV DNS records???)

That would make for a small patch ;-)

PS: I ignored my favorite "sounds useful, but is poorly supported"
Timezone (101) option because your computer's timezone should always
come from your physical location - not the remote end of a VPN tunnel. I
think a lot of DHCP options aren't needed for the same reason

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] any way to add additional DHCP options?

2015-06-30 Thread Jason Haar
Hi there

We're having difficulty getting openvpn to work with IP Communicator -
which relies on DHCP to tell it TFTP details

As openvpn only supports a small number of fake dhcp options, I can't
think of a way to push that value out to clients - any ideas? (the
client does allow you to hardwire it to the correct value, but we're
trying to make the application work like it does on the LAN - ie
auto-configure)

Obviously I'm running this in routing mode - not bridging (because then
it would be working! ;-)

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] any way to get local network details to flow through to the server?

2015-06-03 Thread Jason Haar
On 03/06/15 21:54, Gert Doering wrote:
> It might be possible to actually hack together something with a wrapper
> script around openvpn that does --setenv UV_MY_NETWORK 1.2.3.0/24,
> because UV_ env variables are sent as push-peer-info to the server.
Yeah I thought about that: easy enough to wrap something around Unix
installs - harder for everything else. During the install on clients we
grab their hostname and push it into their config via  UV_HOSTNAME for
precisely that reason. Would be great to have other metadata in there too

Sounds like I'm stuck with the server having to do the donkey work. All
our clients have to allow remote admin as a requirement (poor-mans NAC),
so the server will log in, discover the routing table and if it's
funky, will reconfigure the client directly to route more traffic
through the tunnel. Or maybe just generate an alert  to begin with.
Should probably learn how to walk before going crazy on people's routing
tables ;-)


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1






Re: [Openvpn-users] any way to get local network details to flow through to the server?

2015-06-02 Thread Jason Haar
On 03/06/15 10:58, David Sommerseth wrote:
> Hi, Have you looked at the --client-nat option in the man page?

Yeah - but it's an issue of only wanting it under the condition when the
local network conflicts with the corporate network. One-to-one NAT is
great but it still breaks some applications, so no NAT is still the
best option when appropriate.

We run openvpn in always on mode - so there's no opportunity for
end-users to change settings manually (not that most of them are
technically up to the diagnostics required any way) - hence my desire to
do it on the server end. Sounds like my option 3 is the only way:
allow the user to connect, get server to query client to find out local
routing table and then reconfigure the client to match conditions where
appropriate

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] has anyone got the Chromebook openvpn client working?

2015-05-21 Thread Jason Haar
Slight update. I just had the same problem on Android with the OpenVPN
for Android app, but as it's basically the pure client it was easier
to diagnose the issue. This is a UDP profile and the server has
fragment 1400 - so the client has to have that too. Once I put that
onto the Android, it started working. Unfortunately, I can't seem to
find the ONC-equivalent for Chromebook - any ideas?

Thanks

BTW: I have NEVER got UDP working until I explicitly reduced the
fragment size. So if the server is stating fragment XXX and the client
either has no mention of fragment, or fragment is larger than the
server, shouldn't it either error - or set itself to the same value?
(and it isn't listed as pushable either). This seems such an obvious
case for something else to happen?


On 22/05/15 16:05, Jason Haar wrote:
> Hi there
>
> We've got a working openvpn server successfully supporting
> Linux/Windows/Mac clients. I just tried to get the native Chromebook
> client working via the .ONC file config support (have to due to
> tls-auth/etc) and didn't have much luck. It successfully connects and
> gets an IP, but immediately drops off. The server notices no real errors
> other than
>
> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546',
> remote='link-mtu 1542'
> WARNING: 'mtu-dynamic' is present in local config but missing in remote
> config, local='mtu-dynamic'
>
>
> We don't see that with any other client - just the Chromebook.
>
> Has anyone got the current Chromebook working with openvpn? I'd love to
> know what you did  ;-)
>
> Thanks!



-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] has anyone got the Chromebook openvpn client working?

2015-05-21 Thread Jason Haar
Hi there

We've got a working openvpn server successfully supporting
Linux/Windows/Mac clients. I just tried to get the native Chromebook
client working via the .ONC file config support (have to due to
tls-auth/etc) and didn't have much luck. It successfully connects and
gets an IP, but immediately drops off. The server notices no real errors
other than

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546',
remote='link-mtu 1542'
WARNING: 'mtu-dynamic' is present in local config but missing in remote
config, local='mtu-dynamic'


We don't see that with any other client - just the Chromebook.

Has anyone got the current Chromebook working with openvpn? I'd love to
know what you did  ;-)

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] Disconnects, maybe from Bad source address messages after connection

2015-04-18 Thread Jason Haar
On 19/04/15 01:55, Gert Doering wrote:
> OTOH, you'll see the behaviour in many mobile networks today: if there
> is no traffic inside OpenVPN for a given time, like 60 seconds (yes,
> that short), it will time out the NAT entry and on the next packet, you
> end up with a new source port or source IP address
Doesn't --ping take care of that? Keepalive packets should mean the
TCP/UDP NAT session sees enough traffic to stop any NAT firewall from
timing it out (assuming ping is 30sec). That in turn should stop the
firewall needing to change port numbers

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1






Re: [Openvpn-users] Disconnects, maybe from Bad source address messages after connection

2015-04-18 Thread Jason Haar
On 19/04/15 12:05, Jeff Mitchell wrote:

> Unless the NAT implementation is broken. Read up a bit in the thread :-)


Ohh! :-)

(but there are no broken NAT implementations! Say it ain't so!)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [Openvpn-users] Traffic/client source

2015-03-24 Thread Jason Haar
On 25/03/15 11:43, Bjorn S. Nilsson wrote:
> Sometimes I would like to find out what client is the source of
> certain outgoing OpenVPN server packages. Or, more precisely, which
> client is communicating with a particular host. If this is possible,

echo status| nc manage.ment.ip mgt.port

ie ensure openvpn has --management configured, then you can query that
and it will tell you the name of the client cert, what local IP was
allocated and what their external IP is.

Then a packet sniffer (eg tcpdump) can be used to see what traffic is
being generated - either internal or external (obviously the external
will all be encrypted openvpn traffic - so it's not very interesting)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
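The status-table lookup described above, as an added example that is not part of the original post or the OpenVPN project: it parses the default --status-version 1 "status" output from the management interface and maps virtual IPs seen in a capture back to the client cert CN and external address. The status text below is constructed for this example; fetch_status() is the socket equivalent of the echo | nc one-liner and assumes the management interface has no password set.

```python
#!/usr/bin/env python3
"""Attribute tun/tap traffic to OpenVPN clients via the management "status" table.

Added example for this thread, not code from the OpenVPN project.  The
"status" command on the management interface lists each connected client's
certificate CN, real (external) address and assigned virtual IP; once that
table is parsed, any virtual IP seen with tcpdump on the VPN interface can be
tied to a CN.  The sample output is constructed in the --status-version 1
layout (the default).
"""
import socket

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Mar 24 11:40:02 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice-laptop,203.0.113.10:51234,184233,901233,Tue Mar 24 09:12:44 2015
bob-desktop,198.51.100.7:1194,3382,2200,Tue Mar 24 11:39:10 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice-laptop,203.0.113.10:51234,Tue Mar 24 11:40:01 2015
10.8.0.10,bob-desktop,198.51.100.7:1194,Tue Mar 24 11:39:12 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return {virtual_address: {"cn": ..., "real": ...}} from version-1 output.

    The ROUTING TABLE section is the one that ties a virtual address to a CN,
    so that is what is indexed.  In tun mode with iroute, extra rows carry a
    subnet (a.b.c.0/24) as the virtual address; in tap mode it is a MAC.  Both
    are kept as-is, since a capture may show either.
    """
    table = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        if section != "ROUTING TABLE" or line.startswith("Virtual Address,"):
            continue  # management greeting, client list, stats, column headers
        fields = line.split(",")
        if len(fields) < 3:
            continue
        table[fields[0]] = {"cn": fields[1], "real": fields[2]}
    return table


def attribute(table, virtual_ips):
    """Map each virtual IP from a capture to its client, or None if unknown
    (a capture can contain addresses of clients that have since dropped)."""
    return {ip: table.get(ip) for ip in virtual_ips}


def fetch_status(host, port, timeout=5.0):
    """Socket equivalent of `echo status | nc host port`: send the command and
    read until the END line.  Assumes --management without a password file;
    with one, the interface first asks for the password."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"status\n")
        buf = b""
        while b"\nEND" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Typical use: virtual IPs pulled out of a tcpdump on the server's tun
    # interface, looked up against a live status table.
    owners = attribute(parse_status(SAMPLE_STATUS), ["10.8.0.6", "10.8.0.99"])
    for ip, who in owners.items():
        print(ip, "->", who["cn"] if who else "(not connected)")
```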




Re: [Openvpn-users] OpenSSL Security Advisory [19 Mar 2015]

2015-03-20 Thread Jason Haar
Do any of them affect openvpn if it's set to use tls-auth (as recommended)?

ie is openvpn immune from these if the bad guys don't have copies of
your tls-auth file

Thanks

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] is there a better way to capture disabled tap interfaces under Windows?

2015-03-19 Thread Jason Haar
Hi there

We run openvpn under Windows as a service and have had a couple of
situations where users for one reason or another have decided to disable
openvpn by disabling the TAP interface instead of shutting down the
openvpn service. The problem is that openvpn doesn't appear to look too
hard at the enable/disable state of the adaptor and goes through the
entire connection to server, negotiating ip addresses, etc - before
noticing and crashing/exiting. This causes an infinite loop: the client
connects, crashes, sleeps, connects, etc - and the load on the server
goes through the roof - all from one user. We can blame the service
manager for that - but frankly I *want* it to restart openvpn on error -
just not this error :-)

Telling users what to do is fine and sensible, but has a 0% chance of
working. Wouldn't it be better if openvpn checks the state of the
interface right at the beginning and simply refuses to connect if it's
in an unusable state? I'd rather the client went into an infinite loop
of starting, checking, exiting, starting, etc than involve the server
(which affects other users). A 5-10 second delay after such a condition
was detected would help reduce any client impact too of course

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] anyone else seeing openvpn portscanning?

2015-03-17 Thread Jason Haar
I have two openvpn routers - one in the US and one in NZ (ie completely
different networks). Both are currently being scanned on tcp port 1194
from about 12 different IP addresses - all in Amazon (ie EC2 instances)

They are causing no harm, but I'm seeing around 1 new connection every 2
seconds, and the scary thing is the NZ router is seeing the same source
IP within seconds of the US one - which makes me feel like we're being
targeted, but the lame, repetitive nature of the port scanner (it's
basically a 3-way and hangup - no data as such) makes this the
stoopidist scanner there is :-). We use tls-auth as well as certs so
these aren't going to find anything. It's also only tcp/1194 - not even
the default udp/1194, nor any of the other ports we run openvpn on

Anyone else seeing these?


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] Status log not updating.

2015-01-28 Thread Jason Haar
On 29/01/15 09:15, Stefan Monnier wrote:
> Reviewing code is too time consuming. Instead, I just download such
> crap through a VPN, this way I know I'm secure

make sure it uses AES!!! Really important

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] Windows 7 + Windows 8 (and Vista) - tunnel fails after resume from Sleep/Standby

2015-01-08 Thread Jason Haar
I ditched using openvpnservice for precisely this reason and instead
have had great results using nssm (The Non-Sucking Service Manager from
http://nssm.cc/)

Basically it is a better service manager than the default Windows one
and I use it to control openvpn.exe. End result is we can have
sleep/hibernate, restart, have tunnels die,etc and nssm will ensure
openvpn.exe is restarted - precisely what you want in an always on
vpn/headless solution

Here's how we configure it

"c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppDirectory "c:\Program Files\openvpn\config" > NUL 2>&1
"c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppParameters trimble.cfg > NUL 2>&1
"c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppStdin "C:\Program Files\openvpn\log\trimble-openvpn-stdin.log" > NUL 2>&1
"c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppStdout "C:\Program Files\openvpn\log\trimble-openvpn-stdout.log" > NUL 2>&1
"c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppStderr "C:\Program Files\openvpn\log\trimble-openvpn-stderr.log" > NUL 2>&1
"c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn AppRotateFiles 1 > NUL 2>&1
"c:\program files\openvpn\bin\nssm.exe" set trimble-openvpn DependOnService Dhcp tap0901 > NUL 2>&1

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] Yosemite mDNS issues

2014-12-23 Thread Jason Haar
On 24/12/14 08:42, Sebastian Buks wrote:
> What is even more strange is that I have seen it been connected a few times,
> so there is some randomness to it. Has anyone else seen this issue or had
> issues with Bonjour and Yosemite?
My guess would be that if you do see it randomly work, and you know
that openvpn's config hasn't changed throughout those events, then it
has to be a software problem - not a network problem

The whole mdns thang seems buggy (to put it politely), even Microsoft
gave up on broadcast based technology (remember WINS?) and settled on
DNS. On top of that, I just struggled through getting my new Chromecast
to even work on 3 different wifi networks - broadcast based issues
again... (btw: multicast == broadcast in this email ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] ssh over OpenVPN incredibly stable

2014-12-20 Thread Jason Haar
On 20/12/14 00:47, Jan Just Keijser wrote:
> packets and wait for answer (for a certain period of time). So, if
> your home internet connection drops out for , say, 20 seconds then the
> OpenVPN connection remains intact and so will all TCP-based sessions
> that are running over it.

Don't be so modest. I run openvpn as a service (ie it's always running)
and when I'm at home, I'm always logged into 5-10 SSH sessions open at
work (via openvpn). I then suspend (ie sleep) my laptop and go to work -
20-60 minutes. I then un-sleep my laptop, it gets an entirely different
local IP, openvpn reconnects to the vpn router, gets the same IP it had
when at home and lo! my SSH sessions are still there and still respond.
I can have SSH sessions last *weeks* with me shuttling between home and
work every day.

Awesome :-)

BTW: you need to have sticky openvpn client IPs for that trick to work
of course

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] multiple clients with same cert leads to problems

2014-10-07 Thread Jason Haar
Hi there

I've got a corner case I've picked up during testing that makes me
wonder if there's a bug in openvpn

Our openvpn server tests incoming clients to ensure they comply with
our openvpn client standards - killing their session if they don't
(basically client-less NAC).

One thing we're doing is allowing duplicate-cn, but using our NAC test
to reject clients using the same cert (get better logging of the
offenders that way). Anyway, I have a Mac and Windows box set up to use
the same cert to test this, and it causes an interesting situation...

First client connects, second client connects, NAC script notices the
same cert in use and kills the first connection. Second client later
hangs up. If I then look at the first client hours later, it still
thinks it's logged in! There is no error, it still has the tun interface
up, but no traffic flows. The server shows no connection via either
client (I use the management api to confirm that)

We use --ping, and tcpdump confirms the  first client and server are
still exchanging packets - but the server does not classify the client
as being connected. But as the openvpn pings are still working, the
client doesn't know it's actually disconnected. A simple kill -HUP on
the client fixes everything as it forces a full restart

So I have two questions:

1. The client uses explicit-exit-notify - but it looks like using the
kill management command on the server does not tell the client it is
hanging up? Wouldn't that be a good idea?
2. The fact that ping is still working makes me think that means ping
must be *separate* from session management? Isn't that a bad idea?

Hopefully I'm wrong and someone will tell me I'm doing it incorrectly :-)

server is 2.3_git, and this is over UDP of course (I doubt this is an
issue over TCP, although I haven't tested)

Thanks

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] blocking issue with management port

2014-09-18 Thread Jason Haar
On 18/09/14 19:42, Gert Doering wrote:
> Are you frequently connecting and disconnecting to the management port?

Yes. As part of the server's up scripts, we call the management
interface to grab some details not available via environment variables.
So there was a fair amount of echo status|nc 127.0.0.1 xxx calls going
on during this error condition with the clients

> That seems to be racy, if clients and management client disconnect at
> the same time - the management interface is really designed for
> long-lasting connections to it, as in start up openvpn, connect to
> management interface, keep that around until openvpn ends. Doesn't
> mean we shouldn't fix the races, but this is why stuff might fail if
> used differently. gert

Right. I'm certainly not using it as a  long-term connection, all
cut-n-run. I'll look to see if I can remove some of the calls, that
should help

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





[Openvpn-users] blocking issue with management port

2014-09-17 Thread Jason Haar
Hi there

We just rolled out a test version of a new client --up script for 4
Windows users running openvpn as a service and it was borked. The script
had a bad exit value and so the client would connect, run up.cmd, error
and disconnect. Then sleep 5 seconds and do it all over again

End result was with just 4 clients in that state, the management port on
the server became unusable. Some times you could connect - getting the
banner - but any command you sent would just hang and never return.
Other times it would connect - but you wouldn't get the banner, and
other times it couldn't even connect!

Fixed the clients, they reconnected and got working connections, and
then the server came right all by itself

Having the management interface going lala like that was a bit of a
shock: the server itself actually uses that API during connection phase
for some sanity checks - and they would fail once it stopped working,
which in turn made the problem worse.

This was openvpn-git - built a couple of weeks ago, so it's pretty
fresh. I had verb 5 enabled and didn't see any error that implied a
problem, but the connections were in a real state. I'm guessing there's
some kind of blocking problem occurring when a client successfully
connects and then immediately disconnects? Somehow that causes the
management interface to pause, not knowing what to do next? This was UDP
(but with explicit-exit-notify 2)

Any ideas what I can do to stop this happening again (besides better QA
on our up script ;-)

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
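
An added example, written for this archive and not code from OpenVPN or from the poster, of the approach Gert's reply recommends: one long-lived management connection used for every query, instead of an `echo status|nc` per call. It also serves the earlier "multiple clients with same cert leads to problems" post, since the same client can implement that NAC check: parse `status 2` (columns are taken from the HEADER line, so the 2.3 and later layouts both work), find common names with more than one live session, and `kill IP:port` the older ones, which targets a single session even with `--duplicate-cn`. The management port 7505 and the `FakeConn` status output are assumptions constructed for the example; pass `conn=None` to talk to a real server.

```python
"""Keep one long-lived OpenVPN management connection and use it to find
sessions that share a certificate (common name) and kill the older ones.
Added example, not OpenVPN project code; port 7505 is an assumption."""
import socket


class ManagementClient:
    def __init__(self, conn=None, host="127.0.0.1", port=7505):
        # conn: anything with sendall()/recv(); None opens a real TCP socket
        self.conn = conn if conn is not None else socket.create_connection((host, port))
        self.buf = b""
        self._readline()  # swallow the ">INFO:" greeting banner

    def _readline(self):
        while b"\n" not in self.buf:
            chunk = self.conn.recv(4096)
            if not chunk:
                raise ConnectionError("management interface closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode("utf-8", "replace").rstrip("\r")

    def command(self, cmd):
        """Send one command. Multi-line replies end with END, one-liners start
        with SUCCESS:/ERROR:, and lines starting with '>' are async notifications."""
        self.conn.sendall(cmd.encode() + b"\n")
        lines = []
        while True:
            line = self._readline()
            if line.startswith(">"):
                continue
            if line == "END":
                return lines
            if line.startswith("SUCCESS:"):
                return [line]
            if line.startswith("ERROR:"):
                raise RuntimeError(line)
            lines.append(line)

    def client_list(self):
        """Parse 'status 2' CLIENT_LIST rows into dicts keyed by the HEADER names."""
        columns, clients = None, []
        for line in self.command("status 2"):
            fields = line.split(",")
            if fields[:2] == ["HEADER", "CLIENT_LIST"]:
                columns = fields[2:]
            elif fields[0] == "CLIENT_LIST" and columns:
                clients.append(dict(zip(columns, fields[1:])))
        return clients

    def kill(self, real_address):
        # 'kill IP:port' drops one session; 'kill cn' would drop every session of that CN
        return self.command("kill " + real_address)[0]


def duplicate_sessions(clients):
    """Real addresses of every session except the newest one per common name."""
    by_cn = {}
    for c in clients:
        by_cn.setdefault(c["Common Name"], []).append(c)
    victims = []
    for sessions in by_cn.values():
        sessions.sort(key=lambda c: int(c["Connected Since (time_t)"]))
        victims += [c["Real Address"] for c in sessions[:-1]]
    return victims


def kill_duplicates(mgmt):
    killed = []
    for addr in duplicate_sessions(mgmt.client_list()):
        mgmt.kill(addr)
        killed.append(addr)
    return killed


class FakeConn:
    """Scripted stand-in for the management socket (constructed sample data)."""
    STATUS = (
        "TITLE,OpenVPN 2.3_git\nTIME,Tue Oct  7 10:00:00 2014,1412676000\n"
        "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,"
        "Bytes Sent,Connected Since,Connected Since (time_t),Username\n"
        "CLIENT_LIST,laptop-cert,203.0.113.5:51234,10.8.0.6,1000,2000,"
        "Tue Oct  7 09:00:00 2014,1412672400,UNDEF\n"
        "CLIENT_LIST,laptop-cert,198.51.100.7:40001,10.8.0.10,10,20,"
        "Tue Oct  7 09:55:00 2014,1412675700,UNDEF\n"
        "CLIENT_LIST,desktop-cert,192.0.2.9:1194,10.8.0.14,5,5,"
        "Tue Oct  7 08:00:00 2014,1412668800,UNDEF\n"
        "GLOBAL_STATS,Max bcast/mcast queue length,0\nEND\n")

    def __init__(self):
        self.out = b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\n"
        self.sent = []

    def sendall(self, data):
        cmd = data.decode().strip()
        self.sent.append(cmd)
        if cmd == "status 2":
            self.out += self.STATUS.encode()
        elif cmd.startswith("kill "):
            self.out += b"SUCCESS: client at address " + cmd[5:].encode() + b" killed\n"
        else:
            self.out += b"ERROR: unknown command\n"

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data


if __name__ == "__main__":
    print(kill_duplicates(ManagementClient(FakeConn())))
```

The client never closes the connection between commands, which is the usage pattern the management interface is designed for; the kill decision keeps the newest session because that is the one whose `--client-connect` just ran, so the offender is logged there.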





Re: [Openvpn-users] macox dns help for a novice?

2014-09-04 Thread Jason Haar
Actually, things weren't as bad as I thought - that --up script does
seem to work after all!

My mistake (I did say I was a Mac novice!) was that I *assumed*
nslookup srv.corporate.domain would work - well it didn't. What I
didn't check was that ping srv.corporate.domain does work :-)

i.e it looks like the Mac's resolver library (which most apps would use)
does point particular DNS queries at the internal-over-openvpn DNS
servers after all. It's just that pure DNS tools like nslookup cannot
make use of it

So it looks like it works to me? Jonathan, you should take another look
at that script and confirm/deny?

PS: Ubuntu's insistence on using dnsmasq and always making the DNS
server 127.0.0.1 totally solves this problem 100% of the time for all
applications - why can't the OSes be as smart :-)

 
On 04/09/14 01:05, Jonathan K. Bullard wrote:
> On Wed, Sep 3, 2014 at 8:37 AM, Gert Doering wrote:
>> On Wed, Sep 03, 2014 at 06:41:17PM +1200, Jason Haar wrote:
>>> Anyway, has anyone out there found out how to do this and is willing to
>>> share? :-)
>> I have no direct answer, but maybe using Tunnelblick instead of raw
>> openvpn would just solve this for you?  (It's a very nice MacOS gui
>> that bundles openvpn - just like the windows gui bundle)
> As the current Tunnelblick developer/maintainer, I appreciate Gert's
> kind words, but Tunnelblick does not do split DNS either. I've never
> been able to get it working -- in fact, I am hoping someone will
> respond to Jason's post with information or code so I could add this
> ability to Tunnelblick!


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





[Openvpn-users] macox dns help for a novice?

2014-09-03 Thread Jason Haar
Hi there

I'm trying to get openvpn working on a Mac client for the first time
(tun mode), it's all working at the IP layer, but I want to get the
scoped DNS bit working too: ie tell the Mac to send DNS lookups for
*.company.domain through the tunnel to corporate DNS servers, and use
the default interface DNS for everything else

I found openvpn-tun-up-down.sh on the Internet which seems to be
*almost* correct, but it doesn't quite work. It uses scutils to
reconfigure DNS, but I ended up with company.domain set against the
default DNS instead of the tunnel's DNS settings. It was written in 2006
so maybe it doesn't work on the newer OSes?

Anyway, has anyone out there found out how to do this and is willing to
share? :-)

Thanks!

PS: I'm using this
http://openvpn.net/archive/openvpn-users/2006-10/msg00120.html

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] macox dns help for a novice?

2014-09-03 Thread Jason Haar
On 04/09/14 01:05, Jonathan K. Bullard wrote:
> As the current Tunnelblick developer/maintainer, I appreciate Gert's
> kind words, but Tunnelblick does not do split DNS either. I've never
> been able to get it working -- in fact, I am hoping someone will
> respond to Jason's post with information or code so I could add this
> ability to Tunnelblick!
Well that is depressing! :-)

It must be *nearly* working. At home, after openvpn connects back to
work and --up runs openvpn-tun-up-down.sh, my DNS is altered such that

root# scutil --dns
DNS configuration

resolver #1
  search domain[0] : corporate.domain
  search domain[1] :  home.domain
  nameserver[0] : 192.168.248.3

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home.domain
  nameserver[0] : 192.168.248.3
...
resolver #2
  nameserver[0] : 10.1.1.2
  nameserver[1] : 10.1.2.1
  if_index : 10 (tun0)


So from what I can see, the only thing that needs to be done is to take
corporate.domain out of resolver #1  from the general section, and
put it down into resolver #2 in the scoped section. I'm not a Mac
person, but I interpret this as meaning when I do nslookup
blah.corporate.domain, the Mac sends it to resolver #1 instead of
resolver #2. Once that is fixed, it should all work?

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] Windows service mode doesn't seem to restart on timeout properly

2014-09-03 Thread Jason Haar
Hi there

I've got openvpn-2.3.4 under Win7 running. Works fine - except when
there's a network change... I have verb 3 enabled and the log ends with

Thu Sep 04 15:42:09 2014 [dns.host.name] Inactivity timeout
(--ping-restart), restarting
Thu Sep 04 15:42:09 2014 C:\WINDOWS\system32\route.exe DELETE 12.3.1
MASK 255.255.255.255 192.168.22.1
Thu Sep 04 15:42:09 2014 Warning: route gateway is not reachable on any
active network adapters: 1.2.3.1
Thu Sep 04 15:42:09 2014 Route deletion via IPAPI failed [adaptive]
Thu Sep 04 15:42:09 2014 Route deletion fallback to route.exe
Thu Sep 04 15:42:09 2014 env_block: add
PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Sep 04 15:42:09 2014 Closing TUN/TAP interface
Thu Sep 04 15:42:09 2014 ..\scripts\down.cmd openvpn 1500 1546 1.2.3.25
255.255.255.0 init
Thu Sep 04 15:42:09 2014 env_block: add
PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem


This machine changed from Ethernet to WiFi and got a new IP - which
meant that openvpn's tunnel would have hung and ping-restart should
have ensured it noticed and got a new tunnel up.

I see ping-restart triggered, but nothing happened afterwards - no
sign of it attempting to make a new connection. The routing errors are
expected, I'm hoping they are not the cause of the issue as we've got
some weird routing for a reason ;-)

I did a net stop 'openvpn service', but could see openvpn.exe was
still running. Couldn't do a net start because of it. If I manually
kill openvpn.exe, then I could net start and immediately the tunnel
comes up from scratch and everything is good again

It seems like openvpn.exe is hanging because it doesn't loop around
and retry making a connection - like it does on our Linux clients.

Very odd. The log shows no real error that I can see - it simply seems
to be sleeping without doing anything? BTW I download this logfile an
hour after the client tunnel disappeared after the IP change - the last
line in the logfile was an hour old - so there's no sign of openvpn
doing anything since.

Any ideas?

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





Re: [Openvpn-users] Openvpn logout time?

2014-09-02 Thread Jason Haar
On 03/09/14 10:56, Mathias Jeschke wrote:
> If you use the hammer, the machine is not able to send a TCP FIN,
I don't think that's the case. Hammering a user process does not
influence how the TCP stack operates (kernel space vs user space)  - it
would generate a TCP reset.

Of course, unplugging the Ethernet cable would do what you're saying. No
matter what way you look at it, you need to rely on ping-restart to
pick up the corner-cases :-)

I'm just dealing with another corner case. Clients who disconnect and
reconnect before the server realises the first disconnect happened. So
even --client-connect --client-disconnect cannot save you from
seeing things out of order, eg

1. client connects, server triggers --client-connect
2. client disconnects harshly (not triggering --explicit-exit-notify)
3. client connects, server triggers --client-connect
4. server realizes client has disconnected

I had some cleanup code in 4 which meant the server turned around
and killed the 3 instead of the 1  - not what I wanted ;-). Still -
all fixable thanks to the wondrous scripting options openvpn gives us :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
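
An added example, not from the post and not OpenVPN project code, of how to make `--client-connect`/`--client-disconnect` cleanup survive the out-of-order sequence described above (connect, harsh disconnect, reconnect, late disconnect of the first session). The idea is to record the session's identity at connect time, using the `trusted_ip`/`trusted_port` source address that OpenVPN exports to both scripts, and at disconnect only tear down state when the identity matches; a disconnect for a session that has already been superseded is logged as stale and ignored. It assumes one live session per common name (no `--duplicate-cn`) and the state file location is an assumption.

```python
"""Order-safe cleanup for --client-connect / --client-disconnect scripts.
Added example, not OpenVPN project code. OpenVPN exports the client's
real source address to both scripts as trusted_ip / trusted_port and the
script kind as script_type; STATE_FILE is an assumption of this example."""
import json
import os
import sys
from pathlib import Path

STATE_FILE = Path("/var/run/openvpn/sessions.json")  # assumed location


def session_id(env):
    """Identity of one connection: where it came from, not just who it is."""
    return f"{env['trusted_ip']}:{env['trusted_port']}"


def on_connect(state, env):
    cn = env["common_name"]
    previous = state.get(cn)
    state[cn] = {"session": session_id(env),
                 "vpn_ip": env.get("ifconfig_pool_remote_ip", "")}
    # A previous record means the old session's disconnect has not arrived yet
    return ("replaced", previous["session"]) if previous else ("new", None)


def on_disconnect(state, env):
    cn = env["common_name"]
    current = state.get(cn)
    if current is None:
        return "unknown"   # nothing recorded: nothing to tear down
    if current["session"] != session_id(env):
        return "stale"     # an older session of this CN; the live one stays untouched
    del state[cn]
    return "cleanup"       # this really was the live session: real cleanup goes here


def load_state(path=STATE_FILE):
    try:
        return json.loads(path.read_text())
    except (FileNotFoundError, json.JSONDecodeError):
        return {}


def save_state(state, path=STATE_FILE):
    tmp = path.with_suffix(".tmp")
    tmp.write_text(json.dumps(state))
    tmp.replace(path)  # atomic rename, so a crash never leaves a half-written file


def main():
    env = os.environ
    state = load_state()
    if env.get("script_type") == "client-connect":
        result = on_connect(state, env)
    elif env.get("script_type") == "client-disconnect":
        result = on_disconnect(state, env)
    else:
        sys.exit("run as a --client-connect or --client-disconnect script")
    save_state(state)
    print(result, file=sys.stderr)
    # Exit 0 on purpose: a non-zero exit from --client-connect rejects the client


if __name__ == "__main__":
    main()
```

With `--duplicate-cn` the same pattern applies, but the state must be keyed by session identity rather than by common name, since several sessions per CN are then legitimate.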




[Openvpn-users] is it safe to let all clients negotiate tls-ciphers?

2014-08-31 Thread Jason Haar
Hi there

I've seen a few people claim it's more secure to force the clients to
use stronger ciphers via the tls-cipher option: it's stops MiTM
attacks from spoofing lower-quality connections.

However, surely that depends on when the negotiation occurs? If it
occurs after the TLS auth section, surely that would have picked up the
MiTM and ditched the connection anyway? And what about tls-auth? We
use that, so wouldn't that have break MiTM anyway?

What I'd rather do is keep the clients as open as possible and make as
many cipher/etc decisions as possible on the server, so I'd rather not
define tls-cipher on the clients, only the server. So am I correct in
saying that an openvpn network using tls-auth plus client certs should
be effectively immune to MiTM attacks, thereby making it OK to leave as
much decision making as possible to the server?

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] confusion over udp fragment

2014-08-29 Thread Jason Haar
Hi there

I'm on an openvpn optimization drive (ie it's all working great and
I'm trying to squeeze more greatness out of it) and reading the Internet
(took a while ;-) leads me to a confused state on the usefulness of
fragment.

There are several postings by long-term openvpn gurus who seem to lead
their diagnostics of other people's openvpn connectivity problems with
remove the fragment option. I, on the other hand, have found that I
have NEVER got openvpn-over-udp to work without it! It looks to me like
it cannot even get through the initial negotiation phase without
fragment being enabled at both ends (I use 1400 - but that's just a lazy
guess that works)

In fact, I just did a related test. I removed fragment from the server
and only set it on the client - end result, NO CONNECTION. Put that one
line back (identical fragment values of course) and it all works again

So I have two questions.

1. it looks to me like fragment is always needed for UDP. If so,
shouldn't that be declared more strongly (maybe even error-ing on
configs without it).
2. shouldn't both ends negotiate the fragment option and both ends
should use the *smallest* value (or maybe fragment automatic as an
option to achieve it), so that the server can have it disabled, and the
client (where fragmentation issues are vastly more variable) can control
it. However, my test makes me think that maybe even openvpn negotiation
can create packets big enough to break negotiation? (ie that option has
to pre-date the initial connection)

I know some people may come back with comments about there being
something on our network that is screwing with things, but that's the
point - I know everything about our server on our work network and
everything  about (say) my client laptop on my home network - but
there's a vast range of Internet between the two that I know nothing
about, so it's not worth mentioning ;-)

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] how to use --push-peer-info?

2014-08-21 Thread Jason Haar
On 21/08/14 21:11, Gert Doering wrote:
> push-peer-info data is visible in the server logs only in git master
> openvpn versions (and 2.4 will have it, of course). If you want to see
> it in 2.3.2, you need to talk to the management interface. gert
OK, how do you do that? I've connected to the management port and went
through the options  that help showed - nothing seemed to show me such
details? (eg status 2)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




[Openvpn-users] how to use --push-peer-info?

2014-08-20 Thread Jason Haar
Hi there

I simply can't get it to work. I have openvpn-2.3.4 client for Win7
talking to a CentOS-6 openvpn-2.3.2 server and push-peer-info is set
in the client. However, even though I have both tls-verify and
client-connect set to scripts on the server, which contain set >
/tmp/file to dump environment variables, there's no such details from
the clients getting through

Have I missed something? Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-07 Thread Jason Haar
On 08/08/14 03:24, Jan Just Keijser wrote:
> I would also opt for function handlers/pointers per connection - that
> way you could serve both udp+tcp from a single server instance
Yes - having one server instance managing both udp and tcp AND being
able to handle multiple ports should be part of any rewrite. We have
found there are tonnes of different  firewall variables in (client-end)
networks we've come across - so currently have several openvpn instances
running on the same server to maximize success rates. Having all that
handled by one instance would be much simpler (with threading or forking
- don't care - not a programmer ;-)

If we're asking for ponies, can I also have one that can do some form of
latency test first (in the case of DNS resolving to multiple server IPs)
so that clients go to the fastest server? I'd love to have a single
client config that would give users the best performance by default (by
taking them to the openvpn server closest to their current location). 
Within our Cisco VPN environment - where the GUI shows users all our VPN
gateways - users (if left to their own devices) will typically chose the
FIRST one and then stick to it - even if they are travelling to other
countries. We have gateways all over the world and users typically don't
use the optimum one - they use the one that worked last time. And then
they complain how slow VOIP is over it ;-)

In the words of immortal Devo: Freedom from choice: is what you want ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] [PATCH] Make code and documentation for --remote-random-hostname consistent.

2013-11-17 Thread Jason Haar
What feature does --remote-random-hostname give you that having a
10second TTL on one DNS record wouldn't?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] OpenVPN Security

2013-10-16 Thread Jason Haar
On 17/10/13 02:42, Les Mikesell wrote:
> Banking transactions would normally be done over https - which uses
> ssl. Openvpn would add another layer over the open wifi hop, but I'm
> not sure how much that adds to the security.

For one thing it stops MITM attacks. Most people are naive and if
they're on an untrusted network and someone MITM'ed their bank
connection, they will click through the browser don't trust this
website warning and bam - they've lost their bank creds.

Forcing users through openvpn puts them on a trusted network where such
skulduggery doesn't happen (and you could have AV proxies and other such
stuff)

...of course, if the untrusted network is truly 0wneD, it could break
openvpn, leading to the annoyed user disabling openvpn in order to get a
working Internet connection and - well - see the first sentence ;-) You
can try to engineer yourself a foolproof system, but the Universe can
always engineer a better fool

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] openvpn

2013-10-06 Thread Jason Haar
On 07/10/13 04:07, Luis Daniel Lucio Quiroz wrote:
> Port 53/udp is risky since I have found some ISPs block udp packets
> longer than 512 bytes
> moving to port 443/tcp it seems to be most easy, since they will only
> see TLS negotiation,
I think that's the best bet too  - but to be precise, openvpn doesn't do
standard TLS negotiation (at least if you are using tls-auth as you
should be) - so some layer7 firewalls
could potentially even block openvpn on tcp port 443 - however, most
don't :-)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] OpenVPN with intermediate CA

2013-07-02 Thread Jason Haar
On 02/07/13 20:07, Gert Doering wrote:
> Out of curiosity, as I've seen this mentioned a few times but never
> read a reason for the hash-thing - how does openvpn (or apache, etc.)
> know the hash for the CRL file to look for, when it hasn't seen the
> CRL yet? gert

All CRL support requires your servers to download the CRL via some
schedule. Most parse the CA or server cert (which should contain either
LDAP or HTTP urls to the CRL files) and download the CRL file at some
interval  the lifetime of the CRL. *Then* you'd hash it, etc.

We have openvpn and client-cert protected web servers all over the
place, all downloading CRL files every hour from the CA. The CA itself
re-makes the CRL every hour, but with a 24 hour lifespan, which means we
can take several hours of outages on any CRL component before our
servers start rejecting valid connections... (you gotta think that part
through - otherwise you will get burnt)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
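
An added example of the fetch-side checks a scheduled CRL downloader should make before the new file replaces the one OpenVPN is using, matching the hourly-reissue, 24-hour-lifetime setup described above. It is not code from the post or from OpenVPN; it uses the `cryptography` package, and the CA, client certificate and CRLs it builds are constructed throwaway fixtures so it runs offline. The checks are: the CRL is signed by our CA (a CRL with the right issuer name but the wrong key is rejected), it has not passed its nextUpdate, it is not older than the copy already installed (a replayed old CRL would silently un-revoke a certificate), and a warning state when the installed copy is within a few hours of expiring, which is the outage budget the post describes.

```python
"""Fetch-side sanity checks for a CRL before it replaces the installed one.
Added example built on the `cryptography` package; not OpenVPN project code.
The CA, client certs and CRLs below are constructed throwaway fixtures."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

EXAMPLE_NOW = datetime(2013, 7, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for the fixtures


def hours(n):
    return timedelta(hours=n)


def _utc(dt):
    # cryptography returns naive UTC datetimes; make them comparable with aware ones
    return dt if dt is None or dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _when(crl, field):
    # newer cryptography exposes aware *_utc properties; older versions only naive ones
    value = getattr(crl, field + "_utc", None)
    return value if value is not None else _utc(getattr(crl, field))


def crl_status(crl, ca_cert, now, warn_before=hours(6)):
    """One of: wrong-issuer, bad-signature, expired, expiring, ok."""
    if crl.issuer != ca_cert.subject:
        return "wrong-issuer"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-signature"
    next_update = _when(crl, "next_update")
    if next_update is None or now >= next_update:
        return "expired"
    if now + warn_before >= next_update:
        return "expiring"
    return "ok"


def accept_new_crl(new_crl, installed_crl, ca_cert, now):
    """Install only a valid CRL at least as fresh as the current one."""
    if crl_status(new_crl, ca_cert, now) in ("wrong-issuer", "bad-signature", "expired"):
        return False
    if installed_crl is not None and \
            _when(new_crl, "last_update") < _when(installed_crl, "last_update"):
        return False  # older than what we already trust: treat as a replay
    return True


def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


# ---- constructed fixtures: a throwaway CA, client certs and CRLs ----
def make_ca(now=EXAMPLE_NOW):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example VPN CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - hours(24)).not_valid_after(now + hours(24 * 3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_client_cert(ca_key, ca_cert, cn, now=EXAMPLE_NOW):
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - hours(24)).not_valid_after(now + hours(24 * 365))
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials, issued_at=EXAMPLE_NOW, lifetime=hours(24)):
    # The post's setup: reissued hourly with a 24h lifetime, so fetch failures have slack
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(issued_at).next_update(issued_at + lifetime))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(issued_at).build())
    return builder.sign(ca_key, hashes.SHA256())


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    alice = make_client_cert(ca_key, ca_cert, "alice")
    crl = make_crl(ca_key, ca_cert, [alice.serial_number])
    print(crl_status(crl, ca_cert, EXAMPLE_NOW), is_revoked(crl, alice))
```

Once a CRL passes `accept_new_crl`, that is the point to write it where OpenVPN's `--crl-verify` (or the hashed-directory form) will pick it up; a monitor that alerts on "expiring" gives the hours of warning the post says you need before servers start rejecting valid clients.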



