Re: [Openvpn-users] Are my configurations secure enough?
> hi,
>
> On Wed, Dec 27, 2023 at 09:48:34AM +, Jason Long via Openvpn-users wrote:
> > My server and client configurations are as follows:
> >
> > https://paste.mozilla.org/sR05JKfV
> >
> > https://paste.mozilla.org/PxsW6MC8
> >
> > Are these suitable in terms of security? Do you have any suggestions to
> > improve them?
> >
> > No idea?
>
> You have asked questions like this before, and the answer you got was
> "use the defaults + tls-crypt, these are reasonable". So this is still
> the answer.
>
> OTOH, I'm just too lazy to click on some random URLs in mails, and possibly
> copy-back lines I want to comment on - so if you expect me to answer a
> question (without paying me to), the question needs to be in the mail, not
> causing extra effort for me.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,

Sure.
Server config is:

port 2023
proto udp
dev tun1
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/H_Server.crt
key /etc/openvpn/server/H_Server.key
dh /etc/openvpn/server/dh.pem
server 20.20.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.20.1.2"
push "dhcp-option DNS 172.20.1.7"
push "route 172.20.0.0 255.255.255.0"
topology subnet
keepalive 10 120
tls-crypt /etc/openvpn/server/ta.key 0
cipher AES-256-GCM
data-ciphers AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Client config is:

client
dev tun1
proto udp
remote IP 2023
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM
cipher AES-256-GCM
verb 3

# Ca.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

# Client.crt
Certificate:
...
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

# Client.key
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

# Ta.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Are my configurations secure enough?
> Hello,
>
> My server and client configurations are as follows:
>
> https://paste.mozilla.org/sR05JKfV
>
> https://paste.mozilla.org/PxsW6MC8
>
> Are these suitable in terms of security? Do you have any suggestions to
> improve them?
>
> Thank you.

Hello,

No idea?

Thanks.
[Openvpn-users] How to use a 4096 bit OpenVPN static key?
Hello,

How can I change the 2048 bit OpenVPN static key to 4096?

When generating the Diffie-Hellman key, I chose it to be 4096 bits; are these two related?

Thank you.
[Openvpn-users] Are my configurations secure enough?
Hello,

My server and client configurations are as follows:

https://paste.mozilla.org/sR05JKfV

https://paste.mozilla.org/PxsW6MC8

Are these suitable in terms of security? Do you have any suggestions to improve them?

Thank you.
Re: [Openvpn-users] Reference manual for OpenVPN 2.6 PDF
> I believe the correct answer here is:
> OpenVPN does not provide a PDF form of the manual.
>
> Which is a practical decision.
>
> HTH
> --
> Sent with Proton Mail secure email.
>
> On Monday, 11 December 2023 at 18:13, Hans via Openvpn-users wrote:
> > From: "Antonio Quartulli"
> > Date: Monday, 11 December 2023 at 12:02:33
> > To: "Jason Long" , "Tincantech via Openvpn-users"
> > Subject: Re: [Openvpn-users] Reference manual for OpenVPN 2.6 PDF
> >
> > Hi,
> >
> > On 11/12/2023 11:15, Jason Long via Openvpn-users wrote:
> > > Hello,
> > > How can I download the Reference manual for OpenVPN 2.6
> > > (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/)
> > > as a PDF file?
> >
> > maybe you could open the manpage at this link:
> >
> > https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html
> >
> > and print it using the "Save as PDF" virtual printer?
> >
> > Cheers,
> >
> > --
> > Antonio Quartulli
> >
> > Those reference manuals contain code examples that are utterly unreadable.
> > Light shade of grey font.
> >
> > This message may contain information that is not intended for you. If you are
> > not the addressee or if this message was sent to you by mistake, you are
> > requested to inform the sender and delete the message. The State accepts no
> > liability for damage of any kind resulting from the risks inherent in the
> > electronic transmission of messages.

Hello,

Practical decision?
Re: [Openvpn-users] OpenVPN for Android and iOS
> Hi,
>
> On Tue, Dec 12, 2023 at 05:59:40AM +, Jason Long via Openvpn-users wrote:
> > https://paste.mozilla.org/CwWTPPW0
>
> I'd guess it's the "key-direction" line getting in the way. Remove this
> from both client and server config.
>
> Also, you are mixing tls-auth and tls-crypt in your questions - so, if
> the server wants tls-crypt, you need to use tls-crypt on the clients
> as well.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hello,

Thanks again.

I removed the "key-direction 1" line, but I see the same error as before.

My Server.conf file is as follows:

https://paste.mozilla.org/R3O0S6qf

My client.conf file is as follows:

https://paste.mozilla.org/fTTL9gzK

And the log file is as follows:

https://paste.mozilla.org/GaShRjED
Re: [Openvpn-users] OpenVPN for Android and iOS
> You need to check the server log to understand what's going on.
>
> Cheers,
>
> On December 12, 2023 6:59:40 AM GMT+01:00, Jason Long wrote:
> > On 11/12/2023 11:18, Jason Long via Openvpn-users wrote:
> > > Hello,
> > > If I want to use the "tls-crypt" option, then the "ta.key" must be a
> > > separate file and it cannot be merged with the rest of the keys in one file.
> > > To be honest, it is difficult to use for both computer and mobile users
> > > because it is two files.
> > > Is there a solution?
> >
> > > Yes, you can inline it like all other key material:
> > >
> > > Cheers,
> > > --
> > > Antonio Quartulli
> >
> > Hello,
> > Thanks.
> > My Client.ovpn file is as follows:
> >
> > https://paste.mozilla.org/CwWTPPW0
> >
> > I got the following error:
> >
> > https://paste.mozilla.org/pa6b7Mch
>
> Antonio Quartulli

Hello,

Thank you.

The log tells me:

2023-12-13 09:50:25 tls-crypt unwrap error: packet too short
2023-12-13 09:50:25 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:27 tls-crypt unwrap error: packet too short
2023-12-13 09:50:27 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:31 tls-crypt unwrap error: packet too short
2023-12-13 09:50:31 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:39 tls-crypt unwrap error: packet too short
2023-12-13 09:50:39 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:55 tls-crypt unwrap error: packet too short
2023-12-13 09:50:55 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:51:26 tls-crypt unwrap error: packet too short
2023-12-13 09:51:26 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:35172
2023-12-13 09:51:28 tls-crypt unwrap error: packet too short
2023-12-13 09:51:28 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:35172

What is your opinion?
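A server-side check for log excerpts like the one above, as an added example that is not part of the thread or of OpenVPN: it groups the tls-crypt unwrap failures per source and flags a peer that keeps failing from changing ports, which matches the diagnosis in the replies that the client is not using the server's tls-crypt wrapping. The log lines inside are a constructed copy of the ones quoted.

```python
"""Group tls-crypt failures in an OpenVPN server log by source address.

Added example, not OpenVPN code. The lines in SAMPLE_LOG are a constructed
copy of the excerpt quoted in this thread. One unwrap failure is noise; a
source that keeps failing while reconnecting from new ports is a peer whose
control-channel wrapping does not match the server's (tls-auth or nothing
instead of tls-crypt), which is the diagnosis given in the replies.
"""
import re
from collections import defaultdict

REASON = re.compile(r"^(?P<ts>\S+ \S+) tls-crypt unwrap error: (?P<reason>.+)$")
FAILURE = re.compile(r"^(?P<ts>\S+ \S+) TLS Error: tls-crypt unwrapping failed "
                     r"from \[(?P<af>AF_INET6?)\](?P<peer>.+)$")


def parse_unwrap_failures(lines):
    """Return {source address: [(timestamp, port, reason), ...]}.

    In the quoted excerpt the reason line precedes the failure line, so the
    most recent reason is attached to the failure that follows it."""
    failures, pending = defaultdict(list), None
    for line in lines:
        line = line.strip()
        m = REASON.match(line)
        if m:
            pending = m.group("reason")
            continue
        m = FAILURE.match(line)
        if not m:
            continue
        addr, _, port = m.group("peer").rpartition(":")   # also splits [v6]:port
        failures[addr].append((m.group("ts"), int(port), pending))
        pending = None
    return dict(failures)


def suspicious_sources(failures, threshold=3):
    """Sources with at least `threshold` failures, summarised for a report."""
    out = {}
    for addr, events in failures.items():
        if len(events) < threshold:
            continue
        out[addr] = {
            "failures": len(events),
            "ports": sorted({p for _, p, _ in events}),
            "reasons": sorted({r for _, _, r in events if r}),
            "first": events[0][0],
            "last": events[-1][0],
        }
    return out


# Constructed copy of the server log excerpt quoted in the thread.
SAMPLE_LOG = """\
2023-12-13 09:50:25 tls-crypt unwrap error: packet too short
2023-12-13 09:50:25 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:27 tls-crypt unwrap error: packet too short
2023-12-13 09:50:27 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:31 tls-crypt unwrap error: packet too short
2023-12-13 09:50:31 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:39 tls-crypt unwrap error: packet too short
2023-12-13 09:50:39 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:50:55 tls-crypt unwrap error: packet too short
2023-12-13 09:50:55 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:39757
2023-12-13 09:51:26 tls-crypt unwrap error: packet too short
2023-12-13 09:51:26 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:35172
2023-12-13 09:51:28 tls-crypt unwrap error: packet too short
2023-12-13 09:51:28 TLS Error: tls-crypt unwrapping failed from [AF_INET]172.21.50.67:35172
"""

if __name__ == "__main__":
    found = suspicious_sources(parse_unwrap_failures(SAMPLE_LOG.splitlines()))
    for addr, info in found.items():
        print(addr, info)
```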
Re: [Openvpn-users] OpenVPN for Android and iOS
> On 11/12/2023 11:18, Jason Long via Openvpn-users wrote:
> > Hello,
> > If I want to use the "tls-crypt" option, then the "ta.key" must be a separate
> > file and it cannot be merged with the rest of the keys in one file. To be
> > honest, it is difficult to use for both computer and mobile users because it
> > is two files.
> > Is there a solution?
>
> Yes, you can inline it like all other key material:
>
> Cheers,
> --
> Antonio Quartulli

Hello,

Thanks.

My Client.ovpn file is as follows:

https://paste.mozilla.org/CwWTPPW0

I got the following error:

https://paste.mozilla.org/pa6b7Mch
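The inline form Antonio refers to above, together with the tls-auth/tls-crypt and key-direction mismatches Gert diagnoses earlier in this thread, can be checked mechanically before a client profile is shipped. Added example, not code from the thread or from the OpenVPN project; the sample configs are constructed from the ones quoted here, and `vpn.example.invalid` plus the placeholder key material are stand-ins.

```python
"""Static checks for an OpenVPN server/client pair like the one in this thread.
Added example, not OpenVPN project code: it parses tls-auth / tls-crypt /
key-direction / remote-cert-tls, inline <tag> blocks included, and reports
the mismatches the replies describe. Sample configs below are constructed."""
import re

INLINE_OPEN = re.compile(r"^<([\w-]+)>$")


def parse_config(text):
    """Return (directives, inline): name -> list of argument lists, and
    inline tag -> block body. Comment lines (# or ;) are skipped."""
    directives, inline, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:                      # inside <tag> ... </tag>
            if line == f"</{tag}>":
                inline[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = INLINE_OPEN.match(line)
        if m:
            tag = m.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def control_modes(directives, inline):
    """Control-channel protection(s) enabled, whether by file or inline."""
    return {m for m in ("tls-auth", "tls-crypt") if m in directives or m in inline}


def tls_auth_direction(directives):
    """tls-auth key direction: explicit argument, else key-direction, else None."""
    for args in directives.get("tls-auth", []):
        if len(args) > 1:
            return args[1]
    kd = directives.get("key-direction")
    return kd[0][0] if kd and kd[0] else None


def lint_pair(server_text, client_text):
    """Return human-readable findings for a server/client config pair."""
    findings, sides = [], {}
    for side, text in (("server", server_text), ("client", client_text)):
        d, i = parse_config(text)
        sides[side] = (d, control_modes(d, i))
    s_dir, s_modes = sides["server"]
    c_dir, c_modes = sides["client"]
    if not s_modes:
        findings.append("server: no tls-auth/tls-crypt; control channel unprotected before TLS")
    if s_modes != c_modes:
        findings.append(f"control-channel mismatch: server {sorted(s_modes)} vs client {sorted(c_modes)}")
    for side, (d, modes) in sides.items():
        if "tls-crypt" in modes and "key-direction" in d:
            findings.append(f"{side}: key-direction belongs to tls-auth; remove it with tls-crypt")
    if s_modes == c_modes == {"tls-auth"}:
        ds, dc = tls_auth_direction(s_dir), tls_auth_direction(c_dir)
        if (ds is None) != (dc is None) or (ds is not None and ds == dc):
            findings.append(f"tls-auth directions must be complementary (server {ds}, client {dc})")
    if "remote-cert-tls" not in c_dir:
        findings.append("client: remote-cert-tls server missing; a client cert could pose as the server")
    return findings


# Constructed from the configs quoted in the thread; key material is a placeholder.
SERVER_CONF = """\
server 20.20.0.0 255.255.255.0
tls-crypt /etc/openvpn/server/ta.key
data-ciphers AES-256-GCM
"""

CLIENT_OK = """\
client
remote vpn.example.invalid 2023
remote-cert-tls server
data-ciphers AES-256-GCM
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-MATERIAL
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# The same client still carrying tls-auth plus key-direction against that server.
CLIENT_BAD = """\
client
remote vpn.example.invalid 2023
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-MATERIAL
-----END OpenVPN Static key V1-----
</tls-auth>
"""
```

Run `lint_pair(SERVER_CONF, CLIENT_OK)` for an empty finding list and `lint_pair(SERVER_CONF, CLIENT_BAD)` for the mismatch report.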
[Openvpn-users] OpenVPN for Android and iOS
Hello,

If I want to use the "tls-crypt" option, then the "ta.key" must be a separate file and it cannot be merged with the rest of the keys in one file. To be honest, it is difficult to use for both computer and mobile users because it is two files.

Is there a solution?

Thank you.
[Openvpn-users] Reference manual for OpenVPN 2.6 PDF
Hello,

How can I download the Reference manual for OpenVPN 2.6 (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/) as a PDF file?

Thank you.
Re: [Openvpn-users] Remote DNS server
> On 06/12/2023 11:09, Jason Long via Openvpn-users wrote:
> > Hello,
> > Suppose the OpenVPN server is located in another country, but the DNS server
> > is inside the company. What options should be included in the server and
> > client configuration file?
> >
> > Thank you.
>
> For OpenVPN 2.6 and newer, the new --dns option is preferred.
> For OpenVPN 2.5 and older, use --dhcp-option.
>
> If you operate in a mixed environment with clients running both 2.5 and
> 2.6, you can push both --dns and --dhcp-option from the server to
> clients (via --push). And once all your clients are updated to 2.6,
> remove the --dhcp-option.
>
> The reason for preferring --dns is that it should have a consistent
> behavior across platforms. The --dhcp-option has several corner cases
> where it does slightly different things depending on if you're on
> Windows, macOS or Linux. *BSD and some Linux setups will not do the DNS
> setup out-of-the-box and will require additional script hooks to be
> enabled (the exception is when starting VPN sessions via
> NetworkManager). Hosts running OpenVPN 3 Linux will get DNS setup
> out-of-the-box, and that should support the --dns option as well.
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc

Hello,

Thank you so much.

Do you mean the below lines for "server.conf":

OpenVPN 2.5 ==> push "dhcp-option DNS IP"
OpenVPN 2.6 ==> dns IP

?

Do clients need special settings? Is "dns search-domains domain [domain ...]" necessary? For example, your local network has a domain like "example.xyz".
[Openvpn-users] Remote DNS server
Hello,

Suppose the OpenVPN server is located in another country, but the DNS server is inside the company. What options should be included in the server and client configuration file?

Thank you.
Re: [Openvpn-users] OpenVPN + Tor
> Hi,
>
> On Tuesday, 7 November 2023 at 05:27, Jason Long wrote:
> > Hello,
> > I added the following line to the server.conf file:
> >
> > push "route 172.20.0.0 255.255.255.0"
> >
> > Then, I restarted the OpenVPN service:
> >
> > # systemctl restart openvpn
> >
> > But, I can't ping computers on the internal network by name.
>
> "by name" requires DNS, which is beyond the scope here.
>
> > I have some questions about the following two lines:
> >
> > 1- Next, you must set up a route on the server-side LAN gateway to route the
> > VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary
> > if the OpenVPN server and the LAN gateway are different machines).
> >
> > Should I write the routing table on the OpenVPN server?
>
> If you do not understand how to configure routing then
> you can use iptables to do masquerading.
>
> > 2- Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN
> > server machine.
> >
> > I have enabled IP forwarding on the server. What is TUN/TAP forwarding?
>
> Forwarding TAP/TUN means configuring your firewall to allow VPN traffic to
> flow.
>
> --

Hello,

As I said, I have an internal DNS server and I have used the "push route" command.

1- Can you show me an example about iptables to do masquerading?

2- About "Configuring your firewall to allow VPN traffic to flow", I must say that I did it.
Re: [Openvpn-users] How to check the OpenVPN security?
> Hi,
>
> On Wed, Nov 01, 2023 at 05:16:52PM +, Jason Long via Openvpn-users wrote:
> > Hello,
> > Is there a tool to measure the security of OpenVPN connection?
> > Something that tells if the security parameters used in the configuration
> > file are sufficient or not.
>
> For TLS and data channel ciphers, the tool is "trust OpenVPN and your TLS
> libraries" (and do not forget to *update* your stuff regularly).
>
> Under normal conditions there is nothing you can do in your config file
> which will *improve* security. But there is much you can do wrong.
>
> You do want to use tls-auth or tls-crypt, which is the only thing where
> "default" is not good enough.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hello,

You said "Under normal conditions there is nothing you can do in your config file which will *improve* security." What are abnormal conditions? Do you mean to use "tls-crypt" instead of "tls-auth"?
Re: [Openvpn-users] OpenVPN + Tor
> Hi,
>
> --- Original Message ---
> On Monday, November 6th, 2023 at 12:26, Jason Long wrote:
> > Hello,
> > Thank you so much for your reply.
> > Some lines of my server.conf file are:
> >
> > push "redirect-gateway def1 bypass-dhcp"
> > push "dhcp-option DNS 172.20.1.2"
> > push "dhcp-option DNS 172.20.1.7"
> > topology subnet
> >
> > Should I add the following line in my client configuration file:
> >
> > redirect-gateway def1 bypass-dns
> >
> > And add the following line to my server configuration file:
> >
> > pull-filter ignore 'redirect-gateway*'
> >
> > Right?
>
> No,
> --pull-filter is a client option, so is used by the client.
>
> However, because you are pushing DNS servers from the server,
> I will assume that 172.20.1.0/24 is a subnet on the server
> side of the VPN; in which case you need to read the Howto
> section which explains "Expanding the scope of the VPN":
>
> https://community.openvpn.net/openvpn/wiki/HOWTO#ExpandingthescopeoftheVPNtoincludeadditionalmachinesoneithertheclientorserversubnet
>
> You do not need to use "redirect-gateway" or "pull-filter"
> on the client side at all.
> --

Hello,

I added the following line to the server.conf file:

push "route 172.20.0.0 255.255.255.0"

Then, I restarted the OpenVPN service:

# systemctl restart openvpn

But, I can't ping computers on the internal network by name.

I have some questions about the following two lines:

1- Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

Should I write the routing table on the OpenVPN server?

2- Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.

I have enabled IP forwarding on the server. What is TUN/TAP forwarding?
Re: [Openvpn-users] OpenVPN + Tor
> On Saturday, November 4, 2023 at 05:31:40 PM GMT+3:30, tincantech wrote:
>
> Hi,
>
> Your DNS server is non-local and you are most likely
> redirecting your gateway to the VPN.
>
> So, DNS packets for your DNS server are sent into the
> tunnel and are finally dropped by the server gateway.
>
> Openvpn has option : '--redirect-gateway bypass-dns'
>
> You could try that by using:
>   redirect-gateway def1 bypass-dns
> in your client configuration file.
>
> You will probably also need to ignore the server pushed
> redirect-gateway by using:
>   pull-filter ignore 'redirect-gateway*'
>
> Try experimenting with that and test if your DNS is then
> reachable, while the VPN is up.
>
> HTH
> --

Hello,

Thank you so much for your reply.

Some lines of my server.conf file are:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.20.1.2"
push "dhcp-option DNS 172.20.1.7"
topology subnet

Should I add the following line in my client configuration file:

redirect-gateway def1 bypass-dns

And add the following line to my server configuration file:

pull-filter ignore 'redirect-gateway*'

Right?
[Openvpn-users] OpenVPN + Tor
Hello,

I was able to combine OpenVPN with Tor using the "https://gist.github.com/kremalicious/4c333c8c54fced00ab10c0a892a2304d" tutorial.

When I connect to the OpenVPN network without Tor, I can ping the computers on the internal network by name, but with that configuration, I can't ping the computers on the internal network by name. I checked the OpenVPN TAP and I can see my internal DNS server IP addresses, but why can't I ping the computers by their names?

Please see: https://pasteboard.co/qDUccB3Xrb4F.png

Any idea?

Thank you.
[Openvpn-users] How to check the OpenVPN security?
Hello,

Is there a tool to measure the security of an OpenVPN connection? Something that tells if the security parameters used in the configuration file are sufficient or not.

Thank you.
[Openvpn-users] --user specified but lacking CAP_SETPCAP
Hello,

My OpenVPN server started, but I got the following message in the "openvpn.log":

--user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload

My server.conf is:

port 2023
proto udp
dev tun1
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/Server.crt
key /etc/openvpn/server/Server.key
dh /etc/openvpn/server/dh.pem
server 20.20.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.20.1.2"
push "dhcp-option DNS 172.20.1.7"
topology subnet
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-GCM
data-ciphers AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Anything wrong?

Thank you.
[Openvpn-users] URL forwarding and blacklisting
Hello,

I have two questions:

1- When someone connects to an OpenVPN server, is it possible to be redirected to duckduckgo.com when trying to go to google.com?

2- How can I block access to certain websites?

Does OpenVPN offer such features?

Thank you.
Re: [Openvpn-users] Push the server configuration to the client
> Hi,
>
> On Sun, Sep 03, 2023 at 06:05:09AM +, Jason Long wrote:
> > push "route 10.0.2.0 255.255.255.0 10.0.2.2 1"
> > push "dhcp-option DNS 172.20.1.2"
> > push "dhcp-option DNS 172.20.1.7"
> > push "redirect-gateway autolocal"
>
> This *should* install a default gateway, but if it doesn't, check the
> client log files what goes wrong. I've never used "autolocal" without
> also setting "def1", but according to the manpage it might work.
>
> Generally speaking, for anyone still bothering with IPv4, using "def1"
> is always recommended. So
>
> push "redirect-gateway def1 autolocal"
>
> > The routing table is:
> >
> > C:\> route print 4
> >
> > IPv4 Route Table
> > ===
> > Active Routes:
> > None
> > Persistent Routes:
> > None
> >
> > When the OpenVPN virtual NIC has the DNS server IP addresses, then why
> > can't I ping the target with their names?
>
> because you have no routes toward the DNS server IPs.
>
> (Something is wrong with your "route print" command anyway, I do not think
> that "4" is doing what you want, namely, show only IPv4 - most likely it
> tries to lookup a route towards "4", however that is interpreted)
>
> Again, this is all basic understanding of IP and routing, and not an
> OpenVPN problem.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hi Gert,

Thank you so much for your reply. I added the "topology subnet" and the problem is solved!!!
Re: [Openvpn-users] How to set a fixed IP to a client?
> On 03/09/2023 15:23, Jason Long via Openvpn-users wrote:
> > Hello,
> > As I said, I have some scenario and I want to learn more.
>
> Have you ordered any of the books you've been recommended? Have you
> read any of them?
>
> I would say you are pretty close to getting banned from this mailing
> list by now. You ask so many questions WITHOUT doing your own homework,
> not reading documentation you've been pointed at. This has to stop now.
> This mailing list is NOT an OpenVPN focused Wikipedia search engine.
>
> If you REALLY want to learn more. START READING the documentation
> sources you've been pointed at numerous times over the last weeks. Have
> some respect for all of those who reply to you, commonly in their own
> spare time. Nobody here is obliged to reply. But they do so out of
> generosity. If you continue this nonsense much longer, you will just be
> ignored completely - or be taken off the mailing list.
>
> Your questions are not really that unique to your needs. Many of us
> responding here have been active in the OpenVPN community for over a
> decade; I doubt any of us has experienced anyone so insistent on
> ignoring documentation pointers as you have so far.
>
> Take this as a strong warning. Enough is enough.
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc

Hello,

First of all, I did not disrespect anyone and I appreciate everyone's answers.

The books you mentioned are all old, and OpenVPN is an open source program whose open source nature makes it change quickly. Are these books still useful?

I read the document:

https://community.openvpn.net/openvpn/wiki/Concepts-Addressing

If you change "ifconfig IP Netmask" to "server IP Netmask", then your client can't connect to your OpenVPN server.
Re: [Openvpn-users] How to set a fixed IP to a client?
> On 03/09/2023 15:23, Jason Long via Openvpn-users wrote:
> > Hello,
> > As I said, I have some scenario and I want to learn more.
>
> Have you ordered any of the books you've been recommended? Have you
> read any of them?
>
> I would say you are pretty close to getting banned from this mailing
> list by now. You ask so many questions WITHOUT doing your own homework,
> not reading documentation you've been pointed at. This has to stop now.
> This mailing list is NOT an OpenVPN focused Wikipedia search engine.
>
> If you REALLY want to learn more. START READING the documentation
> sources you've been pointed at numerous times over the last weeks. Have
> some respect for all of those who reply to you, commonly in their own
> spare time. Nobody here is obliged to reply. But they do so out of
> generosity. If you continue this nonsense much longer, you will just be
> ignored completely - or be taken off the mailing list.
>
> Your questions are not really that unique to your needs. Many of us
> responding here have been active in the OpenVPN community for over a
> decade; I doubt any of us has experienced anyone so insistent on
> ignoring documentation pointers as you have so far.
>
> Take this as a strong warning. Enough is enough.
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc

Hello,

First of all, I did not disrespect anyone and I appreciate everyone's answers.
Re: [Openvpn-users] How to set a fixed IP to a client?
> Hi,
>
> On 03/09/2023 20:50, Jason Long via Openvpn-users wrote:
> > I read those steps from an OpenVPN document. Can you tell me where
> > the problem is?
>
> There is no problem.
>
> It is simply not possible to "configure" OpenVPN to assign an IP address
> based on the computer name or MAC.
>
> As you have already done, you can assign an IP address based on the
> certificate Common Name (CN) because it is presented during negotiation.
>
> If you truly want to assign an IP address based on extra variables (like
> MAC address, computer name, world clock, t-shirt color, etc..) you need
> to implement this logic by yourself by using two mechanisms:
>
> 1) UV_* variables on the client side, where you put the value to send to
> the server (i.e. MAC address)
>
> 2) --client-connect script on the server side, where you read the UV_*
> variable and programmatically create your ifconfig-push directive for
> that specific client.
>
> Now, UV_* variables are not authenticated therefore *any* client could
> simply send the value it wants: i.e. client A and B could send the same
> MAC address and your logic would not work anymore.
>
> The only authenticated pieces of information you have are those related
> to your certificates, like the CN, and this is the main reason why you
> should rely on those when trying to identify clients in order to
> assign special properties.
>
> I hope this helps.
>
> Cheers,
>
> --
> Antonio Quartulli

Hello,

Thank you so much for your great information.
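Antonio's second mechanism above (a --client-connect script that emits the ifconfig-push for the connecting client) with his caveat built in: the address decision keys only on the authenticated certificate CN, and any UV_* value the client sent is logged but never trusted. Added example, not the project's code; the CN-to-address table is constructed, and it assumes a 'topology subnet' server that loads the script with client-connect and script-security 2. The ccd/ifconfig-push layout it emits is the one discussed later in this thread.

```python
#!/usr/bin/env python3
"""Hand out fixed VPN addresses from the authenticated certificate CN.

Added example, not OpenVPN project code. OpenVPN runs a --client-connect
script with the path of a temporary per-client config file as argument 1
and the peer's details in the environment. Only certificate-derived values
(here common_name) are authenticated, so the table is keyed by CN, while
client-supplied UV_* values are logged and never used for the decision.
Assumptions: the CN table is constructed for a 'topology subnet' server and
the script is wired in with 'client-connect <path>' and 'script-security 2'.
"""
import os
import re
import sys

# Constructed table: certificate CN -> (client address, netmask).
FIXED_ADDRESSES = {
    "client": ("20.1.0.202", "255.255.255.0"),
    "laptop-alice": ("20.1.0.203", "255.255.255.0"),
}
CN_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_ccd_lines(env, table=FIXED_ADDRESSES):
    """Config lines OpenVPN should apply to this peer, decided by CN only.

    Returns [] for CNs not in the table, so they fall back to the dynamic
    pool; raises ValueError for a CN outside the allowed character set."""
    cn = env.get("common_name", "")
    if not CN_PATTERN.match(cn):
        raise ValueError(f"refusing unexpected common_name {cn!r}")
    entry = table.get(cn)
    if entry is None:
        return []
    address, mask = entry
    return [f"ifconfig-push {address} {mask}"]


def untrusted_peer_info(env):
    """UV_* variables the client chose to send (e.g. a MAC); logging only,
    because nothing authenticates them and two clients may send the same."""
    return {k: v for k, v in env.items() if k.startswith("UV_")}


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        print("expected the per-client config path as argument 1", file=sys.stderr)
        return 1
    try:
        lines = build_ccd_lines(os.environ)
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 1                      # non-zero exit: OpenVPN rejects the client
    with open(argv[1], "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
    info = untrusted_peer_info(os.environ)
    if info:
        print(f"peer {os.environ.get('common_name')} sent unauthenticated {info}",
              file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```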
Re: [Openvpn-users] How to set a fixed IP to a client?
> On Sun, 03 Sep 2023 15:39:56 +, tincantech via Openvpn-users wrote:
> > Your continued use
> > of this mailing list as an alternative to reading any documentation
> > has not gone unnoticed.
>
> +1
>
> And it should result in *everyone* stopping responding to this list spammer who
> does not care about reading the docs...
>
> I have counted the number of threads he has *started* over the last 2 months:
> July: 14
> August: 13
> Sept: 3
> Total: 30 threads
>
> Meanwhile other users have started 6 threads over the same time and 37 threads
> over the *whole* of 2023...
> Most of the other threads have just a few entries whereas these "Jason Long"
> threads wind on "forever" filling up everyone's mailboxes.
>
> I believe this guy is better served in the OpenVPN *forum* which does not push
> messages to all subscribers every time a post is made.
>
> Please do not encourage him any longer.
>
> --
> Bo Berglund
> Developer in Sweden

Hello,

I'm not a spammer, and many of the questions I asked are explained in other social networks with the old configuration.

I read the documents:

https://community.openvpn.net/openvpn/wiki/Concepts-Addressing

If you change the "ifconfig 20.1.0.1 255.255.255.0" to "server 20.1.0.0 255.255.255.0", then your client cannot connect to the server. You can test it yourself.
Re: [Openvpn-users] How to set a fixed IP to a client?
> On 03/09/2023 at 15:23, Jason Long wrote:
> > Hello,
> > As I said, I have some scenario and I want to learn more.
>
> By abusively relying on others? Strange way to achieve your goals.
>
> > Do you mean "ccd-exclusive"? If yes, then I edited the Server.conf as below:
> >
> > ifconfig 20.1.0.1 255.255.255.0
> > mode server
> > tls-server
> > client-config-dir ccd
> > ccd-exclusive
> >
> > And:
> >
> > # cat ccd/client
> > 10.0.2.0 255.255.255.0
> > ifconfig-push 20.1.0.202 20.1.0.201
> >
> > After it, a client whose CN name is "client" always takes IP address
> > 20.1.0.202. Am I right?
>
> What's the first line for? Once again, read the f***ing docs:
> https://community.openvpn.net/openvpn/wiki/HOWTO#Configuringclient-specificrulesandaccesspolicies
>
> > How can I give the IP address by MAC address?
>
> Why would you do that if you can use the certificate for the same
> purpose? At least give a plausible reason why the CN would suit your needs.
>
> Bruno

Hi Bruno,

As I said, I read these steps from the OpenVPN document:

https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
Re: [Openvpn-users] How to set a fixed IP to a client?
On Sun, Sep 3, 2023 at 5:38 PM, Bruno Tréguier via Openvpn-users wrote:
>Le 03/09/2023 à 15:23, Jason Long a écrit :
> Hello,
> As I said, I have some scenario and I want to learn more.

>By abusively relying on others? Strange way to achieve your goals.

> Do you mean "ccd-exclusive"? If yes, then I edited the Server.conf as below:
>
> ifconfig 20.1.0.1 255.255.255.0
> mode server
> tls-server
> client-config-dir ccd
> ccd-exclusive
>
> And:
>
> # cat ccd/client
> 10.0.2.0 255.255.255.0
> ifconfig-push 20.1.0.202 20.1.0.201
>
>
> After it, a client whose CN name is "client", always takes IP address
> 20.1.0.202. Am I right?

>What's the first line for? Once again, read the f***ing docs:
>https://community.openvpn.net/openvpn/wiki/HOWTO#Configuringclient-specificrulesandaccesspolicies

> How can I give the IP address by MAC address?

>Why would you do that if you can use the certificate for the same
>purpose? At least give a plausible reason why the CN would suit your needs.

>Bruno

Hello,
Thank you so much.
I read those steps from an OpenVPN document. Can you tell me where the problem is?
Re: [Openvpn-users] How to set a fixed IP to a client?
>Le 03/09/2023 à 08:48, Jason Long via Openvpn-users a écrit :
> Hello,
> When I use "server 10.8.0.0 255.255.255.0" in the Server.conf file, then
> OpenVPN assigns IP addresses to clients respectively. What should I do if I
> want to assign a specific IP address to a client with a specific computer
> name or MAC address?
>
>What should you do? You should read the docs. Really.

>Do your homework, Jason. Many questions you're asking here have a simple
>answer via "man" commands or by simply googling them. And this is typically
>one of them.

>$ man openvpn

>Excerpt:

> --client-config-dir dir
>     Specify a directory dir for custom client config files. After a
>     connecting client has been authenticated, OpenVPN will look in this
>     directory for a file having the same name as the client's X509 common
>     name. If a matching file exists, it will be opened and parsed for
>     client-specific configuration options. If no matching file is found,
>     OpenVPN will instead try to open and parse a default file called
>     "DEFAULT", which may be provided but is not required. Note that the
>     configuration files must be readable by the OpenVPN process after it
>     has dropped its root privileges.
>
>     This file can specify a fixed IP address for a given client using
>     --ifconfig-push, as well as fixed subnets owned by the client using
>     --iroute

>If what you meant wasn't exactly that, and if you really want to use the name
>of the machine or its mac address instead of its common name, please provide
>more insight about why you would really want to do that. Asking questions out
>of the blue, without any perceivable goal, is a real deterrent.

>Bruno

Hello,
As I said, I have some scenario and I want to learn more.
Do you mean "ccd-exclusive"? If yes, then I edited the Server.conf as below:

ifconfig 20.1.0.1 255.255.255.0
mode server
tls-server
client-config-dir ccd
ccd-exclusive

And:

# cat ccd/client
10.0.2.0 255.255.255.0
ifconfig-push 20.1.0.202 20.1.0.201

After it, a client whose CN name is "client" always takes IP address 20.1.0.202. Am I right?
How can I give the IP address by MAC address?
[Openvpn-users] How to set a fixed IP to a client?
Hello,
When I use "server 10.8.0.0 255.255.255.0" in the Server.conf file, then OpenVPN assigns IP addresses to clients respectively. What should I do if I want to assign a specific IP address to a client with a specific computer name or MAC address?
Thank you.
Re: [Openvpn-users] Push the server configuration to the client
>Hi,

>On Sat, Sep 02, 2023 at 11:44:08AM +, Jason Long via Openvpn-users wrote:
> I connected to the server, but default gateway not set:
>
> Unknown adapter OpenVPN TAP-Windows6:
>
>    Connection-specific DNS Suffix  . :
>    Link-local IPv6 Address . . . . . : fe80::b404:5a8b:df0e:52c3%15
>    IPv4 Address. . . . . . . . . . . : 10.8.0.6
>    Subnet Mask . . . . . . . . . . . : 255.255.255.252
>    Default Gateway . . . . . . . . . :
>
> Why?

>"redirect-gateway def1" will not set "a default route" but "2 half
>default routes".

>So you'll never see them in "default gateway", but in "route print"

>(OTOH, in your setup without any default gateway beforehand, it might
>not work without the "local" or "autolocal" flags to redirect-gateway -
>which I already wrote some weeks ago)

>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,
Thank you so much for your reply.
I set the Windows OS network configuration manually:
https://pasteboard.co/jXn3NHjHxTR7.png

And as you can see, I never set the DNS server IP addresses, and because of it I can't ping the targets by their names. I used the Linux box IP address as the Windows default gateway.

I added the following lines to my Server.conf:

push "route 10.0.2.0 255.255.255.0 10.0.2.2 1"
push "dhcp-option DNS 172.20.1.2"
push "dhcp-option DNS 172.20.1.7"
push "redirect-gateway autolocal"

Added the following line to Client.ovpn:

route 10.0.2.0 255.255.255.0 10.0.2.2

I connected to the OpenVPN server and "TAP-Windows Adapter" is as below:
https://pasteboard.co/15EbmDTzN8xS.png

As you see, the DNS server IP addresses were added to the TAP-Windows Adapter, but I can't ping the targets by their names:

C:\> ping google.com
Ping request could not find host google.com. Please check the name and try again.
C:\>

The routing table is:

C:\> route print 4
===
Interface List
 15...00 ff 6a 2b f0 fa ......TAP-Windows Adapter V9
 14......................Wintun Userspace Tunnel
 11...08 00 27 43 77 e3 ......Intel(R) PRO/1000 MT Desktop Adapter
  1......................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===

IPv4 Route Table
===
Active Routes:
  None
Persistent Routes:
  None

IPv6 Route Table
===
Active Routes:
  None
Persistent Routes:
  None

When the OpenVPN virtual NIC has the DNS server IP addresses, then why can't I ping the targets by their names?
[Openvpn-users] Push the server configuration to the client
Hello,
I have two VMs in VirtualBox and selected the NAT Network type for their networking. For both VMs, I configured the network manually.

On Server (Debian) my network configuration is:

enp0s3: flags=4163  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 46567  bytes 21273157 (20.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38209  bytes 7396310 (7.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And routing table is:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 enp0s3
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s3

I can ping internal and external networks:

# ping google.com
PING google.com (216.239.38.120) 56(84) bytes of data.
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=1 ttl=50 time=25.3 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=2 ttl=50 time=27.1 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=3 ttl=50 time=27.8 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2032ms
rtt min/avg/max/mdev = 25.315/26.722/27.752/1.030 ms
#
# ping 172.20.1.2
PING 172.20.1.2 (172.20.1.2) 56(84) bytes of data.
64 bytes from 172.20.1.2: icmp_seq=1 ttl=125 time=1.54 ms
64 bytes from 172.20.1.2: icmp_seq=2 ttl=125 time=1.37 ms
64 bytes from 172.20.1.2: icmp_seq=3 ttl=125 time=2.87 ms
^C
--- 172.20.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2051ms
rtt min/avg/max/mdev = 1.366/1.922/2.867/0.671 ms

On client (Windows OS), I used the below configuration:

IP: 10.0.2.16
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.2.15 ==> Linux IP address

Both server and client can see each other.
When the client connects to the server, I want the default gateway of the server to be set on the client.

Server.conf:

push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.2.0 255.255.255.0 10.0.2.2 1"
push "dhcp-option DNS 1.1.1.1"

Client.ovpn:

route 10.0.2.0 255.255.255.0 10.0.2.2

I connected to the server, but default gateway not set:

Unknown adapter OpenVPN TAP-Windows6:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::b404:5a8b:df0e:52c3%15
   IPv4 Address. . . . . . . . . . . : 10.8.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :

Why?
Thank you.
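Gert's reply earlier on this page explains that "redirect-gateway def1" installs two half-default routes (0.0.0.0/1 and 128.0.0.0/1) rather than a new default gateway, and that on a client with no default gateway at all the host route to the VPN server cannot be installed unless the "local" or "autolocal" flag is used. The script below is an added example, not code from this thread or from OpenVPN: it models the steps of the --redirect-gateway manual entry against the addresses in the post (client 10.0.2.16/24, server 10.0.2.15). The tunnel gateway 10.8.0.5, the route-table shape and the "autolocal" heuristic are assumptions made for the example; "bypass-dhcp" is not modelled.

```python
"""Model what "redirect-gateway" does to a client's routing table, including
the failure mode from the thread: a client with no default gateway.

Added example (not OpenVPN code). routes are (dest_cidr, gateway_or_None)
tuples; gateway None means on-link. Tunnel gateway 10.8.0.5 is assumed.
"""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def default_gateway(routes):
    """Return the next hop of the 0.0.0.0/0 route, or None if there is none."""
    for dest, gw in routes:
        if ipaddress.ip_network(dest) == DEFAULT:
            return gw
    return None


def on_local_subnet(routes, server_ip):
    """True when the VPN server sits on a directly connected (on-link) subnet,
    which is the situation the 'local' flag is meant for."""
    ip = ipaddress.ip_address(server_ip)
    return any(gw is None and ip in ipaddress.ip_network(dest)
               for dest, gw in routes
               if ipaddress.ip_network(dest).prefixlen > 0)


def plan_redirect_gateway(routes, server_ip, tun_gw, flags=()):
    """Return the routes OpenVPN would add, as (dest_cidr, gateway) tuples.

    Raises RuntimeError when the setup cannot work: no default gateway and
    neither 'local' nor a successful 'autolocal' check.
    """
    flags = set(flags)
    added = []
    local = "local" in flags or (
        "autolocal" in flags and on_local_subnet(routes, server_ip))
    if not local:
        gw = default_gateway(routes)
        if gw is None:
            raise RuntimeError(
                "no default gateway: the host route to the VPN server cannot "
                "be installed; use the 'local' or 'autolocal' flag")
        # Step 1 of the manual: keep the encapsulated VPN traffic itself on
        # the old gateway, otherwise the tunnel would try to route itself.
        added.append((f"{server_ip}/32", gw))
    if "def1" in flags:
        # Two more-specific half routes outrank 0.0.0.0/0 without deleting it;
        # this is what "route print" shows instead of a new default gateway.
        added += [("0.0.0.0/1", tun_gw), ("128.0.0.0/1", tun_gw)]
    else:
        added.append(("0.0.0.0/0", tun_gw))  # replaces the existing default
    return added


if __name__ == "__main__":
    # Constructed: the Windows client from the post, no default gateway.
    client = [("10.0.2.0/24", None)]
    try:
        print(plan_redirect_gateway(client, "10.0.2.15", "10.8.0.5", ["def1"]))
    except RuntimeError as err:
        print("def1 alone:", err)
    print("def1 autolocal:",
          plan_redirect_gateway(client, "10.0.2.15", "10.8.0.5",
                                ["def1", "autolocal"]))
```

Run it as-is to see the two outcomes for the client in the post: "def1" alone has no gateway to hang the host route on, while "def1 autolocal" installs only the two half routes because the server is on-link. The half-route trick matters for security as well as convenience: the original default route stays in place, so when OpenVPN exits cleanly it only has to delete what it added and the client is never left without connectivity, but any traffic that starts before the tunnel is up still takes the old path.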
[Openvpn-users] OpenVPN Authentication via Active Directory
Hello,
I installed the openvpn-auth-ldap package and I want to use the Active Directory for authentication.
I opened Active Directory Users And Computers, clicked the View menu and selected Advanced Features. After that, I right-clicked on my username and selected Properties, then clicked the "Object" tab. I found the following information:

megaman.xyz/Informatic/Network/Central Office/Jason Long

I right-clicked on the "Active Directory Users And Computers" and selected Properties, then clicked on the Attribute Editor tab and found the distinguishedName attribute:

CN=NTDS Settings,CN=DC2-MainBranch,CN=Servers,CN=MainBranch,CN=Sites,CN=Configuration,DC=megaman,DC=xyz

I edited the auth-ldap.conf file as below:

<LDAP>
    URL             ldap://DC2-MainBranch.megaman.xyz
    BindDN          "CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz"
    Password        MY_AD_Password
    Timeout         15
    TLSEnable       no
    FollowReferrals no
</LDAP>

<Authorization>
    BaseDN          "OU=Informatic/Network/Central Office,dc=megaman,dc=xyz"
    SearchFilter    "(samaccountname=%u)"
    RequireGroup    false

    <Group>
        BaseDN          "CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz"
        SearchFilter    "(samaccountname=%u)"
        MemberAttribute uniqueMember
    </Group>
</Authorization>

I started OpenVPN and when I want to connect to my server, the client shows me a "wrong credentials. Try again..." error. I checked the OpenVPN log and it showed me the following error:

Unable to bind as CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz
LDAP connect failed.
2023-09-02 02:25:39 10.0.2.16:56792 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2023-09-02 02:25:39 10.0.2.16:56792 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
2023-09-02 02:25:39 10.0.2.16:56792 TLS Auth Error: Auth Username/Password verification failed for peer
2023-09-02 02:25:39 10.0.2.16:56792 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-02 02:25:39 10.0.2.16:56792 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2023-09-02 02:25:39 10.0.2.16:56792 Delayed exit in 5 seconds
2023-09-02 02:25:39 10.0.2.16:56792 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-09-02 02:25:39 10.0.2.16:56792 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-09-02 02:25:39 10.0.2.16:56792 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2023-09-02 02:25:39 10.0.2.16:56792 Peer Connection Initiated with [AF_INET]10.0.2.16:56792
2023-09-02 02:25:41 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2023-09-02 02:25:44 10.0.2.16:56792 SIGTERM[soft,delayed-exit] received, client-instance exiting

To check the LDAP, I used the following command and it can see my Active Directory:

# ldapsearch -H ldap://172.20.1.7 -D "ja...@megaman.xyz" -W

How to solve it?
Thank you.
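The "Object" tab in ADUC shows the canonical name (domain/container/.../object), which is not an LDAP distinguished name; pasting "Informatic/Network/Central Office" into a single OU= value, as the BindDN and BaseDN in the post do, produces a DN that no directory server will resolve, hence the "Unable to bind" line. The script below is an added example, not part of the post or of openvpn-auth-ldap: it converts a canonical name into the nested-RDN DN form, escapes the characters RFC 4514 requires, and flags a DN that still carries a slash-separated path. The canonical name is the one quoted in the post; treating the default AD containers (Users, Computers, ...) as CN= and everything else as OU= is an assumption, as is the example bind account name.

```python
"""Turn an Active Directory canonical name, as shown on ADUC's "Object" tab,
into the LDAP DN that openvpn-auth-ldap's BindDN / BaseDN expect.

Added example, not from the mailing list or openvpn-auth-ldap. Which
containers are CN= vs OU= is inferred from the default AD containers
(an assumption); user-created containers are assumed to be OUs.
"""

# RFC 4514: these must be backslash-escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')

# Built-in AD containers are CN=..., anything an admin creates is an OU.
_BUILTIN_CONTAINERS = frozenset({
    "Users", "Computers", "Builtin", "ForeignSecurityPrincipals",
    "Managed Service Accounts", "System", "Program Data",
})


def escape_rdn_value(value):
    """Escape a single RDN value per RFC 4514 (commas, leading '#', edge spaces)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def canonical_to_dn(canonical, leaf_type="CN"):
    """'megaman.xyz/Informatic/Network/Central Office/Jason Long' ->
    'CN=Jason Long,OU=Central Office,OU=Network,OU=Informatic,DC=megaman,DC=xyz'"""
    parts = canonical.split("/")
    if len(parts) < 2 or "." not in parts[0]:
        raise ValueError(f"not a canonical name: {canonical!r}")
    domain, containers, leaf = parts[0], parts[1:-1], parts[-1]
    rdns = [f"{leaf_type}={escape_rdn_value(leaf)}"]
    for name in reversed(containers):          # DN lists the leaf first
        kind = "CN" if name in _BUILTIN_CONTAINERS else "OU"
        rdns.append(f"{kind}={escape_rdn_value(name)}")
    rdns.extend(f"DC={label}" for label in domain.split("."))
    return ",".join(rdns)


def split_rdns(dn):
    """Split a DN on unescaped commas only."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def parent_dn(dn):
    """Drop the leftmost RDN: the container to use as a search BaseDN."""
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        raise ValueError("DN has a single RDN")
    return ",".join(rdns[1:])


def dn_problems(dn):
    """Cheap sanity checks for a hand-typed DN before it goes into a config file."""
    problems = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            problems.append(f"RDN without attribute type: {rdn!r}")
        elif "/" in rdn:
            problems.append(
                f"slash inside an RDN value, looks like a canonical path: {rdn!r}")
    return problems


if __name__ == "__main__":
    user_dn = canonical_to_dn("megaman.xyz/Informatic/Network/Central Office/Jason Long")
    print("user DN   :", user_dn)
    print("search base:", parent_dn(user_dn))
    # Assumed service account for the plugin's BindDN (constructed name).
    print("bind DN   :", canonical_to_dn("megaman.xyz/Users/svc-openvpn"))
    print("post's DN :", dn_problems(
        "CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz"))
```

Two further points a practitioner would check in that config, stated as facts about AD rather than as a guess at the poster's directory: the BindDN must be the DN (or the user@domain UPN, which AD also accepts for a simple bind, as the ldapsearch in the post already uses) of an account that is allowed to log on, not the domain controller's own CN; and AD group membership lives in the group object's "member" attribute, so MemberAttribute should be "member", not "uniqueMember", before RequireGroup is turned on. Keep TLSEnable off only for a lab; the bind password travels in clear text over plain ldap://.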
Re: [Openvpn-users] Using username/password authentication
On Wed, Aug 30, 2023 at 5:36 PM, Gert Doering wrote:
>Hi,

>On Wed, Aug 30, 2023 at 01:53:40PM +0000, Jason Long via Openvpn-users wrote:
> Thank you so much for your reply.
> As I understand, The "ca.crt" and "ta.crt" keys are mandatory. I disabled
> the "ta.crt" in Client.ovpn file and I got the following error:

>ta.crt is outside the "basic" TLS handshake, so a different thing - and
>if used, must be used on both sides.

> Wed Aug 30 17:36:57 2023 TLS Error: TLS key negotiation failed to occur
> within 60 seconds (check your network connectivity)
> Wed Aug 30 17:36:57 2023 TLS Error: TLS handshake failed
>
> Why the following files must exist in the server.conf file, when the client
> using the username and password authentication method?
>
> cert server.crt
> key server.key
> dh dh.pem

>For the same reason you have them in your apache config if your web server
>offers TLS (https). Because TLS needs a server certificate, and Diffie-
>Hellman needs a file with DH groups.

>Maybe you really want to follow David's suggestion and buy one of the
>OpenVPN books *and actually read it, from beginning to end*?

>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hello,
Thanks again.
I will.
In the end, I want to know if it is possible to connect the server and the client without any key?
Re: [Openvpn-users] Using username/password authentication
>On 30/08/2023 07:45, Jason Long via Openvpn-users wrote:
> Hello,
> I configured OpenVPN to use the username and password for authentication, but
> I need to have the "ca.crt", "cert server.crt", "server.key" and "dh.pem"
> certificates.

>There are 2 sets of certificates and keys.

>* Server side: Uses ca.crt, server.crt, server.key and dh.pem
>* Client side: Uses ca.crt, client.crt and client.key

>The difference between these certificates and keys are very important to
>have a clear understanding of. Each certificate provides an identity of
>the server or client and should be unique per host and user.

> So, what's the advantage of using this authentication method when I still
> need to use these keys?

>Certificate based authentication is quite strong. And in many cases,
>that is more than enough. OpenVPN can also be configured to not use
>client certificates, in this case username/password authentication is
>mandatory. For such setups, the client side only needs the ca.crt (to
>verify the identity of the VPN server).

>Or you can combine certificate with username/password authentication.
>This can be used if you want to grant different access to the network(s)
>behind the VPN server depending on which device a user is connecting from.

>And there is another aspect as well. Some deployments let both
>gateway/routers connect to a VPN server as well as individual users. In
>this case, those gateway/router hosts will NOT use username/password -
>only certificates. While the individual end-users might do only
>username/password authentication.

>Which approach to use, depends entirely on your own networks need and
>the threat model you operate under. There is no "X is better than Y"
>scenario in this case; it depends entirely on your own security needs.

>--
>kind regards,
>David Sommerseth
>OpenVPN Inc

Hello,
Thank you so much for your reply.
As I understand, the "ca.crt" and "ta.crt" keys are mandatory. I disabled the "ta.crt" in the Client.ovpn file and I got the following error:

Wed Aug 30 17:36:57 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 30 17:36:57 2023 TLS Error: TLS handshake failed

Why must the following files exist in the server.conf file when the client is using the username and password authentication method?

cert server.crt
key server.key
dh dh.pem
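David's reply describes the setup where the server keeps its own certificate (TLS still needs it) but client certificates are dropped and a username/password check becomes mandatory. In OpenVPN that check is done by a plugin or by a script named in "auth-user-pass-verify"; with the "via-file" method the server writes the username on line 1 and the password on line 2 of a temporary file, runs the script, and admits the client only if it exits 0. The script below is an added example of such a verifier, not code from the post or from OpenVPN. The user table is a constructed PBKDF2 hash store; the server.conf lines it assumes are "script-security 2", "auth-user-pass-verify /etc/openvpn/server/verify.py via-file" and "verify-client-cert none", none of which appear in the post.

```python
#!/usr/bin/env python3
"""Minimal "auth-user-pass-verify <script> via-file" verifier for OpenVPN.

Added example, not from the mailing list or OpenVPN. OpenVPN hands the
script a temp file (username on line 1, password on line 2) and treats exit
status 0 as success. The user table below is constructed for the example;
a real deployment would load it from a file readable only by the server user.
"""
import hashlib
import hmac
import os
import sys

ITERATIONS = 600_000            # PBKDF2-HMAC-SHA256 work factor (assumption)
_DEMO_SALT = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"

# Constructed sample store: {username: (salt_hex, pbkdf2_sha256_hex)}.
USERS = {
    "jason": (_DEMO_SALT,
              hashlib.pbkdf2_hmac("sha256", b"correct horse",
                                  bytes.fromhex(_DEMO_SALT), ITERATIONS).hex()),
}


def verify(username, password, users=USERS):
    """Return True only for a known user with the right password.

    An unknown user still pays for one PBKDF2 round against a random salt,
    so response time does not reveal whether the account exists.
    """
    salt_hex, expected_hex = users.get(username, (os.urandom(16).hex(), "00" * 32))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(actual.hex(), expected_hex) and username in users


def read_via_file(path):
    """Parse the two-line file OpenVPN writes for the via-file method."""
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2:
        raise ValueError("via-file needs a username line and a password line")
    return lines[0], lines[1]


def main(argv):
    user, ok = "?", False
    try:
        user, password = read_via_file(argv[1])
        ok = verify(user, password)
    except (IndexError, OSError, ValueError):
        ok = False
    # OpenVPN exports untrusted_ip for the connecting peer; log the verdict,
    # never the password. Output goes to the server log via stderr.
    print(f"auth {'ok' if ok else 'FAILED'} for {user!r} "
          f"from {os.environ.get('untrusted_ip', '?')}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a practitioner would add: the script runs as the user OpenVPN has dropped to (nobody/nogroup in the server config quoted at the top of this page), so the hash store must be readable by that user and by nobody else; and "verify-client-cert none" means every client that can reach the port and knows a password is in, so pairing it with tls-crypt, as the configs at the top of the page already do, keeps unauthenticated peers from even starting the TLS handshake.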
[Openvpn-users] Using username/password authentication
Hello,
I configured OpenVPN to use the username and password for authentication, but I need to have the "ca.crt", "cert server.crt", "server.key" and "dh.pem" certificates.
So, what's the advantage of using this authentication method when I still need to use these keys?
Thank you.
[Openvpn-users] Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Hello,
Why do I see the following line in the OpenVPN log?

Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt

Thank you.
Re: [Openvpn-users] Revoke a certificate and reuse it
On Sun, Aug 27, 2023 at 1:33 PM, Jochen Bern wrote:
On 27.08.23 07:49, Jason Long wrote:
> 1- When a key is generated, how many days is the default time for it to
> expire?

>Whatever your configuration files say. And frankly, just generating one
>and *looking* at it might tell you *even faster* than reading the configs.

>(IIRC EasyRSA comes with its own bunch of openssl.cnf to cover several
>major versions of OpenSSL the machine may have preinstalled, but a lot
>of the parameters are filled from env vars that the easyrsa "executable"
>or a "vars" file would preset.)

> 2- Are the following commands correct to expire the client key after 110
> days??
>
> # export EASYRSA_CERT_EXPIRE=110
> # ./easyrsa gen-req My_Client nopass
> # ./easyrsa sign-req client My_Client

>According to the docs
>https://github.com/OpenVPN/easyrsa/blob/master/doc/EasyRSA-Advanced.md#environmental-variables-reference
>and assuming that you're using a POSIX Bourne-style shell
>https://unix.stackexchange.com/questions/368944/what-is-the-difference-between-env-setenv-export-and-when-to-use
>that seems correct, but as I said, I don't use EasyRSA myself.

>Kind regards,
>--
>Jochen Bern
>Systemingenieur
>Binect GmbH

Hello,
Thanks again.
Can you show me the OpenSSL commands that you use to generate the server and client certificates?
Re: [Openvpn-users] Revoke a certificate and reuse it
>On 26.08.23 07:32, Jason Long wrote:
> 1- How do you give keys to a large number of clients? Suppose there are
> 1000 employees in a company, do all employees have to go to the IT
> department of that company to get the client keys?

>Certificates are technical proof that the CA trusts the holder to have a
>set of properties - whether that's an e-mail address, a full (legal)
>name, being an employee, of a specific department / with a specific job
>title / legal capacity within the company, a paying customer, a resident
>of the city, yadda yadda. (In your case, it would either *happen* to
>imply "yes, he may use that VPN, too", or *be* simply "permission to use
>that VPN", whatever purpose the VPN serves.)

>In order for the entity to receive a certificate, that entity has to do
>whatever it takes to make the CA have that trust in them. If you're
>handing out employee certificates in a large company where the only way
>to verify "yes, he's one of us" is to compare the photo on his badge
>with his face, then yes, he'll obviously have to show up in your office
>to do that. (And you should agree on a confidential transfer password so
>that the cert can later be sent by an insecure channel - unless you
>create it and *somehow* hand it to him on the spot.)

>Ideally, there should be a written policy what the CA considers
>satisfactory procedures. Yes, that likely means that it's *your* job to
>at least define, if not write, it.

> 2- Is it possible to send a new key to clients automatically when client
> key is revoked?

>Not with one OpenVPN connection alone (as revoking the key means that
>you do not trust that client anymore, and thus should hand over a new
>one to the (re-)verified holder by *different*, still-trusted means).

>Kind regards,
>--
>Jochen Bern
>Systemingenieur
>Binect GmbH

Hello,
Thanks again.
1- When a key is generated, how many days is the default time for it to expire?
2- Are the following commands correct to expire the client key after 110 days?

# export EASYRSA_CERT_EXPIRE=110
# ./easyrsa gen-req My_Client nopass
# ./easyrsa sign-req client My_Client
Re: [Openvpn-users] Revoke a certificate and reuse it
On Sat, 26 Aug 2023 05:32:56 + (UTC), Jason Long via Openvpn-users wrote:

>On 25.08.23 21:41, Jason Long via Openvpn-users wrote:
>> Hello,With the help of the following command, you can revoke a certificate:
>> # ./revoke-full "Client_Name"
>> Now if you change your mind, is it possible to use that certificate again?
>> Is there a command to validate a revoked certificate?
>
>>Semantically, no, there is no such thing as "unrevoking" a certificate.
>
>>Technically, you can get a cert back out of a CRL or other listing, and
>>hope that the world will forget it was ever listed there, or never
>>noticed that in the first place, but it'd probably be less work to just
>>have the CA issue a *new* cert instead.
>
>>*Revoked* certs do *not* count against the guideline of "there shouldn't
>>be two certs by the same CA for the same DN with overlapping validity
>>periods".
>
>
>Hi Jochen,
>Thank you so much for your reply.
>I have two questions:
>
>1- How do you give keys to a large number of clients? Suppose there are
>1000 employees in a company, do all employees have to go to the IT
>department of that company to get the client keys?

>If they need to "go" depends on your location geometry
>But every single client allowed access through VPN must have his/her own cert
>etc with unique CommonName, otherwise there is no way you can selectively
>allow/disallow connection!

>2- Is it possible to send a new key to clients automatically when client
>key is revoked?
>
>Why would you? If you revoke a client then he is not supposed to connect so why
>then send a new key?

>There are problems with blocking client access via revocation:
>1) You have to revoke the client's cert, which is a bit of a hassle.
>2) You have to have a working update system on the server, which refreshes the
>revocation list regularly (like at least weekly) even if there has been no
>change to the list of revoked certs.

>I tried to use revocation on our company VPN when a few employees left and it
>seemed to work fine until a week later when it did not work anymore!
>At that point the VPN stopped working for *everyone*, no one was allowed in at
>all!!!
>Luckily I had a second VPN server to be used when maintenance was needed on the
>main server so I could go in and disable the revocation checking system and
>then the legit people could again connect.

>To lock out the users no longer allowed access I instead used the ccd system by
>adding this to the top of each such user's connect script in the ccd dir(s):
>#2023-02-25: This client is blocked from connecting
>disable

>This solves the problem and is persistent, but it requires the system to have
>individual certs for each user (but who would not?).
>To re-allow the client to connect is now as simple as removing the disable
>command from the ccd file for the client.

>This of course assumes you are not cheating the system by giving out *copies* of
>a single ovpn file thus with the same Common Name for everyone.

>--
>Bo Berglund
>Developer in Sweden

Hi,
Thank you so much for your reply.
1- Suppose you want to revoke the previous key for any reason. When the client certificate is revoked or expired, is it possible to send a new key to clients automatically?
2- When a key is generated, how many days is the default time for it to expire?
3- Are the following commands correct to expire the client key after 110 days?

# export EASYRSA_CERT_EXPIRE=110
# ./easyrsa gen-req My_Client nopass
# ./easyrsa sign-req client My_Client
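Bo's lockout story above is the classic CRL failure mode: a CRL carries a nextUpdate date, and once that date passes a server running "crl-verify" rejects every client, not just the revoked ones, so the CRL has to be regenerated on a schedule even when nothing was revoked. The same date arithmetic answers the EASYRSA_CERT_EXPIRE question for a freshly signed client certificate. The script below is an added example, not from the thread or from Easy-RSA: it parses the one-line output of "openssl x509 -noout -enddate" and "openssl crl -noout -nextupdate" and classifies the result. The sample date lines are constructed to match that output format; the 7-day renewal margin and the CRL path are assumptions.

```python
"""Check certificate expiry and CRL freshness from openssl's date output.

Added example, not from the mailing list or Easy-RSA. Intended for a cron
job on the VPN server: an expired CRL under crl-verify locks out *all*
clients, so renew it before nextUpdate passes. Paths and the margin are
assumptions; the date strings in the tests are constructed.
"""
from datetime import datetime, timedelta, timezone
import subprocess

MARGIN_DAYS = 7                                   # assumption


def parse_openssl_date(line):
    """'notAfter=Dec 15 07:49:00 2023 GMT' -> timezone-aware UTC datetime.

    Handles the double space openssl prints for single-digit days.
    """
    _, _, value = line.strip().partition("=")
    if not value.endswith(" GMT"):
        raise ValueError(f"unexpected openssl date line: {line!r}")
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def utc(iso):
    """'2023-08-26 12:00:00' -> aware UTC datetime (for tests and log lines)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def days_left(line, now):
    """Whole days from `now` until the date on an openssl date line (negative if past)."""
    return (parse_openssl_date(line) - now) // timedelta(days=1)


def crl_status(nextupdate_line, now, margin_days=MARGIN_DAYS):
    """'expired' (everyone locked out), 'renew' (inside the margin) or 'ok'."""
    left = days_left(nextupdate_line, now)
    if left < 0:
        return "expired"
    if left < margin_days:
        return "renew"
    return "ok"


def cert_status(enddate_line, now, margin_days=MARGIN_DAYS):
    """Same classification for a client certificate's notAfter."""
    return crl_status(enddate_line, now, margin_days)


def read_date(kind, path):
    """Ask openssl for the date line; kind is 'x509' (notAfter) or 'crl' (nextUpdate)."""
    flag = {"x509": "-enddate", "crl": "-nextupdate"}[kind]
    return subprocess.run(
        ["openssl", kind, "-noout", flag, "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout.strip()


if __name__ == "__main__":
    import sys
    now = datetime.now(timezone.utc)
    crl = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/server/crl.pem"
    line = read_date("crl", crl)
    print(f"{crl}: {line} -> {crl_status(line, now)} ({days_left(line, now)} days left)")
    for cert in sys.argv[2:]:
        line = read_date("x509", cert)
        print(f"{cert}: {line} -> {cert_status(line, now)}")
```

Run it from cron as "check_crl.py /etc/openvpn/server/crl.pem" and alert on anything but "ok"; Easy-RSA's "gen-crl" (with EASYRSA_CRL_DAYS controlling the CRL lifetime) is the usual way to regenerate the file the script is watching. The "disable" line in a ccd file that Bo describes is orthogonal to this: it rejects one named client after its TLS handshake succeeds and never expires, but it only works if every client has its own CN.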
Re: [Openvpn-users] Revoke a certificate and reuse it
On 25.08.23 21:41, Jason Long via Openvpn-users wrote:
> Hello,With the help of the following command, you can revoke a certificate:
> # ./revoke-full "Client_Name"
> Now if you change your mind, is it possible to use that certificate again?
> Is there a command to validate a revoked certificate?

>Semantically, no, there is no such thing as "unrevoking" a certificate.

>Technically, you can get a cert back out of a CRL or other listing, and
>hope that the world will forget it was ever listed there, or never
>noticed that in the first place, but it'd probably be less work to just
>have the CA issue a *new* cert instead.

>*Revoked* certs do *not* count against the guideline of "there shouldn't
>be two certs by the same CA for the same DN with overlapping validity
>periods".

>Kind regards,
>--
>Jochen Bern
>Systemingenieur
>Binect GmbH

Hi Jochen,
Thank you so much for your reply.
I have two questions:

1- How do you give keys to a large number of clients? Suppose there are 1000 employees in a company, do all employees have to go to the IT department of that company to get the client keys?

2- Is it possible to send a new key to clients automatically when the client key is revoked?
[Openvpn-users] Revoke a certificate and reuse it
Hello,
With the help of the following command, you can revoke a certificate:

# ./revoke-full "Client_Name"

Now if you change your mind, is it possible to use that certificate again? Is there a command to validate a revoked certificate?
Thank you.
Re: [Openvpn-users] ccd-exclusive does not work
>Hi,

>On Wed, Aug 23, 2023 at 06:41:35AM +0000, Jason Long via Openvpn-users wrote:
> Hello,
> My server and client use range 10.0.2.X:
>
> Server: 10.0.2.15
> Client: 10.0.2.16

>If this is the "outside" IP (LAN NIC) that client and server use to
>setup a VPN session...

> client-config-dir ccd
> ccd-exclusive
> route 10.0.2.0 255.255.255.0
>
> And add the following line to the "/etc/openvpn/ccd/client" file:
>
> iroute 10.0.2.0 255.255.255.0

>... it MUST NOT go into the VPN config, because route/iroute are *inside*
>things.

>"route/iroute" statements in the Openvpn config and the CCD files are
>used to route specific IP addresses / subnets *inside* the VPN to the
>other side. This could be something like 192.168.100.0 255.255.255.0,
>but not "what you use on the outside NICs".

>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hello,
As I understand, if the file name is not equal to the CN name in the client.crt file, then the client can't connect to the OpenVPN server.
Excuse me, is the ccd-exclusive statement the best way to filter the clients? For example, I only want to allow clients to connect to the server whose CN name is Trusted.
Re: [Openvpn-users] ccd-exclusive does not work
>On Tue, 22 Aug 2023 08:20:24 + (UTC), Jason Long via Openvpn-users > wrote: >Yes. The file under the CCD directory is exactly as the Common Name of the >client. >So if you have set a requirement for the client to have a ccd entry in order to >connect and this client has exactly that, of course it will be able to connect! >What is the problem? >Yes. Why can the client connect to my OpenVPN server when the IP range is not >correct? >Which IP range? >Client *connect* is not depending on any specific "IP range". >If the client has a valid server IP address in its ovpn files for where the >server is listening for connection *and* the client can reach this IP then the >server will get the connection information and check the validity. Basically >starting the connection process. >For example if you require the clients to have ccd entries then if it has a >file >there and all other checks are also positive to validate the client it will be >connected. >However, what it can do after it has connected depends on all your *other* >config items which you fail to show... >And based on all your other posts here you are trying to misuse the OpenVPN >server in ways that are non-standard to say the least... >Regarding the ccd operations I have 3 classes of VPN clients connecting using >*different* *ports* on the server's single IP address. So my server hardware >has >a single NIC linked to from the Internet via port forwarding on the gateway >router. >And the OpenVPN server runs several service instances on the different ports. >Each port is served by a *different* openvpn server instance defined by its own >conf file under /etc/openvpn/server/. >These servers use *different* ccd directories like /etc/openvpn/ccd_server1, >/etc/openvpn/ccd_server2 and /etc/openvpn/ccd_server3 (obviously my names are >not exactly these, but different from each other. 
>AND in each server instance conf file the ccd dir is defined by a line with >*the >full path* to the dir to use, all different and *unique* to that server >instance. Your example shows a single dir name without any path information, >which is bad programming IMV. >My 3 different classes of clients are: >- Full access clients routed to *both* the internal server side LAN and the >Internet. These act like they were located on the office LAN. >- Local access clients only routed on to the LAN but not back out to the >Internet. They use their own Internet gateway for all other access. >Used by people needing access to company resources on the LAN but which do not >need to go extra steps for Internet access. >- Web access clients are only routed back out to the Internet and cannot access >the LAN. This is how the commercial VPN services work to circumvent >geoblocking. >I use this for a few people that need to be located inside our country for some >web access and we do not want to use any insecure commercial service for that. >-- >Bo Berglund >Developer in Sweden Hello, My server and client use range 10.0.2.X: Server: 10.0.2.15 Client: 10.0.2.16 I created a "ccd" directory under the "/etc/openvpn" directory, and inside this directory I created a file with the CN's name of the client (client). In order for the client to connect to the server, I must write the below lines to the server.conf: client-config-dir ccd ccd-exclusive route 10.0.2.0 255.255.255.0 And add the following line to the "/etc/openvpn/ccd/client" file: iroute 10.0.2.0 255.255.255.0 But, if I change the 10.0.2.0 to any IP address, then my client can connect to the OpenVPN server. Is this Normal? I think what is important is the file name under the /etc/openvpn/ccd" directory. Am I right? 
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
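Bo's point can be checked mechanically. The following is an added example, my own code rather than anything from this thread or from OpenVPN itself, that models the two separate decisions involved: whether a connecting client with a given certificate CN passes the ccd-exclusive gate (a file named exactly like the CN must exist under client-config-dir), and what the iroute lines in that file can do afterwards, which per the OpenVPN manual is nothing unless the server also carries a covering route. The server.conf text and the ccd directory (a dict standing in for /etc/openvpn/ccd) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerConf:
    """The few server.conf directives this check cares about."""
    ccd_dir: str = ""
    ccd_exclusive: bool = False
    routes: list = field(default_factory=list)   # IPv4Network objects


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    # OpenVPN writes "network netmask" pairs; strict=False tolerates host bits
    # such as the "route 10.0.2.2 255.255.255.0" seen earlier in the thread.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_server_conf(text: str) -> ServerConf:
    conf = ServerConf()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments and blanks
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "client-config-dir" and args:
            conf.ccd_dir = args[0]
        elif key == "ccd-exclusive":
            conf.ccd_exclusive = True
        elif key == "route" and len(args) >= 2:
            conf.routes.append(_network(args[0], args[1]))
    return conf


def parse_iroutes(ccd_text: str) -> list:
    """'iroute network [netmask]' lines of one per-client file."""
    nets = []
    for raw in ccd_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "iroute":
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            nets.append(_network(parts[1], mask))
    return nets


def evaluate_client(conf: ServerConf, ccd_files: dict, common_name: str) -> dict:
    """Simulate the connect-time gate and the post-connect routing effect.

    ccd_files maps file names inside client-config-dir to their contents; the
    lookup key is the certificate Common Name, which is all ccd-exclusive tests.
    """
    verdict = {"accepted": True, "reason": "", "iroutes": [], "warnings": []}
    ccd_text = ccd_files.get(common_name)
    if conf.ccd_exclusive and ccd_text is None:
        verdict["accepted"] = False
        verdict["reason"] = (f"ccd-exclusive is set and no file named "
                             f"'{common_name}' exists in '{conf.ccd_dir}'")
        return verdict
    if ccd_text is None:
        return verdict                             # nothing per-client to apply
    for net in parse_iroutes(ccd_text):
        verdict["iroutes"].append(str(net))
        # iroute only tells OpenVPN which client owns the subnet; the kernel
        # still needs a covering 'route' to hand those packets to the tun device.
        if not any(net.subnet_of(r) for r in conf.routes):
            verdict["warnings"].append(
                f"iroute {net} is not covered by any server 'route' directive")
    return verdict


# Constructed inputs mirroring the thread's setup (not real files).
SERVER_CONF = """\
client-config-dir ccd
ccd-exclusive
route 10.0.2.0 255.255.255.0
"""
CCD_DIR = {"client": "iroute 10.0.2.0 255.255.255.0\n"}

if __name__ == "__main__":
    conf = parse_server_conf(SERVER_CONF)
    for cn in ("client", "someone-else"):
        print(cn, "->", evaluate_client(conf, CCD_DIR, cn))
    # Same CN, iroute pointed at an unrelated range: still accepted, but warned.
    changed = {"client": "iroute 192.168.1.0 255.255.255.0\n"}
    print("client (changed iroute) ->", evaluate_client(conf, changed, "client"))
```

The third case is exactly the experiment in the thread: the client is accepted because the file name matches, and only the routing warning changes.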
Re: [Openvpn-users] A question that has the potential to become a useful article
On Tue, Aug 22, 2023 at 4:54 PM, Gert Doering wrote:
>Hi,
>
>On Tue, Aug 22, 2023 at 07:56:44AM +, Jason Long wrote:
>> Thank you so much again.
>> 1- When I use "local" then I must not use "multihome" and vice versa?
>
>When you use local, the IP address that OpenVPN will use is fixed, so
>no need for "multihome".
>
>> 2- The multihome statement does not need a parameter? I just need to put it
>> inside of the server.conf file?
>
>A quick view into the OpenVPN man page would answer this...
>
>So, yes, no parameters, into the server config.
>
>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hi Gert,
Thanks again. What is your opinion about the following options?

Method 1:
In server.conf:
local 1.2.3.X
In client.conf:
remote 1.2.3.X port

Method 2:
In server.conf:
multihome
In client.conf:
remote 1.2.3.X port

Have I understood correctly? When I use the "local" statement with an IP address in the server.conf file, then I should write the IP address that I have used along with the "local" statement in the client.conf file. When I use the "multihome" statement in the server.conf file, then I can use any IP address set on the server NIC in the client.conf file.
Re: [Openvpn-users] A question that has the potential to become a useful article
>Hi,
>
>On 22/08/2023 09:56, Jason Long via Openvpn-users wrote:
>> 1- When I use "local" then I must not use "multihome" and vice versa?
>
>No. You can have 'multihome' along with 'local', but in this case
>'multihome' will do nothing.
>If you don't have 'local', using 'multihome' or not depends on your setup.
>
>> 2- The multihome statement does not need a parameter? I just need to put it
>> inside of the server.conf file?
>
>Correct. No parameter required and it is just added to the server config.
>
>Regards,
>--
>Antonio Quartulli

Hello,
Suppose my server has two IPs:

IP 1: 1.2.3.4
IP 2: 1.2.3.5

Method 1:
In server.conf:
local 1.2.3.X
In client.conf:
remote 1.2.3.X port

Method 2:
In server.conf:
multihome
In client.conf:
remote 1.2.3.X port

Am I right?
Re: [Openvpn-users] ccd-exclusive does not work
>On Mon, 21 Aug 2023 06:12:45 + (UTC), Jason Long via Openvpn-users wrote:
>>Hello,
>>My server and client IP addresses are in range 10.0.2.X.
>>I created a CCD directory and created a file inside the folder. I wrote the
>>below lines in this file:
>>
>>iroute 10.0.2.0 255.255.255.0
>>
>>Then, I opened the server.conf file and wrote these lines in it:
>>
>>client-config-dir CCD
>>ccd-exclusive
>>route 10.0.2.2 255.255.255.0
>
>Two requirements given the above statement:
>There must exist on your server the following dir: /etc/openvpn/CCD
>Do you have a file in that dir named exactly as the CommonName of the client you
>want to connect with?
>
>>I restarted the OpenVPN service and the client connected to my OpenVPN server.
>
>So what is the complaint this time? It works does it not?
>
>>I changed the "iroute" and "route" IP addresses to something like
>>"192.168.1.0", but why can the client connect to my OpenVPN server?
>
>And why do you write "something like" when you ask for help?
>You have to supply the *exact* text in the conf file for anyone to be able to
>check why something happens or not...
>Are you asking why the client can connect or why it cannot connect?
>Your statement is ambiguous
>Is it a question or a statement of fact?
>
>--
>Bo Berglund
>Developer in Sweden

Hello,
Thanks again.
Yes. The file under the CCD directory is exactly as the Common Name of the client.
Yes. Why can the client connect to my OpenVPN server when the IP range is not correct?
Re: [Openvpn-users] A question that has the potential to become a useful article
>Hi,
>
>On Mon, Aug 21, 2023 at 06:40:04AM +, Jason Long wrote:
>> You said "This is not what I would have - I'd have a public IP address on the
>> NIC, or 2, or 3.", does that mean you assign a separate network card for each
>> IP address? If yes, then if your server is physical, the number of your
>> network cards is limited.
>
>One public IP address, or 2 public IP addresses, or 3 public IP addresses.
>I wouldn't use any NAT constructs, because that just adds complications.
>
>> When I use "multihome" statement, then OpenVPN listen to the all IP addresses
>> that set on my server. For example, if my server has three IP addresses, then
>> I can use them in the client configuration file. Am I right? If yes, then in
>> this situation my firewall rules associates NICs to OpenVPN IP ranges.
>
>OpenVPN always listens on all IP addresses, unless told with --local to
>listen just on one address.
>
>--multihome ensures that, for UDP VPN, OpenVPN replies with the correct
>source address to match the incoming packet from the client.
>
>> When you create a virtual NIC in the FreeBSD, then can you ping a target by
>> its name via that virtual NIC?
>
>"name" is a DNS thing. So yes, when I put the IP addresses into DNS, I
>can use names to address them.
>
>Whether or not an IP address is pingable depends on correct routing on
>all components on the (intended) packet path, and on firewall rules. This
>has nothing to do with names, or virtual/real NICs.
>
>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hello,
Thank you so much again.

1- When I use "local" then I must not use "multihome" and vice versa?
2- The multihome statement does not need a parameter? I just need to put it inside of the server.conf file?
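Gert's remark about the reply's source address can be reproduced with plain UDP sockets. The following is an added demonstration (my own code, not OpenVPN's and not from this thread) for Linux: a server socket bound to 0.0.0.0 is reached through the loopback alias 127.0.0.2, and left to itself the kernel answers from 127.0.0.1, which is the mismatch that makes a UDP client ignore the reply; the second variant uses IP_PKTINFO, the socket option --multihome relies on, to learn which address the datagram arrived on and to send the reply from that same address. The alias 127.0.0.2 and the ephemeral port are assumptions made for the demo.

```python
import socket
import struct

# struct in_pktinfo from <linux/in.h>: ipi_ifindex, ipi_spec_dst, ipi_addr
IN_PKTINFO = "=I4s4s"
IN_PKTINFO_LEN = struct.calcsize(IN_PKTINFO)
# Python exposes the option on Linux; 8 is its value in <linux/in.h>.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)


def reply_naive(srv: socket.socket) -> None:
    """Echo one datagram; the kernel picks the reply's source address by route."""
    data, client = srv.recvfrom(2048)
    srv.sendto(data, client)


def reply_multihome(srv: socket.socket) -> None:
    """Echo one datagram from exactly the address the client sent it to."""
    data, ancdata, _flags, client = srv.recvmsg(
        2048, socket.CMSG_SPACE(IN_PKTINFO_LEN))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # ipi_addr is the destination address of the received packet
            _ifindex, _spec_dst, dst = struct.unpack(
                IN_PKTINFO, cdata[:IN_PKTINFO_LEN])
    if dst is None:
        raise RuntimeError("no IP_PKTINFO attached; set the option before recv")
    # On send, ipi_spec_dst is the source address the kernel must use.
    pktinfo = struct.pack(IN_PKTINFO, 0, dst, b"\0" * 4)
    srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)


def exchange(multihome: bool, server_alias: str = "127.0.0.2") -> tuple:
    """One request/reply round trip: (address sent to, address reply came from)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind(("0.0.0.0", 0))          # all addresses, like a server without --local
        srv.settimeout(2.0)
        cli.settimeout(2.0)
        if multihome:
            srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        port = srv.getsockname()[1]
        cli.sendto(b"hello", (server_alias, port))
        (reply_multihome if multihome else reply_naive)(srv)
        _data, (reply_src, _port) = cli.recvfrom(2048)
        return server_alias, reply_src
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    for flag in (False, True):
        sent_to, came_from = exchange(flag)
        print(f"multihome={flag}: sent to {sent_to}, reply came from {came_from}")
```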
Re: [Openvpn-users] A question that has the potential to become a useful article
>Hi,
>
>On Sun, Aug 20, 2023 at 01:14:55PM +, Jason Long via Openvpn-users wrote:
>> I googled my question, but unfortunately, I could not find a correct and
>> complete article about it and I'm thankful if the experts here write the
>> answer step by step and in summary.
>>
>> Suppose you have an OpenVPN server. Now, you want to set two public IP
>> addresses on it. Your public IP addresses are:
>>
>> 1.2.3.4
>> 1.2.3.5
>>
>> Your OpenVPN server has one NIC as below:
>>
>> # ifconfig
>> enp0s3: flags=4163  mtu 1500
>>         inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
>
>This is not what I would have - I'd have a public IP address on the NIC,
>or 2, or 3.
>
>> Can you show how to prepare your OpenVPN server step by step? For example,
>> You must first create a virtual network card and assign the IP addresses to
>> it then???
>
>How you do that is half "dependent on your service provider" and the
>other half "dependent on the Linux distribution you use".
>
>So with my service provider, and using FreeBSD, I would put
>
>ifconfig_en0="1.2.3.4/29"
>ifconfig_en0_alias0="1.2.3.5/29"
>
>into /etc/rc.config and reboot. How to do that with your ISP and your
>Linux variant, your ISP and google will tell you.
>
>> The goal of this project is that you want different users to connect to
>> different IP addresses.
>
>Not sure why you'd want that, but in that case, you can either run
>one OpenVPN process per IP address (using --local 1.2.3.4 etc.) or
>run one OpenVPN process for all of them (using --multihome) and
>differentiate by client cert, username, etc.
>
>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,
Thank you so much for your reply.

You said "This is not what I would have - I'd have a public IP address on the NIC, or 2, or 3.", does that mean you assign a separate network card for each IP address? If yes, then if your server is physical, the number of your network cards is limited.

When I use the "multihome" statement, then OpenVPN listens on all the IP addresses that are set on my server. For example, if my server has three IP addresses, then I can use them in the client configuration file. Am I right? If yes, then in this situation my firewall rules associate NICs to OpenVPN IP ranges.

When you create a virtual NIC in FreeBSD, then can you ping a target by its name via that virtual NIC?
[Openvpn-users] ccd-exclusive does not work
Hello,
My server and client IP addresses are in range 10.0.2.X.
I created a CCD directory and created a file inside the folder. I wrote the below lines in this file:

iroute 10.0.2.0 255.255.255.0

Then, I opened the server.conf file and wrote these lines in it:

client-config-dir CCD
ccd-exclusive
route 10.0.2.2 255.255.255.0

I restarted the OpenVPN service and the client connected to my OpenVPN server.
I changed the "iroute" and "route" IP addresses to something like "192.168.1.0", but why can the client still connect to my OpenVPN server?

Thank you.
[Openvpn-users] A question that has the potential to become a useful article
Hello,
I googled my question, but unfortunately, I could not find a correct and complete article about it and I'm thankful if the experts here write the answer step by step and in summary.

Suppose you have an OpenVPN server. Now, you want to set two public IP addresses on it. Your public IP addresses are:

1.2.3.4
1.2.3.5

Your OpenVPN server has one NIC as below:

# ifconfig
enp0s3: flags=4163  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 14915  bytes 2455731 (2.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11701  bytes 1581492 (1.5 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 336 (336.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 336 (336.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Can you show how to prepare your OpenVPN server step by step? For example, you must first create a virtual network card and assign the IP addresses to it, then…

The goal of this project is that you want different users to connect to different IP addresses.

I'm sure this thread is very useful for many users.

Thank you.
Re: [Openvpn-users] Unable to redirect IPv4 default gateway -- Cannot read current default gateway from system
>Hi,
>
>On Sun, Aug 20, 2023 at 09:49:25AM +, Jason Long wrote:
>> >On Sat, Aug 19, 2023 at 02:18:37PM +, Jason Long via Openvpn-users wrote:
>> > > Sat Aug 19 18:23:53 2023 NOTE: unable to redirect IPv4 default gateway --
>> > > Cannot read current default gateway from system
>> >
>> >If client and server are in the same network, and the client has no default
>> >route, the normal algorithm for "redirect-gateway" does not work.
>> >
>> >Try "redirect-gateway def1 autolocal" or "redirect-gateway def1 local"
>> >in the client config.
>>
>> It didn't matter and I got the error.
>> when I removed the local statement, then my client can connect to my server.
>
>You are mixing stuff again. The log file above shows a successful connect
>where the client can not setup a default-route due to the way client and
>server are in the same network. To work around that, the "redirect-gateway"
>line (either in the client config or pushed) MUST have the "local" or
>"autolocal" flag.
>
>This is not the same as "local" in the server config, it's an extra
>additional argument to the "redirect-gateway" option.
>
>> Excuse me, how you configure an OpenVPN server with multiple IP addresses?
>
>First of all, I try to figure out what my *goal* is.
>
>Then I decide "do I want the server to listen on *one* IP address?"
> -> if yes, use "local i.p.a.ddr".
> -> if no, and UDP is used, then you should use "multihome"
>    (it might work without, but "when will it work and when not" requires
>    a deeper understanding of socket behaviour and UDP source address
>    selection)
>
>Then, I try to understand how packets from the client to the server
>can arrive (routing!!!), and go testing.
>
>THEN, when I have this all working AND have understood what I did and why,
>I start with --client-connect & friends, and iptables. After each step,
>re-test, and if it does not work, find out why - without changing the
>basic setup again.
>
>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hello,
I set a default gateway for my client and that error is solved.

My question is: suppose you want to set multiple public IP addresses on the OpenVPN server. How do you do it?
Re: [Openvpn-users] Unable to redirect IPv4 default gateway -- Cannot read current default gateway from system
>Hi,
>
>I don't know what mail client you are using, but the signature of the
>author of the email you are replying to should be removed before writing
>any text.
>
>This said, check my reply below.
>
>On 20/08/2023 11:49, Jason Long via Openvpn-users wrote:
>> Hi,
>> It didn't matter and I got the error.
>> when I removed the local statement, then my client can connect to my server.
>>
>> Excuse me, how you configure an OpenVPN server with multiple IP addresses?
>
>OpenVPN does not care about IPs, because this is all OS specific.
>If the server has one IP only or more does not truly make any difference.
>
>You don't need the "local" directive in your config, unless you know you
>need it:
>1) If you are running only one server on that specific port, then you
>don't need it.
>2) If you want clients to reach the server from any available IP, then
>you don't need it.
>
>However, if you have multiple IPs, you most likely need 'multihome'.

Hello,
The local statement is used when I have multiple OpenVPN servers on one port.

About the multihome statement, I just need to add it to my server.conf? If yes, then how does OpenVPN use the other IP addresses that have been set on the server NIC?
Re: [Openvpn-users] Unable to redirect IPv4 default gateway -- Cannot read current default gateway from system
>Hi,
>
>On Sat, Aug 19, 2023 at 02:18:37PM +, Jason Long via Openvpn-users wrote:
>> Sat Aug 19 18:23:53 2023 NOTE: unable to redirect IPv4 default gateway --
>> Cannot read current default gateway from system
>
>If client and server are in the same network, and the client has no default
>route, the normal algorithm for "redirect-gateway" does not work.
>
>Try "redirect-gateway def1 autolocal" or "redirect-gateway def1 local"
>in the client config.
>
>(Note: this is a special case which is not normally required, for "clients
>connected to the Internet")
>
>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,
It didn't matter and I got the error.
When I removed the local statement, then my client can connect to my server.

Excuse me, how do you configure an OpenVPN server with multiple IP addresses?
Re: [Openvpn-users] A question about the local statement
>Hi,
>
>On Mon, Aug 14, 2023 at 09:19:44PM +0000, Jason Long via Openvpn-users wrote:
>> Hi Bruno,
>> Thank you so much for your reply.
>> Both (Server and Client) can ping each other and without the local statement
>> my client can connect to the OpenVPN server.
>> My client connecting to the server via an internal network:
>> Server: 192.168.1.20
>> Client: 192.168.1.21
>
>Can you ping the address that you have specified in "local"?
>
>Pinging the 192.168.1.20-Address is not relevant if that is not the
>address you try to reach for OpenVPN.
>
>If you can, but OpenVPN still fails to connect, this smells like firewall.
>
>If it does not ping, fix your routing.
>
>gert
>--
>"If was one thing all people took for granted, was conviction that if you
>feed honest figures into a computer, honest figures come out. Never doubted
>it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>Gert Doering - Munich, Germany g...@greenie.muc.de

Hi Gert,
How are you?
I changed my architecture.

My OpenVPN server has only one physical NIC:

enp0s3: 10.0.2.15

I created a virtual NIC as below:

enp0s3:1: 10.0.5.20

My OpenVPN server network settings are:

enp0s3: flags=4163  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 9915  bytes 1829851 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7792  bytes 1132320 (1.0 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

enp0s3:10: flags=4163  mtu 1500
        inet 10.0.5.20  netmask 255.255.255.0  broadcast 10.0.5.255
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)

I added the following line to my server.conf:

local 10.0.5.20

After it, I used the following iptables rules:

IF_MAIN=enp0s3
IF_TUNNEL=tun30
YOUR_OPENVPN_SUBNET=20.1.0.0/16
iptables -I INPUT -p udp --dport 3000 -j ACCEPT
iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to 10.0.5.20

I started OpenVPN and it worked and created a virtual NIC:

tun30: flags=4305  mtu 1500
        inet 20.1.0.1  netmask 255.255.255.255  destination 20.1.0.2
        inet6 fe80::3b66:b0c6:fbf7:988b  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 480 (480.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Now, the client can't connect to my OpenVPN server:

Sun Aug 20 11:02:18 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)

Why?
[Openvpn-users] Unable to redirect IPv4 default gateway -- Cannot read current default gateway from system
Hello,
I changed my server configuration and my OpenVPN server and my client each have a NIC:

OpenVPN Server: 10.0.2.15
Client: 10.0.2.16

The OpenVPN server network configuration is as below and has access to the Internet:

# ifconfig
enp0s3: flags=4163  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 7353  bytes 1384926 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6012  bytes 993559 (970.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

#
# ping google.com
PING google.com (216.239.38.120) 56(84) bytes of data.
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=1 ttl=48 time=49.5 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=2 ttl=48 time=41.8 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=3 ttl=48 time=48.5 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2011ms
rtt min/avg/max/mdev = 41.776/46.577/49.490/3.420 ms

The client does not have access to the Internet. Both server and client see each other:

# ping 10.0.2.16
PING 10.0.2.16 (10.0.2.16) 56(84) bytes of data.
64 bytes from 10.0.2.16: icmp_seq=1 ttl=128 time=0.856 ms
64 bytes from 10.0.2.16: icmp_seq=2 ttl=128 time=0.827 ms
64 bytes from 10.0.2.16: icmp_seq=3 ttl=128 time=0.884 ms
^C
--- 10.0.2.16 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.827/0.855/0.884/0.023 ms
#

C:\>ping 10.0.2.15

Pinging 10.0.2.15 with 32 bytes of data:
Reply from 10.0.2.15: bytes=32 time<1ms TTL=64
Reply from 10.0.2.15: bytes=32 time<1ms TTL=64
Reply from 10.0.2.15: bytes=32 time<1ms TTL=64
Reply from 10.0.2.15: bytes=32 time<1ms TTL=64

Ping statistics for 10.0.2.15:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

The server.conf is as below:

port 3000
proto udp
dev tun30
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 20.1.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun

I started the OpenVPN server:

tun30: flags=4305  mtu 1500
        inet 20.1.0.1  netmask 255.255.255.255  destination 20.1.0.2
        inet6 fe80::8a00:a85f:217:6609  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 432 (432.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

It worked.

After it, I executed the following iptables rules:

# IF_MAIN=enp0s3
# IF_TUNNEL=tun30
# YOUR_OPENVPN_SUBNET=20.1.0.0/16
# iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
# iptables-save

My client.ovpn file is as below:

client
dev tun30
proto udp
remote 10.0.2.15 3000
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
data-ciphers AES-256-CBC
verb 3

I want to connect to my OpenVPN server. The client connected, but:

1- It showed me the following errors:

Sat Aug 19 18:23:53 2023 NOTE: unable to redirect IPv4 default gateway -- Cannot read current default gateway from system
Sat Aug 19 18:23:53 2023 MANAGEMENT: >STATE:1692453233,ADD_ROUTES,,
Sat Aug 19 18:23:53 2023 C:\Windows\system32\route.exe ADD 20.1.0.1 MASK 255.255.255.255 20.1.0.5
Sat Aug 19 18:23:53 2023 Route addition via service succeeded
Sat Aug 19 18:23:53 2023 Initialization Sequence Completed
Sat Aug 19 18:23:53 2023 MANAGEMENT: >STATE:1692453233,CONNECTED,ROUTE_ERROR,20.1.0.6,10.0.2.15,3000,,
Sat Aug 19 18:23:52 2023 ERROR: Some routes were not successfully added. The connection may not function correctly

2- The client does not have access to the Internet:

C:\>ping google.com
Ping request could not find host google.com. Please check the name and try again.
Re: [Openvpn-users] How to use ccd-exclusive statement?
>On 19.08.23 10:02, Bo Berglund wrote:
>> On Sat, 19 Aug 2023 07:03:01 + (UTC), Jason Long via Openvpn-users wrote:
>>> I have other questions:
>>> 1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now,
>>> I must change the "ccd" directory to "Server", but how about the file name
>>> under the "Server" directory?
>>
>> WHAT?
>>
>> The ccd directory is defined in the server.conf file and could be named whatever
>> you like. It has NOTHING whatever to do with the CommonName in any certificate
>> or such!
>
>To add to that, we're talking about the *CA* cert here (in spite of its
>CN reading "Server") and the CA isn't going to connect to the VPN
>server, so having a CCD¹ *whatever* to match its CN isn't going to do
>anything ever.
>
>¹ That *does* still stand for "(Per-)*Client* Configurations Directory",
>right? :-3
>
>>> 2- Suppose you want to configure a server. Can you show me the names you enter
>>> for the commands below?
>>>
>>> # ./easyrsa build-ca nopass
>>> ...
>>> Common Name (eg: your user, host, or server name) [Easy-RSA CA]: "Your_Name"
>
>Binect Exasperation CA - A
>
>(When rotating CA certs, we "increment" the trailing letter.)
>
>>> # ./easyrsa gen-req "Your_Name" nopass
>>> # ./easyrsa sign-req server "Your_Name"
>
>exavpn.binect.de
>
>>> # ./easyrsa gen-req "Your_Name" nopass
>>> # ./easyrsa sign-req client "Your_Name"
>
>These create a *client* cert, which is unnecessary to "configure a
>*server*", strictly speaking.
>
>Since you seem to plan to have a boatload of CCD files, which need to be
>named after the client certs' CN, I would probably revise my previous
>suggestion of "Jason Long's private cell phone" and go with something
>like "JasonLong_privCell" instead.
>
>Not that it should be much news to you how *I* would name CA, server,
>and client certs, respectively, if you had read my previous posts ...
>
>Kind regards,
>--
>Jochen Bern
>Systemingenieur
>Binect GmbH

Hi Jochen,
Excuse me, I'm confused.

I asked: "If CN's name is Server, then I must change the ccd directory to Server? Am I right?"

Answer: "If that's what the Subject CN of the cert you want to use as a client cert says, then yes, that's it. Of course, looking at a file "ca.crt" and seeing a CN "Server" for what is supposed to be the *client's* cert is botched twelve ways to Gehenna and back and will perpetually confuse anyone trying to debug your final setup..."

Please clarify this for me.

To use the --ccd-exclusive statement, I must create a directory under the /etc/openvpn directory:

1- Is the name of that directory important or not? Must its name be "CCD" or the CN's name, or could it be anything?

2- After the directory, I must create a file under it. How about the name of that file? Is the name of that file important or not?

3- For the "Common Name (eg: your user, host, or server name) [Easy-RSA CA]:" question, I can enter my name or anything, and the name that I entered could be used for the following commands, but that is not mandatory. Am I right?

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req server "Your_Name"

4- The names that I must enter for the following commands must be the same. Right?

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req server "Your_Name"
Re: [Openvpn-users] How to use ccd-exclusive statement?
>On 18.08.23 21:22, Jason Long wrote:
>> 1- In the round-robin mechanism, we can use the same keys for our
>> servers, but each client uses its own key.
>
>You *can* do that, yes.
>
>Since you apparently don't provide clients with a CRL or any other means
>to have server certs revoked, I guess it doesn't worsen your reaction
>time / options after a leaked server cert any *further*, anyway ...
>
>> 2- So, the name that I entered in the "Common Name (eg: your user,
>> host, or server name) [Easy-RSA CA]:" question, must be used in
>> the "./easyrsa gen-req NAME nopass" and "./easyrsa sign-req server
>> NAME" commands. Right?
>
>NO. Reread what I wrote about the (hint: different) roles the certs
>generated by these two sets of commands have.
>
>Kind regards,
>--
>Jochen Bern
>Systemingenieur
>Binect GmbH

Hello,
I have other questions:

1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now, I must change the "ccd" directory to "Server", but how about the file name under the "Server" directory?

2- Suppose you want to configure a server. Can you show me the names you enter for the commands below?

# ./easyrsa build-ca nopass
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: "Your_Name"

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req server "Your_Name"

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req client "Your_Name"
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Fri, Aug 18, 2023 at 7:51 PM, Jochen Bern wrote:
> On 18.08.23 16:31, Jason Long wrote:
>> 1- So, if we have multiple servers, then it is better that the servers
>> have the same key, but each client has its own key. Am I right?
> No.
> I said that *if* you want your clients to be able to replace one server
> with another dynamically, it may be a valid reason to have the *CN* in
> their server certs have *similarities* to each other (for
> "verify-x509-name ... name-prefix"), or be outright the same (other
> types of "verify-x509-name" checks).
> (Identical DNs/CNs technically still do not imply that the servers use
> the same keypair. And using the same keypair technically still does not
> imply that the servers use the same cert. Though we're going into the
> area of somewhat questionable setups there.)
>> 2- I can filter clients by MAC address
> No, you can't. If the VPN server can see the clients' MACs (*before* a
> VPN has been established *and* does *bridging*), there's no need to run
> a VPN between them in the first place.
>> 3- Can you introduce a tool to easily generate keys?
> You're already using EasyRSA, that's about as easy¹ as it gets. Not that
> the act of generating a keypair looks that much different between
> EasyRSA, plain OpenSSL, or more sophisticated PKI tools ...
> ¹ "Easy" as in "easy to understand and use manually". Automation and
> integration may yield something that's easier *to use and maintain
> long-term*, but since you're apparently unclear on what other systems
> you're going to integrate it *with* (see next question), we can't
> comment on that.
>> 4- You said "You need a PKI solution that doesn't just chuck new certs
>> onto a local disk, but can feed it into whatever mechanism you use
>> to keep the clients updated.", which mechanism?
> The mechanism that *you* are going to define (and, probably, build) that
> allows you to admin the clients you designed, and keeps the entire
> system from coming crashing down as soon as the first certificates'
> validity period ends.
> For example: a) Our staff is usually able to install a new client cert
> for their laptop's VPN connection to the company LAN themselves, so all
> we need *there* is an e-mailed reminder to IT that user XY will need a
> new cert in a couple weeks; but b) the firmware of the appliances we
> send to customers asks our servers "do I need to update something?"
> every morning, and if a VPN cert is running out, the servers i) verify
> that the customer's contract is still ongoing, ii) generate a new cert,
> and iii) inject it into a more general small-updates-offering mechanism
> that handles *all* config changes we hand to those appliances.
>> 5- When I use "./easyrsa build-ca nopass", then it asks me "Common Name
>> (eg: your user, host, or server name) [Easy-RSA CA]:", and as you said,
>> better not to use "server" as name. For example, I entered "Jason_Server"
> ... which should better read "Jason's CA" (yes, blanks are OK there), as
> it still hasn't anything to do with any servers ...
>> then I must use "Jason_Server" in the "./easyrsa gen-req Jason_Server
>> nopass" and "./easyrsa sign-req server Jason_Server" commands. Right?
> Now *those* commands actually *are* part of generating the *server*
> certificate, so having them say "server" makes sense, unlike in creating
> the CA cert above. (I would still prefer server certs to have an FQDN
> for a CN, though. Old habits die hard ...)
>> 6- Is this true for client too?
> Yes.
> (With the difference that VPN clients usually aren't expected to *have*
> a long-term-stable FQDN, so I would suggest naming the certs by user
> and/or device, like "Jason Long's private cell phone".)
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hi Jochen,
Thanks again.
1- In the round-robin mechanism, we can use the same keys for our servers, but each client uses its own key.
2- So, the name that I entered in the "Common Name (eg: your user, host, or server name) [Easy-RSA CA]:" question, must be used in the "./easyrsa gen-req NAME nopass" and "./easyrsa sign-req server NAME" commands. Right?
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Thu, Aug 17, 2023 at 5:32 PM, Jochen Bern wrote:
> On 17.08.23 14:12, Jason Long wrote:
>> It is even better if each server has its own separate keys.
> You didn't mention setting up multiple servers yet IIRC, but yes, same
> best practice there ... in principle.
> However, if you plan to instruct the clients to contact "*any* of
> servers you find available" (e.g., by Round Robin DNS), you need them
> all to pass the *exact same* server cert verification (like per
> "verify-x509-name ..."). That *might* justify having multiple servers
> use the same cert(s).
>> If the clients all use the same keys, then we can block any client
>> based on the IP address. Is it true?
> The design decisions you've made so far suggest that your VPN clients
> will connect to the server from elsewhere than the site hosting your
> server - maybe not just any random StarDonalds at Shady Mall, but are
> you sure that you really can reliably identify them by their (public)
> IP? Will you personally deliver them to customer sites and nail them to
> a load-bearing wall?
>> 1- Is there a tool to facilitate key generation for a large number
>> of clients?
> Yes, several. And I wouldn't have too much of a problem scripting such a
> run with nothing but bare OpenSSL, but.
> The point is that you need to bring those client cert+keys *onto the
> clients*, not just once, but every time the previous client cert
> approaches the end of its validity period. You need a PKI solution that
> doesn't just chuck new certs onto a local disk, but can feed it into
> whatever mechanism you use to keep the clients updated. And *then* one
> of these two systems needs to keep tabs on which clients *should* get a
> new cert (customers can terminate their contracts with you ...) and when.
>> 2- I've heard that OpenVPN can be configured to work with username and
>> password instead of key-based authentication. Is this possible and
>> recommended?
> I guess it's possible, but I don't run any such setup and thus can't
> comment on it.
>> 3- About the CN name, if I forget it, then if I open the "ca.crt" file
>> and click on the Details tab and check the Issuer section, then this
>> is the name that I have entered during generating the key?
> No. The name you enter during generation of keypair and cert goes to the
> cert's *Subject*, the Issuer is determined by the CA you use to sign the
> cert.
>> 4- If CN's name is Server, then I must change the ccd directory to
>> Server? Am I right?
> If that's what the Subject CN of the cert you want to use as a client
> cert says, then yes, that's it.
> Of course, looking at a file "ca.crt" and seeing a CN "Server" for what
> is supposed to be the *client's* cert is botched twelve ways to Gehenna
> and back and will perpetually confuse anyone trying to debug your final
> setup ...
>> In which part of the document is this said?
>> https://community.openvpn.net/openvpn/wiki/HOWTO
> "The client must have a unique Common Name in its certificate ("client2"
> in our example) [...] The next step is to create a file called client2
> in the ccd directory."
> https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheclientsidewhenusingaroutedVPNdevtun
> It doesn't explain how to look up the CN of a certificate from a file
> containing it, though, because it assumes that you made sure to have it
> created and installed in the correct location with the intended CN
> "client2" beforehand and don't *need* to check "now which cert did this
> client happen to end up with?".
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hello,
Thanks again. Your answers raised other questions for me:
1- So, if we have multiple servers, then it is better that the servers have the same key, but each client has its own key. Am I right?
2- I can filter clients by MAC address, but MAC spoofing is another problem!
3- Can you introduce a tool to easily generate keys?
4- You said "You need a PKI solution that doesn't just chuck new certs onto a local disk, but can feed it into whatever mechanism you use to keep the clients updated.", which mechanism?
5- When I use "./easyrsa build-ca nopass", then it asks me "Common Name (eg: your user, host, or server name) [Easy-RSA CA]:", and as you said, better not to use "server" as name. For example, I entered "Jason_Server", then I must use "Jason_Server" in the "./easyrsa gen-req Jason_Server nopass" and "./easyrsa sign-req server Jason_Server" commands. Right?
6- Is this true for client too? For example, "./easyrsa gen-req client_name nopass" and "./easyrsa sign-req client client_name".
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Thu, Aug 17, 2023 at 8:24 AM, Bo Berglund wrote:
> On Wed, 16 Aug 2023 21:28:29 +0000 (UTC), Jason Long via Openvpn-users wrote:
>> Hi Jochen,
>> Thank you for your advice about the How-to articles. Can you answer
>> my questions?
>> 1- What is the difference between /etc/openvpn and /etc/openvpn/server
>> directories?
>> I put my server.conf file in the /etc/openvpn directory and it worked.
> You are running an *old* version of OpenVPN! The service infrastructure has
> changed and OpenVPN now defaults to using two subdirectories (client and
> server) to /etc/openvpn to handle the two different uses of it.
> Please read up on how it works in the new docs.
>> 2- You said "./easyrsa sign-req client client", make those unique ideally per
>> device, not just per user. How to make it unique per user?
> You have to generate *separate* encryption files for each client where the CN
> entry is *unique*, otherwise the server can never differentiate between them
> and you cannot allow/block clients individually.
> Also you open for abuse of your server.
>> If I have 1000 clients, then I must generate 1000 key files???
> Exactly!
>> 3- For the CA certificate, I must use "Server" not "server". May I ask why?
> So you are not aware that Linux is case sensitive?
> "Server" is NOT equal to "server"...
> So what you use depends on what *exact* name you set the CN to when
> generating the files.
> --
> Bo Berglund
> Developer in Sweden

Hello,
Thank you so much. If I forget the CN name, then if I open the "ca.crt" file and click on the Details tab and check the Issuer section, then this is the name that I have entered during generating the key?
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Thu, Aug 17, 2023 at 1:52 AM, Jochen Bern wrote:
> On 16.08.23 23:28, Jason Long wrote:
>> 1- What is the difference between /etc/openvpn and /etc/openvpn/server
>> directories?
> The systemd "unit files" that define the templates for the services you
> "systemctl" later on used to expect all configs - whether for a server
> or a client instance - to be named /etc/openvpn/SomeInstanceName.conf ,
> i.e., configs for both modes would sit together. Later versions of
> systemd-enabled OpenVPN split that into /etc/openvpn/client and
> /etc/openvpn/server , respectively.
>> I put my server.conf file in the /etc/openvpn directory and it worked.
> Then I'd say that your Debian 12 still uses the old convention, as did
> the how-to's Debian 10. (Over here, RHEL, Fedora, and IIRC Ubuntu as
> well take the new directories instead.)
>> 2- You said [...] make those unique ideally per device, not just per
>> user. How to make it unique per user? If I have 1000 clients, then
>> I must generate 1000 key files???
> Yes. By default, if several clients use the same cert+key, they'll keep
> pushing each other out of the VPN. Also, if you need to shut clients out
> of the service, revoking a cert is how you do it - *all* clients using
> that one cert will have their VPN access disabled, so clients sharing
> certs likely isn't what you want even if you disable the former default
> behavior.
> Also note that with "server ..." specifying only a /24 for an address
> pool, and with Windows clients (so that you can't use "topology p2p"),
> your VPN server will actually be limited to 64 simultaneous clients,
> anyway. 1000 clients at once require at least a /20.
>> 3- For the CA certificate, I must use "Server" not "server". May I ask why?
> I never said that. If anything, the CN of your CA cert should mention
> "CA" somewhere, and *not* "server", no matter the capitalization.
>>> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
>>> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server
> This shows that your client presents a cert with CN "server" as its
> *client* cert (the procedure in the how-to should result in a client
> cert with CN "client"), which verifies OK against a CA cert with a CN of
> "Server" (the how-to suggests that it should be "server", as misguided
> as that seems). Hence, either your client uses the *wrong* cert, or you
> misnamed the certs as you created them (even more than that how-to
> instructs you to).
> Anyway, in order to create a CCD file for your client using the cert it
> uses *now*, the CCD file would need to be named "server".
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hello Jochen,
Thanks again. Your words are true and I had asked such a question before. It is even better if each server has its own separate keys. If the clients all use the same keys, then we can block any client based on the IP address. Is it true?
1- Is there a tool to facilitate key generation for a large number of clients?
2- I've heard that OpenVPN can be configured to work with username and password instead of key-based authentication. Is this possible and recommended?
3- About the CN name, if I forget it, then if I open the "ca.crt" file and click on the Details tab and check the Issuer section, then this is the name that I have entered during generating the key?
4- If CN's name is Server, then I must change the ccd directory to Server? Am I right? In which part of the document is this said? https://community.openvpn.net/openvpn/wiki/HOWTO Maybe I didn't pay attention!
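Jochen's remark above that a /24 pool holds only about 64 net30 clients and that 1000 clients need at least a /20, worked through as an added example (not code from the thread or from OpenVPN). The pool layout it assumes (net30: clients get /30 blocks starting at .4, the last /30 unused; subnet: single addresses from .2 to one below broadcast) is taken from the "IFCONFIG POOL IPv4: base=10.10.0.4 size=62" line in the server log quoted later in this thread and from the documented behaviour of the two topologies.

```python
"""Added example (not from the thread, not OpenVPN code): size of the IPv4
address pool that OpenVPN's `server <network> <netmask>` helper sets up.

Assumed pool layout, checked against the "IFCONFIG POOL IPv4: base=10.10.0.4
size=62" line in the server log quoted in this thread:
  net30:  each client gets a /30; the first /30 is the server endpoint
          (.1/.2) and the last /30 of the network is not used.
  subnet: the server takes the first host address (.1); clients get single
          addresses from .2 up to the address below the broadcast address.
"""
import ipaddress
from typing import Tuple


def pool_range(network: str, netmask: str, topology: str) -> Tuple[str, str, int]:
    """Return (first pool address, last pool address, client capacity)."""
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    first = int(net.network_address)
    last = int(net.broadcast_address)
    if topology == "net30":
        start, end = first + 4, last - 4        # skip the server's /30 and the last /30
        size = (end - start) // 4 + 1           # one /30 per client
    elif topology == "subnet":
        start, end = first + 2, last - 1        # .1 is the server, broadcast is excluded
        size = end - start + 1
    else:
        raise ValueError(f"unsupported topology {topology!r}")
    if size <= 0:
        return ("", "", 0)                      # network too small for even one client
    return (str(ipaddress.IPv4Address(start)), str(ipaddress.IPv4Address(end)), size)


def smallest_prefix_for(clients: int, topology: str) -> int:
    """Longest prefix (i.e. smallest network) whose pool still holds `clients`."""
    for prefix in range(30, 7, -1):            # try /30 first, widen until it fits
        netmask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
        if pool_range("10.0.0.0", netmask, topology)[2] >= clients:
            return prefix
    raise ValueError(f"{clients} clients do not fit even in a /8 with {topology}")


if __name__ == "__main__":
    # Jason's config: server 10.10.0.0 255.255.255.0 with the deprecated topology net30
    print(pool_range("10.10.0.0", "255.255.255.0", "net30"))   # ('10.10.0.4', '10.10.0.251', 62)
    print(pool_range("10.10.0.0", "255.255.255.0", "subnet"))  # ('10.10.0.2', '10.10.0.254', 253)
    print(smallest_prefix_for(1000, "net30"), smallest_prefix_for(1000, "subnet"))  # 20 22
```

Switching to `topology subnet` quadruples the capacity of the same /24, which is the other half of the warning in Jason's server log.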
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Wed, Aug 16, 2023 at 6:27 PM, Jochen Bern wrote:
> On 16.08.23 15:05, Jason Long wrote:
>> I used
>> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/"
>> tutorial to create my OpenVPN server.
> (No date on the article ... no date on the comments ... OpenVPN version not
> shown anywhere ... according to one systemctl output, probably written in
> September 2019, when Debian 10 and OpenSSL 1.1.1c were in fact current ...
> still using /etc/openvpn instead of /etc/openvpn/server and
> /etc/openvpn/client, respectively ... no mention of doing a
> "systemctl enable openvpn@ConfigFileBaseName" on the server ... no explicit
> description of what the VPN set up is supposed to *do* (apparently: secure
> Inet access for a road warrior, no other servers at the site hosting the
> VPN peer, no communication back to the clients) ... no discussion of how he
> came to pick 10.8.0.0/24 for the tunnel IPs, how (far) to check for IP
> conflicts, how many clients you can accommodate with that /24 ...)
> ... word of warning: Just because the how-to doesn't ask you to enter
> something at
>> Common Name (eg: your user, host, or server name) [client]:
> and later has you type in
>> ./easyrsa sign-req client client
> doesn't mean that you want all client certs to be named "client", or -
> even worse - use the same client cert for them all. Make those *unique*
> - ideally per device, not just per user.
> However, if you worked along *that* how-to, your CA certificate is
> indeed using the CN of "server" (not "Server", but that might be a
> liberty that MS took). Exactly the same as the server cert. X-C
>> Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
>> About the server log [...]
>> # cat /var/log/openvpn/virt1.log
>> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs
>> with IPv4 pools will be removed in a future release. Please migrate to
>> --topology subnet as soon as possible.
>> [...]
>> 2023-08-16 06:23:18 Initialization Sequence Completed
> That shows us the startup phase of the OpenVPN server. In order to check
> what the server thinks about the cert the client presents, you'll have
> to have the client make an attempt to connect, and then grab the logs
> from *those* couple seconds.
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hi Jochen,
Thank you for your advice about the How-to articles. Can you answer my questions?
1- What is the difference between /etc/openvpn and /etc/openvpn/server directories? I put my server.conf file in the /etc/openvpn directory and it worked.
2- You said "./easyrsa sign-req client client", make those unique ideally per device, not just per user. How to make it unique per user? If I have 1000 clients, then I must generate 1000 key files???
3- For the CA certificate, I must use "Server" not "server". May I ask why?
Finally, I guess the information that you want from the client side is:
Wed Aug 16 11:01:38 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Aug 16 11:01:38 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Wed Aug 16 11:01:38 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Wed Aug 16 11:01:38 2023 Windows version 6.1 (Windows 7), amd64 executable
Wed Aug 16 11:01:38 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Wed Aug 16 11:01:38 2023 DCO version: v0
Wed Aug 16 11:01:38 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Wed Aug 16 11:01:38 2023 Need hold release from management interface, waiting...
Wed Aug 16 11:01:38 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1031
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'state on'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'log on all'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'echo on all'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'bytecount 5'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'state'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold off'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold release'
Wed Aug 16 11:01:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 16 11:01:39 2023 UDPv4 link local: (not bound)
Wed Aug 16 11:01:39 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,
Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, sid=2e7d21e3 db47853e
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY KU OK
Wed Aug 16 11:01:39 2023 Validating certificate extended key
Re: [Openvpn-users] How to use ccd-exclusive statement?
> On 16/08/2023 15:05, Jason Long via Openvpn-users wrote:
>> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
>>>> On Wed, Aug 16, 2023 at 06:35:01AM +0000, Jason Long wrote:
> [...snip...]
>> Hello,
>> I used
>> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/"
>> tutorial to create my OpenVPN server.
> *sigh* Never use a random blog post on "how to do XYZ" when the project
> itself has its own set of documentation. No matter which project it is.
> I've read enough of those random "OpenVPN how-tos" over the last 15+
> years and the vast majority of them are not up-to-date, trick you into
> using insecure settings, are overly complicated or simply lead you to
> misery.
> Doing networking isn't really suitable as a "click-this-type-that" type
> of how-to, because you *really* need to understand how these things
> work and impact your configuration and setup.
> This guides you through the most important steps and should be
> reasonably up-to-date (I spot a few things which could be improved, but
> shouldn't stop you from getting a functional tun based OpenVPN tunnel
> running). This documentation is provided by the official OpenVPN
> project and this project is responsible for keeping the documentation in
> reasonable shape.
> <https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN>
> Read this, read the man page entries for options used and try to
> understand it. Read the pointers to the related documentation in that
> wiki page. Try to understand all the information provided there. Then
> you can ask questions and get sensible replies back.
> If you need more documentation, buy your own copy of the OpenVPN
> Cookbook by Jan Just Keijser. He is a well-trusted OpenVPN community
> member and knows this stuff very well.
> <https://www.packtpub.com/product/openvpn-cookbook-second-edition/9781786463128>
>> Gert told me about the multihome statement and I added it.
> When Gert tells you to look at multihome, he has very good reasons for
> doing that (I know him too, he is also really trustworthy - in
> particular with networking and OpenVPN). But it ALSO means you should
> read the documentation for suggested options too.
> [...snip...]
>> # cat /var/log/openvpn/virt1.log
>> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with
>> IPv4 pools will be removed in a future release. Please migrate to --topology
>> subnet as soon as possible.
>> 2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
>> missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
>> OpenVPN ignores --cipher for cipher negotiations.
> Those two lines tell you something important. You should fix this.
> I'm not going to tell you how; read the documentation. It is fully
> explained in the man page.
> [...snip...]
>> 2023-08-16 06:23:18 Listening for incoming TCP connection on
>> [AF_INET][undef]:2000
>> 2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
>> 2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]
> I suspect this is from a server configuration (also an important detail
> to tell). And it tells you your VPN server is listening on TCP port 2000.
> [...snip...]
>> 2023-08-16 06:23:18 Initialization Sequence Completed
> This line means that the OpenVPN tunnel is up and running. So that means
> this tunnel instance is ready to see clients connecting to it.
> And finally. Learn yourself some mailing list netiquette. Inline
> replies and replies at the bottom are very fine. But keep the indenting
> marks (>) on the original text so it's easier to understand who is
> writing what and what you are responding to.
> A reasonably good summary of most common mailing list netiquette rules
> used in open source (and this is the official recommendation from an
> open source project; not a random blog post)
> <https://wiki.openstack.org/wiki/MailingListEtiquette>

Hello,
Thanks again.
I can solve those two lines by changing the --data-ciphers algorithm. Please tell me what the main problem is. If the problem is that my OpenVPN server has an Internal NIC and a NAT NIC, then I'm sure such a scenario exists in the real world. I added all the statements that Gert said, but the problem still exists.

> --
> kind regards,
> David Sommerseth
> OpenVPN Inc
Re: [Openvpn-users] How to use ccd-exclusive statement?
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
>>> On Wed, Aug 16, 2023 at 06:35:01AM +0000, Jason Long wrote:
>>>> route 192.168.1.0 255.255.255.0
>>>
>>> This tells the server "put routing towards 192.168.1.0 into the VPN" [...]
>> So, what is the right IP for the following statement?
>> route 192.168.1.0 255.255.255.0
> Unknown. Gert told you what this config statement does, I don't remember
> you ever mentioning that you plan to use such a feature, much less what
> subnet(s) you'd want to use for that.
>> I opened the ca.crt file on the client and clicked on the Details tab
>> and it showed me "CN = Server". So, I must change the "Test-PC" to
>> "Server". Am I right?
> ... maybe. I wouldn't be too surprised if your client-side OpenVPN config
> did indeed take a client cert named "Server" out of a file named "ca.crt" ...
> ... I would nonetheless recommend that you look at the server log (of
> suitable verbosity) for a line telling what cert/CN the client has
> actually sent, though.
> Kind regards

Hello,
I used "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/" tutorial to create my OpenVPN server.
Gert told me about the multihome statement and I added it.
About the server log, I used the following lines in the server.conf file:
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/virt1.log
log-append /var/log/openvpn/virt1.log
verb 3
And:
# cat /var/log/openvpn/virt1.log
2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-08-16 06:23:18 NOTICE: --explicit-exit-notify ignored for --proto tcp
2023-08-16 06:23:18 --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload
2023-08-16 06:23:18 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-08-16 06:23:18 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-08-16 06:23:18 DCO version: N/A
2023-08-16 06:23:18 net_route_v4_best_gw query: dst 0.0.0.0
2023-08-16 06:23:18 net_route_v4_best_gw result: via 10.0.2.2 dev enp0s3
2023-08-16 06:23:18 Diffie-Hellman initialized with 2048 bit key
2023-08-16 06:23:18 net_route_v4_best_gw query: dst 0.0.0.0
2023-08-16 06:23:18 net_route_v4_best_gw result: via 10.0.2.2 dev enp0s3
2023-08-16 06:23:18 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:ed:b4:7c
2023-08-16 06:23:18 TUN/TAP device tun20 opened
2023-08-16 06:23:18 net_iface_mtu_set: mtu 1500 for tun20
2023-08-16 06:23:18 net_iface_up: set tun20 up
2023-08-16 06:23:18 net_addr_ptp_v4_add: 10.10.0.1 peer 10.10.0.2 dev tun20
2023-08-16 06:23:18 net_route_v4_add: 192.168.1.0/24 via 10.10.0.2 dev [NULL] table 0 metric -1
2023-08-16 06:23:18 net_route_v4_add: 10.10.0.0/24 via 10.10.0.2 dev [NULL] table 0 metric -1
2023-08-16 06:23:18 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-08-16 06:23:18 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-08-16 06:23:18 Listening for incoming TCP connection on [AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]
2023-08-16 06:23:18 UID set to nobody
2023-08-16 06:23:18 GID set to nogroup
2023-08-16 06:23:18 Capabilities retained: CAP_NET_ADMIN
2023-08-16 06:23:18 MULTI: multi_init called, r=256 v=256
2023-08-16 06:23:18 IFCONFIG POOL IPv4: base=10.10.0.4 size=62
2023-08-16 06:23:18 MULTI: TCP INIT maxclients=1024 maxevents=1029
2023-08-16 06:23:18 Initialization Sequence Completed
I use Debian 12.

> --
> Jochen Bern
> Systemingenieur
> Binect GmbH
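Jochen's advice above is to read the server log, not ca.crt, to learn which CN a client actually sent. The following is an added example (not the thread's or OpenVPN's own code) that does exactly that and then checks whether a matching client-config-dir file exists. It assumes the verb-3 server log format "<date> <time> <client-ip>:<port> VERIFY OK: depth=N, <subject DN>" (depth=0 being the client's own cert, depth=1 the CA), and it assumes OpenVPN derives the ccd file name from the CN by replacing characters outside [A-Za-z0-9_.@-] with '_'; the sample log lines and ccd directory are constructed.

```python
"""Added example (not code from the thread or from OpenVPN): read the server
log to see which certificate CN each client actually presented and whether a
matching client-config-dir (ccd) file exists.

Assumptions: verb-3 server log lines look like
"<date> <time> <client-ip>:<port> VERIFY OK: depth=N, <subject DN>", where
depth=0 is the client's own cert and depth=1 the CA; and OpenVPN builds the
ccd file name from the CN by replacing every character outside
[A-Za-z0-9_.@-] with '_' (check the client-config-dir man page entry for
your version).  The sample log lines and the ccd directory are constructed.
"""
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

VERIFY_RE = re.compile(
    r"^\S+ \S+ (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) VERIFY OK: depth=(?P<depth>\d+), (?P<dn>.+)$"
)
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.@-]")


def cn_from_dn(dn: str) -> Optional[str]:
    """Pick the CN out of a DN printed as 'C=.., O=.., CN=..'."""
    for part in dn.split(", "):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value
    return None


def ccd_filename(cn: str) -> str:
    """File name OpenVPN looks for under client-config-dir (assumed rule)."""
    return UNSAFE_CHARS.sub("_", cn)


def presented_client_cns(log_lines: List[str]) -> Dict[str, str]:
    """Map client address -> CN of the leaf (depth=0) cert it sent."""
    seen: Dict[str, str] = {}
    for line in log_lines:
        m = VERIFY_RE.match(line)
        if m and m.group("depth") == "0":
            cn = cn_from_dn(m.group("dn"))
            if cn is not None:
                seen[m.group("peer")] = cn
    return seen


def check_ccd(log_lines: List[str], ccd_dir: str, ccd_exclusive: bool = True):
    """Return ([(peer, cn, verdict)], {cn: [peers]} for CNs used by more than one client)."""
    existing = set(os.listdir(ccd_dir))
    by_lower = {name.lower(): name for name in existing}
    results: List[Tuple[str, str, str]] = []
    by_cn: Dict[str, List[str]] = defaultdict(list)
    for peer, cn in presented_client_cns(log_lines).items():
        by_cn[cn].append(peer)
        fname = ccd_filename(cn)
        if fname in existing:
            verdict = f"ok: ccd/{fname} found"
        elif fname.lower() in by_lower:
            # Linux file names are case sensitive: "Server" does not match "server"
            verdict = f"case mismatch: client sent {fname!r} but the file is {by_lower[fname.lower()]!r}"
        elif ccd_exclusive:
            verdict = f"rejected: ccd-exclusive is set and ccd/{fname} is missing"
        else:
            verdict = f"no ccd/{fname}, allowed because ccd-exclusive is not set"
        results.append((peer, cn, verdict))
    shared = {cn: peers for cn, peers in by_cn.items() if len(peers) > 1}
    return results, shared


# Constructed sample: two clients present a cert with CN "server" (as in the
# thread), a third one presents a properly named per-device cert.
SAMPLE_LOG = [
    "2023-08-16 11:01:39 192.168.1.21:60461 VERIFY OK: depth=1, CN=Server",
    "2023-08-16 11:01:39 192.168.1.21:60461 VERIFY OK: depth=0, CN=server",
    "2023-08-16 11:05:02 192.168.1.30:51234 VERIFY OK: depth=1, CN=Server",
    "2023-08-16 11:05:02 192.168.1.30:51234 VERIFY OK: depth=0, CN=Jason Long's private cell phone",
    "2023-08-16 11:06:10 192.168.1.31:40001 VERIFY OK: depth=1, CN=Server",
    "2023-08-16 11:06:10 192.168.1.31:40001 VERIFY OK: depth=0, CN=server",
]


def demo():
    """Run the check against a constructed ccd directory holding the wrong-case file."""
    with tempfile.TemporaryDirectory() as ccd:
        for name in ("Server", "Jason_Long_s_private_cell_phone"):
            open(os.path.join(ccd, name), "w").close()
        return check_ccd(SAMPLE_LOG, ccd)


if __name__ == "__main__":
    results, shared = demo()
    for peer, cn, verdict in results:
        print(f"{peer}: CN={cn!r} -> {verdict}")
    for cn, peers in shared.items():
        print(f"CN {cn!r} is used by {len(peers)} clients; by default they push each other out")
```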
Re: [Openvpn-users] How to use ccd-exclusive statement?
> Hi,
>
> On Wed, Aug 16, 2023 at 06:35:01AM +0000, Jason Long wrote:
>> I added the following lines to my server.conf:
>>
>> client-config-dir myclient
>> ccd-exclusive
>> route 192.168.1.0 255.255.255.0
>
> This tells the server "put routing towards 192.168.1.0 into the VPN",
> while 192.168.1.x is your LAN network. So this does not make sense.
>
>> multihome
>>
>>
>> Client showed me:
> [..]
>> Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session
>> promoted to trusted
>
> So the network between client and server is good now...
>
>> Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED
>
> ... but the server refuses this client. So you must look into the server
> log to see why it does so.
>
> My guess is that the ccd file you created does not have the right name
> (must match the CN in the client certificate), or is not in the right
> place, or you did fancy thing with chroot (paths must match *inside*
> the chroot environment).

Hi Gert,
Thank you so much for your reply.
My OpenVPN server NICs are:
enp0s3: flags=4163 mtu 1500
        inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c prefixlen 64 scopeid 0x20
        ether 08:00:27:ed:b4:7c txqueuelen 1000 (Ethernet)
        RX packets 3984 bytes 1600249 (1.5 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 3182 bytes 685377 (669.3 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp0s3:1: flags=4163 mtu 1500
        inet 20.1.1.20 netmask 255.0.0.0 broadcast 20.255.255.255
        ether 08:00:27:ed:b4:7c txqueuelen 1000 (Ethernet)
enp0s8: flags=4163 mtu 1500
        inet 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe74:6397 prefixlen 64 scopeid 0x20
        ether 08:00:27:74:63:97 txqueuelen 1000 (Ethernet)
        RX packets 396 bytes 76796 (74.9 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 174 bytes 49776 (48.6 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
So, what is the right IP for the following statement?
route 192.168.1.0 255.255.255.0
And about your second note, I must change the "/etc/openvpn/ccd/Test-PC" to the CN in the client certificate. I opened the ca.crt file on the client and clicked on the Details tab and it showed me "CN = Server". So, I must change the "Test-PC" to "Server". Am I right?

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] How to use ccd-exclusive statement?
> Hi,
>
> On Tue, Aug 15, 2023 at 12:54:45PM +0000, Jason Long via Openvpn-users wrote:
> > I did a tcpdump:
> >
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
>
> Client is sending to ip A.
>
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
>
> ... and server is replying from IP B.
>
> Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to *that* IP.
>
> (I said it before: if a machine has multiple IP addresses and you use UDP, you *must* use --multihome on the server)
>
> gert

Hi Gert,

I added the following lines to my server.conf:

client-config-dir myclient
ccd-exclusive
route 192.168.1.0 255.255.255.0
multihome

Client showed me:

Wed Aug 16 11:01:38 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Aug 16 11:01:38 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Wed Aug 16 11:01:38 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Wed Aug 16 11:01:38 2023 Windows version 6.1 (Windows 7), amd64 executable
Wed Aug 16 11:01:38 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Wed Aug 16 11:01:38 2023 DCO version: v0
Wed Aug 16 11:01:38 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Wed Aug 16 11:01:38 2023 Need hold release from management interface, waiting...
Wed Aug 16 11:01:38 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1031
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'state on'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'log on all'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'echo on all'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'bytecount 5'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'state'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold off'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold release'
Wed Aug 16 11:01:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 16 11:01:39 2023 UDPv4 link local: (not bound)
Wed Aug 16 11:01:39 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,
Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, sid=2e7d21e3 db47853e
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY KU OK
Wed Aug 16 11:01:39 2023 Validating certificate extended key usage
Wed Aug 16 11:01:39 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 16 11:01:39 2023 VERIFY EKU OK
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server
Wed Aug 16 11:01:39 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Wed Aug 16 11:01:39 2023 [server] Peer Connection Initiated with [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED
Wed Aug 16 11:01:39 2023 SIGUSR1[soft,auth-failure] received, process restarting
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,RECONNECTING,auth-failure,
Wed Aug 16 11:01:39 2023 Restart pause, 1 second(s)

What is your opinion?

> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
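The mismatch Gert spotted in the capture above (the client addresses 192.168.1.20, the server answers from 10.10.0.1) can be checked mechanically. The following is an added example, not code from the thread or from the OpenVPN project: it parses `tcpdump -n -v` UDP lines, pairs each server reply with the request from the same client port, and reports replies whose source differs from the address the client used. The sample captures are constructed to mirror the lines posted in the thread; the server port 2000 is taken from them.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the tcpdump lines quoted in this thread:
# the client addresses 192.168.1.20:2000, the server answers from 10.10.0.1:2000.
BROKEN_CAPTURE = """\
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
08:51:03.573953 IP (tos 0x0, ttl 128, id 893, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:51:03.574449 IP (tos 0x0, ttl 64, id 26863, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
"""

# Constructed healthy counterpart: the reply leaves from the address the client used.
HEALTHY_CAPTURE = """\
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
    192.168.1.20.2000 > 192.168.1.21.60461: UDP, length 66
"""

# One UDP datagram line as printed by "tcpdump -n": "src.sport > dst.dport: UDP, length N"
FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): UDP, length (\d+)"
)


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_udp(capture: str) -> list[Datagram]:
    """Extract the UDP datagrams from tcpdump text; header and IP-option lines are skipped."""
    return [
        Datagram(m[1], int(m[2]), m[3], int(m[4]), int(m[5]))
        for m in FLOW_RE.finditer(capture)
    ]


def find_source_mismatches(datagrams: list[Datagram], server_port: int) -> list[tuple[str, str, str]]:
    """Return unique (client, address_sent_to, address_replied_from) triples.

    A UDP client socket expects the answer from the exact (IP, port) it sent to,
    the address the OpenVPN client logs as its 'recently used remote address'.
    A reply from another interface address is dropped on the client side, so the
    TLS handshake never completes. Binding the server with --local, or adding
    --multihome on a multi-address host, fixes the reply source.
    """
    sent_to: dict[tuple[str, int], str] = {}
    mismatches: set[tuple[str, str, str]] = set()
    for d in datagrams:
        if d.dport == server_port:                     # client -> server
            sent_to[(d.src, d.sport)] = d.dst
        elif d.sport == server_port:                   # server -> client
            expected = sent_to.get((d.dst, d.dport))
            if expected is not None and expected != d.src:
                mismatches.add((d.dst, expected, d.src))
    return sorted(mismatches)


if __name__ == "__main__":
    for name, capture in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        issues = find_source_mismatches(parse_udp(capture), 2000)
        print(name, "->", issues or "replies come from the address the client used")
```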
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Tue, Aug 15, 2023 at 5:57 PM, tincantech wrote:
> Hi,
>
> --- Original Message ---
> On Tuesday, August 15th, 2023 at 15:02, Gert Doering wrote:
> > Hi,
> >
> > On Tue, Aug 15, 2023 at 12:54:45PM +0000, Jason Long via Openvpn-users wrote:
> > > I did a tcpdump:
> > >
> > > # tcpdump --interface any udp port 2000 -n -v
> > > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> > >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
> >
> > Client is sending to ip A.
> >
> > > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> > >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
> >
> > ... and server is replying from IP B.
> >
> > Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to that IP.
> >
> > (I said it before: if a machine has multiple IP addresses and you use UDP, you must use --multihome on the server)
>
> Thank you for that insightful observation Gert.
>
> However, this behavior does not correlate with Jason's claim that "Without --ccd-exclusive the client *can* connect".
>
> As I told Jason before, start with a simple server, that does not have multiple NICs.
>
> Regards
> tct

Hello,
As I told you, when I removed the --ccd-exclusive statement, then my server worked and I am trying to learn different scenarios.
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Tue, Aug 15, 2023 at 5:33 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 15, 2023 at 12:54:45PM +0000, Jason Long via Openvpn-users wrote:
> > I did a tcpdump:
> >
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
> >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
>
> Client is sending to ip A.
>
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
> >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
>
> ... and server is replying from IP B.
>
> Not sure how you ended there, but if you want the server on 10.10.0.1, then the client needs to connect to *that* IP.
>
> (I said it before: if a machine has multiple IP addresses and you use UDP, you *must* use --multihome on the server)
>
> gert

Hello Gert,
I used the multihome statement and when the client tries to connect to the server, the connection is repeatedly reset.
I will show you the log tomorrow.

> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] How to use ccd-exclusive statement?
> Hi,
>
> --- Original Message ---
> On Tuesday, August 15th, 2023 at 10:57, Jason Long wrote:
> > Hello,
> > My OpenVPN server internal network IP is "192.168.1.20" and the IP address of client is "192.168.1.21". Both VMs can ping each other.
> >
> > According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the following steps:
> >
> > # mkdir /etc/openvpn/ccd
> > # nano /etc/openvpn/server.conf
> >
> > client-config-dir ccd
> > ccd-exclusive
> > route 192.168.1.0 255.255.255.0
> >
> > Then:
> >
> > # touch /etc/openvpn/ccd/Test-PC
> > # nano /etc/openvpn/ccd/Test-PC
> >
> > iroute 192.168.1.0 255.255.255.0
> >
> > After it, I started the OpenVPN service and it worked. On client, when I want to connect to my OpenVPN server, then it showed me:
> >
> > Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> > Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed
> >
> > I take a look at "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/" too.
> >
> > When I removed the following lines from my server.conf, then my client can connect to the server:
> >
> > client-config-dir ccd
> > ccd-exclusive
> > route 192.168.1.0 255.255.255.0
> >
> > How can I solve it?
>
> As I have already explained: If your client can only connect when you remove 'ccd-exclusive' from your server config, this means that there is not a CCD file for the client that is trying to connect.
>
> > I changed protocol from UDP to TCP, but problem was not solved.
>
> If you were a pilot, I would go by train.
>
> HTH
> tct

Hello,
You said "this means that there is not a CCD file for the client that is trying to connect", then what does this mean:

# touch /etc/openvpn/ccd/Test-PC
# nano /etc/openvpn/ccd/Test-PC

iroute 192.168.1.0 255.255.255.0

And about change from UDP to TCP:

https://serverfault.com/questions/765521/openvpn-issue-tls-key-negotiation-failed-to-occur-within-60-seconds
https://support.nordvpn.com/Connectivity/1061816172/Issue-TLS-key-negotiation-failed-to-occur.htm

I did a tcpdump:

# tcpdump --interface any udp port 2000 -n -v
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
08:51:03.573953 IP (tos 0x0, ttl 128, id 893, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:51:03.574449 IP (tos 0x0, ttl 64, id 26863, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
Re: [Openvpn-users] How to use ccd-exclusive statement?
> Sent with Proton Mail secure email.
>
> --- Original Message ---
> On Monday, August 14th, 2023 at 22:11, Jason Long wrote:
> > On Mon, Aug 14, 2023 at 11:47 PM, tincantech wrote:
> > > Hi,
> > >
> > > --- Original Message ---
> > > On Monday, August 14th, 2023 at 20:49, Jason Long wrote:
> > > > On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
> > > >
> > > > Hello,
> > > > Thank you so much for your help.
> > > > I take a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only explained the capabilities of this option and did not provide any examples.
> > > > I did:
> > > > # mkdir /etc/openvpn/clients
> > > > # touch /etc/openvpn/clients/Client-1
> > > > Then, in server.conf:
> > > > client-config-dir clients
> > > > ccd-exclusive
> > > > But, Windows client can't connect to the OpenVPN server and my connection restarted. Do I need to add something to the client configuration file?
> > >
> > > No.
> > >
> > > You have NEVER managed to have a client connect to your server.
> > > Therefore, your question regarding this problem is irrelevant.
> >
> > Hi,
> > Not really, you are wrong. I tested various scenarios and learned a lot from you and others. Now I want to learn this scenario, but unfortunately I could not find an article that teaches from the beginning. I would be grateful if you could tell me where the problem is.
>
> There are many reasons which could explain your problem:
>
> * You may be using a server with multiple NICs, which is configured incorrectly.
> * You may have configured your network routing incorrectly.
> * You may have configured --ccd-exclusive incorrectly.
> * You may have some other unknown problem.
>
> Regarding the issue above, if you want to verify that --ccd-exclusive is working correctly then simply remove 'ccd-exclusive' from your server config, restart your server and try to connect again. If your client can now connect then --ccd-exclusive was successfully rejecting your client because there was no CCD file for that client.
>
> HTH
> tct

Hello,
My OpenVPN server internal network IP is "192.168.1.20" and the IP address of client is "192.168.1.21". Both VMs can ping each other.

According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the following steps:

# mkdir /etc/openvpn/ccd
# nano /etc/openvpn/server.conf

client-config-dir ccd
ccd-exclusive
route 192.168.1.0 255.255.255.0

Then:

# touch /etc/openvpn/ccd/Test-PC
# nano /etc/openvpn/ccd/Test-PC

iroute 192.168.1.0 255.255.255.0

After it, I started the OpenVPN service and it worked. On client, when I want to connect to my OpenVPN server, then it showed me:

Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed

I take a look at "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/" too.

When I removed the following lines from my server.conf, then my client can connect to the server:

client-config-dir ccd
ccd-exclusive
route 192.168.1.0 255.255.255.0

How can I solve it?
I changed protocol from UDP to TCP, but problem was not solved.
Re: [Openvpn-users] A question about the local statement
On Mon, Aug 14, 2023 at 8:22 PM, Gert Doering wrote:
> Hi,
>
> On Mon, Aug 14, 2023 at 01:59:32PM +0000, Jason Long wrote:
> > But I am sure that in a real environment such a scenario can also exist.
> > Consider an internal network where users connect to an internal OpenVPN server and this server has several NICs with different IP addresses that are connected to the Internet. Now you want to connect a group of users to a specific NIC. For example, users with an IP address in the range of 192.168.1.0-254 should connect to a NIC with an IP address of 10.0.0.10, and the rest of the clients with other ranges should be connected to other NICs.
>
> If routing is set up properly (DHCP, default gateway, etc), packets will arrive at the server and things will work. If not, there is no magic way to make clients know "ey, for 10.0.0.10, send packets by magic to *that* server".

Hi Gert,
Thank you so much for your reply.
I guess that I must enable some statements about the DHCP and DNS in server.conf file.
I will test it.

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] A question about the local statement
On Mon, Aug 14, 2023 at 6:25 PM, Bruno Tréguier via Openvpn-users wrote:
> Hello,
>
> On 14/08/2023 at 15:59, Jason Long via Openvpn-users wrote:
> > Hi,
> > Thank you so much.
> > But I am sure that in a real environment such a scenario can also exist.
> > Consider an internal network where users connect to an internal OpenVPN server and this server has several NICs with different IP addresses that are connected to the Internet. Now you want to connect a group of users to a specific NIC. For example, users with an IP address in the range of 192.168.1.0-254 should connect to a NIC with an IP address of 10.0.0.10, and the rest of the clients with other ranges should be connected to other NICs.
> > What are you doing?
>
> Route and/or NAT things correctly...
>
> Even before considering OpenVPN or any other VPN mechanism, make sure everything is correctly routed. Each client machine should be able to ping (if you allow ICMP echo/reply) the VPN server they should be connecting to. If necessary and if possible, allow it temporarily to make sure the routes are correctly set up.
>
> What I mean is that, as I understand things, and as tincantech just told you, your issue is *not* OpenVPN-related. It's a basic network problem. Make sure everything is ok network-wise before trying to use applications, especially ones which are sometimes tricky to set up.
>
> Regards,
>
> Bruno

Hi Bruno,
Thank you so much for your reply.
Both (Server and Client) can ping each other and without the local statement my client can connect to the OpenVPN server.
My client connecting to the server via an internal network:

Server: 192.168.1.20
Client: 192.168.1.21
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Mon, Aug 14, 2023 at 11:47 PM, tincantech wrote:
> Hi,
>
> --- Original Message ---
> On Monday, August 14th, 2023 at 20:49, Jason Long wrote:
> > On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
> >
> > Hello,
> > Thank you so much for your help.
> > I take a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only explained the capabilities of this option and did not provide any examples.
> > I did:
> > # mkdir /etc/openvpn/clients
> > # touch /etc/openvpn/clients/Client-1
> > Then, in server.conf:
> > client-config-dir clients
> > ccd-exclusive
> > But, Windows client can't connect to the OpenVPN server and my connection restarted. Do I need to add something to the client configuration file?
>
> No.
>
> You have NEVER managed to have a client connect to your server.
> Therefore, your question regarding this problem is irrelevant.

Hi,
Not really, you are wrong. I tested various scenarios and learned a lot from you and others. Now I want to learn this scenario, but unfortunately I could not find an article that teaches from the beginning. I would be grateful if you could tell me where the problem is.

> HTH
> tct
Re: [Openvpn-users] How to use ccd-exclusive statement?
On Mon, Aug 14, 2023 at 5:16 PM, tincantech wrote:
> Sent with Proton Mail secure email.
>
> --- Original Message ---
> On Monday, August 14th, 2023 at 14:13, Jason Long via Openvpn-users wrote:
> > Hello,
> > To increase the security of OpenVPN, I want to use the ccd-exclusive.
>
> --ccd-exclusive does not "increase the security of OpenVPN".
>
> What it does is to provide a server with a convenient way to temporarily disable certain clients by client commonName. This convenience means that the client certificate does not need to be revoked. And the client can have access to the server restored simply by (re-)creating a CCD file.
>
> --ccd-exclusive means that the server will ONLY allow clients access if they have a CCD file in the folder configured by --client-connect-dir.
>
> > I googled it, but I could not find a good example. I just found the following question:
> >
> > https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn
>
> I strongly recommend that your search starts with the Openvpn manual:
> https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html
>
> EVERY option is described in the manual.
>
> > But, I really don't know what to do.
> > I must create a directory under the "/etc/openvpn", then create a file with the name of clients in it? For example, if my Windows client host name is "Client-1", then:
> >
> > # mkdir /etc/openvpn/clients
> > # touch /etc/openvpn/clients/Client-1
> >
> > Then, in server.conf:
> >
> > client-config-dir clients
> > ccd-exclusive
> >
> > Am I right?
>
> Yes.
>
> However, I strongly recommend that you learn the difference between "absolute paths" versus "relative paths". (Out of scope for this mailing list)
>
> > How about the client configuration? Do I need to add anything?
>
> No.
>
> Do exactly as the manual (above) describes.
>
> HTH
> tct

Hello,
Thank you so much for your help.
I take a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only explained the capabilities of this option and did not provide any examples.
I did:

# mkdir /etc/openvpn/clients
# touch /etc/openvpn/clients/Client-1

Then, in server.conf:

client-config-dir clients
ccd-exclusive

But, Windows client can't connect to the OpenVPN server and my connection restarted. Do I need to add something to the client configuration file?
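To make the description of --ccd-exclusive above concrete, here is an added example (not code from the thread or from the OpenVPN project) that predicts the outcome for a given client: it parses `client-config-dir` and `ccd-exclusive` out of a server config, resolves a relative directory against the server's working directory, and looks for the per-client file. The file OpenVPN looks for is named after the certificate's X.509 common name, so a file named after a Windows host name only matches when the CN happens to be the same; the scratch layout, the `cwd` argument and the common names used in `demo()` are constructed for illustration.

```python
import os
import tempfile
from typing import Optional


def parse_ccd_options(server_conf: str) -> tuple[Optional[str], bool]:
    """Return (client-config-dir value, ccd-exclusive present) from a server config.

    Comments introduced by '#' or ';' and blank lines are ignored; only the two
    options that matter for this check are parsed.
    """
    ccd_dir, exclusive = None, False
    for raw in server_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "client-config-dir" and len(parts) >= 2:
            ccd_dir = parts[1].strip('"')
        elif parts[0] == "ccd-exclusive":
            exclusive = True
    return ccd_dir, exclusive


def ccd_decision(server_conf: str, cwd: str, common_name: str) -> tuple[bool, str]:
    """Predict whether ccd-exclusive admits a client presenting this X.509 CN.

    OpenVPN looks inside client-config-dir for a file named exactly like the
    certificate's common name (the CN, not the client's Windows host name). A
    relative directory is resolved against the server's working directory, which
    is the absolute-vs-relative path point raised in the thread; 'cwd' stands in
    for that directory here.
    """
    ccd_dir, exclusive = parse_ccd_options(server_conf)
    if not exclusive:
        return True, "ccd-exclusive not set: CCD files are optional"
    if ccd_dir is None:
        # Treated as a rejection in this example: there is no directory to search.
        return False, "ccd-exclusive without client-config-dir: no CCD file can match"
    resolved = ccd_dir if os.path.isabs(ccd_dir) else os.path.join(cwd, ccd_dir)
    ccd_file = os.path.join(resolved, common_name)
    if os.path.isfile(ccd_file):
        return True, f"CCD file {ccd_file} found"
    return False, f"no CCD file {ccd_file}: the client gets AUTH_FAILED"


def demo() -> dict[str, bool]:
    """Build the thread's layout in a scratch directory and evaluate a few CNs.

    Constructed data: the config and the single CCD file 'Test-PC' mirror what
    was posted; 'laptop.example' is a hypothetical CN with no CCD file.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ccd"))
        with open(os.path.join(root, "ccd", "Test-PC"), "w") as fh:
            fh.write("iroute 192.168.1.0 255.255.255.0\n")
        conf = "client-config-dir ccd\nccd-exclusive\nroute 192.168.1.0 255.255.255.0\n"
        return {
            # CN matches the file name: admitted
            "Test-PC": ccd_decision(conf, root, "Test-PC")[0],
            # no file for this CN: rejected (AUTH_FAILED on the client)
            "laptop.example": ccd_decision(conf, root, "laptop.example")[0],
            # same directory, ccd-exclusive removed: admitted
            "no-exclusive": ccd_decision("client-config-dir ccd\n", root, "laptop.example")[0],
            # relative 'ccd' resolved against a different working directory: rejected
            "wrong-cwd": ccd_decision(conf, os.path.join(root, "elsewhere"), "Test-PC")[0],
        }


if __name__ == "__main__":
    for cn, admitted in demo().items():
        print(f"{cn}: {'admitted' if admitted else 'rejected'}")
```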
Re: [Openvpn-users] A question about the local statement
> Hi,
>
> On Mon, Aug 14, 2023 at 10:51:41AM +0000, Jason Long wrote:
> > So, my iptables rules are OK and my problem is just my test environment.
> > If someone really has such an environment, then what is the solution?
>
> Build a proper test environment... whatever you have at hand, either wire an OpenWRT router in between, or use virtual networks in vmware, or use a client with an LTE uplink that comes back via your normal Internet connection, etc.
>
> This very much depends on what you have and what you actually want to test and simulate.

Hi,
Thank you so much.
But I am sure that in a real environment such a scenario can also exist.
Consider an internal network where users connect to an internal OpenVPN server and this server has several NICs with different IP addresses that are connected to the Internet. Now you want to connect a group of users to a specific NIC. For example, users with an IP address in the range of 192.168.1.0-254 should connect to a NIC with an IP address of 10.0.0.10, and the rest of the clients with other ranges should be connected to other NICs.
What are you doing?

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
[Openvpn-users] How to use ccd-exclusive statement?
Hello,
To increase the security of OpenVPN, I want to use the ccd-exclusive. I googled it, but I could not find a good example. I just found the following question:

https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

But, I really don't know what to do.
I must create a directory under the "/etc/openvpn", then create a file with the name of clients in it? For example, if my Windows client host name is "Client-1", then:

# mkdir /etc/openvpn/clients
# touch /etc/openvpn/clients/Client-1

Then, in server.conf:

client-config-dir clients
ccd-exclusive

Am I right?
How about the client configuration? Do I need to add anything?

Thank you.
Re: [Openvpn-users] A question about the local statement
> Hi,
>
> On Mon, Aug 14, 2023 at 10:13:48AM +0000, Jason Long wrote:
> > And because my client does not have direct access to IP "20.1.1.20", then it showed me that error. If my client connected to the OpenVPN server directly, then I should not have such a problem. Am I right?
>
> You need to get your routing "outside of OpenVPN" sorted out before you can connect. So, yes.

Hi Gert,
So, my iptables rules are OK and my problem is just my test environment.
If someone really has such an environment, then what is the solution?

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] A question about the local statement
> Hi,
>
> Sent with Proton Mail secure email.
>
> --- Original Message ---
> On Monday, August 14th, 2023 at 09:23, Jason Long via Openvpn-users wrote:
> > Mon Aug 14 12:52:03 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
> >
> > Which option is wrong?
>
> This means that the client packets, sent to the server, are delivered to a server which is not listening on the IP:Port combination configured in the client --remote.

Hello,
I guess it too.
My OpenVPN test environment is:

OpenVPN Server: A VM with two NICs
NAT: (10.0.2.15)
Internal Network: (192.168.1.20)

Client: A Windows OS with one NIC
Internal Network (192.168.1.21)

In the client configuration, I used:

client
dev tun20
proto udp
remote 192.168.1.20 2000

And because my client does not have direct access to IP "20.1.1.20", then it showed me that error. If my client connected to the OpenVPN server directly, then I should not have such a problem. Am I right?

Regards
Re: [Openvpn-users] A question about the local statement
> Hi,
>
> On Mon, Aug 14, 2023 at 06:33:52AM +0000, Jason Long wrote:
> > Why without the local statement my OpenVPN worked?
>
> As I explained weeks ago, the combination of "port" + "local IP" needs to be unique. So if you have only one OpenVPN process listening on one port, you do not need to force the IP address to make the (port,IP) tuple unique.
>
> On a machine with multiple IP addresses and *no* --local binding, you will need to use --multihome on UDP servers (otherwise OpenVPN might reply with a wrong source IP).
>
> > When I see the error 10054, then this is related to the wrong firewall settings or wrong port forwarding.
>
> I have no idea what an "error 10054" is. If it's part of an OpenVPN error message, do post the full line +5 lines of context.

Hi,
Thanks again.
My OpenVPN server has multiple IP addresses and I want to run multiple OpenVPN servers on it.
My server configuration is:

port 2000
proto udp
dev tun20
local 20.1.1.20 # My virtual NIC
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.10.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 192.168.1.20"
keepalive 10 120
tls-crypt ta.key 0
data-ciphers AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun

The client shows me the following error:

Mon Aug 14 12:52:02 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Mon Aug 14 12:52:02 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Mon Aug 14 12:52:02 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Mon Aug 14 12:52:02 2023 Windows version 6.1 (Windows 7), amd64 executable
Mon Aug 14 12:52:02 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Mon Aug 14 12:52:02 2023 DCO version: v0
Mon Aug 14 12:52:02 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Mon Aug 14 12:52:02 2023 Need hold release from management interface, waiting...
Mon Aug 14 12:52:03 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1032
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'state on'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'log on all'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'echo on all'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'bytecount 5'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'state'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'hold off'
Mon Aug 14 12:52:03 2023 MANAGEMENT: CMD 'hold release'
Mon Aug 14 12:52:03 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
Mon Aug 14 12:52:03 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Aug 14 12:52:03 2023 UDPv4 link local: (not bound)
Mon Aug 14 12:52:03 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Mon Aug 14 12:52:03 2023 MANAGEMENT: >STATE:1692001323,WAIT,,
Mon Aug 14 12:52:03 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)

Which option is wrong?

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
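Gert's two rules (port + local IP must be unique; a UDP server bound to all addresses of a multi-address host needs --multihome) and the symptom in the client log can be checked against the posted configs. The following is an added example, not the project's code: it reduces each server config to its socket binding, reads the client's `remote`, and reports conflicts, a missing `multihome`, and a client target nothing listens on. The host address list, the hypothetical second server instance and the instance names are constructed; the posted server and client configs are quoted from the thread.

```python
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class Binding:
    name: str
    proto: str
    port: int
    local: Optional[str]   # None: bound to every address of the host
    multihome: bool


def _options(conf: str) -> Iterator[tuple[str, list[str]]]:
    """Yield (option, args) pairs, ignoring '#' comments and blank lines."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]


def parse_server(name: str, conf: str) -> Binding:
    """Reduce a server config to the (proto, port, local, multihome) that decide its socket."""
    proto, port, local, multihome = "udp", 1194, None, False   # OpenVPN defaults
    for opt, args in _options(conf):
        if opt == "proto" and args:
            proto = args[0].lower().rstrip("46")   # udp4 / udp6 count as udp
        elif opt == "port" and args:
            port = int(args[0])
        elif opt == "local" and args:
            local = args[0]
        elif opt == "multihome":
            multihome = True
    return Binding(name, proto, port, local, multihome)


def parse_client_remote(conf: str) -> tuple[str, int, str]:
    """Return (host, port, proto) a client config sends its first packet to."""
    proto, host, port = "udp", None, 1194
    for opt, args in _options(conf):
        if opt == "proto" and args:
            proto = args[0].lower().rstrip("46")
        elif opt == "remote" and args:
            host = args[0]
            if len(args) > 1:
                port = int(args[1])
            if len(args) > 2:
                proto = args[2].lower().rstrip("46")
    if host is None:
        raise ValueError("client config has no 'remote' line")
    return host, port, proto


def lint(servers: list[Binding], host_addrs: list[str], client: tuple[str, int, str]) -> list[str]:
    """Apply the two rules from the thread plus the symptom the client saw.

    1. (proto, port, IP) must be unique; a wildcard bind occupies the port on every address.
    2. A UDP server bound to all addresses of a multi-address host needs --multihome.
    3. The client's remote must hit a listening (proto, port, IP) on this host; otherwise
       the host answers with ICMP port unreachable, reported by Windows as WSAECONNRESET 10054.
    """
    findings: list[str] = []
    owner: dict[tuple[str, int, str], str] = {}
    for s in servers:
        for addr in ([s.local] if s.local else host_addrs):
            key = (s.proto, s.port, addr)
            if key in owner:
                findings.append(f"{s.name}: {s.proto}/{s.port} on {addr} already taken by {owner[key]}")
            else:
                owner[key] = s.name
        if s.proto == "udp" and s.local is None and len(host_addrs) > 1 and not s.multihome:
            findings.append(f"{s.name}: udp bound to all addresses without multihome; "
                            "replies may leave from the wrong source IP")
    host, port, proto = client
    if (proto, port, host) not in owner:
        findings.append(f"client: nothing listens on {proto}/{port} at {host}; expect "
                        "ICMP port unreachable (WSAECONNRESET, code 10054 on Windows)")
    return findings


# Constructed inputs mirroring the thread: the host owns three addresses, the posted server
# config binds 20.1.1.20 only, and the posted client config targets 192.168.1.20.
HOST_ADDRS = ["10.0.2.15", "192.168.1.20", "20.1.1.20"]
SERVER_A = "port 2000\nproto udp\ndev tun20\nlocal 20.1.1.20 # My virtual NIC\nserver 10.10.0.0 255.255.255.0\n"
# Hypothetical second instance an admin might add next: same port, no local, no multihome.
SERVER_B = "port 2000\nproto udp\ndev tun21\nserver 10.11.0.0 255.255.255.0\n"
CLIENT = "client\ndev tun20\nproto udp\nremote 192.168.1.20 2000\n"


def demo() -> dict[str, list[str]]:
    client = parse_client_remote(CLIENT)
    posted = lint([parse_server("srvA", SERVER_A)], HOST_ADDRS, client)
    two = lint([parse_server("srvA", SERVER_A), parse_server("srvB", SERVER_B)], HOST_ADDRS, client)
    return {"as_posted": posted, "with_second_instance": two}


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario)
        for finding in findings:
            print("  -", finding)
```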
Re: [Openvpn-users] A question about the local statement
> Hi,
>
> On Sun, Aug 13, 2023 at 08:55:21PM +0000, Jason Long via Openvpn-users wrote:
> > Hello,
> > Is the local statement only for physical NICs or does it work for virtual NICs as well?
>
> As I wrote like 2 weeks ago, this is *all* about IP addresses, not about NICs.
>
> As a consequence, it does not matter where you configure the IP addresses, as long as it is reachable from the outside (routing, ARP, etc.)

Hi,
Thank you so much.
Why without the local statement my OpenVPN worked?
When I see the error 10054, then this is related to the wrong firewall settings or wrong port forwarding.

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
[Openvpn-users] A question about the local statement
Hello,
Is the local statement only for physical NICs or does it work for virtual NICs as well?

Thank you.
Re: [Openvpn-users] OpenVPN vs WireGuard
On Sun, Aug 13, 2023 at 2:55 PM, Bo Berglund wrote:
> On Sun, 13 Aug 2023 09:44:08 +0000 (UTC), Jason Long via Openvpn-users wrote:
> > Patches?
> > The OpenVPN is open source, what about changing the source code and its fingerprint?
>
> Yes, you are free to do so if you desire (and are proficient in the coding of OpenVPN)
> I would not do it myself, though.
> Better to use it as it was designed.

Hello,
Thanks.
Can you tell more about patches?

> --
> Bo Berglund
> Developer in Sweden
Re: [Openvpn-users] OpenVPN vs WireGuard
> Hi,
>
> On Sun, Aug 13, 2023 at 05:23:07AM +0000, Jason Long wrote:
> > Is there a way that OpenVPN can hide itself from censorship devices? Something like a statement or something like that.
>
> This has not much to do with the thread topic or the Subject: - and the short answer is "no".
>
> (The long answer is "there are patches that can do this for a limited time, and then the police catches on, and it will stop working")

Hello,
Thank you so much for your reply.
Patches?
The OpenVPN is open source, what about changing the source code and its fingerprint?

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] I set the local statement and I got Connection reset by peer (WSAECONNRESET) (fd=ec, code=10054)
Hello, I added a virtual IP to my OpenVPN NIC as below:

...
enp0s3:1: flags=4163 mtu 1500
        inet 20.1.1.20  netmask 255.0.0.0  broadcast 20.255.255.255
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
...

Then, I added the following line to my Server.conf file:

local 20.1.1.20

I did the following iptables rules:

IF_MAIN=enp0s3:1
IF_TUNNEL=tun20
YOUR_OPENVPN_SUBNET=10.10.0.0/16
iptables -I INPUT -p udp --dport 2000 -j ACCEPT
iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to 20.1.1.20

But, the client can't connect to the OpenVPN server and showed me the below error:

Sat Aug 12 11:10:24 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)

> How to solve it?
> Thank you.

Hello, The complete log is:

2023-08-13 10:30:37 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-08-13 10:30:37 Note: ovpn-dco-win driver is missing, disabling data channel offload.
2023-08-13 10:30:37 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
2023-08-13 10:30:37 Windows version 6.1 (Windows 7), amd64 executable
2023-08-13 10:30:37 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-08-13 10:30:37 DCO version: v0
2023-08-13 10:30:37 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
2023-08-13 10:30:37 Need hold release from management interface, waiting...
2023-08-13 10:30:38 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1031
2023-08-13 10:30:38 MANAGEMENT: CMD 'state on'
2023-08-13 10:30:38 MANAGEMENT: CMD 'log on all'
2023-08-13 10:30:38 MANAGEMENT: CMD 'echo on all'
2023-08-13 10:30:38 MANAGEMENT: CMD 'bytecount 5'
2023-08-13 10:30:38 MANAGEMENT: CMD 'state'
2023-08-13 10:30:38 MANAGEMENT: CMD 'hold off'
2023-08-13 10:30:38 MANAGEMENT: CMD 'hold release'
2023-08-13 10:30:38 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
2023-08-13 10:30:38 Socket Buffers: R=[8192->8192] S=[8192->8192]
2023-08-13 10:30:38 UDPv4 link local: (not bound)
2023-08-13 10:30:38 UDPv4 link remote: [AF_INET]192.168.1.20:2000
2023-08-13 10:30:38 MANAGEMENT: >STATE:1691906438,WAIT,,
2023-08-13 10:30:38 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
2023-08-13 10:30:40 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
2023-08-13 10:30:44 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
2023-08-13 10:30:52 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
2023-08-13 10:31:08 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
2023-08-13 10:31:38 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-08-13 10:31:38 TLS Error: TLS handshake failed
2023-08-13 10:31:38 SIGUSR1[soft,tls-error] received, process restarting
2023-08-13 10:31:38 MANAGEMENT: >STATE:1691906498,RECONNECTING,tls-error,
2023-08-13 10:31:38 Restart pause, 1 second(s)
2023-08-13 10:31:39 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
2023-08-13 10:31:39 Socket Buffers: R=[8192->8192] S=[8192->8192]
2023-08-13 10:31:39 UDPv4 link local: (not bound)
2023-08-13 10:31:39 UDPv4 link remote: [AF_INET]192.168.1.20:2000
2023-08-13 10:31:39 MANAGEMENT: >STATE:1691906499,WAIT,,
2023-08-13 10:31:39 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)
2023-08-13 10:31:41 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)

The port and protocol are correct in the firewall rules. What is the problem?
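One check worth running before touching the firewall, as an added example that is not part of the thread: the log above shows the client dialling 192.168.1.20:2000, while the server has been told "local 20.1.1.20". With --local, OpenVPN binds only that address, so datagrams sent to any other address of the same host are answered by the kernel with ICMP port unreachable, which the Windows UDP socket surfaces as WSAECONNRESET. The script below compares the server's local/port/proto with the client's remote line and reports any mismatch; the two config files in the test are constructed from the values quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the thread): compare the address/port/proto the
# server is told to bind with the endpoint the client is told to dial.

# cfg_value FILE KEY -> first argument of KEY in an OpenVPN config
cfg_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# cfg_field FILE KEY N -> N-th argument of KEY (remote takes host port [proto])
cfg_field() {
    awk -v key="$2" -v n="$3" '$1 == key { print $(n+1); exit }' "$1"
}

# check_endpoint SERVER_CONF CLIENT_CONF
# Prints one line per mismatch; returns 0 when the client can reach the socket.
check_endpoint() {
    srv="$1"; cli="$2"; rc=0
    s_local=$(cfg_value "$srv" local)
    s_port=$(cfg_value "$srv" port);   s_port=${s_port:-1194}
    s_proto=$(cfg_value "$srv" proto); s_proto=${s_proto:-udp}
    c_host=$(cfg_field "$cli" remote 1)
    c_port=$(cfg_field "$cli" remote 2); c_port=${c_port:-1194}
    c_proto=$(cfg_field "$cli" remote 3)
    [ -z "$c_proto" ] && c_proto=$(cfg_value "$cli" proto)
    c_proto=${c_proto:-udp}

    # --local makes the server bind only that address; a client aiming at
    # another address of the same host gets ICMP port-unreachable, which
    # Windows reports as WSAECONNRESET on the UDP socket.
    if [ -n "$s_local" ] && [ "$s_local" != "$c_host" ]; then
        echo "MISMATCH: server binds only $s_local but client dials $c_host"; rc=1
    fi
    if [ "$s_port" != "$c_port" ]; then
        echo "MISMATCH: server port $s_port, client port $c_port"; rc=1
    fi
    case "$s_proto" in udp*) s_p=udp;; *) s_p=tcp;; esac
    case "$c_proto" in udp*) c_p=udp;; *) c_p=tcp;; esac
    if [ "$s_p" != "$c_p" ]; then
        echo "MISMATCH: server proto $s_proto, client proto $c_proto"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: client endpoint matches server bind address/port/proto"
    return $rc
}
```

On the server itself, `ss -ulnp | grep openvpn` shows which address and port the daemon actually bound, which is the ground truth the client's remote line has to match.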
Re: [Openvpn-users] OpenVPN vs WireGuard
Hi, On Fri, Aug 11, 2023 at 09:11:22PM +, Jason Long via Openvpn-users wrote:
> Hello, Is it true that WireGuard is safer and faster than OpenVPN?
Safer: no. Marketing claims. Faster: depends. With DCO, OpenVPN can be faster, because AES-GCM is hardware accelerated on many Intel/AMD CPUs while chacha-poly is not - without DCO, or on platforms that have chacha-poly in hardware, wireguard will be faster.
> Also, OpenVPN needs DCO to scale really well on multi-core systems where a single CPU might not be able to serve the load for many clients.
Hello, Thank you so much. Is there a way that OpenVPN can hide itself from censorship devices? Something like a statement or something like that.
gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Cannot pre-load keyfile (ta.key)
Hi,

--- Original Message ---
On Saturday, August 12th, 2023 at 07:39, Jason Long via Openvpn-users wrote:
> Hello,
> I added "tls-crypt ta.key 0" and "data-cipher AES-256-GCM" to my Server.conf and "tls-crypt ta.key 1" and "data-cipher AES-256-GCM" to my Client.conf.
>
> Client.ovpn is:
>
> #
> # 2048 bit OpenVPN static key
> #
> -----BEGIN OpenVPN Static key V1-----
> ...
> -----END OpenVPN Static key V1-----
>
> But I got the following errors:
> Cannot pre-load keyfile (ta.key)
> Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
>
> Why? Is this because my key is not a separate file?

> Yes.

Hello, Thank you so much for your reply. Is there no trick? For some devices (Cellphone) or for convenience, one file is better.

> Thank you.
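The single-file form does exist, and the following is an added example (not part of the thread) of producing it. A line "tls-crypt ta.key 1" makes OpenVPN open ta.key from disk no matter what is pasted below it, which is the "Cannot pre-load keyfile" error; the supported one-file form wraps each file in an inline block (<ca>, <cert>, <key>, <tls-crypt>) and drops the path. The script rewrites a client config that references files into that form. Note that tls-crypt takes no direction argument (the trailing 0/1 in the posted configs is ignored), whereas tls-auth does, so only tls-auth gets a key-direction line. The filenames in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): inline ca/cert/key/tls-auth/tls-crypt
# files into a single .ovpn using OpenVPN's <tag>...</tag> blocks.
#
# build_unified CLIENT_CONF OUT_FILE
# Relative paths in the config are resolved against the config's directory.
# Returns 1 (and says why) if a referenced file cannot be read.
build_unified() {
    src="$1"; out="$2"
    dir=$(dirname "$src")
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        # split the directive from its arguments without pathname expansion
        set -f; set -- $line; set +f
        case "$1" in
            ca|cert|key|tls-auth|tls-crypt)
                tag=$1; file=$2; keydir=$3
                path=$file
                case "$path" in /*) ;; *) path="$dir/$file" ;; esac
                if [ ! -r "$path" ]; then
                    echo "build_unified: cannot read $path (referenced by '$line')" >&2
                    return 1
                fi
                # tls-auth needs its direction, which an inline block cannot
                # carry, so it moves to key-direction; tls-crypt has no
                # direction and any trailing 0/1 is simply dropped
                if [ "$tag" = tls-auth ] && [ -n "$keydir" ]; then
                    printf 'key-direction %s\n' "$keydir" >> "$out"
                fi
                printf '<%s>\n' "$tag" >> "$out"
                cat "$path" >> "$out"
                printf '</%s>\n' "$tag" >> "$out"
                ;;
            *)
                # every other directive is copied through unchanged
                printf '%s\n' "$line" >> "$out"
                ;;
        esac
    done < "$src"
}
```

Run it as `build_unified client.conf client.ovpn` from the directory holding the key material; the resulting file contains the private key, so treat it with the same care as client.key.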
[Openvpn-users] I set the local statement and I got Connection reset by peer (WSAECONNRESET) (fd=ec, code=10054)
Hello, I added a virtual IP to my OpenVPN NIC as below:

...
enp0s3:1: flags=4163 mtu 1500
        inet 20.1.1.20  netmask 255.0.0.0  broadcast 20.255.255.255
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
...

Then, I added the following line to my Server.conf file:

local 20.1.1.20

I did the following iptables rules:

IF_MAIN=enp0s3:1
IF_TUNNEL=tun20
YOUR_OPENVPN_SUBNET=10.10.0.0/16
iptables -I INPUT -p udp --dport 2000 -j ACCEPT
iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to 20.1.1.20

But, the client can't connect to the OpenVPN server and showed me the below error:

Sat Aug 12 11:10:24 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)

How to solve it? Thank you.
[Openvpn-users] Cannot pre-load keyfile (ta.key)
Hello, I added "tls-crypt ta.key 0" and "data-cipher AES-256-GCM" to my Server.conf and "tls-crypt ta.key 1" and "data-cipher AES-256-GCM" to my Client.conf.

Client.ovpn is:

client
dev tun20
proto udp
remote 192.168.1.20 2000
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-crypt ta.key 1
data-ciphers AES-256-GCM
verb 3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----

But I got the following errors:

Cannot pre-load keyfile (ta.key)
Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

Why? Is this because my key is not a separate file? Thank you.
[Openvpn-users] OpenVPN vs WireGuard
Hello, Is it true that WireGuard is safer and faster than OpenVPN? Thank you.
Re: [Openvpn-users] Hardening an OpenVPN server
On 10/08/2023 21:44, Jason Long via Openvpn-users wrote: [...snip...]
> Hello,
> I see. Can you show me a good article about hardening an OpenVPN server on Linux?

The best hardening trick you can do to OpenVPN: Use tls-crypt together with UDP. With this setup, port scanners will not see anything - and all you get on your end is some log noise that TLS-unwrap failed (because the tls-crypt protection can't decrypt the scan). And OpenVPN will silently drop the packet. If you use a different port than 1194 - you might not see so much noise even.

Secondly, ensure you use AES-GCM algorithms (default with OpenVPN 2.6). Ensure your CA, server and clients use certificates with at least RSA 4096 keys or ECC based keys. And don't reuse certificates for more clients or servers. That's the main attack vector for OpenVPN.

These two steps prevent random external users from attempting to inspect your OpenVPN server for weaknesses, and ensure only devices with key pairs issued by you can connect. And the strength of the AES algorithm coupled with the RSA/ECC based keys makes it harder to dump tunnelled traffic and decrypt that dump.

To further control users/devices connecting, you can look into using --client-config-dir together with --ccd-exclusive. This will require the server side to have a file named the same as the "CN" field in the client certificate. This way you can also block devices/users which should have their access revoked very easily (remove the file, or just add "disable" as a line in the CCD file).

The rest of the hardening you can do is actually pretty basic and standard network and host hardening, which is out of scope for OpenVPN itself. OpenVPN is basically just a "virtual network cable" between the VPN server and client. How you treat the traffic coming out of or going into that cable is up to the host this "cable" is "plugged" into.
-- > kind regards, > David Sommerseth > OpenVPN Inc

Hi David, Thank you so much for your great advice. Please consider the following server configuration file, what lines would you add or remove?

port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 172.20.1.2"
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

I guess you will change "tls-auth ta.key 0" to "tls-crypt ta.key 0" and "data-ciphers AES-256-CBC" to "data-cipher AES-256-GCM". What else? Cheers.
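David's checklist (UDP plus tls-crypt, AEAD data ciphers, client-config-dir with ccd-exclusive, dropping privileges) can be turned into a mechanical audit. The script below is an added example, not part of the thread or of OpenVPN, and checks a server config against exactly those points; it does not inspect certificate key sizes, which need openssl against the actual files. The "weak" config in the test is the one posted above, the hardened one is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag the hardening gaps David lists
# in an OpenVPN server config. Prints one WARN line per finding and returns
# the number of findings, so 0 means nothing to flag.

_warn() { echo "WARN: $1"; n=$((n + 1)); }

# audit_ovpn_server SERVER_CONF
audit_ovpn_server() {
    conf="$1"; n=0

    # 1. UDP: with tls-crypt, an unauthenticated UDP probe gets no reply at
    #    all; TCP must complete a 3-way handshake before OpenVPN sees anything.
    proto=$(awk '$1 == "proto" { print $2; exit }' "$conf")
    case "${proto:-udp}" in
        udp*) ;;
        *) _warn "proto $proto: a TCP listener is visible to scanners; prefer udp with tls-crypt" ;;
    esac

    # 2. tls-crypt: both tls-auth and tls-crypt drop packets without the
    #    right HMAC, but only tls-crypt also encrypts the control channel,
    #    hiding the TLS handshake and certificates from an observer.
    if ! grep -Eq '^[[:space:]]*tls-crypt(-v2)?([[:space:]]|$)' "$conf"; then
        if grep -Eq '^[[:space:]]*tls-auth([[:space:]]|$)' "$conf"; then
            _warn "tls-auth only authenticates control-channel packets; tls-crypt also encrypts them"
        else
            _warn "no tls-crypt: unauthenticated packets reach the TLS stack"
        fi
    fi

    # 3. AEAD data ciphers only (OpenVPN 2.6 default is AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305)
    ciphers=$(awk '$1 == "data-ciphers" { print $2; exit }' "$conf")
    if [ -n "$ciphers" ]; then
        old_ifs=$IFS; IFS=:
        for c in $ciphers; do
            case "$c" in
                *-GCM|CHACHA20-POLY1305) ;;
                *) _warn "data-ciphers includes $c: not an AEAD cipher; keep the list to AES-GCM/CHACHA20-POLY1305" ;;
            esac
        done
        IFS=$old_ifs
    fi

    # 4. Per-CN allow-list: a valid certificate alone should not be enough
    if ! grep -Eq '^[[:space:]]*client-config-dir[[:space:]]' "$conf"; then
        _warn "no client-config-dir: add one with ccd-exclusive so only CNs with a CCD file may connect"
    elif ! grep -Eq '^[[:space:]]*ccd-exclusive' "$conf"; then
        _warn "client-config-dir without ccd-exclusive: unknown CNs with a valid cert are still accepted"
    fi

    # 5. Drop root after the tunnel is up
    grep -Eq '^[[:space:]]*user[[:space:]]' "$conf" || _warn "no 'user' directive: daemon keeps root after startup"
    grep -Eq '^[[:space:]]*group[[:space:]]' "$conf" || _warn "no 'group' directive"

    return $n
}
```

Revoking a device under point 4 is then a one-liner on the server: `echo disable > /etc/openvpn/ccd/<CN>`, which takes effect at the client's next connection attempt.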
Re: [Openvpn-users] Hardening an OpenVPN server
On Thu, Aug 10, 2023 at 11:07 PM, Gert Doering wrote: hi, On Thu, Aug 10, 2023 at 07:27:50PM +, Jason Long via Openvpn-users wrote:
> Hello, How to harden an OpenVPN server? I found "https://openvpn.net/community-resources/hardening-openvpn-security/", but I guess this is not complete. For example, it didn't say anything about using the local statement.
> "local" has nothing to with "hardening", so why *should* it say anything?
Hello, I see. Can you show me a good article about hardening an OpenVPN server on Linux?
gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de
[Openvpn-users] Hardening an OpenVPN server
Hello, How to harden an OpenVPN server? I found "https://openvpn.net/community-resources/hardening-openvpn-security/", but I guess this is not complete. For example, it didn't say anything about using the local statement. Thank you.
Re: [Openvpn-users] A question about "Local" option
On Mon, Aug 7, 2023 at 1:58 PM, Jochen Bern wrote: On 06.08.23 22:41, Jason Long via Openvpn-users wrote:
> Hello, Any idea? I would be grateful if someone could guide me.
>
> On Wed, Aug 2, 2023 at 11:17 PM, Jason Long via Openvpn-users wrote: Hello, To use OpenVPN with a NIC that has multiple IP addresses set on it, I need to use the following statement in the server configuration file:
> Local "Virtual IP"
> But, when I use the following firewall rules and specify the virtual NIC, OpenVPN network card and IP range, is there still a need for Local "Virtual IP"?
The "local" statement is *necessary* when and if the same port as in the OpenVPN config needs to be used somewhere else as well (be it by another OpenVPN instance, or some entirely different software), so as to use different *IP*-and-port combos instead. The conflict occurs as soon as the second software tries to start *LISTENing* on that port, with *no packets* being sent yet. Hence, your iptables setup is entirely irrelevant there. Kind regards, -- Jochen Bern Systemingenieur > Binect GmbH
Hello, Thank you so much. So, the "local" statement is only applicable when the OpenVPN servers use the same ports. So, if an OpenVPN server with several different IP addresses uses different ports in its settings, there is no need to use the "local" statement. Am I right? Why are my iptables rules irrelevant?
Re: [Openvpn-users] A question about "Local" option
Hello, Any idea? I would be grateful if someone could guide me. Cheers.

On Wed, Aug 2, 2023 at 11:17 PM, Jason Long via Openvpn-users wrote: Hello, To use OpenVPN with a NIC that has multiple IP addresses set on it, I need to use the following statement in the server configuration file:

Local "Virtual IP"

But, when I use the following firewall rules and specify the virtual NIC, OpenVPN network card and IP range, is there still a need for Local "Virtual IP"?

# IF_MAIN=eth0:X
# IF_TUNNEL=tunX
# YOUR_OPENVPN_SUBNET=IP/16
# iptables -I INPUT -p udp --dport PORT -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to OpenVPN_NIC_IP

Thank you.
Re: [Openvpn-users] A question about the VPN providers
On Fri, Aug 4, 2023 at 12:59 PM, David Sommerseth wrote: On 31.07.23 21:42, Jason Long via Openvpn-users wrote: > Hello, Is it possible to set public IP addresses from different > countries on one NIC? This is a bit unclear. Generally, you assign multiple IP addresses to a single NIC (physical), but it gets quickly very messy to route that correctly. For virtual NICs (such as tun or dco interfaces), the remote end of that IP address will need to assign multiple IP addresses; OpenVPN does not support that. And it will be the remote end which needs to know what to do with these IP addresses and route them correctly on the server side. TL;DR: For physical local NICs, it *might* be possible with lots of extra work. For VPN services, multiple IP addresses on a single tun/dco interface is generally not possible. But you can run multiple VPN connections in parallel with separate tun/dco interfaces and route traffic (per IP range) accordingly. > VPN provider companies provide VPN service with IP addresses of > different countries. Do they have a separate server in that country? Yes. > Or have they just set IP addresses from different countries on the > same server? No. You can achieve such a per-country routing setup via the CloudConnexa service provided by OpenVPN Inc. But you need to setup a (VM) host in each country you want to send traffic via, and then configure them in CloudConnexa as egress points for specific IP ranges or even domain suffixes. When you connect your own client end to CloudConnexa, your Internet traffic will be automatically routed via the egress points you have defined in your CloudConnexa setup. But I am not aware of any other VPN provider having this capability. That said, I also don't have a too good overview of all of the VPN providers in this market; it's quite a wild west market segment (especially on the consumer VPN service side). 
-- kind regards, David Sommerseth > OpenVPN Inc
Hello, Thank you so much for your reply. I didn't mean OpenVPN virtual NIC (Tun), I meant server NIC. When you rent a server from a company and they provide you the IP of different countries, it means that they have already done the routing and you can set the IP of different countries on the NIC. Is it true? User opinions are different!!!
[Openvpn-users] A question about "Local" option
Hello, To use OpenVPN with a NIC that has multiple IP addresses set on it, I need to use the following statement in the server configuration file:

Local "Virtual IP"

But, when I use the following firewall rules and specify the virtual NIC, OpenVPN network card and IP range, is there still a need for Local "Virtual IP"?

# IF_MAIN=eth0:X
# IF_TUNNEL=tunX
# YOUR_OPENVPN_SUBNET=IP/16
# iptables -I INPUT -p udp --dport PORT -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to OpenVPN_NIC_IP

Thank you.
Re: [Openvpn-users] Options error: Unrecognized option or missing or extra parameter(s)
On Tue, 1 Aug 2023 05:57:29 + (UTC), Jason Long via Openvpn-users wrote: >OK, >in my use case I set up a VPN server on a public IP with the sole purpose to act >as a connection point between an IoT device running on a LAN with no public IP >available which we needed to access in order to configure, control and retrieve >data from. > >The solution was: >- Set up an OpenVPN server with a dyn-DNS address on the public side. >- Configure it to only allow client-to-client connections (so no other routing) >- Use the ccd system to assign specific tunnel addresses to each device when >connecting >- Make the IoT device connect to the VPN as part of the boot sequence > >Now we can connect our PC to the same VPN and then connect to the device(s) >using their known tunnel addresses. > >This works like a charm. :-) > > >-- >Bo Berglund >>Developer in Sweden > > > >Hello, >Great. >What is the correct syntax of >push "dhcp-option dns 172.20.1.2" for Windows OS client? I wonder: Have you even bothered to read/search in the OpenVPN documentation at all? Seems not since you are wildly posting new question threads here, which can be answered by reading the doc and searching for your arguments... https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/ And this answer is written in the community HowTo https://community.openvpn.net/openvpn/wiki/HOWTO -- Pushing DHCP options to clients The OpenVPN server can push DHCP options such as DNS and WINS server addresses to clients. Windows clients can accept pushed DHCP options natively, while non-Windows clients can accept them by using a client-side --up script which parses the foreign_option_n environmental variable list. See "Using DNS servers pushed to clients". For example, suppose you would like connecting clients to use an internal DNS server at 10.66.0.4 or 10.66.0.5 and a WINS server at 10.66.0.8. 
Add this to the OpenVPN server configuration:

push "dhcp-option DNS 10.66.0.4"
push "dhcp-option DNS 10.66.0.5"
push "dhcp-option WINS 10.66.0.8"

To test this feature on Windows, run the following from a command prompt window after the machine has connected to an OpenVPN server: ipconfig /all The entry for the TAP-Windows adapter should show the DHCP options which were pushed by the server. -- It is pretty disrespectful to totally ignore the existing documentation and instead spam a mailing list like this one! Just in the last 10 days you have started no less than 14 separate threads concerning this non-standard project of yours. This in a list that normally carries just a handful of threads per month! Please realize that these discussions wind up into everyone's mailboxes! I believe you would be better off posting into the OpenVPN web forum instead and keep your questions inside a single thread there: https://forums.openvpn.net/index.php -- > Bo Berglund > Developer in Sweden Hello, Thank you so much for useful information and advice. I read documents, but I search mostly on the internet and find questions similar to mine, and when I don't get any results, I ask questions here. For example, about the IP Forwarding and access to the internal network, I found a thread on the Ubuntu forum and someone had the same problem as me. In response to a question, a user had said that IP Forwarding must be disabled to access the internal network remotely. The question had a green tick tag. It means that the problem was solved by that user's answer. I disabled the IP Forwarding, but my problem was not solved and I asked here. Is it bad? It is not my intention to spam here or anywhere else. If I ask a lot of questions, it shows my eagerness to learn. And about the https://forums.openvpn.net/index.php, I asked the questions there too, but I did not receive an answer. I guess, that forum is disabled. 
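The HOWTO quoted above says non-Windows clients need a --up script that parses the foreign_option_n variables; the following is an added example of such a script, not part of the thread or of the OpenVPN project. OpenVPN exports every pushed option it does not consume itself as foreign_option_1, foreign_option_2, ... in the script's environment (for a DNS push the value is the string "dhcp-option DNS 10.66.0.4"). The first function turns the DNS and DOMAIN entries into resolv.conf lines; the second writes them, keeping a backup for a --down script to restore. The option values and the resolv.conf path in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): client-side --up handling of pushed
# dhcp-option DNS/DOMAIN values via the foreign_option_N environment.

# dns_from_foreign_options -> resolv.conf lines built from foreign_option_1..N
dns_from_foreign_options() {
    i=1
    while :; do
        # indirect lookup of foreign_option_$i; an unset one ends the list
        opt=$(eval "printf '%s' \"\${foreign_option_$i:-}\"")
        [ -z "$opt" ] && break
        set -f; set -- $opt; set +f
        # only "dhcp-option DNS <ip>" and "dhcp-option DOMAIN <name>" are
        # of interest here; WINS and anything else is left alone
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) echo "search $3" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# apply_dns [RESOLV_FILE] -> install the pushed resolvers, backing up the
# original so a --down script can copy it back
apply_dns() {
    resolv="${1:-/etc/resolv.conf}"
    lines=$(dns_from_foreign_options)
    [ -z "$lines" ] && return 0
    cp "$resolv" "$resolv.openvpn-backup"
    printf '%s\n' "$lines" > "$resolv"
}
```

Wire it in on the client with `script-security 2` and `up /path/to/this-script` (the script's main body would call `apply_dns`), and give the --down script the job of restoring from the backup; without that step the pushed resolvers survive the tunnel.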
Re: [Openvpn-users] How to write the iptables rules for a NIC with multiple IP addresses?
On 31.07.23 21:14, Jason Long wrote: > On Mon, Jul 31, 2023 at 4:20 PM, Jochen Bern wrote: >> > If, on the other hand, you'd like to type less, it's up to you to find >> ways to make the rules less specific that still agree with whatever >> *external* requirements you may have. For OpenVPN, the four rules
>>
>> iptables -I INPUT -p udp -m multiport --dports $PORT1,$PORT2 -j ACCEPT
>> iptables -A FORWARD -i tun+ -o e+ -s $BIG_SUBNET -j ACCEPT
>> iptables -A FORWARD -i e+ -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -t nat -A POSTROUTING -s $BIG_SUBNET -j SNAT --to $PUB_IP_RANGE
>>
>> would be enough to cover *all* instances that use those ports and [...]
>
> You used some variables: $PORT1,$PORT2 $BIG_SUBNET $PUB_IP_RANGE
>
> Above the iptables rules, I need to initialize them. Can I use the "," sign between the values? For example:
> BIG_SUBNET = 10.8.1.0/16, 10.8.2.0/16
No. There is a "multiPORT" extension for iptables that I used in my example, but no "multiNET" or somesuch. ferm would allow you to write a config pretty much like that, but it would nonetheless expand the list into several iptables rules under the hood. Kind regards, -- Jochen Bern Systemingenieur > Binect GmbH

Hello, Thanks again. I guess using "e+" is not OK, because it will use other NICs which are not needed. Can you write the iptables rules for a real example? For example, a server has enp3s0 and enp3s0:1 NICs:

enp3s0 : 1.2.3.4
enp3s0:1 : 1.2.3.5

Each NIC runs two servers:

Server1.conf : Tun1 1194 10.10.0.0/16
Server2.conf : Tun2 1195 10.11.0.0/16
Server3.conf : Tun3 1196 10.12.0.0/16
Server4.conf : Tun4 1195 10.13.0.0/16

I'm thankful if you show me the correct iptables rules for this scenario.
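For the four-server scenario asked about above, and for the "local" question in the other thread on this page, here is an added example (not a reply from the thread, and not OpenVPN project code) that generates the per-instance iptables rules and the matching server.conf lines. Two points it bakes in: enp3s0:1 is only an address label, not an interface, so -i/-o must name enp3s0 and the second address is selected with -d and --to-source instead; and Server2 and Server4 both use UDP/1195, so each must bind its own address with "local" or the second one fails to start. The instance table is constructed from the numbers in the mail; the generator prints commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): rules for several OpenVPN instances
# on one host with two public addresses on the same physical NIC.

# name nic ip port tun subnet, one instance per line (constructed from the mail)
INSTANCES='
Server1 enp3s0 1.2.3.4 1194 tun1 10.10.0.0/16
Server2 enp3s0 1.2.3.4 1195 tun2 10.11.0.0/16
Server3 enp3s0 1.2.3.5 1196 tun3 10.12.0.0/16
Server4 enp3s0 1.2.3.5 1195 tun4 10.13.0.0/16
'

# instance_directives NAME IP PORT TUN -> the server.conf lines that make
# each instance's address/port pair unique; without "local" the two
# instances on 1195 would both try to bind 0.0.0.0:1195.
instance_directives() {
    printf '# %s.conf\nlocal %s\nport %s\ndev %s\nproto udp\n' "$1" "$2" "$3" "$4"
}

# gen_rules [TABLE] -> iptables commands on stdout (dry run; "gen_rules | sh" applies)
gen_rules() {
    table="${1:-$INSTANCES}"
    # return traffic for any tunnel, once
    echo "iptables -A FORWARD -i e+ -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$table" | while read -r name nic ip port tun subnet; do
        [ -z "$name" ] && continue
        # accept the handshake only on the exact address/port this instance binds
        echo "iptables -A INPUT -i $nic -d $ip -p udp --dport $port -j ACCEPT"
        # clients of this instance may leave through the physical NIC
        echo "iptables -A FORWARD -i $tun -o $nic -s $subnet -j ACCEPT"
        # and are source-NATed to the address their instance lives on, so
        # replies come back to the same public IP (MASQUERADE would pick
        # the NIC's primary address for all four subnets)
        echo "iptables -t nat -A POSTROUTING -s $subnet -o $nic -j SNAT --to-source $ip"
    done
}
```

The INPUT rule is deliberately narrower than Jochen's multiport version: with two instances on 1195, "-d" is what keeps a probe against 1.2.3.4:1195 from being answered by anything but Server2.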
Re: [Openvpn-users] Options error: Unrecognized option or missing or extra parameter(s)
On Mon, 31 Jul 2023 21:51:43 +0200, Gert Doering wrote: >Hi, > >On Mon, Jul 31, 2023 at 09:11:31PM +0200, Bo Berglund wrote: >> On Mon, 31 Jul 2023 18:52:07 +0000 (UTC), Jason Long via Openvpn-users >> wrote: >> >> >What is the usage of the "client-to-client" and "iroute"? >> >> client-to-client: >> if you would like connecting clients to be able to reach each other over the >> VPN. By default, clients will only be able to reach the server. > >This is not fully correct. > >client-to-client means "the OpenVPN server will route packets between >clients directly". If this is not set, packets will be routed via the >Server's IP stack ("Linux tun interface"), so you can use iptables to >control connectivity between clients - but if iptables permit (and >"forward_ip" is enabled on the server!) clients can still talk. > OK, in my use case I set up a VPN server on a public IP with the sole purpose to act as a connection point between an IoT device running on a LAN with no public IP available which we needed to access in order to configure, control and retrieve data from. The solution was: - Set up an OpenVPN server with a dyn-DNS address on the public side. - Configure it to only allow client-to-client connections (so no other routing) - Use the ccd system to assign specific tunnel addresses to each device when connecting - Make the IoT device connect to the VPN as part of the boot sequence Now we can connect our PC to the same VPN and then connect to the device(s) using their known tunnel addresses. This works like a charm. :-) -- Bo Berglund >Developer in Sweden Hello, Great. What is the correct syntax of push "dhcp-option dns 172.20.1.2" for Windows OS client?
Re: [Openvpn-users] A question about the VPN providers
On Mon, Jul 31, 2023 at 11:49 PM, Jochen Bern wrote: On 31.07.23 21:42, Jason Long via Openvpn-users wrote: > Hello, Is it possible to set public IP addresses from different > countries on one NIC? > VPN provider companies provide VPN service with IP addresses of > different countries. Do they have a separate server in that country? > Or have they just set IP addresses from different countries on the > same server? Maybe not really separate *servers*, but you may assume that *Internet connections* (or "larger versions" of such) bought from providers in / serving that country are involved. >Kind regards, Hello, Thank you so much for your reply. So they can be just IP addresses from different countries that are set on a NIC. -- Jochen Bern Systemingenieur Binect GmbH