Re: [Openvpn-users] Transfer from one server to another, compress and digest

2024-01-03 Thread Joe Patterson
On Wed, Jan 3, 2024 at 11:24 AM Gert Doering  wrote:
>
> Ideally, you wouldn't create the keys "on the server" anyway - in a
> secure world, the CA key never leaves a *secure* machine for key generation,
> and you'd create server key(s) and client keys on this machine, copying
> to the target machines as are needed.

I'd argue that in the *idealest* world, the server and client keys are
created on the server and client, and CSRs and certificates get
copied to and from a secure CA. But that's pure nitpicking, and your
point absolutely stands.

-Joe


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] I can reach only part of the local LAN when connected

2022-10-02 Thread Joe Patterson
This may be a stupid question, but in the remote office, do you have a
route for 10.8.139.0/25? If not, then the clients can get packets to
the remote network, but the remote network can't get packets back to
the clients.

On Sun, Oct 2, 2022 at 7:44 AM Bo Berglund  wrote:
>
> 6 months ago or so I have set up a system where I have two fiber connected LAN
> segments in different locations tied together with OpenVPN into one single LAN
> using addresses 192.168.117.x and 192.168.119.x.
>
> The two segments have routers configured such that the 117 LAN connects with
> OpenVPN to my main LAN on 119 and the main LAN router has its routing set up to
> channel traffic for 117 via the OpenVPN tunnel.
>
> It works well for devices connected to the two LAN sections directly, but not
> when a device is connected to the main LAN via OpenVPN while travelling.
> In this case (I am now half a world away from home) I can reach my home LAN
> (119) but not the 117 LAN...
>
> So now I wonder how I should set up the OpenVPN server on the main LAN such that
> if a client wants to talk to a device on the 117 segment it can actually reach
> it?
>
> The server is set up for a split tunnel such that if a client addresses the
> server side LAN it will route through the tunnel but for Internet traffic it
> should use the local gateway directly.
> Now I think that it is actually doing this for traffic to LAN segment 117 too
> and this is what I would like to change.
>
> Here is my server side conf file:
>
> # this is the config for local only access
> port 1190
> proto udp
> dev tun
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key
> dh /etc/openvpn/keys/dh2048.pem
> tls-auth /etc/openvpn/keys/ta.key 0
> topology subnet
> server 10.8.139.0 255.255.255.0  'nopool'
> ifconfig-pool 10.8.139.2 10.8.139.127 255.255.255.0
> ifconfig-pool-persist ipplocal.txt
> push "route 192.168.119.0 255.255.255.0" #Local LAN access
> push "dhcp-option DNS 192.168.119.1" #Local server
> push "dhcp-option DNS 208.67.220.220" #Public server
> keepalive 10 120
> cipher AES-256-CBC
> #Disable compression and push this to the client
> comp-lzo no
> push "comp-lzo no"
>
> # This is needed for site-to-site routing via remote Router
> client-config-dir /etc/openvpn/ccdl
> route 192.168.117.0 255.255.255.0
> # Allow other clients to the server to also reach remote
> client-to-client
> push "route 192.168.117.0 255.255.255.0"
> # end site-to-site routing
> max-clients 20
> persist-key
> persist-tun
> status /etc/openvpn/log/ovpn-status_local.log
> log /etc/openvpn/log/ovpn_local.log
> verb 4
> mute 10
> explicit-exit-notify 1
> push "explicit-exit-notify 1"
>
> It seems like the following line does not affect the connected VPN clients on
> the server LAN:
> route 192.168.117.0 255.255.255.0
>
> What could I change to make it work?
>
> Can this line be modified to encompass a larger subnet maybe?
> push "route 192.168.119.0 255.255.255.0" #Local LAN access
>
> for example 192.168.116.0/22 (covering 116, 117, 118, 119)
>
>
> --
> Bo Berglund
> Developer in Sweden
>




Re: [Openvpn-users] Checking server and client certificates expiration?

2022-09-28 Thread Joe Patterson
The general form of what you want to do is:

openssl x509 -in file.crt -noout -text | grep 'Not After'

If you use the same command against the client files with the embedded
crypto, it will give you the expiration date of the first certificate
block, which *might* be your client cert, or *might* be your CA cert,
depending on how the file is structured.

you can manually copy the chunk between <cert> and </cert> and then
run it through openssl, or do something cleverish like:

grep -A 100 -F '<cert>' openvpn.conf | openssl x509 -noout -text | grep 'Not After'

Hope this is helpful.

-Joe

On Wed, Sep 28, 2022 at 10:08 AM Bo Berglund  wrote:
>
> I have been using OpenVPN for a rather long time now and I have realized that
> there is a risk that the server certificates may expire as well as the clients.
> The servers all run on Linux (Ubuntu server and Raspberry Pi) but clients are
> both Linux and Windows and actually also some ASUS routers...
>
> How can I check when this will happen?
> The clients use OVPN files with embedded crypto stuff and the server uses a set
> of crypto files in subdir etc/openvpn/keys.
>
> If I can check this and it turns out that they will be expiring in the near
> future, then what can I do to extend the life of them?
> Do I have to re-create the entire set of server and client certs?
>
> Notice:
> The certs were created using easy-rsa on the servers back when the system was
> created and new clients have been added over the years also using easy-rsa on
> the servers.
>
>
> --
> Bo Berglund
> Developer in Sweden
>


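Joe's one-liner reports only the first certificate block it happens to hit. As an added example written for this page (not code from the thread), the Python below walks every <ca> and <cert> inline block of an .ovpn file, decodes each PEM certificate with a minimal DER walker (no external libraries) and reports its notAfter date and the days left, so a CA block holding several concatenated certificates is covered as well. The sample .ovpn and the certificates inside it are constructed, unsigned X.509 skeletons built inline, so the script runs offline.

```python
import base64
import re
from datetime import datetime, timezone

UTC = timezone.utc

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """Decode X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])                  # RFC 5280: 50..99 -> 19xx, 00..49 -> 20xx
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as a UTC datetime."""
    _, cert, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)              # [0] EXPLICIT version, or serialNumber on a v1 cert
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)          # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)              # issuer Name
    _, validity, _ = _tlv(tbs, pos)         # validity SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)           # notBefore
    tag, value, _ = _tlv(validity, pos)     # notAfter
    return _time(tag, value)

_BLOCK = re.compile(r"<(ca|cert)>(.*?)</\1>", re.S)
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def embedded_certs(ovpn_text):
    """Yield (block, index, der) for each certificate in the <ca> and <cert> inline blocks.
    A <ca> block may hold several concatenated CA certs; <key>/<tls-auth> hold none and are skipped."""
    for m in _BLOCK.finditer(ovpn_text):
        for i, pem in enumerate(_PEM.finditer(m.group(2))):
            yield m.group(1), i, base64.b64decode("".join(pem.group(1).split()))

def check_ovpn(ovpn_text, now):
    """Return [(block, index, not_after, days_left), ...] for every embedded certificate."""
    report = []
    for block, i, der in embedded_certs(ovpn_text):
        expiry = not_after(der)
        report.append((block, i, expiry, (expiry - now).days))
    return report

# --- constructed sample input: unsigned X.509 skeletons, NOT real certificates ---
def _der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(expiry):
    """Just enough TBSCertificate structure for not_after() to parse; test data only."""
    fmt, tag = ("%y%m%d%H%M%SZ", 0x17) if expiry.year < 2050 else ("%Y%m%d%H%M%SZ", 0x18)
    rsa_sha256 = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                             # version v3
        _der(0x02, b"\x01"),                                         # serialNumber
        rsa_sha256,                                                  # signature
        _der(0x30, b""),                                             # issuer (empty Name)
        _der(0x30, _der(0x17, b"200101000000Z")                      # validity: notBefore,
             + _der(tag, expiry.strftime(fmt).encode())),            #           notAfter
        _der(0x30, b""),                                             # subject (empty Name)
    ]))
    return _der(0x30, tbs + rsa_sha256 + _der(0x03, b"\x00"))        # signatureAlgorithm, empty signature

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=UTC)
SAMPLE_OVPN = (
    "client\ndev tun\n<ca>\n"
    + to_pem(fake_cert(datetime(2031, 5, 1, tzinfo=UTC)))       # old CA
    + to_pem(fake_cert(datetime(2052, 1, 1, tzinfo=UTC)))       # new CA (GeneralizedTime)
    + "</ca>\n<cert>\n"
    + to_pem(fake_cert(datetime(2024, 3, 15, tzinfo=UTC)))      # client cert, expiring soon
    + "</cert>\n<key>\n-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n</key>\n"
)

if __name__ == "__main__":
    for block, i, expiry, days in check_ovpn(SAMPLE_OVPN, datetime.now(UTC)):
        print(f"<{block}>[{i}] Not After: {expiry:%Y-%m-%d}  ({days} days left)")
```

Point `check_ovpn` at the text of a real .ovpn file to get the same report for every certificate it embeds.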


Re: [Openvpn-users] client-to-client NO with exceptions ?

2021-11-19 Thread Joe Patterson
client-to-client bypasses nftables entirely.  With it enabled,
client-to-client packets are routed internally to openvpn via the
iroute table without ever being handed off to the kernel for
inspection, firewalling, routing, counting, capturing, mangling, or
anything else.

Without client-to-client, the packets are handed to the kernel on the
tun/tap interface where the kernel can decide what to do with them,
which may or may not include handing them back to openvpn to send out
to a different client.

On Fri, Nov 19, 2021 at 9:57 AM lejeczek via Openvpn-users
 wrote:
>
>
>
> On 19/11/2021 13:57, Gert Doering wrote:
> > Hi,
> >
> > On Fri, Nov 19, 2021 at 01:52:20PM +, lejeczek via Openvpn-users wrote:
> >>> unset client-to-client in the openvpn config, make sure "a given client"
> >>> has a known IP address (ifconfig-push in ccd/), then do the filtering
> >>> by iptables on the linux side.
> >> How can it be determined what ovpn does exactly to/with
> >> nftables?
> > That is easy: nothing.  If you want something done in iptables/nftables,
> > you need to set it up whatever you want it.
> >
> >> On most recent CentOS Stream 8 where firewalld is the tool
> >> to manage it, with 'direct' rules I fail to make it work - I
> >> keep making them looser increasingly but with NO
> >> 'client-to-client' I'm unable to have clients talk one to
> >> another.
> > Try disabling all firewalling first.  If client-to-client then still does
> > not work, the problem is somewhere else (like, ip_forwarding not enabled).
> >
> > If it works without firewalling, try with permissive rules that only log
> > stuff first, so you can see "this rule would have matched".
> >
> > gert
> client-to-client works. I did disable it as per your
> suggestion to "unset" and am trying to work it out through
> rules which would allow.
> But similarly enabled 'client-to-client' also seems to
> escape my rules to drop.
> What I am hoping for is some docs on the 'magic' bits
> 'client-to-client' do in nftables, if any.
>
> thanks, L.
>




Re: [Openvpn-users] Share dynamic routes between hosts

2021-09-22 Thread Joe Patterson
On Wed, Sep 22, 2021 at 4:19 AM Alex K  wrote:
>
>
>
> On Wed, Sep 22, 2021 at 3:12 AM Joe Patterson  wrote:
>> My first whack at this was an ugly kluge where I directly called vtysh
>> from my client-connect script, along the lines of:
>>
>> #parse ccd file for iroute and/or ifconfig-push
>> if "connect"
>>  vtysh -c 'config t' -c "ip route {net} {mask} {gateway}"
>> else
>>  vtysh -c 'config t' -c "no ip route {net} {mask} {gateway}"
>
> I guess the gateway is the active host in this case? (the other passive hosts 
> will need to reach the published internal networks of the client)

I believe that might be the case if you use TAP, I was using TUN, so
the "gateway" address was the IP of the openvpn side of the tunnel
interface, but actually I was remembering incorrectly, I just routed
to the interface itself, so {net} {mask} tunX

> Why do you publish push routes also? Aren't they supposed to just be pushed 
> to the client and used only from the clients?

I don't publish pushed routes, I publish pushed ifconfigs, i.e.
statically assigned IP's.

>>
>>
>> (please excuse my pseudocode)
>>
>> My second whack at it was a slightly more elegant kluge, where a
>> process connected to the management interface and did... a lot of
>> things, including keeping track of iroutes and advertising them via
>> localhost RIPv2 announcements that could be listened to by quagga and
>> redistributed into ospf. I tried it out some, and it did work, but I
>> don't think anyone (including myself) has ever run it in production.
>>
>> If you're feeling adventurous, it's here:
>> https://github.com/j-m-patterson/ovpnherder
>>
>> The basic idea behind it was to have multiple openvpn servers at
>> multiple sites, and any client could connect to any server and have
>> their iroute-ed subnets and static IP routed to them via ospf.
>>
>> Let me know if you're interested in it.
>
> Thank you for the feedback and pointer. Appreciated. I will have a look and 
> see where I end. In case I end to sth useful I will come back.
> By the way, my three servers are in the same LAN and not WAN distributed and 
> I use glusterfs to share all the openvpn configs and keys. So if I edit one 
> ccd file all the hosts get the same instantly.

I did something somewhat similar.  I stored all my ccd's in git and
then had a commit hook that pushed out to all of my servers.  I used
different keys for each server, and a single config file that pulled
in a local config that had things like a specific server's ifconfig
pool.

> I was thinking also as a quick hack to just add a cron job at each host which 
> will look for all the iroutes and add the required routes in case it is not 
> the active host to reach the client networks through the active one, but I 
> like the idea with OSPF to learn sth new.

That technically works, but you're running the cron job maybe every
minute, which seems like a lot of process executions, but on the other
hand, waiting up to a minute for your network to be reachable also
seems like a long time.

-Joe


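A runnable version of the client-connect pseudocode in this thread, written for this page (it is neither Joe's script nor ovpnherder): it parses a ccd file for iroute and ifconfig-push lines, follows `config` includes, and builds the vtysh call that adds or withdraws static routes pointing at the tun interface itself, as Joe's follow-up says he actually did. The ccd contents, the include file and the CCD_DIR path are constructed placeholders; common_name, dev and script_type are the environment variables OpenVPN exports to client-connect scripts.

```python
import os
import shlex
import subprocess

# Constructed ccd file for a client with CN "branch-router" (sample input, not from the thread).
SAMPLE_CCD = """\
# static tunnel address for this client
ifconfig-push 10.8.1.130 255.255.255.0
# subnets behind the client; an iroute without a netmask means a single host
iroute 192.168.117.0 255.255.255.0
iroute 192.168.118.7
push "route 192.168.119.0 255.255.255.0"   # pushed to the client, never a server route
config common-branch.conf                  # a ccd file may include another file
"""

# Constructed include target named by SAMPLE_CCD, keyed by file name.
SAMPLE_INCLUDES = {"common-branch.conf": "iroute 10.200.0.0 255.255.0.0\n"}


def ccd_routes(ccd_text, load_include=None):
    """Return [(network, netmask), ...] for every prefix the server must route towards this client.

    ifconfig-push  the client's own tunnel address, routed as a host (/32)
    iroute         a subnet behind the client; a missing netmask means a host route
    config         an included file, fetched via load_include(name) -> text and parsed recursively
    push lines only go to the client and never enter the server's table, so they are skipped.
    """
    routes = []
    for raw in ccd_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        if parts[0] == "ifconfig-push":
            routes.append((parts[1], "255.255.255.255"))
        elif parts[0] == "iroute":
            routes.append((parts[1], parts[2] if len(parts) > 2 else "255.255.255.255"))
        elif parts[0] == "config" and load_include is not None:
            included = load_include(parts[1])
            if included:
                routes.extend(ccd_routes(included, load_include))
    return routes


def vtysh_commands(routes, ifname, connect=True):
    """Build the argv for one vtysh call that adds (connect) or withdraws (disconnect) the routes.

    Every route points at the tun interface itself rather than at a gateway address,
    which is what Joe's follow-up in the thread says he actually did.
    """
    keyword = "ip route" if connect else "no ip route"
    argv = ["vtysh", "-c", "config t"]
    for net, mask in routes:
        argv += ["-c", f"{keyword} {net} {mask} {ifname}"]
    return argv


def main():
    """Run as the OpenVPN client-connect / client-disconnect script.

    OpenVPN exports common_name, dev and script_type to these scripts; the ccd directory is
    not exported, so CCD_DIR is a placeholder that must be set to your client-config-dir.
    """
    ccd_dir = os.environ.get("CCD_DIR", "/etc/openvpn/ccd")
    cn = os.environ["common_name"]
    if not cn or "/" in cn or cn.startswith("."):      # never let a CN escape the ccd directory
        raise SystemExit(f"refusing suspicious common_name {cn!r}")
    path = os.path.join(ccd_dir, cn)
    if not os.path.isfile(path):
        return                                          # no ccd file: nothing to route

    def load_include(name):
        with open(os.path.join(ccd_dir, os.path.basename(name))) as f:
            return f.read()

    with open(path) as f:
        routes = ccd_routes(f.read(), load_include)
    if routes:
        connect = os.environ["script_type"] == "client-connect"
        subprocess.run(vtysh_commands(routes, os.environ["dev"], connect), check=True)


if __name__ == "__main__":
    main()
```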


Re: [Openvpn-users] [ext] Re: CA migration?

2021-07-22 Thread Joe Patterson
Or, make a new ca.crt file with both the old and new ca certs, no
cross-signing required. Deploy to server, then to clients, so that
both server and clients trust both CA's.  Then update the client certs
one by one to the new CA. Then update the server cert to the new CA.
Then deploy a ca.crt with only the new CA cert.

This is tested, at least once, by me, because it's exactly what I did
after our root CA key got corrupted and was about to expire. (word to
the wise: one of the dangers of storing a root CA key on offline media
for 10 years is that sometimes offline media doesn't last for 10
years.  I really should have just printed it out and put it in a safe
as backup)

-Joe

On Thu, Jul 22, 2021 at 5:35 PM Selva Nair  wrote:
>
> Hi,
>
> On Thu, Jul 22, 2021 at 3:40 AM Ralf Hildebrandt 
>  wrote:
>>
>> * Bo Berglund :
>> > On Wed, 21 Jul 2021 10:57:50 +0200, Ralf Hildebrandt
>> >  wrote:
>> >
>> > >But how do I do this? Can I make openvpn accept client certificates
>> > >from two CAs (the old and the new one)?
>> >
>> > Why using a new certificate?
>>
>> I need a new CA due to the german BSI crypto regulations (RSA 2048 is
>> not enough)
>>
>
> The usual approach for updating CA would be to use cross-signed (or link) 
> certificates. I haven't tried it with OpenVPN, but here is a thought:
>
> First update the server cert signed by the new CA but include a link cert for 
> the new CA  signed by the old CA. That will make it possible for clients to 
> still verify the new server cert. Change the CA cert on the server to a stack 
> of old and new CA. Then gradually update the cert and ca on clients to the 
> new one (new CA only not old+new). When all clients are updated remove the 
> old CA cert and the link cert on the server.
>
> Totally untested.
>
> Selva




Re: [Openvpn-users] CA migration?

2021-07-21 Thread Joe Patterson
Yes. A CA crt file can contain multiple certificates concatenated together.

I did exactly this same thing not long ago.

Joe

On Wed, Jul 21, 2021, 4:59 AM Ralf Hildebrandt 
wrote:

> I want to transition from an old, internal CA (easyrsa) to a new,
> internal CA (also easyrsa).
>
> But how do I do this? Can I make openvpn accept client certificates
> from two CAs (the old and the new one)?
>
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
>
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
>
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de


Re: [Openvpn-users] OpenVPN 2fa user authentication

2021-07-05 Thread Joe Patterson
This does kind of depend on how one defines "2FA".  If you define the
"two factors" as a certificate and a password, then just
auth-user-pass and set up the PAM plugin.

If you want MFA, where the factors are a certificate, password, *and*
OTP, then you'll need to do what you're talking about with respect to
OTP authentication.

Just me being pedantic.  :)

-Joe

On Mon, Jul 5, 2021 at 12:34 PM Selva Nair  wrote:
>
> Hi
>
> On Mon, Jul 5, 2021 at 11:58 AM David Mehler  wrote:
>>
>> Hello,
>>
>> Thank you for your reply. I do not have a plugin-auth-pam I've run a
>> find for it. Where would this be at? This would be perfect, especially
>> if I'm understanding your response right each client certificate would
>> then be bound to a specific username and password which would have to
>> be validated serverside.
>
>
> The plugin location may depend on the distribution. In ubuntu and debian it 
> may be in
>  /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
>
> Note that you need a fairly recent version of OpenVPN (iirc 2.4.10 or later) 
> for the plugin to take apart the password and PIN and present it to PAM. You 
> will need:
>
> In client config:
> auth-user-pass
> static-challenge "Challenge text (eg., Enter the auth code)" 1
>
> In server config
> plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:
> USERNAME Password: PASSWORD Verification OTP"
>
> This assumes your PAM module prompts for login:, Password: and, say, 
> Verification code:
> (See README.auth-pam distributed with OpenVPN for how to format the
> above line to match your pam setup).
>
> There is a lot of discussion of this in the users-list. Search the list 
> archive. One of the latest threads is
> https://sourceforge.net/p/openvpn/mailman/message/37266238/
>
> For older versions of PAM plugin which does not understand OTP, one option is 
> to ask the user to input the password and OTP as a single string and then 
> take it apart in your PAM module. In that case remove static challenge from 
> user config. But this is no longer required, nor recommended -- use 2.4.10+ 
> or 2.5.x on the server.
>
> Selva




Re: [Openvpn-users] Defining custom routes for particular users

2021-06-27 Thread Joe Patterson
On Sat, Jun 26, 2021 at 5:31 PM Gert Doering  wrote:
> I'm not sure our include mechanism works in ccd files - but you could
> try.  It's done by specifying a config file in a config file, so
>
>   ifconfig-push ...
>   ifconfig-ipv6-push ...
>   config my_standard_set.conf

I can confirm from experience that the include mechanism works in ccd
files. I've used it extensively.

-Joe




Re: [Openvpn-users] Is it possible to mix ccd and non-ccd clients to the same server?

2021-05-27 Thread Joe Patterson
Something I'm curious about, but haven't actually tried, is what
happens in the case of overlap between ifconfig-push and
ifconfig-pool.  Obviously it's best not to overlap these, but if one
were to... not do that, what happens if the next pool address is
already assigned via push?  My assumption is that ovpn is smart enough
to skip it. More interesting is what happens if a push'd address is
already assigned via pool? Does it disconnect the pool client? ignore
the push'd address and select a free one from the pool? Send someone
to your house to slap you for doing such a silly thing?

Just curious...

Thanks,

-Joe

On Thu, May 27, 2021 at 6:58 AM Jan Just Keijser  wrote:
>
> On 27/05/21 12:33, Bo Berglund wrote:
> > I am a bit confused about how the ccd mechanism works...
> >
> > Say that I want to assign a limited number of clients with specific tunnel
> > addresses, whereas the other connecting clients will use dhcp provided
> > addresses.
> > In the server.conf file I have this:
> >
> > server 10.8.1.0 255.255.255.0 'nopool'
> > ifconfig-pool 10.8.1.2 10.8.1.127 255.255.255.0
> > client-config-dir /etc/openvpn/ccd2
> > ifconfig-pool-persist ipp2.txt
> > client-to-client
> >
> > Then in the dir /etc/openvpn/ccd2 I have a few files named as the CN (common
> > name) of a few "server" clients, each of which will contain this (with a
> > different last number in the IP address):
> >
> > ifconfig-push 10.8.1.130 255.255.255.0
> >
> > My question now is how this works?
> > Will the presence of a ccd file named as the CN of the connecting client mean
> > that the main directive ifconfig-pool is *not* used if the ccd file contains an
> > ifconfig-push directive?
> the settings from the ccd file overwrite the settings from the main file
> > I assume that all clients not mentioned in the ccd directory will just get the
> > next "free" IP from the defined pool between 2 and 127?
> Correct, unless you had used
>--ccd-exclusive
> which means that clients without a CCD file simply are not allowed to
> connect.
>
> Also, you can have a "default" CCD file named DEFAULT (capitals, no extension)
>
> > I want to set up a system whereby a couple of TCP/IP servers can connect to this
> > OpenVPN and get fixed known tunnel addresses. Then "normal" clients can also
> > connect and get their addresses out of the pool.
> > With this running the clients should be able to connect to the servers using
> > their known addresses from the ccd file.
> >
> > Is this how it will work?
> Yup, this is definitely doable but you need to ensure that routing is
> done correctly to and from the CCD-based clients.
>
> HTH,
>
> JJK
>




Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
On Wed, Apr 21, 2021 at 1:55 PM Selva Nair  wrote:
>
> Hi,
>
> On Wed, Apr 21, 2021 at 1:35 PM Joe Patterson  wrote:
>>
>> I stand corrected!  That's very useful to know.
>>
>> Does the "OTP" keyword in the plugin correspond to the OTP argument in
>> the static challenge?
>
>
> No, the argument to static-challenge is local to the client and only used for 
> prompting the user. It's not passed to the server. You can write it 
> differently in each client config if you wish.
>

I thought that seemed like it would be weird.  :)

>>
>> Like if my static challenge was "static-challenge 'enter the number
>> from your authenticator' 1", I'd use auth_pam.so "openvpn login:
>> USERNAME Password: PASSWORD Verification 'enter the number from your
>> authenticator'"?
>
>
> The capitalized words, USERNAME, PASSWORD and OTP are hard coded and stand 
> for the values for username, password and otp received from the client. These 
> get used against the corresponding prompts, "login:", "Password:" and 
> "Verification" in my example. So those latter words are specific to your set 
> up. Only the beginning of the prompt is matched, so "Verification" would also 
> match, say, a pam prompt of "Verification PIN:".
>

Fantastic.

> It's also possible to expose the common name to PAM -- use COMMONNAME as the 
> place-holder. See README.auth-pam.

I know.  I wrote that code.  :)

Thanks!

-Joe




Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
I stand corrected!  That's very useful to know.

Does the "OTP" keyword in the plugin correspond to the OTP argument in
the static challenge?

Like if my static challenge was "static-challenge 'enter the number
from your authenticator' 1", I'd use auth_pam.so "openvpn login:
USERNAME Password: PASSWORD Verification 'enter the number from your
authenticator'"?

Thanks,

-Joe

On Wed, Apr 21, 2021 at 12:40 PM Selva Nair  wrote:
>
> Hi
>
> On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson  
> wrote:
> >
> > What you're looking for is the openvpn challenge/response protocol,
> > which can be used when authentication is done via the management
> > interface.
> >
> > https://openvpn.net/community-resources/management-interface/
> > describes it a bit.
> >
> > I know that the MFA portion of the management interface system I wrote
> > (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
> > tokens via static challenge (which is where you put the
> > "static-challenge" directive in the client config) as well as
> > concatenating them with the password.
> >
> > Unfortunately, as far as I can tell, static and dynamic
> > challenge-response isn't available if you're using a plugin or script
> > for authentication. So if you're ready to take the plunge into using
> > the management interface, you can do it.  Otherwise, you're stuck with
> > concatenating the OTP token to the password.
>
> Static challenge can be used with plugins and scripts on the server --
> management-auth not required. Here is a pared down example of what I
> use:
>
> Add to client config
>
> static-challenge "OTP " 1
>
> This causes the  openvpn client (or its UI/GUI) to prompt separately for
> username, password and OTP . The prompt text for the latter is taken
> from the first argument to static-challenge. The second arg (1
> above) controls echo-ing of the pin. See the man page of openvpn for
> details. This prompt is also supported by OpenVPN-GUI on windows and,
> I think, by tunnelblick, viscosity and probably others.
>
> On the server, details vary depending on the need and verification
> mechanism used. I use PAM for which one adds to the server config:
>
> plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:
> USERNAME Password: PASSWORD Verification OTP"
>
> (See README.auth-pam distributed with OpenVPN for how to format the
> above line to match your pam setup).
>
> And have a pam config /etc/pam.d/openvpn with, say,
>
> @include common-auth
> account  required pam_access.so
> @include common-account
> @include common-password
> @include common-session
>
> where common-auth has
>
> auth required pam_google_authenticator.so
>
> among other modules. There are so many ways of setting up PAM
> depending on how the user is authenticated (unix user db, ldap, Active
> Directory, ...), what kind of OTP is in use etc. The above is only
> meant to describe the essentials.
>
> Selva




Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
What you're looking for is the openvpn challenge/response protocol,
which can be used when authentication is done via the management
interface.

https://openvpn.net/community-resources/management-interface/
describes it a bit.

I know that the MFA portion of the management interface system I wrote
(https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
tokens via static challenge (which is where you put the
"static-challenge" directive in the client config) as well as
concatenating them with the password.

Unfortunately, as far as I can tell, static and dynamic
challenge-response isn't available if you're using a plugin or script
for authentication. So if you're ready to take the plunge into using
the management interface, you can do it.  Otherwise, you're stuck with
concatenating the OTP token to the password.

On Tue, Apr 20, 2021 at 3:59 PM Bogdan Rudas via Openvpn-users
 wrote:
>
> Hello!
>
> I've read a couple of guidelines regarding MFA with OpenVPN and all of them 
> mention that the 2nd factor could be either sent as password (with client 
> cert auth) or appended to the password string. Well, people tend to enter a 
> password when they see the password field.
> At the moment the only straightforward and more or less human-friendly way to 
> set up login+password+2fa authentication is to use a kind of 'push token' MFA 
> (so the user confirms login in some mobile application).
> OTP, password cards and any other way that demands text input from the user 
> demands too much from the users: they need to blindly enter the password, then 
> type 2nd factor, can't see what they type and don't even know if 
> authentication failed because of wrong password or wrong OTP numbers (for 
> example).
> Is it possible to ask the user for the 2nd factor like OpenVPN client asks 
> for login and password and send discrete error messages for password and for 
> 2nd factor failures?
>
> Thank you.
> --
> Bogdan Rudas
> Director of IT Europe
> Exadel Inc.
> http://www.exadel.com/
> E-mail: bru...@exadel.com
> Skype ID: bogdan.rudas
>




[Openvpn-users] ovpnherder

2021-02-16 Thread Joe Patterson
A few years ago, I wrote a little application to help with some
openvpn services. Then some things changed, and I never got a chance
to put it into production.  So I thought I'd check here and see if
anyone might find it useful, or be interested in trying it out, or
might even want to improve on it.

It uses the management interface and connects to one or more openvpn
instances. It has a few features that I think are kind of neat. It
handles authentication, and authenticates against ldap, can have a
list of allowed source IP's, and can do OTP.  When doing OTP, it only
checks on initial connection, not on reauth (so you don't have to put
in your OTP every time openvpn re-authenticates). It uses
client-config-dir style configs, but can also do templating (so user-*
all gets the same config, for example). It does some fun things with
iptables. It can register your CN with DDNS.

Perhaps the most nifty thing it does is to capture ifconfig-push and
iroute directives, and then sends those out as RIPv2 routing updates,
which can adjust routes on a rip daemon running on localhost to
dynamically update the server's routing table, and/or be redistributed
into another routing protocol (such as OSPF), so that you can have
multiple openvpn servers in multiple locations, and clients with
static IP addresses and/or irouted subnets behind them will get
routing right no matter where they connect.

If this sounds intriguing, my code and an example config is at
https://github.com/j-m-patterson/ovpnherder. I haven't tested anything
in years, but so far as I know, it should still work.

Let me know what you think.

Thanks!

-Joe




[Openvpn-users] Concatenate CRL's?

2021-01-11 Thread Joe Patterson
If I have multiple CA's, will openvpn understand a --crl-verify
"file", where the file contains the CRL's from all of the CA's
concatenated together?  Or will it accept multiple --crl-verify
entries?

It looks like if I use the --crl-verify "file" dir method, I will run
into trouble if I have serial number collisions between CA's.

It seems like the "right" way to do it is to use the --capath method,
but I want to understand all my options.

I seem to have painted myself into a corner and am trying to find the
least-painful way to get out.

Thanks all!




Re: [Openvpn-users] On Access policies

2020-07-30 Thread Joe Patterson
That only works as far as you trust your users not to violate policy
(which, generally speaking, you shouldn't).  There's nothing stopping
them from adding "route" statements to their own config files.
Anything you can push, the user can add without it being pushed.
Well, except ifconfig push, which is policed (I believe), and you can
then use those statically provisioned IP addresses in firewall rules.

On Thu, Jul 30, 2020 at 4:36 PM Alex K  wrote:
>
>
>
> On Wed, Jul 29, 2020, 07:57 Peter Fraser  wrote:
>>
>> HI All
>>
>> I set up my OpenVPN Server for IT access but now everyone seems to love and 
>> I have to be allowing more and more persons. I wonder, is there a way to 
>> prevent one user from accessing a particular route that is listed in the 
>> global config file. I have only seen how to the opposite, that is, allow a 
>> user access to a route not listed in the global config. Any help would be 
>> greatly appreciated.
>
> As a simple approach,  I would recommend pushing specific routes to users 
> through the ccd file. Each ccd file named according to the common name of the 
> user's cert.
>>
>> Regards,




Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support --"TAP support removal" rumor

2020-04-30 Thread Joe Patterson
My previous attempt was a client-connect script that directly added
static routes to quagga via vtysh commands. It worked... usually.
Sometimes.

I see what you're saying about adding iroutes dynamically
post-connect.  I skirt this issue by using OSPF on p2p links between
my openvpn servers, then using my client-connect script or my
management daemon to add ifconfig-push'd static IP addresses or
iroutes from CCD files to the routing table when p2mp clients connect.
So I have no facility for adding a new iroute to a particular client
beyond restarting the connection.  I can definitely understand how
that could be challenging.

On Thu, Apr 30, 2020 at 2:14 PM Gert Doering  wrote:
>
> Hi,
>
> On Thu, Apr 30, 2020 at 01:53:29PM -0400, Joe Patterson wrote:
> > So, I've got a back-burner project that does parts of this.  It's a
> > daemon that connects to the management console and handles things like
> > client auth and such.  The way I did it was that the daemon keeps an
> > internal copy of basically the iroute table, and then advertises it
> > via RIPv2 on localhost.  I can then set up quagga to listen for RIP on
> > localhost and redistribute RIP-learned routes via OSPF.  At some point
> > I will probably share it to the world, as it does some other handy
> > things as well, and also because I am not a master coder, so I'm sure
> > it could be improved upon by smarter folks than me.
>
> Nice.
>
> It's the easier part of the whole thing, though... (You can do the
> "learn about iroute and put into kernel routing" part in client-connect
> scripts as well, and radiusplugin is also doing something along those
> lines to get radius-provided routes installed).
>
> The part that is - as far as I am aware - totally impossible today is
> "while a client is connected, tell OpenVPN that a new iroute is needed
> for this client" (which would be needed if OSPF decides "hey, I want
> to route  to ").
>
> We have a trac ticket for this, somewhere, and all progress we've
> made so far was "uh, this is hard, and there be dragons" :-)
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support --"TAP support removal" rumor

2020-04-30 Thread Joe Patterson
So, I've got a back-burner project that does parts of this.  It's a
daemon that connects to the management console and handles things like
client auth and such.  The way I did it was that the daemon keeps an
internal copy of basically the iroute table, and then advertises it
via RIPv2 on localhost.  I can then set up quagga to listen for RIP on
localhost and redistribute RIP-learned routes via OSPF.  At some point
I will probably share it to the world, as it does some other handy
things as well, and also because I am not a master coder, so I'm sure
it could be improved upon by smarter folks than me.

-Joe

On Thu, Apr 30, 2020 at 1:25 PM Gert Doering  wrote:
>
> Hi,
>
> On Thu, Apr 30, 2020 at 02:51:25PM +0200, free...@tango.lu wrote:
> > I guess in 2020 we should be done with that type of crap quality. Just
> > write a proper step by step howto please on OSPF+OpenVPN
>
> Please do so!  You are the one who wants to do this, so please share
> your experience when you have it working.
>
> > but what would
> > be even better to have an "ospf" one liner option and when you put that
> > into the OpenVPN config it will just do the magic trick.
>
> Someone will need to implement this in OSPF.  I explained what is needed
> to do it, now it "just needs to be done".
>
> It requires a fairly deep understanding about routing, OpenVPN iroute
> vs. Linux kernel routing, netlink, and C code...  so maybe there's only
> Antonio (and maybe I) today who can do it, but the craft can be learned :-)
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] crl-verify [SOLVED]

2020-04-16 Thread Joe Patterson
My first thought is "It should be trivial to write a little script to
go through and link the decimal name to the hex name", and even
though, intellectually, I know that the chance of a collision between
hex and dec names in that large a space would be infinitesimal, it
still manages to really bother me that it *could* happen.

On Thu, Apr 16, 2020 at 3:16 PM tincanteksup  wrote:
>
> Hi,
>
>
> On 16/04/2020 19:52, richard lucassen wrote:
> > On Thu, 16 Apr 2020 12:02:17 +0200
> > richard lucassen  wrote:
> >
> > Yeah right:
> >
> > cd /etc/openvpn/crl/tun0/
> > mv 0B 11
> >
> > Now it works. The serial number must be decimal.
>
> Which is even more 'fun' with randomised serial numbers, eg:
>
> 94:68:4a:17:db:99:a7:36:88:ad:7d:70:fa:f6:99:11
>
> Which EasyRSA now uses by default.
>
> I presume openvpn is converting Hex to Dec in the code somewhere ?
>
>
>


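An added example, not code from either thread, covering this post and the earlier "Concatenate CRL's?" question about `--crl-verify` in `dir` mode: it converts the hex serials OpenSSL and EasyRSA print into the decimal file names OpenVPN looks up, creates the marker file, and flags the two ambiguities raised (hex and decimal names side by side in one directory, and the same serial issued by two CAs). All serials are constructed.

```python
"""Helpers for OpenVPN's ``--crl-verify <dir> dir`` mode.

In that mode the directory holds one (possibly empty) file per revoked
certificate, named by the certificate's serial number written as a
*decimal* string.  OpenSSL and EasyRSA print serials in hex ("0B",
"94:68:4A:17:..."), so a revocation script has to convert.
Added example, not code from the thread; all serials are constructed.
"""
import re
import tempfile
from pathlib import Path

_HEX_SERIAL = re.compile(r"^[0-9A-Fa-f]+$")


def hex_serial_to_decimal(serial: str) -> str:
    """Turn an OpenSSL-style hex serial ('0B' or '94:68:4a:...') into the
    decimal string OpenVPN uses as the file name in dir mode."""
    digits = serial.strip().replace(":", "")
    if not _HEX_SERIAL.match(digits):
        raise ValueError(f"not a hex serial: {serial!r}")
    return str(int(digits, 16))


def revoke_serial(crl_dir, hex_serial: str) -> Path:
    """Create the (empty) marker file for one revoked serial; OpenVPN never
    reads its contents, only the file name matters."""
    marker = Path(crl_dir) / hex_serial_to_decimal(hex_serial)
    marker.touch()
    return marker


def hex_decimal_name_clashes(hex_serials) -> set:
    """Names that become ambiguous if a directory holds BOTH the hex and the
    decimal spelling of each serial (the symlink idea in the post above).
    Hex serial 0x11 named '11' reads as decimal 11, i.e. as serial 0x0B."""
    hex_names = {s.strip().replace(":", "").upper() for s in hex_serials}
    dec_names = {hex_serial_to_decimal(s) for s in hex_serials}
    return hex_names & dec_names


def cross_ca_clashes(serials_by_ca: dict) -> dict:
    """Decimal names issued by more than one CA.  Dir mode keys on the serial
    alone, so revoking such a serial for one CA also blocks the other CA's
    certificate that carries the same serial (the worry in the earlier
    question)."""
    owners = {}
    for ca, serials in serials_by_ca.items():
        for s in serials:
            owners.setdefault(hex_serial_to_decimal(s), set()).add(ca)
    return {name: cas for name, cas in owners.items() if len(cas) > 1}


def demo_revoke() -> str:
    """Create a temporary crl dir, revoke serial 0B, return the file name."""
    with tempfile.TemporaryDirectory() as d:
        return revoke_serial(d, "0B").name


if __name__ == "__main__":
    print("0B ->", hex_serial_to_decimal("0B"))
    print("clashes:", hex_decimal_name_clashes(["0B", "11"]))
```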


Re: [Openvpn-users] Multiple VPN segments, dispatching by client credentials instead of port?

2019-11-27 Thread Joe Patterson
Pretty sure there isn't a size limitation, however if you're going to
roll your own address management, you probably don't want to use the
"server" directive.  Look in the documentation, "server" is a shortcut
to a whole big chunk of other commands, only some of which you
actually want.  You want "mode server" and "tls-server", and
"ifconfig" and "route", but you don't want the "ifconfig-pool",
because you're going to be doing that on your own.

-Joe

On Wed, Nov 27, 2019 at 11:11 AM Joshua Judson Rosen
 wrote:
>
> Is there any sort of subnet size limitation I should be aware of? Like,
> if I tell OpenVPN a "server" directive with a /19 specified, should I expect 
> any problems from that?
> (the routing and firewalling rules are straightforward, and there won't 
> actually be _that_ many
>  clients at this point, but if I have to roll my own address-management, just 
> allocating 1k-address
>  subnets eases some pains...).
>
> On 11/26/19 4:28 PM, Joe Patterson wrote:
> > On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen
> >  wrote:
> >>
> >> On 11/26/19 5:36 AM, Gert Doering wrote:
> >>> Hi,
> >>>
> >>> On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> >>>> Is there some way to set up an OpenVPN server with multiple distinct VPN 
> >>>> segments behind
> >>>> a common listening port, such that I can dispatch connections based on 
> >>>> which CA signed
> >>>> the client certificate?
> >>>
> >>> With intermediate CAs, this might work.  With distinct CAs that have
> >>> nothing to do with each other, not sure how to get the server to trust
> >>> all of them.
> >>>
> >>>> I've been trying to avoid having different config-files on the clients if 
> >>>> possible,
> >>>> but having different keys and certificates is fine.
> >>>
> >>> Your client certificates *could* encode different meaning into the
> >>> DN, like
> >>>
> >>>   client-marketing-1234
> >>>   client-tech-567
> >>>
> >>> and then have the client-connect script shell out client options (IP
> >>> addresses, possibly VLANs, ...) according to the "marketing" or "tech"
> >>> part.
> >>
> >> Yeah--I've actually done some things with client-connect and tls-verify 
> >> scripts already,
> >> e.g. dynamic DNS updates and custom logging of things like 
> >> certificate-expiries.
> >>
> >> Can I actually use different *server-side* configuration options like 
> >> "route" and "ifconfig-pool"
> >> for different subsets of clients of a single server instance if I feed them 
> >> into the tempfile
> >> from a client-connect script?
> >
> > pretty sure not, I think you can only feed things that you would have
> > been able to put in a ccd file (so ifconfig-push, yes.  ifconfig-pool,
> > no.  iroute yes, route no).  But you can roll your own dynamic IP
> > address assignment, and pass it as ifconfig-push.  And while you can't
> > pass "route" directives, you certainly can (assuming the script is
> > running with the appropriate privileges) run an "ip route" command to
> > do what you would have done with the route directive.
> >
> > -Joe
> >
>
> --
> "Don't be afraid to ask (λf.((λx.xx) (λr.f(rr."




Re: [Openvpn-users] Multiple VPN segments, dispatching by client credentials instead of port?

2019-11-26 Thread Joe Patterson
On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen
 wrote:
>
> On 11/26/19 5:36 AM, Gert Doering wrote:
> > Hi,
> >
> > On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> >> Is there some way to set up an OpenVPN server with multiple distinct VPN 
> >> segments behind
> >> a common listening port, such that I can dispatch connections based on 
> >> which CA signed
> >> the client certificate?
> >
> > With intermediate CAs, this might work.  With distinct CAs that have
> > nothing to do with each other, not sure how to get the server to trust
> > all of them.
> >
> >> I've been trying to avoid having different config-files on the clients if 
> >> possible,
> >> but having different keys and certificates is fine.
> >
> > Your client certificates *could* encode different meaning into the
> > DN, like
> >
> >   client-marketing-1234
> >   client-tech-567
> >
> > and then have the client-connect script shell out client options (IP
> > addresses, possibly VLANs, ...) according to the "marketing" or "tech"
> > part.
>
> Yeah--I've actually done some things with client-connect and tls-verify 
> scripts already,
> e.g. dynamic DNS updates and custom logging of things like 
> certificate-expiries.
>
> Can I actually use different *server-side* configuration options like "route" 
> and "ifconfig-pool"
> for different subsets of clients of a single server instance if I feed them 
> into the tempfile
> from a client-connect script?

pretty sure not, I think you can only feed things that you would have
been able to put in a ccd file (so ifconfig-push, yes.  ifconfig-pool,
no.  iroute yes, route no).  But you can roll your own dynamic IP
address assignment, and pass it as ifconfig-push.  And while you can't
pass "route" directives, you certainly can (assuming the script is
running with the appropriate privileges) run an "ip route" command to
do what you would have done with the route directive.

-Joe




Re: [Openvpn-users] Multiple VPN segments, dispatching by client credentials instead of port?

2019-11-26 Thread Joe Patterson
On Tue, Nov 26, 2019 at 5:38 AM Gert Doering  wrote:
>
> Hi,
>
> On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> > Is there some way to set up an OpenVPN server with multiple distinct VPN 
> > segments behind
> > a common listening port, such that I can dispatch connections based on 
> > which CA signed
> > the client certificate?
>
> With intermediate CAs, this might work.  With distinct CAs that have
> nothing to do with each other, not sure how to get the server to trust
> all of them.

That's surprising to me... I've never tried it, but I always assumed
that the ca file could contain multiple independent CA's, and so long
as a cert was signed by one of them, it was considered valid.

And actually, looking at the documentation, it says: "This file can
have multiple certificates in .pem format, concatenated together."


However, to the question at hand, as with so very many things with
openvpn, this seems like something that's not built in, but you can
certainly do it...

I've played around some with writing programs to interact with the
openvpn management interface, and when a client connects, you get a
*lot* of information, with which you can choose to do whatever you
want.  You could have multiple CA's, independent or intermediate, or
you could have one CA and give clients certificates with distinct
OU's, which will come through the management interface like:
">CLIENT:ENV,X509_0_OU=Testing".  And then your program interfacing
with the management port can do whatever with that information,
including but not limited to assigning IP addresses based on that
info, or setting firewall rules based on it, or whatever.

-Joe

>
> > I've been trying to avoid having different config-files on the clients if 
> > possible,
> > but having different keys and certificates is fine.
>
> Your client certificates *could* encode different meaning into the
> DN, like
>
>   client-marketing-1234
>   client-tech-567
>
> and then have the client-connect script shell out client options (IP
> addresses, possibly VLANs, ...) according to the "marketing" or "tech"
> part.
>
> > If it's not something that OpenVPN can manage itself, maybe there's some 
> > sort of
> > proxy that I could put in front of OpenVPN? Sort-of like how slt can 
> > dispatch to different
> > back-end TLS ports based on SNI, except based on the client credentials 
> > presented
> > instead of SNI?
>
> Not that I'm aware.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de


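An added example of the management-interface approach described above (not the author's program): it parses `>CLIENT:` notification blocks and answers each CONNECT with `client-auth` options chosen by the `X509_0_OU` value, or with `client-deny` when the OU is unknown. The policy table and the notification transcript are constructed.

```python
"""Act on ``>CLIENT:`` notifications from the OpenVPN management interface,
dispatching per-client options by the certificate's OU.

Added example illustrating the approach in the post above; it is not the
author's daemon.  Notification layout follows OpenVPN's management-notes.txt:
CONNECT/REAUTH/ESTABLISHED/DISCONNECT carry the CID (and a KID for the first
two) and are followed by ``>CLIENT:ENV,key=value`` lines up to
``>CLIENT:ENV,END``; ADDRESS stands alone.  POLICY and SAMPLE are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy: OU -> client-config lines sent back inside client-auth.
POLICY = {
    "Testing": ['push "route 10.99.0.0 255.255.255.0"'],
    "Ops": ["ifconfig-push 10.8.1.10 255.255.255.0",
            'push "route 10.0.0.0 255.0.0.0"'],
}


@dataclass
class ClientEvent:
    kind: str                      # CONNECT, REAUTH, ESTABLISHED, DISCONNECT, ADDRESS
    cid: int
    kid: Optional[int] = None      # only CONNECT/REAUTH carry a key id
    env: dict = field(default_factory=dict)


def parse_client_notifications(lines):
    """Group raw management-interface lines into ClientEvent objects."""
    events, pending = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.startswith(">CLIENT:"):
            continue                       # other async output (>LOG, >INFO, ...)
        body = line[len(">CLIENT:"):]
        if body.startswith("ENV,"):
            if pending is None:
                raise ValueError(f"ENV outside a notification block: {line}")
            payload = body[len("ENV,"):]
            if payload == "END":
                events.append(pending)
                pending = None
            else:
                key, sep, value = payload.partition("=")
                if not sep:
                    raise ValueError(f"malformed ENV line: {line}")
                pending.env[key] = value
            continue
        if pending is not None:
            raise ValueError(f"new notification before ENV,END: {line}")
        kind, _, rest = body.partition(",")
        fields = rest.split(",")
        if kind == "ADDRESS":              # >CLIENT:ADDRESS,{CID},{ADDR},{PRI}
            events.append(ClientEvent(kind, int(fields[0]), env={"addr": fields[1]}))
        elif kind in ("CONNECT", "REAUTH"):
            pending = ClientEvent(kind, int(fields[0]), int(fields[1]))
        elif kind in ("ESTABLISHED", "DISCONNECT"):
            pending = ClientEvent(kind, int(fields[0]))
        else:
            raise ValueError(f"unknown CLIENT notification: {line}")
    return events


def respond(event, policy=POLICY):
    """Management command to send back for a CONNECT/REAUTH; None otherwise."""
    if event.kind not in ("CONNECT", "REAUTH"):
        return None
    ou = event.env.get("X509_0_OU")        # depth 0 is the client's own cert
    if ou not in policy:
        return f'client-deny {event.cid} {event.kid} "OU not allowed"'
    return "\n".join([f"client-auth {event.cid} {event.kid}", *policy[ou], "END"])


SAMPLE = """\
>CLIENT:CONNECT,3,1
>CLIENT:ENV,common_name=alice
>CLIENT:ENV,X509_0_OU=Testing
>CLIENT:ENV,trusted_ip=198.51.100.7
>CLIENT:ENV,END
>CLIENT:ESTABLISHED,3
>CLIENT:ENV,ifconfig_pool_remote_ip=10.8.0.6
>CLIENT:ENV,END
>CLIENT:CONNECT,4,1
>CLIENT:ENV,common_name=bob
>CLIENT:ENV,X509_0_OU=Contractors
>CLIENT:ENV,END
>CLIENT:DISCONNECT,3
>CLIENT:ENV,END
"""

if __name__ == "__main__":
    for ev in parse_client_notifications(SAMPLE.splitlines()):
        print(ev.kind, ev.cid, respond(ev))
```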


Re: [Openvpn-users] Select nearest OpenVPN server / shared userbase / Only connect if away from home

2017-10-02 Thread Joe Patterson
1) Not built into OpenVPN, but it would be reasonably easy to write a small
script that would ping (or some other latency-measuring, hop-measuring, or
something-else-measuring method) all the servers and then construct an
openvpn config file snippet to be included in the main openvpn config.

2) That's already how certificates work.  You shouldn't need to synchronize
anything other than your CA certificate and, periodically, your CRL.  If
you want to *issue* certificates from different places, then you'd need to
have a CA hierarchy, but that's a matter of building your CA to suit your
needs.  Any good reference on X.509 PKI will likely tell you more than you
ever wanted to know about this subject.  But if you build it right, any
certificate issued from one of your CA's should be recognized as valid
throughout your organization instantly, with no synchronization needed, and
should be able to validate all of your servers.

3) Once again, this isn't something that could be done within OpenVPN
itself, but if you're already going to write a script for #1, it'd be
fairly easy to add some logic to exit out if your IP address is within a
list of ranges.

Hope this is helpful!

-Joe

On Mon, Oct 2, 2017 at 10:36 AM Theo Fokkema  wrote:

> Hi all,
>
> My first post to this list.
> A brief introduction, I am a sysadmin for a medium-sized company with a
> small dozen smaller and larger offices spread over the globe.
> Some years back I worked for a company that put linux servers in place in
> offices with Windows workstations and back then I started using OpenVPN. I
> fell for its capability to do bridged networking and to run as a Windows
> service, completely transparent, so end users didn't have to do a lot of
> clicks to end up on the office network, log on to the domain, access
> internal systems, printers etc.
>
> For my current employer I have deployed OpenVPN on Windows laptops for the
> same reasons. But as this is a larger scale operation, I run into some
> questions. I hope to find some ideas or answers here, as I can't find
> anything pointing me in the right direction in the manual or the FAQ.
>
> 1. I'd like to set up an OpenVPN server in each country office. All
> country offices have LAN-to-LAN connectivity with HQ and some also with
> their neighbouring countries office (through different means). We have a lot
> of travelers with laptops who visit different countries.
> Is there a way to provide OpenVPN with a list of servers, then have it
> determine which one is responding fastest (by measuring ping time for
> example?) and then connect to that server - and all of this without the
> user having to do a manual selection like choosing between different
> OpenVPN config profiles?
>
> 2. Is there a way to have different OpenVPN servers share (or synchronize)
> the same certificates so we only have to create one certificate for each
> user to have access to all our OpenVPN servers worldwide? Or entirely
> validate through Active Directory only (probably combined with a single
> certificate)
>
> 3. I'd like to setup the laptops so that OpenVPN service always connects
> automatically. This would provide a transparent user experience from each
> internet connection. But is there a way to prevent OpenVPN from connecting
> when the users are at their home office or one of our other country
> offices? They have an IP address on the LAN then, in the same range that
> they would get as when their OpenVPN service connects to the bridge. This
> means that when connected to the LAN, the machines would get a double IP
> address in the same range, which is not necessary and may lead to IP
> address depletion on the DHCP server in the larger offices. How do I
> prevent OpenVPN from connecting when it's already 'home'/set it to connect
> only when the machine has a public IP address (or a private IP address on a
> different network)?
>
> Alternatively, we could offer only an internet connection on our office
> LAN and make the entire LAN connection through an always-on OpenVPN, but
> I'm afraid that it would make things as slow as the internet connection is
> (which would not work well for things like rapid file server access) and
> make the OpenVPN server a single point of failure for the entire LAN. It
> would help to keep guest laptops that get plugged in off our LAN though...
>
> Any ideas, experience, alternatives, scripts etc. are very welcome.
>
> Best regards,
>
> Theo Fokkema
> Digital Plumber
>
>
>
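An added example, not the author's script, for points 1 and 3 above: rank the servers by measured round-trip time, write `remote` lines in that order into a snippet that the main profile pulls in with `config`, and skip the VPN when the local address already sits inside an office range. Server names, address ranges and the Linux `ping` wrapper are assumptions.

```python
"""Pick the lowest-latency OpenVPN server and emit a config snippet, skipping
the VPN entirely when the machine is already on an office LAN.

Added example for points 1 and 3 of the reply above, not the author's script.
Assumptions: the main profile contains ``config /path/to/nearest.conf`` so the
generated snippet is included; latency comes from a caller-supplied probe (a
Linux ``ping`` wrapper is provided); server names and ranges are constructed.
"""
import ipaddress
import re
import subprocess

# Constructed: country-office servers and the LAN ranges they serve.
SERVERS = [("vpn-nl.example.com", 1194), ("vpn-sg.example.com", 1194),
           ("vpn-us.example.com", 1194)]
OFFICE_RANGES = [ipaddress.ip_network(n) for n in
                 ("10.10.0.0/16", "10.20.0.0/16", "192.168.100.0/24")]


def ping_rtt_ms(host, timeout_s=1):
    """One ICMP echo via the Linux ping binary; None when unreachable."""
    try:
        out = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                             capture_output=True, text=True,
                             timeout=timeout_s + 2).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    m = re.search(r"time=([\d.]+) ms", out)
    return float(m.group(1)) if m else None


def on_office_lan(local_ip, ranges=OFFICE_RANGES):
    """True when the client already holds an address in an office range, so
    connecting would only burn a second DHCP lease on the bridged LAN."""
    addr = ipaddress.ip_address(local_ip)
    return any(addr in net for net in ranges)


def rank_servers(servers, probe):
    """(host, port, rtt) sorted by measured RTT; unreachable ones are dropped."""
    measured = [(rtt, host, port) for host, port in servers
                if (rtt := probe(host)) is not None]
    return [(host, port, rtt) for rtt, host, port in sorted(measured)]


def render_snippet(ranked):
    """``remote`` lines in latency order: OpenVPN tries them in sequence, so
    the nearest is used first and the others serve as fallbacks."""
    if not ranked:
        raise RuntimeError("no reachable OpenVPN server")
    lines = ["# generated: servers in latency order"]
    for host, port, rtt in ranked:
        lines.append(f"# {rtt:.1f} ms")
        lines.append(f"remote {host} {port}")
    return "\n".join(lines) + "\n"


def plan(local_ip, servers=SERVERS, probe=ping_rtt_ms):
    """None when the VPN should not be started, else the snippet text."""
    if on_office_lan(local_ip):
        return None
    return render_snippet(rank_servers(servers, probe))


if __name__ == "__main__":
    print(plan("203.0.113.9"))
```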

Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Joe Patterson
This may be a stupid question but...

Do any of the openssl cnf files have a comment in them that says "easy-rsa
version 2.x"?

if you do 'echo $KEY_CONFIG', what does it say?

Thanks,

-Joe

On Tue, Aug 8, 2017 at 4:03 PM Mio Vlahović  wrote:

> On 08.08.2017 21:47, David Sommerseth wrote:
> > On 08/08/17 21:28, Mio Vlahović wrote:
> >> On 08.08.2017 21:13, David Sommerseth wrote:
> >>> On 08/08/17 20:34, Leonardo Rodrigues wrote:
> 
>    You very likely created your certificated with MD5 hashing,
> which
>  was disabled on newer OpenSSL versions of CentOS.
> 
>    Try:
> 
>  export NSS_HASH_ALG_SUPPORT=+MD5
>  export OPENSSL_ENABLE_MD5_VERIFY=1
> 
>    before starting your OpenVPN daemon and watch if that make
> clients
>  connect again ...
> >>> DON'T DO THAT.
> >>>
> >>> MD5 based certificates are broken.  If you still use them, upgrade them
> >>> NOW.  And this knowledge about the brokenness dates back to 2005.
> >>>
> >>> 
> >>> 
> >>>
> >>> Anyone using MD5 and re-enables them in the SSL libraries will put
> their
> >>> VPN's security at risk.
> >>
> >> No worries, I don't use MD5, but disabling crl_verify as suggested did
> >> the trick. Now I still have the issue with generating new certificates.
> >>
> >> I will quote myself again
> >> "One update... I can no longer generate new certificates. It seems that
> >> whichopensslcnf scripts can't find openssl.cnf (which is there in the
> >> same directory...)
> >>
> >> [root@vpn 2.0]# pwd
> >> /etc/openvpn/easy-rsa/2.0
> >> [root@vpn 2.0]# ls -la
> >> drwx--. 3 nobody nobody  4096 Aug  8 20:25 .
> >> drwx--. 3 nobody nobody33 Feb  6  2016 ..
> >> -rwx--. 1 nobody nobody   119 Feb  6  2016 build-ca
> >> -rwx--. 1 nobody nobody   352 Feb  6  2016 build-dh
> >> -rwx--. 1 nobody nobody   188 Feb  6  2016 build-inter
> >> -rwx--. 1 nobody nobody   163 Feb  6  2016 build-key
> >> -rwx--. 1 nobody nobody   157 Feb  6  2016 build-key-pass
> >> -rwx--. 1 nobody nobody   249 Feb  6  2016 build-key-pkcs12
> >> -rwx--. 1 nobody nobody   268 Feb  6  2016 build-key-server
> >> -rwx--. 1 nobody nobody   213 Feb  6  2016 build-req
> >> -rwx--. 1 nobody nobody   158 Feb  6  2016 build-req-pass
> >> -rwx--. 1 nobody nobody   449 Feb  6  2016 clean-all
> >> -rwx--. 1 nobody nobody   424 Feb  6  2016 dh2048.pem
> >> -rwx--. 1 nobody nobody  1471 Feb  6  2016 inherit-inter
> >> drwx--  2 nobody nobody 36864 Jul 26 15:07 keys
> >> -rwx--. 1 nobody nobody   302 Feb  6  2016 list-crl
> >> -rwx--. 1 nobody nobody  7791 Feb  6  2016 openssl-0.9.6.cnf
> >> -rwx--. 1 nobody nobody  8348 Feb  6  2016 openssl-0.9.8.cnf
> >> -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
> >> -rwx--  1 nobody nobody  8247 Aug  8 19:14 openssl.cnf
> >> -rwx--. 1 nobody nobody 12966 Feb  6  2016 pkitool
> >> -rwx--. 1 nobody nobody   928 Feb  6  2016 revoke-full
> >> -rwx--. 1 nobody nobody   178 Feb  6  2016 sign-req
> >> -rwx--  1 nobody nobody  2138 Aug  8 20:25 vars
> >> -rwx--. 1 nobody nobody   740 Feb  6  2016 whichopensslcnf
> >>
> >> root@vpn 2.0]# ./build-key xxx
> >> grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf /etc/openvpn/easy-rsa/2.0:
> >> No such file or directory
> >> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> >> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
> >> /etc/openvpn/easy-rsa/2.0
> >> The correct version should have a comment that says: easy-rsa version
> 2.x"
> >
> > Did you remember to source the ./vars file first?
> >
> > $ . ./vars
> >
> > (yes, a single dot and then ./vars)
> >
> >
>
> Yes I did, same result... any other hints?
>
> Regards!
>
>
> --
> Mio Vlahović
>


Re: [Openvpn-users] Managing the server's IP pool

2017-06-28 Thread Joe Patterson
I don't think you can with that config, but there are things that you could
do to change it so you can.  If you add a "status" line, you'll get a
status file listing connected systems and their IP's.  If you add a
"management" line, you can telnet in and run the "status" command, and get
a list of connected systems and their IP's.  If you add an
"ifconfig-pool-persist" line, you will get a file with user-to-IP mappings,
though there will be no indication of which are currently connected.
*Without* the ifconfig-pool-persist, there isn't really a concept of
a "lease", IP addresses go back into the pool as soon as the client
disconnects (at least I'm fairly sure of that).  But with the management
interface, you can both see connected clients and their IP addresses, and,
if you wish, kill their connection.

And, of course, you can combine all three and have access to tons of info
in multiple ways.

-Joe

On Wed, Jun 28, 2017 at 4:38 AM SaAtomic  wrote:

> Hello,
> what is the correct way of managing/observing the IP pool on an OpenVPN
> server?
>
> I'm not sure if this is manged by OpenVPN or the underlying operating
> system.
>
> With this server configuration:
> port 443
> proto udp
> dev tun
> server 172.16.0.0 255.255.255.0
> tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> tls-version-min 1.2
> cipher AES-256-GCM
> auth SHA512
> comp-lzo
> duplicate-cn
>
> ca 
> cert 
> key 
> dh 
> tls-crypt 
>
> How can I observe how many/which IP addresses currently used - possibly by
> whom.
> How could I flush/release the leases?
>
> Kind regards,
> SaAtomic
>


Re: [Openvpn-users] standby tunnel

2017-06-08 Thread Joe Patterson
Just as a thought, have you tried running tcpdump on the tunnel interface
immediately after it comes up (before the 10 seconds), on the off chance
that this has nothing to do with openvpn, but instead something on the OS
side of things has decided that a new interface needs a packet or three
sent 10 seconds after it's created?

-Joe

On Thu, Jun 8, 2017 at 5:24 PM richard lucassen 
wrote:

> On Thu, 8 Jun 2017 22:47:35 +0200
> Gert Doering  wrote:
>
> > On Thu, Jun 08, 2017 at 10:31:10PM +0200, richard lucassen wrote:
> > > --verb 6
> > >
> > > You can see the 10 secs wait:
> > >
> > > Thu Jun  8 22:00:11 2017 us=709103 UDPv4 link remote:
> > > [AF_INET]e.f.g.h:1198
> > > Thu Jun  8 22:00:21 2017 us=308356 Peer Connection Initiated with
> > > [AF_INET]e.f.g.h:1198
> > > Thu Jun  8 22:00:22 2017 us=539641 Initialization Sequence Completed
> > >
> > > And if the remote is down it will retry every 10 secs.
> >
> > Well, it's not showing any outgoing packets yet, so maybe it needs
> > more
> > --verb.
>
> Setting verb to 8 makes a lot of noise :) That's why I just looked with
> tcpdump.
>
> > In static key mode, there's no real "peer connection" to be
> > "initiated", as everything is static anyway.  So it's not fully clear
> > to me what it is doing there.
> >
> > (But I've never used static key mode in earnest, so I'll learn
> > something new here :) )
>
> I think it's a glitch in the code which only pops up in this special
> config. For normal use it should not be a problem.
>
> R.
>
> --
> richard lucassen
> http://contact.xaq.nl/
>
>


Re: [Openvpn-users] automatically restart openvpn

2017-05-31 Thread Joe Patterson
If openvpn crashing is a regular problem, that's very interesting in its
own right, and I'm sure we'd like to know more, and there's nothing much
you can do *within* openvpn to respond when openvpn crashes.

If openvpn is exiting normally and you don't want it to, my guess is that
you could look to the "connect-retry-max" and "auth-retry" config options,
depending on why it's exiting.

And in either case you *could* if you wanted to, kluge your way around it
by wrapping openvpn in a shell script that does something like "while true;
do openvpn..." (though, if you do that, make sure you don't have the
'daemon' option in your config)

-Joe

On Wed, May 31, 2017 at 9:48 AM Jannis Ohms 
wrote:

> hi
>
> how can I configure openvpn to restart after the service crashes?
> I am running on raspbian
>
>


[Openvpn-users] Disconnect messages in the management interface?

2017-03-10 Thread Joe Patterson
I'm pretty sure that the answer to this is probably "no", but I'm gonna ask
anyhow...

For clients connecting without auth-user-pass, I get a CLIENT notification
for ESTABLISHED, but none for DISCONNECT.  Is there a way to make openvpn
send DISCONNECT messages on the management interface even if the client
didn't authenticate with a username/password?

The management app I'm writing is managing multiple openvpn instances and
it's fine for the ones that use username/password (because I get a CLIENT
notification for CONNECT, ESTABLISHED, DISCONNECT, and others), but when
it's managing one that doesn't use usernames/passwords, it only gets
ESTABLISHED and never knows when a client disconnects.

So far, the only solutions that I can think of are:
A) have a separate client-connect script that uses some sort of messaging
to inform my main app that something's disconnected.  That seems really
ugly, but might work.
B) periodically poll for 'status' and note which clients aren't there
anymore.  That means I have to balance how long I'm OK with stale clients
versus how often I poll status.
C) configure my password-less clients with a static username/password (via
the [up] file argument to --auth-user-pass) that I then ignore.  This is
probably the best option, I just don't like it, and wanted to find out if
there was something simple I was overlooking.  :)

Thanks!

-Joe


[Openvpn-users] Any way to determine CID from management interface?

2017-03-02 Thread Joe Patterson
I haven't seen anything, but I figured I'd ask before making any
conclusions:  Is there any way to determine the CID of clients in the
management interface?  It doesn't seem to be part of the output of
'status'.  Or does the CID only exist within ">CLIENT:" notifications?

The boring details are:  I'm writing a little program to do management of
my openvpn processes (managing authentication and doing some other useful
ancillary stuff) and whenever I authenticate a client I'm saving a fair
amount of state information about that client internally, and then when a
client disconnects, I'm undoing whatever needs undone for the client and
removing all the state info.  The problem I'm trying to solve is that, if I
restart my program, I lose all that state.  I could write it out to a file
occasionally and pick it back up on restart, and I'd be guaranteed that no
new clients would sneak in while I was restarting (because there'd be
nothing to issue the client-auth), but there's always the possibility that
a client would disconnect while I'm restarting and I'd miss it, thereby
having a bunch of state lying around for a client that's no longer
connected.  The only alternative I can see is to, when I start up, load all
my state from disk, then issue a 'status' command and go through removing
clients that don't have their virtual address in my client list, which
is probably effective, but just seems ugly.  :)

Thanks in advance for any help!

-Joe
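Both of the questions above (missing DISCONNECT notifications, and recovering after a restart of the management program) can be handled by polling `status 2` and comparing polls, which is option B from the earlier post. The following is an added example, not code from the post or from OpenVPN: it assumes the version 2 status format, whose HEADER rows name the columns, and the status text below is a constructed sample rather than real server output.

```python
# Constructed sample of a "status 2" reply (not real server output). The
# column set differs between OpenVPN versions, so parsing is driven by the
# HEADER rows instead of fixed field positions.
SAMPLE_STATUS = (
    "TITLE,OpenVPN (constructed sample)\n"
    "TIME,Thu Mar  2 10:00:00 2017,1488452400\n"
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,"
    "Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username\n"
    "CLIENT_LIST,laptop-a,198.51.100.10:51000,10.8.0.6,1200,3400,"
    "Thu Mar  2 09:00:00 2017,1488448800,UNDEF\n"
    "CLIENT_LIST,laptop-b,198.51.100.11:51001,10.8.0.10,500,900,"
    "Thu Mar  2 09:05:00 2017,1488449100,UNDEF\n"
    "HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,"
    "Last Ref,Last Ref (time_t)\n"
    "ROUTING_TABLE,10.8.0.6,laptop-a,198.51.100.10:51000,"
    "Thu Mar  2 09:59:00 2017,1488452340\n"
    "ROUTING_TABLE,10.8.0.10,laptop-b,198.51.100.11:51001,"
    "Thu Mar  2 09:58:00 2017,1488452280\n"
    "GLOBAL_STATS,Max bcast/mcast queue length,0\n"
    "END\n"
)

# A later poll in which laptop-b has gone away (constructed from the above).
SAMPLE_STATUS_LATER = "".join(
    line + "\n" for line in SAMPLE_STATUS.splitlines() if "laptop-b" not in line
)


def read_status_block(lines):
    """Collect the lines of one status reply, stopping at the END marker.

    `lines` is any iterator of text lines: a list, or the file object
    returned by socket.makefile() on the management connection.
    """
    block = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line == "END":
            break
        block.append(line)
    return block


def parse_clients(status_text):
    """Return {session_key: record} for every CLIENT_LIST row.

    The session key is (common name, real address). With duplicate-cn or
    password-less clients the common name alone is not unique, but the
    real address:port of a session is.
    """
    headers = {}
    clients = {}
    for line in read_status_block(status_text.splitlines()):
        fields = line.split(",")
        if fields[0] == "HEADER":
            headers[fields[1]] = fields[2:]
        elif fields[0] == "CLIENT_LIST":
            cols = headers.get("CLIENT_LIST")
            if not cols:
                raise ValueError("CLIENT_LIST row before its HEADER row")
            rec = dict(zip(cols, fields[1:]))
            clients[(rec["Common Name"], rec["Real Address"])] = rec
    return clients


def diff_sessions(previous, current):
    """Compare two polls: returns (newly connected, disconnected) session keys."""
    connected = sorted(set(current) - set(previous))
    disconnected = sorted(set(previous) - set(current))
    return connected, disconnected


def reconcile_state(saved_state, status_text):
    """After a restart, drop saved per-client state whose session is no
    longer present in 'status'. Returns (kept_state, dropped_keys)."""
    live = parse_clients(status_text)
    kept = {key: val for key, val in saved_state.items() if key in live}
    dropped = sorted(key for key in saved_state if key not in live)
    return kept, dropped


if __name__ == "__main__":
    first = parse_clients(SAMPLE_STATUS)
    later = parse_clients(SAMPLE_STATUS_LATER)
    print("connected/disconnected between polls:", diff_sessions(first, later))
```

In a real deployment the poll interval bounds how long a disconnected client's state lingers, exactly the trade-off the post describes.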


Re: [Openvpn-users] Launching OpenVPN-GUI automatically on user login?

2016-11-30 Thread Joe Patterson
I believe he was saying that it would never autoconnect, but only that the
gui would launch.  (as a side note, I will throw in my $.02 that I think
this is definitely a good choice.  I can't think of a situation in which I
wouldn't want the gui to autostart, and I'm pretty sure that if there
exists such a situation, the person in it would probably be able to figure
out how to un-enable that autostart)

-Joe

On Wed, Nov 30, 2016 at 9:11 AM Bonno Bloksma  wrote:

> Hi,
>
> >> I think the silence translates to "nobody would mind". I will run a
> >> few tests on PR#55 myself and then it goes in.
> >
> > "I agree with Selva", so I saw no need to speak up :-)
>
> I just reread the suggestion and +1.
> I think 99% of those who start the GUI want to connect right after that.
>
> I assume this would only autoconnect if there was only 1 config to use,
> otherwise the software might launch the wrong VPN.
>
> Bonno Bloksma
>
>
>


Re: [Openvpn-users] openvpn udp server and vrrp

2016-11-10 Thread Joe Patterson
Thank you both so much!  That was exactly the problem, and once I knew the
right part of the man page to look at, it was glaringly obvious.  :)

All working right now!

Thanks,

-Joe

On Thu, Nov 10, 2016 at 3:40 PM Simon Deziel <simon.dez...@gmail.com> wrote:

> Hi Joe,
>
> On 2016-11-10 03:08 PM, Joe Patterson wrote:
> > I just recently set up a new set of servers running openvpn on a shared
> > vrrp IP.  When I connect to my TCP server, everything is fine, but when
> > I connect to a UDP server, my initial client packet goes to the VRRP IP,
> > but the reply packet from the openvpn server comes from the "real" IP of
> > the interface.
>
> Try adding "multihome" to force the right source address. An alternative
> would be to force a given IP with "local". The man page section of
> multihome explains it well.
>
> Regards,
> Simon
>
>


Re: [Openvpn-users] Allowing multiple connections by the same user.

2016-08-31 Thread Joe Patterson
This may be a silly question, but are you pushing static IP's?

-Joe

On Wed, Aug 31, 2016 at 7:30 AM Paul Hancock 
wrote:

> "Multiple sessions per user" and even duplicate-cn are enabled on the
> server, yet it still kicks the oldest connection whenever a new one
> connects.
>
>
> Why...?
>
> - Paul
>


Re: [Openvpn-users] Add a directly connected route

2016-08-18 Thread Joe Patterson
I think what you want is 'push "route 89.234.186.0 255.255.255.0"'  If you
just have route with an IP and no netmask, it's going to assume a /32 mask.

On Thu, Aug 18, 2016 at 8:53 AM Alarig Le Lay  wrote:

> Hi,
>
> I have a setup where each client has a /32 IPv4 (not /24) because the
> /24 is not only used for the VPN. The server has the address
> 89.234.186.3 on eth0 and 89.234.186.4 on tun0.
>
> The gateway for the clients is 89.234.186.4. But, as it's not a /24
> network, openvpn tries to add a route (0.0.0.0/0 or 0.0.0.0/1 and
> 128.0.0.0/1) to a non-directly connected gateway.
>
> I would like to add a route like "89.234.186.4 dev tun0" by pushing
> it to each client. But, if I add "push "route 89.234.186.4"" on the
> server config, the client tries to add 89.234.186.4 via 89.234.186.4. So
> obviously, it's not working.
>
> I have this error message:
> /bin/route add -net 89.234.186.4 netmask 255.255.255.255 gw 89.234.186.4
> SIOCADDRT: Network is unreachable
>
> The client interface looks like this:
> 3: tun0:  mtu 1500 qdisc noqueue
> state UNKNOWN group default qlen 100
>link/none
>inet 89.234.186.9/32 brd 89.234.186.9 scope global tun0
>   valid_lft forever preferred_lft forever
>inet6 2a00:5884:8309::1/112 scope global
>   valid_lft forever preferred_lft forever
>
> The server interface looks like this:
> 7: tun-udp0:  mtu 1500 qdisc
> pfifo_fast state UNKNOWN group default qlen 100
> link/none
> inet 89.234.186.4/32 brd 89.234.186.4 scope global tun-udp0
>valid_lft forever preferred_lft forever
> inet6 2a00:5884::4/64 scope global
>valid_lft forever preferred_lft forever
>
> Is there a way to do `ip route add 89.234.186.4/32 dev tun0`?
>
> Thanks,
> --
> alarig
>


Re: [Openvpn-users] username-as-common-name not setting username as common_name for plugin

2016-08-04 Thread Joe Patterson
Let me second the suggestion to make it configurable.  I don't know much
about duo, but ages ago I modified the PAM plugin to be able to do the
opposite: use the common name as the username for PAM.  The reason being,
that without something to tie usernames to common names, an attacker only
needs to know/steal/guess any valid username/password and any valid
certificate, which should be harder to do than knowing/stealing/guessing a
*particular* user's password.

-Joe

On Thu, Aug 4, 2016 at 12:46 PM Selva Nair  wrote:

> On Thu, Aug 4, 2016 at 11:50 AM, Michael Hicks 
> wrote:
>
>> I guess I’ll submit a documentation bug to alter the description in the
>> docs for "username-as-common-name” to more clearly illustrate this.  Maybe
>> just changing "For --auth-user-pass-verify authentication...” to
>> "After --auth-user-pass-verify authentication…” and a note about this
>> affecting the client-(dis)connect and client-config-dir options.
>>
>
> Yes the documentation is poorly worded and could be improved. I think the
> reference to auth-user-pass-verify itself is confusing as one could instead
> use management-client-auth to authenticate users. A description that says
> this option replaces the common-name by the "authenticated username"
> without any reference to auth-user-pass-verify may be better. As you wrote,
> clarifying that this affects ccd etc. is also useful.
>
>
>> I modified the duo plugin source to use username instead of common_name
>> and it works as I expect.  I’ll also submit a pull request against the
>> duo_openvpn plugin source to get that changed upstream and see where it
>> goes.
>>
>
> More likely to get accepted if you make that configurable --- say adding
> an optional arg  to the plugin to indicate username should be taken from
> getenv("username",..) instead of getenv("common-name",..) so that existing
> use cases are not affected. That said, I think that plugin could be further
> improved using the static challenge feature of openvpn so that the usual
> username/password auth can work along with Duo.
>
> Selva
>
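The binding Joe describes (a username/password is only accepted together with the certificate issued to that same user) can be enforced in an `--auth-user-pass-verify` script without modifying any plugin. The following is an added example, not code from the thread, the PAM plugin or the Duo plugin: it assumes `via-file` mode (the script gets a temp file with the username on line 1 and the password on line 2) and the `common_name` environment variable OpenVPN exports, and the user table with PBKDF2 hashes is a constructed stand-in for whatever backend actually checks passwords.

```python
import hashlib
import hmac
import os
import sys

PBKDF2_ITERATIONS = 100_000


def _hash(password, salt_hex):
    """PBKDF2-SHA256 of the password, hex encoded (constructed stand-in for
    the real password backend)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    ).hex()


# Constructed user table: username -> (salt hex, PBKDF2 digest hex).
_SALT = "00112233445566778899aabbccddeeff"
USERS = {
    "alice": (_SALT, _hash("correct horse battery", _SALT)),
    "bob": (_SALT, _hash("another constructed secret", _SALT)),
}


def password_ok(username, password, users=USERS):
    """Constant-time password check against the (constructed) user table."""
    entry = users.get(username)
    if entry is None:
        _hash(password, _SALT)  # spend the same time for unknown users
        return False
    salt_hex, digest = entry
    return hmac.compare_digest(_hash(password, salt_hex), digest)


def verify(username, password, common_name, users=USERS):
    """Accept only when the password is right AND the username equals the
    certificate's common name.

    Without this tie, any valid username/password combined with any valid
    certificate would be enough; with it, an attacker needs the password
    of the particular user whose certificate they hold.
    """
    if not common_name or not hmac.compare_digest(
        username.encode("utf-8"), common_name.encode("utf-8")
    ):
        return False
    return password_ok(username, password, users)


def main(argv, environ):
    """Entry point for `auth-user-pass-verify <script> via-file`."""
    if len(argv) < 2:
        print("usage: auth-verify.py <credentials-file>", file=sys.stderr)
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        username = fh.readline().rstrip("\r\n")
        password = fh.readline().rstrip("\r\n")
    # common_name is the CN of the client certificate that passed TLS auth
    ok = verify(username, password, environ.get("common_name", ""))
    return 0 if ok else 1  # exit status 0 = accept, anything else = reject


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```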


Re: [Openvpn-users] Same IP Ranges for TCP- and UDP-Server

2016-03-30 Thread Joe Patterson
The other ideal solution (IMHO), would be to have openvpn support an
internal routing protocol like ospf.  That way you could have tons of
daemon processes (which would also effectively give you multi-processor
support, sort of), and a routing daemon on the host box aggregating all of
those routes together so the OS knows where to send packets.  (as a bonus,
those routes could also propagate to other parts of your network)

I'm currently doing this in a hackish sort of way by having a
client-connect script that includes vtysh commands to inject routes into a
quagga ospf process.

Not that this'd be any easier to implement than listening on multiple
ports, but it'd be pretty cool.

-Joe

On Wed, Mar 30, 2016 at 4:01 PM Gert Doering  wrote:

> Hi,
>
> On Tue, Mar 29, 2016 at 09:20:06AM +0200, Marc Haber wrote:
> > However, the OpenVPN server does not seem to be able to listen on both
> > UDP and TCP, and I need to run a second OpenVPN server to listen on
> > TCP. This makes it impossible to assign the client that is now
> > connected to the fallback TCP server instead of the default UDP server
> > its normal IP addresses, which of course causes a truckload of issues
> > with access lists and DNS.
> >
> > Is there a known and accepted workaround that will allow a client to
> > connect via UDP today and TCP tomorrow while having its normal IP
> > addresses assigned short of running a dedicated OpenVPN server for
> > each such client and restarting it with the port changed if there is
> > the need to do that?
>
> The "canonical" solution as of today is to use a --learn-address script
> (which gets called by the openvpn process as soon as ifconfig-pool and
> iroute processing is done) and set up routing on the linux side towards
> the corresponding tun device for the "UDP server" or the "TCP server".
>
> Yes, this sucks, but it works...
>
>
> The "totally crazy cool" solution will be, of course, to have the server
> listen on multiple ports.  It is not easily implemented, though - so far,
> Arne and Heiko have tried to tackle this, and the existing code stubbornly
> refuses cooperation...  (historical code evolution from "single peer to
> peer UDP only VPN" to "we can do everything! on all platforms!"...)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>//
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>
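Gert's `--learn-address` workaround, as an added example (not code from the thread or from OpenVPN): the script below is invoked by each server process with `<op> <address> [<common name>]` and installs or removes a host or subnet route pointing at that process's tun device, so the kernel knows which of the UDP and TCP instances currently holds a given client. It assumes the `dev` environment variable that OpenVPN exports to scripts, and that `ip` from iproute2 is on the path.

```python
import ipaddress
import os
import subprocess
import sys


def route_argv(op, address, dev):
    """Translate one learn-address call into an `ip route` command line.

    op is "add", "update" or "delete"; address is either a host from the
    ifconfig-pool ("10.8.0.6") or a subnet from an iroute ("192.168.5.0/24").
    dev is the tun device of the server process that learned the address.
    """
    net = ipaddress.ip_network(address, strict=False)  # rejects garbage input
    target = str(net)  # hosts become /32 (or /128); subnets stay as given
    if op in ("add", "update"):
        # "replace" is idempotent, so an update for an address that is
        # already routed at this device does not fail
        return ["ip", "route", "replace", target, "dev", dev]
    if op == "delete":
        return ["ip", "route", "del", target, "dev", dev]
    raise ValueError(f"unknown learn-address operation: {op!r}")


def main(argv, environ):
    if len(argv) < 3:
        print("usage: learn-address.py <add|update|delete> <address> [cn]",
              file=sys.stderr)
        return 2
    dev = environ.get("dev")  # name of the calling instance's tun device
    if not dev:
        print("learn-address: $dev not set in environment", file=sys.stderr)
        return 2
    try:
        cmd = route_argv(argv[1], argv[2], dev)
    except ValueError as exc:
        print(f"learn-address: {exc}", file=sys.stderr)
        return 1  # non-zero exit tells OpenVPN to reject the address
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```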


Re: [Openvpn-users] OPENVPN EASY-RSA invalid revocation date in entry

2016-02-08 Thread Joe Patterson
Check that with cat -A.  There should be two tabs between that date and
serial number, because there's a "revoked on" datetime field in between
those two that's blank for certificates that haven't been revoked.

Also, I'm not sure if the "entry 43" that it's talking about is the same as
the entry with serial number 43.  It might be, but I'm not sure.  The
serial numbers are in hex, and it *might* be referring to the 43rd
(decimal) line.

Thanks,

-Joe

On Mon, Feb 8, 2016 at 10:34 AM Claudio ML 
wrote:

> Hello all,
>
> I have migrated an existing openvpn implementation from OpenSuSE 13.1 to
> Ubuntu 14.04, and now I have a big problem to create new x509 keys with
> easy-rsa, to use them with openvpn. When I issue a "build-key-pass", it
> exits with the following error:
>
> invalid revocation date
>  in entry 43
>
> I have looked into the index.txt file, and the entry 43 is the following:
>
> V   240908095339Z   43  unknown
> /C=IT/ST=TO/O=business/CN=test1234/emailAddress=i...@test.com
>
> Note: is not the last key i have previously created.
>
> Any idea about it?
>
> Cordially,
> Claudio.
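The layout check Joe suggests (a blank "revoked on" field, so two tabs between the expiry date and the serial) can be run over the whole index.txt instead of eyeballing one line with `cat -A`. This is an added example, not part of the thread or of easy-rsa; it assumes the OpenSSL CA index format of six tab-separated fields (status, expiry, revocation date, serial, filename, DN), and the index contents below are constructed to show the damaged case.

```python
import re

# YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)
DATE_RE = re.compile(r"^(\d{12}|\d{14})Z$")

# Constructed index.txt. Entry 2 lost the empty "revoked on" field (only one
# tab between the expiry date and the serial), the kind of damage that makes
# OpenSSL complain about a revocation date in that entry.
SAMPLE_INDEX = (
    "V\t240908095339Z\t\t41\tunknown\t/C=IT/O=business/CN=server\n"
    "V\t240908095339Z\t42\tunknown\t/C=IT/O=business/CN=test1234\n"
    "R\t240908095339Z\t160201120000Z,keyCompromise\t43\tunknown"
    "\t/C=IT/O=business/CN=old\n"
)


def show_tabs(line):
    """Render a line the way `cat -A` does: tabs as ^I, end of line as $."""
    return line.replace("\t", "^I") + "$"


def check_index(text):
    """Return a list of (line_number, serial_or_None, message) problems.

    Entries are reported by 1-based line number as well as by serial,
    since an error message's "entry N" may mean either.
    """
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            # the serial cannot be trusted when the layout is broken
            problems.append(
                (lineno, None, f"expected 6 tab-separated fields, got {len(fields)}")
            )
            continue
        status, expiry, revoked, serial, _filename, _dn = fields
        if status not in ("V", "R", "E"):
            problems.append((lineno, serial, f"unknown status {status!r}"))
        if not DATE_RE.match(expiry):
            problems.append((lineno, serial, f"bad expiry date {expiry!r}"))
        if status == "R":
            # revocation field is "date" or "date,reason"
            rev_date = revoked.split(",", 1)[0]
            if not DATE_RE.match(rev_date):
                problems.append((lineno, serial, "revoked entry without a valid revocation date"))
        elif revoked:
            problems.append((lineno, serial, f"non-revoked entry carries revocation data {revoked!r}"))
    return problems


if __name__ == "__main__":
    for lineno, serial, msg in check_index(SAMPLE_INDEX):
        print(f"line {lineno} (serial {serial}): {msg}")
        print("  ", show_tabs(SAMPLE_INDEX.splitlines()[lineno - 1]))
```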
>


Re: [Openvpn-users] How to SSH to the OpenVPN server itself via the tunnel?

2015-08-25 Thread Joe Patterson
What does the routing table look like?  The fact that you can ping makes
this seem unlikely, but other than that it sounds like it *might* be
getting dropped by urpf.  (that's the only place I can think of between
where libpcap would see it but a listening socket wouldn't, other than
iptables which you've already covered.)

-Joe

On Tue, Aug 25, 2015 at 10:01 AM Tiago Vasconcelos tiago.o.vasconce...@gmail.com wrote:

 Hi Gert

 On 25-08-2015 13:20, Gert Doering wrote:
  If it pings, it should SSH.  If it doesn't, someone is firewalling
  you (INPUT chain, not FORWARD)

 I also thought so. Which makes this case a mystery to me.
 Here's why:


 # SSH is indeed running on the OpenVPN server

 $ netstat -ln | grep 22
 tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN


 # No firewall rules on the server side...

 $ iptables-save
 # Generated by iptables-save v1.4.3.2 on Tue Aug 25 14:34:07 2015
 *nat
 :PREROUTING ACCEPT [9:777]
 :POSTROUTING ACCEPT [19:1364]
 :OUTPUT ACCEPT [19:1364]
 COMMIT
 # Completed on Tue Aug 25 14:34:07 2015
 # Generated by iptables-save v1.4.3.2 on Tue Aug 25 14:34:07 2015
 *mangle
 :PREROUTING ACCEPT [925:77105]
 :INPUT ACCEPT [924:77005]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [599:67933]
 :POSTROUTING ACCEPT [599:67933]
 COMMIT
 # Completed on Tue Aug 25 14:34:07 2015
 # Generated by iptables-save v1.4.3.2 on Tue Aug 25 14:34:07 2015
 *filter
 :INPUT ACCEPT [843:70905]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [599:67933]
 COMMIT


 # Server capture while running 'telnet 192.168.1.2 22' on the client
 # As can be seen, the SYN is not responded and the client keeps retrying

 $ tcpdump -i tun0 -n
 14:30:41.389162 IP 172.31.0.6.60902 > 192.168.1.2.22: Flags [S], seq
 3893675608, win 4350, options [mss 1130,sackOK,TS val 6434347 ecr
 0,nop,wscale 1], length 0
 14:30:44.338170 IP 172.31.0.6.60902 > 192.168.1.2.22: Flags [S], seq
 3893675608, win 4350, options [mss 1130,sackOK,TS val 6437347 ecr
 0,nop,wscale 1], length 0


 # Doing a strace on the SSH daemon (Dropbear) confirms it doesn't
 # receive any connection attempt

 $ strace -p 218
 Process 218 attached
 select(8, [4], NULL, NULL, NULL


 # Strangely, pings from the client do work!

 $ ping 192.168.1.2
 PING 192.168.1.2 (192.168.1.2): 56 data bytes
 64 bytes from 192.168.1.2: seq=0 ttl=64 time=105.582 ms
 64 bytes from 192.168.1.2: seq=1 ttl=64 time=103.611 m


 I ran out of ideas...
 Maybe there's something fishy with this router's firmware (renewed
 Oleg's firmware https://code.google.com/p/wl500g/). Both endpoints are
 actually Asus routers running the same firmware and OpenVPN versions.


 Thanks,
 Tiago






Re: [Openvpn-users] How to SSH to the OpenVPN server itself via the tunnel?

2015-08-25 Thread Joe Patterson
Just as a note, iptables-save *does* show the current rule set, just in a
format that's parseable by iptables-restore.

On Tue, Aug 25, 2015 at 2:24 PM Jan Just Keijser janj...@nikhef.nl wrote:

 On 25/08/15 19:55, Tiago Vasconcelos wrote:
  Hi Jan
 
  On 25-08-2015 17:25, Jan Just Keijser wrote:
  your VPN IP range seems to be 172.31.0.x ?  if so, try SSH'ing to the
  VPN IP of the server (normally 172.31.0.1) .
  Also, what does a traceroute to 192.168.1.2 give ?
  The server has got the address 172.31.0.1 indeed. SSH'ing to this
  address from the client doesn't work either, but ICMP pinging works!
 
  Again, the SYN can be seen arriving to tun0 on the server, but no
  SYN-ACK is sent back. Exactly the same behaviour as when connecting to
  the LAN-facing server address 192.168.1.2.
 
  A MTR to 192.168.1.2 from the client shows one hop:
 
  $ mtr -n -r 192.168.1.2
  Start: Tue Aug 25 18:45:14 2015
   HOST: MyRouter        Loss%   Snt   Last    Avg   Best   Wrst  StDev
     1.|-- 192.168.1.2    0.0%    10  114.8  100.0   76.7  124.2   17.6
 
 
 OK, 99% certain that it is a firewall issue; can you run
iptables -L -n -v
 and post the (sanitized) output; iptables-save might not show any rules,
 but this command will list the **current** rule set.

 also, how about selinux? is that enabled or set to enforcing? try
 setting it to permissive.

 HTH,

 JJK






Re: [Openvpn-users] Backup and recovery

2015-08-19 Thread Joe Patterson
Unless you're doing something very strange, they're just files, they can be
copied or moved fairly easily.

Note that the only files the openvpn process really needs are its own
certificate, its own key, and the CA cert.  The easy-rsa CA really only
needs access to the CA cert and key (and only needs access to those for
generating new certificates)

-Joe

On Wed, Aug 19, 2015 at 4:58 PM Hélio Faria network@gmail.com wrote:

 Hi,
 I have a doubt. I need to change my OpenVPN server and I wonder if it is 
 possible to back up and restore certificates on the new server . Is there a 
 procedure for that?
 Thank you





Re: [Openvpn-users] Server listen on a specific IPv4 and IPv6 Address

2015-06-10 Thread Joe Patterson
Another possibility (also kind of kludgey, and I haven't personally tried it
with ipv4 to ipv6) is to listen on one IP and then NAT from the other IP to
the one you're listening on.  I use this to listen on multiple (well,
actually all) ports, though I still have to use different processes to
handle tcp and udp connections.

-Joe

On Wed, Jun 10, 2015 at 3:23 PM Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Wed, Jun 10, 2015 at 04:43:03PM +0200, Kor Korrd wrote:
  I have a Server with multiple IPv4 and IPv6 addresses. Only on one
  specific address (IPv4 and IPv6) should the VPN UDP Server listen on.

 This is not possible today.

  So the question is, how is it possible that OpenVPN listens on a certain
  IPv4 and IPv6 address at the same time?

 You can't.  As with listen on multiple ports at the same time (which,
 effectively, is the same problem: open multiple sockets and listen to
 all of them) it is missing functionality that people want, but nobody
 was able to implement yet (time, interest, knowledge, ...).

 For multiple UDP sockets it's supposedly not *that* hard, but the
 UDP and TCP at the same time case is really complicated as the insides
 of OpenVPN are currently handling this very differently.

 Sorry.

 (One possible workaround would be to just listen on all addresses [with
 --multihome!] and use firewall rules to reject packets to addresses you
 do not want to see exposed, or run multiple OpenVPN processes - none of
 this is perfect)

 gert
 --
 USENET is *not* the non-clickable part of WWW!
//
 www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de




Re: [Openvpn-users] DNS from network behind VPN

2015-01-20 Thread Joe Patterson
I'm pretty sure it's not possible to do that from a windows perspective,
however the workaround that I've used (that has some advantages of its own)
is to run the bind dns server locally on my windows client machine,
configured as a resolver for localhost only, and configured with forward
zones for specific domains.  It ends up working fairly well.

-Joe

On Tue, Jan 20, 2015 at 5:56 AM, Frank, Petric (Petric) 
petric.fr...@alcatel-lucent.com wrote:

 Hello,

 this is not exactly a OpenVPN problem.

 I connect via VPN to a network (own subnet). There is a DNS server serving
 hosts of some (specific) domains in this subnet.

 Problem is how to keep the locally configured DNS, but tell the system to
 ask the DNS behind the VPN tunnel when it requests hosts from the (known)
 domains of this DNS server.

 For example:
   Lookup of google.com - ask preconfigured DNS
   Lookup of *.local.dom - ask DNS behind VPN tunnel (local.dom is managed
 by him)

 As far as I know I can only replace the configured DNS server by adding
 the line
   push dhcp-option DNS a.b.c.d

 but I would like to have something like
   push dhcp-option DNS local.dom a.b.c.d
 telling that all lookups of local.dom should be directed to a.b.c.d.

 I don't know whether this is possible as such.

 Local host is Windows 7
 VPN server is Linux

 Regards
   Petric
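Joe's workaround (a local BIND instance that answers only on localhost, forwards everything to the usual resolver, and forwards just the VPN-side domains to the server behind the tunnel) looks like the named.conf fragment below. This is an added example, not configuration from the thread; the zone name, the resolver addresses and the directory are placeholders to replace with your own.

```conf
options {
    directory "/var/named";                  // placeholder
    listen-on { 127.0.0.1; };                // resolver for this host only
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    recursion yes;
    // default for everything not matched by a forward zone below:
    // the preconfigured (non-VPN) DNS server
    forwarders { 192.0.2.53; };              // placeholder
    forward only;
};

// Names under local.dom are resolved by the DNS server reached through the
// VPN tunnel; nothing else is sent there.
zone "local.dom" {
    type forward;
    forward only;
    forwarders { 10.8.0.1; };                // placeholder: DNS behind the tunnel
};
```

Point the Windows network adapter's DNS at 127.0.0.1 so all lookups go through this instance; the split happens inside BIND rather than in the OS resolver.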






[Openvpn-users] dynamically adding iroutes

2014-11-05 Thread Joe Patterson
Looking through the docs, I *think* I know the answer to this question
already, but I figured I'd ask here in case I'm wrong...

Is there any way to push an iroute to an openvpn server instance at any
time other than when a client connects?  I would think that if this sort of
thing could be done, it would be done via the management port, and I don't
see anything in the management-notes.txt file, but there's always some
possibility that there's another method that I've been missing.

If I'm correct that this isn't possible, is it something anyone's thought
of doing before?  Is there some reason I haven't thought of that it
*shouldn't* be done?

Thanks,

-Joe


Re: [Openvpn-users] reverse routing on mesh topology

2014-08-22 Thread Joe Patterson
Just out of curiosity, if I'm reading this correctly, if you use loose RPF
on a box, and also use the openvpn's --redirect-gateway def1 (which sets
two /1 routes), that would basically be equivalent to turning off RPF?

-Joe


On Fri, Aug 22, 2014 at 1:34 PM, Josh Cepek josh.ce...@usa.net wrote:

 Simon Deziel wrote:

  On 08/21/2014 12:52 PM, Gert Doering wrote:
  Hi,
 
  On Thu, Aug 21, 2014 at 05:22:28PM +0100, Ian Brooks wrote:
  I can see the traffic leaving the vm, hitting the internal gateway for
  the bridge, hit the correct tunnel to the destination server and arrive
  on tun0 on the destination server, but for some reason the packets
 arent
  then passed to the internal bridge network,
 
  Sounds like linux' rp_filter is biting you if the packet is not
 supposed
  to go there in the forward way, do not accept it on incoming.
 
  Look in sysctl -a for rp_filter, set it to 0 for the relevant tun
  interfaces.
 
  Disabling rp_filter completely should do it but I'd just want to add
  that recent linux version also allow loose mode rp filtering that
  seems all indicated for asymmetric routing like this case.

 There's another benefit to using loose mode as well because the kernel
 takes
 the *largest* value between the interface-specific and 'all' values. While
 the kernel default is 0, many distros set net.ipv4.conf.all.rp_filter=1 in
 startup scripts.

 Using 2 on the interface allows this to be overridden without turning rp
 path protection off completely for all other interfaces.

 --
 Josh






Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-06 Thread Joe Patterson
I still maintain that it would be much simpler and more useful to put less
effort into making a multi-threaded process, and more effort into making it
easier for multiple processes to coordinate amongst one another.  That gets
the advantage of more easily being able to allocate multiple clients across
a large number of cores.  The only disadvantage I see is that it does
prevent a single client from being able to be serviced by multiple cores,
but if I'm not wrong that's going to be a problem whether it's threaded or
multi-process, unless you're using ecb or ctr ciphers (and I don't see any
ctr ciphers in my openssl, and wouldn't suggest using an ecb one), so I
suspect that problem will be endemic.

-Joe


On Wed, Aug 6, 2014 at 9:20 AM, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Wed, Aug 06, 2014 at 02:12:12PM +0200, David Sommerseth wrote:
  Just thinking aloud now, without many filters enabled. (read: uh-oh!)

 :)

  The encryption and decryption using symmetric keys are really fast.

 fast, but used very very often...

  What is CPU intensive is when asymmetric encryption comes into play,
  with the key exchanges and other negotiations etc.

 slow, but used much more seldom...  assuming VPN clients that stay
 connected for a reasonable amount of time, and transfer enough data.

  With this in mind, it does make sense to split out the asymmetric
  encryption phases to a separate core, which can allow other symmetric
  encrypted traffic to flow more freely.
 
  But, this is just splitting stuff into 2 threads.  Any modern
  computers doesn't really have that *few* CPU cores.  (Even cellphones
  seems to have at least 4 cores these days).  So even though the
  benefit of using 2 threads will be noticed, it can be done better.

 My rough idea was something like

  - one control thread doing the IP routing and client connection
 maintenance
  - one group of threads to do decrypt incoming packet
  - one group of threads to do encrypt outgoing packet and send away

 and of course the control thread could split off the asymmetric crypto
 to yet another thread...  this should be sufficient to at least utilize
 a few more cores, until we get to bottlenecks in the central thread.

  What *if* there are 3 thread groups?  One of these groups is a
  single thread which is a SSL state manager.  It keeps tracks of all
  keys being used, and which state each client is in.  Then there is a
  thread group with symmetric encryption work, which basically does
  the real tunnelling and takes care of the network traffic flow.  But
  it receives the keying material from the SSL state manager thread.
  And then last thread group is the one taking care of asymmetric
  encryption and the key negotiations.

 Yep.  Something like that :-)

 Nice design, now it just needs to be done...

  But!  This is going to be a h*** of a lot of work.  And almost
  everything regarding the event management/scheduler and SSL code in
  OpenVPN will be completely rewritten.  In addition, it'll be a lot of
  fun with the plug-ins and script support.
 
  The advantage, how I see it, is primarily with the SSL manager
  process/thread.  The SSL manager thread can be completely locked down
  and only be accessible via a kind of internal API.  *IF* this manager
  thread can be a separate process, it can also be possible to lock it
  down further (running as a different user than the other threads; on
  Linux, SELinux can further restrict its possibilities).  In addition,
  this move can enable clustering support, where you can more seamlessly
  move clients from one physical OpenVPN server to another one.  The SSL
  manager can exchange information through a local multicast network
  with the other cluster members' SSL managers.  However, one of the really
  tricky things here is: how to tackle plug-ins and scripts when a
  client moves from one box to another one?

 Hehe, something left for 2.7, I'd say :-)

 gert
 --
 USENET is *not* the non-clickable part of WWW!
 //www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de


 ___
 Openvpn-users mailing list
 Openvpn-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openvpn-users



Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-05 Thread Joe Patterson
So maybe what's really needed is less having multi-threading support within
a single openvpn process, but more adding some functionality that makes it
easier to get to the desired end-state, like extending the ip persistence
from a flat file to perhaps a database connection, and have a way to define
ip pools within that same mechanism.  That would allow not only multiple
processes to operate off the same pool, but multiple processes across
multiple physical endpoints.  Then all you'd need is a way to handle
routing the correct IP to the correct process, and I would humbly suggest
that adding support for some sort of routing protocol within openvpn
(probably rip or ospf) would be an *excellent* way of solving this problem.
 Granted, this solution won't be for everyone, but for some of us it would
be ideal.

*that's* a crowdfunding campaign I'd throw some cash at.

-Joe


On Tue, Aug 5, 2014 at 1:27 AM, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Tue, Aug 05, 2014 at 12:00:53PM +1200, Jason Haar wrote:
  On 05/08/14 08:36, Gert Doering wrote:
   Nobody did the code yet.
  
   This is a complex problem.  You need a programmer that understands
   parallel processes or threads, network, security, and is willing to
   spend quite a bit of personal time on it - implementation, code review,
   testing.
  I think it can be hacked into place (with the right choice of OS of
 course)
 
  I've effectively multi-processor-ed openvpn by running multiple copies
  on different ports, and then using iptables to round-robin new
  connections onto those backend services.

 Yes, this can be done (and this is what OpenVPN AS does under the hood,
 with slightly more magic regarding the distribution of incoming
 connections).

 It will scale better than just one OpenVPN process, but is still not ideal
 from a load distribution perspective, and - as you point out - needs help
 from a client-connect script to get IP address assignment right.

 gert
 --
 USENET is *not* the non-clickable part of WWW!
 //www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de






Re: [Openvpn-users] UDP not blocked, but failing.

2014-08-01 Thread Joe Patterson
Generally speaking, I'd say use a sniffer on the server (assuming that's an
option for you)

Or, you could run netcat on each side and openvpn on the other side, and
see which one is seeing what (it'll fail still, but you should see
*something*)

Do the server logs show anything when the client attempts to connect?

One other possibility (though it's kind of far-out speculation, given the
limited information) is that something in between is dropping UDP packets
over a certain size.  That could be a weird firewall thing, or an MTU
thing, or... I'm not sure what, and it's not something that I've seen, but
I'm just thinking of what would let pings through (because pings are small)
but would fail during negotiation (because certificates and such can be
larger)

-Joe


On Fri, Aug 1, 2014 at 8:18 PM, Ken D'Ambrosio k...@jots.org wrote:

 Hi -- for any number of reasons, I'd prefer to use UDP for my OpenVPN
 setup.  But a curious thing: if I fire up UDP, my handshake times out.
 TCP works great.  So UDP is blocked, you moron.  Get over it.  Well...
 it isn't.  I opened a whole slew of ports with netcat (expecting I'd
 have to find an un-blocked one, like maybe TFTP), and then sequentially
 pinged them from my client, and to my astonishment, they all showed
 open.  (And happily catted out the port number, which was my test.)

 Any ideas on what I might need to be doing here?

 Thanks much!

 -Ken





Re: [Openvpn-users] Consolidating client-specific routes into client-specific ccd/* breaks PINGs across VPN

2014-07-24 Thread Joe Patterson
If I'm understanding you correctly, I think I know the problem:  route
statements cannot go in a ccd (or, more accurately, they don't do anything
if they're there), because route statements are injecting routes into the
OS routing table, which is only done on start-up (and in the case of
running openvpn un-privileged, only *can* be done at startup before
dropping root privs)

There are two ways to get around this.  First, and generally best, is to
put all the route statements that you expect to need in the main config.
 Second, you *could* put routing commands in a client-connect script (I do
something similar to this to inject client routes into quagga)

-Joe


On Thu, Jul 24, 2014 at 9:57 AM, pg0...@fastmail.fm wrote:

 I have three machines: a 'vpn server' & a 'vpn client' are both running
 OpenVPN 2.3_git [git:master/a4b8f653ee5be9c2]; a 'lan server' sits on the
 client-side LAN behind the 'vpn client'.  'vpn server' & 'vpn client' are
 connected via VPN over a UDP connection.


 I.e.,

 @VPN_SERVER
 IP(eth0) = S.S.S.S       external/WAN intfc
          = 192.168.0.1
 IP(tun1) = 10.0.0.1      vpn tunnel endpoint

 @VPN_CLIENT
 IP(eth0) = C.C.C.C       external/WAN intfc
 IP(eth1) = 192.168.1.1   internal/LAN intfc
 IP(tun1) = 10.0.0.2      vpn tunnel endpoint

 @ LAN_SERVER
 IP(eth0) = 192.168.1.10  external/WAN intfc


 With a @SERVER configs of

 /etc/openvpn/server.conf
 ...
 mode server
 server 10.0.0.0 255.255.255.0
 topology subnet

 ccd-exclusive
 client-config-dir ccd/
 client-to-client

 push "route 192.168.0.0 255.255.255.0"
 route 192.168.1.0 255.255.255.0
 push "route 192.168.1.0 255.255.255.0"

 /etc/openvpn/ccd/client1.conf
 ...
 ifconfig-push 10.0.0.2 255.255.255.0
 iroute 192.168.1.0 255.255.255.0

 Once the tunnel's up, I can ping both directions all four cases,

 @VPN_SERVER, ping -> VPN_CLIENT[192.168.1.1]    OK
 @VPN_SERVER, ping -> LAN_SERVER[192.168.1.10]   OK
 @VPN_CLIENT, ping -> VPN_SERVER[192.168.0.1]    OK
 @LAN_SERVER, ping -> VPN_SERVER[192.168.0.1]    OK

 But if I move all client-specific route config out of the main server
 config to the ccd/client config, i.e.

 /etc/openvpn/server.conf
 mode server
 server 10.0.0.0 255.255.255.0
 topology subnet

 ccd-exclusive
 client-config-dir ccd/
 client-to-client

 push "route 192.168.0.0 255.255.255.0"

 /etc/openvpn/ccd/client1.conf
 ifconfig-push 10.0.0.2 255.255.255.0
 iroute 192.168.1.0 255.255.255.0
 +   route 192.168.1.0 255.255.255.0
 +   push "route 192.168.1.0 255.255.255.0"

 and reestablish the tunnel, only one of those PINGs now works

 @VPN_SERVER, ping -> VPN_CLIENT[192.168.1.1]    FAIL
 @VPN_SERVER, ping -> LAN_SERVER[192.168.1.10]   FAIL
 @VPN_CLIENT, ping -> VPN_SERVER[192.168.0.1]    OK
 @LAN_SERVER, ping -> VPN_SERVER[192.168.0.1]    FAIL

 It makes sense to me to be able to consolidate ALL client-specific info in
 client-specific config files.

 But, does SOME client-specific config HAVE to go in the main server config?

 Or does the above config need to change (aka, be fixed) when I consolidate?

 PG





Re: [Openvpn-users] Consolidating client-specific routes into client-specific ccd/* breaks PINGs across VPN

2014-07-24 Thread Joe Patterson
First off, main doesn't necessarily have to get messy.  If you have a bunch
of clients connecting, all with subnets behind them, and you can't get to
those subnets without the VPN connection being up, then most likely the
most effective thing to do is to find a supernet that encompasses all of
the clients, and have that in your route statement.  Like if all of your
clients have subnets behind them in the 192.168.x.x range, you could do
route 192.168.0.0 255.255.0.0 (and since, with routing, longest prefix
always takes precedence, that won't mess up any local routes to
192.168.x.x/24 or such)  The only time it would be a problem is if there
are 192.168.x.x subnets that are being routed to via the default route.  To
give a little bit better description of what's going on there, the route
statement (which can only be in the main config) sends all of 192.168.x.x
to openvpn, and then the iroute statements (which can be in the ccd
files) tells openvpn which specific client tunnel to send the traffic to.

But, if for some reason you can't or really don't want to do that, then
yes, the client-connect directive goes in the main config, but it's a
single script that runs whenever a client connects and can do different
things depending on the client.  If you really wanted to cut down on the
number of directives in your main config, you can use the client-connect
directive to entirely replace the ccd directive, and simply have the
client-connect script write a ccd file to $1 when it's done.  My script
will be different from yours because A) I'm doing different things and B)
because it's possible, perhaps even likely, that what I'm doing is a
horrible cringe-worthy kluge that should be avoided by all sane people, but
for reference, the part of mine that handles injecting routes looks like
this (mine's in perl):

open (CCD, "/etc/openvpn/ccd/$ENV{common_name}") || die "Problem opening ccd\n";
while (<CCD>) {
    # each "iroute <network> <netmask>" line becomes a static route in quagga
    if (/iroute/) {
        ($iroute, $net, $mask) = split();
        system("vtysh -c 'conf t' -c 'ip route $net $mask $ENV{ifconfig_remote}'");
    };
}
close(CCD);



On Thu, Jul 24, 2014 at 12:28 PM, pg0...@fastmail.fm wrote:

 Hi Joe,

 On Thu, Jul 24, 2014, at 07:31 AM, Joe Patterson wrote:
  If I'm understanding you correctly, I think I know the problem:  route
  statements cannot go in a ccd (or, more accurately, they don't do
 anything
  if they're there), because route statements are injecting routes into the
  OS routing table, which is only done on start-up (and in the case of
  running openvpn un-privileged, only *can* be done at startup before
  dropping root privs)

 Well, that certainly explains the behavior I'm seeing!

  There are two ways to get around this.  First, and generally best, is to
  put all the route statements that you expect to need in the main
 config.
   Second, you *could* put routing commands in a client-connect script (I
 do
  something similar to this to inject client routes into quagga)

 My main's gonna get messy ... so a client-connect script seems the option
 I'll take.

 I'm reading docs

 --client-connect script
 Run script on client connection. The script is passed the common name
 and IP address of the just-authenticated client as environmental variables
 (see environmental variable section below). The script is also passed the
 pathname of a not-yet-created temporary file as $1 (i.e. the first command
 line argument), to be used by the script to pass dynamically generated
 config file directives back to OpenVPN.

 and that seems clear.  What I'm missing is -- does THAT ^^ need to be
 invoked in the main config?  OR can/does it go in the server's
 ccd/clientN.conf?

 The latter keeps things neat(est).  The latter, 'messes up' my main again
 -- though not as much as the 'raw' routes would.

 PG
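A consistency check for the two mechanisms Joe describes in this thread (a 'route' in the main config hands the prefix to OpenVPN at start-up; an 'iroute' in the ccd file picks the client tunnel), written as an added example for this archive and not code from the thread or from OpenVPN. The server.conf and ccd texts are constructed, modelled on PG's configs; the longest-prefix helper illustrates Joe's point that a /16 supernet route does not override a directly connected /24.

```python
"""Consistency check for OpenVPN 'route' (main config) versus 'iroute' (ccd).
Added example for this thread; not code from OpenVPN or from the posters.
All config text is constructed, modelled on PG's server.conf and ccd files."""
import ipaddress

# Constructed server.conf: one supernet 'route' as Joe suggests.
SERVER_CONF = """
mode server
server 10.0.0.0 255.255.255.0
topology subnet
ccd-exclusive
client-config-dir ccd/
client-to-client
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.0 255.255.0.0
"""

# Constructed ccd files: client1 repeats PG's mistake of putting 'route' and
# 'push' in the ccd; client2 has an iroute that no 'route' above covers.
CCD_FILES = {
    "client1": """
ifconfig-push 10.0.0.2 255.255.255.0
iroute 192.168.1.0 255.255.255.0
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
""",
    "client2": """
ifconfig-push 10.0.0.3 255.255.255.0
iroute 172.16.5.0 255.255.255.0
""",
}

# 'route' only acts at start-up (before privileges are dropped) and 'push'
# belongs to the main config, so both are silently ignored inside a ccd file.
CCD_INEFFECTIVE = {"route", "push"}


def parse_directives(text):
    """Yield (directive, args) per non-comment line; OpenVPN treats lines
    starting with '#' or ';' as comments and allows quoting of push options."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.replace('"', "").split()
        yield parts[0], parts[1:]


def to_network(net, mask):
    """IPv4Network from OpenVPN's 'network netmask' pair."""
    return ipaddress.IPv4Network((net, mask), strict=False)


def server_routes(conf_text):
    """Prefixes the kernel will hand to the tun interface at start-up."""
    return [to_network(args[0], args[1])
            for d, args in parse_directives(conf_text)
            if d == "route" and len(args) >= 2]


def check_ccd(conf_text, ccd_files):
    """Return findings as strings; an empty list means the configs agree."""
    routes = server_routes(conf_text)
    findings = []
    for name, text in ccd_files.items():
        for directive, args in parse_directives(text):
            if directive in CCD_INEFFECTIVE:
                findings.append(f"{name}: '{directive}' has no effect in a ccd "
                                f"file; it must live in the main server config")
            elif directive == "iroute" and len(args) >= 2:
                net = to_network(args[0], args[1])
                # iroute only selects the client tunnel; the kernel must first
                # deliver the prefix to OpenVPN via some covering 'route'.
                if not any(net.subnet_of(r) for r in routes):
                    findings.append(f"{name}: iroute {net} is not covered by "
                                    f"any 'route' in the main server config")
    return findings


def longest_prefix_match(dest, table):
    """Next hop for dest from [(IPv4Network, via), ...] the way the kernel
    picks it: the most specific matching prefix wins, which is why a /16
    supernet routed to tun0 does not steal a directly connected /24."""
    dest = ipaddress.IPv4Address(dest)
    matches = [(net, via) for net, via in table if dest in net]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else None


if __name__ == "__main__":
    for finding in check_ccd(SERVER_CONF, CCD_FILES):
        print(finding)
    table = [(to_network("192.168.0.0", "255.255.0.0"), "tun0"),
             (to_network("192.168.0.0", "255.255.255.0"), "eth1")]
    print("192.168.0.5 ->", longest_prefix_match("192.168.0.5", table))
    print("192.168.1.10 ->", longest_prefix_match("192.168.1.10", table))
```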



Re: [Openvpn-users] Where are the 2.3.3 sources?

2014-04-10 Thread Joe Patterson
Not so much a confidentiality benefit as an integrity benefit, to make
sure you really are getting your software from who you think you're getting
it from.

-Joe


On Thu, Apr 10, 2014 at 6:36 AM, David Sommerseth 
openvpn.l...@topphemmelig.net wrote:


 On 10/04/14 11:13, Robo Burned wrote:
  //Paranoid mode
 
  Please ensure you are connecting to valid server. DNS substitution,
  MITM
 
  Name: swupdate.openvpn.org Addresses: 108.162.198.149
  108.162.199.149
 
  To community:
 
  Is there any reason why the sources are not protected by  HTTPS?

 Because it's open source and not much to really hide?  What would be
 the real benefit?


 --
 kind regards,

 David Sommerseth





Re: [Openvpn-users] Openvpn pushing invalid route that blocks itself

2014-03-17 Thread Joe Patterson
Check the logs on the server for "SENT CONTROL [user]: 'PUSH_REPLY,..." and
see if you're actually pushing that route, or if it's being generated by
the client. (I know that info gets logged on my server at verbosity 4)

-Joe


On Mon, Mar 17, 2014 at 2:23 PM, Billy Crook billycr...@gmail.com wrote:

 I have a very odd situation going on here

 My tunnels have worked for the longest time.  Of course everyone denies
 changing anything.  But all the sudden it stopped working.

 Whereas before the tunnel would establish and the client's vpn address
 could ping the server's vpn address..

 Now the openvpn client connects, and the client's vpn address cannot ping
 the server's vpn address.
 Additionally the client's physical IP can ping the server's physical IP
 BEFORE the tunnel goes up, but not WHILE the tunnel is up.

 I tracked it down to one route statement in the client's route table.
 It sends 1.2.3.4/32 to 10.0.0.11 via interface 10.0.0.12

 1.2.3.4 is the server's public ip address

 10.0.0.12 is the address that the client happens to get from the server's
 client address pool
 10.0.0.11 is the adjacent server address from that pool.  (I hand out /2's
 because I have windows clients.)

 So of course this route breaks things, because as soon as the tunnel is
 up,. the client's kernel starts trying to sent the tunnel through itself.

 To verify my theory, I had cmd.exe ready to press enter on route delete
 1.2.3.4, and retried the connection, and as soon as it came up I deleted
 that route.  Then it worked as normal.

 My question is WHY would openvpn do that?  What could cause such a
 peculiar and self-destructive behavior?






Re: [Openvpn-users] Openvpn -- unable to generate keys

2014-01-21 Thread Joe Patterson
 /data/md0/usr/share/openvpn/easy-rsa/openssl.cnf
 /data/md0/usr/share/openvpn/easy-rsa/README
 /data/md0/usr/share/openvpn/easy-rsa/revoke-crt
 /data/md0/usr/share/openvpn/easy-rsa/revoke-full
 /data/md0/usr/share/openvpn/easy-rsa/sign-req
 /data/md0/usr/share/openvpn/easy-rsa/vars
 /data/md0/usr/share/openvpn/easy-rsa/Windows
 /data/md0/usr/share/openvpn/easy-rsa/Windows/build-ca.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/build-dh.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-pkcs12.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/build-key-server.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/clean-all.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/index.txt.start
 /data/md0/usr/share/openvpn/easy-rsa/Windows/init-config.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/README.txt
 /data/md0/usr/share/openvpn/easy-rsa/Windows/revoke-full.bat
 /data/md0/usr/share/openvpn/easy-rsa/Windows/serial.start
 /data/md0/usr/share/openvpn/easy-rsa/Windows/vars.bat.sample
 /usr/share/openvpn/easy-rsa
 /usr/share/openvpn/easy-rsa/1.0
 /usr/share/openvpn/easy-rsa/1.0/build-ca
 /usr/share/openvpn/easy-rsa/1.0/build-dh
 /usr/share/openvpn/easy-rsa/1.0/build-inter
 /usr/share/openvpn/easy-rsa/1.0/build-key
 /usr/share/openvpn/easy-rsa/1.0/build-key-pass
 /usr/share/openvpn/easy-rsa/1.0/build-key-pkcs12
 /usr/share/openvpn/easy-rsa/1.0/build-key-server
 /usr/share/openvpn/easy-rsa/1.0/build-req
 /usr/share/openvpn/easy-rsa/1.0/build-req-pass
 /usr/share/openvpn/easy-rsa/1.0/clean-all
 /usr/share/openvpn/easy-rsa/1.0/list-crl
 /usr/share/openvpn/easy-rsa/1.0/make-crl
 /usr/share/openvpn/easy-rsa/1.0/openssl.cnf
 /usr/share/openvpn/easy-rsa/1.0/README
 /usr/share/openvpn/easy-rsa/1.0/revoke-crt
 /usr/share/openvpn/easy-rsa/1.0/revoke-full
 /usr/share/openvpn/easy-rsa/1.0/sign-req
 /usr/share/openvpn/easy-rsa/1.0/vars
 /usr/share/openvpn/easy-rsa/2.0
 /usr/share/openvpn/easy-rsa/2.0/build-ca
 /usr/share/openvpn/easy-rsa/2.0/build-dh
 /usr/share/openvpn/easy-rsa/2.0/build-inter
 /usr/share/openvpn/easy-rsa/2.0/build-key
 /usr/share/openvpn/easy-rsa/2.0/build-key-pass
 /usr/share/openvpn/easy-rsa/2.0/build-key-pkcs12
 /usr/share/openvpn/easy-rsa/2.0/build-key-server
 /usr/share/openvpn/easy-rsa/2.0/build-req
 /usr/share/openvpn/easy-rsa/2.0/build-req-pass
 /usr/share/openvpn/easy-rsa/2.0/clean-all
 /usr/share/openvpn/easy-rsa/2.0/inherit-inter
 /usr/share/openvpn/easy-rsa/2.0/list-crl
 /usr/share/openvpn/easy-rsa/2.0/Makefile
 /usr/share/openvpn/easy-rsa/2.0/openssl-0.9.6.cnf
 /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
 /usr/share/openvpn/easy-rsa/2.0/pkitool
 /usr/share/openvpn/easy-rsa/2.0/README
 /usr/share/openvpn/easy-rsa/2.0/revoke-full
 /usr/share/openvpn/easy-rsa/2.0/sign-req
 /usr/share/openvpn/easy-rsa/2.0/vars
 /usr/share/openvpn/easy-rsa/2.0/whichopensslcnf

 On 21-01-14 13:08, Joe Patterson wrote:

 openssl x509 -noout -modulus -in ca.pem

  then look for a key where the output of:

  openssl rsa -noout -modulus -in file.key

  matches.

  -Joe


 On Tue, Jan 21, 2014 at 6:43 AM, Johan Vermeulen 
 jvermeu...@cawdekempen.be wrote:

  hello All,

 thanks again for helping me out, this is great.

 So getting a ca.pem from a backup, and a client certificate that was made
 before the trouble, I get:

 [root@caw-server1 keys]# openssl verify -CAfile ca.pem elien-crt.pem
 /etc/pki/tls/certs/servercert.pem
 elien-crt.pem: OK
 /etc/pki/tls/certs/servercert.pem: OK

 Any other combination would give me EM:

 error 20 at 0 depth lookup:unable to get local issuer certificate

 Does this mean I have the right ca.crt ( ca.pem)?

 Can I look for the right ca.key the same way?

 greetings, J.


 On 21-01-14 11:43, Jan Just Keijser wrote:

 Hi Johan,

 Johan Vermeulen wrote:

 Dear All,

 since a long time we have an Openvpn-server, now  on Centos6,
 originaly setup on OpenSuse

 [root@caw-server1 2.0]# rpm -qa openvpn
 openvpn-2.3.1-3.el6.x86_64

 It is very reliable, and my only activity on it, is generate new client
 keys.

 Not sure what happened -- a ./clean-all could have been run on it -- but
 since last week, I'm unable to generate new client keys.

 [root@caw-server1 2.0]# source ./vars
 NOTE: If you run ./clean-all, I will be doing a rm -rf on
 /usr/share/openvpn/easy-rsa/2.0/keys
 [root@caw-server1 2.0]# ./build-key testjohan
 pkitool: Need a readable ca.crt and ca.key in
 /usr/share/openvpn/easy-rsa/2.0/keys
 Try pkitool --initca to build a root certificate/key.



 look inside the directory
 /usr/share/openvpn/easy-rsa/2.0/keys
 and see if you can find a ca.crt and ca.key file there; you can post an
 'ls -l' if you like.
 If they are not there then a './clean-all' was run most likely. I hope
 you have a backup somewhere :)

 The EM is straightforward enough, but I'm unsure on how to proceed.

 As far as I can tell the important files are in /etc/pki/tls/certs/ :
 [root@caw-server1 certs]# ls
 ca-bundle.crt  ca-bundle.trust.crt

Re: [Openvpn-users] Openvpn -- unable to generate keys

2014-01-20 Thread Joe Patterson
What exists in /usr/share/openvpn/easy-rsa/2.0/keys?  If you did a
clean-all, then you will be missing some important files (most especially
the ca.key file, but also some others such as the index and serial files)

If that's the case, you will most likely need to start over from a new CA.
 (one thing I always do, after getting a CA set up, is edit the clean-all
to make it less dangerous, otherwise it just feels like I'm leaving primed
explosives laying around in case I decide I want to use them... best to
keep them locked away.)

-Joe


On Mon, Jan 20, 2014 at 8:39 AM, Johan Vermeulen
jvermeu...@cawdekempen.be wrote:

 Dear All,

 since a long time we have an Openvpn-server, now  on Centos6,
 originaly setup on OpenSuse

 [root@caw-server1 2.0]# rpm -qa openvpn
 openvpn-2.3.1-3.el6.x86_64

 It is very reliable, and my only activity on it, is generate new client
 keys.

 Not sure what happened -- a ./clean-all could have been run on it -- but
 since last week, I'm unable to generate new client keys.

 [root@caw-server1 2.0]# source ./vars
 NOTE: If you run ./clean-all, I will be doing a rm -rf on
 /usr/share/openvpn/easy-rsa/2.0/keys
 [root@caw-server1 2.0]# ./build-key testjohan
 pkitool: Need a readable ca.crt and ca.key in
 /usr/share/openvpn/easy-rsa/2.0/keys
 Try pkitool --initca to build a root certificate/key.

 The EM is straightforward enough, but I'm unsure on how to proceed.

 As far as I can tell the important files are in /etc/pki/tls/certs/ :
 [root@caw-server1 certs]# ls
 ca-bundle.crt  ca-bundle.trust.crt  ca.pem  make-dummy-cert Makefile
 servercert.pem  serverkey.pem  slapd.pem

 as is reflected in /etc/openvpn/server.conf :

 ca /etc/pki/tls/certs/ca.pem
 cert /etc/pki/tls/certs/servercert.pem
 key /etc/pki/tls/certs/serverkey.pem

 but copying / renaming them did not solve the issue.

 Can anyone offer some advise on this?

 Many thanks, J.

 --
 Johan Vermeulen
 IT-medewerker

 Powered by Linux.






Re: [Openvpn-users] Routing problem

2013-12-30 Thread Joe Patterson
If I'm understanding what you're trying to do, it falls into that lovely
category of either trivial or impossible.  If 1.2.3.4 is the un-nat'd IP
that the client is connecting from, then, as I understand it, it's nearly
impossible because if you route packets to the client IP over the tunnel,
then when you need to send the encapsulated packets, they'll try and go
down the tunnel too (you *could* do it with policy-based routing wherein
you specifically route the openvpn packets outside of the tunnel, but
that's a pain to do).  If, on the other hand, the client is behind a NAT,
or if it's connecting to the server via a different interface than eth0,
then it's pretty easy.  On the server, add route 1.2.3.4 255.255.255.255,
and you add a client-config-dir and in it have a file with the name of the
client cn containing iroute 1.2.3.4 255.255.255.255 (you could do the
same with a client-connect script, but I find the ccd simpler)

The route command routes the packets from the OS to openvpn, and the iroute
tells openvpn which tunnel to send those packets to.

(on a side note, the filenames of your certificate and key are the same on
both the client and the server, are the files themselves the same, or did
you just name them the same?)

Thanks,

-Joe


On Mon, Dec 30, 2013 at 12:43 PM, Jordan Hayes jmha...@j-o-r-d-a-n.com wrote:

 I have a simple Linux OpenVPN client with the following interfaces:

 eth0    1.2.3.4
 tun0    10.0.0.5

 The server side of the tunnel is 10.0.0.1 ...

 From the client, I can ping the server:

 % ping -c 3 10.0.0.1
 PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
 64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=52.9 ms
 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=32.0 ms
 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=38.0 ms

 If however, I set the source address to the external interface, I can't:

 % ping -I 1.2.3.4 -c 3 10.0.0.1
 PING 10.0.0.1 (10.0.0.1) from 1.2.3.4 : 56(84) bytes of data.

 --- 10.0.0.1 ping statistics ---
 3 packets transmitted, 0 received, 100% packet loss, time 2000ms

 I believe this is a feature :-)

 I've read about --iroute and --route, but it's still pretty opaque to me
 ...

 What would I have to add to my configs to allow this to work as
 intended?

 I don't need packets that *arrive* on eth0 to be routed to the tunnel,
 just the ones that are locally bound on the client machine (if that
 makes a difference).

 Thanks,

 /jordan


 ps: dead-simple client config
 ---
 client
 dev tun
 proto udp
 remote host port
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 user nobody
 group nobody
 ca server-ca.crt
 cert server.crt
 key server.key
 ns-cert-type server
 tls-auth server-ta.key 1
 comp-lzo
 verb 3
 ---

 server config
 ---
 port port
 proto udp
 dev tun
 ca server-ca.crt
 cert server.crt
 key server.key
 dh dh2048.pem
 server 10.0.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 keepalive 10 120
 tls-auth server-ta.key 0
 comp-lzo
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 verb 3
 ---
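An added example (not from the thread or from OpenVPN) for the failure mode Joe describes here and in Billy's "invalid route that blocks itself" thread above: a route whose prefix covers the address the tunnel's own UDP packets travel to or from, so the kernel feeds the encapsulated packets back into the tunnel. The log lines are constructed in the shape of OpenVPN's verb 4 "SENT CONTROL ... PUSH_REPLY" output, and 1.2.3.4 stands for the server's public address as in Billy's report.

```python
"""Find a route that would swallow the VPN's own transport packets.
Added example for this thread (Joe's 'tunnel routes capture the encapsulated
packets' point and Billy's 1.2.3.4/32 route); not OpenVPN project code.
The log lines are constructed in the shape of a verb 4 server log."""
import ipaddress
import re

# Constructed sample: client-a gets a sane PUSH_REPLY; client-b is pushed a
# host route for 1.2.3.4, which stands for the server's public address here.
SAMPLE_LOG = """\
Mon Mar 17 14:20:01 2014 client-a/203.0.113.9:1194 SENT CONTROL [client-a]: 'PUSH_REPLY,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5' (status=1)
Mon Mar 17 14:21:14 2014 client-b/198.51.100.7:1194 SENT CONTROL [client-b]: 'PUSH_REPLY,route 1.2.3.4 255.255.255.255,route 10.0.0.1,topology net30,ifconfig 10.0.0.12 10.0.0.11' (status=1)
"""

PUSH_REPLY_RE = re.compile(
    r"SENT CONTROL \[(?P<cn>[^\]]*)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")


def parse_push_replies(log_text):
    """Map each common name to the list of options the server pushed to it."""
    replies = {}
    for line in log_text.splitlines():
        match = PUSH_REPLY_RE.search(line)
        if match:
            replies[match.group("cn")] = match.group("opts").split(",")
    return replies


def route_option_to_network(option):
    """Convert 'route <network> [netmask] [gateway]' to an IPv4Network.
    As in OpenVPN, a missing netmask means a /32 host route.  Returns None
    for non-route options and for symbolic targets we cannot resolve."""
    parts = option.split()
    if len(parts) < 2 or parts[0] != "route":
        return None
    mask = "255.255.255.255"
    if len(parts) > 2:
        try:
            ipaddress.IPv4Address(parts[2])
            mask = parts[2]
        except ipaddress.AddressValueError:
            pass  # third word is a gateway keyword such as vpn_gateway
    try:
        return ipaddress.IPv4Network((parts[1], mask), strict=False)
    except ValueError:
        return None


def routes_capturing_endpoint(options, endpoint):
    """Routes whose prefix contains the address the tunnel's own UDP packets
    are sent to (the server's public IP, seen from the client) or come from
    (the client's un-NATted address, seen from the server).  Such a route
    sends the encapsulated packets back into the tunnel and kills it."""
    endpoint = ipaddress.IPv4Address(endpoint)
    hits = []
    for option in options:
        net = route_option_to_network(option)
        if net is not None and endpoint in net:
            hits.append(net)
    return hits


def audit_push_replies(log_text, server_public_ip):
    """Per client, the pushed routes that would cut it off from the server."""
    return {cn: routes_capturing_endpoint(opts, server_public_ip)
            for cn, opts in parse_push_replies(log_text).items()}


if __name__ == "__main__":
    for cn, bad in audit_push_replies(SAMPLE_LOG, "1.2.3.4").items():
        print(cn, "self-blocking routes:", [str(n) for n in bad])
```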






[Openvpn-users] question about connection profiles and failure...

2013-12-19 Thread Joe Patterson
I wanted to check if anyone knows more about what constitutes failure with
respect to client connection profiles.  According to the man page, if you
have a bunch of stanzas of connection/connection, the first one will be
tried and, if it fails, the next one will be tried and so on.  My question
is, when it says if it fails, what is considered a failure?
1) if you have a name in your remote, will a name lookup failure always
be a failure, or only if resolv-retry is set to non-infinite?
2) If you're using a TCP entry, will it only fail if you have
connect-retry-max set to non-infinite?
3) if you're using a UDP entry, what is considered a failure to connect,
and is there any way (I don't see one right off hand) to tweak what is
considered a failure?
4) when it gets to the last entry, does it go back to the top and start
again, or fail and exit?
5) if a successful connection is made, but later fails with a ping-restart,
does it start back at the top of the list, or at the same entry that it
just had a failure on, or the next entry in the list?

I'm experimenting to get some of these answers, but I wanted to see if
anyone had any experience-based or otherwise more authoritative answers.

Thanks!

-Joe