Re: [Openvpn-users] Checking server and client certificates expiration?
On Wed, Sep 28, 2022 at 11:18:41 -0400, Bo Berglund wrote:
> On Wed, 28 Sep 2022 10:40:07 -0400, Joe Patterson wrote:
>
> >grep -A 100 -F '' openvpn.conf | openssl x509 -in - -noout -text
> >| grep 'Not After'
> so my OVPN files are structured like this:
>
> client
> dev tun
>
> -BEGIN CERTIFICATE-
> block of characters
> -END CERTIFICATE-
>
> -BEGIN CERTIFICATE-
> block of characters
> -END CERTIFICATE-

I haven't used it specifically on inline certificates in openvpn.conf files, but in general I found that when processing multi-certificate input files, "openssl x509" will skip lines in its stdin until it finds a BEGIN CERTIFICATE block, then it will process one certificate -- leaving stdin ready to be read further to repeat the process.

So, you can probably use something like the following to display information on all the certificates found in a particular file:

  $ while openssl x509 -noout -text ; do echo "==" ; done < openssl.cnf | less

The 'echo "=="' bit is just to put a little divider between each certificate's info in the output; you can tweak that to taste.

At the end of this loop stderr will get a "PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE" error message; this is normal -- it just indicates that the while loop has gone through all the certificates in the file and couldn't find any new one to process.

Nathan

Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
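An expiry check for the inline certificates discussed in the message above, as an added example that is not part of the original post: it splits the file into its CERTIFICATE blocks first and passes each one to "openssl x509" separately, skipping private-key blocks. The function names, the 30-day threshold and the sample file are assumptions made for this example; the `<ca>`/`<cert>`/`<key>` tags are OpenVPN's inline-file syntax.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
INLINE_TAG = re.compile(r"^<(/?)([a-z][a-z0-9-]*)>$")

# Constructed sample input: the bodies are placeholders, not real certificates.
SAMPLE_OVPN = """\
client
dev tun
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER+NOT+A+REAL+CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER+NOT+A+REAL+CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER+NOT+A+REAL+KEY
-----END PRIVATE KEY-----
</key>
"""


def certificate_blocks(text):
    """Return [(inline_tag_or_None, pem_text)] for every CERTIFICATE block.

    Blocks with any other PEM label (for example PRIVATE KEY) are ignored,
    so key material is never handed to a subprocess or echoed in a report.
    """
    tag, current, found = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_TAG.match(line)
        if m:
            tag = None if m.group(1) else m.group(2)
        elif line == BEGIN:
            current = [line]
        elif current is not None:
            current.append(line)
            if line == END:
                found.append((tag, "\n".join(current) + "\n"))
                current = None
    return found


def parse_enddate(openssl_output):
    """Parse the 'notAfter=Sep  8 11:18:41 2023 GMT' line printed by -enddate."""
    for line in openssl_output.splitlines():
        if line.startswith("notAfter="):
            stamp = line.split("=", 1)[1].strip()
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter line in openssl output")


def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def not_after(pem):
    """Ask openssl for the expiry date of a single PEM certificate."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, text=True, capture_output=True, check=True)
    return parse_enddate(out.stdout)


def report(path, warn_days=30):
    """Print one line per certificate; return True if none is close to expiry."""
    ok = True
    now = datetime.now(timezone.utc)
    with open(path, encoding="utf-8", errors="replace") as fh:
        blocks = certificate_blocks(fh.read())
    for index, (tag, pem) in enumerate(blocks, 1):
        expires = not_after(pem)
        remaining = days_left(expires, now)
        state = "OK" if remaining >= warn_days else "EXPIRING" if remaining >= 0 else "EXPIRED"
        ok = ok and state == "OK"
        print(f"{path} #{index} <{tag or 'no tag'}> notAfter={expires:%Y-%m-%d} "
              f"days_left={remaining} {state}")
    return ok


if __name__ == "__main__":
    # Usage: python check_ovpn_certs.py client.ovpn  (file name is an example)
    sys.exit(0 if report(sys.argv[1]) else 1)
```

The exit status is non-zero when any certificate is inside the warning window, so the script can be run from cron or a monitoring check.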
Re: [Openvpn-users] How to properly upgrade openvpn server on Ubuntu servers (18.04 and 20.04)?
On Sat, Sep 24, 2022 at 10:45:10 -0500, Bo Berglund wrote:
> So now I have travelled to the location and am ready to do the upgrade.
>
> I would like to know the best way to get *away* from the build.openvpn.net
> repository to the ubuntu 18 repository in preparation for doing the release
> upgrade.
>
> Do I do the following?
>
> sudo apt remove openvpn
> or
> sudo apt purge openvpn
>
> Then remove the files /etc/apt/sources.list.d/openvpn*
>
> Followed by
> sudo apt install openvpn
> -
>
> Or is the better way to:
>
> Leave things as they are and do the release upgrade and then check if openvpn
> was migrated or not in the migrated server.
>
> If not then just install it using apt without any separate openvpn
> repositories?
>
> If it is working still but on 2.4.7 then try to move back to the ubuntu
> repositories somehow.

It seems unlikely that you should need to _purge_ the package, though if you have your .ovpn/OpenVPN-config files backed up elsewhere then it doesn't really matter. (But if you chose the first option, a simple "remove" should be fine.)

Since you aren't using the VPN link during the upgrade, I don't think it will make much difference which of those two approaches you take.

Note that apt/dpkg consider the version string "2.4.7-1ubuntu2.20.04.4" (i.e. the Ubuntu package in Focal) to be lower than "2.4.7-xenial0", so I'm pretty sure if you follow the second option you will indeed need to manually force your system to switch to the Ubuntu version of the package after you complete the release upgrade. (That's where you would use either "apt install openvpn/focal" or "apt install openvpn=2.4.7-1ubuntu2.20.04.4" to override the default package-version-selection algorithm and force the switch.)

It's not a bad idea to disable the build.openvpn.net repositories in your /etc/apt/sources.list files yourself, but I believe the release-upgrade process will do that for you in any case.

Nathan
Re: [Openvpn-users] Is this the correct openvpn version for ubuntu server 20.04.5 LTS?
On Sat, Sep 24, 2022 at 15:49:46 -0500, Bo Berglund wrote:
> So here is what I see at the moment:
>
> $ apt policy openvpn
> openvpn:
>   Installed: (none)
>   Candidate: 2.4.7-1ubuntu2.20.04.4 <== Why is xenial not mentioned?
>   Version table:
>      2.4.7-1ubuntu2.20.04.4 500
>         500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
>         500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
>      2.4.7-1ubuntu2 500
>         500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
>
> What I am worried about is the fact that it says:
> Candidate: 2.4.7-1ubuntu2.20.04.4
>
> On another server I run I get this:
>
> Installed: 2.4.7-xenial0
> Candidate: 2.4.7-xenial0
>
> Why is there a difference and why does the server I am trying to upgrade show a
> different candidate?
>
> Which one should be fixed and how is it done?

The packages with the release *name* (i.e. "xenial0") in the version string are from the OpenVPN-project repositories, while the packages with the release *number* ("20.04.4") in the version string are from Ubuntu's repositories.

Based on the discussion last summer, I believe you decided you wanted to use the packages from Ubuntu... so on the server with "Candidate: 2.4.7-1ubuntu2.20.04.4" you should be all set -- just go ahead and install the default openvpn package. (You can see from the "apt policy" output that all available versions are in ubuntu.com/ubuntu repositories.)

Nathan
Re: [Openvpn-users] How to properly upgrade openvpn server on Ubuntu servers (18.04 and 20.04)?
On Tue, Jul 05, 2022 at 14:40:31 +0200, Bo Berglund wrote:
> Hopefully I can get there and upgrade it on location come September.
> I don't dare doing that remotely.

Agreed.

> Here you go:
>
> $ apt-cache policy openvpn
> openvpn:
>   Installed: 2.4.7-xenial0
>   Candidate: 2.4.7-xenial0
>   Version table:
>  *** 2.4.7-xenial0 100
>         100 /var/lib/dpkg/status
>      2.4.4-2ubuntu1.7 500
>         500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
>         500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
>      2.4.4-2ubuntu1 500
>         500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Yeah, this confirms that the system sees openvpn 2.4.4 out in the Ubuntu Bionic archives but currently has the 2.4.7-xenial0 (i.e. from build.openvpn.net) package installed.

If you can log in to that server directly (i.e. not over the OpenVPN link), then you should be safe using the "apt install" commands to force installation of the 2.4.4-2ubuntu1.7 package and then try bringing up the link to see if 2.4.4 works in that environment (with the plan to switch back to the build.openvpn.net packages if it doesn't...)

Alternately, you can follow the notes in the OpenVPN community wiki page to re-enable the build.openvpn.net repository, presumably using a "...debian/openvpn/2.4 bionic main" line. (Looks like if you do that, you'll be offered openvpn 2.4.11_bionic0 as the available version to upgrade to...)

Nathan
Re: [Openvpn-users] How to properly upgrade openvpn server on Ubuntu servers (18.04 and 20.04)?
On Sun, Jul 03, 2022 at 21:55:13 +0200, Bo Berglund wrote:
> And now I had a look at our office server (Ubuntu 18.04 LTS) and it looks the
> same:
>
> $ openvpn --version
> OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11]
> [MH/PKTINFO] [AEAD] built on Feb 19 2019
>
> This server is running 18.04.6 LTS and was upgraded from Ubuntu 16.04 LTS
> probably back in 2019.
>
> OpenVPN was installed in the 16.04 days and has been stopped at 2.4.7 since
> quite some time it seems. It too needs an upgrade.

Note that my previous emails have all been focusing on the server running Ubuntu 20.04 LTS.

The situation on the 18.04 server is a bit different, since the OpenVPN version included in stock Bionic is 2.4.4 -- so you'd actually have to downgrade the upstream OpenVPN version to switch from your current package to the Ubuntu package. That may well be fine for your use case, but obviously it would be a bigger change than the switch from one 2.4.7 package to a different 2.4.7 package that is under discussion on the server running Ubuntu 20.04.

Anyway, posting the output of "apt-cache policy openvpn" on that server here would help confirm the exact package versions your system currently knows about...

Nathan
Re: [Openvpn-users] How to properly upgrade openvpn server on Ubuntu servers (18.04 and 20.04)?
On Mon, Jul 04, 2022 at 08:12:16 +0200, Bo Berglund wrote:
> Seems like the distro upgrade orphaned openvpn but left it in place as-is.

Right -- one of the first things the Ubuntu upgrade process does is to edit the apt sources to update the release name on the repositories it recognizes (so they now point to the release being upgraded to) and disable the repository entries it doesn't recognize (since it doesn't know if those repositories are applicable after the upgrade).

This general process doesn't always orphan the packages that came from the disabled repo... but in the case of the openvpn package on your system the fact that Focal happens to include the same upstream OpenVPN version that you already have installed (2.4.7) combined with the different packaging-specific version-number naming schemes used by build.openvpn.net and the Ubuntu packages, did lead to the package being "stuck" at the 2.4.7-xenial0 version.

(Note that if you were to upgrade to Jammy, though, the system would start upgrading the OpenVPN package again, because Jammy includes OpenVPN 2.5.5 and apt would recognize any 2.5.5 package as a higher version number than "2.4.7-xenial0".)

> If I understand it you are saying that by using the apt command to install the
> current version for focal the existing openvpn would be replaced by the one in
> the Ubuntu distro repository and the act of installing it that way would also
> put it in the group of packages that will be automatically upgraded come the
> next distribution upgrade?

Yes, exactly. (For example, once you have 2.4.7-1ubuntu2.20.04.4 successfully installed, then when 2.4.7-1ubuntu2.20.04.5 eventually becomes available apt will recognize that as a higher version number and upgrade the package along with everything else.)

Nathan
Re: [Openvpn-users] How to properly upgrade openvpn server on Ubuntu servers (18.04 and 20.04)?
On Sun, Jul 03, 2022 at 21:55:13 +0200, Bo Berglund wrote:
> I have looked at the directory /etc/apt/sources.list.d and found a file there
> named openvpn-aptrepo.list
> It contains this single line:
> # deb http://build.openvpn.net/debian/openvpn/stable bionic main # disabled on upgrade to bionic

Yes, for what it's worth it looks like you probably followed the instructions found at
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories
back when you first installed OpenVPN.

> Is there a good description on *exactly how* to make openvpn part of apt updates
> again on an Ubuntu 18.04 LTS and an Ubuntu 20.04 LTS server?

(There may be a blog post or something out there from someone else who has faced this situation, but it may not be a scenario covered by either OpenVPN or Ubuntu official documentation...)

This was covered a bit in the other thread, but I think you have two options at this point:

* if you want to switch to using the standard openvpn packages provided by Ubuntu itself (which it seems like would probably be fine for your purposes), then you just need to manually force the installation of the current Ubuntu package (with something along the lines of "apt install openvpn/focal" or "apt install openvpn=2.4.7-1ubuntu2.20.04.4"). Once you switch to a stock-Ubuntu package version, then later package releases will be assigned higher version numbers and will be automatically upgraded-to in the usual way.

* If you want to keep using the OpenVPN-project provided packages, then you will want to edit that openvpn-aptrepo.list file to re-enable the line and update the "bionic" name to your current release. With that re-enabled, you should see a new OpenVPN-project package version, which apt will upgrade to from your current version. (But note that if you take this route, you will need to remember to repeat the process each time you upgrade to a new version of Ubuntu [since the upgrade process will disable the deb line in the openvpn-aptrepo.list again].)

Nathan
Re: [Openvpn-users] How to enable timestamps in server logfile?
On Wed, Jun 22, 2022 at 12:38:24 +0200, Bo Berglund wrote:
> On Tue, 21 Jun 2022 01:52:48 -0400, Nathan Stratton Treadway wrote:
>
> >On Mon, Jun 20, 2022 at 08:51:47 +0200, Bo Berglund wrote:
> >
> >> Originally I used OpenVPN since around 2014 on RaspberryPi to access my home
> >> LAN. I did not have an Ubuntu server back then.
> >> Then in 2016 I built the Ubuntu server to handle a lot of other things too, like
> >> subversion and such, and I also installed OpenVPN there.
> >> But I no longer remember *how* I installed it, it might have been done using
> >> some apt repository fiddling so I am now on the wrong branch
> >
> >The top entry in the /usr/share/doc/openvpn/changelog.Debian.gz should
> >give you at least a little information about the specific build of
> >the currently-installed version of the package...
>
> This is what I have in the file:
>
> openvpn (2.4.7-xenial0) stable; urgency=medium
>
> * preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst) (Gert Doering,
> 2b8aec62)
> ... lots of more lines ...

Well, the interesting line would have been the "signature" line at the end of that section, immediately before the "openvpn (2.4[...]" header line for the next-mentioned-package-version's section.

But seeing Gert Doering mentioned in that quoted text was enough to make me wonder if this was a package built by the OpenVPN project -- and sure enough, the "-xenial0" naming convention seems to be what they use (as shown in this repository listing: https://build.openvpn.net/debian/openvpn/release/2.4/pool/xenial/main/o/ )

So now my guess is that you had an apt sources.list entry pointing to the build.openvpn.net repo back in your Xenial days, which then probably got disabled by the Ubuntu release-upgrade process (and thus apt no longer suggests newer versions of the OpenVPN package from that repo).

Anyway, at this point I think your choices now (when you are back home) are either to manually switch to the current Ubuntu-provided package (as discussed in the earlier emails), or to re-enable the build.openvpn.net repo (switching to their Focal release) and then upgrade to the newer package currently provided there.

But presumably one way or the other you will want to upgrade away from 2.4.7-xenial0...

Nathan
Re: [Openvpn-users] How to enable timestamps in server logfile?
On Wed, Jun 22, 2022 at 16:11:40 +0200, David Sommerseth wrote:
> On 20/06/2022 00:10, Nathan Stratton Treadway wrote:
> >On Sun, Jun 19, 2022 at 23:03:15 +0200, Bo Berglund wrote:
> >>I get this:
> >>
> >>dpkg -L openvpn | grep systemd.*openv
> >>/lib/systemd/system-generators/openvpn-generator
> >>/lib/systemd/system/openvpn.service
> >>/lib/systemd/system/openvpn@.service
> >>/usr/lib/systemd/system/openvpn-client@.service
> >>/usr/lib/systemd/system/openvpn-server@.service
>
> Oh, that's interesting. We need to look into this more carefully,
> might be either that the package manager overlooked this detail or
> that we're lacking a "systemd service directory override" in our
> source code which Debian packaging would need.

(David, just wanted to make sure you noticed that in other parts of this thread we realized that Bo's system has a very old OpenVPN package still installed. I don't know about recent build.openvpn.net packages, but the current Ubuntu Focal package [i.e. openvpn 2.4.7-1ubuntu2.20.04.3] uses "/lib/systemd/" consistently in the paths for the systemd files.)

Nathan
Re: [Openvpn-users] How to enable timestamps in server logfile?
On Mon, Jun 20, 2022 at 08:51:47 +0200, Bo Berglund wrote:
> Originally I used OpenVPN since around 2014 on RaspberryPi to access my home
> LAN. I did not have an Ubuntu server back then.
> Then in 2016 I built the Ubuntu server to handle a lot of other things too, like
> subversion and such, and I also installed OpenVPN there.
> But I no longer remember *how* I installed it, it might have been done using
> some apt repository fiddling so I am now on the wrong branch

The top entry in the /usr/share/doc/openvpn/changelog.Debian.gz should give you at least a little information about the specific build of the currently-installed version of the package...

> What would be the proper way to do the manual upgrade?
>
> Is there a way to find out from where the openvpn I do have is coming and what
> is blocking it from being upgraded via apt in that case?
>
[...]
> apt policy openvpn
> openvpn:
>   Installed: 2.4.7-xenial0
>   Candidate: 2.4.7-xenial0
>   Version table:
>  *** 2.4.7-xenial0 100
>         100 /var/lib/dpkg/status
>      2.4.7-1ubuntu2.20.04.4 500
>         500 http://se.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
>         500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
>         500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
>         500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages

This "apt policy" shows that you have the standard Ubuntu repos in your apt.sources list, and thus the standard package is available to install. (It doesn't get installed by default because the dpkg version sort algorithm treats "2.4.7-xenial0" as newer than the version "2.4.7-1ubuntu2.20.04.4" and doesn't want to downgrade the package.)

But I think you would be able to manually force installation of the stock Focal package using the command "apt install openvpn/focal" to force selection of the version of the package from the specified distro. (Or alternatively "apt install openvpn=2.4.7-1ubuntu2.20.04.4" to give an explicit version string.)

> Can I just uninstall openvpn and then install via apt to get the latest?
> Or will that throw out any custom config I have done too?

("remove" -- as opposed to "purge" -- will leave all custom config files, so they should be there waiting when you install the package again. But I'd say you might as well try the "install .../focal" approach first and see if you can do it all in one step.)

> Currently over the summer I am not at my home LAN but I connect there via
> OpenVPN on my router, so presumably I would have to wait until I am back home so
> I have direct access to the server, right?
> (Since I would lose connection once the server OpenVPN goes down).

Yeah -- in that case it's probably best to wait... (If the package upgrade works as expected, OpenVPN would automatically start back up afterwards, so you'd presumably just see a slight pause in your ssh session and then resume normal operation... but if anything goes wrong with the upgrade, you'd be in trouble)

Nathan
Re: [Openvpn-users] How to enable timestamps in server logfile?
On Sat, Jun 18, 2022 at 23:20:54 +0200, Bo Berglund wrote:
> I looked in the file:
> /usr/lib/systemd/system/openvpn-server@.service
>
> and it contains this:
> [Service}
> ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
>
> So here I can remove the --suppress-timestamps argument, but does it cover BOTH
> of my two service instances??

(I don't use this feature personally, but based on my reading of the .service file:)

Assuming your setup has the two files /etc/openvpn/server/server.conf and /etc/openvpn/server/serverlocal.conf (and that the openvpn-server@.service file on your system is not too different than the one in the Focal package)... then yes, the openvpn-server@.service covers both of your service instances.

Basically when you try to start the "openvpn-server@serverlocal" service, systemd uses the "openvpn-server@.service" file with a parameter of "serverlocal" (which is then substituted in for the "%i" specifier within the .service file).

(You can read more about this functionality by searching for the word "template" in the systemd.unit man page)

Nathan
Re: [Openvpn-users] How to enable timestamps in server logfile?
On Sun, Jun 19, 2022 at 23:03:15 +0200, Bo Berglund wrote:
> I get this:
>
> dpkg -L openvpn | grep systemd.*openv
> /lib/systemd/system-generators/openvpn-generator
> /lib/systemd/system/openvpn.service
> /lib/systemd/system/openvpn@.service
> /usr/lib/systemd/system/openvpn-client@.service
> /usr/lib/systemd/system/openvpn-server@.service
>
> and:
>
> ls -l $(dpkg -L openvpn | grep systemd.*open)
> -rwxr-xr-x 1 root root 899 Feb 19 2019 /lib/systemd/system-generators/openvpn-generator
> -rw-r--r-- 1 root root 320 Feb 19 2019 /lib/systemd/system/openvpn.service
> -rw-r--r-- 1 root root 914 Feb 19 2019 /lib/systemd/system/openvpn@.service
> -rw-r--r-- 1 root root 702 Feb 19 2019 /usr/lib/systemd/system/openvpn-client@.service
> -rw-r--r-- 1 root root 824 Jun 18 23:26 /usr/lib/systemd/system/openvpn-server@.service
[...]
> I get this:
>
> apt-cache policy openvpn
> openvpn:
>   Installed: 2.4.7-xenial0
>   Candidate: 2.4.7-xenial0
>   Version table:
>  *** 2.4.7-xenial0 100
>         100 /var/lib/dpkg/status
>      2.4.7-1ubuntu2.20.04.4 500
>         500 http://se.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
>         500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
>         500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
>         500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
>      2.4.7-1ubuntu2 500
>         500 http://se.archive.ubuntu.com/ubuntu focal/main amd64 Packages
>         500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
>
> I am not enough into Linux to get anything useful from this...
> Hopefully you can.

Well, I don't know how much difference it will make for your overall project, but this output shows that you are still running an old ("xenial") version of OpenVPN... and that package puts .service files under both /lib/ and /usr/lib/. So I think that explains the results you saw from your "find" commands.

I'm guessing you used a locally-built package for 2.4.7 under Xenial (since the Ubuntu repo for Xenial has version 2.3.10)... but the naming conventions clash ("-xenial0" is greater than "-1ubuntu" in the package version-string sort order) and so the system didn't automatically move to the Focal-provided package when you upgraded.

Anyway, unless you have a specific reason to stick with the -xenial package, you could go ahead and manually upgrade to the 2.4.7-1ubuntu2.20.04.4 version of the package... at which point all your .service files should appear together under /usr/lib/ (and from that point your system should automatically offer to update to newer versions of the package within Focal, if any someday get released).

Nathan
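The version ordering these messages keep coming back to ("2.4.7-xenial0" sorting above "2.4.7-1ubuntu2.20.04.4"), worked through as an added example that is not part of the original posts: a Python re-implementation of the Debian version comparison, plus a deliberately simplified model of how apt picks its candidate. Function names are hypothetical; versions and priorities are the ones in the quoted "apt policy" output, and the "20.04.5" entry is the hypothetical future release mentioned in the thread.

```python
import re
from functools import cmp_to_key


def _order(ch):
    """dpkg character weight: '~' sorts first, letters before other symbols."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; the end of a run weighs 0."""
    for k in range(max(len(a), len(b))):
        x = _order(a[k]) if k < len(a) else 0
        y = _order(b[k]) if k < len(b) else 0
        if x != y:
            return -1 if x < y else 1
    return 0


def _cmp_part(a, b):
    """Compare upstream or revision strings as alternating text/number runs."""
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    width = max(len(pa), len(pb))
    pa += [("", "")] * (width - len(pa))
    pb += [("", "")] * (width - len(pb))
    for (text_a, num_a), (text_b, num_b) in zip(pa, pb):
        result = _cmp_nondigit(text_a, text_b)
        if result:
            return result
        na, nb = int(num_a or 0), int(num_b or 0)   # a missing number counts as 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' at the first ':' and the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, in the spirit of 'dpkg --compare-versions'."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def apt_candidate(installed, available):
    """Simplified model of apt's choice (an assumption of this example).

    A version older than the installed one is ignored unless its pin
    priority is at least 1000; among the rest the highest priority wins,
    with ties going to the highest version. The installed version itself
    takes part with priority 100, as in the quoted 'apt policy' output.
    """
    pool = list(available)
    if installed is not None:
        pool = [(v, p) for v, p in pool
                if p >= 1000 or compare_versions(v, installed) >= 0]
        pool.append((installed, 100))
    if not pool:
        return None
    top = max(p for _, p in pool)
    versions = [v for v, p in pool if p == top]
    return max(versions, key=cmp_to_key(compare_versions))


# Version table from the quoted Focal "apt policy" output.
FOCAL = [("2.4.7-1ubuntu2.20.04.4", 500), ("2.4.7-1ubuntu2", 500)]

if __name__ == "__main__":
    print(compare_versions("2.4.7-xenial0", "2.4.7-1ubuntu2.20.04.4"))
    print(apt_candidate("2.4.7-xenial0", FOCAL))   # package stays "stuck"
    print(apt_candidate(None, FOCAL))              # fresh install
```

The revision "xenial0" begins with a letter while "1ubuntu2.20.04.4" begins with a digit, so the comparison is decided by the first character: an empty text run sorts below "x". That is why the installed package keeps being selected and no longer follows Focal's updates until the Ubuntu version is forced once.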
Re: [Openvpn-users] How to enable timestamps in server logfile?
On Sat, Jun 18, 2022 at 19:03:48 +0200, Bo Berglund wrote:
> On Sat, 18 Jun 2022 13:46:09 +, tincantech via Openvpn-users wrote:
> >If you want your log-file to contain time-stamps then edit the file:
> >/lib/systemd/system/openvpn-server@.service
> >remove '--supress-timestamps'
>
> I cannot find such a file...
>
> bosse@ubuntuserv:/lib/systemd/system$ ls -la open*
> -rw-r--r-- 1 root root 987 Jan 19 2021 open-iscsi.service
> -rw-r--r-- 1 root root 489 Jul 12 2021 open-vm-tools.service
> -rw-r--r-- 1 root root 320 Feb 19 2019 openvpn.service
> -rw-r--r-- 1 root root 914 Feb 19 2019 openvpn@.service
>
> And:
>
> bosse@ubuntuserv:/lib/systemd$ find ./ -name "openvpn*"
> ./system/openvpn@.service
> ./system/openvpn.service
> ./system-generators/openvpn-generator

I'm no expert on systemd's inner workings, but do have OpenVPN running on a Ubuntu Focal/20.04 box.

What do you get if you run these commands on your system?:

  $ dpkg -L openvpn | grep systemd.*openv
  $ ls -l $(dpkg -L openvpn | grep systemd.*open)

On my system with openvpn 2.4.7-1ubuntu2.20.04.3 currently installed, I get:

==
$ dpkg -L openvpn | grep systemd.*openv
/lib/systemd/system/openvpn-client@.service
/lib/systemd/system/openvpn-server@.service
/lib/systemd/system/openvpn.service
/lib/systemd/system/openvpn@.service
/lib/systemd/system-generators/openvpn-generator
$ ls -l $(dpkg -L openvpn | grep systemd.*open)
-rwxr-xr-x 1 root root 899 Jul 19 2021 /lib/systemd/system-generators/openvpn-generator
-rw-r--r-- 1 root root 688 Jul 19 2021 /lib/systemd/system/openvpn-client@.service
-rw-r--r-- 1 root root 810 Jul 19 2021 /lib/systemd/system/openvpn-server@.service
-rw-r--r-- 1 root root 299 Jul 19 2021 /lib/systemd/system/openvpn.service
-rw-r--r-- 1 root root 946 Jul 19 2021 /lib/systemd/system/openvpn@.service
==

So it seems that my Ubuntu OpenVPN package does install the /lib/systemd/system/openvpn-server@.service file.

(What does "apt-cache policy openvpn" say on your system?)

Nathan
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, Feb 11, 2022 at 19:18:32 +0100, Gert Doering wrote:
> On Fri, Feb 11, 2022 at 07:10:17PM +0100, Bo Berglund wrote:
> > The output of tcpdump is saved to the file:
> > http://blog.boberglund.com/tcpdump.log
> >
> > Does this show anything valuable?
>
> It says
>
> 18:58:12.150535 ip: 192.168.119.216.2049 > 10.8.139.3.942: Flags [P.], seq 29:53, ack 289, win 508, options [nop,nop,TS val 3346628708 ecr 3593052701], length 24: NFS reply xid 955890808 reply ERR 20: Auth Bogus Credentials (seal broken)
>
> so it's not a firewall or routing thing, but you *do* talk to the

I noticed that the tcpdump gives the packet destination address of 10.8.139.3, but didn't see that IP mentioned in the mount/export commands.

Is there NAT configured somewhere in the middle of this connection, or something like that?

Nathan
Re: [Openvpn-users] (no subject)
On Thu, Dec 02, 2021 at 23:42:04 +, tincantech via Openvpn-users wrote:
>
> On Thursday, December 2nd, 2021 at 22:44, Stella Ashburne wrote:
> > OK. I surfed to
> > https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html which I
> > guess is the latest version of man page of OpenVPN 2.5, right?
> > According to it, "push-peer-info" is a server option.
>
> That is the latest.
>
> What it says is: --push-peer-info
> * Push additional information about the client to server. The
>   following data is always pushed to the server..
>
> It clearly states "Push *additional* information about the client to server".

I believe that what Stella is commenting on is the fact that --push-peer-info is listed in the "Server Options" section of the man page rather than the "Client Options" section.

Nathan
Re: [Openvpn-users] Triple Device/Server Configuration
On Sun, Mar 14, 2021 at 22:05:38 -0600, Eric Schoeller wrote:
> This gets a little sloppy with the need to have multiple
> tunnels/networks on each machine, but it works and resolves the
> problem of having 'Server A' become unavailable - B and C can still
> communicate.
>
> Is there a better way to do this? Somehow having all three machines
> participate in the same network?

For what it's worth, depending on how tied you are to using OpenVPN, you might find that tinc works better for this particular application. In particular, tinc can build a mesh network between all nodes in the network, rather than being limited to client-server relationships between pairs of nodes.

https://tinc-vpn.org/

Nathan
Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support --"TAP support removal" rumor
On Wed, Apr 29, 2020 at 05:34:14 -0400, Jonathan K. Bullard wrote:
> Hi,
>
> On Wed, Apr 29, 2020 at 3:43 AM Gert Doering wrote:
> > On Wed, Apr 29, 2020 at 09:03:20AM +0200, free...@tango.lu wrote:
> > > Which makes me think OSPF is only possible with the old tap interfaces,
> > > what the OpenVPN dev team even want to remove in the future, why is
> > > there no proper support of OSPF in routed tun tunnels?
> >
> > Not sure where that rumor is coming from. No removal of TAP device
> > support is planned.
>
> I don't know where the rumor started, but I can understand why it is
> plausible:
>
> (A) The OpenVPN developers discourage the use of TAP connections,
> saying, for example "Layer 3 is for a number of reasons the better
> choice anyways" [1];
> (B) The "OpenVPN Connect" Android and iOS apps do not support TAP
> connections [1][2]; and
> (C) Apple has deprecated loading the system extension that Tunnelblick
> uses to create a TAP device and, on the latest version of macOS, pops
> up a warning saying the extension "will be incompatible with future
> versions of macOS" [3].

Expanding further on those points, there was a discussion of this topic here on this list back in March 2019, under the Subject "Removal of the TAP Bridge, Strange ARP issue and looking for solutions for an alternative Layer2 VPN", e.g.
https://sourceforge.net/p/openvpn/mailman/message/36606924/
or
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg04759.html .

That discussion makes clear that in fact OpenVPN _3_ specifically does *not* include support for TAP (at least as currently implemented).

The discussion does go on to explain that all releases of OpenVPN _2.x_ will continue to include TAP support and that v2 "will live for a long time to come"... but I can certainly understand "casual" users being confused by this distinction.

The OP in that thread did not give an explicit reference to the origin of his/her information regarding TAP support/"bridged networking", so I'm not sure what would have helped avoid the confusion there...

... but I searched around a bit in the Community Wiki and though there are a number of pages that mention specific OpenVPN 3 software packages, I didn't find any general page explaining the differences-between and future-plans-for the v2 and v3 (and "Connect") product lines, etc. -- something like that might help clear up (a little of) this sort of confusion.

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 15:06:38 -0400, Nathan Stratton Treadway wrote:
> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
> > On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> > >
> > > Would this second option be consistent with the fact that the failed
> > > setupapi log says the driver package was "already imported?
> >
> > Seems like it. You can use
> >
> > <https://github.com/mattock/tap-windows-scripts>
> >
> > to get rid of all tap-windows instances in the Driver Store. That's what
> > I use when I need to be 100% positive the latest driver version is
> > actually being used and not some cached version.
>
> Yeah, I will plan to do that once it seems like there's nothing more to
> learn investigating the system in its current state.

Okay, I took this approach, and now have a working OpenVPN installation on that system.

I started out by running the TAP-Windows -> "Delete ALL TAP virtual ethernet adapters" option of the Windows Start Menu.

Then, since I already knew from looking through the setupapi.dev.log file and the output of "pnputil" that the tap0901 driver was called "oem43" on that system, I just went ahead and deleted the driver directly (based on what the Remove-Tapwindows.ps1 script would have done):

  C:\WINDOWS\system32>c:\windows\system32\pnputil /delete-driver oem43.inf
  Microsoft PnP Utility

  Driver package deleted successfully.

In hindsight it looks like running the "add adapter" script would have done this automatically, but I went ahead and put the Win10 version of the driver back in the driver store by right-clicking on "C:\Program Files\TAP-Windows\driver\OemVista.inf" and choosing "Install" (since I knew that the files in that directory were indeed the Win10 versions).

And finally I added the virtual adapter back in by clicking on the TAP-Windows -> "Add a new TAP virtual Ethernet adapter" Start Menu entry.

At that point, the "TAP-Windows Provider V9" device showed up again in Device Manager with no warning triangle in the icon, and when I clicked on the OpenVPN icon it proceeded to start the VPN connection without any trouble.

So I think the situation is resolved on this machine. Given that we now have the correct driver files installed I am no longer able to do much testing related to the installer being confused by having the wrong ones in use... but I have kept copies of the various setupapi* log files, so let me know if I can provide any additional information.

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
> On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> > Anyway, I will see if I can determine anything by checking the timestamps
> > for the various c:\windows\ files mentioned in the log, etc.
>
> Ok, let me know what you find!

Just to close the loop on this part of the discussion: I don't know very much about the various flavors of "factory reset" for Windows 10 (using the HP Recovery Manager, in this case)... but looking through the setupapi.offline.log file, I can see that "sysreset.exe -continue" and related commands did a bunch of operations with various device drivers, and then mentioned those drivers again in
  >>> [Setup PnP Driver Store Property Apply - C:\$WINDOWS.~BT\NewOS\WINDOWS]
and
  >>> [Sysprep Specialize Offline - C:\$WINDOWS.~BT\NewOS\Windows]
sections -- and included in that batch of drivers being processed are mentions of the TAP-Window-related files (tap0901.*/oemvista.inf/oem43.inf... as well as the drivers for Network hardware devices).

So, in short, as far as I can figure the "factory reset" which the user performed did actually involve copying device drivers from the old installation, including the non-functioning versions of the TAP-Windows drivers.

It seems like the reset did get rid of some parts of the previous OS setup (since it cured the system crashes that were happening frequently beforehand), and it left the system looking "new" (users had to be created from scratch on the first boot, third-party applications were no longer installed, etc.). But it copied just enough of the previous OpenVPN installation that performing an apparently-from-scratch OpenVPN Windows 10 installer run resulted in the newly-created "TAP-Windows Adapter V9" device getting tied to the wrong tap0901.* files.

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 15:06:38 -0400, Nathan Stratton Treadway wrote:
> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
> > On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> > > Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
> > > inside the TAP-Windows installer, or is that generated dynamically at
> > > installer-execution time?
> >
> > I have absolutely no idea. We don't actively create such identifiers,
> > identifiers so I have to assume it's Windows.
>
> Well, I guess the interesting thing is that the same directory name was
> used on both the failing- and succeeding-installation machines. So I
> guess it is baked into the driver-installer somewhere (unlike the
> "c:\windows\inf\oem*.inf" name used, which was different between the two
> machines). But I'm wondering whether or not that directory name is
> constant across tap-windows versions, etc.

(Looking through the setupapi.offline.log file [and the DriverStore\FileRepository\ directory in general], it seems like the part of this name before the "_amd64" is taken from the name of the .inf file originally used in the installation process -- and that the usual convention is to have a driver-specific name for the file, e.g. "geminilakesystem.inf" or "cannonlake-lpsystemthermal.inf" .

I don't know that changing the name would directly have made any difference in our case, but as long as you are looking at changing the generation of the .inf files, I wondered if it would make sense for the TAP-Windows installer to use a more descriptive name than "oemvista.inf"...?)

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Sat, Apr 04, 2020 at 20:02:02 -0400, Selva Nair wrote:
> Yes, the win7 installer will run on windows 10 and install the wrong driver
> causing the signature error seen in device manager.
>

Ah, right, thanks. (I did see your earlier message but missed the specific mention in there about the Win7 installer running under Win10.)

Given that, it seems pretty likely that the explanation for our situation was a combination of running the wrong OpenVPN installer the first time, then assuming that the "factory reset" would completely blow away all of the existing Windows installation when in fact parts were preserved across the reset.

Anyway, (Samuli) would it be possible for the OpenVPN installer to double-check that it was running in the correct environment before proceeding with the installation? That would presumably have avoided the broken driver situation in the first place (in our case, at least).

(Separately, the previously-discussed tweaks to the .inf file so that Windows actually replaces an incorrect driver with the correct one would be useful to get out of the situation, however one originally got into it.)

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Sat, Apr 04, 2020 at 18:40:06 -0400, Selva Nair wrote:
> Is it possible that the user might have mistakenly installed the windows 7
> version of 2.4.8 on this machine before the reset? The fact that the
> offending .sys file and inf came back via the ~BT folder seems to indicate
> it
> was saved by the reset process and then copied back in.

The user did try to install OpenVPN before the reset, so I guess it's possible.

If one downloads the openvpn-install-2.4.8-I602-Win7.exe by mistake, will it actually run (and proceed with installing things) under Windows 10?

> It could be that the process was not really a factory reset (not sure
> whether you
> already said otherwise) or the factory version has some program that
> this driver with the same inf file. Though it would sound strange to
> distribute a
> a cross-signed driver with Windows 10, there are some old flavours
> of Windows 10 where such a driver works, iirc.

We were operating under the assumption that the reset process resulted in a clean installation of Windows 10... but that assumption could certainly be incorrect. (I'll see if I can find out more.)

>
> Can you check whether the offending .sys is in use by any devices?
> driverquery utility
> may in windows 10 probably help.

After the OpenVPN Win10 installer completed running, the tap0901.sys driver was in use by the "TAP-Windows Adapter V9" device created by that installer. (That's the device that showed up in Device Manager with the yellow-triangle icon and unable-to-verify-signature warning message.)

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 14:56:05 -0400, Nathan Stratton Treadway wrote:
[mystery files found pre-installed on the computer with broken TAP-Windows:]
> Directory of C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
> 10/31/2019 02:11 AM 10,042 tap0901.cat
> 10/31/2019 02:09 AM 30,720 tap0901.sys
>
> The sha1sums of the two versions of the file are:
> =
> $ sha1sum *{program,system32}*tap09*
> 42189b6a1b8c736397113bfc2283f5e1e1a44e8e failed_program-files_tap0901.sys
> [the 39,920-byte file]
> 841a86f416a882b0743fd6d9c9f29baf3ed06b6a failed_system32-drivers_tap0901.sys
> [the 30,720-byte file]
> =
>
>
> So.. do you recognize this 30,720-byte file at all, or have any ideas
> where it might have originated from?

It occurred to me that even though we don't need to install OpenVPN on a Windows 7 box I could go ahead and download the Win7 installer and see if the embedded TAP driver files match the ones included there.

Short answer: yes, the mystery files are exactly the same as the ones in that installer.

So, that doesn't really tell us how those driver files got installed on the box before OpenVPN was ever installed -- but at least it tells us exactly which files were involved.

Nathan

Here's the transcript of the check:

First, the sha1sums of the "bad" files pulled out of the DriverStore\... directory:

  $ sha1sum failed_system32-driverstore_*
  d85f4e65fe10f13ded1780ddbd074edfc75f2d25 failed_system32-driverstore_oemvista.inf
  d99e38968de1ca1850971a2b81bfdab49626aaed failed_system32-driverstore_tap0901.cat
  841a86f416a882b0743fd6d9c9f29baf3ed06b6a failed_system32-driverstore_tap0901.sys

... and the original Windows timestamps:

  C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
  03/27/2020 11:09 AM .
  03/27/2020 11:09 AM ..
  10/31/2019 02:09 AM 7,537 oemvista.inf
  03/27/2020 11:09 AM 8,828 oemvista.PNF
  10/31/2019 02:11 AM 10,042 tap0901.cat
  10/31/2019 02:09 AM 30,720 tap0901.sys

Then, unpack the Win7 installer and check the files inside it:

  $ sha1sum openvpn-install-2.4.8-I602-Win7.exe
  8c9f28d7bdbb4613777a9741809e34b91fd45a0f openvpn-install-2.4.8-I602-Win7.exe

  $ 7z e openvpn-install-2.4.8-I602-Win7.exe '$TEMP/tap-windows.exe'

  7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
  p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

  Processing archive: openvpn-install-2.4.8-I602-Win7.exe

  Extracting $TEMP/tap-windows.exe

  Everything is Ok

  Size: 575288
  Compressed: 4322568

  $ ls -l
  total 4788
  -rw-rw-r-- 1 nathanst nathanst 4322568 Apr 4 14:28 openvpn-install-2.4.8-I602-Win7.exe
  -rw-rw-r-- 1 nathanst nathanst 575288 Oct 31 03:34 tap-windows.exe

  $ sha1sum tap-windows.exe
  f0fd7873544739a0cac4cf93e446efe629c00668 tap-windows.exe

  $ 7z x tap-windows.exe

  7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
  p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

  Processing archive: tap-windows.exe

  [ ... bunch of files extracted; once again, I had to choose the "A(u)to rename all" option because the various flavors all try to unpack into the same subdirectories ... ]

  $ cd */driver
  [ ... the first-level subdirectory name is non-ascii, so use a wildcard to get down into the second-level "driver" subdirectory ... ]

  $ grep amd *.inf
  OemVista.inf: %Provider% = tap0901, NTamd64
  OemVista.inf:[tap0901.NTamd64]

  $ file tap0901.*
  tap0901.cat: data
  tap0901.sys: PE32+ executable (native) x86-64, for MS Windows

  $ ls -l {OemVista,tap0901}.*
  -rw-rw-r-- 1 nathanst nathanst 7537 Oct 31 02:09 OemVista.inf
  -rw-rw-r-- 1 nathanst nathanst 10042 Oct 31 02:11 tap0901.cat
  -rw-rw-r-- 1 nathanst nathanst 30720 Oct 31 02:09 tap0901.sys

  $ sha1sum {OemVista,tap0901}.*
  d85f4e65fe10f13ded1780ddbd074edfc75f2d25 OemVista.inf
  d99e38968de1ca1850971a2b81bfdab49626aaed tap0901.cat
  841a86f416a882b0743fd6d9c9f29baf3ed06b6a tap0901.sys

So, the unpacked-from-archive timestamps and the sha1sums match for all three files.
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
I received an off-list reply stating:
> On Fri, Apr 03, 2020 at 18:43:31 -0400, Nathan Stratton Treadway wrote:
> >Based on a quick glance, it looks this log file shows a bunch of
> >drivers getting installed from this c:\$WINDOWS.~BT\ directory
> >into the C:\windows directory. Does this ring a bell with anyone?
>
> That's the place Windows stored upgrade files for the 7/8 -> 10 free
> upgrade.

This particular machine was new in Dec 2019 and as far as I can tell it never had any form of Windows 7 or 8 installed on it.

However, on 3/26 the user did do a "factory reset" operation to achieve a fresh install of Windows 10, which I guess involves running the Windows installer off of a hidden partition on the disk drive, so perhaps that process also uses a c:\$WINDOWS.~BT\ directory?

But that still leaves unanswered the question why the Win7 version of the tap0901 driver was somehow included as part of that process.

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 01:33:11 -0400, Nathan Stratton Treadway wrote: > = > $ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned > --- setupapi_TAP-Windows_succeeded.log_cleaned2020-04-02 > 00:18:12.0 -0400 > +++ setupapi_TAP-Windows_failed.log_cleaned 2020-04-02 00:19:09.0 > -0400 > @@ -1,5 +1,5 @@ > >>> [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901] > ->>> Section start 2020/03/13 HH:MM:SS.sss > +>>> Section start 2020/03/27 HH:MM:SS.sss >cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install > "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901 > ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf > ndv: Install flags: 0x0001 > @@ -9,19 +9,13 @@ > dvi: {Build Driver List} HH:MM:SS.sss > dvi: Searching for hardware ID(s): > dvi:tap0901 > - sig: {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss > - sig:Key = oemvista.inf > - sig:FilePath = c:\program > files\tap-windows\driver\oemvista.inf > - sig:Catalog = c:\program > files\tap-windows\driver\tap0901.cat > - sig:Success: File is signed in catalog. > - sig: {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss > dvi: Created Driver Node: > dvi:HardwareID - tap0901 > dvi:InfName - c:\program > files\tap-windows\driver\oemvista.inf > dvi:DevDesc - TAP-Windows Adapter V9 > dvi:Section - tap0901.ndi > dvi:Rank - 0x00ff > - dvi:Signer Score - WHQL > + dvi:Signer Score - Authenticode > dvi:DrvDate - 09/27/2019 > dvi:Version - 9.24.2.601 > dvi: {Build Driver List - exit(0x)} HH:MM:SS.sss 
> @@ -40,70 +34,15 @@ > ndv: Inf Name - oemvista.inf > ndv: Driver Date- 09/27/2019 > ndv: Driver Version - 9.24.2.601 > + ndv: Driver package > 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf' > is already imported. > sto: {Setup Import Driver Package: c:\program > files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss > - inf: Provider: TAP-Windows Provider V9 > - inf: Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} > - inf: Driver Version: 09/27/2019,9.24.2.601 > - inf: Catalog File: tap0901.cat > - sto: {Copy Driver Package: c:\program > files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss [...] > + sto: Driver package already imported as 'oem43.inf'.

I am still not sure exactly how oem48.inf came to be pre-loaded on this computer, but at this point it seems like an important question is "how does Windows decide a driver package is 'already loaded'?"

When I looked around on the machine while the TAP driver was broken, I believe that the oemvista.inf file that got pre-installed was identical to the one distributed in the openvpn-install-2.4.8-I602-Win10.exe file... while obviously the two tap0901.* files were different.

So I'm wondering if Windows just does some sort of file compare on the .inf files and concludes "no work to do here" if they match?

Whatever the mechanism Windows uses, it seems maybe the .inf files could be tweaked in some way between the Win7 and Win10 packages so that if the wrong one is pre-installed Windows goes ahead and uninstalls that version rather than leaving it unchanged...

Nathan
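The by-hand diff of the two setupapi logs in the message above can be scripted. The following is an added example, not code from the thread or from the OpenVPN project: it splits setupapi.dev.log text into sections and reports tap0901 installs showing the markers that distinguish the failed log (driver package already imported, signer score other than WHQL, no successful catalog check). The sample log is constructed from the lines quoted in the thread with made-up timestamps; the function names and the choice of these three markers as signals are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of setupapi.dev.log. The content lines are
# taken from the diff quoted in the thread; the timestamps are invented because
# the thread masks them as HH:MM:SS.sss.
SAMPLE_LOG = r"""
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/13 10:00:00.000
     dvi: Searching for hardware ID(s):
     dvi:      tap0901
     sig: {_VERIFY_FILE_SIGNATURE} 10:00:00.100
     sig:      Key      = oemvista.inf
     sig:      Success: File is signed in catalog.
     sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 10:00:00.200
     dvi:      Signer Score - WHQL
     dvi:      Version      - 9.24.2.601
<<<  Section end 2020/03/13 10:00:05.000
<<<  [Exit status: SUCCESS]

>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/27 11:09:00.000
     dvi: Searching for hardware ID(s):
     dvi:      tap0901
     dvi:      Signer Score - Authenticode
     dvi:      Version      - 9.24.2.601
     ndv: Driver package 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf' is already imported.
     sto: Driver package already imported as 'oem43.inf'.
<<<  Section end 2020/03/27 11:09:05.000
<<<  [Exit status: SUCCESS]
"""

SECTION_RE = re.compile(r"^>>>\s+\[(?P<title>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\S+ \S+)")
SCORE_RE = re.compile(r"Signer Score\s*-\s*(?P<score>\S+)")
IMPORTED_RE = re.compile(r"already imported as '(?P<inf>[^']+)'")
SIGNED_OK = "Success: File is signed in catalog"


@dataclass
class Section:
    """One '>>> [ ... ]' section of the log, reduced to the fields of interest."""
    title: str
    started: str = ""
    signer_score: str = ""
    signature_verified: bool = False
    reused_inf: str = ""

    def findings(self):
        """Return the markers that set the failed install apart in the thread."""
        out = []
        if self.reused_inf:
            out.append(f"driver store package reused as {self.reused_inf}")
        if self.signer_score and self.signer_score != "WHQL":
            out.append(f"signer score is {self.signer_score}, not WHQL")
        if not self.signature_verified:
            out.append("no successful catalog signature check logged")
        return out


def parse_sections(text):
    """Split log text into Section objects, one per '>>> [title]' header."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = Section(title=header.group("title"))
            sections.append(current)
            continue
        if current is None:
            continue  # text before the first section header
        start = START_RE.match(line)
        if start:
            current.started = start.group("ts")
        score = SCORE_RE.search(line)
        if score:
            current.signer_score = score.group("score")
        imported = IMPORTED_RE.search(line)
        if imported:
            current.reused_inf = imported.group("inf")
        if SIGNED_OK in line:
            current.signature_verified = True
    return sections


def suspect_installs(text, hardware_id="tap0901"):
    """List (section start, findings) for installs of hardware_id with findings."""
    return [
        (s.started, s.findings())
        for s in parse_sections(text)
        if hardware_id in s.title and s.findings()
    ]


if __name__ == "__main__":
    for started, findings in suspect_installs(SAMPLE_LOG):
        print(started)
        for item in findings:
            print("  -", item)
```
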
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 23:26:46 +0200, Gert Doering wrote:
> Hi,
>
> On Fri, Apr 03, 2020 at 05:04:51PM -0400, Nathan Stratton Treadway wrote:
> > Just to wrap up a few loose ends: the 10,042-byte tap0901.cat file
> > from the DriverStore... directory _does_ seem to have the unwanted
> > "OpenVPN, Inc." signature:
>
> Now things are starting to get interesting... just this minute, I
> get a question on IRC (#openvpn-devel)
>
> 23:06 < kitsune1> Anyone knows why Kaspersky anti virus includes tapwindows
> driver (looks like 9.23.x). I'm running into a conflict
> with
> it and OpenVPN 2.4.8 install on a Windows machine. No tap
> adapter shows up (except the one Kaspersky installed) and
> services dont start etc.. Struggling with this for a user
> over a remote line.. sigh..
>
> any chance that you have Kaspersky on the problematic Win10 machines?

I am not sure if this relates in any way to the Kaspersky situation... but I did just track down a little bit of hint as to the origin of the incorrect driver files on our failing box.

Specifically, I discovered that there was a file C:\Windows\INF\setupapi.offline.log which is dated 03/26/2020 04:04 PM, so right in sync with the 03/26/2020 04:03 PM timestamp for the bizarre oem43.inf file.

Sure enough, tap0901 is mentioned in that file:

  >>> [Import Driver Package - C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf]
  >>> Section start 2020/03/26 12:03:38.780
  os: Version = 10.0.18362, Service Pack = 0.0, Suite = 0x0100, ProductType = 1, Architecture = amd64
  cmd:C:\$WINDOWS.~BT\Work\8281DF86-CE40-4716-9BC0-D8633386BCF0\dismhost.exe {7EE7940C-F55C-48C2-BD75-FFE81BDC58C9}
  sto: Driver Store = C:\$WINDOWS.~BT\NewOS\Windows\System32\DriverStore (10.0.18362)
  sto: Driver Package = C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf
  sto: Architecture = amd64
  sto: Flags = 0x0040
  inf: Provider = TAP-Windows Provider V9
  inf: Class GUID = {4d36e972-e325-11ce-bfc1-08002be10318}
  inf: Driver Version = 09/27/2019,9.24.2.601
  inf: Catalog File = tap0901.cat
  [...]

(I guess the timestamps in the log are 4 hours earlier than the file timestamps, for some reason...)

Based on a quick glance, it looks like this log file shows a bunch of drivers getting installed from this c:\$WINDOWS.~BT\ directory into the C:\windows directory. Does this ring a bell with anyone?

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 23:26:46 +0200, Gert Doering wrote:
> Hi,
>
> On Fri, Apr 03, 2020 at 05:04:51PM -0400, Nathan Stratton Treadway wrote:
> > Just to wrap up a few loose ends: the 10,042-byte tap0901.cat file
> > from the DriverStore... directory _does_ seem to have the unwanted
> > "OpenVPN, Inc." signature:
>
> Now things are starting to get interesting... just this minute, I
> get a question on IRC (#openvpn-devel)
>
> 23:06 < kitsune1> Anyone knows why Kaspersky anti virus includes tapwindows
> driver (looks like 9.23.x). I'm running into a conflict
> with
> it and OpenVPN 2.4.8 install on a Windows machine. No tap
> adapter shows up (except the one Kaspersky installed) and
> services dont start etc.. Struggling with this for a user
> over a remote line.. sigh..
>
> any chance that you have Kaspersky on the problematic Win10 machines?

That sounds very similar, but as far as I can tell Kaspersky is NOT installed on the box in question.

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 14:56:05 -0400, Nathan Stratton Treadway wrote:
> However, when I search under c:\windows\, the tap0901.sys files found
> are different:
>
> =
> C:\Windows>dir /s tap0901.*
> Volume in drive C is Windows
> Volume Serial Number is 0687-5D0C
>
> Directory of C:\Windows\System32\drivers
> 10/31/2019 02:09 AM 30,720 tap0901.sys
> 1 File(s) 30,720 bytes
>
> Directory of C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
> 10/31/2019 02:11 AM 10,042 tap0901.cat
> 10/31/2019 02:09 AM 30,720 tap0901.sys
> 2 File(s) 40,762 bytes
>
> Total Files Listed:
> 3 File(s) 71,482 bytes
> 0 Dir(s) 79,828,119,552 bytes free
> =
>

Just to wrap up a few loose ends: the 10,042-byte tap0901.cat file from the DriverStore... directory _does_ seem to have the unwanted "OpenVPN, Inc." signature:

=
$ ls -l failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat
-rw-rw-r-- 1 nathanst nathanst 10042 Apr 3 16:22 failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat

$ sha1sum failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat
d99e38968de1ca1850971a2b81bfdab49626aaed failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat

$ strings failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat | grep "OpenVPN\|Code Sign"
"DigiCert EV Code Signing CA (SHA2)0
OpenVPN Inc.1
OpenVPN Inc.0
"DigiCert EV Code Signing CA (SHA2)0
"DigiCert EV Code Signing CA (SHA2)
=

As I mentioned in the previous email, the oemvista.inf_amd64_6d4bec28a2ef0cdf has a timestamp which coincides with the moment that the OpenVPN installer was being run. However, I noticed that the oem43.inf file does have an earlier timestamp:

=
Directory of c:\windows\inf
03/26/2020 04:03 PM 7,537 oem43.inf
03/27/2020 11:09 AM 8,828 oem43.PNF
=

... though weirdly Windows on that box was reinstalled in the _morning_ of 3/26, and 16:03 doesn't correspond to any entries at all in the setupapi.dev.log file (which jumps from 2020/03/26 12:30:18 in one entry to 2020/03/27 07:50:45 in the next). So it doesn't quite seem like oem43.inf would have been created during the initial reinstall of Windows, but I also don't know what would have created it later that day...

The c:\windows\inf\oem43.inf file is identical to the one in C:\Program Files\TAP-Windows\driver:

=
$ sha1sum failed_windows-inf_oem43.inf failed_program-files_OemVista.inf
d85f4e65fe10f13ded1780ddbd074edfc75f2d25 failed_windows-inf_oem43.inf
d85f4e65fe10f13ded1780ddbd074edfc75f2d25 failed_program-files_OemVista.inf
=

... but I suppose that might just indicate that the Win7 and Win10 versions of that file are identical (if in fact the \windows\inf\ copy came from the Win7 drivers somehow).

Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote: > Hi, > > On 02/04/20 22:07, Nathan Stratton Treadway wrote: > > > > Would this second option be consistent with the fact that the failed > > setupapi log says the driver package was "already imported"? > > Seems like it. You can use > > <https://github.com/mattock/tap-windows-scripts> > > to get rid of all tap-windows instances in the Driver Store. That's what > I use when I need to be 100% positive the latest driver version is > actually being used and not some cached version. Yeah, I will plan to do that once it seems like there's nothing more to learn investigating the system in its current state. > > > Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded > > inside the TAP-Windows installer, or is that generated dynamically at > > installer-execution time? > > I have absolutely no idea. We don't actively create such identifiers, > so I have to assume it's Windows. Well, I guess the interesting thing is that the same directory name was used on both the failing- and succeeding-installation machines. So I guess it is baked into the driver-installer somewhere (unlike the "c:\windows\inf\oem*.inf" name used, which was different between the two machines). But I'm wondering whether or not that directory name is constant across tap-windows versions, etc. Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
ccur, and the spot at the end of the file where the various strings that appear to be related to the signing certificate in the Oct 23/39,920-byte version of the file has no similar strings in this Oct 31 version.) (Actually, if I run a diff on the "strings" output from the two .sys files, the _only_ difference is that the older file has all the Microsoft-signing-related strings at the end of the output; if I compare the hexdumps of the two files only a few scattered bytes are different in the first 30,720 bytes of each.) Interestingly, though, the oemvista.inf_amd64_6d4bec28a2ef0cdf directory seems to have a timestamp from when the OpenVPN installer was run: = Directory of C:\Windows\System32\DriverStore\FileRepository 03/27/2020 11:09 AM oemvista.inf_amd64_6d4bec28a2ef0cdf = ... but I can't say if the directory was newly created then, or just modified. The sha1sums of the two versions of the file are: = $ sha1sum *{program,system32}*tap09* 42189b6a1b8c736397113bfc2283f5e1e1a44e8e failed_program-files_tap0901.sys [the 39,920-byte file] 841a86f416a882b0743fd6d9c9f29baf3ed06b6a failed_system32-drivers_tap0901.sys [the 30,720-byte file] = So.. do you recognize this 30,720-byte file at all, or have any ideas where it might have originated from? (I'll continue looking through the various directories under \Windows\ to see if I can find any more clues.) Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 21:16:48 +0300, Samuli Seppänen wrote: > The installer I extracted had a sha1sum of > > 9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d > > That matches the sha1sum of openvpn-install-2.4.8-i602-Win10.exe's which > I just a few minutes ago downloaded from the official download page and > our alternative download server: Yes, this matches the other copies of the installer we have (though unfortunately on the machine where this failed, the installer .exe file was not saved, so I guess there is some remote possibility that it was not the same file, somehow). > > <https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe> > <https://build.openvpn.net/downloads/releases/openvpn-install-2.4.8-I601-Win10.exe> > > At this point I have no clue where a Windows 7 version of the driver > could have appeared from, unless: > > - The installer you're using is somehow accidentally not the correct one > - Windows has the Windows 7 driver hidden somewhere (Driver Store) Would this second option be consistent with the fact that the failed setupapi log says the driver package was "already imported"? Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded inside the TAP-Windows installer, or is that generated dynamically at installer-execution time? Anyway, I will see if I can determine anything by checking the timestamps for the various c:\windows\ files mentioned in the log, etc. Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 20:17:23 +0300, Samuli Seppänen wrote: > On 02/04/20 19:22, Nathan Stratton Treadway wrote: > > On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote: > >> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote: > >>> Hi, > >>> > >>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote: > >>>> So it does seem like the driver is signed by OpenVPN (and not > >>>> Microsoft)... but the version is 9.24. Does that mean it actually is > >>>> the "tap0901" driver, or can the tap-windows6 driver also have a version > >>>> of 9.24? > >>> > >>> All these are "tap-windows6", "tap0901". > >>> > >>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24 > >>> > >>> There used to be a tap-windows with NDIS5, but I think we never > >>> shipped a 2.4 installer with it - the installer versions with "-I001" > >>> in the name had tap5, the "I601, I602, ..." ones have tap6. > >> > >> Okay, thanks, that helps. > >> > >> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both > >> the Windows 7 and Windows 10 versions of the tap-windows6 driver? > >> > > > > Or, I guess a more precise question is: does the tapinstall.exe file > > included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I > > guess is tapinstall v602, right?) contain both Win 7 and Win 10 > > drivers? > > The OpenVPN installers should contain only Windows 7 (cross-signed) or > Windows 10 (attestation-signed) drivers in i386, amd64 and arm64 Are you saying that the openvpn-install-2.4.8-i602-Win10.exe installer should contain *only* the Win 10 version of the TAP-windows driver? If so, then the question is where the cross-signed driver is coming from on this box (which has never had any OpenVPN [or TAP] installer other than openvpn-install-2.4.8-i602-Win10.exe run on it)? > flavors. Verifying that is fairly easy by extracting the installer with > p7zip and checking the signatures of all the *.cat files in it. 
p7zip on my Ubuntu box (Xenial) refused to open the .exe file, as did 7zr ("Can not open file as archive"). Can you send a pointer to a website which discusses the type of unpacking-of-installer-file you are talking about? (Note that I don't run Windows myself, and only have limited access to the Windows machines in question.) Thanks. Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote: > On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote: > > Hi, > > > > On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote: > > > So it does seem like the driver is signed by OpenVPN (and not > > > Microsoft)... but the version is 9.24. Does that mean it actually is > > > the "tap0901" driver, or can the tap-windows6 driver also have a version > > > of 9.24? > > > > All these are "tap-windows6", "tap0901". > > > > 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24 > > > > There used to be a tap-windows with NDIS5, but I think we never > > shipped a 2.4 installer with it - the installer versions with "-I001" > > in the name had tap5, the "I601, I602, ..." ones have tap6. > > Okay, thanks, that helps. > > So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both > the Windows 7 and Windows 10 versions of the tap-windows6 driver? > Or, I guess a more precise question is: does the tapinstall.exe file included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I guess is tapinstall v602, right?) contain both Win 7 and Win 10 drivers? Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote: > Hi, > > On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote: > > So it does seem like the driver is signed by OpenVPN (and not > > Microsoft)... but the version is 9.24. Does that mean it actually is > > the "tap0901" driver, or can the tap-windows6 driver also have a version > > of 9.24? > > All these are "tap-windows6", "tap0901". > > 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24 > > There used to be a tap-windows with NDIS5, but I think we never > shipped a 2.4 installer with it - the installer versions with "-I001" > in the name had tap5, the "I601, I602, ..." ones have tap6. Okay, thanks, that helps. So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both the Windows 7 and Windows 10 versions of the tap-windows6 driver? Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 08:47:57 +0300, Samuli Seppänen wrote: > I looked at Ralf's logs and they show that - for whatever reason - the > tap-windows installer chose to install the Windows 7 version of > tap-windows6 on those Windows 10 instances. The Digital signer in the > device properties should show "Microsoft Windows Hardware > Compatibility Publisher" (=attestation signature), not "OpenVPN Inc" > (cross-signed). I looked at the Properties for the "TAP-Windows Adapter V9" device in Device Manager. The Driver tab shows: Driver Provider: TAP-Windows Provider V9 Driver Date: 9/27/2019 Driver version: 9.24.2.601 Digital Signer: OpenVPN Inc. So it does seem like the driver is signed by OpenVPN (and not Microsoft)... but the version is 9.24. Does that mean it actually is the "tap0901" driver, or can the tap-windows6 driver also have a version of 9.24? Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 08:47:57 +0300, Samuli Seppänen wrote: > difference is. Or maybe something changed in Windows which causes this > misbehavior. Fully removing all traces of tap-windows6 from the system, > e.g. with Remote-Tapwindows.ps1: > > <https://github.com/mattock/tap-windows-scripts> > > Can you guys try if that full removal helps with this? You are saying we should try using that script to fully remove the tap driver, then try running the OpenVPN installer again? (Or, is there some tap-driver-only installer that it would be more helpful for us to be running instead, at this point?) Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 10:03:40 +0300, Samuli Seppänen wrote: > Hi, > > On 02/04/20 08:33, Nathan Stratton Treadway wrote: > > On Wed, Apr 01, 2020 at 11:14:08 -0400, Nathan Stratton Treadway wrote: > >> I should be able to get the setupapi.dev.log files from both of the > >> machines if that would be helpful. > > > > I extracted the section of the setupapi.dev.log files related to the > > TAP-Windows installation from each of the systems in question, and then > > to try to spot the functional differences between the two, I ran the > > following commands to mask off the timestamps contained within the log: > > > > $ sed "s/10:50:03\/HH:MM:SS.sss/g" setupapi_TAP-Windows_succeeded.log > > > setupapi_TAP-Windows_succeeded.log_cleaned > > $ sed "s/11:09:33\/HH:MM:SS.sss/g" setupapi_TAP-Windows_failed.log > > > setupapi_TAP-Windows_failed.log_cleaned > > > > and then compared the two "_cleaned" files: > > > > = > > $ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned > > --- setupapi_TAP-Windows_succeeded.log_cleaned 2020-04-02 > > 00:18:12.0 -0400 > > +++ setupapi_TAP-Windows_failed.log_cleaned 2020-04-02 00:19:09.0 > > -0400 > > @@ -1,5 +1,5 @@ > > >>> [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901] > > ->>> Section start 2020/03/13 HH:MM:SS.sss > > +>>> Section start 2020/03/27 HH:MM:SS.sss > >cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install > > "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901 > > ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf > > ndv: Install flags: 0x0001 
> > @@ -9,19 +9,13 @@ > > dvi: {Build Driver List} HH:MM:SS.sss > > dvi: Searching for hardware ID(s): > > dvi:tap0901 > > - sig: {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss > > - sig:Key = oemvista.inf > > - sig:FilePath = c:\program > > files\tap-windows\driver\oemvista.inf > > - sig:Catalog = c:\program > > files\tap-windows\driver\tap0901.cat > > - sig:Success: File is signed in catalog. > > - sig: {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss > > dvi: Created Driver Node: > > dvi:HardwareID - tap0901 > > dvi:InfName - c:\program > > files\tap-windows\driver\oemvista.inf > > dvi:DevDesc - TAP-Windows Adapter V9 > > dvi:Section - tap0901.ndi > > dvi:Rank - 0x00ff > > - dvi:Signer Score - WHQL > > + dvi:Signer Score - Authenticode > > Your problem seems to be the same as Ralf's (see my other email). The > NSIS installer chose to install the Windows 7 version of tap-windows6 on > this Windows 10 instance, and that will not work. > > WHQL = attestation signed > Authenticode = cross-signed Sorry, I don't know much about NSIS operation: is tap-windows6 driver included in the openvpn-install-2.4.8-i602-Win10.exe installer? > > > dvi:DrvDate - 09/27/2019 > > dvi:Version - 9.24.2.601 > > dvi: {Build Driver List - exit(0x)} HH:MM:SS.sss 
> > @@ -40,70 +34,15 @@ > > ndv: Inf Name - oemvista.inf > > ndv: Driver Date- 09/27/2019 > > ndv: Driver Version - 9.24.2.601 > > + ndv: Driver package > > 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf' > > is already imported. > > sto: {Setup Import Driver Package: c:\program > > files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss > > - inf: Provider: TAP-Windows Provider V9 > > - inf: Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} > > - inf: Driver Version: 09/27/2019,9.24.2.601 > > - inf: Catalog File: tap0901.cat > > - sto: {Copy Driver Package: c:\program > > files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss > > - sto:Driver Package = c:\program > > files\tap-windows\driver\oemvista.inf > > - sto:Flags = 0x0007 > > [... skipping the copying of all the driver files, etc...] > > - sto:
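As an added example, not code from the thread or from the OpenVPN project: the timestamp masking and section comparison described in this message, generalized to mask every time of day and to pull the signer score, Driver Store reuse and catalog check out of each device-install section. The sample log is constructed from the lines quoted above with invented times of day, and all function names are hypothetical.

```python
import re

# Constructed sample: two abridged device-install sections modelled on the
# setupapi.dev.log lines quoted in the thread; the times of day are invented.
SAMPLE_LOG = r"""
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/13 10:50:03.101
     sig: {_VERIFY_FILE_SIGNATURE} 10:50:03.120
     sig:      Success: File is signed in catalog.
     dvi:      Signer Score - WHQL
     dvi:      Version      - 9.24.2.601
     sig: Installed catalog 'tap0901.cat' as 'oem128.cat'.
     dvi: Driver INF Path: C:\windows\INF\oem128.inf
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/27 11:09:33.482
     dvi:      Signer Score - Authenticode
     dvi:      Version      - 9.24.2.601
     ndv: Driver package 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf' is already imported.
     sto: Driver package already imported as 'oem43.inf'.
     dvi: Driver INF Path: C:\WINDOWS\INF\oem43.inf
"""

TIME_RE = re.compile(r"\b\d{2}:\d{2}:\d{2}\.\d+")
HEADER_RE = re.compile(r"^>>>\s+\[(?P<title>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<date>\d{4}/\d{2}/\d{2})")
FIELD_RES = {
    "signer_score": re.compile(r"Signer Score\s+-\s+(\S+)"),
    "version": re.compile(r"\bVersion\s+-\s+(\S+)"),
    "inf_path": re.compile(r"Driver INF Path:\s+(\S+)"),
    "imported_as": re.compile(r"already imported as '([^']+)'"),
}


def mask_timestamps(text):
    """Replace every HH:MM:SS.fraction so two logs can be diffed line by line."""
    return TIME_RE.sub("HH:MM:SS.sss", text)


def parse_sections(text):
    """Split the log on '>>>  [...]' headers and collect the signing-related fields."""
    sections, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"title": header.group("title"), "start": None,
                       "catalog_verified": False, **dict.fromkeys(FIELD_RES)}
            sections.append(current)
            continue
        if current is None:
            continue  # text before the first section header
        start = START_RE.match(line)
        if start:
            current["start"] = start.group("date")
            continue
        if "File is signed in catalog" in line:
            current["catalog_verified"] = True
        for key, pattern in FIELD_RES.items():
            found = pattern.search(line)
            if found and current[key] is None:  # keep the first occurrence
                current[key] = found.group(1)
    return sections


def findings(section):
    """Return the observations that set the failing install apart in the thread."""
    notes = []
    if section["signer_score"] and section["signer_score"] != "WHQL":
        notes.append(f"signer score is {section['signer_score']}, not WHQL")
    if section["imported_as"]:
        notes.append(f"package reused from the Driver Store as {section['imported_as']}")
    if not section["catalog_verified"]:
        notes.append("no successful _VERIFY_FILE_SIGNATURE entry in this section")
    return notes


def differing_fields(a, b):
    """Names of the parsed fields whose values differ between two sections."""
    return sorted(key for key in a if a[key] != b[key])


if __name__ == "__main__":
    good, bad = parse_sections(SAMPLE_LOG)
    print("fields that differ:", differing_fields(good, bad))
    for section in (good, bad):
        print(section["start"], findings(section) or "nothing flagged")
```
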
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Apr 02, 2020 at 12:14:07 +0100, tincanteksup wrote: > > > On 02/04/2020 06:47, Samuli Seppänen wrote: > >Hi, > > > > > > > > >I looked at Ralf's logs and they show that - for whatever reason - the > >tap-windows installer chose to install the Windows 7 version of > >tap-windows6 on those Windows 10 instances. The Digital signer in the > >device properties should show "Microsoft Windows Hardware > >Compatibility Publisher" (=attestation signature), not "OpenVPN Inc" > >(cross-signed). > > Is this possibly related to a Windows 7 machine being updated to > Windows 10 ? At least in our case, no -- we're hitting this problem on a system that never had Windows 7 installed. Nathan
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Wed, Apr 01, 2020 at 11:14:08 -0400, Nathan Stratton Treadway wrote: > I should be able to get the setupapi.dev.log files from both of the > machines if that would be helpful. I extracted the section of the setupapi.dev.log files related to the TAP-Windows installation from each of the systems in question, and then to try to spot the functional differences between the two, I ran the following commands to mask off the timestamps contained within the log: $ sed "s/10:50:03\/HH:MM:SS.sss/g" setupapi_TAP-Windows_succeeded.log > setupapi_TAP-Windows_succeeded.log_cleaned $ sed "s/11:09:33\/HH:MM:SS.sss/g" setupapi_TAP-Windows_failed.log > setupapi_TAP-Windows_failed.log_cleaned and then compared the two "_cleaned" files: = $ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned --- setupapi_TAP-Windows_succeeded.log_cleaned 2020-04-02 00:18:12.0 -0400 +++ setupapi_TAP-Windows_failed.log_cleaned 2020-04-02 00:19:09.0 -0400 @@ -1,5 +1,5 @@ >>> [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901] ->>> Section start 2020/03/13 HH:MM:SS.sss +>>> Section start 2020/03/27 HH:MM:SS.sss cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901 ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf ndv: Install flags: 0x0001 
@@ -9,19 +9,13 @@ dvi: {Build Driver List} HH:MM:SS.sss dvi: Searching for hardware ID(s): dvi:tap0901 - sig: {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss - sig:Key = oemvista.inf - sig:FilePath = c:\program files\tap-windows\driver\oemvista.inf - sig:Catalog = c:\program files\tap-windows\driver\tap0901.cat - sig:Success: File is signed in catalog. - sig: {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss dvi: Created Driver Node: dvi:HardwareID - tap0901 dvi:InfName - c:\program files\tap-windows\driver\oemvista.inf dvi:DevDesc - TAP-Windows Adapter V9 dvi:Section - tap0901.ndi dvi:Rank - 0x00ff - dvi:Signer Score - WHQL + dvi:Signer Score - Authenticode dvi:DrvDate - 09/27/2019 dvi:Version - 9.24.2.601 dvi: {Build Driver List - exit(0x)} HH:MM:SS.sss 
@@ -40,70 +34,15 @@ ndv: Inf Name - oemvista.inf ndv: Driver Date- 09/27/2019 ndv: Driver Version - 9.24.2.601 + ndv: Driver package 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf' is already imported. sto: {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss - inf: Provider: TAP-Windows Provider V9 - inf: Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} - inf: Driver Version: 09/27/2019,9.24.2.601 - inf: Catalog File: tap0901.cat - sto: {Copy Driver Package: c:\program files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss - sto:Driver Package = c:\program files\tap-windows\driver\oemvista.inf - sto:Flags = 0x0007 [... skipping the copying of all the driver files, etc...] - sto: {DRIVERSTORE IMPORT END} HH:MM:SS.sss - dvi: Flushed all driver package files to disk. Time = 16 ms - sig: Installed catalog 'tap0901.cat' as 'oem128.cat'. - sto: {DRIVERSTORE IMPORT END: exit(0x)} HH:MM:SS.sss - sto:{Core Driver Package Import: exit(0x)} HH:MM:SS.sss - sto: {Stage Driver Package: exit(0x)} HH:MM:SS.sss + sto: Driver package already imported as 'oem43.inf'. sto: {Setup Import Driver Package - exit (0x)} HH:MM:SS.sss dvi: Searching for hardware ID(s): dvi: tap0901 dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}. dvi: {Plug and Play Service: Device Install for ROOT\NET\} - dvi: Driver INF Path: C:\windows\INF\oem128.inf + dvi: Driver INF Path: C:\WINDOWS\INF\oem43.inf dvi: Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901, dvi: Driver Store Path: C:\windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf dvi: Searching for hardware
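Review bot: the third hunk (@@ -40,70 +34,15 @@) is hand-elided on its removed side at "[... skipping the copying of all the driver files, etc...]", so it no longer carries the 70 old lines its header declares and the skipped staging steps of the succeeding install cannot be compared with the failing one; posting the two complete _cleaned files next to the excerpt would fix that. Read together with the second hunk, the lines that carry the finding are the removed "sig: {_VERIFY_FILE_SIGNATURE}" block, "Signer Score - WHQL" becoming "Authenticode", and the added "Driver package already imported as 'oem43.inf'.": the failing run logs no catalog check of its own and reuses a package that was already in the Driver Store.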
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
On Thu, Mar 26, 2020 at 17:11:27 +0200, Samuli Seppänen wrote: > On 26/03/20 15:47, Ralf Hildebrandt wrote: > > As you might have heard this covid19 thingy is forcing (our) users to > > work from home. > > > > We're using openvpn (in the meantime we deployed three openvpn servers > > to handle the load and have optimised the scripts to lower the overall > > latency upon execution), and recently we encountered massive problems with > > openvpn 2.4.8 on Windows 10. The bundled TAP32 Adapter is having > > issues (little yellow triangle with an exclamation mark in the device > > manager). > > Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or > some of the affected computers? Or just the part of it which describes > the failed tap-windows6 installation (rather easy to find). We've just hit what I assume is the same problem at our site. Interestingly we have two "twin" Windows 10 machines (same model purchased at the same time), but OpenVPN installed fine on one and had the problem on the other. (Specifically on the failed machine the TAP-Windows Adapter V9 entry in the Device Manager has a Device Status of "Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)".) On both of these machines OpenVPN had never been installed before the recent installation. I should be able to get the setupapi.dev.log files from both of the machines if that would be helpful. Nathan
Re: [Openvpn-users] Connection attempts to seemingly random IP addresses
On Mon, Feb 10, 2020 at 12:00:32 +0100, Reto Schneider wrote: > addresses it never should. The devices it is running on are Yocto based, > embedded, 32bit MIPS and deployed in remote networks which are not under > my control. [...] > 5) Optional: Wifi comes up again, interface gets IP address and route > assigned (dhcpcd logs): [...] > 6) OpenVPN suddenly tries to connect to a faulty IP: [...] > In this case there seems to be a correlation to the router IP address in > 5), but I have many more examples of inexplicable IP addresses (e.g. > 1.1.1.11, 212.27.38.252, 192.168.246.123, ...), all of which are > definitely not assigned to example.com. How much do you know about the remote (Wifi) networks these clients are connecting to? Is there a correlation between the different inexplicable IP addresses used and the particular remote network for that client? In particular I'm wondering if these are networks where when you first connect all traffic is directed to an "accept our terms of service" page. (In this case, it would seem to involve overriding DNS responses from the network's local DNS server(s) so all domain names point to the local IP of the system hosting that page.) Nathan
[Openvpn-users] changing DH parameters from 1024 to 2048 bits?
On Sun, Mar 29, 2015 at 14:12:01 +0200, Steffan Karger wrote: > That was probably NIST SP 800-57, section 6.5.1 [1], which states > 15360-bit DH or RSA has the same security level as AES256. Both finite > field problems (such as DH) and integer factorization (such as RSA) are > placed in the same league. So yes, to achieve an equal security level, > you should choose your DH group the same size as your RSA modulus. [...]> > both RSA and DH are completely broken [3]. Which makes it from my point > of view very reasonable to choose a security level similar to AES-128 > for your DH parameters or RSA modulus. On a related topic: I am running a small OpenVPN network that's been in place for a while now. At some point we'll probably upgrade to a new VPN server and start over with a new PKI infrastructure, but in the short term I was looking for simple changes to make the existing setup more secure. Given the web-industry move to 2048 SSL certificates these days it seems an obvious change to switch our newly issued client certificates to using 2048-bit keys instead of the previous 1024-bit size. As Jack mentioned the EasyRSA setup is to use the same DH parameter size as the RSA key size -- which raises the question of what to do with the DH parameter when one is using different-sized RSA keys... I did general web research but didn't come across any discussions that directly covered my situation, so I was wondering: * Am I correct that the DH and RSA operations are separate and the bit size used for one doesn't affect the work of the other? That is, the idea behind having the DH and RSA sizes be the same is simply that doing so means the two "links in the chain" are about the same strength and thus neither one is an obviously-easier target for attack? * Assuming that's true, is there any reason I can't/shouldn't make things a little stronger by switching to a 2048-bit dh param file on my server (for use with both existing 1024-bit and future 2048-bit RSA client certificates)? Thanks. Nathan
Re: [Openvpn-users] Does traffic in client-to-client config go through the server?
On Wed, Jun 11, 2014 at 01:12:05 +0300, Mike Josh wrote: > > OpenVPN is not a peer-to-peer VPN solution (by design). > > This means that I cannot tell Alice's client to communicate directly > with Bob's? > > I'm not saying that each instance of OpenVPN should be both, a client > and a server. I'm talking about a central server that authorises clients > and then allows them to communicate with each other directly. If this VPN exists just for this gaming purpose (and you aren't using OpenVPN for some other reason), you might want to give the tinc VPN package a look. Tinc specifically does support "mesh" communications among the VPN nodes. http://www.tinc-vpn.org/ Nathan