Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-19 Thread Jason Long via Openvpn-users
> On 19.08.23 10:02, Bo Berglund wrote:
>> On Sat, 19 Aug 2023 07:03:01 +0000 (UTC), Jason Long via Openvpn-users
>> wrote:
>>> I have some other questions:
>>> 1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now,
>>>    I must change the "ccd" directory to "Server", but how about the file name
>>>    under the "Server" directory?
>>
>> WHAT?
>>
>> The ccd directory is defined in the server.conf file and could be named whatever
>> you like. It has NOTHING whatever to do with the CommonName in any certificate
>> or such!
>
> To add to that, we're talking about the *CA* cert here (in spite of its
> CN reading "Server") and the CA isn't going to connect to the VPN
> server, so having a CCD¹ *whatever* to match its CN isn't going to do
> anything ever.
>
> ¹ That *does* still stand for "(Per-)*Client* Configurations Directory",
> right? :-3
>
>>> 2- Suppose you want to configure a server. Can you show me the names you
>>>    enter for the commands below?
>>>
>>> # ./easyrsa build-ca nopass
>>> ...
>>> Common Name (eg: your user, host, or server name) [Easy-RSA CA]: "Your_Name"
>
> Binect Exasperation CA - A
>
> (When rotating CA certs, we "increment" the trailing letter.)
>
>>> # ./easyrsa gen-req "Your_Name" nopass
>>> # ./easyrsa sign-req server "Your_Name"
>
> exavpn.binect.de
>
>>> # ./easyrsa gen-req "Your_Name" nopass
>>> # ./easyrsa sign-req client "Your_Name"
>
> These create a *client* cert, which is unnecessary to "configure a
> *server*", strictly speaking.
>
> Since you seem to plan to have a boatload of CCD files, which need to be
> named after the client certs' CN, I would probably revise my previous
> suggestion of "Jason Long's private cell phone" and go with something
> like "JasonLong_privCell" instead.
>
> Not that it should be much news to you how *I* would name CA, server,
> and client certs, respectively, if you had read my previous posts ...
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

Hi Jochen,
Excuse me, I'm confused. I asked:

"If CN's name is Server, then I must change the ccd directory to Server? Am I 
right?"

Answer:

"If that's what the Subject CN of the cert you want to use as a client cert 
says, then yes, that's it. Of course, looking at a file "ca.crt" and seeing a 
CN "Server" for what is supposed to be the *client's* cert is botched twelve 
ways to Gehenna and back and will perpetually confuse anyone trying to debug 
your final setup..."


Please clarify this for me. To use the --ccd-exclusive statement, I must create
a directory under the /etc/openvpn directory:

1- Is the name of that directory important or not? Must its name be "CCD" or
the CN's name, or could it be anything?

2- After the directory, I must create a file under it. How about the name of
that file? Is the name of that file important or not?

3- For the "Common Name (eg: your user, host, or server name) [Easy-RSA CA]:"
question, I can enter my name or anything, and the name that I entered could be
used for the following commands, but it is not mandatory. Am I right?

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req server "Your_Name"

4- The names that I must enter for the following commands must be the same. Right?

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req server "Your_Name"



 
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-19 Thread Jochen Bern

On 19.08.23 10:02, Bo Berglund wrote:
> On Sat, 19 Aug 2023 07:03:01 +0000 (UTC), Jason Long via Openvpn-users
> wrote:
>> I have some other questions:
>> 1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now,
>>    I must change the "ccd" directory to "Server", but how about the file name
>>    under the "Server" directory?
>
> WHAT?
>
> The ccd directory is defined in the server.conf file and could be named whatever
> you like. It has NOTHING whatever to do with the CommonName in any certificate
> or such!

To add to that, we're talking about the *CA* cert here (in spite of its
CN reading "Server") and the CA isn't going to connect to the VPN
server, so having a CCD¹ *whatever* to match its CN isn't going to do
anything ever.

¹ That *does* still stand for "(Per-)*Client* Configurations Directory",
right? :-3

>> 2- Suppose you want to configure a server. Can you show me the names you enter
>>    for the commands below?
>>
>> # ./easyrsa build-ca nopass
>> ...
>> Common Name (eg: your user, host, or server name) [Easy-RSA CA]: "Your_Name"

Binect Exasperation CA - A

(When rotating CA certs, we "increment" the trailing letter.)

>> # ./easyrsa gen-req "Your_Name" nopass
>> # ./easyrsa sign-req server "Your_Name"

exavpn.binect.de

>> # ./easyrsa gen-req "Your_Name" nopass
>> # ./easyrsa sign-req client "Your_Name"

These create a *client* cert, which is unnecessary to "configure a
*server*", strictly speaking.

Since you seem to plan to have a boatload of CCD files, which need to be
named after the client certs' CN, I would probably revise my previous
suggestion of "Jason Long's private cell phone" and go with something
like "JasonLong_privCell" instead.

Not that it should be much news to you how *I* would name CA, server,
and client certs, respectively, if you had read my previous posts ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-19 Thread Bo Berglund
On Sat, 19 Aug 2023 07:03:01 +0000 (UTC), Jason Long via Openvpn-users wrote:

> Hello,
> I have some other questions:
>
> 1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now,
> I must change the "ccd" directory to "Server", but how about the file name
> under the "Server" directory?
>

WHAT?

The ccd directory is defined in the server.conf file and could be named whatever
you like. It has NOTHING whatever to do with the CommonName in any certificate
or such!

If you have several servers running (like I do) then you define *different* ccd
directories in the *different* server1.conf, server2.conf etc files.
This tells the OpenVPN service where to look for client specific configurations
when the client connects. That is all.

I cannot understand how this can be a hard thing to grasp and how you come back
time and time again mixing in misconception after misconception...

Maybe you are really just trolling the mail list?



-- 
Bo Berglund
Developer in Sweden




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-19 Thread Jason Long via Openvpn-users
> On 18.08.23 21:22, Jason Long wrote:
>> 1- In the round-robin mechanism, we can use the same keys for our
>>    servers, but each client uses its own key.
>
> You *can* do that, yes.
>
> Since you apparently don't provide clients with a CRL or any other means
> to have server certs revoked, I guess it doesn't worsen your reaction
> time / options after a leaked server cert any *further*, anyway ...
>
>> 2- So, the name that I entered in the "Common Name (eg: your user,
>>    host, or server name) [Easy-RSA CA]:" question, must be used in
>>    the "./easyrsa gen-req NAME nopass" and "./easyrsa sign-req server
>>    NAME" commands. Right?
>
> NO. Reread what I wrote about the (hint: different) roles the certs
> generated by these two sets of commands have.
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

Hello,
I have some other questions:

1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now, 
I must change the "ccd" directory to "Server", but how about the file name 
under the "Server" directory?


2- Suppose you want to configure a server. Can you show me the names you enter 
for the commands below? 

# ./easyrsa build-ca nopass
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: "Your_Name"

# ./easyrsa gen-req "Your_Name" nopass 

# ./easyrsa sign-req server "Your_Name"

# ./easyrsa gen-req "Your_Name" nopass

# ./easyrsa sign-req client "Your_Name"



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-18 Thread Jochen Bern

On 18.08.23 21:22, Jason Long wrote:
> 1- In the round-robin mechanism, we can use the same keys for our
>    servers, but each client uses its own key.

You *can* do that, yes.

Since you apparently don't provide clients with a CRL or any other means
to have server certs revoked, I guess it doesn't worsen your reaction
time / options after a leaked server cert any *further*, anyway ...

> 2- So, the name that I entered in the "Common Name (eg: your user,
>    host, or server name) [Easy-RSA CA]:" question, must be used in
>    the "./easyrsa gen-req NAME nopass" and "./easyrsa sign-req server
>    NAME" commands. Right?

NO. Reread what I wrote about the (hint: different) roles the certs
generated by these two sets of commands have.

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-18 Thread Jason Long via Openvpn-users
On Fri, Aug 18, 2023 at 7:51 PM, Jochen Bern wrote:
> On 18.08.23 16:31, Jason Long wrote:
>> 1- So, if we have multiple servers, then it is better that the servers
>>    have the same key, but each client has its own key. Am I right?
>
> No.
>
> I said that *if* you want your clients to be able to replace one server
> with another dynamically, it may be a valid reason to have the *CN* in
> their server certs have *similarities* to each other (for
> "verify-x509-name ... name-prefix"), or be outright the same (other
> types of "verify-x509-name" checks).
>
> (Identical DNs/CNs technically still do not imply that the servers use
> the same keypair. And using the same keypair technically still does not
> imply that the servers use the same cert. Though we're going into the
> area of somewhat questionable setups there.)
>
>> 2- I can filter clients by MAC address
>
> No, you can't. If the VPN server can see the clients' MACs (*before* a
> VPN has been established *and* does *bridging*), there's no need to run
> a VPN between them in the first place.
>
>> 3- Can you introduce a tool to easily generate keys?
>
> You're already using EasyRSA, that's about as easy¹ as it gets. Not that
> the act of generating a keypair looks that much different between
> EasyRSA, plain OpenSSL, or more sophisticated PKI tools ...
>
> ¹ "Easy" as in "easy to understand and use manually". Automation and
> integration may yield something that's easier *to use and maintain
> long-term*, but since you're apparently unclear on what other systems
> you're going to integrate it *with* (see next question), we can't
> comment on that.
>
>> 4- You said " You need a PKI solution that doesn't just chuck new certs
>>    onto a local disk, but can feed it into whatever mechanism you use
>>    to keep the clients updated.", which mechanism?
>
> The mechanism that *you* are going to define (and, probably, build) that
> allows you to admin the clients you designed, and keeps the entire
> system from coming crashing down as soon as the first certificates'
> validity period ends.
>
> For example: a) Our staff is usually able to install a new client cert
> for their laptop's VPN connection to the company LAN themselves, so all
> we need *there* is an e-mailed reminder to IT that user XY will need a
> new cert in a couple weeks; but b) the firmware of the appliances we
> send to customers asks our servers "do I need to update something?"
> every morning, and if a VPN cert is running out, the servers i) verify
> that the customer's contract is still ongoing, ii) generate a new cert,
> and iii) inject it into a more general small-updates-offering mechanism
> that handles *all* config changes we hand to those appliances.
>
>> 5- When I use "./easyrsa build-ca nopass", then it asks me "Common Name
>>    (eg: your user, host, or server name) [Easy-RSA CA]:", and as you said,
>>    better not to use "server" as name. For example, I entered "Jason_Server"
>
> ... which should better read "Jason's CA" (yes, blanks are OK there), as
> it still hasn't anything to do with any servers ...
>
>>    then I must use "Jason_Server" in the "./easyrsa gen-req Jason_Server
>>    nopass" and "./easyrsa sign-req server Jason_Server" commands. Right?
>
> Now *those* commands actually *are* part of generating the *server*
> certificate, so having them say "server" makes sense, unlike in creating
> the CA cert above. (I would still prefer server certs to have an FQDN
> for a CN, though. Old habits die hard ...)
>
>> 6- Is this true for client too?
>
> Yes.
>
> (With the difference that VPN clients usually aren't expected to *have*
> a long-term-stable FQDN, so I would suggest naming the certs by user
> and/or device, like "Jason Long's private cell phone".)
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

Hi Jochen,
Thanks again.
1- In the round-robin mechanism, we can use the same keys for our servers, but
each client uses its own key.
2- So, the name that I entered in the "Common Name (eg: your user, host, or
server name) [Easy-RSA CA]:" question, must be used in the "./easyrsa gen-req
NAME nopass" and "./easyrsa sign-req server NAME" commands. Right?
  

Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-18 Thread Jochen Bern

On 18.08.23 16:31, Jason Long wrote:
> 1- So, if we have multiple servers, then it is better that the servers
>    have the same key, but each client has its own key. Am I right?

No.

I said that *if* you want your clients to be able to replace one server
with another dynamically, it may be a valid reason to have the *CN* in
their server certs have *similarities* to each other (for
"verify-x509-name ... name-prefix"), or be outright the same (other
types of "verify-x509-name" checks).

(Identical DNs/CNs technically still do not imply that the servers use
the same keypair. And using the same keypair technically still does not
imply that the servers use the same cert. Though we're going into the
area of somewhat questionable setups there.)

> 2- I can filter clients by MAC address

No, you can't. If the VPN server can see the clients' MACs (*before* a
VPN has been established *and* does *bridging*), there's no need to run
a VPN between them in the first place.

> 3- Can you introduce a tool to easily generate keys?

You're already using EasyRSA, that's about as easy¹ as it gets. Not that
the act of generating a keypair looks that much different between
EasyRSA, plain OpenSSL, or more sophisticated PKI tools ...

¹ "Easy" as in "easy to understand and use manually". Automation and
integration may yield something that's easier *to use and maintain
long-term*, but since you're apparently unclear on what other systems
you're going to integrate it *with* (see next question), we can't
comment on that.

> 4- You said " You need a PKI solution that doesn't just chuck new certs
>    onto a local disk, but can feed it into whatever mechanism you use
>    to keep the clients updated.", which mechanism?

The mechanism that *you* are going to define (and, probably, build) that
allows you to admin the clients you designed, and keeps the entire
system from coming crashing down as soon as the first certificates'
validity period ends.

For example: a) Our staff is usually able to install a new client cert
for their laptop's VPN connection to the company LAN themselves, so all
we need *there* is an e-mailed reminder to IT that user XY will need a
new cert in a couple weeks; but b) the firmware of the appliances we
send to customers asks our servers "do I need to update something?"
every morning, and if a VPN cert is running out, the servers i) verify
that the customer's contract is still ongoing, ii) generate a new cert,
and iii) inject it into a more general small-updates-offering mechanism
that handles *all* config changes we hand to those appliances.

> 5- When I use "./easyrsa build-ca nopass", then it asks me "Common Name
>    (eg: your user, host, or server name) [Easy-RSA CA]:", and as you said,
>    better not to use "server" as name. For example, I entered "Jason_Server"

... which should better read "Jason's CA" (yes, blanks are OK there), as
it still hasn't anything to do with any servers ...

>    then I must use "Jason_Server" in the "./easyrsa gen-req Jason_Server
>    nopass" and "./easyrsa sign-req server Jason_Server" commands. Right?

Now *those* commands actually *are* part of generating the *server*
certificate, so having them say "server" makes sense, unlike in creating
the CA cert above. (I would still prefer server certs to have an FQDN
for a CN, though. Old habits die hard ...)

> 6- Is this true for client too?

Yes.

(With the difference that VPN clients usually aren't expected to *have*
a long-term-stable FQDN, so I would suggest naming the certs by user
and/or device, like "Jason Long's private cell phone".)

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-18 Thread Jason Long via Openvpn-users
On Thu, Aug 17, 2023 at 5:32 PM, Jochen Bern wrote:
> On 17.08.23 14:12, Jason Long wrote:
>> It is even better if each server has its own separate keys.
>
> You didn't mention setting up multiple servers yet IIRC, but yes, same
> best practice there ... in principle.
>
> However, if you plan to instruct the clients to contact "*any* of
> servers you find available" (e.g., by Round Robin DNS), you need them
> all to pass the *exact same* server cert verification (like per
> "verify-x509-name ..."). That *might* justify having multiple servers
> use the same cert(s).
>
>> If the clients all use the same keys, then we can block any client
>> based on the IP address. It is true?
>
> The design decisions you've made so far suggest that your VPN clients
> will connect to the server from elsewhere than the site hosting your
> server - maybe not just any random StarDonalds at Shady Mall, but are
> you sure that you really can reliably identify them by their (public)
> IP? Will you personally deliver them to customer sites and nail them to
> a load-bearing wall?
>
>> 1- Is there a tool to facilitate key generation for a large number
>>    of clients?
>
> Yes, several. And I wouldn't have too much of a problem scripting such a
> run with nothing but bare OpenSSL, but.
>
> The point is that you need to bring those client cert+keys *onto the
> clients*, not just once, but every time the previous client cert
> approaches the end of its validity period. You need a PKI solution that
> doesn't just chuck new certs onto a local disk, but can feed it into
> whatever mechanism you use to keep the clients updated. And *then* one
> of these two systems needs to keep tabs on which clients *should* get a
> new cert (customers can terminate their contracts with you ...) and when.
>
>> 2- I've heard that OpenVPN can be configured to work with username and
>>    password instead of key-based authentication. Is this possible and
>>    recommended?
>
> I guess it's possible, but I don't run any such setup and thus can't
> comment on it.
>
>> 3- About the CN name, if I forget it, then if I open the "ca.crt" file
>>    and click on the Details tab and check the Issuer section, then this
>>    is the name that I have entered during generating the key?
>
> No. The name you enter during generation of keypair and cert goes to the
> cert's *Subject*, the Issuer is determined by the CA you use to sign the
> cert.
>
>> 4- If CN's name is Server, then I must change the ccd directory to
>>    Server? Am I right?
>
> If that's what the Subject CN of the cert you want to use as a client
> cert says, then yes, that's it.
>
> Of course, looking at a file "ca.crt" and seeing a CN "Server" for what
> is supposed to be the *client's* cert is botched twelve ways to Gehenna
> and back and will perpetually confuse anyone trying to debug your final
> setup ...
>
>> In which part of the document is this said?
>> https://community.openvpn.net/openvpn/wiki/HOWTO
>
> "The client must have a unique Common Name in its certificate ("client2"
> in our example) [...] The next step is to create a file called client2
> in the ccd directory."
> https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheclientsidewhenusingaroutedVPNdevtun
>
> It doesn't explain how to look up the CN of a certificate from a file
> containing it, though, because it assumes that you made sure to have it
> created and installed in the correct location with the intended CN
> "client2" beforehand and don't *need* to check "now which cert did this
> client happen to end up with?".
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

Hello,
Thanks again.
Your answers raised other questions for me:

1- So, if we have multiple servers, then it is better that the servers have the 
same key, but each client has its own key. Am I right?

2- I can filter clients by MAC address, but MAC spoofing is another problem!

3- Can you introduce a tool to easily generate keys?

4- You said " You need a PKI solution that doesn't just chuck new certs onto a 
local disk, but can feed it into whatever mechanism you use to keep the clients 
updated.", which mechanism?

5- When I use "./easyrsa build-ca nopass", then it asks me "Common Name (eg: 
your user, host, or server name) [Easy-RSA CA]:", and as you said, better not 
to use "server" as name. For example, I entered "Jason_Server", then I must use 
"Jason_Server" in the "./easyrsa gen-req Jason_Server nopass" and "./easyrsa 
sign-req server Jason_Server" commands. Right?

6- Is this true for client too? For example, "./easyrsa gen-req client_name 
nopass" and "./easyrsa sign-req client client_name".


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-17 Thread Gert Doering
Hi,

On Wed, Aug 16, 2023 at 10:23:40AM +0000, Jason Long wrote:
> enp0s8: flags=4163  mtu 1500
>         inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
> 
> So, what is the right IP for the following statement?
> 
> route 192.168.1.0 255.255.255.0

What do you want to *achieve* here?  "route" statements in OpenVPN config
tell OpenVPN "please route this *into the VPN*".

On the *Server*, if this is a local NIC, you do not want this "into the VPN".

> And about your second note, I must change the "/etc/openvpn/ccd/Test-PC" to 
> the CN in the client certificate. I opened the ca.crt file on the client and 
> clicked on the Details tab and it showed me "CN = Server". So, I must change 
> the "Test-PC" to "Server". Am I right?

If that is the CN of the cert the client uses, yes.  But *read the server
logs* (with verb 4).  It will tell you.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-17 Thread Bo Berglund
On Thu, 17 Aug 2023 12:12:13 +0000 (UTC), Jason Long via Openvpn-users wrote:

> Hello Jochen,
> Thanks again.
> Your words are true and I had asked such a question before. It is even better
> if each server has its own separate keys. If the clients all use the same
> keys, then we can block any client based on the IP address. It is true?
>
> 1- Is there a tool to facilitate key generation for a large number of clients?
>
> 2- I've heard that OpenVPN can be configured to work with username and password
> instead of key-based authentication. Is this possible and recommended?
>
> 3- About the CN name, if I forget it, then if I open the "ca.crt" file and click
> on the Details tab and check the Issuer section, then this is the name that I
> have entered during generating the key?
>
> 4- If CN's name is Server, then I must change the ccd directory to Server? Am
> I right?
> In which part of the document is this said?

Absolutely NOT!!!
You can use any dir name of your liking as the ccd dir, it is simply entered
into the server's conf file:

client-config-dir /etc/openvpn/ccdw

I use a different dir for each server instance so I have another too and
it is entered into that server's conf file:

client-config-dir /etc/openvpn/ccdl

> https://community.openvpn.net/openvpn/wiki/HOWTO
>
> Maybe I didn't pay attention!

I believe so :-(

By the questions you are asking it seems like you are not caring to actually
read the documentation and instead rely on some dubious googled websites that
are not even up-to-date...


-- 
Bo Berglund
Developer in Sweden
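
Bo's point is that `client-config-dir` is just a directive in the server's conf, and it is the files inside that directory that must carry the client certs' CNs. The shell script below is an added example for this page, not code from the thread or from OpenVPN: it reads `client-config-dir` and `ccd-exclusive` out of a server config and reports, for a list of CNs, which clients would get a per-client file and which `--ccd-exclusive` would refuse. Two assumptions are baked in and marked in the code: the directory path is absolute (OpenVPN resolves a relative one against its working directory), and OpenVPN maps characters outside letters, digits, `_`, `-`, `.` and `@` in the CN to `_` before the lookup, which is why a CN like "Jason Long's private cell phone" is awkward and "JasonLong_privCell" is not. Confirm that mapping against your own server's log at `verb 4` before relying on it. Any `DEFAULT` file in the directory is deliberately ignored here. The demo config and ccd files are constructed in a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN code): audit which client CNs
# a server config with --ccd-exclusive would accept, given its ccd directory.
set -u

# Print the argument of a directive in an OpenVPN config ('#'/';' comments skipped).
conf_value() {  # conf_value CONF DIRECTIVE
    awk -v k="$2" '$1 !~ /^[#;]/ && $1 == k { print $2; exit }' "$1"
}

# Succeed if the directive appears at all (used for flags like ccd-exclusive).
conf_has() {  # conf_has CONF DIRECTIVE
    awk -v k="$2" '$1 !~ /^[#;]/ && $1 == k { f = 1 } END { exit !f }' "$1"
}

# Map a certificate CN to the ccd file name OpenVPN looks for.
# ASSUMPTION: OpenVPN replaces every character outside [A-Za-z0-9_.@-] with '_'
# before building the path; case is kept. Confirm against your server log (verb 4).
ccd_name() {  # ccd_name CN
    printf '%s' "$1" | LC_ALL=C sed 's/[^A-Za-z0-9_.@-]/_/g'
}

# Report whether CN gets a per-client config. Exit 0 = would connect,
# 1 = would be refused (ccd-exclusive set, no file), 2 = nothing to audit.
# Any DEFAULT file is ignored. ASSUMPTION: client-config-dir is an absolute path.
ccd_check() {  # ccd_check CONF CN
    conf=$1; cn=$2
    dir=$(conf_value "$conf" client-config-dir)
    if [ -z "$dir" ]; then
        printf '%s: no client-config-dir in %s, nothing to audit\n' "$cn" "$conf"
        return 2
    fi
    f="$dir/$(ccd_name "$cn")"
    if [ -f "$f" ]; then
        printf '%s: OK, per-client config %s\n' "$cn" "$f"
        return 0
    elif conf_has "$conf" ccd-exclusive; then
        printf '%s: REFUSED, ccd-exclusive is set and %s does not exist\n' "$cn" "$f"
        return 1
    else
        printf '%s: connects with server defaults, %s does not exist\n' "$cn" "$f"
        return 0
    fi
}

# Constructed demo: a throwaway server.conf and ccd directory in a temp dir.
demo=$(mktemp -d)
mkdir "$demo/ccd"
printf '%s\n' 'port 1194' "client-config-dir $demo/ccd" 'ccd-exclusive' > "$demo/server.conf"
printf '%s\n' 'iroute 10.66.4.0 255.255.255.0' > "$demo/ccd/client2"  # constructed per-client config
: > "$demo/ccd/JasonLong_privCell"                                    # an empty file also counts
for cn in client2 JasonLong_privCell "Jason Long's private cell phone" Server; do
    ccd_check "$demo/server.conf" "$cn" || :
done
rm -rf "$demo"
```

Run against a real server: `ccd_check /etc/openvpn/server.conf "$(openssl x509 -in client.crt -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"` after stripping the CN out of that subject line; a client that shows up as REFUSED here is the one that will be told AUTH_FAILED by a `--ccd-exclusive` server.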





Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-17 Thread Bo Berglund
On Thu, 17 Aug 2023 12:17:06 +0000 (UTC), Jason Long via Openvpn-users wrote:

>>> 1- What is the difference between /etc/openvpn and /etc/openvpn/server
>>>    directories?
>>>    I put my server.conf file in the /etc/openvpn directory and it worked.
>>
>> You are running an *old* version of OpenVPN! The service infrastructure has
>> changed and OpenVPN now defaults to using two subdirectories (client and
>> server) to /etc/openvpn to handle the two different uses of it.
>> Please read up on how it works in the new docs.
>>
>>> 2- You said "./easyrsa sign-req client client", make those unique ideally
>>>    per device, not just per user. How to make it unique per user?
>>
>> You have to generate *separate* encryption files for each client where the CN
>> entry is *unique*, otherwise the server can never differentiate between them
>> and you cannot allow/block clients individually.
>> Also you open for abuse of your server.
>>
>>> If I have 1000 clients, then I must generate 1000 key files???
>>
>> Exactly!
>>
>>> 3- For the CA certificate, I must use "Server" not "server". May I ask why?
>>
>> So you are not aware that Linux is case sensitive?
>> "Server" is NOT equal to "server"...
>> So what you use depends on what *exact* name you set the CN to when
>> generating the files.
>
> Hello,
> Thank you so much.
> If I forget the CN name, then if I open the "ca.crt" file and click on the
> Details tab and check the Issuer section, then this is the name that I have
> entered during generating the key?

No-no-no!

We are talking about the CLIENTS here!
Every client must have a unique Common Name assigned to it
If anything the CN will be inside the ClientCN.crt, but you should really
consider keeping tabs on what you are doing...


For each *client* easyrsa generates a number of separate crypto files and the
common name (CN) is used in that process. The CN will be embedded in the files
itself but is also the name of the files being generated.

So in my case I have a directory where I manage the clients and where the client
files reside somewhere on the server.
Note that this location is NOT where the server runs! This is an admin location
and only the files needed for the OpenVPN server's operation will be copied to
the server's keys dir and the path entered into the server's conf file.

Each client in my case has 3 different files here (CommonName is the CN name of
each client):
CommonName.key
CommonName.crt
CommonName.csr

In the process of creating these the SERVER side ca.crt (or possibly ca.key) is
used to sign the client files (don't remember now since I have created a script
that handles it all when I need to make a new client).

Anyway the final job for you to do for each client is to assemble the files
into the client's ovpn file and it shall contain:
- The client configuration commands
- The server certificate
- The client certificate
- The client key
- The tls-auth OpenVPN static key if password protection of the ovpn file is
set.


-- 
Bo Berglund
Developer in Sweden
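
Bo's last paragraph describes assembling a client's files into one .ovpn. The shell snippet below is an added example for this page, not code from the thread, from Easy-RSA or from OpenVPN: it embeds the CA certificate, the client certificate, the client key and, optionally, the tls-auth static key as inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, keeps only the PEM part of each file (Easy-RSA's issued certificates carry a text dump in front of it), refuses to run on a missing or empty input so a profile never ships half-built, and chmods the result because it now holds the private key. The connection directives (`dev tun`, `proto udp`, port 1194, `remote-cert-tls server`) are the common defaults, `vpn.example.net` is a placeholder, and `key-direction 1` assumes the server side uses direction 0; adjust all of that to your server config. The input files in the demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread): build a single-file client profile with
# the certificate material inline, from the files Easy-RSA produced.
set -u

# Keep only the PEM block(s) of a file; Easy-RSA's issued/*.crt start with a text dump.
pem_only() {  # pem_only FILE
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# assemble_ovpn OUT REMOTE_HOST CA_CRT CLIENT_CRT CLIENT_KEY [TA_KEY]
# ASSUMPTIONS: server listens on udp/1194 with dev tun, and if tls-auth is used
# the server side has key-direction 0 (so the client gets 1). Adjust as needed.
assemble_ovpn() {
    out=$1; remote=$2; ca=$3; crt=$4; key=$5; ta=${6:-}
    for f in "$ca" "$crt" "$key" ${ta:+"$ta"}; do
        if [ ! -s "$f" ]; then
            printf 'assemble_ovpn: missing or empty input: %s\n' "$f" >&2
            return 1
        fi
    done
    {
        printf '%s\n' client 'dev tun' 'proto udp' "remote $remote 1194" \
            nobind persist-key persist-tun 'remote-cert-tls server' 'verb 3'
        printf '<ca>\n';   pem_only "$ca";  printf '</ca>\n'
        printf '<cert>\n'; pem_only "$crt"; printf '</cert>\n'
        printf '<key>\n';  pem_only "$key"; printf '</key>\n'
        if [ -n "$ta" ]; then
            printf 'key-direction 1\n<tls-auth>\n'; pem_only "$ta"; printf '</tls-auth>\n'
        fi
    } > "$out"
    chmod 600 "$out"   # the profile now contains the client's private key
}

# Succeed if FILE contains both the opening and closing tag of an inline SECTION.
ovpn_has_section() {  # ovpn_has_section FILE SECTION
    grep -q "^<$2>\$" "$1" && grep -q "^</$2>\$" "$1"
}

# Constructed placeholder inputs (not real keys) so the demo runs offline.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$demo/ca.crt"
printf '%s\n' 'Certificate:' '    Data: (text dump as written by Easy-RSA)' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT-CERT' '-----END CERTIFICATE-----' > "$demo/client2.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-CLIENT-KEY' '-----END PRIVATE KEY-----' > "$demo/client2.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$demo/ta.key"

assemble_ovpn "$demo/client2.ovpn" vpn.example.net \
    "$demo/ca.crt" "$demo/client2.crt" "$demo/client2.key" "$demo/ta.key"
cat "$demo/client2.ovpn"
rm -rf "$demo"
```

With a real Easy-RSA 3 tree the call is `assemble_ovpn client2.ovpn <server> pki/ca.crt pki/issued/client2.crt pki/private/client2.key ta.key`; the file name of the profile is free, it is the Subject CN inside `client2.crt` that the server's ccd lookup keys on.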





Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-17 Thread Jochen Bern

On 17.08.23 14:12, Jason Long wrote:
> It is even better if each server has its own separate keys.

You didn't mention setting up multiple servers yet IIRC, but yes, same
best practice there ... in principle.

However, if you plan to instruct the clients to contact "*any* of
servers you find available" (e.g., by Round Robin DNS), you need them
all to pass the *exact same* server cert verification (like per
"verify-x509-name ..."). That *might* justify having multiple servers
use the same cert(s).

> If the clients all use the same keys, then we can block any client
> based on the IP address. It is true?

The design decisions you've made so far suggest that your VPN clients
will connect to the server from elsewhere than the site hosting your
server - maybe not just any random StarDonalds at Shady Mall, but are
you sure that you really can reliably identify them by their (public)
IP? Will you personally deliver them to customer sites and nail them to
a load-bearing wall?

> 1- Is there a tool to fac, facilitate key generation for a large number
>    of clients?

Yes, several. And I wouldn't have too much of a problem scripting such a
run with nothing but bare OpenSSL, but.

The point is that you need to bring those client cert+keys *onto the
clients*, not just once, but every time the previous client cert
approaches the end of its validity period. You need a PKI solution that
doesn't just chuck new certs onto a local disk, but can feed it into
whatever mechanism you use to keep the clients updated. And *then* one
of these two systems needs to keep tabs on which clients *should* get a
new cert (customers can terminate their contracts with you ...) and when.

> 2- I've heard that OpenVPN can be configured to work with username and
>    password instead of key-based authentication. Is this possible and
>    recommended?

I guess it's possible, but I don't run any such setup and thus can't
comment on it.

> 3- About the CN name, if I forget it, then if I open the "ca.crt" file
>    and click on the Details tab and check the Issuer section, then this
>    is the name that I have entered during generating the key?

No. The name you enter during generation of keypair and cert goes to the
cert's *Subject*, the Issuer is determined by the CA you use to sign the
cert.

> 4- If CN's name is Server, then I must change the ccd directory to
>    Server? Am I right?

If that's what the Subject CN of the cert you want to use as a client
cert says, then yes, that's it.

Of course, looking at a file "ca.crt" and seeing a CN "Server" for what
is supposed to be the *client's* cert is botched twelve ways to Gehenna
and back and will perpetually confuse anyone trying to debug your final
setup ...

> In which part of the document is this said?
> https://community.openvpn.net/openvpn/wiki/HOWTO

"The client must have a unique Common Name in its certificate ("client2"
in our example) [...] The next step is to create a file called client2
in the ccd directory."

https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheclientsidewhenusingaroutedVPNdevtun

It doesn't explain how to look up the CN of a certificate from a file
containing it, though, because it assumes that you made sure to have it
created and installed in the correct location with the intended CN
"client2" beforehand and don't *need* to check "now which cert did this
client happen to end up with?".

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
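The two lookups Jochen describes above (the Issuer CN is the CA, not the name you typed; the ccd file is named after the *client* cert's Subject CN, which the HOWTO never shows how to read back out of a file) can be done with the openssl CLI. This is an added example, not code from the thread or from OpenVPN/Easy-RSA; it builds a throwaway CA and client cert in a temp directory ("Example CA" and "JasonLong_privCell" are constructed sample names) and /etc/openvpn/ccd is an assumed ccd directory.

```shell
#!/bin/sh
# Added example (not from the thread): read the Subject / Issuer CN out of PEM
# certificates with the openssl CLI and derive the OpenVPN ccd file name from
# the *client* cert's Subject CN. Everything runs against a throwaway PKI
# created in a temp directory; no real keys are touched.
set -eu

# cert_cn subject|issuer FILE.crt
# Prints the CN of the requested name field. sep_multiline puts every RDN on
# its own line, so a plain sed match on "CN=" works even when O/OU are present.
cert_cn() {
  openssl x509 -noout -nameopt sep_multiline -in "$2" "-$1" \
    | sed -n 's/^[[:space:]]*CN=//p'
}

# make_sample_pki DIR
# Constructed sample PKI: a CA whose CN actually says "CA" (as the thread
# recommends) and one per-device client cert signed by it. EC keys keep it fast.
make_sample_pki() {
  openssl req -x509 -nodes -days 2 -subj "/CN=Example CA" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -nodes -subj "/CN=JasonLong_privCell" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$1/client.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/client.crt" 2>/dev/null
}

# ccd_path_for CCD_DIR CLIENT.crt
# The file OpenVPN consults for a connecting client is named exactly after the
# client cert's Subject CN, so keep CNs to letters, digits, '_' and '-'.
ccd_path_for() {
  printf '%s/%s\n' "$1" "$(cert_cn subject "$2")"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; return 0; }
  dir=$(mktemp -d)
  make_sample_pki "$dir"
  echo "ca.crt     Subject CN: $(cert_cn subject "$dir/ca.crt")"
  echo "client.crt Subject CN: $(cert_cn subject "$dir/client.crt")"
  # Issuer is whoever signed the cert (the CA), never the name typed at gen-req.
  echo "client.crt Issuer  CN: $(cert_cn issuer "$dir/client.crt")"
  echo "ccd file to create:    $(ccd_path_for /etc/openvpn/ccd "$dir/client.crt")"
  rm -rf "$dir"
}

main
```

Point `cert_cn` at the real ca.crt and client cert to see which CN the client will actually present.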


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-17 Thread Jason Long via Openvpn-users
On Thu, Aug 17, 2023 at 8:24 AM, Bo Berglund
 wrote:On Wed, 16 Aug 2023 21:28:29 + (UTC), Jason 
Long via Openvpn-users
 wrote:

>> Hi Jochen, Thank you for your advice about the How-to articles. Can you answer
>> my questions?
>>
>> 1- What is the difference between /etc/openvpn and /etc/openvpn/server
>> directories?
>>    I put my server.conf file in the /etc/openvpn directory and it worked.
>
> You are running an *old* version of OpenVPN! The service infrastructure has
> changed and OpenVPN now defaults to using two subdirectories (client and server)
> to /etc/openvpn to handle the two different uses of it.
> Please read up on how it works in the new docs.
>
>> 2- You said "./easyrsa sign-req client client", make those unique ideally per
>> device, not just per user. How to make it unique per user?
>
> You have to generate *separate* encryption files for each client where the CN
> entry is *unique*, otherwise the server can never differentiate between them and
> you cannot allow/block clients individually.
> Also you open for abuse of your server.
>
>> If I have 1000 clients, then I must generate 1000 key files???
>
> Exactly!
>
>> 3- For the CA certificate, I must use "Server" not "server". May I ask why?
>
> So you are not aware that Linux is case sensitive?
> "Server" is NOT equal to "server"...
> So what you use depends on what *exact* name you set the CN to when generating
> the files.
>
> --
> Bo Berglund
> Developer in Sweden


Hello, Thank you so much. If I forget the CN name, then if I open the "ca.crt" 
file and click on the Details tab and check the Issuer section, then this is 
the name that I have entered during generating the key?



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-17 Thread Jason Long via Openvpn-users
On Thu, Aug 17, 2023 at 1:52 AM, Jochen Bern
 wrote:   On 16.08.23 23:28, Jason Long wrote:
>> 1- What is the difference between /etc/openvpn and /etc/openvpn/server
>> directories?
>
> The systemd "unit files" that define the templates for the services you
> "systemctl" later on used to expect all configs - whether for a server
> or a client instance - to be named /etc/openvpn/SomeInstanceName.conf ,
> i.e., configs for both modes would sit together. Later versions of
> systemd-enabled OpenVPN split that into /etc/openvpn/client and
> /etc/openvpn/server , respectively.
>
>>    I put my server.conf file in the /etc/openvpn directory and it worked.
>
> Then I'd say that your Debian 12 still uses the old convention, as did
> the how-to's Debian 10. (Over here, RHEL, Fedora, and IIRC Ubuntu as
> well take the new directories instead.)
>
>> 2- You said [...] make those unique ideally per device, not just per
>>    user. How to make it unique per user? If I have 1000 clients, then
>>    I must generate 1000 key files???
>
> Yes. By default, if several clients use the same cert+key, they'll keep
> pushing each other out of the VPN. Also, if you need to shut clients out
> of the service, revoking a cert is how you do it - *all* clients using
> that one cert will have their VPN access disabled, so clients sharing
> certs likely isn't what you want even if you disable the former default
> behavior.
>
> Also note that with "server ..." specifying only a /24 for an address
> pool, and with Windows clients (so that you can't use "topology p2p"),
> your VPN server will actually be limited to 64 simultaneous clients,
> anyway. 1000 clients at once require at least a /20.
>
>> 3- For the CA certificate, I must use "Server" not "server". May I ask why?
>
> I never said that. If anything, the CN of your CA cert should mention
> "CA" somewhere, and *not* "server", no matter the capitalization.
>
>> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
>> Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server
>
> This shows that your client presents a cert with CN "server" as its
> *client* cert (the procedure in the how-to should result in a client
> cert with CN "client"), which verifies OK against a CA cert with a CN of
> "Server" (the how-to suggests that it should be "server", as misguided
> as that seems). Hence, either your client uses the *wrong* cert, or you
> misnamed the certs as you created them (even more than that how-to
> instructs you to).
>
> Anyway, in order to create a CCD file for your client using the cert it
> uses *now*, the CCD file would need to be named "server".
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH



Hello Jochen, Thanks again.
Your words are true and I had asked such a question before. It is even better 
if each server has its own separate keys. If the clients all use the same keys, 
then we can block any client based on the IP address. Is it true?

1- Is there a tool to facilitate key generation for a large number of clients?

2- I've heard that OpenVPN can be configured to work with username and password 
instead of key-based authentication. Is this possible and recommended?
3- About the CN name, if I forget it, then if I open the "ca.crt" file and 
click on the Details tab and check the Issuer section, then this is the name 
that I have entered during generating the key?
4- If CN's name is Server, then I must change the ccd directory to Server? Am I 
right?
In which part of the document is this said?

https://community.openvpn.net/openvpn/wiki/HOWTO

Maybe I didn't pay attention!



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Bo Berglund
On Wed, 16 Aug 2023 21:28:29 + (UTC), Jason Long via Openvpn-users
 wrote:

>Hi Jochen,Thank you for your advice about the How-to articles.Can you answer 
>my questions?

>1- What is the difference between /etc/openvpn and /etc/openvpn/server 
>directories?
>   I put my server.conf file in the /etc/openvpn directory and it worked.

You are running an *old* version of OpenVPN! The service infrastructure has
changed and OpenVPN now defaults to using two subdirectories (client and server)
to /etc/openvpn to handle the two different uses of it.
Please read up on how it works in the new docs.

>2- You said "./easyrsa sign-req client client", make those unique ideally per 
>device,
>not just per user. How to make it unique per user?

You have to generate *separate* encryption files for each client where the CN
entry is *unique*, otherwise the server can never differentiate between them and
you cannot allow/block clients individually.
Also you open for abuse of your server.

>If I have 1000 clients, then I must generate 1000 key files???

Exactly!

>3- For the CA certificate, I must use "Server" not "server". May I ask why?

So you are not aware that Linux is case sensitive?
"Server" is NOT equal to "server"...
So what you use depends on what *exact* name you set the CN to when generating
the files.


-- 
Bo Berglund
Developer in Sweden





Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jochen Bern

On 16.08.23 23:28, Jason Long wrote:

1- What is the difference between /etc/openvpn and /etc/openvpn/server 
directories?


The systemd "unit files" that define the templates for the services you 
"systemctl" later on used to expect all configs - whether for a server 
or a client instance - to be named /etc/openvpn/SomeInstanceName.conf , 
i.e., configs for both modes would sit together. Later versions of 
systemd-enabled OpenVPN split that into /etc/openvpn/client and 
/etc/openvpn/server , respectively.



   I put my server.conf file in the /etc/openvpn directory and it worked.


Then I'd say that your Debian 12 still uses the old convention, as did 
the how-to's Debian 10. (Over here, RHEL, Fedora, and IIRC Ubuntu as 
well take the new directories instead.)



2- You said [...] make those unique ideally per device, not just per
   user. How to make it unique per user?If I have 1000 clients, then
   I must generate 1000 key files???


Yes. By default, if several clients use the same cert+key, they'll keep 
pushing each other out of the VPN. Also, if you need to shut clients out 
of the service, revoking a cert is how you do it - *all* clients using 
that one cert will have their VPN access disabled, so clients sharing 
certs likely isn't what you want even if you disable the former default 
behavior.


Also note that with "server ..." specifying only a /24 for an address 
pool, and with Windows clients (so that you can't use "topology p2p"), 
your VPN server will actually be limited to 64 simultaneous clients, 
anyway. 1000 clients at once require at least a /20.



3- For the CA certificate, I must use "Server" not "server". May I ask why?


I never said that. If anything, the CN of your CA cert should mention 
"CA" somewhere, and *not* "server", no matter the capitalization.



Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server


This shows that your client presents a cert with CN "server" as its 
*client* cert (the procedure in the how-to should result in a client 
cert with CN "client"), which verifies OK against a CA cert with a CN of 
"Server" (the how-to suggests that it should be "server", as misguided 
as that seems). Hence, either your client uses the *wrong* cert, or you 
misnamed the certs as you created them (even more than that how-to 
instructs you to).


Anyway, in order to create a CCD file for your client using the cert it 
uses *now*, the CCD file would need to be named "server".


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
On Wed, Aug 16, 2023 at 6:27 PM, Jochen Bern
 wrote:   On 16.08.23 15:05, Jason Long wrote:
>> I used
>> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/;
>>  tutorial to create my OpenVPN server.
>
> (No date on the article ... no date on the comments ... OpenVPN version
> not shown anywhere ... according to one systemctl output, probably
> written in September 2019, when Debian 10 and OpenSSL 1.1.1c were in
> fact current ... still using /etc/openvpn instead of /etc/openvpn/server
> and /etc/openvpn/client, respectively ... no mention of doing a
> "systemctl enable openvpn@ConfigFileBaseName" on the server ... no
> explicit description of what the VPN set up is supposed to *do*
> (apparently: secure Inet access for a road warrior, no other servers at
> the site hosting the VPN peer, no communication back to the clients) ...
> no discussion of how he came to pick 10.8.0.0/24 for the tunnel IPs, how
> (far) to check for IP conflicts, how many clients you can accommodate
> with that /24 ...)
>
> ... word of warning: Just because the how-to doesn't ask you to enter
> something at
>
>> Common Name (eg: your user, host, or server name) [client]:
>
> and later has you type in
>
>> ./easyrsa sign-req client client
>
> doesn't mean that you want all client certs to be named "client", or -
> even worse - use the same client cert for them all. Make those *unique*
> - ideally per device, not just per user.
>
> However, if you worked along *that* how-to, your CA certificate is
> indeed using the CN of "server" (not "Server", but that might be a
> liberty that MS took). Exactly the same as the server cert. X-C
>
>> Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
>
>> About the server log [...]
>> # cat /var/log/openvpn/virt1.log
>> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs
>> with IPv4 pools will be removed in a future release. Please migrate to
>> --topology subnet as soon as possible.
>> [...]
>> 2023-08-16 06:23:18 Initialization Sequence Completed
>
> That shows us the startup phase of the OpenVPN server. In order to check
> what the server thinks about the cert the client presents, you'll have
> to have the client make an attempt to connect, and then grab the logs
> from *those* couple seconds.
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH



Hi Jochen, Thank you for your advice about the How-to articles. Can you answer my 
questions?
1- What is the difference between /etc/openvpn and /etc/openvpn/server 
directories? I put my server.conf file in the /etc/openvpn directory and it 
worked.
2- You said "./easyrsa sign-req client client", make those unique ideally per 
device, not just per user. How to make it unique per user? If I have 1000 
clients, then I must generate 1000 key files???
3- For the CA certificate, I must use "Server" not "server". May I ask why?

Finally, I guess the information that you want from the client side is:

Wed Aug 16 11:01:38 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Aug 16 11:01:38 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Wed Aug 16 11:01:38 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Wed Aug 16 11:01:38 2023 Windows version 6.1 (Windows 7), amd64 executable
Wed Aug 16 11:01:38 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Wed Aug 16 11:01:38 2023 DCO version: v0
Wed Aug 16 11:01:38 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Wed Aug 16 11:01:38 2023 Need hold release from management interface, waiting...
Wed Aug 16 11:01:38 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1031
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'state on'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'log on all'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'echo on all'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'bytecount 5'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'state'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold off'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold release'
Wed Aug 16 11:01:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 16 11:01:39 2023 UDPv4 link local: (not bound)
Wed Aug 16 11:01:39 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,
Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, sid=2e7d21e3 db47853e
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY KU OK
Wed Aug 16 11:01:39 2023 Validating certificate extended key 

Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread tincantech via Openvpn-users

Hi,

--- Original Message ---
On Wednesday, August 16th, 2023 at 15:55, Jochen Bern  
wrote:



> However, if you worked along that how-to, your CA certificate is
> indeed using the CN of "server" (not "Server", but that might be a
> liberty that MS took). Exactly the same as the server cert. X-C
> 
> > Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server



Thank you Jochen, indeed, that is an unfortunate possibility.

@Jason - When you create your CA certificate, simply use the default Easy-RSA,
for the time being.  Creating and customising a new PKI can be done later, once
you get your VPN working.

Good luck,
tct



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jochen Bern

On 16.08.23 15:05, Jason Long wrote:

I used 
"https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/;
 tutorial to create my OpenVPN server.


(No date on the article ... no date on the comments ... OpenVPN version 
not shown anywhere ... according to one systemctl output, probably 
written in September 2019, when Debian 10 and OpenSSL 1.1.1c were in 
fact current ... still using /etc/openvpn instead of /etc/openvpn/server 
and /etc/openvpn/client, respectively ... no mention of doing a 
"systemctl enable openvpn@ConfigFileBaseName" on the server ... no 
explicit description of what the VPN set up is supposed to *do* 
(apparently: secure Inet access for a road warrior, no other servers at 
the site hosting the VPN peer, no communication back to the clients) ... 
no discussion of how he came to pick 10.8.0.0/24 for the tunnel IPs, how 
(far) to check for IP conflicts, how many clients you can accommodate 
with that /24 ...)


... word of warning: Just because the how-to doesn't ask you to enter 
something at



Common Name (eg: your user, host, or server name) [client]:


and later has you type in


./easyrsa sign-req client client


doesn't mean that you want all client certs to be named "client", or - 
even worse - use the same client cert for them all. Make those *unique* 
- ideally per device, not just per user.


However, if you worked along *that* how-to, your CA certificate is 
indeed using the CN of "server" (not "Server", but that might be a 
liberty that MS took). Exactly the same as the server cert. X-C



Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server





About the server log [...]
# cat /var/log/openvpn/virt1.log
2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with 
IPv4 pools will be removed in a future release. Please migrate to --topology 
subnet as soon as possible.

[...]

2023-08-16 06:23:18 Initialization Sequence Completed


That shows us the startup phase of the OpenVPN server. In order to check 
what the server thinks about the cert the client presents, you'll have 
to have the client make an attempt to connect, and then grab the logs 
from *those* couple seconds.


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
> On 16/08/2023 15:05, Jason Long via Openvpn-users wrote:
>> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
>>>> On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
> [...snip...]
>
>> Hello,
>> I used
>> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/;
>>  tutorial to create my OpenVPN server.
>
> *sigh* Never use a random blog post on "how to do XYZ" when the project
> itself has its own set of documentation.  No matter which project it is.
>
> I've read enough of those random "OpenVPN how-tos" over the last 15+
> years and the vast majority of them are not up-to-date, trick you into
> using insecure settings, are overly complicated or simply lead you to
> misery.
>
> Doing networking isn't really suitable as a "click-this-type-that" type
> of how-to, because you *really* need to understand how these things
> work and impact your configuration and setup.
>
> This guides you through the most important steps and should be
> reasonably up-to-date (I spot a few things which could be improved, but
> shouldn't stop you from getting a functional tun based OpenVPN tunnel
> running).  This documentation is provided by the official OpenVPN
> project and this project is responsible for keeping the documentation in
> reasonable shape.
>
>
> Read this, read the man page entries for options used and try to
> understand it.  Read the pointers to the related documentation in that
> wiki page.  Try to understand all the information provided there.  Then
> you can ask questions and get sensible replies back.
>
> If you need more documentation, buy your own copy of the OpenVPN
> Cookbook by Jan Just Keijser.  He is a well-trusted OpenVPN community
> member and knows this stuff very well.
>
>
>> Gert told me about the multihome statement and I added it.
>
> When Gert tells you to look at multihome, he has very good reasons for
> doing that (I know him too, he is also really trustworthy - in
> particular with networking and OpenVPN).  But it ALSO means you should
> read the documentation for suggested options too.
>
> [...snip...]
>
>> # cat /var/log/openvpn/virt1.log
>> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with
>> IPv4 pools will be removed in a future release. Please migrate to --topology
>> subnet as soon as possible.
>> 2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
>> missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
>> OpenVPN ignores --cipher for cipher negotiations.
>
> Those two lines tell you something important.  You should fix this.
> I'm not going to tell you how; read the documentation.  It is fully
> explained in the man page.
>
> [...snip...]
>
>> 2023-08-16 06:23:18 Listening for incoming TCP connection on
>> [AF_INET][undef]:2000
>> 2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
>> 2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]
>
> I suspect this is from a server configuration (also an important detail
> to tell).  And it tells you your VPN server is listening on TCP port 2000.
>
> [...snip...]
>
>> 2023-08-16 06:23:18 Initialization Sequence Completed
>
> This line means that the OpenVPN tunnel is up and running.  So that means
> this tunnel instance is ready to see clients connecting to it.
>
> And finally.  Learn yourself some mailing list netiquette.  Inline
> replies and replies at the bottom are very fine.  But keep the indenting
> marks (>) on the original text so it's easier to understand who is
> writing what and what you are responding to.
>
> A reasonably good summary of most common mailing list netiquette rules
> used in open source (and this is the official recommendation from an
> open source project; not a random blog post)
>


Hello,
Thanks again.
I can solve those two lines by changing the --data-ciphers algorithm. Please 
tell me what the main problem is. If the problem is that my OpenVPN server has 
an Internal NIC and a NAT NIC, then I'm sure such a scenario exists in the real 
world.
I added all the statements that Gert said, but the problem still exists.

> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc







Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread David Sommerseth

On 16/08/2023 15:05, Jason Long via Openvpn-users wrote:

On 16.08.23 12:23, Jason Long via Openvpn-users wrote:

On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:

[...snip...]


Hello,
I used 
"https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/;
 tutorial to create my OpenVPN server.


*sigh* Never use a random blog post on "how to do XYZ" when the project 
itself has its own set of documentation.  No matter which project it is.


I've read enough of those random "OpenVPN how-tos" over the last 15+ 
years and the vast majority of them are not up-to-date, trick you into 
using insecure settings, are overly complicated or simply lead you to 
misery.


Doing networking isn't really suitable as a "click-this-type-that" type 
of how-to, because you *really* need to understand how these things 
work and impact your configuration and setup.


This guides you through the most important steps and should be 
reasonably up-to-date (I spot a few things which could be improved, but 
shouldn't stop you from getting a functional tun based OpenVPN tunnel 
running).  This documentation is provided by the official OpenVPN 
project and this project is responsible for keeping the documentation in 
reasonable shape.




Read this, read the man page entries for options used and try to 
understand it.  Read the pointers to the related documentation in that 
wiki page.  Try to understand all the information provided there.  Then 
you can ask questions and get sensible replies back.


If you need more documentation, buy your own copy of the OpenVPN 
Cookbook by Jan Just Keijser.  He is a well-trusted OpenVPN community 
member and knows this stuff very well.





> Gert told me about the multihome statement and I added it.

When Gert tells you to look at multihome, he has very good reasons for 
doing that (I know him too, he is also really trustworthy - in 
particular with networking and OpenVPN).  But it ALSO means you should 
read the documentation for suggested options too.



[...snip...]



# cat /var/log/openvpn/virt1.log
2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with 
IPv4 pools will be removed in a future release. Please migrate to --topology 
subnet as soon as possible.
2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN 
ignores --cipher for cipher negotiations.


Those two lines tell you something important.  You should fix this. 
I'm not going to tell you how; read the documentation.  It is fully 
explained in the man page.



[...snip...]


2023-08-16 06:23:18 Listening for incoming TCP connection on 
[AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]


I suspect this is from a server configuration (also an important detail 
to tell).  And it tells you your VPN server is listening on TCP port 2000.



[...snip...]

2023-08-16 06:23:18 Initialization Sequence Completed


This line means that the OpenVPN tunnel is up and running.  So that means 
this tunnel instance is ready to see clients connecting to it.




And finally.  Learn yourself some mailing list netiquette.  Inline 
replies and replies at the bottom are very fine.  But keep the indenting 
marks (>) on the original text so it's easier to understand who is 
writing what and what you are responding to.


A reasonably good summary of most common mailing list netiquette rules 
used in open source (and this is the official recommendation from an 
open source project; not a random blog post)





--
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:
>>> On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
>>>> route 192.168.1.0 255.255.255.0
>>>
>>> This tells the server "put routing towards 192.168.1.0 into the VPN"
> [...]
>> So, what is the right IP for the following statement?
>> route 192.168.1.0 255.255.255.0
>
> Unknown. Gert told you what this config statement does, I don't remember
> you ever mentioning that you plan to use such a feature, much less what
> subnet(s) you'd want to use for that.
>
>> I opened the ca.crt file on the client and clicked on the Details tab
>> and it showed me "CN = Server". So, I must change the "Test-PC" to
>> "Server". Am I right?
>
> ... maybe. I wouldn't be too surprised if your client-side OpenVPN
> config did indeed take a client cert named "Server" out of a file named
> "ca.crt" ...
>
> ... I would nonetheless recommend that you look at the server log (of
> suitable verbosity) for a line telling what cert/CN the client has
> actually sent, though.
>
> Kind regards

Hello,
I used 
"https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/;
 tutorial to create my OpenVPN server.
Gert told me about the multihome statement and I added it.

About the server log, I used the following line in the server.conf file:

status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/virt1.log
log-append  /var/log/openvpn/virt1.log
verb 3

And:

# cat /var/log/openvpn/virt1.log
2023-08-16 06:23:18 WARNING: --topology net30 support for server configs with 
IPv4 pools will be removed in a future release. Please migrate to --topology 
subnet as soon as possible.
2023-08-16 06:23:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN 
ignores --cipher for cipher negotiations. 
2023-08-16 06:23:18 NOTICE: --explicit-exit-notify ignored for --proto tcp
2023-08-16 06:23:18 --user specified but lacking CAP_SETPCAP. Cannot retain 
CAP_NET_ADMIN. Disabling data channel offload
2023-08-16 06:23:18 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] 
[LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-08-16 06:23:18 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-08-16 06:23:18 DCO version: N/A
2023-08-16 06:23:18 net_route_v4_best_gw query: dst 0.0.0.0
2023-08-16 06:23:18 net_route_v4_best_gw result: via 10.0.2.2 dev enp0s3
2023-08-16 06:23:18 Diffie-Hellman initialized with 2048 bit key
2023-08-16 06:23:18 net_route_v4_best_gw query: dst 0.0.0.0
2023-08-16 06:23:18 net_route_v4_best_gw result: via 10.0.2.2 dev enp0s3
2023-08-16 06:23:18 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 
HWADDR=08:00:27:ed:b4:7c
2023-08-16 06:23:18 TUN/TAP device tun20 opened
2023-08-16 06:23:18 net_iface_mtu_set: mtu 1500 for tun20
2023-08-16 06:23:18 net_iface_up: set tun20 up
2023-08-16 06:23:18 net_addr_ptp_v4_add: 10.10.0.1 peer 10.10.0.2 dev tun20
2023-08-16 06:23:18 net_route_v4_add: 192.168.1.0/24 via 10.10.0.2 dev [NULL] 
table 0 metric -1
2023-08-16 06:23:18 net_route_v4_add: 10.10.0.0/24 via 10.10.0.2 dev [NULL] 
table 0 metric -1
2023-08-16 06:23:18 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-08-16 06:23:18 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-08-16 06:23:18 Listening for incoming TCP connection on 
[AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link local (bound): [AF_INET][undef]:2000
2023-08-16 06:23:18 TCPv4_SERVER link remote: [AF_UNSPEC]
2023-08-16 06:23:18 UID set to nobody
2023-08-16 06:23:18 GID set to nogroup
2023-08-16 06:23:18 Capabilities retained: CAP_NET_ADMIN
2023-08-16 06:23:18 MULTI: multi_init called, r=256 v=256
2023-08-16 06:23:18 IFCONFIG POOL IPv4: base=10.10.0.4 size=62
2023-08-16 06:23:18 MULTI: TCP INIT maxclients=1024 maxevents=1029
2023-08-16 06:23:18 Initialization Sequence Completed

I use Debian 12. 


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread tincantech via Openvpn-users

Edited for brevity:

--- Original Message ---
> On 16.08.23 12:23, Jason Long via Openvpn-users wrote:

> > I opened the ca.crt file on the client and clicked on the Details tab
> > and it showed me "CN = Server". So, I must change the "Test-PC" to
> > "Server". Am I right?
> 

No.

Given your apparent level of skill, I find it impossible to believe
that you have created a certificate with CN of Server, with a file name
of ca.crt -- And if you have done then you should start PKI from scratch.

Good luck,
tct



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jochen Bern

On 16.08.23 12:23, Jason Long via Openvpn-users wrote:

On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:

route 192.168.1.0 255.255.255.0


This tells the server "put routing towards 192.168.1.0 into the VPN"

[...]

So, what is the right IP for the following statement?
route 192.168.1.0 255.255.255.0


Unknown. Gert told you what this config statement does, I don't remember 
you ever mentioning that you plan to use such a feature, much less what 
subnet(s) you'd want to use for that.



I opened the ca.crt file on the client and clicked on the Details tab
and it showed me "CN = Server". So, I must change the "Test-PC" to
"Server". Am I right?


... Maybe. I wouldn't be too surprised if your client-side OpenVPN 
config did indeed take a client cert named "Server" out of a file named 
"ca.crt" ...


... I would nonetheless recommend that you look at the server log (of 
suitable verbosity) for a line telling what cert/CN the client has 
actually sent, though.


Kind regards
--
Jochen Bern
Systemingenieur

Binect GmbH




Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
Hi,

On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
> I added the following lines to my server.conf:
> 
> client-config-dir myclient
> ccd-exclusive
> route 192.168.1.0 255.255.255.0

>This tells the server "put routing towards 192.168.1.0 into the VPN",
>while 192.168.1.x is your LAN network.  So this does not make sense.

> multihome
> 
> 
> Client showed me:
[..]
> Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session 
> promoted to trusted

>So the network between client and server is good now...

> Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED

>... but the server refuses this client.  So you must look into the server
>log to see why it does so.

>My guess is that the ccd file you created does not have the right name
>(must match the CN in the client certificate), or is not in the right
>place, or you did fancy thing with chroot (paths must match *inside*
>the chroot environment).



Hi Gert,
Thank you so much for your reply.
My OpenVPN server NICs are:

enp0s3: flags=4163  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 3984  bytes 1600249 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3182  bytes 685377 (669.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3:1: flags=4163  mtu 1500
        inet 20.1.1.20  netmask 255.0.0.0  broadcast 20.255.255.255
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)


enp0s8: flags=4163  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe74:6397  prefixlen 64  scopeid 0x20
        ether 08:00:27:74:63:97  txqueuelen 1000  (Ethernet)
        RX packets 396  bytes 76796 (74.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174  bytes 49776 (48.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



So, what is the right IP for the following statement?

route 192.168.1.0 255.255.255.0


And about your second note, I must change the "/etc/openvpn/ccd/Test-PC" to the 
CN in the client certificate. I opened the ca.crt file on the client and 
clicked on the Details tab and it showed me "CN = Server". So, I must change 
the "Test-PC" to "Server". Am I right?





Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Bo Berglund
On Wed, 16 Aug 2023 06:35:01 + (UTC), Jason Long via Openvpn-users
 wrote:

>
>I added the following lines to my server.conf:
>
>client-config-dir myclient
>ccd-exclusive
>route 192.168.1.0 255.255.255.0
>multihome
>
>From the reference manual:

multihome

Configure a multi-homed UDP server. This option needs to be used when a
server has more than one IP address (e.g. multiple interfaces, or secondary IP
addresses), and is not using --local to force binding to one specific address
only. This option will add some extra lookups to the packet path to ensure that
the UDP reply packets are always sent from the address that the client is
talking to. This is not supported on all platforms, and it adds more processing,
so it's not enabled by default. Note: this option is only relevant for UDP
servers.

Note 2: if you do an IPv6+IPv4 dual-stack bind on a Linux machine with
multiple IPv4 address, connections to IPv4 addresses will not work right on
kernels before 3.15, due to missing kernel support for the IPv4-mapped case
(some distributions have ported this to earlier kernel versions, though).


-- 
Bo Berglund
Developer in Sweden





Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Gert Doering
Hi,

On Wed, Aug 16, 2023 at 06:35:01AM +, Jason Long wrote:
> I added the following lines to my server.conf:
> 
> client-config-dir myclient
> ccd-exclusive
> route 192.168.1.0 255.255.255.0

This tells the server "put routing towards 192.168.1.0 into the VPN",
while 192.168.1.x is your LAN network.  So this does not make sense.

> multihome
> 
> 
> Client showed me:
[..]
> Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session 
> promoted to trusted

So the network between client and server is good now...

> Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED

... but the server refuses this client.  So you must look into the server
log to see why it does so.

My guess is that the ccd file you created does not have the right name
(must match the CN in the client certificate), or is not in the right
place, or you did fancy thing with chroot (paths must match *inside*
the chroot environment).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


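One way to automate the two checks recommended in this thread (Jochen's "look at the server log for the CN the client actually sent" and Gert's "the ccd file name must match that CN, and the path must match inside the chroot"), as an added Python example that is not code from the thread or from the OpenVPN project. The server-log lines and the ccd directory it uses are constructed for the demo; the CN-to-filename remapping it applies is an assumption to verify against the manual of your OpenVPN version:

```python
"""Which CCD file will OpenVPN look for, and is it there?

Added example, not code from the mailing-list thread or the OpenVPN project.
It automates two pieces of advice given in the thread: read the *server* log
for the "VERIFY OK: depth=0, ..." line to learn which CN the client really
presented (depth=1 is the CA, so "CN = Server" in ca.crt is irrelevant), then
check that a file of exactly that name exists in --client-config-dir, resolved
inside the --chroot jail if one is configured, because --ccd-exclusive
rejects any client without such a file (AUTH_FAILED on the client side).

Assumption, not from the thread: OpenVPN maps characters outside
[A-Za-z0-9_.@-] in the CN to '_' when deriving the file name. Names such as
"Test-PC" are unaffected either way; check the "String Types and Remapping"
section of the manual for your version before relying on it for odd CNs.
"""
import os
import re
import tempfile

VERIFY_RE = re.compile(r"VERIFY OK: depth=0, (?P<subject>.+)$")
UNSAFE_RE = re.compile(r"[^A-Za-z0-9_.@-]")


def presented_cns(log_lines):
    """CNs of the leaf (client) certificates seen in server log lines."""
    cns = []
    for line in log_lines:
        m = VERIFY_RE.search(line.rstrip())
        if not m:
            continue
        # The subject is printed as comma-separated RDNs, e.g. "C=US, CN=foo, name=bar"
        for rdn in m.group("subject").split(", "):
            if rdn.startswith("CN="):
                cns.append(rdn[3:])
                break
    return cns


def ccd_filename(cn):
    """File name derived from the CN (assumed remapping, see module docstring)."""
    return UNSAFE_RE.sub("_", cn)


def host_ccd_dir(ccd_dir, chroot=None):
    """Directory on the host where the server will actually look.

    With --chroot every path in the config is resolved inside the jail, so
    "/etc/openvpn/ccd" becomes "<jail>/etc/openvpn/ccd" (Gert's point that
    paths must match *inside* the chroot environment).
    """
    if chroot:
        return os.path.join(chroot, ccd_dir.lstrip("/"))
    return ccd_dir


def audit(log_lines, ccd_dir, chroot=None):
    """For every CN a client presented, report the expected CCD path and
    whether the file exists; a missing file means rejection under ccd-exclusive."""
    base = host_ccd_dir(ccd_dir, chroot)
    report = []
    for cn in presented_cns(log_lines):
        path = os.path.join(base, ccd_filename(cn))
        report.append({"cn": cn, "path": path, "exists": os.path.isfile(path)})
    return report


# Constructed sample of what a verb-3 *server* log shows for two clients.
# (The thread only shows a client log, where depth=0 is the server cert.)
SAMPLE_SERVER_LOG = [
    "2023-08-16 07:01:12 192.168.1.21:60461 VERIFY OK: depth=1, CN=Server",
    "2023-08-16 07:01:12 192.168.1.21:60461 VERIFY OK: depth=0, CN=Test-PC",
    "2023-08-16 07:05:40 192.168.1.22:51002 VERIFY OK: depth=1, CN=Server",
    "2023-08-16 07:05:40 192.168.1.22:51002 VERIFY OK: depth=0, "
    "CN=Jason Long's private cell phone",
]


def demo():
    """Build a throw-away ccd directory containing only 'Test-PC' and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ccd = os.path.join(tmp, "ccd")
        os.mkdir(ccd)
        with open(os.path.join(ccd, "Test-PC"), "w") as f:
            f.write("# constructed placeholder: client-specific options go here\n")
        return audit(SAMPLE_SERVER_LOG, ccd)


if __name__ == "__main__":
    for entry in demo():
        verdict = "ok" if entry["exists"] else "MISSING (refused with ccd-exclusive)"
        print(f"{entry['cn']!r:40} -> {entry['path']}: {verdict}")
```

Against a real setup, call `audit(open("/var/log/openvpn/virt1.log").readlines(), "/etc/openvpn/ccd")` (add `chroot="/path/to/jail"` if the server uses `--chroot`); any entry with `exists` false is a client that `ccd-exclusive` will refuse, and the `cn` field is the name the file has to carry.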


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-16 Thread Jason Long via Openvpn-users
Hi,

On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> I did a tcpdump:
> 
> # tcpdump --interface any udp port 2000 -n -v
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture 
> size 262144 bytes
> 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP 
> (17), length 82)
>     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54

Client is sending to ip A.


> 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto 
> UDP (17), length 94)
>     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66


>... and server is replying from IP B.

>Not sure how you ended there, but if you want the server on 10.10.0.1,
>then the client needs to connect to *that* IP.

>(I said it before: if a machine has multiple IP addresses and you use
>UDP, you *must* use --multihome on the server)

>gert



Hi Gert,

I added the following lines to my server.conf:

client-config-dir myclient
ccd-exclusive
route 192.168.1.0 255.255.255.0
multihome


Client showed me:

Wed Aug 16 11:01:38 2023 Note: --cipher is not set. OpenVPN versions before 2.5 
defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If 
you need this fallback please add '--data-ciphers-fallback BF-CBC' to your 
configuration and/or add BF-CBC to --data-ciphers.
Wed Aug 16 11:01:38 2023 Note: ovpn-dco-win driver is missing, disabling data 
channel offload.
Wed Aug 16 11:01:38 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] 
Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 
2023
Wed Aug 16 11:01:38 2023 Windows version 6.1 (Windows 7), amd64 executable
Wed Aug 16 11:01:38 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Wed Aug 16 11:01:38 2023 DCO version: v0
Wed Aug 16 11:01:38 2023 MANAGEMENT: TCP Socket listening on 
[AF_INET]127.0.0.1:25343
Wed Aug 16 11:01:38 2023 Need hold release from management interface, waiting...
Wed Aug 16 11:01:38 2023 MANAGEMENT: Client connected from 
[AF_INET]127.0.0.1:1031
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'state on'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'log on all'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'echo on all'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'bytecount 5'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'state'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold off'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold release'
Wed Aug 16 11:01:39 2023 TCP/UDP: Preserving recently used remote address: 
[AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 16 11:01:39 2023 UDPv4 link local: (not bound)
Wed Aug 16 11:01:39 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,
Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, 
sid=2e7d21e3 db47853e
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY KU OK
Wed Aug 16 11:01:39 2023 Validating certificate extended key usage
Wed Aug 16 11:01:39 2023 ++ Certificate has EKU (str) TLS Web Server 
Authentication, expects TLS Web Server Authentication
Wed Aug 16 11:01:39 2023 VERIFY EKU OK
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server
Wed Aug 16 11:01:39 2023 Control Channel: TLSv1.3, cipher TLSv1.3 
TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Wed Aug 16 11:01:39 2023 [server] Peer Connection Initiated with 
[AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL 
reinit_src=1
Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session 
promoted to trusted
Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED
Wed Aug 16 11:01:39 2023 SIGUSR1[soft,auth-failure] received, process restarting
Wed Aug 16 11:01:39 2023 MANAGEMENT: 
>STATE:1692167499,RECONNECTING,auth-failure,
Wed Aug 16 11:01:39 2023 Restart pause, 1 second(s)


What is your opinion?





Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-15 Thread Jason Long via Openvpn-users
On Tue, Aug 15, 2023 at 5:57 PM, tincantech wrote:

Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 15:02, Gert Doering  
wrote:


> Hi,
> 
> On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> 
> > I did a tcpdump:
> > 
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture 
> > size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto 
> > UDP (17), length 82)
> >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
> 
> 
> Client is sending to ip A.
> 
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto 
> > UDP (17), length 94)
> >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
> 
> 
> ... and server is replying from IP B.
> 
> Not sure how you ended there, but if you want the server on 10.10.0.1,
> then the client needs to connect to that IP.
> 
> (I said it before: if a machine has multiple IP addresses and you use
> UDP, you must use --multihome on the server)


>Thank you for that insightful observation Gert. However, this behavior
>does not correlate with Jason's claim that "Without --ccd-exclusive the
>client *can* connect".

>As I told Jason before, start with a simple server, that does not have
>multiple NICs.

>Regards
>tct

Hello,
As I told you, when I removed the --ccd-exclusive statement, then my 
server worked and I am trying to learn different scenarios.


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-15 Thread Jason Long via Openvpn-users

On Tue, Aug 15, 2023 at 5:33 PM, Gert Doering wrote:

Hi,

On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> I did a tcpdump:
> 
> # tcpdump --interface any udp port 2000 -n -v
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture 
> size 262144 bytes
> 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP 
> (17), length 82)
>     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54

Client is sending to ip A.

> 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto 
> UDP (17), length 94)
>     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66

... and server is replying from IP B.

Not sure how you ended there, but if you want the server on 10.10.0.1,
then the client needs to connect to *that* IP.

>(I said it before: if a machine has multiple IP addresses and you use
>UDP, you *must* use --multihome on the server)

>gert

Hello,
Gert, I used the multihome statement and when the client tries to connect 
to the server, the connection is repeatedly reset. I will show you the log 
tomorrow.


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-15 Thread tincantech via Openvpn-users

Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 15:02, Gert Doering  
wrote:


> Hi,
> 
> On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> 
> > I did a tcpdump:
> > 
> > # tcpdump --interface any udp port 2000 -n -v
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture 
> > size 262144 bytes
> > 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto 
> > UDP (17), length 82)
> >     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
> 
> 
> Client is sending to ip A.
> 
> > 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto 
> > UDP (17), length 94)
> >     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
> 
> 
> ... and server is replying from IP B.
> 
> Not sure how you ended there, but if you want the server on 10.10.0.1,
> then the client needs to connect to that IP.
> 
> (I said it before: if a machine has multiple IP addresses and you use
> UDP, you must use --multihome on the server)


Thank you for that insightful observation Gert. However, this behavior
does not correlate with Jason's claim that "Without --ccd-exclusive the
client *can* connect".

As I told Jason before, start with a simple server, that does not have
multiple NICs.

Regards
tct


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-15 Thread Gert Doering
Hi,

On Tue, Aug 15, 2023 at 12:54:45PM +, Jason Long via Openvpn-users wrote:
> I did a tcpdump:
> 
> # tcpdump --interface any udp port 2000 -n -v
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture 
> size 262144 bytes
> 08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP 
> (17), length 82)
>     192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54

Client is sending to ip A.

> 08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto 
> UDP (17), length 94)
>     10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66

... and server is replying from IP B.

Not sure how you ended there, but if you want the server on 10.10.0.1,
then the client needs to connect to *that* IP.

(I said it before: if a machine has multiple IP addresses and you use
UDP, you *must* use --multihome on the server)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


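The observation Gert makes by eye on the capture ("client is sending to IP A, server is replying from IP B") can be checked mechanically. The following is an added Python example, not code from the thread, from OpenVPN or from tcpdump; it parses the two-line records that `tcpdump -n -v` prints and uses the capture posted in the thread as its input, with the server port assumed to be 2000 as in the thread:

```python
"""Spot an OpenVPN UDP server replying from the wrong source address.

Added example, not code from the thread or from the OpenVPN/tcpdump projects.
It parses the two-line packet records `tcpdump -n -v` prints and pairs each
server reply with the request it answers. A reply whose source IP differs
from the address the client sent to is the multi-homed-server symptom Gert
diagnosed: the OpenVPN client only accepts packets from the peer it addressed
(unless --float is set) and discards the rest, so the TLS handshake never
completes. Remedy on the server: --multihome, or --local to bind one address.

Assumptions: the capture below is the one from the thread; the server port
defaults to 2000 as in the thread.
"""
import re

# Second line of each tcpdump record: "src.sport > dst.dport: UDP, length N"
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def find_reply_source_mismatches(capture_lines, server_port=2000):
    """Return one dict per server reply that came from an address other
    than the one the client sent its request to."""
    # (client ip, client port) -> server address the client actually used
    sent_to = {}
    mismatches = []
    for line in capture_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # the "IP (tos ..." header line, or unrelated traffic
        src, sport = m.group("src"), int(m.group("sport"))
        dst, dport = m.group("dst"), int(m.group("dport"))
        if dport == server_port:                    # client -> server
            sent_to[(src, sport)] = dst
        elif sport == server_port:                  # server -> client
            expected = sent_to.get((dst, dport))
            if expected is not None and expected != src:
                mismatches.append({"client": f"{dst}:{dport}",
                                   "client_sent_to": expected,
                                   "server_replied_from": src})
    return mismatches


# Capture from the thread (tcpdump --interface any udp port 2000 -n -v)
THREAD_CAPTURE = """\
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
08:51:03.573953 IP (tos 0x0, ttl 128, id 893, offset 0, flags [DF], proto UDP (17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:51:03.574449 IP (tos 0x0, ttl 64, id 26863, offset 0, flags [DF], proto UDP (17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
""".splitlines()


if __name__ == "__main__":
    for hit in find_reply_source_mismatches(THREAD_CAPTURE):
        print(f"client {hit['client']} sent to {hit['client_sent_to']} but the "
              f"reply came from {hit['server_replied_from']}: the client will "
              "discard it; use --multihome or --local on the server")
```

Feed it a live capture with `find_reply_source_mismatches(open("capture.txt").readlines())`; an empty result means every reply left the server from the address the client used, which is what `--multihome` (or a `--local` bind) should restore.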


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-15 Thread Jason Long via Openvpn-users

Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 10:57, Jason Long  wrote:



> Hello,
> My OpenVPN server internal network IP is "192.168.1.20" and the IP address of 
> client is "192.168.1.21". Both VMs can ping each other.
> 
> According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the 
> following steps:
> 
> # mkdir /etc/openvpn/ccd
> # nano /etc/openvpn/server.conf
> 
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
> 
> Then:
> 
> # touch /etc/openvpn/ccd/Test-PC
> # nano /etc/openvpn/ccd/Test-PC
> 
> iroute 192.168.1.0 255.255.255.0
> 
> 
> After it, I started the OpenVPN service and it worked. On client, when I want 
> to connect to my OpenVPN server, then it showed me:
> 
> Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur 
> within 60 seconds (check your network connectivity)
> Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed
> 
> 
> I take a look at 
> "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/"
>  too.
> 
> When I removed the following lines from my server.conf, then my client can 
> connect to the server:
> 
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
> 
> 
> How can I solve it?

>As I have already explained: If your client can only connect when you remove
>'ccd-exclusive' from your server config, this means that there is not a CCD
>file for the client that is trying to connect.


> I changed protocol from UDP to TCP, but problem was not solved.

>If you were a pilot, I would go by train.

>HTH
>tct



Hello,
You said "this means that there is not a CCD file for the client that is trying 
to connect", then what does this mean:

# touch /etc/openvpn/ccd/Test-PC
# nano /etc/openvpn/ccd/Test-PC
iroute 192.168.1.0 255.255.255.0

And about change from UDP to TCP:

https://serverfault.com/questions/765521/openvpn-issue-tls-key-negotiation-failed-to-occur-within-60-seconds

https://support.nordvpn.com/Connectivity/1061816172/Issue-TLS-key-negotiation-failed-to-occur.htm


I did a tcpdump:

# tcpdump --interface any udp port 2000 -n -v
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 
262144 bytes
08:50:47.761991 IP (tos 0x0, ttl 128, id 892, offset 0, flags [DF], proto UDP 
(17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:50:47.762524 IP (tos 0x0, ttl 64, id 24726, offset 0, flags [DF], proto UDP 
(17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66
08:51:03.573953 IP (tos 0x0, ttl 128, id 893, offset 0, flags [DF], proto UDP 
(17), length 82)
    192.168.1.21.60461 > 192.168.1.20.2000: UDP, length 54
08:51:03.574449 IP (tos 0x0, ttl 64, id 26863, offset 0, flags [DF], proto UDP 
(17), length 94)
    10.10.0.1.2000 > 192.168.1.21.60461: UDP, length 66






Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-15 Thread tincantech via Openvpn-users

Hi,

--- Original Message ---
On Tuesday, August 15th, 2023 at 10:57, Jason Long  wrote:



> Hello,
> My OpenVPN server internal network IP is "192.168.1.20" and the IP address of 
> client is "192.168.1.21". Both VMs can ping each other.
> 
> According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the 
> following steps:
> 
> # mkdir /etc/openvpn/ccd
> # nano /etc/openvpn/server.conf
> 
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
> 
> Then:
> 
> # touch /etc/openvpn/ccd/Test-PC
> # nano /etc/openvpn/ccd/Test-PC
> 
> iroute 192.168.1.0 255.255.255.0
> 
> 
> After it, I started the OpenVPN service and it worked. On client, when I want 
> to connect to my OpenVPN server, then it showed me:
> 
> Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur 
> within 60 seconds (check your network connectivity)
> Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed
> 
> 
> I take a look at 
> "https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/"
>  too.
> 
> When I removed the following lines from my server.conf, then my client can 
> connect to the server:
> 
> client-config-dir ccd
> ccd-exclusive
> route 192.168.1.0 255.255.255.0
> 
> 
> How can I solve it?

As I have already explained: If your client can only connect when you remove
'ccd-exclusive' from your server config, this means that there is not a CCD
file for the client that is trying to connect.


> I changed protocol from UDP to TCP, but problem was not solved.

If you were a pilot, I would go by train.

HTH
tct



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-15 Thread Jason Long via Openvpn-users

--- Original Message ---
On Monday, August 14th, 2023 at 22:11, Jason Long  wrote:


> On Mon, Aug 14, 2023 at 11:47 PM, tincantech
> 
> >  wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > Hi,
> > 
> > --- Original Message ---
> > On Monday, August 14th, 2023 at 20:49, Jason Long  
> > wrote:
> > 
> > > On Mon, Aug 14, 2023 at 5:16 PM, tincantech
> > >
> > > >  wrote:
> > 
> > > >
> > > > Hello,
> > > > Thank you so much for your help.
> > > > I take a look at 
> > > > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
> > > > explained the capabilities of this option and did not provide any 
> > > > examples.
> > > > I did:
> > > > # mkdir /etc/openvpn/clients
> > > > # touch /etc/openvpn/clients/Client-1
> > > > Then, in server.conf:
> > > > client-config-dir clients 
> > > > ccd-exclusive
> > > > But, Windows client can't connect to the OpenVPN server and my 
> > > > connection restarted. Do I need to add something to the client 
> > > > configuration file?
> > 
> > No.
> > 
> > You have NEVER managed to have a client connect to your server.
> > Therefore, your question regarding this problem is irrelevant.
> > 
> > 
> > Hi,
> > Not really, you're wrong. I tested various scenarios and learned a lot from 
> > you and others. Now I want to learn this scenario, but unfortunately I 
> > could not find an article that teaches from the beginning. I would be 
> > grateful if you could tell me where the problem is.


There are many reasons which could explain your problem:
* You may be using a server with multiple NICs, which is configured
  incorrectly.
* You may have configured your network routing incorrectly.
* You may have configured --ccd-exclusive incorrectly.
* You may have some other unknown problem.

Regarding the issue above, if you want to verify that --ccd-exclusive is
working correctly then simply remove 'ccd-exclusive' from your server config,
restart your server and try to connect again. If your client can now connect
then --ccd-exclusive was successfully rejecting your client because there
was no CCD file for that client.

HTH
tct




Hello,
My OpenVPN server internal network IP is "192.168.1.20" and the IP address of 
client is "192.168.1.21". Both VMs can ping each other.

According to "https://community.openvpn.net/openvpn/wiki/HOWTO", I did the 
following steps:

# mkdir /etc/openvpn/ccd
# nano /etc/openvpn/server.conf

client-config-dir ccd
ccd-exclusive
route 192.168.1.0 255.255.255.0

Then:

# touch /etc/openvpn/ccd/Test-PC
# nano /etc/openvpn/ccd/Test-PC

iroute 192.168.1.0 255.255.255.0


After it, I started the OpenVPN service and it worked. On client, when I want 
to connect to my OpenVPN server, then it showed me:

Tue Aug 15 14:10:22 2023 TLS Error: TLS key negotiation failed to occur within 
60 seconds (check your network connectivity)
Tue Aug 15 14:10:22 2023 TLS Error: TLS handshake failed


I take a look at 
"https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/"
 too.

When I removed the following lines from my server.conf, then my client can 
connect to the server:

client-config-dir ccd
ccd-exclusive
route 192.168.1.0 255.255.255.0


How can I solve it? I changed protocol from UDP to TCP, but problem was not 
solved.







___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread tincantech via Openvpn-users

Sent with Proton Mail secure email.

--- Original Message ---
On Monday, August 14th, 2023 at 22:11, Jason Long  wrote:


> On Mon, Aug 14, 2023 at 11:47 PM, tincantech
> 
> >  wrote:
> > 
> > Hi,
> > 
> > --- Original Message ---
> > On Monday, August 14th, 2023 at 20:49, Jason Long  
> > wrote:
> > 
> > > On Mon, Aug 14, 2023 at 5:16 PM, tincantech
> > >
> > > >  wrote:
> > 
> > > >
> > > > Hello,
> > > > Thank you so much for your help.
> > > > I take a look at 
> > > > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
> > > > explained the capabilities of this option and did not provide any 
> > > > examples.
> > > > I did:
> > > > # mkdir /etc/openvpn/clients
> > > > # touch /etc/openvpn/clients/Client-1
> > > > Then, in server.conf:
> > > > client-config-dir clients 
> > > > ccd-exclusive
> > > > But, Windows client can't connect to the OpenVPN server and my 
> > > > connection restarted. Do I need to add something to the client 
> > > > configuration file?
> > 
> > No.
> > 
> > You have NEVER managed to have a client connect to your server.
> > Therefore, your question regarding this problem is irrelevant.
> > 
> > 
> > Hi,
> > Not really, you're wrong. I tested various scenarios and learned a lot from 
> > you and others. Now I want to learn this scenario, but unfortunately I 
> > could not find an article that teaches from the beginning. I would be 
> > grateful if you could tell me where the problem is.


There are many reasons which could explain your problem:
* You may be using a server with multiple NICs, which is configured
  incorrectly.
* You may have configured your network routing incorrectly.
* You may have configured --ccd-exclusive incorrectly.
* You may have some other unknown problem.

Regarding the issue above, if you want to verify that --ccd-exclusive is
working correctly then simply remove 'ccd-exclusive' from your server config,
restart your server and try to connect again. If your client can now connect
then --ccd-exclusive was successfully rejecting your client because there
was no CCD file for that client.

HTH
tct



Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread André via Openvpn-users
Hi,

Howto is here:
https://community.openvpn.net/openvpn/wiki/HOWTO

wkr
Pippin
--- Original Message ---
On Monday, August 14th, 2023 at 23:11, Jason Long via Openvpn-users 
 wrote:

> On Mon, Aug 14, 2023 at 11:47 PM, tincantech
>
>>  wrote:
>>
>> Hi,
>>
>> --- Original Message ---
>> On Monday, August 14th, 2023 at 20:49, Jason Long  
>> wrote:
>>
>>> On Mon, Aug 14, 2023 at 5:16 PM, tincantech
>>>
>>> >  wrote:
>>
>>> >
>>> > Hello,
>>> > Thank you so much for your help.
>>> > I take a look at 
>>> > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
>>> > explained the capabilities of this option and did not provide any 
>>> > examples.
>>> > I did:
>>> > # mkdir /etc/openvpn/clients
>>> > # touch /etc/openvpn/clients/Client-1
>>> > Then, in server.conf:
>>> > client-config-dir clients
>>> > ccd-exclusive
>>> > But, Windows client can't connect to the OpenVPN server and my connection 
>>> > restarted. Do I need to add something to the client configuration file?
>>
>> No.
>>
>> You have NEVER managed to have a client connect to your server.
>> Therefore, your question regarding this problem is irrelevant.
>>
>> Hi,
>> Not really, you're wrong. I tested various scenarios and learned a lot from you 
>> and others. Now I want to learn this scenario, but unfortunately I could not 
>> find an article that teaches from the beginning. I would be grateful if you 
>> could tell me where the problem is.
>>
>> HTH
>> tct


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread Jason Long via Openvpn-users
On Mon, Aug 14, 2023 at 11:47 PM, tincantech

 wrote:

Hi,

--- Original Message ---
On Monday, August 14th, 2023 at 20:49, Jason Long  wrote:

> On Mon, Aug 14, 2023 at 5:16 PM, tincantech
> 
> >  wrote:

> > 
> > Hello,
> > Thank you so much for your help.
> > I take a look at 
> > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
> > explained the capabilities of this option and did not provide any examples.
> > I did:
> > # mkdir /etc/openvpn/clients
> > # touch /etc/openvpn/clients/Client-1
> > Then, in server.conf:
> > client-config-dir clients 
> > ccd-exclusive
> > But, Windows client can't connect to the OpenVPN server and my connection 
> > restarted. Do I need to add something to the client configuration file?

No.

You have NEVER managed to have a client connect to your server.
Therefore, your question regarding this problem is irrelevant.

Hi,
Not really, you're wrong. I tested various scenarios and learned a lot from you 
and others. Now I want to learn this scenario, but unfortunately I could not 
find an article that teaches from the beginning. I would be grateful if you 
could tell me where the problem is.

HTH
tct


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread tincantech via Openvpn-users

Hi,

--- Original Message ---
On Monday, August 14th, 2023 at 20:49, Jason Long  wrote:

> On Mon, Aug 14, 2023 at 5:16 PM, tincantech
> 
> >  wrote:

> > 
> > Hello,
> > Thank you so much for your help.
> > I take a look at 
> > "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but it only 
> > explained the capabilities of this option and did not provide any examples.
> > I did:
> > # mkdir /etc/openvpn/clients
> > # touch /etc/openvpn/clients/Client-1
> > Then, in server.conf:
> > client-config-dir clients 
> > ccd-exclusive
> > But, Windows client can't connect to the OpenVPN server and my connection 
> > restarted. Do I need to add something to the client configuration file?

No.

You have NEVER managed to have a client connect to your server.
Therefore, your question regarding this problem is irrelevant.

HTH
tct


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread Jason Long via Openvpn-users
On Mon, Aug 14, 2023 at 5:16 PM, tincantech

 wrote:

Sent with Proton Mail secure email.

--- Original Message ---
On Monday, August 14th, 2023 at 14:13, Jason Long via Openvpn-users 
 wrote:


> Hello,
> To increase the security of OpenVPN, I want to use the ccd-exclusive.

--ccd-exclusive does not "increase the security of OpenVPN".
What it does is to provide a server with a convenient way to temporarily
disable certain clients by client commonName.

This convenience means that the client certificate does not need to be
revoked.  And the client can have access to the server restored simply
by (re-)creating a CCD file.

--ccd-exclusive means that the server will ONLY allow clients access
if they have a CCD file in the folder configured by --client-config-dir.



> I googled it, but I could not find a good example. I just found the following 
> question:
> 
> https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

I strongly recommend that your search starts with the Openvpn manual:
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html

EVERY option is described in the manual.



> But, I really don't know what to do.
> I must create a directory under the "/etc/openvpn", then create a file with 
> the name of clients in it? For example, if my Windows client host name is 
> "Client-1", then:
> 
> # mkdir /etc/openvpn/clients
> # touch /etc/openvpn/clients/Client-1
> 
> Then, in server.conf:
> 
> client-config-dir clients
> ccd-exclusive
> 
> Am I right?

Yes.

However, I strongly recommend that you learn the difference between
"absolute paths" and "relative paths". (Out of scope for this mailing list)



> How about the client configuration? Do I need to add anything?

No.

Do exactly as the manual (above) describes.

HTH
tct



Hello,
Thank you so much for your help.
I take a look at "https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html", but 
it only explained the capabilities of this option and did not provide any 
examples.
I did:
# mkdir /etc/openvpn/clients
# touch /etc/openvpn/clients/Client-1
Then, in server.conf:
client-config-dir clients
ccd-exclusive
But, Windows client can't connect to the OpenVPN server and my connection 
restarted. Do I need to add something to the client configuration file?

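tincantech's point, quoted in the reply above, is that --ccd-exclusive turns the CCD directory into an allow list keyed by certificate commonName: delete a client's CCD file and that client is locked out without touching the CA, recreate it and access is back. The script below is an added example, not part of this thread and not OpenVPN or Easy-RSA code, that reconciles the CA's issued CNs with that directory so you can see at a glance who is active, who is temporarily disabled, and which CCD files belong to revoked or never-issued CNs. It reads Easy-RSA's pki/index.txt (the OpenSSL CA database: tab-separated status, expiry, revocation date, serial, filename, subject DN). The index rows and the CCD directory in the demo are constructed, and the pki/ccd paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN/Easy-RSA: reconcile the
# CNs the CA has issued with the CCD directory that --ccd-exclusive uses as
# its allow list. Paths are assumptions for the demo.

# "STATUS CN" per row of Easy-RSA's pki/index.txt (the OpenSSL CA database).
# Rows are tab-separated: status (V valid, R revoked, E expired), expiry,
# revocation date (empty unless revoked), serial, filename, subject DN.
issued_cns() {
    awk -F'\t' '{ dn=$6; sub(/^.*\/CN=/, "", dn); sub(/\/.*$/, "", dn); print $1, dn }' "$1"
}

# One line per issued CN:
#   active    valid cert and a CCD file      -> admitted under --ccd-exclusive
#   disabled  valid cert, no CCD file        -> rejected, nothing to revoke
#   revoked   cert revoked; a leftover CCD file changes nothing and can go
#   expired   cert expired (status E, set by "openssl ca -updatedb")
# then "stale NAME" for CCD files whose name matches no issued CN (typos,
# or clients that were never issued a certificate). The server's own
# certificate, if it is in the same index, shows up as "disabled".
ccd_report() {
    index=$1; ccd=$2
    issued_cns "$index" | while read -r status cn; do
        case $status in
            V) if [ -f "$ccd/$cn" ]; then state=active; else state=disabled; fi ;;
            R) state=revoked ;;
            E) state=expired ;;
            *) state="unknown-$status" ;;
        esac
        printf '%s %s\n' "$state" "$cn"
    done
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        issued_cns "$index" | awk -v n="$name" '$2==n{found=1} END{exit !found}' \
            || printf 'stale %s\n' "$name"
    done
}

# Constructed demo: three issued certs and three CCD files, one of them
# misnamed. Prints the report and cleans up.
demo_report() {
    root=$(mktemp -d)
    mkdir -p "$root/ccd"
    {
        printf 'V\t330801000000Z\t\t01\tunknown\t/CN=Test-PC\n'
        printf 'V\t330801000000Z\t\t02\tunknown\t/CN=Client-1\n'
        printf 'R\t330801000000Z\t230815120000Z\t03\tunknown\t/CN=OldLaptop\n'
    } > "$root/index.txt"
    : > "$root/ccd/Test-PC"      # active
    : > "$root/ccd/OldLaptop"    # revoked, file left behind
    : > "$root/ccd/Typo-PC"      # no such CN was ever issued
    ccd_report "$root/index.txt" "$root/ccd"
    rm -rf "$root"
}

demo_report
```

Against a real deployment, call `ccd_report /path/to/pki/index.txt /etc/openvpn/ccd` (or whatever client-config-dir resolves to); the parsing assumes CNs without spaces, which is the sane choice for CCD file names anyway.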


Re: [Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread tincantech via Openvpn-users

Sent with Proton Mail secure email.

--- Original Message ---
On Monday, August 14th, 2023 at 14:13, Jason Long via Openvpn-users 
 wrote:


> Hello,
> To increase the security of OpenVPN, I want to use the ccd-exclusive.

--ccd-exclusive does not "increase the security of OpenVPN".
What it does is to provide a server with a convenient way to temporarily
disable certain clients by client commonName.

This convenience means that the client certificate does not need to be
revoked.  And the client can have access to the server restored simply
by (re-)creating a CCD file.

--ccd-exclusive means that the server will ONLY allow clients access
if they have a CCD file in the folder configured by --client-config-dir.



> I googled it, but I could not find a good example. I just found the following 
> question:
> 
> https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

I strongly recommend that your search starts with the Openvpn manual:
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html

EVERY option is described in the manual.



> But, I really don't know what to do.
> I must create a directory under the "/etc/openvpn", then create a file with 
> the name of clients in it? For example, if my Windows client host name is 
> "Client-1", then:
> 
> # mkdir /etc/openvpn/clients
> # touch /etc/openvpn/clients/Client-1
> 
> Then, in server.conf:
> 
> client-config-dir clients
> ccd-exclusive
> 
> Am I right?

Yes.

However, I strongly recommend that you learn the difference between
"absolute paths" and "relative paths". (Out of scope for this mailing list)



> How about the client configuration? Do I need to add anything?

No.

Do exactly as the manual (above) describes.

HTH
tct

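The following is an added example, not from this thread and not OpenVPN's own code, that puts two of tincantech's points into a checkable form: the --ccd-exclusive rule (with the option set, a client is admitted only if a file named exactly after its certificate CN exists in client-config-dir) and the check he gives in his later reply, shown further up this page (drop ccd-exclusive, restart, reconnect; if the client now connects, the missing CCD file was the reason). It also checks the iroute/route pairing from the server.conf and CCD file posted in the thread: each iroute in a CCD file needs a matching route in server.conf, because iroute only tells OpenVPN which client owns the subnet while the kernel route into the tun interface comes from route. Assumptions: the server runs with its working directory (--cd) set to the directory holding server.conf, so a relative client-config-dir such as "ccd" resolves there (this is the absolute-versus-relative path point tincantech raises); the subnets, CNs and the temporary directory layout are constructed for the demo and are not the poster's network.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: audit a
# client-config-dir layout the way --ccd-exclusive will treat it.
# Assumption: OpenVPN's working directory (--cd) is the directory that holds
# server.conf, so a relative client-config-dir resolves against it.

# Absolute path of client-config-dir, or failure if the option is missing.
resolve_ccd_dir() {
    conf=$1
    dir=$(awk '$1=="client-config-dir"{print $2; exit}' "$conf")
    [ -n "$dir" ] || return 1
    case $dir in
        /*) printf '%s\n' "$dir" ;;
        *)  printf '%s/%s\n' "$(dirname "$conf")" "$dir" ;;
    esac
}

# The --ccd-exclusive rule for a client whose certificate CN is $2:
# "allow" or "deny". Without the option the CCD directory is not a gate.
ccd_decision() {
    conf=$1; cn=$2
    if ! grep -qE '^[[:space:]]*ccd-exclusive([[:space:]]|$)' "$conf"; then
        echo allow; return 0
    fi
    dir=$(resolve_ccd_dir "$conf") || { echo deny; return 0; }
    [ -f "$dir/$cn" ] && echo allow || echo deny
}

# The "remove ccd-exclusive and try again" check, on a copy placed next to
# the original so relative paths still resolve. Prints the copy's path.
without_ccd_exclusive() {
    grep -vE '^[[:space:]]*ccd-exclusive([[:space:]]|$)' "$1" > "$1.noexcl"
    printf '%s\n' "$1.noexcl"
}

# "net mask" for every $2 line (route or iroute) in file $1; a missing
# mask means a host route, 255.255.255.255.
net_table() {
    awk -v kw="$2" '$1==kw{m=($3!="")?$3:"255.255.255.255"; print $2, m}' "$1"
}

# iroute only tells OpenVPN which client owns a subnet; the kernel route
# into the tun interface comes from a matching route in server.conf.
# Lists iroutes without one and returns 1; returns 0 when all are paired.
iroute_check() {
    conf=$1; ccd=$2
    routes=$(net_table "$conf" route)
    missing=$(net_table "$ccd" iroute | while read -r net mask; do
        printf '%s\n' "$routes" | grep -qxF "$net $mask" \
            || printf 'iroute %s %s has no matching route\n' "$net" "$mask"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"; return 1
}

# Constructed demo layout in a temp dir (not the poster's real server):
# Test-PC has a CCD file with a paired iroute, Client-2 has one whose
# iroute is unpaired, Client-1 has no CCD file at all. Prints the root.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/openvpn/ccd"
    cat > "$root/etc/openvpn/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
client-config-dir ccd
ccd-exclusive
route 10.20.0.0 255.255.255.0
EOF
    printf 'iroute 10.20.0.0 255.255.255.0\n' > "$root/etc/openvpn/ccd/Test-PC"
    printf 'iroute 10.30.0.0 255.255.255.0\n' > "$root/etc/openvpn/ccd/Client-2"
    printf '%s\n' "$root"
}

root=$(demo_layout)
conf=$root/etc/openvpn/server.conf
for cn in Test-PC Client-1; do
    printf '%-9s %s\n' "$cn" "$(ccd_decision "$conf" "$cn")"
done
printf 'Client-1 with ccd-exclusive removed: %s\n' \
    "$(ccd_decision "$(without_ccd_exclusive "$conf")" Client-1)"
iroute_check "$conf" "$root/etc/openvpn/ccd/Client-2" || true
rm -rf "$root"
```

Run it as-is for the demo, or point `ccd_decision` and `iroute_check` at a real server.conf and CCD file. The script does not try to reproduce any rewriting OpenVPN applies when it turns a CN into a file name, so it is exact for CNs like the thread's Test-PC and Client-1, where the file name is simply the CN.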


[Openvpn-users] How to use ccd-exclusive statement?

2023-08-14 Thread Jason Long via Openvpn-users
Hello,
To increase the security of OpenVPN, I want to use the ccd-exclusive. I googled 
it, but I could not find a good example. I just found the following question:

https://serverfault.com/questions/877201/limit-access-to-remote-server-via-particular-vpn

But, I really don't know what to do.
I must create a directory under the "/etc/openvpn", then create a file with the 
name of clients in it? For example, if my Windows client host name is 
"Client-1", then:

# mkdir /etc/openvpn/clients
# touch /etc/openvpn/clients/Client-1

Then, in server.conf:

client-config-dir clients
ccd-exclusive

Am I right?
How about the client configuration? Do I need to add anything?


Thank you.

