On Wed, Jan 3, 2024 at 11:24 AM Gert Doering wrote:
>
> Ideally, you wouldn't create the keys "on the server" anyway - in a
> secure world, the CA key never leaves a *secure* machine for key generation,
> and you'd create server key(s) and client keys on this machine, copying
> to the target
This may be a stupid question, but in the remote office, do you have a
route for 10.8.139.0/25? If not, then the clients can get packets to
the remote network, but the remote network can't get packets back to
the clients.
On Sun, Oct 2, 2022 at 7:44 AM Bo Berglund wrote:
>
> 6 months ago or so I
The general form of what you want to do is:
openssl x509 -in file.crt -noout -text | grep 'Not After'
If you use the same command against the client files with the embedded
crypto, it will give you the expiration date of the first certificate
block, which *might* be your client cert, or *might*
client-to-client bypasses nftables entirely. With it enabled,
client-to-client packets are routed internally to openvpn via the
iroute table without ever being handed off to the kernel for
inspection, firewalling, routing, counting, capturing, mangling, or
anything else.
Without
On Wed, Sep 22, 2021 at 4:19 AM Alex K wrote:
>
>
>
> On Wed, Sep 22, 2021 at 3:12 AM Joe Patterson wrote:
>> My first whack at this was an ugly kluge where I directly called vtysh
>> from my client-connect script, along the lines of:
>>
>> #parse ccd
Or, make a new ca.crt file with both the old and new ca certs, no
cross-signing required. Deploy to server, then to clients, so that
both server and clients trust both CAs. Then update the client certs
one by one to the new CA. Then update the server cert to the new CA.
Then deploy a ca.crt with
Yes. A CA crt file can contain multiple certificates concatenated together.
I did exactly this same thing not long ago.
Joe
On Wed, Jul 21, 2021, 4:59 AM Ralf Hildebrandt
wrote:
> I want to transition from an old, internal CA (easyrsa) to a new,
> internal CA (also easyrsa).
>
> But how do I
This does kind of depend on how one defines "2FA". If you define the
"two factors" as a certificate and a password, then just
auth-user-pass and set up the PAM plugin.
If you want MFA, where the factors are a certificate, password, *and*
OTP, then you'll need to do what you're talking about with
On Sat, Jun 26, 2021 at 5:31 PM Gert Doering wrote:
> I'm not sure our include mechanism works in ccd files - but you could
> try. It's done by specifying a config file in a config file, so
>
> ifconfig-push ...
> ifconfig-ipv6-push ...
> config my_standard_set.conf
I can confirm from
Something I'm curious about, but haven't actually tried, is what
happens in the case of overlap between ifconfig-push and
ifconfig-pool. Obviously it's best not to overlap these, but if one
were to... not do that, what happens if the next pool address is
already assigned via push? My assumption
On Wed, Apr 21, 2021 at 1:55 PM Selva Nair wrote:
>
> Hi,
>
> On Wed, Apr 21, 2021 at 1:35 PM Joe Patterson wrote:
>>
>> I stand corrected! That's very useful to know.
>>
>> Does the "OTP" keyword in the plugin correspond to the OTP argument in
login:
USERNAME Password: PASSWORD Verification 'enter the number from your
authenticator'"?
Thanks,
-Joe
On Wed, Apr 21, 2021 at 12:40 PM Selva Nair wrote:
>
> Hi
>
> On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson
> wrote:
> >
> > What you're looking for is the o
What you're looking for is the openvpn challenge/response protocol,
which can be used when authentication is done via the management
interface.
https://openvpn.net/community-resources/management-interface/
describes it a bit.
I know that the MFA portion of the management interface system I wrote
A few years ago, I wrote a little application to help with some
openvpn services. Then some things changed, and I never got a chance
to put it into production. So I thought I'd check here and see if
anyone might find it useful, or be interested in trying it out, or
might even want to improve on
If I have multiple CA's, will openvpn understand a --crl-verify
"file", where the file contains the CRL's from all of the CA's
concatenated together? Or will it accept multiple --crl-verify
entries?
It looks like if I use the --crl-verify "file" dir method, I will run
into trouble if I have
That only works as far as you trust your users not to violate policy
(which, generally speaking, you shouldn't). There's nothing stopping
them from adding "route" statements to their own config files.
Anything you can push, the user can add without it being pushed.
Well, except ifconfig push,
understand how
that could be challenging.
On Thu, Apr 30, 2020 at 2:14 PM Gert Doering wrote:
>
> Hi,
>
> On Thu, Apr 30, 2020 at 01:53:29PM -0400, Joe Patterson wrote:
> > So, I've got a back-burner project that does parts of this. It's a
> > daemon that connects to the manage
So, I've got a back-burner project that does parts of this. It's a
daemon that connects to the management console and handles things like
client auth and such. The way I did it was that the daemon keeps an
internal copy of basically the iroute table, and then advertises it
via RIPv2 on
My first thought is "It should be trivial to write a little script to
go through and link the decimal name to the hex name", and even
though, intellectually, I know that the chance of a collision between
hex and dec names in that large a space would be infinitesimal, it
still manages to really
> clients at this point, but if I have to roll my own address-management, just
> allocating 1k-address
> subnets eases some pains...).
>
> On 11/26/19 4:28 PM, Joe Patterson wrote:
> > On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen
> > wrote:
> >>
On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen
wrote:
>
> On 11/26/19 5:36 AM, Gert Doering wrote:
> > Hi,
> >
> > On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> >> Is there some way to set up an OpenVPN server with multiple distinct VPN
> >> segments behind
> >> a
On Tue, Nov 26, 2019 at 5:38 AM Gert Doering wrote:
>
> Hi,
>
> On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote:
> > Is there some way to set up an OpenVPN server with multiple distinct VPN
> > segments behind
> > a common listening port, such that I can dispatch connections
1) Not built into OpenVPN, but it would be reasonably easy to write a small
script that would ping (or some other latency-measuring, hop-measuring, or
something-else-measuring method) all the servers and then construct an
openvpn config file snippet to be included in the main openvpn config.
2)
This may be a stupid question but...
Do any of the openssl cnf files have a comment in them that says "easy-rsa
version 2.x"?
if you do 'echo $KEY_CONFIG', what does it say?
Thanks,
-Joe
On Tue, Aug 8, 2017 at 4:03 PM Mio Vlahović wrote:
> On 08.08.2017 21:47, David
I don't think you can with that config, but there are things that you could
do to change it so you can. If you add a "status" line, you'll get a
status file listing connected systems and their IPs. If you add a
"management" line, you can telnet in and run the "status" command, and get
a list of
Just as a thought, have you tried running tcpdump on the tunnel interface
immediately after it comes up (before the 10 seconds), on the off chance
that this has nothing to do with openvpn, but instead something on the OS
side of things has decided that a new interface needs a packet or three
sent
If openvpn crashing is a regular problem, that's very interesting in its
own right, and I'm sure we'd like to know more, and there's nothing much
you can do *within* openvpn to respond when openvpn crashes.
If openvpn is exiting normally and you don't want it to, my guess is that
you could look
I'm pretty sure that the answer to this is probably "no", but I'm gonna ask
anyhow...
For clients connecting without auth-user-pass, I get a CLIENT notification
for ESTABLISHED, but none for DISCONNECT. Is there a way to make openvpn
send DISCONNECT messages on the management interface even if
I haven't seen anything, but I figured I'd ask before making any
conclusions: Is there any way to determine the CID of clients in the
management interface? It doesn't seem to be part of the output of
'status'. Or does the CID only exist within ">CLIENT:" notifications?
The boring details are:
I believe he was saying that it would never autoconnect, but only that the
gui would launch. (as a side note, I will throw in my $.02 that I think
this is definitely a good choice. I can't think of a situation in which I
wouldn't want the gui to autostart, and I'm pretty sure that if there
-11-10 03:08 PM, Joe Patterson wrote:
> > I just recently set up a new set of servers running openvpn on a shared
> > vrrp IP. When I connect to my TCP server, everything is fine, but when
> > I connect to a UDP server, my initial client packet goes to the VRRP IP,
> > but t
This may be a silly question, but are you pushing static IP's?
-Joe
On Wed, Aug 31, 2016 at 7:30 AM Paul Hancock
wrote:
> "Multiple sessions per user" and even duplicate-cn are enabled on the
> server, yet it still kicks the oldest connection whenever a new one
I think what you want is 'push "route 89.234.186.0 255.255.255.0"' If you
just have route with an IP and no netmask, it's going to assume a /32 mask.
On Thu, Aug 18, 2016 at 8:53 AM Alarig Le Lay wrote:
> Hi,
>
> I have a setup where each client has a /32 IPv4 (not /24)
Let me second the suggestion to make it configurable. I don't know much
about duo, but ages ago I modified the PAM plugin to be able to do the
opposite: use the common name as the username for PAM. The reason being,
that without something to tie usernames to common names, an attacker only
needs
The other ideal solution (IMHO), would be to have openvpn support an
internal routing protocol like ospf. That way you could have tons of
daemon processes (which would also effectively give you multi-processor
support, sort of), and a routing daemon on the host box aggregating all of
those routes
Check that with cat -A. There should be two tabs between that date and
serial number, because there's a "revoked on" datetime field in between
those two that's blank for certificates that haven't been revoked.
Also, I'm not sure if the "entry 43" that it's talking about is the same as
the entry
What does the routing table look like? The fact that you can ping makes
this seem unlikely, but other than that it sounds like it *might* be
getting dropped by urpf. (that's the only place I can think of between
where libpcap would see it but a listening socket wouldn't, other than
iptables
Just as a note, iptables-save *does* show the current rule set, just in a
format that's parseable by iptables-restore.
On Tue, Aug 25, 2015 at 2:24 PM Jan Just Keijser janj...@nikhef.nl wrote:
On 25/08/15 19:55, Tiago Vasconcelos wrote:
Hi Jan
On 25-08-2015 17:25, Jan Just Keijser wrote:
Unless you're doing something very strange, they're just files, they can be
copied or moved fairly easily.
Note that the only files the openvpn process really needs are its own
certificate, its own key, and the CA cert. The easy-rsa CA really only
needs access to the CA cert and key (and only
Another possibility (also kind of klugey, and I haven't personally tried it
with ipv4 to ipv6) is to listen on one IP and then NAT from the other IP to
the one you're listening on. I use this to listen on multiple (well,
actually all) ports, though I still have to use different processes to
I'm pretty sure it's not possible to do that from a windows perspective,
however the workaround that I've used (that has some advantages of its own)
is to run the bind dns server locally on my windows client machine,
configured as a resolver for localhost only, and configured with forward
zones
Looking through the docs, I *think* I know the answer to this question
already, but I figured I'd ask here in case I'm wrong...
Is there any way to push an iroute to an openvpn server instance at any
time other than when a client connects? I would think that if this sort of
thing could be done,
Just out of curiosity, if I'm reading this correctly, if you use loose RPF
on a box, and also use the openvpn's --redirect-gateway def1 (which sets
two /1 routes), that would basically be equivalent to turning off RPF?
-Joe
On Fri, Aug 22, 2014 at 1:34 PM, Josh Cepek josh.ce...@usa.net wrote:
I still maintain that it would be much simpler and more useful to put less
effort into making a multi-threaded process, and more effort into making it
easier for multiple processes to coordinate amongst one another. That gets
the advantage of more easily being able to allocate multiple clients
So maybe what's really needed is less having multi-threading support within
a single openvpn process, but more adding some functionality that makes it
easier to get to the desired end-state, like extending the ip persistence
from a flat file to perhaps a database connection, and have a way to
Generally speaking, I'd say use a sniffer on the server (assuming that's an
option for you)
Or, you could run netcat on each side and openvpn on the other side, and
see which one is seeing what (it'll fail still, but you should see
*something*)
Do the server logs show anything when the client
If I'm understanding you correctly, I think I know the problem: route
statements cannot go in a ccd (or, more accurately, they don't do anything
if they're there), because route statements are injecting routes into the
OS routing table, which is only done on start-up (and in the case of
running
On Thu, Jul 24, 2014 at 12:28 PM, pg0...@fastmail.fm wrote:
Hi Joe,
On Thu, Jul 24, 2014, at 07:31 AM, Joe Patterson wrote:
If I'm understanding you correctly, I think I know the problem: route
statements cannot go in a ccd (or, more accurately, they don't do
anything
if they're
Not so much a confidentiality benefit as an integrity benefit, to make
sure you really are getting your software from who you think you're getting
it from.
-Joe
On Thu, Apr 10, 2014 at 6:36 AM, David Sommerseth
openvpn.l...@topphemmelig.net wrote:
Check the logs on the server for SENT CONTROL [user]: 'PUSH_REPLY,... and
see if you're actually pushing that route, or if it's being generated by
the client. (I know that info gets logged on my server at verbosity 4)
-Joe
On Mon, Mar 17, 2014 at 2:23 PM, Billy Crook billycr...@gmail.com wrote:
/usr/share/openvpn/easy-rsa/2.0/vars
/usr/share/openvpn/easy-rsa/2.0/whichopensslcnf
op 21-01-14 13:08, Joe Patterson schreef:
openssl x509 -noout -modulus -in ca.pem
then look for a key where the output of:
openssl rsa -noout -modulus -in file.key
matches.
-Joe
On Tue, Jan 21
What exists in /usr/share/openvpn/easy-rsa/2.0/keys? If you did a
clean-all, then you will be missing some important files (most especially
the ca.key file, but also some others such as the index and serial files)
If that's the case, you will most likely need to start over from a new CA.
(one
If I'm understanding what you're trying to do, it falls into that lovely
category of either trivial or impossible. If 1.2.3.4 is the un-nat'd IP
that the client is connecting from, then, as I understand it, it's nearly
impossible because if you route packets to the client IP over the tunnel,
then
I wanted to check if anyone knows more about what constitutes failure with
respect to client connection profiles. According to the man page, if you
have a bunch of stanzas of connection/connection, the first one will be
tried and, if it fails, the next one will be tried and so on. My question
54 matches