Re: [Openvpn-users] Transfer from one server to another, compress and digest

2024-01-03 Thread Joe Patterson
On Wed, Jan 3, 2024 at 11:24 AM Gert Doering wrote: > > Ideally, you wouldn't create the keys "on the server" anyway - in a > secure world, the CA key never leaves a *secure* machine for key generation, > and you'd create server key(s) and client keys on this machine, copying > to the target

Re: [Openvpn-users] I can reach only part of the local LAN when connected

2022-10-02 Thread Joe Patterson
This may be a stupid question, but in the remote office, do you have a route for 10.8.139.0/25? If not, then the clients can get packets to the remote network, but the remote network can't get packets back to the clients. On Sun, Oct 2, 2022 at 7:44 AM Bo Berglund wrote: > > 6 months ago or so I

Re: [Openvpn-users] Checking server and client certificates expiration?

2022-09-28 Thread Joe Patterson
The general form of what you want to do is: openssl x509 -in file.crt -noout -text | grep 'Not After' If you use the same command against the client files with the embedded crypto, it will give you the expiration date of the first certificate block, which *might* be your client cert, or *might*
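As an added illustration of the caveat above (this is not code from the post or from the OpenVPN project), the following POSIX sh functions walk every certificate block in a file, so an .ovpn with inline <ca>/<cert> blocks reports the expiry of each block instead of only the first one that grep sees. It assumes openssl is on PATH; the sample profile it builds is a constructed throw-away with two self-signed certificates.

```shell
# Added example, not from the thread: per-block expiry for files that
# carry several PEM certificates (CA bundles, inline-crypto .ovpn files).
# Assumes openssl on PATH; POSIX sh + awk only.

# Print the n-th "-----BEGIN CERTIFICATE-----" block of a file.
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Number of certificate blocks in a file (prints 0 if there are none).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One line per block: index, notAfter date, subject.
cert_expiries() {
    total=$(cert_count "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        end=$(nth_cert "$1" "$i" | openssl x509 -noout -enddate)
        subj=$(nth_cert "$1" "$i" | openssl x509 -noout -subject)
        printf '%s\t%s\t%s\n' "$i" "${end#notAfter=}" "${subj#subject=}"
        i=$((i + 1))
    done
}

# Exit 0 if block $2 of file $1 is still valid $3 seconds from now,
# 1 if it expires before then (openssl's -checkend, applied per block).
cert_ok_for() {
    nth_cert "$1" "$2" | openssl x509 -noout -checkend "$3" >/dev/null
}

# Constructed stand-in for a client profile: two inline self-signed certs,
# one expiring in 2 days and one in 400. Prints the path of the profile.
make_sample_profile() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=short-lived \
        -keyout "$dir/a.key" -out "$dir/a.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 400 -subj /CN=long-lived \
        -keyout "$dir/b.key" -out "$dir/b.crt" 2>/dev/null
    {
        echo '<ca>';   cat "$dir/a.crt"; echo '</ca>'
        echo '<cert>'; cat "$dir/b.crt"; echo '</cert>'
    } > "$dir/client.ovpn"
    printf '%s\n' "$dir/client.ovpn"
}
```

Usage: `cert_expiries client.ovpn` lists every block; `cert_ok_for client.ovpn 2 2592000 || echo "client cert expires within 30 days"` is the check a renewal cron job would run.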

Re: [Openvpn-users] client-to-client NO with exceptions ?

2021-11-19 Thread Joe Patterson
client-to-client bypasses nftables entirely. With it enabled, client-to-client packets are routed internally to openvpn via the iroute table without ever being handed off to the kernel for inspection, firewalling, routing, counting, capturing, mangling, or anything else. Without

Re: [Openvpn-users] Share dynamic routes between hosts

2021-09-22 Thread Joe Patterson
On Wed, Sep 22, 2021 at 4:19 AM Alex K wrote: > > > > On Wed, Sep 22, 2021 at 3:12 AM Joe Patterson wrote: >> My first whack at this was an ugly kluge where I directly called vtysh >> from my client-connect script, along the lines of: >> >> #parse ccd

Re: [Openvpn-users] [ext] Re: CA migration?

2021-07-22 Thread Joe Patterson
Or, make a new ca.crt file with both the old and new ca certs, no cross-signing required. Deploy to server, then to clients, so that both server and clients trust both CA's. Then update the client certs one by one to the new CA. Then update the server cert to the new CA. Then deploy a ca.crt with

Re: [Openvpn-users] CA migration?

2021-07-21 Thread Joe Patterson
Yes. A CA crt file can contain multiple certificates concatenated together. I did exactly this same thing not long ago. Joe On Wed, Jul 21, 2021, 4:59 AM Ralf Hildebrandt wrote: > I want to transition from an old, internal CA (easyrsa) to a new, > internal CA (also easyrsa). > > But how do I
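As an added example for the migration described in the two messages above (not code from the thread or from easy-rsa), the shell functions below build an old and a new CA, sign one client with each, concatenate the two CA certificates into one ca.crt, and check with openssl verify that a client issued by either CA validates against the bundle while it validates against only its own CA individually. It assumes openssl is on PATH; every CA and certificate it creates is a constructed throw-away.

```shell
# Added example, not from the thread: a ca.crt bundle is just concatenated
# PEM certificates, and "openssl verify -CAfile" is the check that it trusts
# both the old and the new issuer. Assumes openssl on PATH.

# make_ca DIR NAME -> DIR/NAME.crt and DIR/NAME.key (self-signed CA cert)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# sign_client DIR CANAME CN -> DIR/CN.crt signed by DIR/CANAME.crt
sign_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# bundle_cas OUT CA1.crt CA2.crt ... -> OUT trusts every listed CA
bundle_cas() {
    out="$1"; shift
    cat "$@" > "$out"
}

# verify_against CAFILE CERT -> exit 0 when CERT chains to CAFILE
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed migration scenario; prints the working directory.
# alice still has a cert from the old CA, bob was reissued under the new one.
make_migration_scenario() {
    dir=$(mktemp -d)
    make_ca "$dir" old-ca
    make_ca "$dir" new-ca
    sign_client "$dir" old-ca alice
    sign_client "$dir" new-ca bob
    bundle_cas "$dir/ca.crt" "$dir/old-ca.crt" "$dir/new-ca.crt"
    printf '%s\n' "$dir"
}
```

The order of operations from the thread still applies: the bundle goes to the server first, then to every client, and only then are client certs reissued; the final single-CA ca.crt is deployed only after the last old-CA certificate is gone, which `verify_against old-ca.crt` on each remaining client cert can confirm.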

Re: [Openvpn-users] OpenVPN 2fa user authentication

2021-07-05 Thread Joe Patterson
This does kind of depend on how one defines "2FA". If you define the "two factors" as a certificate and a password, then just auth-user-pass and set up the PAM plugin. If you want MFA, where the factors are a certificate, password, *and* OTP, then you'll need to do what you're talking about with

Re: [Openvpn-users] Defining custom routes for particular users

2021-06-27 Thread Joe Patterson
On Sat, Jun 26, 2021 at 5:31 PM Gert Doering wrote: > I'm not sure our include mechanism works in ccd files - but you could > try. It's done by specifying a config file in a config file, so > > ifconfig-push ... > ifconfig-ipv6-push ... > config my_standard_set.conf I can confirm from

Re: [Openvpn-users] Is it possible to mix ccd and non-ccd clients to the same server?

2021-05-27 Thread Joe Patterson
Something I'm curious about, but haven't actually tried, is what happens in the case of overlap between ifconfig-push and ifconfig-pool. Obviously it's best not to overlap these, but if one were to... not do that, what happens if the next pool address is already assigned via push? My assumption

Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
On Wed, Apr 21, 2021 at 1:55 PM Selva Nair wrote: > > Hi, > > On Wed, Apr 21, 2021 at 1:35 PM Joe Patterson wrote: >> >> I stand corrected! That's very useful to know. >> >> Does the "OTP" keyword in the plugin correspond to the OTP argument in &

Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
login: USERNAME Password: PASSWORD Verification 'enter the number from your authenticator'"? Thanks, -Joe On Wed, Apr 21, 2021 at 12:40 PM Selva Nair wrote: > > Hi > > On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson > wrote: > > > > What you're looking for is the o

Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
What you're looking for is the openvpn challenge/response protocol, which can be used when authentication is done via the management interface. https://openvpn.net/community-resources/management-interface/ describes it a bit. I know that the MFA portion of the management interface system I wrote

[Openvpn-users] ovpnherder

2021-02-16 Thread Joe Patterson
A few years ago, I wrote a little application to help with some openvpn services. Then some things changed, and I never got a chance to put it into production. So I thought I'd check here and see if anyone might find it useful, or be interested in trying it out, or might even want to improve on

[Openvpn-users] Concatenate CRL's?

2021-01-11 Thread Joe Patterson
If I have multiple CA's, will openvpn understand a --crl-verify "file", where the file contains the CRL's from all of the CA's concatenated together? Or will it accept multiple --crl-verify entries? It looks like if I use the --crl-verify "file" dir method, I will run into trouble if I have

Re: [Openvpn-users] On Access policies

2020-07-30 Thread Joe Patterson
That only works as far as you trust your users not to violate policy (which, generally speaking, you shouldn't). There's nothing stopping them from adding "route" statements to their own config files. Anything you can push, the user can add without it being pushed. Well, except ifconfig push,

Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support --"TAP support removal" rumor

2020-04-30 Thread Joe Patterson
understand how that could be challenging. On Thu, Apr 30, 2020 at 2:14 PM Gert Doering wrote: > > Hi, > > On Thu, Apr 30, 2020 at 01:53:29PM -0400, Joe Patterson wrote: > > So, I've got a back-burner project that does parts of this. It's a > > daemon that connects to the manage

Re: [Openvpn-users] OpenVPN with OSPF there is no proper guide or support --"TAP support removal" rumor

2020-04-30 Thread Joe Patterson
So, I've got a back-burner project that does parts of this. It's a daemon that connects to the management console and handles things like client auth and such. The way I did it was that the daemon keeps an internal copy of basically the iroute table, and then advertises it via RIPv2 on

Re: [Openvpn-users] crl-verify [SOLVED]

2020-04-16 Thread Joe Patterson
My first thought is "It should be trivial to write a little script to go through and link the decimal name to the hex name", and even though, intellectually, I know that the chance of a collision between hex and dec names in that large a space would be infinitesimal, it still manages to really

Re: [Openvpn-users] Multiple VPN segments, dispatching by client credentials instead of port?

2019-11-27 Thread Joe Patterson
y > clients at this point, but if I have to roll my own address-management, just > allocating 1k-address > subnets eases some pains...). > > On 11/26/19 4:28 PM, Joe Patterson wrote: > > On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen > > wrote: > >> &

Re: [Openvpn-users] Multiple VPN segments, dispatching by client credentials instead of port?

2019-11-26 Thread Joe Patterson
On Tue, Nov 26, 2019 at 3:42 PM Joshua Judson Rosen wrote: > > On 11/26/19 5:36 AM, Gert Doering wrote: > > Hi, > > > > On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote: > >> Is there some way to set up an OpenVPN server with multiple distinct VPN > >> segments behind > >> a

Re: [Openvpn-users] Multiple VPN segments, dispatching by client credentials instead of port?

2019-11-26 Thread Joe Patterson
On Tue, Nov 26, 2019 at 5:38 AM Gert Doering wrote: > > Hi, > > On Mon, Nov 25, 2019 at 04:45:05PM -0500, Joshua Judson Rosen wrote: > > Is there some way to set up an OpenVPN server with multiple distinct VPN > > segments behind > > a common listening port, such that I can dispatch connections

Re: [Openvpn-users] Select nearest OpenVPN server / shared userbase / Only connect if away from home

2017-10-02 Thread Joe Patterson
1) Not built into OpenVPN, but it would be reasonably easy to write a small script that would ping (or some other latency-measuring, hop-measuring, or something-else-measuring method) all the servers and then construct an openvpn config file snippet to be included in the main openvpn config. 2)

Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-08 Thread Joe Patterson
This may be a stupid question but... Do any of the openssl cnf files have a comment in them that says "easy-rsa version 2.x"? If you do 'echo $KEY_CONFIG', what does it say? Thanks, -Joe On Tue, Aug 8, 2017 at 4:03 PM Mio Vlahović wrote: > On 08.08.2017 21:47, David

Re: [Openvpn-users] Managing the server's IP pool

2017-06-28 Thread Joe Patterson
I don't think you can with that config, but there are things that you could do to change it so you can. If you add a "status" line, you'll get a status file listing connected systems and their IP's. If you add a "management" line, you can telnet in and run the "status" command, and get a list of
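As an added example of reading the status file mentioned above (not code from the post or from OpenVPN), the functions below pull the virtual-address assignments out of a status file in the default version-1 layout and count how much of the pool is in use. The layout of the constructed sample is an assumption based on the version-1 format (a CLIENT LIST section, then a ROUTING TABLE section keyed by virtual address, then GLOBAL STATS and END); networks added via iroute also show up in the routing table as prefix/length, so they are excluded from the pool count. Pure POSIX sh + awk.

```shell
# Added example, not from the thread: list pool addresses in use from an
# OpenVPN status file (default "status-version 1" layout assumed).

# Print "virtual_address<TAB>common_name<TAB>real_address" per routing entry.
status_assignments() {
    awk -F',' '
        /^ROUTING TABLE$/ { in_rt = 1; next }
        /^GLOBAL STATS$/  { in_rt = 0 }
        in_rt && $1 == "Virtual Address" { next }   # column header line
        in_rt && NF >= 3 { printf "%s\t%s\t%s\n", $1, $2, $3 }
    ' "$1"
}

# Number of distinct host addresses handed out from the pool; iroute'd
# networks appear in the same table as "net/len" and are left out.
status_pool_used() {
    status_assignments "$1" | cut -f1 | grep -v '/' | sort -u | wc -l | tr -d ' '
}

# Constructed status file: two clients, one of which also has an iroute.
make_sample_status() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Jun 28 10:00:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.10:51820,12345,67890,Wed Jun 28 09:00:00 2017
bob,203.0.113.5:41000,222,333,Wed Jun 28 09:30:00 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,198.51.100.10:51820,Wed Jun 28 09:59:00 2017
10.8.0.10,bob,203.0.113.5:41000,Wed Jun 28 09:58:00 2017
192.168.50.0/24,bob,203.0.113.5:41000,Wed Jun 28 09:58:00 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    printf '%s\n' "$f"
}
```

Usage: `status_assignments /var/run/openvpn/status.log` for the current map, `status_pool_used` for a number to graph or alert on before the pool runs dry.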

Re: [Openvpn-users] standby tunnel

2017-06-08 Thread Joe Patterson
Just as a thought, have you tried running tcpdump on the tunnel interface immediately after it comes up (before the 10 seconds), on the off chance that this has nothing to do with openvpn, but instead something on the OS side of things has decided that a new interface needs a packet or three sent

Re: [Openvpn-users] automatically restart openvpn

2017-05-31 Thread Joe Patterson
If openvpn crashing is a regular problem, that's very interesting in its own right, and I'm sure we'd like to know more, and there's nothing much you can do *within* openvpn to respond when openvpn crashes. If openvpn is exiting normally and you don't want it to, my guess is that you could look

[Openvpn-users] Disconnect messages in the management interface?

2017-03-10 Thread Joe Patterson
I'm pretty sure that the answer to this is probably "no", but I'm gonna ask anyhow... For clients connecting without auth-user-pass, I get a CLIENT notification for ESTABLISHED, but none for DISCONNECT. Is there a way to make openvpn send DISCONNECT messages on the management interface even if

[Openvpn-users] Any way to determine CID from management interface?

2017-03-02 Thread Joe Patterson
I haven't seen anything, but I figured I'd ask before making any conclusions: Is there any way to determine the CID of clients in the management interface? It doesn't seem to be part of the output of 'status'. Or does the CID only exist within ">CLIENT:" notifications? The boring details are:

Re: [Openvpn-users] Launching OpenVPN-GUI automatically on user login?

2016-11-30 Thread Joe Patterson
I believe he was saying that it would never autoconnect, but only that the gui would launch. (as a side note, I will throw in my $.02 that I think this is definitely a good choice. I can't think of a situation in which I wouldn't want the gui to autostart, and I'm pretty sure that if there

Re: [Openvpn-users] openvpn udp server and vrrp

2016-11-10 Thread Joe Patterson
-11-10 03:08 PM, Joe Patterson wrote: > > I just recently set up a new set of servers running openvpn on a shared > > vrrp IP. When I connect to my TCP server, everything is fine, but when > > I connect to a UDP server, my initial client packet goes to the VRRP IP, > > but t

Re: [Openvpn-users] Allowing multiple connections by the same user.

2016-08-31 Thread Joe Patterson
This may be a silly question, but are you pushing static IP's? -Joe On Wed, Aug 31, 2016 at 7:30 AM Paul Hancock wrote: > "Multiple sessions per user" and even duplicate-cn are enabled on the > server, yet it still kicks the oldest connection whenever a new one

Re: [Openvpn-users] Add a directly connected route

2016-08-18 Thread Joe Patterson
I think what you want is 'push "route 89.234.186.0 255.255.255.0"' If you just have route with an IP and no netmask, it's going to assume a /32 mask. On Thu, Aug 18, 2016 at 8:53 AM Alarig Le Lay wrote: > Hi, > > I have a setup where each client has a /32 IPv4 (not /24)

Re: [Openvpn-users] username-as-common-name not setting username as common_name for plugin

2016-08-04 Thread Joe Patterson
Let me second the suggestion to make it configurable. I don't know much about duo, but ages ago I modified the PAM plugin to be able to do the opposite: use the common name as the username for PAM. The reason being, that without something to tie usernames to common names, an attacker only needs

Re: [Openvpn-users] Same IP Ranges for TCP- and UDP-Server

2016-03-30 Thread Joe Patterson
The other ideal solution (IMHO), would be to have openvpn support an internal routing protocol like ospf. That way you could have tons of daemon processes (which would also effectively give you multi-processor support, sort of), and a routing daemon on the host box aggregating all of those routes

Re: [Openvpn-users] OPENVPN EASY-RSA invalid revocation date in entry

2016-02-08 Thread Joe Patterson
Check that with cat -A. There should be two tabs between that date and serial number, because there's a "revoked on" datetime field in between those two that's blank for certificates that haven't been revoked. Also, I'm not sure if the "entry 43" that it's talking about is the same as the entry
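As an added example of the check suggested above (not code from the post or from easy-rsa), the functions below do with awk what cat -A does by eye: they assume the OpenSSL CA database layout that easy-rsa uses for index.txt (six tab-separated fields: status V/R/E, expiry, revocation date, serial, filename, subject, with the revocation field empty unless the status is R) and report lines whose field count or revocation date is wrong. Line numbers are printed 1-based and may not correspond to the "entry N" count of the tool that complained. The sample index.txt is constructed inline; pure POSIX sh + awk.

```shell
# Added example, not from the thread: sanity-check an easy-rsa/openssl
# index.txt (six tab-separated fields per line is the assumed layout).

# Print one problem per offending line; prints nothing when the file is clean.
index_check() {
    awk -F'\t' '
        NF != 6 { printf "line %d: %d fields, expected 6\n", NR, NF; next }
        $1 !~ /^[VRE]$/ { printf "line %d: unknown status %s\n", NR, $1; next }
        $1 == "R" && $3 == "" { printf "line %d: revoked but no revocation date\n", NR; next }
        $1 != "R" && $3 != "" { printf "line %d: revocation date on non-revoked entry\n", NR; next }
        $1 == "R" && $3 !~ /^[0-9][0-9]*Z(,.*)?$/ { printf "line %d: malformed revocation date %s\n", NR, $3 }
    ' "$1"
}

# Serials of revoked, well-formed entries (what a regenerated CRL would carry).
index_revoked_serials() {
    awk -F'\t' '$1 == "R" && NF == 6 { print $4 }' "$1"
}

# Constructed index.txt: one valid entry, one properly revoked entry,
# one line that lost its empty revocation field, one with a bad date.
make_sample_index() {
    f=$(mktemp)
    printf 'V\t300101000000Z\t\t01\tunknown\t/CN=client1\n' >> "$f"
    printf 'R\t300101000000Z\t240115120000Z\t02\tunknown\t/CN=client2\n' >> "$f"
    printf 'V\t300101000000Z\t03\tunknown\t/CN=missing-field\n' >> "$f"
    printf 'R\t300101000000Z\t2024-01-15\t04\tunknown\t/CN=bad-date\n' >> "$f"
    printf '%s\n' "$f"
}
```

The revocation field may also read "date,reason" when a reason code was recorded, which the date pattern tolerates.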

Re: [Openvpn-users] How to SSH to the OpenVPN server itself via the tunnel?

2015-08-25 Thread Joe Patterson
What does the routing table look like? The fact that you can ping makes this seem unlikely, but other than that it sounds like it *might* be getting dropped by urpf. (that's the only place I can think of between where libpcap would see it but a listening socket wouldn't, other than iptables

Re: [Openvpn-users] How to SSH to the OpenVPN server itself via the tunnel?

2015-08-25 Thread Joe Patterson
Just as a note, iptables-save *does* show the current rule set, just in a format that's parseable by iptables-restore. On Tue, Aug 25, 2015 at 2:24 PM Jan Just Keijser janj...@nikhef.nl wrote: On 25/08/15 19:55, Tiago Vasconcelos wrote: Hi Jan On 25-08-2015 17:25, Jan Just Keijser wrote:

Re: [Openvpn-users] Backup and recovery

2015-08-19 Thread Joe Patterson
Unless you're doing something very strange, they're just files, they can be copied or moved fairly easily. Note that the only files the openvpn process really needs are its own certificate, its own key, and the CA cert. The easy-rsa CA really only needs access to the CA cert and key (and only

Re: [Openvpn-users] Server listen on a specific IPv4 and IPv6 Address

2015-06-10 Thread Joe Patterson
Another possibility (also kind of klugey, and I haven't personally tried it with ipv4 to ipv6) is to listen on one IP and then NAT from the other IP to the one you're listening on. I use this to listen on multiple (well, actually all) ports, though I still have to use different processes to

Re: [Openvpn-users] DNS from network behind VPN

2015-01-20 Thread Joe Patterson
I'm pretty sure it's not possible to do that from a windows perspective, however the workaround that I've used (that has some advantages of its own) is to run the bind dns server locally on my windows client machine, configured as a resolver for localhost only, and configured with forward zones

[Openvpn-users] dynamically adding iroutes

2014-11-05 Thread Joe Patterson
Looking through the docs, I *think* I know the answer to this question already, but I figured I'd ask here in case I'm wrong... Is there any way to push an iroute to an openvpn server instance at any time other than when a client connects? I would think that if this sort of thing could be done,

Re: [Openvpn-users] reverse routing on mesh topology

2014-08-22 Thread Joe Patterson
Just out of curiosity, if I'm reading this correctly, if you use loose RPF on a box, and also use the openvpn's --redirect-gateway def1 (which sets two /1 routes), that would basically be equivalent to turning off RPF? -Joe On Fri, Aug 22, 2014 at 1:34 PM, Josh Cepek josh.ce...@usa.net wrote:

Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-06 Thread Joe Patterson
I still maintain that it would be much simpler and more useful to put less effort into making a multi-threaded process, and more effort into making it easier for multiple processes to coordinate amongst one another. That gets the advantage of more easily being able to allocate multiple clients

Re: [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-05 Thread Joe Patterson
So maybe what's really needed is less having multi-threading support within a single openvpn process, but more adding some functionality that makes it easier to get to the desired end-state, like extending the ip persistence from a flat file to perhaps a database connection, and have a way to

Re: [Openvpn-users] UDP not blocked, but failing.

2014-08-01 Thread Joe Patterson
Generally speaking, I'd say use a sniffer on the server (assuming that's an option for you) Or, you could run netcat on each side and openvpn on the other side, and see which one is seeing what (it'll fail still, but you should see *something*) Do the server logs show anything when the client

Re: [Openvpn-users] Consolidating client-specific routes into client-specific ccd/* breaks PINGs across VPN

2014-07-24 Thread Joe Patterson
If I'm understanding you correctly, I think I know the problem: route statements cannot go in a ccd (or, more accurately, they don't do anything if they're there), because route statements are injecting routes into the OS routing table, which is only done on start-up (and in the case of running

Re: [Openvpn-users] Consolidating client-specific routes into client-specific ccd/* breaks PINGs across VPN

2014-07-24 Thread Joe Patterson
}'); }; On Thu, Jul 24, 2014 at 12:28 PM, pg0...@fastmail.fm wrote: Hi Joe, On Thu, Jul 24, 2014, at 07:31 AM, Joe Patterson wrote: If I'm understanding you correctly, I think I know the problem: route statements cannot go in a ccd (or, more accurately, they don't do anything if they're

Re: [Openvpn-users] Where are the 2.3.3 sources?

2014-04-10 Thread Joe Patterson
Not so much a confidentiality benefit as an integrity benefit, to make sure you really are getting your software from who you think you're getting it from. -Joe On Thu, Apr 10, 2014 at 6:36 AM, David Sommerseth openvpn.l...@topphemmelig.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash:

Re: [Openvpn-users] Openvpn pushing invalid route that blocks itself

2014-03-17 Thread Joe Patterson
Check the logs on the server for SENT CONTROL [user]: 'PUSH_REPLY,... and see if you're actually pushing that route, or if it's being generated by the client. (I know that info gets logged on my server at verbosity 4) -Joe On Mon, Mar 17, 2014 at 2:23 PM, Billy Crook billycr...@gmail.com wrote:

Re: [Openvpn-users] Openvpn -- unable to generate keys

2014-01-21 Thread Joe Patterson
/usr/share/openvpn/easy-rsa/2.0/vars /usr/share/openvpn/easy-rsa/2.0/whichopensslcnf on 21-01-14 13:08, Joe Patterson wrote: openssl x509 -noout -modulus -in ca.pem then look for a key where the output of: openssl rsa -noout -modulus -in file.key matches. -Joe On Tue, Jan 21
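As an added example for the modulus comparison above (not code from the thread or from easy-rsa), the functions below automate the search across a directory of key files. Besides the RSA-only modulus check from the post, they add a comparison of the full public key via openssl x509 -pubkey and openssl pkey -pubout, which also works for EC keys where there is no modulus to compare; that generalization is mine, not the poster's. Assumes openssl is on PATH; the sample key/cert pairs are constructed throw-aways.

```shell
# Added example, not from the thread: find the private key that belongs to
# a certificate. Assumes openssl on PATH; POSIX sh.

# SHA-256 of the PEM public key carried in a certificate (RSA or EC).
cert_pubkey_fp() {
    openssl x509 -noout -pubkey -in "$1" | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public half of a private key, in the same PEM encoding.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# RSA-only check as in the thread: the Modulus= lines must agree.
# Fails for EC material because neither side yields a modulus.
rsa_modulus_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | grep '^Modulus=')
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | grep '^Modulus=')
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# find_key_for_cert CERT DIR -> prints the matching DIR/*.key, exit 1 if none
find_key_for_cert() {
    want=$(cert_pubkey_fp "$1")
    for k in "$2"/*.key; do
        [ -f "$k" ] || continue
        if [ "$(key_pubkey_fp "$k")" = "$want" ]; then
            printf '%s\n' "$k"
            return 0
        fi
    done
    return 1
}

# Constructed sample: two RSA pairs plus one EC pair; prints the directory.
make_sample_pairs() {
    dir=$(mktemp -d)
    for n in one two; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$n" \
            -keyout "$dir/$n.key" -out "$dir/$n.crt" 2>/dev/null
    done
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 30 -subj /CN=ec -keyout "$dir/ec.key" -out "$dir/ec.crt" 2>/dev/null
    printf '%s\n' "$dir"
}
```

Usage: `find_key_for_cert keys/server.crt keys/` after a messy restore, before handing a cert/key pair to openvpn, which otherwise fails at startup with a key/cert mismatch.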

Re: [Openvpn-users] Openvpn -- unable to generate keys

2014-01-20 Thread Joe Patterson
What exists in /usr/share/openvpn/easy-rsa/2.0/keys? If you did a clean-all, then you will be missing some important files (most especially the ca.key file, but also some others such as the index and serial files) If that's the case, you will most likely need to start over from a new CA. (one

Re: [Openvpn-users] Routing problem

2013-12-30 Thread Joe Patterson
If I'm understanding what you're trying to do, it falls into that lovely category of either trivial or impossible. If 1.2.3.4 is the un-nat'd IP that the client is connecting from, then, as I understand it, it's nearly impossible because if you route packets to the client IP over the tunnel, then

[Openvpn-users] question about connection profiles and failure...

2013-12-19 Thread Joe Patterson
I wanted to check if anyone knows more about what constitutes failure with respect to client connection profiles. According to the man page, if you have a bunch of stanzas of connection/connection, the first one will be tried and, if it fails, the next one will be tried and so on. My question