Re: [Openvpn-users] Defining custom routes for particular users

2021-06-29 Thread Nikolaos Milas
On 27/6/2021 3:26 PM, Joe Patterson wrote: I can confirm from experience that the include mechanism works in ccd files. I've used it extensively. Thank you, Gert and Joe, for your help! By the way, would it be possible to push IPv4 routes using CIDR format, for example can we use: pus

[Openvpn-users] Defining custom routes for particular users

2021-06-26 Thread Nikolaos Milas
Hello, We are using OpenVPN 2.5.2 on CentOS 8. The setup is using split tunnel for all users, without NAT: remote clients are assigned a static IPv4 and a static IPv6 address which are used directly (without NAT) to access all of our organization network. The rest of their traffic is routed t

Re: [Openvpn-users] Remote Client IPv6 address incorrect logging

2021-06-10 Thread Nikolaos Milas
On 10/6/2021 10:00 AM, Jan Just Keijser wrote: try using   ifconfig_pool_remote_ip6 Hi Jan, Thanks for the hint, your suggestion works great! Note: I had not located this parameter in the documentation. In any case, problem solved! Cheers, Nick

[Openvpn-users] Remote Client IPv6 address incorrect logging

2021-06-09 Thread Nikolaos Milas
Hello, We are using a LogTraffic.sh script to log client stats at disconnect: client-disconnect scripts/LogTraffic.sh This script logs (among other things) the assigned IPv4 and IPv6 addresses, configured in a ccd file as follows for a specific user: ifconfig-push 10.201.32.4 255.255.252.0

[Openvpn-users] OpenVPN Setup on a VM with two NICs

2021-02-16 Thread Nikolaos Milas
Hello, I would like to ask for your help for a setup according to the following scenario. We are setting up a cloud-based CentOS 8 VM (on our ISP's network) connected to our router over two different L2VPNs (VLANs) with two respective NICs: 1. The first NIC (NIC1) with a public address wil

Re: [Openvpn-users] Split Tunnel on a per client basis

2016-05-27 Thread Nikolaos Milas
On 23/5/2016 11:15 PM, Selva Nair wrote: > While this should work, leaving all common options in the config file > and the ones that need client-specific override in ccd/DEFAULT may be > easier to maintain than using push-reset and redefining all push > options. Then all clients without a speci

Re: [Openvpn-users] Split Tunnel on a per client basis

2016-05-23 Thread Nikolaos Milas
On 22/5/2016 8:40 PM, Gert Doering wrote: > ... > - call --push-reset, which will remove *everything* from the push list, > and re-build all options except "push redirect-gateway" > ... Thank you Gert for all your advice, I also thank Selva Nair, who replied off-list. You have been very h

[Openvpn-users] Split Tunnel on a per client basis

2016-05-22 Thread Nikolaos Milas
Hello, We are running OpenVPN v2.3.5 using subnet topology. As configured, connected clients are rerouted totally (full tunnel) through the "organizational" network. Can we configure on the server side particular clients to connect in split-tunnel mode and how? Those clients should use their o

Re: [Openvpn-users] Dynamic NAT uses only the last IP Address in range

2015-09-27 Thread Nikolaos Milas
On 26/9/2015 10:34 PM, Gert Doering wrote: > I wonder if just pre-setting all the NAT mappings wouldn't be much > easier? So, you know that your server is handing out 192.168.1.x - so > why not just initialize the SNAT so that every .x address is NATted > to .150+(x mod 6) and done? > > (Now I'm p

Re: [Openvpn-users] Server delays disconnect

2015-09-26 Thread Nikolaos Milas
On 26/9/2015 5:01 PM, ValdikSS wrote: > You can push it from the server. The current codebase allows you to push > almost anything - all pushed options are treated as if they were set on the > client > side; thus, inofficially you can push things like 'explicit-exit-notify' , > even though the

Re: [Openvpn-users] Dynamic NAT uses only the last IP Address in range

2015-09-26 Thread Nikolaos Milas
On 21/9/2015 6:17 PM, Jan Just Keijser wrote: > Personally I'd use a simple file-based counter to figure out which > source IP address to use: I soon found out that we would need a slightly more sophisticated file-based counter (to record which public address is used or released and available

Re: [Openvpn-users] Server delays disconnect

2015-09-26 Thread Nikolaos Milas
On 26/9/2015 3:49 PM, ValdikSS wrote: > Please don't reply outside of maillist. Press "reply list" or "reply all" > instead of usual "reply". Thank you again for your latest advice. I inadvertently deleted the list address instead of your personal one in the recipients list! Sorry for this! I

[Openvpn-users] Server delays disconnect

2015-09-26 Thread Nikolaos Milas
Hello, I am using OpenVPN Server 2.3.5 on CentOS 6.7 x86_64. It works fine, but I am having a problem: When a client disconnects (mostly using OpenVPN GUI on Win Vista and later versions, up to Win 10), the OpenVPN server delays to "understand" the disconnect and consequently delays to run the

Re: [Openvpn-users] Dynamic NAT uses only the last IP Address in range

2015-09-22 Thread Nikolaos Milas
On 22/9/2015 8:22 PM, debbie...@gmail.com wrote: > It is *not* $ifconfig_pool_local_ip > it *is* $ifconfig_pool_remote_ip > > and it is available at --client-connect script execute Ah, yes, I checked again, you are quite right. This is the case. Thank you for this correction! Any and all additiona

Re: [Openvpn-users] Dynamic NAT uses only the last IP Address in range

2015-09-22 Thread Nikolaos Milas
On 21/9/2015 6:17 PM, Jan Just Keijser wrote: > A client-connect script would be a much better option in this case. > Unfortunately, there is no env var that contains the number of > connected clients. Remember that a lost client-connection does not > appear in the status/logs until the client

Re: [Openvpn-users] Dynamic NAT uses only the last IP Address in range

2015-09-21 Thread Nikolaos Milas
On 21/9/2015 2:22 PM, debbie...@gmail.com wrote: > You could use OpenVPN --client-connect script to assign specific > iptables NAT rules on a per client basis: > > Client-connect - client 1: > iptables -t nat -A POSTROUTING -s 10.10.112.101/32 -j SNAT --to-source > 194.xxx.xxx.151 Thank you for

Re: [Openvpn-users] Dynamic NAT uses only the last IP Address in range

2015-09-21 Thread Nikolaos Milas
On 21/9/2015 10:06 AM, Nikolaos Milas wrote: > ... > We have now decided to offer a range of 6 public IP Addresses to > connected hosts, so we have changed the above rule to: > > iptables -t nat -A POSTROUTING -o eth0 -s 10.10.112.0/24 -j SNAT > --to-source 194.xxx.xxx.1

[Openvpn-users] Dynamic NAT uses only the last IP Address in range

2015-09-21 Thread Nikolaos Milas
Hello, I am using OpenVPN 2.3.5 on CentOS 6.7 x86_64. Until today I've been using simple masquerading to NAT a private VPN: iptables -t nat -A POSTROUTING -s 10.10.112.0/24 -o eth0 -j MASQUERADE and it was working fine. We have now decided to offer a range of 6 public IP Addresses to con

Re: [Openvpn-users] Building v2.3.5 for RHEL/CentOS 6

2014-11-19 Thread Nikolaos Milas
On 19/11/2014 2:42 PM, David Sommerseth wrote: > I don't know the consequences of upgrading pkcs11-helper on EL6 and > EL7, as I don't know which other packages may depend on it. # yum --enablerepo=epel localinstall * Loaded plugins: fastestmirror, presto Setting up Local Package Process Examinin

Re: [Openvpn-users] Building v2.3.5 for RHEL/CentOS 6

2014-11-18 Thread Nikolaos Milas
On 18/11/2014 8:08 PM, Samuli Seppänen wrote: > You could add a link to your packages in here: > > Thank you, but I am afraid I don't know how I can add a link there. In any case, my packages are here: http://iweb.noa.g

Re: [Openvpn-users] Building v2.3.5 for RHEL/CentOS 6

2014-11-18 Thread Nikolaos Milas
On 15/11/2014 12:19 AM, Gert Doering wrote: > On the protocol side, about everything is compatible with everything > else - we do our best to introduce new stuff in a way that is always > compatible. So a 2.2.2 client can talk to a git master server just > fine, and vice versa :-) Thank you Gert,

Re: [Openvpn-users] Building v2.3.5 for RHEL/CentOS 6

2014-11-14 Thread Nikolaos Milas
On 13/11/2014 11:41 PM, Gert Doering wrote: > My guess is that the version is too old. Thank you Gert and p50bac, Indeed, I built an RPM for pkcs11-helper v1.11 by adapting: http://pkgs.repoforge.org/pkcs11-helper/pkcs11-helper-1.08-1.rf.src.rpm and using as a source: https://pkgs.fedoraproject.

[Openvpn-users] Building v2.3.5 for RHEL/CentOS 6

2014-11-13 Thread Nikolaos Milas
Hello, I have adapted EPEL src.rpm for OpenVPN v2.3.2 (http://dl.fedoraproject.org/pub/epel/6/SRPMS/openvpn-2.3.2-2.el6.src.rpm) to build v2.3.5 on CentOS 6 x86_64 (fully updated), because, as far as I know, there is no 2.3.5 rpm released by EPEL (or other source) for el6 yet. The problem I ha

Re: [Openvpn-users] Overriding a plugin using ccd

2013-08-28 Thread Nikolaos Milas
On 27/8/2013 11:45 PM, Gert Doering wrote: > Ask the maintainer of the plugin you use...? The auth-ldap plugin isn't > maintained by the openvpn group. Thank you, I guess the easiest way to implement this would be to set up a separate server instance, listening to a different port and providin

Re: [Openvpn-users] Overriding a plugin using ccd

2013-08-27 Thread Nikolaos Milas
On 27/8/2013 3:45 PM, Gert Doering wrote: > If you want that, you need to do that inside the authentication plugin. Thanks Gert, But, how do we do that? Thanks, Nick

[Openvpn-users] Overriding a plugin using ccd

2013-08-27 Thread Nikolaos Milas
Hello, I am using OpenVPN Community openvpn-2.2.2-1.el6.x86_64 on CentOS 6.4 x86_64 using two-factor auth, certs and ldap - by calling the ldap plugin: plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf Is there a way to specify (using a ccd file) that a par