Secure Computing Networks
Page last updated Saturday, 19 May 2012 00:00:02 -18000
Key: Factoid
--: OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double leading dash ("--"), this prefix must be removed when an option is placed in a configuration file.
/30:
#1: Default behaviour assigns a /30 subnet (4 addresses) to each peer. See http://goo.gl/6vemm for background
#2: you can avoid this behavior by reading !topology
#3: by default, the first client is .6, then .10, .14, .18 etc
#4: use openvpn --show-valid-subnets to see the subnets you can use in net30
#5: <+EugeneKay> tl;dr: Windows sucks, use --topology subnet in your server.conf.
2.1-winpass-script: http://article.gmane.org/gmane.network.openvpn.user/24575
AS: please go to #OpenVPN-AS for help with Access Server
EugeneKay: right because EugeneKay is always right.
access-server: OpenVPN Access Server support is in #openvpn-as
activedirectory: http://amigo4life.googlepages.com/openvpn for a guide on how to authenticate against AD
ad: see !activedirectory
all:
#1: please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
#2: For more detailed instructions, look to: !logs !configs !interface
allinfo: Please type !configs !logs and !interface to see all the info we want to be able to help you
android:
#1: CyanogenMod includes an integrated OpenVPN client. You will need a !p12 to load your certificates.
#2: If you can't get CM, get root/busybox/tun and grab android-openvpn-installer + openvpn-settings from Market
#3: if you have ICS, you no longer need root, use the official android package at http://swupdate.openvpn.net/beta-downloads/OpenVPN-RC1.apk You will need an in-line ca
ask:
#1: don't ask to ask, just ask your question please
#2: http://www.latinsud.com/answer/
#3: http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
authpass:
#1: please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
#2: or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
#3: and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
badtime: if !certverify shows you "error 9 at 1 depth lookup:certificate is not yet valid", you need to check the times/dates/years/timezones on the machines, including the CA
basic: if you do not understand basic networking, you probably should not be administering a vpn... you should understand the basics of routing / firewalls first
bcast:
#1: the pptp source tree has bcrelay in it; bcrelay can be used to relay broadcasts over a tun setup
#2: http://www.hanksoft.de/service/46-udpbroadcastforwarder seems to be a windows program for relaying bcast (use google translate if needed)
bestos: the best os for openvpn is the one you are most comfortable with
betaman: http://www.openvpn.net/man-beta.html
blame:
#1: According to Bushmills, it's always krzee's fault
#2: According to krzee, it's always dazo's fault
#3: and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments
blog: Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them.
bonjour: http://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to
book: http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
bot: I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
both: If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
bridge:
#1: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc
#2: http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ
#3: also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
bridge-dhcp: http://openvpn.net/faq.html#bridge-addressing for making clients grab a dhcp ip over the bridge but not overriding the dhcp ip from the local dhcp server
bridge-fw: "ebtables" is: Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 work in linux and how to use ebtables
bridging: Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you
broadcast-relay: software that comes with pptp. use it in tun mode when you need broadcasts and WINS isn't enough.
bsdnat: see !fbsdnat
buffer: when you see "write UDPv4: No buffer space available (code=55)" you probably have a routing loop. the way to fix this is to get a book on basic networking, preferably a coloring book!
bugs: https://community.openvpn.net/openvpn if we tell you that you found a bug. go there, open an account, and file a bug report in trac (your forum login is good for the trac too)
c2c: "client-to-client" is: with this option packets from one client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and, if allowed by the firewall and routed back to the server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other clients
ccd:
#1: entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
#2: the ccd file is parsed each time the client connects.
centos: See !epel5
cert_chains: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains ... JJK actually mentions that scenario in this page
certinfo: run `openssl x509 -in <file> -noout -text` for info from your cert file
certs:
#1: use !easy-rsa-unix for easy-rsa
#2: use !ssl-admin for ecrist's copy of ssl-admin to make and manage your certs
certverify:
#1: verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
#2: also make sure you use the same ca.crt on both sides by checking their md5
change-log:
#1: see http://openvpn.net/index.php/open-source/documentation/change-log/70-20-change-log.html for the 2.0 change log
#2: see http://openvpn.net/index.php/open-source/documentation/change-log/71-21-change-log.html for the 2.1 change log
#3: see http://openvpn.net/index.php/open-source/documentation/change-log/425-changelog-for-openvpn-22.html for the 2.2 change log
change-passphrase: see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
changelog:
#1: http://www.openvpn.net/changelog.html to see the openvpn changelog
#2: For the OpenVPN 2.2 changelog, see http://www.openvpn.net/index.php/open-source/documentation/change-log/425-changelog-for-openvpn-22.html
cidr: http://www.oav.net/mirrors/cidr.html
cisco:
#1: An open-source client for Cisco SSL VPN is available from http://www.infradead.org/openconnect.html
#2: OpenConnect is available in FreeBSD ports in security/openconnect
client-connect: --client-connect <script> runs the script on client connection. This can be useful for generating firewall rules dynamically, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamically... to use it that way, you should write your dynamic ccd commands to the file named by $1.
client-to-client: with this option packets from one client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and, if allowed by the firewall and routed back to the server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other clients
clientlan:
#1: for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn)
#2: see !route for a better explanation
comment: you can use ; or # to make comments in the config file
comp: if you see "Bad LZO decompression header" you have a mismatch in your comp-lzo settings. You need to be sure you have the same setting in all configs for comp-lzo, or that you don't have it in any configs.
confgen:
#1: http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
#2: you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
#3: you must run this in bash
configs:
#1: please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.
#2: don't forget to include any ccd entries
control: http://secure-computing.net/files/control.jpg
crl:
#1: --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but the overall PKI is still intact. The only time it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
#2: you can make use of a CRL by using the revoke-full script in easy-rsa (packaged with openvpn), which will create the CRL file for you. ssl-admin will also build a crl for you
current:
#1: Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance.
#2: The current version of OpenVPN can be downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/
dazo: "eurephia" is: http://www.eurephia.net/
debian: Although we are aware the Debian stable package repository has OpenVPN 2.1rc11, to offer support we require users to run the current version of OpenVPN. See !download for information on where/how to obtain a recent release.
def1:
#1: used in redirect-gateway. Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
#2: please see --redirect-gateway in the man page (!man) to fully understand
#3: push "redirect-gateway def1"
dev: https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for the devel mail list
dh: build-dh from easy-rsa (and the dh option in ssl-admin) creates a file containing a prime number of the bit size you defined (1024 by default), which is used in the Diffie-Hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
dhcp: redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
diagram: You can use a site such as http://gliffy.com to create a network diagram, as well as programs such as Visio, Dia, or OmniGraffle
dlink_static_route: http://lizzi555.dyndns.org/655/StaticRoute.html for the workaround for issues adding a static route into a d-link router with A3 firmware
dns:
#1: Level3 open recursive DNS server at 4.2.2.[1-6]
#2: Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
#3: you might be looking for !pushdns
donate:
#1: send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel.
#2: Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
#3: http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
download:
#1: http://openvpn.net/index.php/download/community-downloads.html to download openvpn
#2: OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
#3: Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html
dupe:
#1: see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended)
#2: instead, use !pki to make a cert for each user
duplicate: the option duplicate-cn is for allowing the same cert to log in more than once. It should not be used in most situations, the main exceptions being if you also use !authpass or if just testing
dynamicfirewall: to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
easy-rsa-unix: http://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd; only the dir changes for linux
ebtables: Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 work in linux and how to use ebtables
enable-passwd-save: --enable-passwd-save is enabled on windows builds starting with 2.2 preview 8 and will be the default going forward from the 2.2 release
encryption: Why symmetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
enter: The enter key is not a punctuation mark.
epel5: Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F
eurephia: http://www.eurephia.net/
external_routes: see !route_outside_openvpn
factoids: A semi-regularly updated dump of the factoids database is available at http://www.secure-computing.net/factoids.php
faq:
#1: http://openvpn.net/index.php/documentation/faq.html
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
fbsdbridge: http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd
fbsdipforward: set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
fbsdjail: <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhidden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
fbsdnat: nat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF)
firestarter: if you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help
firewall:
#1: please see http://openvpn.net/man#lbBD for more info
#2: see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
forum:
#1: The official OpenVPN support forum is available at http://forums.openvpn.net
#2: Our official forum can be found at http://forums.openvpn.net
forwardsecurity:
#1: in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic and then gets your key, they can only decrypt the traffic within the timeframe since the last renegotiation
#2: in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
fragment: http://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting the FRAG_IN error
freebsd: http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
freebsdnat: see !fbsdnat
gentoo:
#1: http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
#2: Gentoo will update /etc/resolv.conf automatically if started via /etc/init.d/openvpn. To disable this, set PEER_DNS="no" in /etc/conf.d/openvpn
gigabit: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
git:
#1: For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git
#2: For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git
#3: Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi
#4: See !git-doc for how to use git
git-doc:
#1: For good git documentation, see http://progit.org/book/
#2: For a very quick git crash course, see https://community.openvpn.net/openvpn/wiki/GitCrashCourse
goal: Please clearly state your goal for your vpn. For example: I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
gvpe: http://software.schmorp.de/pkg/gvpe.html <Bushmills> Unlike other "virtual private network" solutions which merely create a single tunnel, GVPE creates a real network with multiple endpoints. free, opensource, for nixes, meant for those looking for a vpn with direct peer connections. those who'd be sent to hamachi otherwise.
help: My owner did not give me a help command
hmac:
#1: The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS.
#2: openvpn --genkey --secret ta.key to make the tls static key; in the configs use tls-auth ta.key #, where # is 1 for the client or 0 for the server
howsecurityworks: security can be obtained by: something you have (certificates, usb tokens), something you know (passwords), something you are (biometrics). for best security use more than 1. if you save passwords to a file (!pwfile), you change them from something you know to something you have, which destroys the point of using passwords
howto:
#1: OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!
#2: http://www.secure-computing.net/openvpn/howto.php for a mirror
ifconfig: usage: ifconfig l rn. Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
insanity: doing the same thing over and over expecting different results
interface:
#1: paste the interface configuration from both client and server, while disconnected and while connected. Be sure to also add the routing tables for both situations from client and from server
#2: in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
ipad: see !iphone
ipforward: please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
iphone:
#1: http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
#2: http://modmyi.com/cydia/package.php?id=15784 for the gui portion
#3: http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone
#4: see http://www.guizmovpn.com/ for an iOS client for OpenVPN for iPhone and iPad.
iporder:
#1: OpenVPN's internal client IP address selection algorithm works as follows: 1. Use the --client-connect script-generated file for static IP (first choice).
#2: Use the --client-config-dir file for static IP (next choice); see !static for more info
#3: Use --ifconfig-pool allocation for dynamic IP (last choice)
#4: if you use --ifconfig-pool-persist see !ipp
ipp:
#1: the option --ifconfig-pool-persist ipp.txt does NOT create static ips
#2: Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
iptables:
#1: to test if iptables is your problem, disable all rules or set the default policies to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z
#2: please see http://openvpn.net/man#lbBD for more info
#3: you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables
#4: This is just the basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You can try #iptables
ipv6:
#1: http://www.greenie.net/ipv6/openvpn.html for info about the ipv6 patch (adds nice ipv6 options to openvpn)
#2: use 2.3 or see !snapshots for a release with the ipv6 patches in it
irc: http://www.irchelp.org/irchelp/irctutorial.html
irclogs: Channel logs are available at http://secure-computing.net/logs/#openvpn.log and http://secure-computing.net/logs/#openvpn-devel.log and are updated every three hours.
ircstats:
#1: See http://secure-computing.net/logs/openvpn.html for all-time IRC stats.
#2: See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
iroute: does not bypass or alter the kernel's routing table; it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
keepalive:
#1: see --keepalive in the manual for how to make clients retry connecting if they get disconnected.
#2: basically it is a wrapper for managing --ping and --ping-restart in server/client mode
#3: if you use this, don't use --tls-exit and also avoid --single-session and --inactive
keys: http://openvpn.net/howto#pki
kiss: Keep It Simple Stupid
krzee: krzee says happy 4/20
lans: https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
layer2:
#1: you are using tap; what specific layer2 protocol do you need to work over the vpn?
#2: Bridging looks like a good choice to people who don't know how to set up IP routing, but learning routing is generally far better
#3: protocols that use layer2 communicate by MAC address, not IP address
ldap_iptables: see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
linfw: "iptables" is:
#1: to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT, $IPTABLES -P OUTPUT ACCEPT, $IPTABLES -P FORWARD ACCEPT
#2: then run iptables -F, iptables -Z after being SURE policies are set to accept
#3: please see http://openvpn.net/man#lbBD for more info
linipforward:
#1: echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for a perm solution
#2: chmod +x /etc/rc.d/rc.ip_forward for a perm solution in slackware
#3: you also must allow forwarding in your forward chain in iptables: iptables -I FORWARD -i tun+ -j ACCEPT
linnat:
#1: for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#2: to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>
#3: http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
#4: openvz: see !openvzlinnat
linportforward:
#1: to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the client's VPN ip)
#2: iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>
#3: iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
lintrafaccnt: http://www.catonmat.net/blog/traffic-accounting-with-iptables/ for a walkthrough on using iptables for traffic accounting
listen-ipv6: use --proto tcp6 or --proto udp6 ... and it *must* be the development version (!snapshots) ... 2.2.x and earlier don't support this
local: a flag for --redirect-gateway. Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
log:
#1: openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile
#2: verb 3 is good for everyday usage, verb 5 for debugging
logfile:
#1: openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile
#2: verb 3 is good for everyday usage, verb 5 for debugging
#3: see --daemon, --log and --verb in the manual (!man) for more info
logs:
#1: please pastebin your logfiles from both client and server with verb set to 5
#2: In the Windows client (OpenVPN-GUI) right-click the status icon and pick View Log
#3: In the OS X client (Tunnelblick) right-click it and select Copy log text to clipboard
#4: if you don't know how to find your logs, see !logfile
mac: Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
mactuntap: http://tuntaposx.sourceforge.net/ for OS X tuntap drivers
mail:
#1: http://sourceforge.net/mail/?group_id=48978
#2: http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
man:
#1: http://openvpn.net/man for the 2.0 manual
#2: http://openvpn.net/man-beta.html for the 2.1 manual
#3: http://openvpn.net/index.php/open-source/documentation/manuals/427-openvpn-22.html for the 2.2 manual
#4: the man pages are your friend!
management:
#1: see http://openvpn.net/management for the doc on the management interface
#2: read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
mbuf: see http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you have ruled out a routing loop as the cause of the error "MULTI: packet dropped due to output saturation (multi_add_mbuf)"
meetings: OpenVPN developers meetings are usually held on Thursdays @ 18:00 UTC. Ask mattock or dazo for the latest info. Meeting agendas and minutes are here: https://community.openvpn.net/openvpn/wiki/IrcMeetings
menu:
#1: please use '!factoids search *'
#2: you can leave it a * to see all, or replace it with a word to search for
#3: or type !factoids to see a complete list
mesh:
#1: openvpn does not do mesh networking
#2: see !rip
#3: check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
mgmt:
#1: http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
#2: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
mirror:
#1: http://openvpn.scarydevilmonastery.net for a mirror of the docs
#2: http://www.secure-computing.net/openvpn/ for another
mitm:
#1: http://openvpn.net/index.php/documentation/howto.html#mitm to learn about stopping Man-in-the-Middle attacks by signing the server cert specially
#2: use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
#3: then use: ns-cert-type server in the client config
msg:
#1: to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key>
#2: so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs
mtu:
#1: see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
#2: mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
mtu-test: you can just use --mtu-test on the client to see what the best mtu for your connection is
multi_process_incoming_tun: http://blog.tuinslak.org/2010/03/openvpn-packet-drops/
multiple_ca: see !cert_chains
nagioshttp://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/ for info on hooking openvpn into nagios
nat#1: http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
#3: dont forget to turn on ip forwarding
#4: please choose between !linnat !winnat and !fbsdnat for specific howto
nathacksee https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
net101http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example
net30"/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
netmanif you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list
new_win_guihttp://sourceforge.net/projects/openvpn-gui/ is the upstream project for the new windows gui
no_as#1: go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server)
#2: not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
nobind: Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
nocert: #1: to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required
#2: to know more, read about those config options in the manual (!man)
noenc: #1: if you're going to disable encryption, you might as well build a GRE tunnel
#2: but you would use cipher none
nom: http://secure-computing.net/files/om_nom_nom.jpg
nopaste: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) e.g.: www.pastebin.ca
noroot: See !unpriv for a writeup by EugeneKay
notcompat: #1: IPSEC and PPTP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use proprietary protocols and therefore cannot be compatible.
#2: OpenVPN only connects to OpenVPN
notopenvpn: your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
notovpn: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
nsupdate: http://scarydevilmonastery.net/client_connect_nsupdate for a script Bushmills wrote to answer the question "How can my vpn update my nameserver?"
obsdtap: http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways)
openbsdnat: #1: pass out on $ext_if from 10.8.0.0/24 to any nat-to servers.public.ip && pass in quick proto tcp from any to port 1194 keep state label openvpn && pass quick on $vpn_if keep state
#2: see !fbsdnat
openvz: #1: http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz-specific stuff with regards to openvpn
#2: It is usually less painful to switch to a host with better virtualization technology, eg Xen.
openvzlinnat: since openvz can't do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <container.ip>
openvznat: #1: a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP>
#2: someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
osx: #1: Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/
#2: Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
osxboot: http://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes for how to run commands on boot in OS X; you can change a single line in the StaticRoutes file to make it start OpenVPN
osxipforward: #1: sysctl -w net.inet.ip.forwarding=1 for a temp solution
#2: add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
otherprojects: https://community.openvpn.net/openvpn/wiki/RelatedProjects for links to other projects
p12: openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
password-only: http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
paste: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) e.g.: www.pastebin.ca
pastebin: please paste anything with more than 5 lines into pastebin or a similar website
path: #1: use full paths in your config!
#2: if you use windows, see !winpath
pfnat: nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
pfsense: don't use the web gui for configuring openvpn, you need to understand the config and logfiles
pki: #1: http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
#2: Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other's cert was signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert)
policy: #1: http://openvpn.net/howto.html#policy for configuring client-specific rules and access policies
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
port-share: When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not implemented on Windows.
pptp: #1: PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't make it any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about why not to use pptp
#2: Why not to use pptp: http://en.wikipedia.org/wiki/Pptp#Security_of_the_PPTP_protocol
privledges: just choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup, and if it is the server add: persist-key and persist-tun
psychic: We're not psychic -- please !paste your !configs and !logs and a description of the issue
push: usage: push <command>, goes in the server config and makes the command act as if it were in the client config; can be used in ccd entries
push-reset: Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
pushdns: #1: push "dhcp-option DNS a.b.c.d" to push dns to the client
#2: http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
#3: http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
#4: in unix you'll use the update-resolv-conf script
#5: also http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
pwfile: #1: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
#2: see --auth-user-pass in the manual (!man) for more info
#3: if you're using this with the windows service, you will need --askpass
qnx: http://ovpnforum.com/viewtopic.php?f=4&t=2449 for the qnx6 port of openvpn
quietopenssl: #1: see http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html and read 'man req' to see how to make openssl not prompt you
#2: also see !ssl-admin for a sweet tool for managing your certs
read: <krzee> I've been known to overreact when people look for 2 minutes and ask me to explain it to them
redirect: #1: to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
#2: you may need to use a different dns server when redirecting gateway, see !dns or !pushdns
redirect_ips: #1: https://forums.openvpn.net/topic8559.html for more info on giving users their own internet routable IPs
#2: it is also possible to directly hand out the ips from --server; jjk explains how to do this in his book (!book), which krzee highly recommends reading
release-notes: http://openvpn.net/index.php/open-source/documentation/release-notes.html
remap: By default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_').
rhel: see !epel5
rip: http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
roadmap: https://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
route: #1: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it, DON'T SKIM IT
#2: READ IT, DON'T SKIM IT
#3: See !tcpip for more info about a more basic networking guide
route_outside_openvpn: #1: If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route
#2: Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_outside_ovpn: "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_override: #1: https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet
#2: to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn, see !splitroute
routebyapp: if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd), then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
router: if you are using one of those hacked-up linksys linux routers, and you are not logging... don't expect help until you turn on logging so you can post the logs
rules: http://secure-computing.net/openvpn/openvpn.php for channel guidelines.
samba: #1: http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge
#2: http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
samesubnet: clients cannot connect to a server pushing its lan if they are on the same subnet. you can only reach your subnet on layer 2 or through your gateway; when you create a route for it you will try to reach your gateway over the vpn, which dies because you can't reach your gateway
sample: #1: http://www.ircpimps.org/openvpn.configs for a working sample config
#2: DO NOT use these configs until you understand the commands in them; read up on each first-column option of the configs in the manpage (see !man)
#3: these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
say: NO! you're not the boss of me!
scale: #1: OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process.
#2: Also remember that it is single-threaded, so your throughput will be limited by the speed at which your CPU can do the crypto.
#3: Both of these issues can be handled by running multiple server instances (on several IPs or ports) and having clients round-robin between them
scared: http://www.youtube.com/watch?v=P_WI0VI7aIw
script: see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
secret: funny that people use free programs, consult free help for them, run a business with them, but are restricted from saying what they do.
secure: #1: http://openvpn.net/howto.html#security for hardening
#2: http://openvpn.net/index.php/documentation/security-overview.html for security overview
security: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
servercert: #1: openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key
#2: or just use build-key-server in easy-rsa
#3: this will help with !mitm
serverlan: #1: for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn)
#2: see !route for a better explanation
shorewall: http://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls.
shotgun: #1: the most effective form of physical security
#2: <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
slowesxi: <pyther> seems as if there is some type of bug with the vmxnet3 network module, so I just switched to the e1000 module, the vpn box is a virtual machine on vmware esxi. http://nwsmith.blogspot.com/2010/07/patching-vmxnet-to-disable-lro.html <pyther> something about disabling LRO
snapshots: #1: weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
#2: by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
sockd: if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because it's expected to run inside openvpn
solaris: http://www.whiteboard.ne.jp/~admin2/tuntap/ for the solaris tuntap driver, good luck... I've heard mixed reviews. let us know how it works for you
someclient2client: "policy" is (#1) http://openvpn.net/howto.html#policy for configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
splitdns: see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
splitroute: #1: https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet
#2: see !route_override for how to override --redirect-gateway for a certain subnet
spoonfeeding: http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
ssl-admin: #1: if you use freebsd, it is in ports
#2: svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
#3: A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
ssl-admin 1: http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
static: #1: use --ifconfig-push in a ccd entry for a static ip for the vpn client
#2: example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 ; example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0
#3: also see !ccd and !iporder
static-key: when you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default
static_key_details: http://svn.openvpn.net/projects/openvpn/web/trunk/faq-static-key-explanation.txt for an explanation of how static key files are used
statickey: #1: you can use static keys by using --secret </path/to/key>
#2: static keys only work for ptp links, not client/server. They also do not provide forward secrecy. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time.
#3: see !forwardsecurity for more info
strip-passphrase: see http://blog.lib.umn.edu/silvi003/codenotes/2008/08/how_to_strip_a_passphrase_from.html to learn how to strip a passphrase from a key file
subnet: http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
subscription: https://www.tunnelr.com has a slick interface and costs $7/mo, or https://www.openvpn.net/index.php/ for the pay software from openvpn technologies
sudowin: http://sourceforge.net/projects/sudowin/
supybot: http://supybook.fealdia.org/devel/#_adding_a_new_user
suse: You EITHER! (see !ubuntu)
sweet: http://sweet.nodns4.us/ =(
tap: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses.
tcp: #1: Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html "Why TCP Over TCP Is A Bad Idea."
#2: http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
#3: if you must use tcp, you likely want --tcp-nodelay
tcp_nodelay: <EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
tcpip: http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
testing: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
timeout: if you see "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" then your problem is likely one of the following: the server isn't running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
tls-auth: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static key; in configs: tls-auth ta.key 0 on the server and tls-auth ta.key 1 on the client
tls-cipher: http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
tools: https://www.secure-computing.net/ip.php
topic: see /topic instead.
topology: #1: it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet. This will end up being default in later versions.
#2: Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets.
#3: See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
topsecret: if your setup is so top secret that you can't post your configs or logs, please leave now and go find support you trust.
trac: #1: see https://community.openvpn.net for development information and bug tracker.
#2: if you have a forum login, use that for trac, it's the same database.
tunnelblick: http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
tunortap: #1: you ONLY want tap if you need to pass layer 2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead.
#2: and if your reason for wanting tap is windows shares, see !wins
#3: also remember that if someone gets access to any side of a tap vpn they can use layer 2 attacks like arp poisoning against you over the vpn
#4: lan gaming? use tap!
ubuntu: don't use network manager!
unpriv: see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
verb: #1: verb command is for setting log verbosity, see --verb in the manual (!man) for more info
#2: verb 5 is good for debugging, verb 3 is good for normal usage
vista: 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using a windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
vpn: http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
walkthrough: if you are using some walkthrough and now you are here because you have problems and don't understand your setup, type !howto and !man and try to actually learn what you're doing. most of those docs about openvpn from google SUCK.
webgui: #1: http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback
#2: http://sourceforge.net/projects/openvpn-status/ also please let us know if you use that
welcome: Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
why: Because fuck you, that's why.
wiki: #1: http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki
#2: https://community.openvpn.net/openvpn/wiki for the Official wiki
will: Where there's a will, there's /away
win-dns: From cmd.exe: if ipconfig /all shows the proper DNS server address assigned to the tap device... Please choose !win-dns-xp or !win-dns-vista-7
win-dns-vista-7: click start -> control panel -> network and sharing center -> change adapter settings -> <ALT> -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list
win-dns-xp: click start -> control panel -> network connections -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list.
win2k8: Server 2008 assigns the OpenVPN TAP Adapter v9 as an Unidentified network, which the default Local Security Policy of Server 2008 treats as a Public Interface with restricted access. To fix it: Go into Control Panel / Administrative Tools / Local Security Policy / Network List Manager Policies / Unidentified Networks. Set Location Type to Private.
win7: http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/8a3e9b05-353b-4250-a023-066a085e9657 for a workaround to the windows 7 unidentified network issue you get when using redirect-gateway
win_build: https://community.openvpn.net/openvpn/wiki/BuildingOnWindows for mattock's doc on building openvpn on windows
win_ipfail: if the adapter fails to set the IP properly, check that the DHCP Client service and tap-win32 are enabled.
win_noadmin: #1: http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
#2: and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
win_rollup: please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
win_tcplimit: see http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients
windows: #1: computers are like air conditioners, they work well until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
windows_mobile: http://ovpnppc.ziggurat29.com/ovpnppc-files.htm for windows mobile builds of openvpn
windows_problems: #1: PCs are like air conditioners - they work fine until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
winipforward: http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
winnat: #1: http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
#2: http://www.nanodocumet.com/?p=14 for windows XP
winpass: OpenVPN GUI for windows has a change password feature that will change the passphrase on your .key files
winpath: #1: Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
#2: also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
winroute: #1: in windows if the route cannot be added, try route-method exe in your config file
#2: many users also report it helps to add route-delay to give the interface extra time to get up
#3: you may need to turn off routing and remote access in administrative tools - routing and remote access
#4: make sure you are running openvpn as admin
#5: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html you might also want to see that and use trial and error with those solutions
wins: http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
winscript: a user reported that his --up script was not executed by the windows gui. his config was bps.ovpn; he renamed the script to bps_up.bat and put it in the dir with his config... then it worked!
winshortcut: To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe" --config_dir "C:\path\to\config" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
winsudo: "sudowin" is http://sourceforge.net/projects/sudowin/
wintaphide: #1: in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}, then look through each sub-key for one with DriverDesc = TAP-Win32Adapter V8. Set Characteristics = 0x89
#2: To show it again, set it to 0x81
wireless: #1: if you are getting replay errors while on wireless, see --mute-replay-warnings in the manual (!man)
#2: if you are securing your wireless using openvpn, see !local
wisdom: We can only provide you with the information. We are not, unfortunately, able to make you understand it.
wishlist: https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
xy: http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
42: the answer to life, the universe, and everything.
101: This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, and Routing
1918: #1: RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
#2: see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
#3: Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
© Copyright 1997-2012 Secure Computing Networks & Eric F Crist