| Key | Factoid |
|---|---|
| -- | OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file. |
| /30 | #1: Default behaviour assigns a /30 subnet (4 addresses) to each peer. See http://goo.gl/6vemm for background #2: you can avoid this behaviour by reading !topology #3: by default, the first client is .6, then .10, .14, .18, etc. #4: use openvpn --show-valid-subnets to see the subnets you can use in net30 #5: tl;dr Windows sucks, use --topology subnet in your server.conf |
| 2.1-winpass-script | http://article.gmane.org/gmane.network.openvpn.user/24575 |
| AS | please go to #OpenVPN-AS for help with Access-Server |
| EugeneKay | right because EugeneKay is always right. |
| access-server | OpenVPN Access Server support is in #openvpn-as |
| accounting | http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting |
| activedirectory | http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD |
| ad | see !activedirectory |
| all | #1: please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles #2: For more detailed instructions, look to: !logs !configs !interface |
| allinfo | Please type !configs !logs and !interface to see all the info we want to be able to help you |
| android | #1: an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ #2: If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market |
| asbestos | as best os: freebsd sukka! (according to krzee) |
| ask | don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc |
| authpass | #1: please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs #2: or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required #3: and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name |
| badtime | if !certverify shows you "error 9 at 1 depth lookup: certificate is not yet valid", check the times/dates/years/timezones on the machines involved, including the CA |
| basic | if you do not understand basic networking, you probably should not be administering a vpn... you should understand the basics of routing / firewalls first |
| bcast | #1: pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup #2: http://www.hanksoft.de/service/46-udpbroadcastforwarder seems to be a windows program for relaying bcast (use google translate if needed) |
| beer | what's for dinner (and occasionally breakfast) |
| bestos | the best os for openvpn is the one you are most comfortable with |
| blame | #1: According to Bushmills, it's always krzee's fault #2: According to krzee, it's always dazo's fault #3: and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments #4: cron2 says its always d12fk's fault (and sometimes the customers) |
| blog | Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them. |
| bonjour | http://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to |
| book | http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! |
| bot | I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P |
| both | If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead. |
| botsnack | Om nom nom! |
| bridge | #1: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc #2: http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ #3: also see !tunortap and !layer2 and read --server-bridge in the manual (!man) #4: also see !whybridge |
| bridge-dhcp | http://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server |
| bridge-fw | see !ebtables: Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 work in linux and how to use ebtables |
| bridging | #1: Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you #2: See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting |
| broadcast-relay | bcrelay, a program that ships with pptpd (see !bcast). Use it in tun mode when you need broadcasts and WINS isn't enough. |
| bsdnat | see !fbsdnat |
| buffer | when you see write UDPv4: No buffer space available (code=55) you probably have a routing loop. the way to fix this is to get a book on basic networking, preferably a coloring book! |
| bugs | https://community.openvpn.net/openvpn if we tell you that you found a bug. go there, open an account, and file a bug report in trac (your forum login is good for the trac too) |
| c2c | see !client-to-client: with this option packets from one client to another are routed inside the server process. Without it packets leave the server process, hit the kernel (firewall, routing table) and, if allowed by the firewall and routed back to the server process, go to the other client. Use this option only when you do not want selective firewall rules on what clients can reach behind other clients |
| ccd | #1: entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name #2: the ccd file is parsed each time the client connects. |
| centos | See !epel5 |
| cert_chains | https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains ... JJK actually mentions that scenario in this page |
| certfight | when you use 2 clients with the same certificate (and not using !dupe) your vpn will not work. your second client will knock off your first client, then your first will knock off the second (if you have !keepalive) and they will simply fight back and forth disconnecting over and over until a voice says FINISH HIM |
| certinfo | run `openssl x509 -in <file> -noout -text` for info from your cert file |
| certpw | see !change-passphrase: http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase |
| certs | #1: use !easy-rsa-unix for easy-rsa #2: use !ssl-admin for ecrist's copy of ssl-admin to make and manage your certs |
| certverify | #1: verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt #2: also make sure you use the same ca.crt on both sides by comparing its hash on each end, e.g. `sha256sum ca.crt` (md5sum also spots a mismatch between your own files, but prefer sha256) |
| change-passphrase | see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase |
| changelog | See http://openvpn.net/index.php/open-source/documentation/change-log.html for the openvpn change logs |
| cidr | http://www.oav.net/mirrors/cidr.html |
| cisco | #1: An open-source client for Cisco SSL VPN is available from http://www.infradead.org/openconnect.html #2: OpenConnect is availabe in FreeBSD ports in security/openconnect |
| client-connect | --client-connect <script> runs a script when a client connects. This can be useful for generating firewall rules dynamically, or for assigning static IPs. It can do anything a ccd entry (see !ccd) can do, but dynamically: write your ccd-style options to the file named by $1. A non-zero exit status from the script rejects the client. |
| client-to-client | with this option packets from one client to another are routed inside the server process. Without it packets leave the server process, hit the kernel (firewall, routing table) and, if allowed by the firewall and routed back to the server process, go to the other client. Use this option only when you do not want selective firewall rules on what clients can reach behind other clients |
| clientlan | #1: for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) #2: see !route for a better explanation #3: Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png |
| comment | you can use ; or # to make comments in the config file |
| comp | if you see "Bad LZO decompression header" you have a mismatch in your comp-lzo settings. You need to be sure you have the same setting in all configs for comp-lzo, or that you don't have it in any configs. |
| confgen | #1: http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator #2: you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/ #3: you must run this in bash |
| configs | #1: please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. #2: dont forget to include any ccd entries #3: on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config |
| crl | #1: --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. #2: you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you #3: openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem |
| current | #1: Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance. #2: The current version of OpenVPN can be downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/ |
| daz | http://www.eurephia.net/ for eurephia, an auth plugin supporting dynamic firewall updates |
| dazo | The project name krzee always forgets .... eurephia ... http://www.eurephia.net/ |
| debate | http://www.irreligion.org/wp-content/uploads/2011/02/Debate-Flow-Chart1.jpg |
| debian | Although we are aware the Debian stable package repository has OpenVPN 2.1rc11, to offer support, we require users to run the current version of OpenVPN. See !download for information on where/how to obtain a recent release. |
| def1 | #1: used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. #2: please see --redirect-gateway in the man page ( !man ) to fully understand #3: push "redirect-gateway def1" |
| dev | https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list |
| dh | build-dh from easy-rsa (or the dh option in ssl-admin) creates a file of Diffie-Hellman parameters: a prime of the size in bits you defined (1024 by default in old easy-rsa; use 2048 or larger today) plus a generator, used in the Diffie-Hellman algorithm to negotiate a secure connection over an insecure channel. Only the server needs it, and it is not secret. Just one of the layers of encryption available to you in your VPN |
| dhcp | redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1 |
| diagram | You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle |
| dlink_static_route | http://lizzi555.dyndns.org/655/StaticRoute.html for the workaround for issues adding static route into d-link router with A3 firmware |
| dmz | Low end SOHO routers sometimes have a DMZ feature. This does NOT magically give your internal host a public IP, but is a form of fallthrough NAT. Such features may or may not operate as expected depending on the device; consult its documentation, not here, for details. |
| dns | #1: Level3 open recursive DNS server at 4.2.2.[1-6] #2: Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 #3: you might be looking for !pushdns |
| donate | #1: send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel. #2: Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc. #3: http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors |
| download | #1: http://openvpn.net/index.php/download/community-downloads.html to download openvpn #2: OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore #3: Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html #4: in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs |
| dropje | #1: Always listen to dropje #2: well, dazo might not agree to the 'always' part always ... but ..... |
| dupe | #1: see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) #2: instead, use !pki to make a cert for each user |
| duplicate | the option duplicate-cn is for allowing the same cert to login more than once. It should not be used in most situations, with main exceptions being if you also use !authpass or if just testing |
| dynamicfirewall | to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man) |
| easy-rsa | #1: easy-rsa is a certificate generation utility. #2: Download here: https://github.com/OpenVPN/easy-rsa/downloads |
| easy-rsa-unix | http://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux |
| easyrsa | see !easy-rsa: #1: easy-rsa is a certificate generation utility. #2: Download here: https://github.com/OpenVPN/easy-rsa/downloads #3: or get it from github at https://github.com/OpenVPN/easy-rsa |
| ebtables | Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables |
| ecrist | http://www.youtube.com/watch?v=0Veqz8W98iA |
| effort | If you are not willing to put the effort into gathering information and trying to figure out your problem we are not willing to help you with it |
| enable-passwd-save | --enable-passwd-save is enabled on windows builds starting with 2.2 preview 8 and will be default going forward from 2.2 release |
| encryption | Why symmetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf |
| enter | The enter key is not a punctuation mark. |
| epel5 | Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F |
| eurephia | http://www.eurephia.net/ |
| external_routes | see !route_outside_openvpn |
| factoids | A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php |
| fail2ban | in linux you can replace fail2ban, without the background process, with an iptables hashlimit rule such as: iptables -A INPUT -p tcp --dport 22 --syn -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT ... match only new connections (--syn, or conntrack state NEW) so established sessions don't use up the budget, and follow it with a rule that DROPs the rest of port 22, otherwise packets over the limit just fall through to the next rule or the chain policy |
| faq | #1: http://openvpn.net/index.php/documentation/faq.html #2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ |
| fbsdbridge | http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd |
| fbsdipforward | set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd |
| fbsdjail | <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhidden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas |
| fbsdnat | nat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF) |
| festivus | for the rest of us |
| firestarter | if you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help |
| firewall | #1: please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info #2: see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. |
| forum | #1: The official OpenVPN support forum is available at http://forums.openvpn.net #2: you can join #OpenVPN-Forum to see the forum-feed announcements if you want to. |
| forwardsecurity | #1: in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation #2: in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured |
| fragment | http://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting FRAG_IN error |
| freebsd | http://www.secure-computing.net/wiki/index.php/OpenVPN_Server |
| freebsdnat | see !fbsdnat |
| friday | It's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully. |
| gentoo | #1: http://gentoo.linuxhowtos.org/openvpn/openvpn.htm #2: Gentoo will update /etc/resolv.conf automatically if started via /etc/init.d/openvpn. To disable this, set PEER_DNS="no" in /etc/conf.d/openvpn |
| gigabit | https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit |
| git | #1: For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git #2: For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git #3: Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi #4: See !git-doc how to use git |
| git-doc | #1: For a good git documentation, see http://progit.org/book/ #2: For a very quick git crash course, see https://community.openvpn.net/openvpn/wiki/GitCrashCourse |
| goal | Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc |
| googleauth | http://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/ |
| gvpe | http://software.schmorp.de/pkg/gvpe.html <Bushmills> Unlike other "virtual private network" solutions which merely create a single tunnel, GVPE creates a real network with multiple endpoints. free, opensource, for nixes, meant for those looking for a vpn with direct peer connections. those who'd be sent to hamachi otherwise. |
| help | My owner did not give me a help command |
| hmac | #1: The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. #2: openvpn --genkey --secret ta.key to make the tls-auth static key; then in the configs: tls-auth ta.key 0 on the server and tls-auth ta.key 1 on the client (the same ta.key on both sides) |
| hotpotato | if you have 2 uplinks and the traffic comes in one and out the other you have hot potato routing. read this: http://www.rjsystems.nl/en/2100-adv-routing.php |
| howsecurityworks | security can be obtained by: something you have (certificates, usb tokens), something you know (passwords), something you are (biometrics). for best security use more than 1. if you save passwords to a file (!pwfile), you change them from something you know to something you have, which destroys the point of using passwords |
| howto | #1: OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! #2: http://www.secure-computing.net/openvpn/howto.php for a mirror |
| ifconfig | usage: ifconfig l rn. Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to. |
| ifconfig-linux | Avoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php |
| inline | #1: Inline files (e.g. <ca> ... </ca>) are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV #2: https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs |
| insanity | doing the same thing over and over expecting different results |
| interface | #1: paste interface configuration from both client and server, while disconnected and while connected. Be sure to also add the routing tables for both situations from client and from server #2: For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) #3: For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' #4: For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes) |
| ipad | see !iphone |
| ipforward | #1: please choose between !linipforward !winipforward !osxipforward and !fbsdipforward #2: ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall |
| iphone | #1: http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone #2: OpenVPN is now available for iOS in the App Store #3: https://community.openvpn.net/openvpn/wiki/IOSinline |
| iporder | #1: OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). #2: Use --client-config-dir file for static IP (next choice) !static for more info #3: Use --ifconfig-pool allocation for dynamic IP (last choice) #4: if you use --ifconfig-pool-persist see !ipp |
| ipp | #1: the option --ifconfig-pool-persist ipp.txt does NOT create static ips #2: Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static |
| iptables | #1: to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z #2: please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info #3: you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables #4: These are just the basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You may try #netfilter |
| ipv6 | #1: http://www.greenie.net/ipv6/openvpn.html for info about the ipv6 patch (adds nice ipv6 options to openvpn) #2: use 2.3 or see !snapshots for a release with ipv6 patches in it #3: http://ipstats.arvig.net/BraveHeartMEME.jpg |
| ipv6_transport | use --proto udp6 |
| irc | http://www.irchelp.org/irchelp/irctutorial.html |
| irclogs | Channel logs are available at http://secure-computing.net/logs/#openvpn.log and http://secure-computing.net/logs/#openvpn-devel.log and are updated every three hours. |
| ircstats | #1: See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. #2: See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats. |
| iroute | does not bypass or alter the kernel's routing table; it lets openvpn know which client should receive a packet the kernel has already routed to the tun interface, when the destination is a network openvpn would not otherwise know about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd |
| karma | nick++ adds karma nick-- adds bad karma, as seen in !ircstats |
| keepalive | #1: see --keepalive in the manual for how to make clients retry connecting if they get disconnected. #2: basically it is a wrapper for managing --ping and --ping-restart in server/client mode #3: if you use this, don't use --tls-exit and also avoid --single-session and --inactive |
| keys | http://openvpn.net/howto#pki |
| kindle | OpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android |
| kiss | Keep It Simple Stupid |
| krzee | #1: krzee says happy 4/20 #2: http://www.ircpimps.org/pics/krzee/blunt.jpg #3: location: moon base where he smokes moonajuana |
| lans | https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing |
| layer2 | #1: you are using tap, what specific layer2 protocol do you need to work over the vpn? #2: Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better #3: protocols that use layer2 communicate by MAC address, not IP address |
| ldap_iptables | see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP) |
| linipforward | #1: echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution #2: chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware #3: you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT |
| linnat | #1: for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE #2: to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> #3: http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info #4: openvz see !openvzlinnat |
| linportforward | #1: to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip) #2: iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP> #3: iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT |
| lintrafaccnt | http://www.catonmat.net/blog/traffic-accounting-with-iptables/ for a walkthrough on using iptables for traffic accounting |
| listen-ipv6 | use --proto tcp6 or --proto udp6 ... this needs OpenVPN 2.3 or later (or a !snapshots build); 2.2.x and earlier don't support this |
| local | a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. |
| log | see !logfile |
| logfile | #1: openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile #2: verb 3 is good for everyday usage, verb 5 for debugging #3: see --daemon --log and --verb in the manual (!man) for more info #4: without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient |
| logs | #1: please pastebin your logfiles from both client and server with verb set to 5 #2: In the Windows client (OpenVPN-GUI) right-click the status icon and pick View Log #3: In the OS X client (Tunnelblick) right-click it and select Copy log text to clipboard #4: if you don't know how to find your logs, see !logfile |
| mac | Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/) |
| mactuntap | http://tuntaposx.sourceforge.net/ for osX tuntap drivers |
| magic | For a story about magic read http://www.catb.org/jargon/html/magic-story.html |
| | #1: http://sourceforge.net/mail/?group_id=48978 #2: http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive |
| mailinglist | #1: User's mailing list: http://thread.gmane.org/gmane.network.openvpn.user #2: Developer's mailing list: http://thread.gmane.org/gmane.network.openvpn.devel |
| man | #1: For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ #2: the man pages are your friend! #3: Protip: you can search the manpage for a specific --option (with dashes) to find it quicker |
| management | #1: see http://openvpn.net/management for doc on management interface #2: read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN |
| mbuf | see http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you have ruled out a routing loop as the cause of the error: MULTI: packet dropped due to output saturation (multi_add_mbuf) |
| meetings | OpenVPN developers meetings are usually held on Thursdays @ 18:00 UTC. Ask mattock or dazo for latest info. Meeting agendas and minutes are here: https://community.openvpn.net/openvpn/wiki/IrcMeetings |
| menu | #1: please use '!factoids search *' #2: you can leave it a * to see all, or replace it with a word to search for #3: or type !factoids to see a complete list |
| mesh | #1: openvpn does not do mesh networking #2: see !rip #3: check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes |
| mgmt | #1: http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html #2: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt |
| mirror | #1: http://openvpn.scarydevilmonastery.net for a mirror of the docs #2: http://www.secure-computing.net/openvpn/ for another |
| mitm | #1: http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially #2: use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates #3: then use: remote-cert-tls server in the client config |
| msg | #1: to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> #2: so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs |
| mtu | #1: see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config #2: mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting |
| mtu-test | you can just use --mtu-test on the client to see what the best mtu for your connection is |
| multi_process_incoming_tun | http://blog.tuinslak.org/2010/03/openvpn-packet-drops/ |
| multiple_ca | see !cert_chains |
| nagios | http://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/ for info on hooking openvpn into nagios |
| nat | #1: http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn #2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules #3: don't forget to turn on ip forwarding #4: please choose between !linnat !winnat and !fbsdnat for specific howto |
| nathack | see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but can't add a route to the gateway or the lan machines |
| net101 | http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example |
| net30 | "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology |
| netman | if you are using network manager for linux to configure your vpn, don't! see http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same advice from the author of the openvpn 2 cookbook on the mailing list |
| new_win_gui | http://sourceforge.net/projects/openvpn-gui/ is the upstream project for the new windows gui |
| no_as | #1: go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) #2: not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here |
| nobind | Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option. |
| nocert | #1: to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required #2: to know more, read about those config options in the manual (!man) |
| noenc | #1: if you're going to disable encryption, you might as well build a GRE tunnel #2: but you would use cipher none |
| nom | http://secure-computing.net/files/om_nom_nom.jpg |
| nopaste | "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca |
| noroot | "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions. |
| notcompat | #1: IPSEC and PPTP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use proprietary protocols and therefore cannot be compatible. #2: OpenVPN only connects to OpenVPN |
| notopenvpn | your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem |
| notovpn | "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem |
| nsupdate | http://scarydevilmonastery.net/client_connect_nsupdate for a script Bushmills wrote to solve the question How can my vpn update my nameserver? |
| obfs | #1: if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols #2: http://community.openvpn.net/openvpn/wiki/TrafficObfuscation #3: in client/server mode an admin can know that openvpn is being used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity) |
| obfsproxy | #1: For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 #2: See also !obfs. The link to TrafficObfuscation also contains a setup example |
| obsdnat | pass out on $ext_if from $vpn_network to any nat-to <IP ADDRESS> |
| obsdtap | http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should probably use tun anyway) |
| openbsdnat | #1: pass out on $ext_if from 10.8.0.0/24 to any nat-to servers.public.ip && pass in quick proto tcp from any to port 1194 keep state label openvpn && pass quick on $vpn_if keep state #2: see !fbsdnat |
| opendns | You should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info. |
| openvz | #1: http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn #2: It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen |
| openvzlinnat | since openvz can't do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <container.ip> |
| openvznat | #1: a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP> #2: someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip> |
| osx | #1: Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/ #2: Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/ |
| osxboot | http://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes for how to run commands on boot in osX, you can change a single line in StaticRoutes file to make it start OpenVPN |
| osxipforward | #1: sysctl -w net.inet.ip.forwarding=1 for a temp solution #2: add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution |
| otherprojects | https://community.openvpn.net/openvpn/wiki/RelatedProjects for links to other projects |
| ovpn | #1: OpenVPN GUI will load config files with a .ovpn extension when double-clicked. #2: this is the same config file format as the standard .conf , just renamed to prevent extension collisions on Windows |
| p12 | openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt |
| password | For a good guideline on generating strong passwords, read http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/ |
| password-only | http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html |
| paste | "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use |
| pastebin | #1: please paste anything with more than 5 lines into pastebin or a similar website #2: https://gist.github.com is a recommended place to use #3: If you're pasting config files, see !configs for grep syntax to remove comments |
| path | #1: use full paths in your config! #2: if you use windows, see !winpath |
| pfnat | nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip> |
| pfsense | don't use the web gui for configuring openvpn, you need to understand the config and logfiles |
| ping | Only one. http://www.youtube.com/watch?v=jr0JaXfKj68 |
| pki | #1: http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs) #2: Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert) |
| policy | #1: http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies #2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a little writeup by mario |
| port-share | When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not implemented on Windows. |
| ppp_defaultroute | if your otherwise working openvpn config can not redirect-gateway because its default gateway is ppp and openvpn complains it can not find the default gateway; you can try this: http://blog.wsensors.com/2011/04/openvpn-and-ppp-on-linux-vpn-traffic-forwarding-default-gateway-fix/ |
| pptp | #1: PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about why to not use pptp #2: Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security #3: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ |
| privatetunnel | go to support@privatetunnel.com for support! |
| privledges | just choose a sandbox user/group that nothing else is using, then in the config use: user vpnuser and group vpngroup, and if it is the server also add: persist-key and persist-tun |
| provider | #1: We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. #2: Please contact their support team. |
| psychic | We're not psychic -- please !paste your !configs and !logs and a description of the issue |
| pt | "privatetunnel" is go to support@privatetunnel.com for support! |
| push | usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries |
| push-reset | Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level. |
| pushdns | #1: push "dhcp-option DNS a.b.c.d" to push dns to the client #2: http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns #3: http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit #4: in unix you'll use the update-resolv-conf script #5: also http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7 |
| pwfile | #1: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h #2: see --auth-user-pass in the manual (!man) for more info #3: if you're using this with the windows service, you will need --askpass |
| qnx | http://ovpnforum.com/viewtopic.php?f=4&t=2449 for the qnx6 port of openvpn |
| quietopenssl | #1: see http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html and read 'man req' to see how to make openssl not prompt you #2: also see !ssl-admin for a sweet tool for managing your certs |
| randomsubnet | http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet |
| read | <krzee> I've been known to overreact when people look for 2 minutes and ask me to explain it to them |
| redact | Please don't redact or change things (hostname, port, CNs, etc) when you !paste your !configs and !logs. It's a lot easier for us to debug if we're seeing the same thing you are. |
| redirect | #1: to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. #2: you may need to use a different dns server when redirecting gateway, see !dns or !pushdns #3: if using ipv6 try: route-ipv6 2000::/3 #4: Handy troubleshooting flowchart: http://ircpimps.org/redirect.png |
| redirect_ips | #1: https://forums.openvpn.net/topic8559.html for more info on giving users their own internet routable IPs #2: it is also possible to directly hand out the ips from --server, jjk explains how to do this in his book (!book) which krzee highly recommends reading |
| refund | If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere. |
| release-notes | http://openvpn.net/index.php/open-source/documentation/release-notes.html |
| remap | By default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_'). |
| repo | openvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos |
| rfc1918 | "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi |
| rhel | see !epel5 |
| rip | http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn |
| roadmap | https://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3 |
| rocks | Nobody around but us rocks! Please go ahead and ask your question, and be patient - somebody helpful will eventually perk up. |
| rollup | See !win_rollup |
| route | #1: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT #2: READ IT DONT SKIM IT! #3: See !tcpip for more info about a more basic networking guide #4: See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client |
| route_outside_openvpn | #1: If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route #2: Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png |
| route_outside_ovpn | "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png |
| route_override | #1: https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet #2: to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute |
| routebyapp | if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. |
| router | if you are using one of those hacked up linksys linux routers, and you are not logging... don't expect help until you turn on logging so you can post the logs |
| rules | http://secure-computing.net/openvpn/openvpn.php for channel guidelines. |
| samba | #1: http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge #2: http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode |
| samesubnet | #1: clients cannot connect to a server pushing its lan if they are on the same subnet. you can only reach your subnet on layer2 or through your gateway; when you create a route for it you will try to reach your gateway over the vpn, which dies because you can't reach your gateway #2: you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the subnet |
| sample | #1: http://www.ircpimps.org/openvpn.configs for a working sample config #2: DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) #3: these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting |
| say | NO! you're not the boss of me! |
| scale | #1: OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process. #2: Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto. #3: Both of these issues can be handled by running multiple server instances (on several IPs or ports) and having clients round-robin between them |
| scared | http://www.youtube.com/watch?v=P_WI0VI7aIw |
| script | See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR |
| secret | funny that people use free programs, consult free help for them, run a business with them, but are not allowed to say what they do. |
| secure | #1: http://openvpn.net/howto.html#security for hardening #2: http://openvpn.net/index.php/documentation/security-overview.html for security overview |
| security | "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview |
| servercert | #1: openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key #2: or just use build-key-server in easy-rsa #3: this will help with !mitm |
| serverlan | #1: for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) #2: see !route for a better explanation #3: Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png |
| shaping | to enable traffic shaping on clients, you do this in your firewall. it is unrelated to openvpn. it is called QoS, and on linux you would set it up with tc alongside iptables |
| shorewall | http://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls. |
| shotgun | #1: the most effective form of physical security #2: <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun. |
| slowesxi | <pyther> seems as if there is some type of bug with the vmxnet3 network module, so I just switched to the e1000 module, the vpn box is a virtual machine on vmware esxi. http://nwsmith.blogspot.com/2010/07/patching-vmxnet-to-disable-lro.html <pyther> something about disabling LRO |
| smart | 14:50:56 < jnewt_> in other words, i see the information you're giving me, but don't have the brains to apply it. |
| snapshots | #1: weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn #2: by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch |
| sockd | if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because it's expected to run inside openvpn |
| solaris | http://www.whiteboard.ne.jp/~admin2/tuntap/ for the solaris tuntap driver, good luck... I've heard mixed reviews. let us know how it works for you |
| someclient2client | "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a little writeup by mario |
| splitdns | see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups |
| splitroute | #1: https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet #2: see !route_override for how to override --redirect-gateway for a certain subnet |
| spoonfeeding | http://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html |
| ssl-admin | #1: if you use freebsd, it is in ports #2: svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn #3: A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa |
| ssl-admin 1 | http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed |
| static | #1: use --ifconfig-push in a ccd entry for a static ip for the vpn client #2: example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 #3: also see !ccd and !iporder #4: when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range |
| static-key | when you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default |
| static_key_details | http://svn.openvpn.net/projects/openvpn/web/trunk/faq-static-key-explanation.txt for an explanation of how static key files are used |
| statickey | #1: you can use static keys by using --secret </path/to/key> #2: static keys only work for ptp links, not client/server. They also do not provide forward secrecy. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. #3: see !forwardsecurity for more info |
| status | #1: You can use the --status directive to write to a status file to show the list of currently connected clients. This list can be sent to stdout (or your defined !log mechanism) with a USR2 signal as well. #2: See also !management |
| strip-passphrase | see http://blog.lib.umn.edu/silvi003/codenotes/2008/08/how_to_strip_a_passphrase_from.html to learn how to strip a passphrase from a key file |
| subnet | http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork |
| subscription | https://www.tunnelr.com has a slick interface and costs $7/mo , or https://www.openvpn.net/index.php/ for the pay software from openvpn technologies |
| sudowin | http://sourceforge.net/projects/sudowin/ |
| supybot | http://supybook.fealdia.org/devel/#_adding_a_new_user |
| suse | You EITHER! (see !ubuntu) |
| sweet | http://sweet.nodns4.us/ =( |
| tap | "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but learning routing is generally far better, or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses. |
| tcp | #1: Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. #2: http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) #3: if you must use tcp, you likely want --tcp-nodelay |
| tcp_nodelay | <EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand. |
| tcpip | http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know |
| testing | "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch |
| ticket | Create a trouble ticket by going to https://community.openvpn.net/ , registering and logging in |
| timeout | if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isn't running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it |
| tls-auth | "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static key; in the configs use tls-auth ta.key 0 on the server and tls-auth ta.key 1 on the client |
| tls-cipher | http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users |
| tools | https://www.secure-computing.net/ip.php |
| topic | see /topic instead. |
| topology | #1: it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet . This will end up being default in later versions. #2: Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. #3: See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this. |
| topsecret | if your setup is so top secret that you can't post your configs or logs, please leave now and go find support you trust. |
| trac | #1: see https://community.openvpn.net for development information and bug tracker. #2: if you have a forum login, use that for trac, it's the same database. |
| tunnelblick | http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X |
| tunortap | #1: you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. #2: and if your reason for wanting tap is windows shares, see !wins #3: also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over the vpn #4: lan gaming? use tap! #5: Normal Android/iOS devices (not rooted/jailbroken) support only tun. |
| ubuntu | don't use network manager! |
| unix | a text adventure, and the only cheat mode is to ask in IRC, where to start reading |
| unpriv | see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions. |
| vampire | Please don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. http://slash7.com/2006/12/22/vampires/ |
| verb | verb command is for setting log verbosity, see --verb in the manual (!man) for more info |
| vista | 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\ |
| vpn | http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is |
| walkthrough | if you are using some walkthrough and now you are here because you have problems and don't understand your setup, type !howto and !man and try to actually learn what you're doing. most of those docs about openvpn from google SUCK. |
| webgui | #1: http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback #2: http://sourceforge.net/projects/openvpn-status/ also please let us know if you use that |
| welcome | #1: Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm #2: Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) |
| whining | < MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you. |
| why | because screw you, that's why. |
| whybridge | #1: you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. #2: See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting #3: See also !tunortap |
| wiki | #1: http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki #2: https://community.openvpn.net/openvpn/wiki for the Official wiki |
| will | Where there's a will, there's /away |
| win-dns | From cmd.exe: if ipconfig /all shows the proper DNS server address assigned to the tap device... Please choose !win-dns-xp or !win-dns-vista-7 |
| win-dns-vista-7 | click start -> control panel -> network and sharing center -> change adapter settings -> <ALT> -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list |
| win-dns-xp | click start -> control panel -> network connections -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list. |
| win2k8 | Server 2008 assigns the OpenVPN TAP Adapter v9 as an Unidentified network which the default Local Security Policy of Server 2008 assigns as being a Public Interface with restricted access. To fix it do this: Go into Control Panel / Administrative Tools / Local Security Policy / Network List Manager Policies / Unidentified Networks. Set Location Type to Private. |
| win7 | http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/8a3e9b05-353b-4250-a023-066a085e9657 for a workaround to the windows 7 unidentified network issue you get when using redirect-gateway |
| win_build | https://community.openvpn.net/openvpn/wiki/BuildingOnWindows for mattock's doc on building openvpn on windows |
| win_ipfail | if the adapter fails to set the IP properly, check that the DHCP Client service and tap-win32 are enabled. |
| win_noadmin | #1: http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows #2: and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista |
| win_rollup | please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn |
| win_tcplimit | see http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients |
| windows | #1: computers are like air conditioners, they work well until you open windows. #2: http://secure-computing.net/files/windows.jpg for funny #3: http://secure-computing.net/files/windows_2.jpg for more funny |
| windows_mobile | http://ovpnppc.ziggurat29.com/ovpnppc-files.htm for windows mobile builds of openvpn |
| windows_problems | #1: PCs are like air conditioners - they work fine until you open windows. #2: http://secure-computing.net/files/windows.jpg for funny #3: http://secure-computing.net/files/windows_2.jpg for more funny |
| winipforward | http://support.microsoft.com/kb/315236 to enable ip forwarding on windows |
| winnat | #1: http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows #2: http://www.nanodocumet.com/?p=14 for windows XP #3: https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8 |
| winpass | openvpnGUI for windows has a change password feature that will change the passphrase on your .key files |
| winpath | #1: Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key" #2: also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes) |
| winroute | #1: in windows if the route cannot be added, try route-method exe in your config file #2: many users also report it helps to add route-delay to give the interface extra time to come up #3: you may need to turn off Routing and Remote Access in administrative tools - routing and remote access #4: make sure you are running openvpn as admin #5: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html you might also want to see that and use trial and error with those solutions |
| wins | http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba |
| winscript | a user reported that his --up script was not executed in windows gui. his config was bps.ovpn, he renamed the script to bps_up.bat and put it in the dir with his config... then it worked! |
| winshortcut | To start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe" --config_dir "C:\path\to\config" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0 |
| winsudo | "sudowin" is http://sourceforge.net/projects/sudowin/ |
| wintaphide | #1: in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8. Set Characteristics = 0x89 #2: To show it again, set it to 0x81 |
| wireless | #1: if you are getting replay errors while on wireless, see --mute-replay-warnings in the manual (!man) #2: if you are securing your wireless using openvpn, see !local |
| wisdom | We can only provide you with the information. We are not, unfortunately, able to make you understand it. |
| wishlist | https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist |
| xca | #1: XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. #2: Example XCA PKI for OpenVPN (writeup pending): https://community.openvpn.net/openvpn/wiki/XCA |
| xy | http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y... |
| 42 | the answer to life, the universe, and everything. |
| 101 | This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc |
| 1918 | #1: RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 #2: see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html #3: Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi |