Secure Computing Networks
Page last updated Tuesday, 16 Sep 2014 14:42:07 -18000 (415 keys, 670 factoids)
KeyFactoid
#1: as AS is a commercial product by OpenVPN Technologies Inc, and is NOT the same thing as the Community openvpn, which we support here.
#2: as AS is a commercial product by OpenVPN Technologies Inc, and is NOT the same thing as the GPL OpenVPN codebase ("Community OpenVPN"), which we support here.
#3: as please go to #OpenVPN-AS for help with Access-Server or any other closed source tech from openvpn technologies such as Connect.
#4: as Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
#5: as AS is a commercial product, different from open source OpenVPN
--OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
/30#1: http://goo.gl/SbKrT5 explains why routed clients each use 4 ips
#2: you can avoid this behaviour with --topology subnet (one address per client), see !topology
1waya 1-way ping between client and server indicates that you have a firewall problem on the end that cannot be pinged but is able to ping the other side
2.1-winpass-scripthttp://article.gmane.org/gmane.network.openvpn.user/24575
ASPlease go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc. Access Server is a commercial product, different from open source OpenVPN
EugeneKayright because EugeneKay is always right.
UACOn Windows >=Vista, you can check if UAC is on (0x1) or off (0x0) with this command: reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
access-serverOpenVPN Access Server support is in #openvpn-as
accountingSome shell code for basic user accounting on connect/disconnect: https://github.com/QueuingKoala/openvpn-dynamic/tree/master/user-accounting
activedirectoryhttp://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
adsee !activedirectory
addressingFor information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
all#1: please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
#2: For more detailed instructions, look to: !logs !configs !interface
allinfoPlease type !configs !logs and !interface to see all the info we want to be able to help you
android#1: an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ
#2: Direct Play link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn
#3: Old (pre-ICS) device? See: !android-old
#4: You can get the apk directly from http://plai.de/android/
android-oldIf you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market
androidsource#1: The source for OpenVPN For Android is here: http://code.google.com/p/ics-openvpn/source/checkout
#2: The source for some of OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
asbestosas best os: freebsd sukka! (according to krzee)
ask#1: don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
#2: See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
#3: if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
authenticationhttps://community.openvpn.net/openvpn/wiki/Concepts-Authentication
authpass#1: please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
#2: or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
#3: and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
awsZiber> So, in the AWS console, you can disable 'source/destination checks', which allow you to route outside of the VPC. Which is a LAN-ception concept, that's isolated beyond belief.
badtimeif !certverify shows you "error 9 at 1 depth lookup: certificate is not yet valid", a clock is wrong somewhere: check date, time, year and timezone on every machine involved, including the CA that signed the certs
basicif you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first
bcast#1: pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup
#2: http://www.hanksoft.de/service/46-udpbroadcastforwarder seems to be a windows program for relaying bcast (use google translate if needed)
beerwhat's for dinner (and occasionally breakfast)
bestosthe best os for openvpn is the one you are most comfortable with
blame#1: According to Bushmills, it's always krzee's fault
#2: According to krzee, it's always dazo's fault
#3: and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments
#4: cron2 says its always d12fk's fault (and sometimes the customers)
blogDo not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them.
bonjourhttp://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to
bookhttp://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
botI'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
bothIf you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
botsnackOm nom nom!
bottleneck#1: OpenVPN does its crypto in userspace on the CPU unless an OpenSSL engine for hardware acceleration is available (`openvpn --show-engines` lists them). That makes the CPU the usual performance bottleneck; remember that OpenVPN 2.x is single-threaded, so it only ever uses one core
#2: See also: !gigabit for ideas on advanced performance tuning options
bridge#1: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc
#2: http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ
#3: also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
#4: also see !whybridge
bridge-dhcphttp://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
bridge-fwsee !ebtables
bridging#1: Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you
#2: See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
broadcast-relaybcrelay, a program shipped in the pptp source tree (see !bcast). Use it in tun mode when something needs broadcasts to cross the vpn and WINS isn't enough
bsdnatsee !fbsdnat
bufferwhen you see write UDPv4: No buffer space available (code=55) you probably have a routing loop. the way to fix this is to get a book on basic networking, preferably a coloring book!
bugshttps://community.openvpn.net/openvpn if we tell you that you found a bug. go there, open an account, and file a bug report in trac (your forum login is good for the trac too)
c2csee !client-to-client
callhttp://www.xmg.com/wp-content/uploads/2012/07/GB_Logo_New_MB_WIP-2.png
ccd#1: per-client config: directives in <dir>/<common-name> are applied to that one client only, as if they were in server.conf, matched on the common-name of the client's certificate. Enable it with --client-config-dir <dir>; typical contents are ifconfig-push, iroute and push lines
#2: the ccd file is read each time the client connects, so edits take effect at the client's next reconnect without restarting the server
centosSee !epel5
cert_chainshttps://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains ... JJK actually mentions that scenario in this page
certfightwhen you use 2 clients with the same certificate (and not using !dupe) your vpn will not work. your second client will knock off your first client, then your first will knock off the second (if you have !keepalive) and they will simply fight back and forth disconnecting over and over until a voice says FINISH HIM
certinforun `openssl x509 -in <file> -noout -text` for info from your cert file
certman#1: Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN.
#2: Other choices include: !xca, !ssladmin, and probably others online
certpwsee !change-passphrase
certs#1: use !easy-rsa-unix for easy-rsa
#2: use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
certverify#1: verify your certs are signed by your CA by running `openssl verify -CAfile <ca.crt> <client.crt>`, once for client.crt and once for server.crt
#2: also make sure both sides use the same ca.crt: compare `openssl x509 -in ca.crt -noout -fingerprint -sha256` (or a checksum of the file) on each end; a stale copy left over from a rebuilt CA is a common cause of TLS errors
change-passphrasesee http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
changelogSee http://openvpn.net/index.php/open-source/documentation/change-log.html for the openvpn change logs
cidrhttp://www.oav.net/mirrors/cidr.html
cisco#1: An open-source client for Cisco SSL VPN is available from http://www.infradead.org/openconnect.html
#2: OpenConnect is availabe in FreeBSD ports in security/openconnect
client-connect--client-connect <script> runs the script each time a client connects (needs script-security 2). Useful for generating firewall rules dynamically or assigning static ips. It can do anything a ccd (see !ccd) entry can do, but dynamically: write the ccd directives you want applied to the file whose name OpenVPN passes as $1. A non-zero exit from the script refuses the connection
client-to-clientwith this option packets from one client to another are forwarded inside the server process and never touch the kernel. Without it they leave the server process, go through the kernel (firewall, routing table) and, if the firewall allows it and the route points back at the tun interface, come back into the server process and out to the other client. So use this option only when you do NOT want selective firewall rules on what clients may reach behind other clients; leave it out if you do (see !dynamicfirewall)
clientlan#1: for a lan behind a client you need all of: ip forwarding enabled on the client (!ipforward); a route for the lan on the server (the "route" directive, so the kernel sends those packets into tun); a push "route" so the other clients learn it; a ccd (!ccd) file for that client with an iroute (!iroute) line so the server process knows which client owns the lan; and a route on the lan's own router pointing the vpn subnet at the client (!route_outside_openvpn)
#2: see !route for a better explanation
#3: Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png | http://pekster.sdf.org/misc/clientlan.png
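Putting !ccd, !client-connect and the !clientlan checklist together: the script below is an added example, not part of the factoid database or the OpenVPN project. It is a client-connect hook that writes the same ifconfig-push and iroute lines a static ccd file would hold, taken from a lookup table, so a client with a LAN behind it is set up at connect time. The client names, the addresses and the server.conf lines quoted in the comments are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the factoid database or the OpenVPN project: a
# --client-connect hook that writes a per-client "dynamic ccd" into the temp
# file OpenVPN hands it as $1, giving a client with a LAN behind it the same
# ifconfig-push and iroute lines a static ccd/<common-name> file would hold.
# The CLIENTS table, the names and all addresses are made up for the demo.
#
# Assumed server.conf (the script only replaces the ccd file, nothing else):
#   topology subnet
#   server 10.8.0.0 255.255.255.0
#   route 192.168.50.0 255.255.255.0         # kernel route into tun for the branch LAN
#   push "route 192.168.50.0 255.255.255.0"  # other clients learn it; OpenVPN strips a
#                                            # pushed route that matches the client's own iroute
#   script-security 2
#   client-connect /etc/openvpn/dyn-ccd.sh
# Still needed elsewhere: ip forwarding on the branch client (!ipforward) and
# a route for 10.8.0.0/24 via the client on the branch router (!route_outside_openvpn).
set -eu

# common-name   vpn-address  lan-network   lan-netmask   ("-" when no LAN)
CLIENTS='
branch-office 10.8.0.50 192.168.50.0 255.255.255.0
laptop        10.8.0.51 - -
'

# lookup_client CN -> prints "vpn-ip net mask"; exit 1 when the CN is unknown
lookup_client() {
    printf '%s\n' "$CLIENTS" |
        awk -v cn="$1" '$1 == cn { print $2, $3, $4; found = 1 } END { exit !found }'
}

# write_dyn_ccd CN FILE -> writes the directives OpenVPN will apply to this client
write_dyn_ccd() {
    cn=$1; out=$2
    entry=$(lookup_client "$cn") || return 1
    set -- $entry                      # $1=vpn-ip $2=net $3=mask
    {
        # fixed VPN address; a client-connect file is the first choice in
        # !iporder, ahead of static ccd files and the ifconfig-pool
        echo "ifconfig-push $1 255.255.255.0"
        if [ "$2" != "-" ]; then
            # iroute never touches the kernel table: the "route" line in
            # server.conf gets packets into tun, iroute tells OpenVPN which
            # client owns that LAN (see !iroute)
            echo "iroute $2 $3"
        fi
    } > "$out"
}

# Entry point when OpenVPN runs the hook: $1 is the temp file and the client's
# certificate common-name is exported as $common_name.
if [ $# -ge 1 ] && [ -n "${common_name:-}" ]; then
    # unknown CN: exit non-zero, which makes the server refuse the connection
    write_dyn_ccd "$common_name" "$1" || exit 1
fi
```

Install it as /etc/openvpn/dyn-ccd.sh, make it executable and connect as branch-office: the server log shows the ifconfig-push and iroute being applied, and `ip r` on the server already carries the 192.168.50.0/24 route from the route directive. Moving the table out of the script into a file is the obvious next step.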
cloakTalk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
cmdhelpIf you have problems with a command it's best to show us exactly what you did. Try a !paste of your command history that shows the issue.
commentyou can use ; or # to make comments in the config file
commercialPlease go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
compif you see "Bad LZO decompression header" you have a comp-lzo mismatch. Use the same comp-lzo setting in every config, or put it in none of them
confgen#1: http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
#2: you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
#3: you must run this in bash
configs#1: please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.
#2: dont forget to include any ccd entries
#3: on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
connect#1: OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide
#2: https://forums.openvpn.net/post34969.html#p34969
#3: the source is here: http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
cpusee !bottleneck
crl#1: --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
#2: you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
#3: openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
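As an added example, not from the factoids and not easy-rsa's own code, the script below walks through !certverify, !badtime and !crl on a throwaway CA built with plain openssl: the signature check against the CA, the CA fingerprint comparison, the validity dates, and finally a revocation followed by the CRL check a server performs with --crl-verify. The CA names, client1 and the ca.cnf are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from the factoid database or from easy-rsa: a throwaway
# PKI built with plain openssl to walk through !certverify, !badtime and !crl.
# Everything here (the CA names, client1, ca.cnf) is made up for the demo and
# lives in a temp dir that is removed on exit. easy-rsa's build-ca, build-key
# and revoke-full wrap the same openssl req/ca commands.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for `openssl ca`: an index, a serial file and an output dir,
# the same bookkeeping easy-rsa keeps under keys/.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_client
[ demo_policy ]
commonName       = supplied
[ req ]
default_md         = sha256
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
mkdir newcerts
: > index.txt
echo 01 > serial

# Our CA, plus a second unrelated CA to show what a ca.crt mismatch looks like.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -extensions v3_ca -subj /CN=DemoCA  -keyout ca.key    -out ca.crt    2>/dev/null
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -extensions v3_ca -subj /CN=OtherCA -keyout other.key -out other.crt 2>/dev/null

# client1: a CSR signed by DemoCA
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=client1 \
    -keyout client1.key -out client1.csr 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in client1.csr -out client1.crt 2>/dev/null

# !certverify #1: is the cert signed by this CA?  (exit 0 = yes)
verify_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# !certverify #2: same ca.crt on both ends? Compare fingerprints instead of
# eyeballing files; sha256 here because md5 collisions are cheap to make.
ca_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
same_ca() { [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]; }

# !badtime: show the validity window and check it against this machine's clock.
# A cert whose notBefore lies in the future fails `openssl verify` with
# "error 9 ... certificate is not yet valid": fix the clocks, not the cert.
cert_dates()  { openssl x509 -in "$1" -noout -dates; }
still_valid() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# !crl: revoke client1 and regenerate crl.pem (what easy-rsa's revoke-full
# does); the server then needs `crl-verify crl.pem` pointing at the new file.
openssl ca -batch -config ca.cnf -revoke client1.crt  2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# What --crl-verify adds on top of the chain check: the cert must verify AND
# must not be listed in the CRL.  (exit 0 = accepted)
verify_with_crl() {
    openssl verify -CAfile "$1" -crl_check -CRLfile "$2" "$3" >/dev/null 2>&1
}

cert_dates client1.crt
verify_cert ca.crt client1.crt    && echo "client1: signed by DemoCA"
verify_cert other.crt client1.crt || echo "client1: NOT signed by OtherCA (wrong ca.crt)"
verify_with_crl ca.crt crl.pem client1.crt || echo "client1: revoked, server would refuse it"
```

Run it anywhere openssl is installed: it prints client1's notBefore/notAfter, confirms the DemoCA signature, shows the OtherCA mismatch, and ends with the revoked cert being rejected the way a server with crl-verify rejects it. Remember that a server only re-reads crl.pem when the file changes, so regenerate it after every revocation.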
crystal#1: Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome.
#2: unless reiffert is here, his crystal ball is functional again
current#1: Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance.
#2: The current version of OpenVPN can be downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/
dazhttp://www.eurephia.net/ for eurephia, an auth plugin supporting dynamic firewall updates
dazoThe project name krzee always forgets .... eurephia ... http://www.eurephia.net/
dd-wrt#1: While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN
#2: Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783
#3: more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
debatehttp://www.irreligion.org/wp-content/uploads/2011/02/Debate-Flow-Chart1.jpg
debianAlthough we are aware the Debian stable package repository has OpenVPN 2.1rc11, to offer support, we require users to run the current version of OpenVPN. See !download for information on where/how to obtain a recent release.
def1#1: used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
#2: please see --redirect-gateway in the man page ( !man ) to fully understand
#3: push "redirect-gateway def1"
devhttps://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
dh#1: build-dh in easy-rsa (option dh in ssl-admin) writes the Diffie-Hellman parameters: a large prime of the size you chose (1024 bits by default; use 2048) plus a generator, which the server uses to negotiate each session's key over the insecure channel without the secret ever crossing the wire. It goes into server.conf as --dh, one of the layers of your VPN's crypto
#2: openssl dhparam -out dh2048.pem 2048 (openssl gendh is the old, deprecated name for the same thing)
dhcpredirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
diagramYou can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
dlink_static_routehttp://lizzi555.dyndns.org/655/StaticRoute.html for the workaround for issues adding static route into d-link router with A3 firmware
dmzLow end SOHO routers sometimes have a DMZ feature. This does NOT magically give your internal host a public IP, but is a form of fallthrough NAT. Such features may or may not operate as expected depending on the device; consult its documentation, not here, for details.
dns#1: Level3 open recursive DNS server at 4.2.2.[1-6]
#2: Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
#3: you might be looking for !pushdns
dnsbindhttp://dan.langille.org/2013/11/25/openvpn-and-dynamic-dns/ for a writeup on how the user used bind to serve a VPN/LAN domain and update it for vpn clients
dnsmasqhttp://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
donate#1: send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel.
#2: Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
#3: http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
doucheyhttp://catb.org/~esr/faqs/smart-questions.html#keepcool
douchysee !douchey
download#1: http://openvpn.net/index.php/download/community-downloads.html to download openvpn
#2: OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
#3: Don't trust download.com at all. It provides an extremely old version with malware: http://insecure.org/news/download-com-fiasco.html
#4: in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
dropje#1: Always listen to dropje
#2: well, dazo might not agree to the 'always' part always ... but .....
dupe#1: see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended)
#2: instead, use !pki to make a cert for each user
duplicatethe option duplicate-cn is for allowing the same cert to login more than once. It should not be used in most situations, with main exceptions being if you also use !authpass or if just testing
duplicate-cnsee !dupe
dynamicfirewallto learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
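An added example (not from the factoids or the OpenVPN project) of what !dynamicfirewall points at: a --learn-address script that opens FORWARD rules for a client's learned VPN address and closes them when the address is released. It is also the selective-rules alternative to !client-to-client. The chain name, the per-client allow list, every address and the iptables bootstrap quoted in the comments are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the factoid database or the OpenVPN project: a
# --learn-address hook that opens FORWARD rules for a client's VPN address
# when OpenVPN learns it and closes them when the address is released.
# OpenVPN runs it as:   script  add|update|delete  ADDRESS  [COMMON_NAME]
# (no common name on delete). ADDRESS is a host IP in tun mode, a
# "network/prefix" for a LAN reached via iroute, or a MAC address in tap mode.
# The chain name, the allow list and every address below are made up.
#
# Assumed server.conf:   script-security 2
#                        learn-address /etc/openvpn/learn-address.sh
# Assumed one-off netfilter setup at boot, so the chain ends in DROP and
# clients only reach what this script opens (client-to-client traffic crosses
# FORWARD too unless --client-to-client is set, so it is covered as well):
#   iptables -N ovpn-clients
#   iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -i tun0 -j ovpn-clients
#   iptables -A ovpn-clients -j DROP
set -eu

IPTABLES=${IPTABLES:-iptables}        # point at a logger for a dry run
CHAIN=${CHAIN:-ovpn-clients}
STATE=${STATE:-/var/run/openvpn-fw}   # one file of added rules per address

# allowed_for CN -> destinations that client may reach through the server
allowed_for() {
    case $1 in
        branch-office) echo "10.0.1.0/24 10.0.2.10/32" ;;
        laptop)        echo "10.0.2.10/32" ;;
        *)             echo "" ;;    # unknown CN: nothing gets opened
    esac
}

# 192.168.50.0/24 or 00:11:22:33:44:55 must not turn into a path
state_file() { echo "$STATE/$(printf '%s' "$1" | tr '/:' '__')"; }

add_rules() {
    addr=$1; cn=$2; f=$(state_file "$addr")
    mkdir -p "$STATE"; : > "$f"
    for dst in $(allowed_for "$cn"); do
        rule="-s $addr -d $dst -j ACCEPT"
        $IPTABLES -A "$CHAIN" $rule
        echo "$rule" >> "$f"             # remembered so delete can undo it
    done
}

del_rules() {
    f=$(state_file "$1")
    [ -f "$f" ] || return 0              # nothing was added for this address
    while read -r rule; do
        $IPTABLES -D "$CHAIN" $rule
    done < "$f"
    rm -f "$f"
}

# learn_address OP ADDR [CN]; a non-zero exit shows up in the server log as a
# learn-address script failure
learn_address() {
    op=$1; addr=$2; cn=${3:-}
    case $op in
        add)    add_rules "$addr" "$cn" ;;
        update) del_rules "$addr"; add_rules "$addr" "$cn" ;;  # address now belongs to (maybe) another CN
        delete) del_rules "$addr" ;;
        *)      return 1 ;;
    esac
}

if [ $# -ge 2 ]; then
    learn_address "$@"
fi
```

For a dry run, set IPTABLES to a shell function that echoes its arguments and STATE to a temp dir, then call learn_address add 10.8.0.50 branch-office by hand. With the real iptables it runs as root from OpenVPN; `iptables -S ovpn-clients` then follows connects and disconnects, and an iroute'd LAN shows up as a second learned address with its own rules.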
easy-rsa#1: easy-rsa is a certificate generation utility.
#2: Download here: https://github.com/OpenVPN/easy-rsa/downloads
#3: https://community.openvpn.net/openvpn/wiki/EasyRSA
easy-rsa-unixhttp://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux
easyrsa#1: easy-rsa is a certificate generation utility.
#2: Download here: https://github.com/OpenVPN/easy-rsa/releases
#3: Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master.
#4: Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
easyrsa-ngTo track development or usage of the next-gen Easy-RSA codebase with improvements to the original, see http://pekster.sdf.org/code/projects/easyrsa3.html . Be aware this code is beta , but is usable as it stands now. Send suggestions/comments to pekster.
ebtablesLinux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables
ecristhttp://www.youtube.com/watch?v=0Veqz8W98iA
effortIf you are not willing to put the effort into gathering information and trying to figure out your problem we are not willing to help you with it
enable-passwd-save--enable-passwd-save is enabled on windows builds starting with 2.2 preview 8 and will be default going forward from 2.2 release
encryptionWhy symmetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
enterThe enter key is not a punctuation mark.
entropyhttps://www.youtube.com/watch?v=95N2KXqH5cs for a nice talk that explains some nice info on rsa factoring, especially why you need good entropy sources
epel5Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F
eurephiahttp://www.eurephia.net/
external_routessee !route_outside_openvpn
facthacksFor an ~hour long talk on entropy in embedded solutions, see: http://www.youtube.com/watch?v=IuSnY_O8DqQ
factoidsA semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
fail2banin linux you can replace fail2ban (and its background process) with netfilter's hashlimit match. Count only NEW connections (matching every packet would make an established ssh session trip the limit after 5 packets) and follow the rule with a DROP, since traffic the ACCEPT rule does not match otherwise just falls through to whatever rule comes next: iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT ; iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP . The /24 mask means an attacker's neighbours get locked out along with them.
faq#1: http://openvpn.net/index.php/documentation/faq.html
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
fbsdbridgehttp://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd
fbsdipforwardset gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd across reboots; sysctl net.inet.ip.forwarding=1 turns it on right now
fbsdjail<thei0s> krzie: if you are interested in the solution: I needed to add to the host's rc.conf the creation of the tun0 device, create a special devfs ruleset with tun0 unhidden, configure that it is used in the devfs mount point inside the chroot in my jail and specify the openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
fbsdnatnat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF)
festivusfor the rest of us
firestarterif you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help
firewall#1: please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info
#2: see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
#3: Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
forum#1: The official OpenVPN support forum is available at http://forums.openvpn.net
#2: you can join #OpenVPN-Forum to see the forum-feed announcements if you want to.
forwardsecurity#1: in server/client (TLS) mode the data-channel key is replaced at every renegotiation, hourly by default (--reneg-sec 3600), so someone who captured your traffic and later obtains a session key can only decrypt the window since the last renegotiation; and when the TLS handshake uses an ephemeral DHE/ECDHE key exchange (the reason the server has a --dh file) even a stolen certificate private key does not recover old session keys
#2: in ptp mode (--secret static key) there is no renegotiation and no forward secrecy: if someone gets the key they can decrypt ANY past traffic they captured
fragmenthttp://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting FRAG_IN error
freebsdhttp://www.secure-computing.net/wiki/index.php/OpenVPN_Server
freebsdnatsee !fbsdnat
freevpnhttp://www.vpnbook.com/ has free openvpn accounts. we can not speak for anything about them, but hey its free
fridayIt's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully.
frozentux#1: Frozentux Netfilter/iptables tutorial at: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
#2: If you want to do port-forwarding (aka DNAT) check out the relevant DNAT section of that tutorial
#3: theres another NAT tutorial at http://www.karlrupp.net/en/computer/nat_tutorial
gentoo#1: http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
#2: Gentoo will update /etc/resolv.conf automatically if started via /etc/init.d/openvpn. To disable this, set PEER_DNS="no" in /etc/conf.d/openvpn
gigabithttps://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
git#1: For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git
#2: For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git
#3: Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi
#4: See !git-doc how to use git
git-doc#1: For a good git documentation, see http://progit.org/book/
#2: For a very quick git crash course, see https://community.openvpn.net/openvpn/wiki/GitCrashCourse
goalPlease clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
googleauthhttp://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/
gui#1: The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues
#2: If you're having problems starting OpenVPN through an unofficial GUI, try launching it on the command line; if that works, the GUI is your problem
gvpehttp://software.schmorp.de/pkg/gvpe.html <Bushmills> Unlike other "virtual private network" solutions which merely create a single tunnel, GVPE creates a real network with multiple endpoints. Free, open source, for *nixes, meant for those looking for a vpn with direct peer connections, those who'd be sent to hamachi otherwise.
hardeninghttps://community.openvpn.net/openvpn/wiki/Hardening
heartbleed#1: only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl
#2: if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised.
#3: android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected.
#4: https://community.openvpn.net/openvpn/wiki/heartbleed
#5: http://xkcd.com/1354/
helpMy owner did not give me a help command
hmac#1: The tls-auth directive adds an HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing, which keeps unauthenticated peers away from the TLS stack entirely (see !heartbleed for why that matters). The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS.
#2: `openvpn --genkey --secret ta.key` makes the shared HMAC key. Put the same ta.key on the server and every client, with `tls-auth ta.key 0` in server.conf and `tls-auth ta.key 1` in the client configs (the key-direction number must differ between the two ends)
hotpotatoif you have 2 uplinks and the traffic comes in one and out the other you have hot potato routing. read this: http://www.rjsystems.nl/en/2100-adv-routing.php
howsecurityworksauthentication can rest on something you have (certificates, usb tokens), something you know (passwords) or something you are (biometrics); for real security combine more than one. If you save the password to a file (!pwfile) you turn something you know into something you have, which defeats the point of adding a password on top of the cert
howto#1: OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!
#2: http://www.secure-computing.net/openvpn/howto.php for a mirror
ifconfig--ifconfig l rn sets the TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
ifconfig-linuxAvoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
inline#1: Inline files (e.g. <ca> ... </ca>) are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV
#2: https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
insanitydoing the same thing over and over expecting different results
interface#1: paste the interface configuration from both client and server, once while disconnected and once while connected. Also add the routing tables for both situations, from the client and from the server
#2: For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6)
#3: For Unix: iface: 'ifconfig -a' routing: 'netstat -rn'
#4: For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
intro-to-pkiFor an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
ipadsee !iphone
ipforward#1: ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
#2: please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
iphone#1: OpenVPN Connect is now available for iOS in the App Store (see also: !connect)
#2: https://community.openvpn.net/openvpn/wiki/IOSinline
iporder#1: OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice).
#2: Use --client-config-dir file for static IP (next choice) !static for more info
#3: Use --ifconfig-pool allocation for dynamic IP (last choice)
#4: if you use --ifconfig-pool-persist see !ipp
ipp#1: the option --ifconfig-pool-persist ipp.txt does NOT create static ips
#2: Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
iptables#1: To test whether netfilter ("iptables rules") is your problem, flush every chain and set the policies to ACCEPT, then retest. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this.
#2: See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG
#3: These are just the basics to get you started as firewall design is beyond this channel's scope; you can also see #netfilter
iptables-rulesWhen posting iptables rules, please use the `iptables-save` syntax as it is easiest to read. While we try to be helpful, #netfilter may be more appropriate for complex netfilter issues
ipv6#1: The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6
#2: The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
ipv6_transportuse --proto udp6
irchttp://www.irchelp.org/irchelp/irctutorial.html
irclogsChannel logs are available at http://secure-computing.net/logs/openvpn.log and http://secure-computing.net/logs/openvpn-devel.log and are updated every three hours.
ircstats#1: See http://secure-computing.net/logs/openvpn.html for all-time IRC stats.
#2: See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
iroutedoes not bypass or alter the kernel's routing table; it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
karmanick++ adds karma, nick-- adds bad karma, as seen in !ircstats
keepalive#1: see --keepalive in the manual for how to make clients retry connecting if they get disconnected.
#2: basically it is a wrapper for managing --ping and --ping-restart in server/client mode
#3: if you use this, don't use --tls-exit and also avoid --single-session and --inactive
#4: Also beware of --auth-nocache for automated reconnects
keyshttp://openvpn.net/howto#pki
kindleOpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android
kissKeep It Simple Stupid
krzee#1: krzee says happy 4/20
#2: http://www.ircpimps.org/pics/krzee/blunt.jpg
#3: location: moon base where he smokes moonajuana
#4: takes bonghits on the freeswitch teleconference
lanshttps://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
lartcLARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
layer2#1: you are using tap, what specific layer2 protocol do you need to work over the vpn?
#2: Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better
#3: protocols that use layer2 communicate by MAC address, not IP address
ldap_iptablessee http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
license#1: OpenVPN 2 is a GPLv2 project and can be distributed, modified, and used under the GPLv2 license.
#2: Note that any commercial products are under their own EULA; these include AS, Connect, and any services provided by 'OpenVPN Technologies, Inc.' These are not maintained by the open-source community.
#3: The website is somewhat confusing on purpose to lead you to the non-free Access Server stuff. OpenVPN is fully GPL with no fees required for use under that license. If you want to download the GPL openvpn see !download
linipforward#1: echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (until reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for a permanent solution
#2: chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
#3: you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
linnat#1: for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#2: to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>
#3: http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
#4: for openvz see !openvzlinnat
linportforward#1: to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the client's VPN ip)
#2: iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>
#3: iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
lintrafaccnthttp://www.catonmat.net/blog/traffic-accounting-with-iptables/ for a walkthrough on using iptables for traffic accounting
listen-ipv6use --proto tcp6 or --proto udp6 ... and it *must* be the development version (!snapshots) ... 2.2.x and earlier don't support this
locala flag for --redirect-gateway. Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
logfile#1: If you want logging you can easily just specify your own logfile with: log /path/to/logfile
#2: openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout.
#3: verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
logs#1: please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked)
#2: In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log
#3: In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard
#4: if you don't know how to find your logs, see !logfile
lovehttp://secure-computing.net/files/zebra.jpg
macUse Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
mactuntaphttp://tuntaposx.sourceforge.net/ for osX tuntap drivers
magicFor a story about magic read http://www.catb.org/jargon/html/magic-story.html
mail#1: http://sourceforge.net/mail/?group_id=48978
#2: http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
mailinglist#1: User's mailing list: http://thread.gmane.org/gmane.network.openvpn.user
#2: Developer's mailing list: http://thread.gmane.org/gmane.network.openvpn.devel
man#1: For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/
#2: the man pages are your friend!
#3: Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
management#1: see http://openvpn.net/management for doc on management interface
#2: read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
#3: Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
mbufsee http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you have ruled out a routing loop as the cause of the error: MULTI: packet dropped due to output saturation (multi_add_mbuf)
meetingsOpenVPN developers meetings are usually held on Thursdays @ 18:00 UTC. Ask mattock or dazo for latest info. Meeting agendas and minutes are here: https://community.openvpn.net/openvpn/wiki/IrcMeetings
menu#1: please use '!factoids search *'
#2: you can leave it a * to see all, or replace it with a word to search for
#3: or type !factoids to see a complete list
mesh#1: openvpn does not do mesh networking
#2: see !rip
#3: check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
mgmt#1: http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
#2: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
mime-typeOpenVPN configuration files (.ovpn) should have the MIME type application/x-openvpn-profile
mirror#1: http://openvpn.scarydevilmonastery.net for a mirror of the docs
#2: http://www.secure-computing.net/openvpn/ for another
mitm#1: http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially
#2: use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
#3: then use: remote-cert-tls server in the client config
msg#1: to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key>
#2: so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs
#3: you can also just see !factoids for a link to the full list of what the bot knows
mtu#1: see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
#2: mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
mtu-testyou can just use --mtu-test on the client to see what the best mtu for your connection is
multi_process_incoming_tunhttp://blog.tuinslak.org/2010/03/openvpn-packet-drops/
multiple_casee !cert_chains
nagioshttp://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/ for info on hooking openvpn into nagios
nat#1: http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
#3: don't forget to turn on ip forwarding
#4: please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
nathacksee https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
net101http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example
net30"/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
netfilterUnder Linux, use `iptables-save` to show firewall rulesets (add -c to include counters.) Do not use iptables -L as it is incomplete & often lies. #netfilter is more on-topic for detailed help.
netman#1: if you are using network manager for linux to configure your vpn, don't! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mailing list
#2: Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
new#1: New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto
#2: You can type each of the !commands in this chat and our bot will provide useful references and info
#3: you can see the full factoids list at !factoids
new_win_guihttp://sourceforge.net/projects/openvpn-gui/ is the upstream project for the new windows gui
no_as#1: go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server)
#2: not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
nobindDo not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
nocert#1: to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required
#2: to know more, read about those config options in the manual (!man)
nodnsif you can ping 8.8.8.8 but not google.com (host lookup failure) then you need to either change your client's DNS server to something open to the world (see !dns) or set your vpn server to push a nameserver that it can reach from the server's ip (see !pushdns)
noenc#1: if you're going to disable encryption, you might as well build a GRE tunnel
#2: Reference --cipher in the manpage (--auth may also be useful to review)
nomhttp://secure-computing.net/files/om_nom_nom.jpg
nopaste"pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) e.g. www.pastebin.ca
nopull"route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
noroot"unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
notcompat#1: IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible.
#2: OpenVPN connects only to OpenVPN
notopenvpnyour problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
notovpn#1: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
#2: sorry, but we don't care. this channel is only for help with openvpn.
nsupdatehttp://scarydevilmonastery.net/client_connect_nsupdate for a script Bushmills wrote to solve the question How can my vpn update my nameserver?
obfs#1: if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols
#2: http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
#3: in client/server mode an admin can know that openvpn is being used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
obfsproxy#1: For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148
#2: See also !obfs. The link to TrafficObfuscation also contains a setup example
obsdnatpass out on $ext_if from $vpn_network to any nat-to <IP ADDRESS>
obsdtaphttp://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways)
openbsdnat#1: pass out on $ext_if from 10.8.0.0/24 to any nat-to servers.public.ip && pass in quick proto tcp from any to port 1194 keep state label openvpn && pass quick on $vpn_if keep state
#2: see !fbsdnat
opendnsYou should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
openvz#1: http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn
#2: It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
openvznat#1: a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP>
#2: someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
openwrtIn OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
osx#1: Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/
#2: Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
osxboothttp://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes for how to run commands on boot in osX; you can change a single line in the StaticRoutes file to make it start OpenVPN
osxipforward#1: sysctl -w net.inet.ip.forwarding=1 for a temp solution
#2: add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
otherprojectshttps://community.openvpn.net/openvpn/wiki/RelatedProjects for links to other projects
ovpn#1: OpenVPN GUI will load config files with a .ovpn extension when double-clicked.
#2: this is the same config file format as the standard .conf , just renamed to prevent extension collisions on Windows
p12openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
p2p"statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward secrecy. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
pam-mysqlin order to use pam-mysql with openvpn on FreeBSD (and maybe other OSes) you need to patch it. http://techtots.blogspot.ro/2010/01/openvpn-with-pammysql-usernamepassword.html
passwordFor a good guideline on generating strong passwords, read http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
password-onlyhttp://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
paste"pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
pastebin#1: please paste anything with more than 5 lines into a pastebin site
#2: https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups
#3: If you're pasting config files, see !configs for grep syntax to remove comments
#4: gist allows multiple files per paste, useful if you have several files to show
path#1: use full paths in your config!
#2: if you use windows, see !winpath
petepete and repeat were on a boat, pete fell off, who was still on the boat?
pfnatnat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
pfsense#1: don't use the web gui for configuring openvpn, you need to understand the config and logfiles
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
pingOnly one. http://www.youtube.com/watch?v=jr0JaXfKj68
pki#1: http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
#2: Here's a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that the other side's cert was signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert)
#3: See !certman for various PKI management frontends
polarssl#1: https://polarssl.org/core-features polarssl is an alternative to openssl which openvpn supports. it is open source, small with clean code, and made for the embedded world. openvpn connect (ios,android) uses this instead of openssl.
#2: https://community.openvpn.net/openvpn/wiki/UsingPolarSSL
policy#1: http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
#3: dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
port-shareWhen run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not implemented on Windows.
ppp_defaultrouteif your otherwise working openvpn config can not redirect-gateway because its default gateway is ppp and openvpn complains it can not find the default gateway; you can try this: http://blog.wsensors.com/2011/04/openvpn-and-ppp-on-linux-vpn-traffic-forwarding-default-gateway-fix/
pptp#1: PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about why to not use pptp
#2: Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security
#3: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
previewsUnofficial bleeding-edge feature previews for Windows can be found at this project page: https://bitbucket.org/QueuingKoala/openvpn-previews/wiki
privatetunnelgo to support@privatetunnel.com for support!
privledgesjust choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup, and if it is the server add: persist-key and persist-tun
provider#1: We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team.
#2: Please contact their support team.
psk"statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward secrecy. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
psychicWe're not psychic -- please !paste your !configs and !logs and a description of the issue
pt"privatetunnel" is go to support@privatetunnel.com for support!
pushusage: push <command>, goes in the server config and makes the command act as if it were in the client config; can be used in ccd entries
push-resetDon't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
pushdns#1: push dhcp-option DNS a.b.c.d to push dns to the client
#2: For pushing DNS to a Windows client, see: !windns
#3: Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage
#4: For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
pwfile#1: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
#2: see --auth-user-pass in the manual (!man) for more info
#3: if you're using this with the windows service, you will need --askpass
qnxhttps://forums.openvpn.net/topic2449.html for the qnx6 port of openvpn
quietopenssl#1: see http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html and read 'man req' to see how to make openssl not prompt you
#2: also see !ssl-admin for a sweet tool for managing your certs
randomsubnet#1: http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet
#2: If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
read<krzee> I've been known to overreact when people look for 2 minutes and ask me to explain it to them
redactPlease don't redact or change things (hostname, port, CNs, etc) when you !paste your !configs and !logs. It's a lot easier for us to debug if we're seeing the same thing you are.
redirect#1: to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
#2: you may need to use a different dns server when redirecting gateway, see !dns or !pushdns
#3: if using ipv6 try: route-ipv6 2000::/3
#4: Handy troubleshooting flowchart: http://ircpimps.org/redirect.png | http://pekster.sdf.org/misc/redirect.png
redirect-policyIf you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. Note that this is a somewhat advanced networking topic.
redirect_ignoreyou can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
redirect_ips#1: https://forums.openvpn.net/topic8559.html for more info on giving users their own internet routable IPs
#2: it is also possible to directly hand out the ips from --server, jjk explains how to do this in his book (!book) which krzee highly recommends reading
refundIf you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
release-noteshttp://openvpn.net/index.php/open-source/documentation/release-notes.html
remapBy default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_').
reneg#1: by default (in client/server mode) openvpn will renegotiate the tls key hourly. this can be adjusted with the --reneg option
#2: this should not be disabled as it is important for !forwardsecurity
repoopenvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
rfc1918"1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
rhelsee !epel5
riphttp://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
roadmaphttps://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
rocksNobody around but us rocks! Please go ahead and ask your question, and be patient - somebody helpful will eventually perk up.
rollupSee !win_rollup
route#1: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it, DON'T SKIM IT
#2: READ IT, DON'T SKIM IT!
#3: See !tcpip for a basic networking guide
#4: See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
route-nopullIf you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
route_outside_openvpn#1: If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route
#2: Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_outside_ovpn"route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_override#1: https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet
#2: to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
routebyapp#1: if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
#2: Alternatively, read up about Policy Routing to make routing decisions based on defined policies you set. For Linux, read about !lartc
routerif you are using one of those hacked up linksys linux routers, and you are not logging... don't expect help until you turn on logging so you can post the logs
ruleshttp://secure-computing.net/openvpn/openvpn.php for channel guidelines.
samba#1: http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge
#2: http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
samesubnet#1: clients can not reach the lan a server pushes if they are on the same subnet themselves. you can only reach your own subnet on layer2 or through your gateway, so when a route for it arrives over the vpn you will try to reach your gateway over the vpn, which dies because you can't reach your gateway
#2: you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the subnet
sample#1: http://www.ircpimps.org/openvpn.configs for a working sample config
#2: DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
#3: these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
sayNO! you're not the boss of me!
scale#1: OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process.
#2: Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto.
#3: Both of these issues can be handled by running multiple server instances (on several IPs or ports) and having clients round-robin between them
scaredhttp://www.youtube.com/watch?v=P_WI0VI7aIw
scriptSee SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
scripting"script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
scripts"script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
secretfunny that people use free programs, consult free help for them, run a business with them, but are not allowed to say what they do.
secure#1: http://openvpn.net/howto.html#security for hardening
#2: http://openvpn.net/index.php/documentation/security-overview.html for security overview
security"secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
servercert#1: openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key
#2: or just use build-key-server in easy-rsa
#3: this will help with !mitm
serverlan#1: for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn)
#2: see !route for a better explanation
#3: Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png | http://pekster.sdf.org/misc/serverlan.png
shapingto enable traffic shaping on clients, you do this in your firewall. it is unrelated to openvpn. it is called QoS, and in linux you would set it up with tc alongside your iptables rules (see !lartc)
shorewallhttp://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls.
shotgun#1: the most effective form of physical security
#2: <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
slowesxi<pyther> seems as if there is some type of bug with the vmxnet3 network module, so I just switched to the e1000 module, the vpn box is a virtual machine on vmware esxi. http://nwsmith.blogspot.com/2010/07/patching-vmxnet-to-disable-lro.html <pyther> something about disabling LRO
smart14:50:56 < jnewt_> in other words, i see the information you're giving me, but don't have the brains to apply it.
snapshots#1: weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
#2: by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
sockdif you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because it's expected to run inside openvpn
solarishttp://www.whiteboard.ne.jp/~admin2/tuntap/ for the solaris tuntap driver, good luck... I've heard mixed reviews. let us know how it works for you
someclient2client"policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
speed#1: Having speed problems? The following suggestions may help.
#2: OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded)
#3: Prefer UDP over TCP (see !tcp)
#4: MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues
#5: iface txqueuelen often needs to be >100 on fast and/or latent links
#6: latent/slow links don't magically get better with openvpn
#7: less likely are issues with bad TCP window scaling or the sliding window; generally, don't second-guess TCP (in openvpn or your OS knobs)
#8: Prefer tun over tap (see !tunortap and !whybridge)
splitdnssee http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
splitroute#1: https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet
#2: see !route_override for how to override --redirect-gateway for a certain subnet
spoonfeedinghttp://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
ssl-admin#1: if you use freebsd, it is in ports
#2: svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
#3: A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
ssl-admin 1http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
static#1: use --ifconfig-push in a ccd entry for a static ip for the vpn client
#2: example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 ; example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0
#3: also see !ccd and !iporder
#4: with static IPs, limit your --ifconfig-pool to exclude the static range
#5: See also: !addressing
static-keywhen you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default
static_key_detailshttp://svn.openvpn.net/projects/openvpn/web/trunk/faq-static-key-explanation.txt for an explanation of how static key files are used
statickey#1: you can use static keys by using --secret </path/to/key>
#2: static keys only work for ptp links, not client/server. They also do not provide forward secrecy. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time.
#3: see !forwardsecurity for more info
status#1: You can use the --status directive to write to a status file to show the list of currently connected clients. This list can be sent to stdout (or your defined !log mechanism) with a USR2 signal as well.
#2: See also !management
strip-passphrasesee http://blog.lib.umn.edu/silvi003/codenotes/2008/08/how_to_strip_a_passphrase_from.html to learn how to strip a passphrase from a key file
subnet#1: http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
#2: Want a random subnet generator? See: !randomsubnet
#3: You may be looking for !toplogy
subscriptionhttps://www.tunnelr.com has a slick interface and costs $7/mo , or https://www.openvpn.net/index.php/ for the pay software from openvpn technologies
sudowinhttp://sourceforge.net/projects/sudowin/
supybothttp://supybook.fealdia.org/devel/#_adding_a_new_user
suseYou EITHER! (see !ubuntu)
sweethttp://sweet.nodns4.us/ =(
tap#1: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses.
#2: For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
tcp#1: Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea.
#2: http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
#3: if you must use tcp, you likely want --tcp-nodelay
tcp_nodelay<EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
tcpdump#1: tcpdump is a great troubleshooting tool (Wireshark or the tshark.exe CLI tools for Windows.) To start, try a syntax like `tcpdump -pni ifWhatever`
#2: You can also add filters to the command, like 'icmp' or 'udp port 1194' and the like. Consult the tcpdump docs for details.
tcpiphttp://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
tcptcp"tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
testing"snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
ticketCreate a trouble ticket by going to https://community.openvpn.net/ , registering and logging in
timeif you see VERIFY ERROR: depth=1, error=certificate is not yet valid: then make sure you update the clocks of your client,server,ca via ntp
timeoutif you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isn't running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or the client's isp blocks it
tls-auth"hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static key; in the configs use: tls-auth ta.key N, where N is 0 for the server or 1 for the client
tls-cipherhttp://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
toolshttps://www.secure-computing.net/ip.php
topicsee /topic instead.
topology#1: it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions.
#2: Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets.
#3: details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
topsecret#1: if your setup is so top secret that you can't post your configs or logs, please leave now and go find support you trust.
#2: Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
trac#1: see https://community.openvpn.net for development information and bug tracker.
#2: if you have a forum login, use that for trac, it's the same database.
triplehandshake<mattock> here's a page about the TLS Triple Handshake Vulnerability: https://community.openvpn.net/openvpn/wiki/TLSTripleHandshakeVulnerabilityAndOpenVPN
tunnelblickhttp://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
tunortap#1: you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun.
#2: and if your reason for wanting tap is windows shares, see !wins or use DNS
#3: remember layer2 has no security, arp poisoning works over tap vpns
#4: lan gaming? use tap!
#5: Normal Android/iOS devices (not rooted/jailbroken) support only tun
ubuntudon't use network manager!
uci"openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
unixa text adventure, and the only cheat mode is to ask in IRC, where to start reading
unprivsee https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
vagueIf you tell us you have an error or failure or problem, we'll tell you no more than that something is wrong. You might want to review !ask for help learning how to ask questions to get more on-target answers
vampirePlease don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. http://slash7.com/2006/12/22/vampires/
verb#1: verb command is for setting log verbosity, see --verb in the manual (!man) for more info
#2: verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage.
#3: Anything more than 5 is for developer debugging only
verify#1: If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt`
#2: Note that this requires you to manually transfer the remote certificate to the local system for testing
#3: You can also manually check issuer fingerprints with detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
version15"version_15" is (#1) If you get unknown IP version=15 in your logs, first check for mis-matched --comp-lzo settings. Then assume an app/kernel on your client is at fault by generating trash itself: http://www.docunext.com/blog/2013/02/ip-packet-with-unknown-ip-version-15-seen.html or (#2) http://www.toofishes.net/blog/openvpn-and-aoe-interaction/
version_15#1: If you get unknown IP version=15 in your logs, first check for mis-matched --comp-lzo settings. Then assume an app/kernel on your client is at fault by generating trash itself: http://www.docunext.com/blog/2013/02/ip-packet-with-unknown-ip-version-15-seen.html
#2: http://www.toofishes.net/blog/openvpn-and-aoe-interaction/
vista13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using a windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
vpnhttp://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
vpnHelper"bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
walkthroughif you are using some walkthrough and now you are here because you have problems and don't understand your setup, type !howto and !man and try to actually learn what you're doing. most of those docs about openvpn from google SUCK.
webgui#1: http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback
#2: http://sourceforge.net/projects/openvpn-status/ also please let us know if you use that
welcome#1: Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm
#2: Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
whining< MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you.
whybecause screw you, that's why.
whybridge#1: you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun.
#2: See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
#3: See also !tunortap
wiki#1: http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki
#2: https://community.openvpn.net/openvpn/wiki for the Official wiki
willWhere there's a will, there's /away
win-dnsFrom cmd.exe: if ipconfig /all shows the proper DNS server address assigned to the tap device... Please choose !win-dns-xp or !win-dns-vista-7
win-dns-vista-7click start -> control panel -> network and sharing center -> change adapter settings -> <ALT> -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list
win-dns-xpclick start -> control panel -> network connections -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list.
win2k8Server 2008 assigns the OpenVPN TAP Adapter v9 as an Unidentified network which the default Local Security Policy of Server 2008 assigns as being a Public Interface with restricted access. To fix it do this: Go into Control Panel / Administrative Tools / Local Security Policy / Network List Manager Policies / Unidentified Networks. Set Location Type to Private.
win7http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/8a3e9b05-353b-4250-a023-066a085e9657 for a workaround to the windows 7 unidentified network issue you get when using redirect-gateway
win_buildhttps://community.openvpn.net/openvpn/wiki/BuildingOnWindows for mattock's doc on building openvpn on windows
win_ipfailif the adapter fails to set the IP properly, check that the DHCP Client service and the tap-win32 adapter are both enabled.
win_noadmin#1: http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
#2: and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
win_rollupplease see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
win_tcplimitsee http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients
windns#1: http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
#2: http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
#3: http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
windows#1: computers are like air conditioners, they work well until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
windows_mobilehttp://ovpnppc.ziggurat29.com/ovpnppc-files.htm for windows mobile builds of openvpn
windows_problems#1: PCs are like air conditioners - they work fine until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
winipforwardhttp://support.microsoft.com/kb/315236 to enable ip forwarding on windows
winnat#1: http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
#2: http://www.nanodocumet.com/?p=14 for windows XP
#3: https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
winpassOpenVPN GUI for Windows has a change password feature that will change the passphrase on your .key files
winpath#1: Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
#2: also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
winroute#1: in windows if the route cannot be added, try route-method exe in your config file
#2: many users also report it helps to add route-delay to give the interface extra time to get up
#3: you may need to turn off routing and remote access in administrative tools - routing and remote access
#4: make sure you are running openvpn as admin
#5: you might also want to read this and try these solutions by trial and error: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
winshttp://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
winscripta user reported that his --up script was not executed in windows gui. his config was bps.ovpn, he renamed the script to bps_up.bat and put it in the dir with his config... then it worked!
winshortcutTo start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe" --config_dir "C:\path\to\config" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
winsudo"sudowin" is http://sourceforge.net/projects/sudowin/
wintaphide#1: in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then look through each sub-key for one with DriverDesc = TAP-Win32 Adapter V8 . Set Characteristics = 0x89
#2: To show again, set it to 0x81
wireless#1: if you are getting replay errors while on wireless, see --mute-replay-warnings in the manual (!man)
#2: if you are securing your wireless using openvpn, see !local
wisdomWe can only provide you with the information. We are not, unfortunately, able to make you understand it.
wishlisthttps://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
womansee !man but with a monthly attitude :D
xca#1: XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa.
#2: Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
xyhttp://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
42the answer to life, the universe, and everything.
101This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
1918#1: RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
#2: see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
#3: Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
#4: See !5737 for addresses to use for examples and documentation
5737Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
© Copyright 1997-2014 Secure Computing Networks & Eric F Crist