Secure Computing Logo
Secure Computing Networks
You're using IPv4 from: 172.70.174.135 (Reverse resolution failed.)
HomeWikiOpenVPN DocsPing TestTracerouteWhois
My IP
Page last updated Thursday, 28 Mar 2024 15:19:22 -18000 (496 keys, 823 factoids)
KeyFactoid
#1: as OpenVPN Access Server users can use https://support.openvpn.net/ for support. All other Access Server, OpenVPN Connect and Private Tunnel users will be supported in the forums: https://forums.openvpn.net/
#2: as The #openvpn-as channel is no longer in active use
#3: as OpenVPN Access Server users can use https://support.openvpn.net/ for support. All other Access Server and OpenVPN Connect will be supported in the forums: https://openv.pn/supforums
--OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
/30#1: https://openv.pn/net30 explains why routed clients use 4 ips each
#2: you can avoid this behavior by reading !topology
1waya 1-way ping between client and server usually indicates that you have a firewall problem on the end that cannot be pinged but is able to ping the other side
2.1-winpass-scripthttp://article.gmane.org/gmane.network.openvpn.user/24575
24changeshttps://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst
25/8God Save the Queen! This IP block is assigned for use by the UK Ministry of Defense. If it's used by someone not the UK MoD, they're probably trying (and failing) to be clever. If you're doing this, use RFC1918 space (see: !randomsubnet for ideas.) Or better, use IPv6.
AS#1: OpenVPN Access Server users can use https://support.openvpn.net/ for support. All other Access Server and OpenVPN Connect will be supported in the forums: https://openv.pn/supforums
#2: PrivateTunnel users will be supported here: https://support.privatetunnel.com/
#3: OpenVPN Access Server, Connect and PrivateTunnel are commercial offerings by OpenVPN Inc
ECDHESee syzzer's writeup at https://gitlab.com/dazo/openvpn/blob/master/README.ec
ECDSAsee !ECDHE
EugeneKayright because EugeneKay is always right.
UACOn Windows >=Vista, you can check if UAC is on (0x1) or off (0x0) with this command: reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
access-serverSee !AS
accountingSome shell code for basic user accounting on connect/disconnect: https://github.com/QueuingKoala/openvpn-dynamic/tree/master/user-accounting
activedirectoryCan be done using LDAP integration
adsee !activedirectory
addressingFor information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
advanced_routinghttps://github.com/knorrie/network-examples/blob/master/README.md for a tutorial on how to learn OSPF and BGP
all#1: please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
#2: For more detailed instructions, look to: !logs !configs !interface
allinfoPlease type !goal !configs !logs and !interface to see all the info we want to be able to help you
android#1: available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html
#2: Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android
#3: For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title
android availableOpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html
android-old#1: If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market
#2: Standalone OpenVPN binaries (expert users only) for Android are also available at http://plai.de/android/standalone-binaries.tar
androidapiif you see vpn api permission dialog ignored in your android log, you may have a program that manipulates the screen (eg: twilight) messing with you https://community.f-secure.com/t5/F-Secure/Android-Lollipop-Cannot-select/td-p/64502
androidsource#1: The source for OpenVPN For Android is here: http://code.google.com/p/ics-openvpn/source/checkout
#2: The source for some of OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/
anonhttps://www.goldenfrog.com/blog/myths-about-vpn-logging-and-anonymity
asbestosas best os: freebsd sukka! (according to krzee)
ask#1: don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc
#2: See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html
#3: if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
authenticationhttps://community.openvpn.net/openvpn/wiki/Concepts-Authentication
authpass#1: please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
#2: or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
#3: and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
awsZiber> So, in the AWS console, you can disable 'source/destination checks', which allow you to route outside of the VPC. Which is a LAN-ception concept, that's isolated beyond belief.
badtimeif !certverify shows you error 9 at 1 depth lookup:certificate is not yet valid. You need to check the times/dates/years/timezones on the machines, including the CA
basicif you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first
bcast#1: pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup
#2: http://www.hanksoft.de/service/46-udpbroadcastforwarder seems to be a windows program for relaying bcast (use google translate if needed)
beerwhat's for dinner (and occasionally breakfast)
bestos#1: the best os for openvpn is the one you are most comfortable with
#2: FreeBSD. Always FreeBSD.
blame#1: According to Bushmills, it's always krzee's fault
#2: According to krzee, it's always dazo's fault
#3: and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments
#4: cron2 says its always d12fk's fault (and sometimes the customers)
#5: if it is crypto blame syzzer and plai for acking
#6: <+DArqueBishop> I meant, I wanted to see an entry under blame referring to tun/tap. ;-)
block-outside-dns#1: in windows this option blocks DNS servers on other non-VPN network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel.
#2: if you have a delay in DNS when using this in windows 10, a user fixed this problem by setting the network interface priority to 1 in powershell with: Set-NetIPInterface -InterfaceIndex 13 -InterfaceMetric 1 replace 13 with the index number from Get-NetIPInterface shows the Index
blockdns#1: --block-outside-dns is a Windows only option and there are no plans to add this for any other platforms. The reason is that it modifies the Windows Firewall on-the-fly
#2: You can achieve a similar functionality by using --up and --down (or using the down-root plugin) to manipulate the firewalls to deny DNS requests outside the VPN tunnel when it is running
blog#1: Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them.
#2: Also see !howto
#3: Posts found on secure-computing.net are written by knowledgeable people and are an exception to #1.
bonjourhttp://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to
book#1: http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
#2: Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
#3: Troubleshooting OpenVPN (April, 2017) by Eric Crist at https://www.packtpub.com/networking-and-servers/troubleshooting-openvpn
botI'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
both#1: If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
#2: if you dont have access to both sides, come back when you do
botsnackOm nom nom!
bottleneck#1: OpenVPN uses userland crypto unless you have HW accel available (as shown with `openvpn --show-engines`.) This means the CPU is frequently the performance bottleneck; remember that OVPN is single-threaded
#2: See also: !gigabit for ideas on advanced performance tuning options
bridge#1: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc
#2: http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ
#3: also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
#4: also see !whybridge
bridge-dhcphttp://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
bridge-fw"ebtables" is Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables
bridging#1: Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you
#2: See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
broadcast-relaya software that comes with pptp. use it in tun mode when needing broadcasts, and WINS isnt enough.
brokendns#1: Odds are you are using a nameserver that is not configured to allow requests from your VPN's server IP. When you redirect your internet over the vpn the nameserver sees you as coming from the server IP and stops responding to your dns queries. you can verify this by pinging 8.8.8.8, and can fix this by setting your nameserver to 8.8.8.8 (or any other publicly accessible dns server)
#2: you can make openvpn do this for you by seeing !pushdns
bsdnatsee !fbsdnat
bufferwhen you see write UDPv4: No buffer space available (code=55) you probably have a routing loop. the way to fix this is to get a book on basic networking, preferably a coloring book!
bugshttps://community.openvpn.net/openvpn if we tell you that you found a bug. go there, open an account, and file a bug report in trac (your forum login is good for the trac too)
c2c"client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other clients
callhttp://www.xmg.com/wp-content/uploads/2012/07/GB_Logo_New_MB_WIP-2.png
ccd#1: entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
#2: the ccd file is parsed each time the client connects.
#3: As an alternative you can push directives through a --client-connect script
centosSee !epel5
cert_chainshttps://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains ... JJK actually mentions that scenario in this page
certfightwhen you use 2 clients with the same certificate (and not using !dupe) your vpn will not work. your second client will knock off your first client, then your first will knock off the second (if you have !keepalive) and they will simply fight back and forth disconnecting over and over until a voice says FINISH HIM
certinforun `openssl x509 -in <file> -noout -text` for info from your cert file
certman#1: Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN.
#2: Other choices include: !xca, !ssladmin, and probably others online
certpw"change-passphrase" is see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
certs#1: use !easy-rsa-unix for easy-rsa
#2: use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
certverify#1: verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
#2: also make sure you use the same ca.crt on both sides by checking their md5
change-passphrasesee http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
changelogSee http://openvpn.net/index.php/open-source/documentation/change-log.html for the openvpn change logs
cidrhttps://subnettingpractice.com/cheatsheet.html for the cidr cheatsheet
cisco#1: An open-source client for Cisco SSL VPN is available from http://www.infradead.org/openconnect.html
#2: OpenConnect is availabe in FreeBSD ports in security/openconnect
client-connect--client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
client-to-clientwith this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other clients
clientlan#1: for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn)
#2: see !route for a better explanation
#3: Handy troubleshooting flowchart: http://www.ircpimps.org/clientlan.png
cloakTalk to ecrist if you want an OpenVPN user host cloak such as ircuser@openvpn/user/ircuser
cmdhelpIf you have problems with a command it's best to show us exactly what you did. Try a !paste of your command history that shows the issue.
commentyou can use ; or # to make comments in the config file
commercialPlease go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, Android Connect, etc
compif you see Bad LZO decompression header you have a mis-match in your comp-lzo settings. You need to be sure you have the same setting in all configs for comp-lzo, or that you dont have it in any configs.
compileInstructions for building OpenVPN on Windows can be found at http://community.openvpn.net/openvpn/wiki/BuildingOpenVPN-GUI
configs#1: please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version
#2: dont forget to include any ccd entries
#3: pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
#4: remove inline private key or tls-auth key before posting
conflict#1: It is best to avoid the followint RFC1918 address spaces due to their common usage: 192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/16.
#2: I've had good luck in the higher end of the 172.16.0.0/12, but choose something random-ish.
connect#1: OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide
#2: the source is here: https://github.com/OpenVPN/openvpn3 except for the portion that may not be released because of NDA with apple (for its vpn API)
#3: It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later
cpu"bottleneck" is (#1) OpenVPN uses userland crypto unless you have HW accel available (as shown with `openvpn --show-engines`.) This means the CPU is frequently the performance bottleneck; remember that OVPN is single-threaded or (#2) See also: !gigabit for ideas on advanced performance tuning options
crl#1: --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
#2: you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
#3: openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
crypto#1: For a guide comparing ECC to RSA see http://page.mi.fu-berlin.de/rhschulz/Krypto/RSA_or_ECC.pdf
#2: A speed comparison between ECC and RSA can be found at https://joneaves.wordpress.com/2004/04/18/ecc_and_rsa_speed_comparison/comment-page-1/
crystal#1: Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome.
#2: unless reiffert is here, his crystal ball is functional again
current#1: Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance.
#2: The current version of OpenVPN can be downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/
cuz"why" is because screw you, that's why.
daemonopenvpn starts in the foreground by default, with output going to the terminal. if you use --log then the output goes to the file instead of the terminal. with --daemon openvpn will go to the background after starting
dazhttp://www.eurephia.net/ for eurephia, an auth plugin supporting dynamic firewall updates
dazoThe project name krzee always forgets .... eurephia ... http://www.eurephia.net/
dd-wrt#1: While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN
#2: Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783
#3: more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
#4: And the security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
debatehttp://www.irreligion.org/wp-content/uploads/2011/02/Debate-Flow-Chart1.jpg
debianAlthough we are aware the Debian stable package repository has OpenVPN 2.1rc11, to offer support, we require users to run the current version of OpenVPN. See !download for information on where/how to obtain a recent release.
def1#1: used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
#2: please see --redirect-gateway in the man page ( !man ) to fully understand
#3: push "redirect-gateway def1"
devhttps://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
dh#1: build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
#2: openssl gendh [numbits]
dhcpredirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
diagramYou can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
dlink_static_routehttp://lizzi555.dyndns.org/655/StaticRoute.html for the workaround for issues adding static route into d-link router with A3 firmware
dmzLow end SOHO routers sometimes have a DMZ feature. This does NOT magically give your internal host a public IP, but is a form of fallthrough NAT. Such features may or may not operate as expected depending on the device; consult its documentation, not here, for details.
dns#1: Level3 open recursive DNS server at 4.2.2.[1-6]
#2: Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
#3: you might be looking for !pushdns
#4: See Also: https://secure-computing.net/files/dns.jpg
dnsbindhttp://dan.langille.org/2013/11/25/openvpn-and-dynamic-dns/ for a writeup on how the user used bind to serve a VPN/LAN domain and update it for vpn clients
dnsmasqhttp://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
doucheyhttp://catb.org/~esr/faqs/smart-questions.html#keepcool
douchy"douchey" is http://catb.org/~esr/faqs/smart-questions.html#keepcool
download#1: http://openvpn.net/index.php/download/community-downloads.html to download openvpn
#2: in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
dropje#1: Always listen to dropje
#2: well, dazo might not agree to the 'always' part always ... but .....
duhkOpenVPN is not vulnerable to DUHK. It does not use any hard coded keys, neither OpenSSL nor mbed TLS touches the broken ANSI X9.31 algorithm and both libraries does re-seeding on regular intervals. More details on DUHK: https://community.openvpn.net/openvpn/wiki/DUHKattack https://duhkattack.com/
dupe#1: see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended)
#2: instead, use !pki to make a cert for each user
duplicatethe option duplicate-cn is for allowing the same cert to login more than once. It should not be used in most situations, with main exceptions being if you also use !authpass or if just testing
duplicate-cn"dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
dynamicfirewallto learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
easy-rsa#1: easy-rsa is a certificate generation utility.
#2: Download here: https://github.com/OpenVPN/easy-rsa/releases
#3: Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
easy-rsa-unixhttp://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux
easyrsa#1: easy-rsa is a certificate generation utility.
#2: Download here: https://github.com/OpenVPN/easy-rsa/releases
#3: Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
#4: Source checkouts available from the github project.
easyrsa-ng"easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Source checkouts available from the github project; current official release download is 2.2.2 with 3.x code in git-master. or (#4) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA
ebtablesLinux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 works in linux and how to use ebtables
ecristhttp://www.youtube.com/watch?v=0Veqz8W98iA
effortIf you are not willing to put the effort into gathering information and trying to figure out your problem we are not willing to help you with it
enable-passwd-save--enable-passwd-save is enabled on windows builds starting with 2.2 preview 8 and will be default going forward from 2.2 release
encryptionWhy symetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
enterThe enter key is not a punctuation mark.
entropyhttps://www.youtube.com/watch?v=95N2KXqH5cs for a nice talk that explains some nice info on rsa factoring, especially why you need good entropy sources
epel5Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F
eurephiahttp://www.eurephia.net/
examplesThere are some useful examples in the OpenVPN HowTo: https://openvpn.net/index.php/open-source/documentation/howto.html#examples
extension#1: .ovpn is the windows file extension for openvpn configs
#2: the linux startup scripts are set to start every *.conf in /etc/openvpn/
external_routessee !route_outside_openvpn
facthacksFor an ~hour long talk on entropy in embedded solutions, see: http://www.youtube.com/watch?v=IuSnY_O8DqQ
factoidsA semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
fail2banin linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
faq#1: http://openvpn.net/index.php/documentation/faq.html
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
fbsdbridgehttp://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd
fbsdipforwardis set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
fbsdipfowardyou can do it with a running system with: sysctl net.inet.ip.forwarding=1; sysctl net.inet6.ip6.forwarding=1
fbsdjail<thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
fbsdnatnat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF)
festivusfor the rest of us
firestarterif you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help
firewall#1: please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info
#2: see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
#3: Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
#4: https://twitter.com/fronbasal/status/942537589017534464
flowcharts#1: from !serverlan http://www.ircpimps.org/serverlan.png
#2: from !clientlan http://www.ircpimps.org/clientlan.png
#3: from !redirect http://www.ircpimps.org/redirect.png
follow-the-packetTraffic not arriving where you expect? You'll need to figure out where it gets lost. Follow the packet at each hop , including through each interface on routers. Tools like !tcpdump (Wireshark for Windows) are quite useful here
forumThe official OpenVPN support forum is available at http://forums.openvpn.net
forwardsecurity#1: in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic
#2: in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
fragmenthttp://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting FRAG_IN error
free#1: Free services: https://openv.pn/youprod
#2: Freemium model: https://openv.pn/freemium
#3: Free VPN services cannot be trusted; they do not provide proper security nor privacy: https://openv.pn/freevpns
#4: Private Tunnel (by OpenVPN Inc, creators of OpenVPN) offers a 7 day free trial of their VPN service: https://www.privatetunnel.com
freebsdhttp://www.secure-computing.net/wiki/index.php/OpenVPN_Server
freebsdnatsee !fbsdnat
freevpnhttp://www.vpnbook.com/ has free openvpn accounts. we can not speak for anything about them, but hey its free
fridayIt's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully.
frozentux#1: Frozentux Netfilter/iptables tutorial at: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
#2: If you want to do port-forwarding (aka DNAT) check out the relevant DNAT section of that tutorial
#3: theres another NAT tutorial at http://www.karlrupp.net/en/computer/nat_tutorial
gentoo#1: http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
#2: Gentoo will update /etc/resolv.conf automatically if started via /etc/init.d/openvpn. To disable this, set PEER_DNS="no" in /etc/conf.d/openvpn
gigabithttps://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
git#1: The public git trees are here: a) git://git.code.sf.net/p/openvpn/openvpn, b) https://gitlab.com/openvpn/openvpn.git, c) https://github.com/OpenVPN/openvpn/
#2: All of these git locations should always be in sync and identical, if not something bad has happened and you should inform the developers ASAP
#3: See !git-doc how to use git
#4: git troubles? http://justinhileman.info/article/git-pretty/git-pretty.png
git-doc#1: For a good git documentation, see http://progit.org/book/
#2: For a very quick git crash course, see https://community.openvpn.net/openvpn/wiki/GitCrashCourse
gm"goodmorning" is good morning! it's always morning somewhere in the world
goalPlease clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
goodmorninggood morning! it's always morning somewhere in the world
googleDon't trust google searches blindly. Start first by looking at the official docs at https://community.openvpn.net/openvpn/wiki/
googleauthhttp://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/
googledns#1: Google DNS offers global recursive nameserves for your use: 8.8.8.8 and 8.8.4.4 (IPv6: 2001:4860:4860::8888 & 2001:4860:4860::8844)
#2: https://developers.google.com/speed/public-dns
gui#1: The only official GUI is the OpenVPN-GUI for Windows (see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI .) While there are other 3rd party GUIs, they may cause unexpected issues
#2: If you're having problems starting OpenVPN through an unoffiical GUI, try launching it on the command line; if that works, the GUI is your problem
gvpehttp://software.schmorp.de/pkg/gvpe.html <Bushmills> Unlike other virtual private network" solutions which merely create a single tunnel, GVPE creates a real network with multiple endpoints. free, opensource, for nixes, meant for those looking for a vpn with direct peer connections. those who'd be sent to hamachi otherwise.
haSee http://www.secure-computing.net/wiki/index.php/OpenVPN/High-Availability for a brief explaination about OpenVPN and HA
hardeninghttps://community.openvpn.net/openvpn/wiki/Hardening
heartbleed#1: only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl
#2: if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised.
#3: android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected.
#4: https://community.openvpn.net/openvpn/wiki/heartbleed
#5: http://xkcd.com/1354/
helpMy owner did not give me a help command
hmac#1: The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS.
#2: openvpn --genkey --secret ta.key to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
hmackeysizeto learn how the tls-auth key works and why it is the size that it is, read this: https://community.openvpn.net/openvpn/wiki/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key
hotpotatoif you have 2 uplinks and the traffic comes in one and out the other you have hot potato routing. read this: http://www.rjsystems.nl/en/2100-adv-routing.php
howsecurityworkssecurity can be obtained by: something you have (certificates, usb tokens), something you know (passwords), something you are (biometrics). for best security use more than 1. if you save passwords to a file (!pwfile), you change them from something you know to something you have, which destroys the point of using passwords
howto#1: OpenVPN comes with a great howto, https://community.openvpn.net/openvpn/wiki/HOWTO PLEASE READ IT!
#2: Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
hyper_chRandom stuff you didn't know you wanted to know.
ifconfigusage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
ifconfig-linuxAvoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php
ignoresee --pull-filter in the manual (!man) to see how to have the client filter what it allows the server to push to it
inline#1: Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV
#2: https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
insanitydoing the same thing over and over expecting different results
interface#1: paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server
#2: For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6)
#3: For Unix: iface: 'ifconfig -a' routing: 'netstat -rn'
#4: For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
intermediatecayoud cat intermediate-ca.crt root-ca.crt > client-ca.crt and then clients get client-ca.crt and server(s) get root-ca.crt
intro-to-pkiFor an intro to PKI basics, see: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/Intro-To-PKI.md
ios#1: See the iOS FAQ here - https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
#2: https://community.openvpn.net/openvpn/wiki/IOSinline might be useful
ipadsee !iphone
ipforward#1: ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall
#2: please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
iphone#1: OpenVPN Connect is now available for iOS in the App Store (see also: !connect)
#2: https://community.openvpn.net/openvpn/wiki/IOSinline
iporder#1: OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice).
#2: Use --client-config-dir file for static IP (next choice) !static for more info
#3: Use --ifconfig-pool allocation for dynamic IP (last choice)
#4: if you use --ifconfig-pool-persist see !ipp
ipp#1: the option --ifconfig-pool-persist ipp.txt does NOT create static ips
#2: Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
iptables#1: To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this.
#2: See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG
#3: These are just the basics to get you started as firewall design is beyond this channel's scope; you can also see #netfilter
iptables-rulesWhen posting iptables rules, please use the `iptables-save` syntax as it is easiest to read. While we try to be helpful, #netfilter may be more appropriate for complex netfilter issues
ipv6#1: The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6
#2: The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
#3: http://xkcd.com/865/
#4: to ignore ipv6 from the server see !noipv6client
ipv6_transportuse --proto udp6
irchttp://www.irchelp.org/irchelp/irctutorial.html
irclogsChannel logs are available at http://secure-computing.net/logs/openvpn.log and http://secure-computing.net/logs/openvpn-devel.log and are updated every three hours.
ircstats#1: See http://secure-computing.net/logs/openvpn.html for all-time IRC stats.
#2: See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats.
iroutedoes not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
karmanick++ adds karma nick-- adds bad karma, as seen in !ircstats
keepalive#1: see --keepalive in the manual for how to make clients retry connecting if they get disconnected.
#2: basically it is a wrapper for managing --ping and --ping-restart in server/client mode
#3: if you use this, don't use --tls-exit and also avoid --single-session and --inactive
#4: Also beware of --auth-nocache for automated reconnects
kernelEvery system has a kernel. Yes, even Windows. In the kernel pantheon it's an Elder Kernel ... which makes sense, actually, given how many sysadmins it drives mad regularly...
keyshttp://openvpn.net/howto#pki
keyusage#1: Use --remote-cert-ku to require specific key usage from a remote end point's certificate.
#2: use --remote-cert-tls client|server to require server or client key usage extension from a remote end point.
killswitch#1: what people keep calling vpn killswitch is really just an outbound firewall. in linux/unix you can just block traffic out of the internet interface except for to the vpn server (feel free to add this to an --up script if desired). in windows, osx there are probably methods with the built in firewalls, but you could also use something like snoopsnitch (osx) or netlimiter (windows).
#2: https://github.com/wknapik/vpnfailsafe for an --up script that does this
kindleOpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android
kissKeep It Simple Stupid
krzee#1: krzee says happy 4/20
#2: http://www.ircpimps.org/pics/krzee/blunt.jpg
#3: location: moon base where he smokes moonajuana
#4: takes bonghits on the freeswitch teleconference
lanshttps://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
lartc#1: LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux
#2: there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
launch#1: Problems starting OpenVPN with a service or init wrapper? Run it directly instead to debug, like this: openvpn --config /path/to/openvpn.conf
#2: Then, once you get that working, feel free to integrate this into your init per your distro's documentation
layer2#1: you are using tap, what specific layer2 protocol do you need to work over the vpn?
#2: Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better
#3: protocols that use layer2 communicate by MAC address, not IP address
ldap_iptablessee http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
leakIP/DNS Detect - What is your IP, what is your DNS, what informations you send to websites. (at ipleak.net)
lede"openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
libvirtIf attaching an OpenVPN tunnel to a libvirtd managed bridge with its own NAT setup, do not configure an IP address pool in OpenVPN; let libvirtd dnsmasq instance do the DHCP instead
license#1: OpenVPN 2 is a GPLv2 project and can be distributed, modified, and used under the GPLv2 license.
#2: Note that any commercial products are under their own EULA; these include AS, Connect, and any services provided by 'OpenVPN Technologies, Inc.' These are not maintained by the open-source community.
#3: The website is somewhat confusing on purpose to lead you to the non-free Access Server stuff. OpenVPN is fully GPL with no fees required for use under that license. If you want to download the GPL openvpn see !download
linipforward#1: echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
#2: chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
#3: you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
linnat#1: for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#2: to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>
#3: http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
linportforward#1: to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip)
#2: iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>
#3: iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
lintrafaccnthttp://www.catonmat.net/blog/traffic-accounting-with-iptables/ for a walkthrough on using iptables for traffic accounting
linux#1: OpenVPN 2.x is available in most Linux distributions native package repositories. If you find them too old, have a look here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
#2: See !openvpn3 - The OpenVPN 3 Linux client is a complete re-write, will not require root privileges to start VPN tunnels any more + DNS configuration is also taken care of out-of-the-box.
listen-ipv6use --proto tcp6 or --proto udp6 ... and it *must* be the development version (!snapshots) ... 2.2.x and earlier don't support this
locala flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
logfile#1: If you want logging you can easily just specify your own logfile with: log /path/to/logfile
#2: openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout.
#3: verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
#4: For systemd based systems, see !systemd-log
logs#1: please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked)
#2: In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log
#3: In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard
#4: if you dont know how to find your logs, see !logfile
#5: It is best to include a single client connection from start to close.
lovehttp://secure-computing.net/files/zebra.jpg
macUse Tunnelblick for the Mac. (https://tunnelblick.net/)
mactuntaphttp://tuntaposx.sourceforge.net/ for osX tuntap drivers
magicFor a story about magic read http://www.catb.org/jargon/html/magic-story.html
mail#1: http://sourceforge.net/mail/?group_id=48978
#2: http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
mailinglist#1: User's mailing list: http://thread.gmane.org/gmane.network.openvpn.user
#2: Developer's mailing list: http://thread.gmane.org/gmane.network.openvpn.devel
man#1: see https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage for the man pages
#2: the man pages are your friend!
#3: Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
#4: 'man openvpn' on a Unix system with OpenVPN installed
management#1: see http://openvpn.net/management for doc on management interface
#2: read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
#3: Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
manref#1: If you are given a reference that looks like this: openvpn(8) this is a manpage you can read with the command: `man 8 openvpn`. On Windows, see !man for the OpenVPN manpages in web-accessible form
#2: If you're new to manpages, type `man man` to read how they work
mbedtlssee !polarssl
mbufsee http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you haved ruled out a routing loop as the cause of the error: MULTI: packet dropped due to output saturation (multi_add_mbuf)
meetingsOpenVPN developers meetings are usually held on Thursdays @ 18:00 UTC. Ask mattock or dazo for latest info. Meeting agendas and minutes are here: https://community.openvpn.net/openvpn/wiki/IrcMeetings
menu#1: please use '!factoids search *'
#2: you can leave it a * to see all, or replace it with a word to search for
#3: or type !factoids to see a complete list
mesh#1: openvpn does not do mesh networking
#2: see !rip
#3: check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
mgmt#1: http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
#2: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
mime-typeOpenVPN configuration files (.ovpn) should have the MIME type application/x-openvpn-profile
mirror#1: http://openvpn.scarydevilmonastery.net for a mirror of the docs
#2: http://www.secure-computing.net/openvpn/ for another
mitm#1: http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially
#2: use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
#3: then use: remote-cert-tls server in the client config
msg#1: to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key>
#2: so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs
#3: you can also just see !factoids for a link to the full list of what the bot knows
mtu#1: see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
#2: mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
#3: useful info here: https://forum.pfsense.org/index.php?topic=67080.0
mtu-testyou can just use --mtu-test on the client to see what the best mtu for your connection is
multi_process_incoming_tunhttp://blog.tuinslak.org/2010/03/openvpn-packet-drops/
multiple_casee !cert_chains
nagioshttp://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/ for info on hooking openvpn into nagios
nat#1: http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules
#3: dont forget to turn on ip forwarding
#4: please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
nathacksee https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
net-toolshttps://github.com/QueuingKoala/fn-netfilter/wiki#avoid
net101http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example
net30see !/30
netfilterUnder Linux, use `iptables-save` to show firewall rulesets (add -c to include counters.) Do not use iptables -L as it is incomplete & often lies. #netfilter is more on-topic for detailed help.
netman#1: NetworkManager usually works fine, but can have some challenges in som env
#2: Ensure you run a reasonably recent NM version
#3: NM is aimed at client configurations and requires a logged in user session and is sensitive to instable unstable networks
#4: If OpenVPN works from the command line but not NM, go to #nm or https://wiki.gnome.org/Projects/NetworkManager
new#1: New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto
#2: You can type each of the !commands in this chat and our bot will provide useful references and info
#3: you can see the full factoids list at !factoids
#4: Also new to IRC? Here's an intro: http://catb.org/~esr/faqs/smart-questions.html#intro
new_win_guihttp://sourceforge.net/projects/openvpn-gui/ is the upstream project for the new windows gui
no_as#1: go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server)
#2: not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. we are just users helping users around here
nobindDo not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
nocert#1: to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required
#2: to know more, read about those config options in the manual (!man)
nodnsif you can ping 8.8.8.8 but not google.com (host lookup failure) then you need to either change your client's DNS server to something open to the world (see !dns) or set your vpn server to push a nameserver that it can reach from the server's ip (see !pushdns)
noenc#1: if you're going to disable encryption, you might as well build a GRE tunnel
#2: Reference --cipher in the manpage (--auth may also be useful to review)
noipv6clientYou can add pull-filter ignore ifconfig-ipv6 and pull-filter ignore route-ipv6 in your client to ignore IPv6 pushed by the server (OpenVPN 2.4 and later)
nomhttp://secure-computing.net/files/om_nom_nom.jpg
nopaste"pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
nopull"route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
noroot"unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
notcompat#1: IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible.
#2: OpenVPN connects only to OpenVPN
notopenvpnyour problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
notovpn#1: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
#2: sorry, but we dont care. this channel is only for help with openvpn.
nsupdatehttp://scarydevilmonastery.net/client_connect_nsupdate for a script Bushmills wrote to solve the question How can my vpn update my nameserver?
obfs#1: if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols
#2: http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
#3: in client/server mode an admin can know that openvpn is being used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
#4: You can also use tls-crypt/tls-cryptv2 instead of static-key mode for p2mp and forward security
obfsproxy#1: For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148
#2: See also !obfs. The link to TrafficObfuscation also contains a setup example
obsdnatpass out on $ext_if from $vpn_network to any nat-to <IP ADDRESS>
obsdtaphttp://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways)
openbsdnat#1: pass out on $ext_if from 10.8.0.0/24 to any nat-to servers.public.ip && pass in quick proto tcp from any to port 1194 keep state label openvpn && pass quick on $vpn_if keep state
#2: see !fbsdnat
opendnsYou should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
openvpnStrong like bull!
openvpn3#1: OpenVPN 3 provides OpenVPN as a library, re-written in C++. Source code lives here: https://github.com/OpenVPN/openvpn3/
#2: OpenVPN 3 Linux can be found here https://github.com/OpenVPN/openvpn3-linux and some getting started guide here https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux
openvz#1: http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn
#2: It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
openwrtIn OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
osx#1: Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/
#2: Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
osxboothttp://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes for how to run commands on boot in osX, you can change a single line in StaticRoutes file to make it start OpenVPN
osxipforward#1: sysctl -w net.inet.ip.forwarding=1 for a temp solution
#2: add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
otherprojectshttps://community.openvpn.net/openvpn/wiki/RelatedProjects for links to other projects
ovpn#1: OpenVPN GUI will load config files with a .ovpn extension when double-clicked.
#2: this is the same config file format as the standard .conf, just renamed to allow Windows to associate it with the openvpn program
ovpnukehttps://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
p12openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
p2p"statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
paidvpnWe are very reluctant to help you if you use a (commerical) VPN provider since we do not want to be their unpaid support team. See also !both
pam-mysqlin order to use pam-mysql with openvpn in feeebsd (and maybe other OS) you need to patch it. http://techtots.blogspot.ro/2010/01/openvpn-with-pammysql-usernamepassword.html
passwordFor a good guidline on generating strong passwords, read http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
password-onlyhttp://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
paste#1: "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
#2: paste.ee is also nice
#3: <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
pastebin#1: please paste anything with more than 5 lines into a pastebin site
#2: https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups
#3: If you're pasting config files, see !configs for grep syntax to remove comments
#4: gist allows multiple files per paste, useful if you have several files to show
#5: <bibble> termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
path#1: use full paths in your config!
#2: if you use windows, see !winpath
pebkacYour problem exists between your keyboard and chair...
petepete and repeat were on a boat, pete fell off, who was still on the boat?
pfnatnat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
pfsSee !forwardsecurity
pfsense#1: dont use the web gui for configuring openvpn, you need to understand the config and logfiles
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
pki#1: Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert)
#2: !certman for various PKI management tools
#3: see !intro-to-pki
polarssl#1: https://polarssl.org/core-features polarssl is an alternative to openssl which openvpn supports. it is open source, small with clean code, and made for the embedded world. openvpn connect (ios,android) uses this instead of openssl.
#2: https://community.openvpn.net/openvpn/wiki/UsingPolarSSL
#3: Has been renamed to mbedTLS after being bought by ARM
policy#1: http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
#3: dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
pongjust stupid
poodle#1: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has
#2: https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
port-shareWhen run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not implemented on Windows.
ppp_defaultrouteif your otherwise working openvpn config can not redirect-gateway because its default gateway is ppp and openvpn complains it can not find the default gateway; you can try this: http://blog.wsensors.com/2011/04/openvpn-and-ppp-on-linux-vpn-traffic-forwarding-default-gateway-fix/
pptp#1: PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about why to not use pptp
#2: Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security
#3: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
previewsUnofficial bleeding-edge feature previews for Windows can be found at this project page: https://bitbucket.org/QueuingKoala/openvpn-previews/wiki
privatetunnelPrivateTunnel users will be supported here: https://support.privatetunnel.com/
privledgesjust choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup , and if it is the server add: persist-key and persist-tun
provider#1: We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team.
#2: Please contact their support team.
#3: https://gist.github.com/joepie91/5a9909939e6ce7d09e29 for why not to use vpn providers
psk"statickey" is (#1) you can use static keys by using --secret </path/to/key> or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
psychicWe're not psychic -- please !paste your !configs and !logs and a description of the issue
ptprivatetunnel as PrivateTunnel users will be supported here: https://support.privatetunnel.com/
pureDo you dare to trust any VPN service? https://twitter.com/FainPablo/status/802630006195318784/photo/1 We sure wouldn't.
pushusage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
push-resetDon't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
push_ignoresee --pull-filter in the manual (!man) to see how to have the client filter what it allows the server to push to it
pushdns#1: push dhcp-option DNS a.b.c.d to push dns to the client
#2: For pushing DNS to a Windows client, see: !windns
#3: Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage
#4: For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir
#5: Mobile Client like OpenVPN for Android and OpenVPN Connect will happily accept push dhcp-option
pwfile#1: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
#2: see --auth-user-pass in the manual (!man) for more info
#3: if you're using this with the windows service, you will need --askpass
qk-utilSome OpenVPN utility scripts on github at: https://github.com/QueuingKoala/openvpn-util
qnxhttps://forums.openvpn.net/topic2449.html for the qnx6 port of openvpn
quietopenssl#1: see http://www.mail-archive.com/[email protected]/msg31052.html and read 'man req' to see how to make openssl not prompt you
#2: also see !ssl-admin for a sweet tool for managing your certs
randomsubnet#1: If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 `
#2: Or try this perl oneliner: `perl -e 'printf 10.%d.%d.0/24 , int(rand(256)), int(rand(256));'`
read<krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
redactPlease don't redact or change things(hostname, port, CNs, etc) when you !paste your !configs and !logs. It's a lot easier for us to debug if we're seeing the same thing you are.
redirect#1: to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
#2: you may need to use a different dns server when redirecting gateway, see !dns or !pushdns
#3: if using ipv6 try: route-ipv6 2000::/3
#4: Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
redirect-policyIf you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. Note that this is a somewhat advanced networking topic.
redirect_bypass#1: route <ip> <netmask> net_gateway to to override --redirect-gateway for a certain subnet. note that net_gateway is internal to openvpn and should not be changed
#2: to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
redirect_ignoreyou can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
redirect_ips#1: https://forums.openvpn.net/topic8559.html for more info on giving users their own internet routable IPs
#2: it is also possible to directly hand out the ips from --server, jjk explains how to do this in his book (!book) which krzee highly recommends reading
refundIf you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
release-noteshttp://openvpn.net/index.php/open-source/documentation/release-notes.html
remapBy default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_').
reneg#1: by default (in client/server mode) openvpn will renegotiate the tls key hourly. this can be adjusted with the --reneg option
#2: this should not be disabled as it is important for !forwardsecurity
repoopenvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
rfc1918"1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
rfc5737"5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
rhelsee !epel5
riphttp://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
roadmaphttps://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
rob0is actually /dev/rob0 (because 0>5). Rumor has it that he is an AI project by google, but nobody can confirm.
rocksNobody around but us rocks! Please go ahead and ask your question, and be patient - somebody helpful will eventually perk up.
rollupSee !win_rollup
route#1: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT
#2: READ IT DONT SKIM IT!
#3: See !tcpip for a basic networking guide
#4: See !serverlan or !clientlan for steps and troubleshooting flowcharts
route-nopullIf you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
route_outside_openvpn#1: If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route
#2: Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_outside_ovpn"route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_override"redirect_bypass" is (#1) route <ip> <netmask> net_gateway to to override --redirect-gateway for a certain subnet. note that net_gateway is internal to openvpn and should not be changed, or (#2) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
routebyapp#1: if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
#2: Alternatively, read up about Policy Routing to make routing decisions based on defined policies you set. For Linux, read about !lartc
routerif you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
ruleshttp://secure-computing.net/openvpn/openvpn.php for channel guildelines.
samba#1: http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge
#2: http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
samesubnet#1: clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
#2: you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the subnet
sample#1: http://www.ircpimps.org/openvpn.configs for a working sample config
#2: DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
#3: these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
sayNO! you're not the boss of me!
scale#1: OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process.
#2: Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto.
#3: Both of these issues can be handled by running multiple server instances(on several IPs or ports) and having clients round-robin between them
scaredhttp://www.youtube.com/watch?v=P_WI0VI7aIw
script#1: See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAS
#2: to see all vars available to a script, you can env > /tmp/env
#3: if using bash you can put exec 2>&1 in the first line of your script and it will send all error output to your openvpn log. set -x as well to show your commands as they are executed
scripting"script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
scripts"script" is See SCRIPTING AND ENVIRONMENTAL VARIALBES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
secret#1: funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
#2: See also !topsecret
secure#1: http://openvpn.net/howto.html#security for hardening
#2: http://openvpn.net/index.php/documentation/security-overview.html for security overview
security#1: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
#2: see !wrench
#3: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements for security announcements
servercert#1: openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key
#2: or just use build-key-server in easy-rsa
#3: this will help with !mitm
serverlan#1: for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn)
#2: see !route for a better explanation
#3: Handy troubleshooting flowchart: http://www.ircpimps.org/serverlan.png
service_behind_clientIn addition to normal iptables (firewall) configuration with port NAT, you also need to configure an ip routing policy ... for some quick clues: https://paste.fedoraproject.org/526839/48433431/raw/
shapingto enable traffic shaping on clients, you do this in your firewall. it is unrelated to openvpn. it is called QOS, and in linux you would enable it in iptables with tc
shorewallhttp://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls.
shotgun#1: the most effective form of physical security
#2: <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
sigshttps://openvpn.net/index.php/open-source/documentation/sig.html for how to check pgp signatures to verify download of OpenVPN releases
sleepif you are having issues with openvpn after waking from sleep mode in windows see: https://community.openvpn.net/openvpn/wiki/WhyMyOpenVPNTunnelDoesNot
slowesxipyther> seems as if there is some type of bug with the vmxnet3 network module, so I just switched to the e1000 module, the vpn box is a virtual machine on vmware esxi. http://nwsmith.blogspot.com/2010/07/patching-vmxnet-to-disable-lro.html <pyther> something about disabling LRO
smart14:50:56 < jnewt_> in other words, i see the information you're giving me, but don't have the brains to apply it.
snapshots#1: weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
#2: by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
sockdif you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
solarishttp://www.whiteboard.ne.jp/~admin2/tuntap/ for the solaris tuntap driver, good luck... ive heard mixed reviews. let us know how it works for you
someclient2client"policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
speed#1: Having speed problems? The following suggestions may help.
#2: OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded)
#3: MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu)
#4: iface txqueuelen often needs to be >100 on fast and/or latent links
#5: less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
#6: prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp)
#7: if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better.
#8: also consider testing without compression (on _both_ sides, try: --comp-lzo no)
#9: a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
splitdns#1: see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
#2: "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
splitroute#1: see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet
#2: see !route_override for how to override --redirect-gateway for a certain subnet
spoonfeedWe'll gladly help with troubleshooting and answering questions, but we won't do the work for you. There are plenty of consultants out there who would be more than willing to take your money to fix your problems for you.
spoonfeedinghttp://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
ssl-admin#1: if you use freebsd, it is in ports
#2: A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
#3: to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin
#4: if svn is down theres a copy at http://secure-computing.net/files/ssl-admin-1.0.3.tar.gz
ssl-admin 1http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
sslbenchmarks#1: see http://svimik.com/mbedtls_bm1.htm for a comparison of ssl benchmark speeds between openssl and mbedtls check out
#2: jjk also made a writeup that includes comparing aes to bf at !gigabit
static#1: use --ifconfig-push in a ccd entry for a static ip for the vpn client
#2: example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0
#3: also see !ccd and !iporder
#4: with static IPs, limit your --ifconfig-pool to exclude the static range
#5: See also: !addressing
static-keywhen you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default
static_key_detailshttp://svn.openvpn.net/projects/openvpn/web/trunk/faq-static-key-explanation.txt for an explanation of how static key files are used
statickey#1: you can use static keys by using --secret </path/to/key>
#2: static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time.
#3: see !forwardsecurity for more info
status#1: You can use the --status directive to write to a status file to show the list of currently connected clients. This list can be sent to stdout (or your defined !log mechanism) with a USR2 signal as well.
#2: See also !management
strip-passphrasesee http://blog.lib.umn.edu/silvi003/codenotes/2008/08/how_to_strip_a_passphrase_from.html to learn how to strip a passphrase from a key file
subnet#1: http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
#2: Want a random subnet generator? See: !randomsubnet
#3: You may be looking for !toplogy
subscriptionhttps://www.tunnelr.com has a slick interface and costs $7/mo , or https://www.openvpn.net/index.php/ for the pay software from openvpn technologies
sudowinhttp://sourceforge.net/projects/sudowin/
supybothttp://supybook.fealdia.org/devel/#_adding_a_new_user
suseYou EITHER! (see !ubuntu)
sweethttp://sweet.nodns4.us/ =(
sweet32http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
systemd#1: Most systemd based distros package the upstream OpenVPN [email protected] and [email protected] unit files. Use those instead of the distro provided ones (openvpn.service, [email protected]), as they too often work poorly.
#2: Unfortunately, Debian have added some weird OpenVPN systemd integration trying to simulate how things worked before systemd arrived. These approaches often causes more confusion, so _do_ consider #1 carefully.
#3: Also see this README for OpenVPN + systemd: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd
systemd Most systemd based distros package the upstream OpenVPN [email protected] and [email protected] unit files. Use those instead of the distro provided ones (openvpn.service, [email protected]),they too often work poorly.
systemd-logWhen using openvpn-{client,server}@.service unit files, use journalctl to extract the log data easily: journalctl --since today -u openvpn-{client,server}@CONFIGNAME
tap#1: http://openvpn.net/index.php/documentation/faq.html#bridge1
#2: Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better
#3: Useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses, but essentially nowhere else
#4: For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
#5: also look at !tunortap
#6: See also: https://community.openvpn.net/openvpn/wiki/BridgingOverview
tcp#1: Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea.
#2: http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
#3: if you must use tcp, you likely want --tcp-nodelay
tcp_nodelay<EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
tcpdump#1: tcpdump is a great troubleshooting tool (Wireshark or the tshark.exe CLI tools for Windows.) To start, try a syntax like `tcpdump -pni ifWhatever`
#2: You can also add filters to the command, like 'icmp' or 'udp port 1194' and the like. Consult the tcpdump docs for details.
tcpiphttp://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
tcptcp"tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
tcptunehttp://www.psc.edu/index.php/networking/641-tcp-tune
testing"snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
threatA threat model defines what your risks are related to security, exposure, and what kinds of attacks or attackers you desire protection from; this helps define what technical protection you may need
thursdayToday must be a Thursday. I never could get the hang of Thursdays. -- Douglas Adams, Hitchhikers Guide To The Galaxy
ticketCreate a trouble ticket by going to https://community.openvpn.net/ registering and loggin in
timeif you see VERIFY ERROR: depth=1, error=certificate is not yet valid: then make sure you update the clocks of your client,server,ca via ntp
timeoutif you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
tls-auth"hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
tls-cipher#1: http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
#2: To prevent the use of export ciphers or other insecure ciphers use tls-cipher DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA
#3: ECDH ciphers require OpenVPN 2.4+
toolshttps://www.secure-computing.net/ip.php
topicsee /topic instead.
topology#1: it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions.
#2: Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets.
#3: details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
topsecret#1: if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust.
#2: Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
#3: https://secure-computing.net/files/real_ips.jpg
trac#1: see https://community.openvpn.net for development information and bug tracker.
#2: if you have a forum login, use that for trac, its the same database.
triplehandshake<mattock> here a page about the TLS Triple Handshake Vulnerability: https://community.openvpn.net/openvpn/wiki/TLSTripleHandshakeVulnerabilityAndOpenVPN
trustIf you do not trust the configuration pushed by the server, don't connect to it!
truthssee !1925
tryharder<Poster> until you run out of tap/tun interfaces, you're not really giving it your all
tunnelblickhttp://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
tunortap#1: you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun.
#2: and if your reason for wanting tap is windows shares, see !wins or use DNS
#3: remember layer2 has no security, arp poisoning works over tap vpns
#4: lan gaming? use tap!
#5: Normal Android/iOS devices (not rooted/jailbroken) support only tun
ubuntudont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
uci"openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you.
unixa text adventure, and the only cheat mode is to ask in IRC, where to start reading
unprivsee https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
vagueIf you tell us you have an error or failure or problem , we'll tell you no more than something is wrong. You might want to review !ask for help learning how to ask questions to get more on-target answers
vampirePlease don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. http://slash7.com/2006/12/22/vampires/
verb#1: verb command is for setting log verbosity, see --verb in the manual (!man) for more info
#2: verb 5 is good for finding firewall problems, verb 4 for troubleshooting anything else, and 3 is good for every day usage.
#3: Anything more than 5 is for developer debugging only (special debug build needed)
verb5the WRWRwrwr is explained in !man at --verb : Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
verify#1: If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt`
#2: Note that this requires you to manually transfer the remote certificate to the local system for testing
#3: You can also manually check issuer fingerprints with detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
version15"version_15" is (#1) If you get unknown IP version=15 in your logs, first check for mis-matched --comp-lzo settings. Then assume an app/kernel on your client is at fault by generating trash itself: http://www.docunext.com/blog/2013/02/ip-packet-with-unknown-ip-version-15-seen.html or (#2) http://www.toofishes.net/blog/openvpn-and-aoe-interaction/
version_15#1: If you get unknown IP version=15 in your logs, first check for mis-matched --comp-lzo settings. Then assume an app/kernel on your client is at fault by generating trash itself: http://www.docunext.com/blog/2013/02/ip-packet-with-unknown-ip-version-15-seen.html
#2: http://www.toofishes.net/blog/openvpn-and-aoe-interaction/
viscositysave yourself 4 hours of troubleshooting broken connections (and $9) and just use tunnelblick! :-p
vista13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
voracle#1: Compression is generally discourage as it allows VORACLE and similar attacks
#2: https://community.openvpn.net/openvpn/wiki/VORACLE
vpnhttp://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
vpnHelper"bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
vpnproviders#1: A list of VPN providers you really need to be careful with ... https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa
#2: Not convinced? See !pure
vulninfo#1: See these factoids for more info about specific vulnerabilities: !heartbleed !poodle !ovpnuke !sweet32 !duhk
#2: See here for all security announcements: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
walkthroughif you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
weakmdYour certificate is probably using MD5 and OpenSSL 1.1 does not allow that anymore. You should update your certifaces. For OpenVPN 2.4.4+ you can Use tls-cipher DEFAULT:@SECLEVEL=0 to allow md5 signatures.
webgui#1: http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback
#2: http://sourceforge.net/projects/openvpn-status/ also pls let us know if you use that
welcome#1: Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal <whatever>' - the bot doesn't understand that - just '!goal' [without the quotes])
#2: New to IRC? see the link in !ask
#3: We may need you to !paste your !logs and !configs and maybe !interface to help you
#4: See !howto for beginners
#5: See !route for lans behind openvpn
#6: !redirect for sending inet traffic through the server
#7: Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm
#8: Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
#9: And again, if you think you need !tap, you're probably wrong
#10: see !1925 before arguing with the admins or the person helping you
whining< MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you.
whybecause screw you, that's why.
whybridge#1: you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun.
#2: See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
#3: See also !tunortap
wiki#1: http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki
#2: https://community.openvpn.net/openvpn/wiki for the Official wiki
willWhere there's a will, there's /away
win-dnsFrom cmd.exe: if ipconfig /all shows the proper DNS server adcdress assigned to the tap device... Please choose !win-dns-xp or !win-dns-vista-7
win-dns-vista-7click start -> control panel -> network and sharing center -> change adapter settings -> <ALT> -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list
win-dns-xpclick start -> control panel -> network connections -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list.
win2k8Server 2008 assigns the OpenVPN TAP Adapter v9 as an Unidentified network which the default Local Security Policy of Server 2008 assigns as being a Public Interface with restricted access. To fix it do this: Go into Control Panel / Administrative Tools / Local Security Policy / Network List Manager Policies / Unidentified Networks. Set Location Type to Private.
win7http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/8a3e9b05-353b-4250-a023-066a085e9657 for a workaround to the windows 7 unidentified network issue you get when using redirect-gateway
win_buildhttps://community.openvpn.net/openvpn/wiki/BuildingOnWindows for mattock's doc on building openvpn on windows
win_ipfailif the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled.
win_noadmin#1: http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
#2: and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
win_rollupplease see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
win_tcplimitsee http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients
windns#1: http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
#2: http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
#3: http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
windows#1: computers are like air conditioners, they work well until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
windows_mobilehttp://ovpnppc.ziggurat29.com/ovpnppc-files.htm for windows mobile builds of openvpn
windows_problems#1: PCs are like air conditioners - they work fine until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
winipforward#1: reboot after enabling it
#2: https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
winnat#1: http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
#2: http://www.nanodocumet.com/?p=14 for windows XP
#3: https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
winpassopenvpnGUI for windows has a change password feature that will change the passphrase on your .key files
winpath#1: Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
#2: also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
winroute#1: in windows if the route cannot be added, try route-method exe in your config file
#2: many users also report it helps to add route-delay to give the interface extra time to get up
#3: you may need to turn off routing and remote acess in administrative tools - routing and remote access
#4: make sure you are running openvpn as admin
#5: you might also want to see that and use trial and error with these solutions: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
winshttp://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
winscripta user reported that his --up script was not executed in windows gui. his config was bps.ovpn, he renamed the script to bps_up.bat and put it in the dir with his config... then it worked!
winshortcutTo start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: \"C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe\" --config_dir \"C:\path\to\config\" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
winsudo"sudowin" is http://sourceforge.net/projects/sudowin/
wintapWindows uses a combined TUN/TAP driver, so the same TAP-Win32 adapter is used in both modes
wintaphide#1: in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89
#2: To show again, set it to 0x81
wireless#1: if you are getting replay errors while on wireless, see --mute-replay-warnings in the manual (!man)
#2: if you are securing your wireless using openvpn, see !local
wisdomWe can only provide you with the information. We are not, unfortunately, able to make you understand it.
wishlisthttps://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
womansee !man but with a monthly attitude :D
wrenchhttps://xkcd.com/538/
xca#1: XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa.
#2: Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
xforyhttps://meta.stackexchange.com/questions/66377/what-is-the-xy-problem
xyhttp://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
youdoyouhttp://www.urbandictionary.com/define.php?term=You%20Do%20You
42the answer to life, the universe, and everything.
101This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
1918#1: RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
#2: see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
#3: See !5737 for addresses to use for examples and documentation
#4: See !conflict for common conflicting address spaces.
1925RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
5737Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
© Copyright 1997-2024 Secure Computing Networks & Eric F Crist