Secure Computing Networks
Page last updated Friday, 24 May 2013 14:28:44 -18000
Key / Factoid

--
  OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double leading dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
/30
  #1: Default behaviour assigns a /30 subnet (4 addresses) to each peer. See http://goo.gl/6vemm for background
  #2: you can avoid this behavior by reading !topology
  #3: by default, first client is .6, then .10 .14 .18 etc
  #4: use openvpn --show-valid-subnets to see the subnets you can use in net30
  #5: tl;dr Windows sucks, use --topology subnet in your server.conf
2.1-winpass-script
  http://article.gmane.org/gmane.network.openvpn.user/24575
AS
  please go to #OpenVPN-AS for help with Access-Server
EugeneKay
  right, because EugeneKay is always right.
access-server
  OpenVPN Access Server support is in #openvpn-as
accounting
  http://pekster.sdf.org/code/files/openvpn-user-accounting.tgz for some bash code for basic accounting
all
  #1: please pastebin your client and server configs (with comments removed, you can use grep -vE '^#' client.conf), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
  #2: For more detailed instructions, look to: !logs !configs !interface
allinfo
  Please type !configs !logs and !interface to see all the info we want to be able to help you
android
  #1: an open source OpenVPN client for ICS is available in Google Play, look for OpenVPN for Android. FAQ is here: http://code.google.com/p/ics-openvpn/wiki/FAQ
  #2: If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market
asbestos
  as best os: freebsd sukka! (according to krzee)
authpass
  #1: please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
  #2: or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
  #3: and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
badtime
  if !certverify shows you "error 9 at 1 depth lookup: certificate is not yet valid", you need to check the times/dates/years/timezones on the machines, including the CA
basic
  if you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first
bcast
  #1: pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup
  #2: http://www.hanksoft.de/service/46-udpbroadcastforwarder seems to be a windows program for relaying bcast (use google translate if needed)
beer
  what's for dinner (and occasionally breakfast)
bestos
  the best os for openvpn is the one you are most comfortable with
blame
  #1: According to Bushmills, it's always krzee's fault
  #2: According to krzee, it's always dazo's fault
  #3: and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments
  #4: cron2 says it's always d12fk's fault (and sometimes the customers)
blog
  Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them.
bonjour
  http://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to
book
  http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
bot
  I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything; if you'd notice, the person who spoke just before me gave a !command to make me speak :P
botsnack
  Om nom nom!
bridge
  #1: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc
  #2: http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ
  #3: also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
  #4: also see !whybridge
bridge-dhcp
  http://openvpn.net/faq.html#bridge-addressing for making clients grab a dhcp ip over the bridge but not overriding the dhcp ip from the local dhcp server
bridge-fw (alias of "ebtables")
  Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 work in linux and how to use ebtables
bridging
  #1: Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you
broadcast-relay
  a software that comes with pptp. use it in tun mode when needing broadcasts, and WINS isn't enough.
bsdnat
  see !fbsdnat
buffer
  when you see "write UDPv4: No buffer space available (code=55)" you probably have a routing loop. the way to fix this is to get a book on basic networking, preferably a coloring book!
bugs
  https://community.openvpn.net/openvpn if we tell you that you found a bug. go there, open an account, and file a bug report in trac (your forum login is good for the trac too)
c2c (alias of "client-to-client")
  with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and, if allowed by the firewall and routed back to the server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other clients
ccd
  #1: entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
  #2: the ccd file is parsed each time the client connects.
centos
  See !epel5
certfight
  when you use 2 clients with the same certificate (and not using !dupe) your vpn will not work. your second client will knock off your first client, then your first will knock off the second (if you have !keepalive) and they will simply fight back and forth disconnecting over and over until a voice says FINISH HIM
certinfo
  run openssl x509 -in <file> -noout -text for info from your cert file
certpw (alias of "change-passphrase")
  see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
certs
  #1: use !easy-rsa-unix for easy-rsa
certverify
  #1: verify your certs are signed correctly by running openssl verify -CAfile <ca.crt> <client.crt> for client.crt and server.crt
  #2: also make sure you use the same ca.crt on both sides by checking their md5
change-passphrase
  see http://openvpn.net/archive/openvpn-users/2005-03/msg00230.html for how to change (or add) a key's passphrase
changelog
  See http://openvpn.net/index.php/open-source/documentation/change-log.html for the openvpn change logs
cidr
  http://www.oav.net/mirrors/cidr.html
cisco
  #1: An open-source client for Cisco SSL VPN is available from http://www.infradead.org/openconnect.html
  #2: OpenConnect is available in FreeBSD ports in security/openconnect
client-connect
  --client-connect <script> runs the script on client connection. This can be useful for generating firewall rules dynamically, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamically... to use it that way, you should write your dynamic ccd commands to the file named by $1.
client-to-client
  with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and, if allowed by the firewall and routed back to the server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other clients
clientlan
  #1: for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn)
  #2: see !route for a better explanation
  #3: Handy troubleshooting flowchart: http://ircpimps.org/clientlan.png
comment
  you can use ; or # to make comments in the config file
comp
  if you see "Bad LZO decompression header" you have a mismatch in your comp-lzo settings. You need to be sure you have the same setting in all configs for comp-lzo, or that you don't have it in any configs.
confgen
  #1: http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
  #2: you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
  #3: you must run this in bash
configs
  #1: please pastebin your client and server configs (with comments removed, you can use grep -vE '^#|^;|^$' server.conf), also include which OS and version of openvpn.
  #2: don't forget to include any ccd entries
  #3: on pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
crl
  #1: --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
  #2: you can make use of a CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
  #3: openssl ca -config openssl-1.0.0.cnf -gencrl -out keys/crl.pem
current
  #1: Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance.
  #2: The current version of OpenVPN can be downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/
daz
  http://www.eurephia.net/ for eurephia, an auth plugin supporting dynamic firewall updates
dazo
  The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
debian
  Although we are aware the Debian stable package repository has OpenVPN 2.1rc11, to offer support we require users to run the current version of OpenVPN. See !download for information on where/how to obtain a recent release.
def1
  #1: used in redirect-gateway. Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
  #2: please see --redirect-gateway in the man page (!man) to fully understand
  #3: push "redirect-gateway def1"
dh
  build-dh from easy-rsa and option dh in ssl-admin create a file containing a prime number of the size in bits you defined (1024 default), which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
dhcp
  redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
diagram
  You can use a site such as http://gliffy.com to create a network diagram, as well as programs such as Visio, Dia, or OmniGraffle
dmz
  Low end SOHO routers sometimes have a DMZ feature. This does NOT magically give your internal host a public IP, but is a form of fallthrough NAT. Such features may or may not operate as expected depending on the device; consult its documentation, not here, for details.
dns
  #1: Level3 open recursive DNS server at 4.2.2.[1-6]
  #2: Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
  #3: you might be looking for !pushdns
donate
  #1: send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel.
  #2: Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
  #3: http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
(key not preserved in this dump)
  #2: OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
  #4: in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
dropje
  #1: Always listen to dropje
  #2: well, dazo might not agree to the 'always' part always ... but .....
dupe
  #1: see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended)
  #2: instead, use !pki to make a cert for each user
duplicate
  the option duplicate-cn is for allowing the same cert to login more than once. It should not be used in most situations, the main exceptions being if you also use !authpass or if just testing
dynamicfirewall
  to learn how to modify the firewall based on which client has which ip, please read --learn-address in the manpage (!man)
easy-rsa
  #1: easy-rsa is a certificate generation utility.
easy-rsa-unix
  http://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux
ebtables
  Linux uses ebtables for firewalling layer 2 bridges. See http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html and http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png to understand how layer 2 and layer 3 work in linux and how to use ebtables
effort
  If you are not willing to put the effort into gathering information and trying to figure out your problem, we are not willing to help you with it
enable-passwd-save
  --enable-passwd-save is enabled on windows builds starting with 2.2 preview 8 and will be default going forward from 2.2 release
encryption
  Why symmetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
enter
  The enter key is not a punctuation mark.
epel5
  Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F
eurephia
  http://www.eurephia.net/
external_routes
  see !route_outside_openvpn
factoids
  A semi-regularly updated dump of the factoids database is available at http://www.secure-computing.net/factoids.php
fail2ban
  in linux you can replace fail2ban without the background process with something like: iptables -A INPUT -m tcp -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-upto 5/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
faq
  #1: http://openvpn.net/index.php/documentation/faq.html
  #2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
fbsdbridge
  http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd
fbsdipforward
  set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
fbsdjail
  <thei0s> krzie: if you are interested in the solution: I needed to add to the host's rc.conf the creation of the tun0 device, create a special devfs ruleset with tun0 unhidden, configure that it is used in the devfs mount point inside the chroot in my jail and specify the openvpn --dev tun0 parameter, and it seems that this is it... so, thank you for assistance and ideas
fbsdnatnat on $ext_if from$vpn_network to any -> ($ext_if) (this is for PF) festivusfor the rest of us firestarterif you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help firewall#1: please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info #2: see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. forum#1: The official OpenVPN support forum is available at http://forums.openvpn.net #2: you can join #OpenVPN-Forum to see the forum-feed announcements if you want to. forwardsecurity#1: in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation #2: in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured fragmenthttp://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting FRAG_IN error freebsdhttp://www.secure-computing.net/wiki/index.php/OpenVPN_Server freebsdnatsee !fbsdnat fridayIt's Friday, be warned that, due to him working at home, our resident guard-dog, ecrist, is likely already in the bag. Tread carefully. gentoo#1: http://gentoo.linuxhowtos.org/openvpn/openvpn.htm #2: Gentoo will update /etc/resolv.conf automatically if started via /etc/init.d/openvpn. 
To disable this, set PEER_DNS="no" in /etc/conf.d/openvpn gigabithttps://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit git#1: For the stable git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git #2: For the development git tree: git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git #3: Browse the git repositories here: http://openvpn.git.sourceforge.net/git/gitweb-index.cgi #4: See !git-doc how to use git git-doc#1: For a good git documentation, see http://progit.org/book/ #2: For a very quick git crash course, see https://community.openvpn.net/openvpn/wiki/GitCrashCourse goalPlease clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc googleauthhttp://securityskittles.wordpress.com/2012/03/14/two-factor-authentication-for-openvpn-on-centos-using-google-authenticator/ gvpehttp://software.schmorp.de/pkg/gvpe.html <Bushmills> Unlike other virtual private network" solutions which merely create a single tunnel, GVPE creates a real network with multiple endpoints. free, opensource, for nixes, meant for those looking for a vpn with direct peer connections. those who'd be sent to hamachi otherwise. helpMy owner did not give me a help command hmac#1: The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. 
#2: openvpn --genkey --secret ta.key to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs hotpotatoif you have 2 uplinks and the traffic comes in one and out the other you have hot potato routing. read this: http://www.rjsystems.nl/en/2100-adv-routing.php howsecurityworkssecurity can be obtained by: something you have (certificates, usb tokens), something you know (passwords), something you are (biometrics). for best security use more than 1. if you save passwords to a file (!pwfile), you change them from something you know to something you have, which destroys the point of using passwords howto#1: OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! #2: http://www.secure-computing.net/openvpn/howto.php for a mirror ifconfigusage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to. ifconfig-linuxAvoid use of 'ifconfig' and 'route' commands on modern Linux distros. It's old, deprecated, and often misleading/wrong. Use the 'ip a' and 'ip r' commands instead. More info: http://inai.de/2008/0219-ifconfig-sucks.php inline#1: Inline files (e.g. <ca> ... </ca> are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV #2: https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs insanitydoing the same thing over and over expecting different results interface#1: paste interface configuration from both client and server, while being disconnected and when beeing connected. 
Be sure to also add the routing tables for both situations from client and from server #2: For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) #3: For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' #4: For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes) ipadsee !iphone ipforward#1: please choose between !linipforward !winipforward !osxipforward and !fbsdipforward #2: ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall iphone#1: http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone #2: OpenVPN is now available for iOS in the App Store #3: https://community.openvpn.net/openvpn/wiki/IOSinline iporder#1: OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). #2: Use --client-config-dir file for static IP (next choice) !static for more info #3: Use --ifconfig-pool allocation for dynamic IP (last choice) #4: if you use --ifconfig-pool-persist see !ipp ipp#1: the option --ifconfig-pool-persist ipp.txt does NOT create static ips #2: Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. 
If you want guaranteed assignment, see !iporder and !static iptables#1: to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F; iptables -Z #2: please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info #3: you can see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for pf or iptables #4: These are just the basics to get OpenVPN working. Proper firewall design is beyond the scope of this channel. You may try #netfilter ipv6#1: http://www.greenie.net/ipv6/openvpn.html for info about the ipv6 patch (adds nice ipv6 options to openvpn) #2: use 2.3 or see !snapshots for a release with ipv6 patches in it #3: http://ipstats.arvig.net/BraveHeartMEME.jpg ipv6_transportuse --proto udp6 irchttp://www.irchelp.org/irchelp/irctutorial.html irclogsChannel logs are available at http://secure-computing.net/logs/#openvpn.log and http://secure-computing.net/logs/#openvpn-devel.log and are updated every three hours. ircstats#1: See http://secure-computing.net/logs/openvpn.html for all-time IRC stats. #2: See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats. iroutedoes not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd karmanick++ adds karma nick-- adds bad karma, as seen in !ircstats keepalive#1: see --keepalive in the manual for how to make clients retry connecting if they get disconnected. 
#2: basically it is a wrapper for managing --ping and --ping-restart in server/client mode #3: if you use this, don't use --tls-exit and also avoid --single-session and --inactive keyshttp://openvpn.net/howto#pki kindleOpenVPN for Android works fine on Kindle Fire HD and Kindle Fire 2nd generation. Get the apk from http://plai.de/android kissKeep It Simple Stupid krzee#1: krzee says happy 4/20 #2: http://www.ircpimps.org/pics/krzee/blunt.jpg #3: location: moon base where he smokes moonajuana lanshttps://www.secure-computing.net/wiki/index.php/OpenVPN/Routing layer2#1: you are using tap, what specific layer2 protocol do you need to work over the vpn? #2: Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better #3: protocols that use layer2 communicate by MAC address, not IP address ldap_iptablessee http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP) linipforward#1: echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution #2: chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware #3: you also must allow forwarding in your forward chain in iptables. 
iptables -I FORWARD -i tun+ -j ACCEPT linnat#1: for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE #2: to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS> #3: http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info #4: openvz see !openvzlinnat linportforward#1: to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip) #2: iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP> #3: iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT lintrafaccnthttp://www.catonmat.net/blog/traffic-accounting-with-iptables/ for a walkthrough on using iptables for traffic accounting listen-ipv6use --proto tcp6 or --proto udp6 ... and it *must* be the development version (!snapshots) ... 2.2.x and earlier don't support this locala flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. log[logfile] logfile#1: openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile #2: verb 3 is good for everyday usage, verb 5 for debugging #3: see --daemon --log and --verb in the manual (!man) for more info #4: without any log-redirection options, openvpn sends output to stdout. Explicit logging is often more convenient logs#1: is please pastebin your logfiles from both client and server with verb set to 5 #2: In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log #3: In the OS X client(Tunnelblick) right-click it nd select Copy log text to clipboard #4: if you dont know how to find your logs, see !logfile macUse Tunnelblick for the Mac. 
(http://code.google.com/p/tunnelblick/) mactuntaphttp://tuntaposx.sourceforge.net/ for osX tuntap drivers magicFor a story about magic read http://www.catb.org/jargon/html/magic-story.html mail#1: http://sourceforge.net/mail/?group_id=48978 #2: http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive mailinglist#1: User's mailing list: http://thread.gmane.org/gmane.network.openvpn.user #2: Developer's mailing list: http://thread.gmane.org/gmane.network.openvpn.devel man#1: For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ #2: the man pages are your friend! #3: Protip: you can search the manpage for a specific --option (with dashes) to find it quicker management#1: see http://openvpn.net/management for doc on management interface #2: read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN mbufsee http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you haved ruled out a routing loop as the cause of the error: MULTI: packet dropped due to output saturation (multi_add_mbuf) meetingsOpenVPN developers meetings are usually held on Thursdays @ 18:00 UTC. Ask mattock or dazo for latest info. 
Meeting agendas and minutes are here: https://community.openvpn.net/openvpn/wiki/IrcMeetings menu#1: please use '!factoids search *' #2: you can leave it a * to see all, or replace it with a word to search for #3: or type !factoids to see a complete list mesh#1: openvpn does not do mesh networking #2: see !rip #3: check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes mgmt#1: http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html #2: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt mirror#1: http://openvpn.scarydevilmonastery.net for a mirror of the docs #2: http://www.secure-computing.net/openvpn/ for another mitm#1: http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially #2: use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates #3: then use: remote-cert-tls server in the client config msg#1: to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn <key> #2: so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs mtu#1: see --mtu-test to learn how to test your MTU settings. 
Basically you just use --mtu-test in your normal client config #2: mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting mtu-testyou can just use --mtu-test on the client to see what the best mtu for your connection is multi_process_incoming_tunhttp://blog.tuinslak.org/2010/03/openvpn-packet-drops/ multiple_casee !cert_chains nagioshttp://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/ for info on hooking openvpn into nagios nat#1: http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn #2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules #3: dont forget to turn on ip forwarding #4: please choose between !linnat !winnat and !fbsdnat for specific howto nathacksee https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines net101http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example net30"/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology netmanif you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list new_win_guihttp://sourceforge.net/projects/openvpn-gui/ is the upstream project for the new windows gui no_as#1: go to http://openvpn.net/index.php/access-server/support-center.html for support with access server (see !AS to know about access server) #2: not only do we not know AS here, but even if we did we would be tainting the professional level of support included in AS by supporting it here. it comes with REAL support. 
we are just users helping users around here nobindDo not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option. nocert#1: to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required #2: to know more, read about those config options in the manual (!man) noenc#1: if you're going to disable encryption, you might as well build a GRE tunnel #2: but you would use cipher none nomhttp://secure-computing.net/files/om_nom_nom.jpg nopaste"pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca noroot"unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions. notcompat#1: IPSEC and PPTP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use proprietary protocols and therefore cannot be compatible. #2: OpenVPN only connects to OpenVPN notopenvpnyour problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem notovpn"notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem nsupdatehttp://scarydevilmonastery.net/client_connect_nsupdate for a script Bushmills wrote to solve the question How can my vpn update my nameserver? 
obfs#1: if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols
#2: http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
#3: in client/server mode an admin can know that openvpn is being used. in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward secrecy (!forwardsecurity)
obfsproxy#1: For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148
#2: See also !obfs. The link to TrafficObfuscation also contains a setup example
obsdnatpass out on $ext_if from $vpn_network to any nat-to <IP ADDRESS>
obsdtaphttp://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways)
openbsdnat#1: pass out on $ext_if from 10.8.0.0/24 to any nat-to servers.public.ip && pass in quick proto tcp from any to port 1194 keep state label openvpn && pass quick on $vpn_if keep state
#2: see !fbsdnat
opendnsYou should avoid using OpenDNS for pushed DNS servers as they violate spec and send you to ad/search domains for mistyped URLs. Use GoogleDNS instead. See !dns for more info.
openvz#1: http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn
#2: It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
openvzlinnatsince openvz cant do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <container.ip>
openvznat#1: a user reported success with this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC-IP>
#2: someone else got it working with: iptables -t nat -A POSTROUTING -s <vpn_subnet>/<netmask> -o eth<public> -j SNAT --to <public ip>
osx#1: Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/
#2: Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/
osxboothttp://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes for how to run commands on boot in osX, you can change a single line in StaticRoutes file to make it start OpenVPN
osxipforward#1: sysctl -w net.inet.ip.forwarding=1 for a temp solution
#2: add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
otherprojectshttps://community.openvpn.net/openvpn/wiki/RelatedProjects for links to other projects
ovpn#1: OpenVPN GUI will load config files with a .ovpn extension when double-clicked.
#2: this is the same config file format as the standard .conf , just renamed to prevent extension collisions on Windows
p12openssl pkcs12 -export -out filename.p12 -inkey filename.key -in filename.crt -certfile ca.crt
passwordFor a good guideline on generating strong passwords, read http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
password-onlyhttp://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
paste"pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website or (#2) https://gist.github.com is a recommended place to use
pastebin#1: please paste anything with more than 5 lines into pastebin or a similar website
#2: https://gist.github.com is a recommended place to use
#3: If you're pasting config files, see !configs for grep syntax to remove comments
path#1: use full paths in your config!
#2: if you use windows, see !winpath
pfnatnat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
pfsensedont use the web gui for configuring openvpn, you need to understand the config and logfiles
pingOnly one. http://www.youtube.com/watch?v=jr0JaXfKj68
pki#1: http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
#2: Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that each other were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert)
policy#1: http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies
#2: http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
port-shareWhen run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not implemented on Windows.
ppp_defaultrouteif your otherwise working openvpn config can not redirect-gateway because its default gateway is ppp and openvpn complains it can not find the default gateway; you can try this: http://blog.wsensors.com/2011/04/openvpn-and-ppp-on-linux-vpn-traffic-forwarding-default-gateway-fix/
pptp#1: PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about why to not use pptp
#2: Why not to use it: http://en.wikipedia.org/wiki/Pptp#Security
#3: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
privatetunnelgo to support@privatetunnel.com for support!
privledgesjust choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup , and add persist-key and persist-tun (on the server, and on any client that may restart) so that a restart after dropping privileges does not need root to re-read the key or re-open the tun device
provider#1: We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team.
#2: Please contact their support team.
psychicWe're not psychic -- please !paste your !configs and !logs and a description of the issue
pt"privatetunnel" is go to support@privatetunnel.com for support!
pushusage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
push-resetDon't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
pushdns#1: push "dhcp-option DNS a.b.c.d" to push dns to the client
#2: http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
#3: http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
#4: in unix you'll use the update-resolv-conf script
#5: also http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
pwfile#1: OpenVPN 2.2 and earlier will only read passwords from a file if built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h (2.3 and later always allow it). keep the file mode 600, openvpn warns if it is readable by group or others
#2: see --auth-user-pass in the manual (!man) for more info
#3: if you're using this with the windows service, you will need --askpass
qnxhttp://ovpnforum.com/viewtopic.php?f=4&t=2449 for the qnx6 port of openvpn
quietopenssl#1: see http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html and read 'man req' to see how to make openssl not prompt you
#2: also see !ssl-admin for a sweet tool for managing your certs
randomsubnethttp://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet
read<krzee> ive been known to overreact when people look for 2 minutes and ask me to explain it to them
redactPlease don't redact or change things (hostname, port, CNs, etc) when you !paste your !configs and !logs. It's a lot easier for us to debug if we're seeing the same thing you are.
redirect#1: to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
#2: you may need to use a different dns server when redirecting gateway, see !dns or !pushdns
#3: if using ipv6 try: route-ipv6 2000::/3
#4: Handy troubleshooting flowchart: http://ircpimps.org/redirect.png
redirect_ips#1: https://forums.openvpn.net/topic8559.html for more info on giving users their own internet routable IPs
#2: it is also possible to directly hand out the ips from --server, jjk explains how to do this in his book (!book) which krzee highly recommends reading
refundIf you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
release-noteshttp://openvpn.net/index.php/open-source/documentation/release-notes.html
remapBy default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_'). This applies to common names, X509 subjects and usernames, and therefore to the file name looked up in --client-config-dir; see --no-name-remapping in the manual (!man).
repoopenvpn runs some software repositories for your installing pleasure, http://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
rfc1918"1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
rhelsee !epel5
riphttp://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
roadmaphttps://community.openvpn.net/openvpn/wiki/RoadMap for the roadmap for OpenVPN 3
rocksNobody around but us rocks! Please go ahead and ask your question, and be patient - somebody helpful will eventually perk up.
rollupSee !win_rollup
route#1: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT
#2: READ IT DONT SKIM IT!
#3: See !tcpip for more info about a more basic networking guide
#4: See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
route_outside_openvpn#1: If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route
#2: Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_outside_ovpn"route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
route_override#1: https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet
#2: to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
routebyappif you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
routerif you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
ruleshttp://secure-computing.net/openvpn/openvpn.php for channel guidelines.
samba#1: http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge
#2: http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
samesubnet#1: a client whose local lan uses the same subnet as a lan the server pushes a route for will break. you can only reach your own subnet on layer2 or through your gateway; the pushed route makes the client try to reach its gateway over the vpn, which dies because the vpn itself needs that gateway
#2: you can use --client-nat if on 2.3 to work around changing the subnet, but you should still just change the subnet
sample#1: http://www.ircpimps.org/openvpn.configs for a working sample config
#2: DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
#3: these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
sayNO! you're not the boss of me!
scale#1: OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process.
#2: Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto.
#3: Both of these issues can be handled by running multiple server instances (on several IPs or ports) and having clients round-robin between them
scaredhttp://www.youtube.com/watch?v=P_WI0VI7aIw
scriptSee SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn (you also need script-security 2 or higher for openvpn to run them). Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
secretfunny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
secure#1: http://openvpn.net/howto.html#security for hardening
#2: http://openvpn.net/index.php/documentation/security-overview.html for security overview
security"secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
servercert#1: openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key
#2: or just use build-key-server in easy-rsa
#3: this will help with !mitm, but only if the clients actually check for it: put remote-cert-tls server (or the older ns-cert-type server) in the client config, otherwise any cert signed by your CA, including another client's, can impersonate the server
serverlan#1: for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn)
#2: see !route for a better explanation
#3: Handy troubleshooting flowchart: http://ircpimps.org/serverlan.png
shapingto enable traffic shaping on clients, you do this in your firewall. it is called QOS, and in linux you would enable it with tc (iptables can mark the packets for it). openvpn's own --shaper only rate-limits one instance's outgoing tunnel data
shorewallhttp://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls.
shotgun#1: the most effective form of physical security
#2: <hyper_ch> shotgun security? <EugeneKay> If you try to physically attack my network, I chase you with a shotgun.
slowesxi<pyther> seems as if there is some type of bug with the vmxnet3 network module, so I just switched to the e1000 module, the vpn box is a virtual machine on vmware esxi. http://nwsmith.blogspot.com/2010/07/patching-vmxnet-to-disable-lro.html <pyther> something about disabling LRO
smart14:50:56 < jnewt_> in other words, i see the information you're giving me, but don't have the brains to apply it.
snapshots#1: weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
#2: by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
sockdif you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
solarishttp://www.whiteboard.ne.jp/~admin2/tuntap/ for the solaris tuntap driver, good luck... ive heard mixed reviews. let us know how it works for you
someclient2client"policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
splitdnssee http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
splitroute#1: https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet
#2: see !route_override for how to override --redirect-gateway for a certain subnet
spoonfeedinghttp://www.mp3car.com/the-faq-emporium/53368-faq-what-is-spoon-feeding.html
ssl-admin#1: if you use freebsd, it is in ports
#2: svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
#3: A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
ssl-admin 1http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
static#1: use --ifconfig-push in a ccd entry for a static ip for the vpn client
#2: example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 ; example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0
#3: also see !ccd and !iporder
#4: when pushing static IPs, you should also limit your --ifconfig-pool to exclude the static range
static-keywhen you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default
static_key_detailshttp://svn.openvpn.net/projects/openvpn/web/trunk/faq-static-key-explanation.txt for an explanation of how static key files are used
statickey#1: you can use static keys by using --secret </path/to/key>
#2: static keys only work for ptp links, not client/server. They also do not provide forward secrecy. A forward-secure scheme (such as openvpn uses with certs, via an ephemeral TLS key exchange and periodic renegotiation) protects past traffic from a later key compromise by evolving the keys with time.
#3: see !forwardsecurity for more info
status#1: You can use the --status directive to write to a status file to show the list of currently connected clients. This list can be sent to stdout (or your defined !log mechanism) with a USR2 signal as well.
#2: See also !management
strip-passphrasesee http://blog.lib.umn.edu/silvi003/codenotes/2008/08/how_to_strip_a_passphrase_from.html to learn how to strip a passphrase from a key file
subnethttp://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
subscriptionhttps://www.tunnelr.com has a slick interface and costs $7/mo , or https://www.openvpn.net/index.php/ for the pay software from openvpn technologies
sudowinhttp://sourceforge.net/projects/sudowin/
suseYou EITHER! (see !ubuntu)
sweethttp://sweet.nodns4.us/ =(
tap"bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses.
tcp#1: Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea.
#2: http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
#3: if you must use tcp, you likely want --tcp-nodelay
tcp_nodelay<EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
tcpiphttp://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
testing"snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
ticketCreate a trouble ticket by going to https://community.openvpn.net/ registering and logging in
timeoutif you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, the client's isp blocks it, or the two ends have a --tls-auth mismatch (wrong key file, or the same direction number on both sides), which silently drops every handshake packet and shows up as exactly this error
tls-auth"hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static key , then in the configs: tls-auth ta.key 0 on the server and tls-auth ta.key 1 on every client (the direction number must differ between the two ends, and the same ta.key goes to both)
toolshttps://www.secure-computing.net/ip.php
topology#1: it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet (this will end up being the default in later versions)
#2: Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets.
#3: See http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html for more history on this.
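As an added example of the /30, static and topology arithmetic above (written for this page, not code from the channel or from OpenVPN itself), the Python below computes the addresses the two topologies hand out for a --server 10.8.0.0 255.255.255.0 style setup, writes the matching ccd ifconfig-push line, rejects net30 addresses that are not the client end of a /30, and builds the ifconfig-pool line that skips a static range (OpenVPN refuses an explicit ifconfig-pool next to --server, so this line is for a config where the --server macro has been replaced by the options it expands to). It also checks a list of routes to push against a client's LAN, which is the !samesubnet problem. The 10.8.0.0/24, 192.168.1.0/24 and 10.0.5.0/24 values are constructed sample input.

```python
import ipaddress


def net30_pairs(server_net: str, count: int):
    """Default (net30) topology: every client owns a /30.  Block 0 is the
    server's own pair (.1 with peer .2), so clients start at .6/.5, .10/.9, ..."""
    net = ipaddress.ip_network(server_net)
    base = int(net.network_address)
    pairs = []
    for i in range(1, count + 1):
        client = base + 4 * i + 2
        if client > base + net.num_addresses - 6:   # last usable /30 is .248-.251 in a /24
            break
        pairs.append((str(ipaddress.ip_address(client)),
                      str(ipaddress.ip_address(client - 1))))
    return pairs


def subnet_addrs(server_net: str, count: int):
    """topology subnet: the server takes .1 and clients get .2, .3, .4, ..."""
    net = ipaddress.ip_network(server_net)
    base = int(net.network_address)
    top = base + net.num_addresses - 3            # .253 in a /24, the end --server uses
    return [str(ipaddress.ip_address(a))
            for a in range(base + 2, min(base + 2 + count, top + 1))]


def is_valid_net30_client(ip: str, server_net: str) -> bool:
    """Only the third address of each /30 (offset 2 mod 4) is a client endpoint;
    .2 belongs to the server's own /30, so the first usable one is .6."""
    net = ipaddress.ip_network(server_net)
    addr = ipaddress.ip_address(ip)
    off = int(addr) - int(net.network_address)
    return addr in net and off % 4 == 2 and 6 <= off <= net.num_addresses - 6


def ccd_entry(client_ip: str, server_net: str, topology: str = "net30") -> str:
    """The ifconfig-push line for a --client-config-dir file (see !static)."""
    net = ipaddress.ip_network(server_net)
    if topology == "net30":
        if not is_valid_net30_client(client_ip, server_net):
            raise ValueError(f"{client_ip} is not a net30 client address in {server_net}")
        peer = ipaddress.ip_address(int(ipaddress.ip_address(client_ip)) - 1)
        return f"ifconfig-push {client_ip} {peer}"
    return f"ifconfig-push {client_ip} {net.netmask}"


def ifconfig_pool_after(last_static_ip: str, server_net: str, topology: str = "net30") -> str:
    """Dynamic pool starting just above a reserved static range.  The end
    addresses are the ones --server would have used (.251 net30, .253 subnet)."""
    net = ipaddress.ip_network(server_net)
    base = int(net.network_address)
    last = int(ipaddress.ip_address(last_static_ip)) - base
    if topology == "net30":
        start = base + (last // 4 + 1) * 4                     # next /30 boundary
        end = base + net.num_addresses - 5
        return f"ifconfig-pool {ipaddress.ip_address(start)} {ipaddress.ip_address(end)}"
    start = base + last + 1
    end = base + net.num_addresses - 3
    return (f"ifconfig-pool {ipaddress.ip_address(start)} "
            f"{ipaddress.ip_address(end)} {net.netmask}")


def conflicting_routes(pushed_routes, client_lan: str):
    """Routes that overlap the client's own LAN: pushing them sends the client's
    gateway traffic into the tunnel and breaks the VPN (see !samesubnet)."""
    lan = ipaddress.ip_network(client_lan)
    return [r for r in pushed_routes if ipaddress.ip_network(r).overlaps(lan)]


if __name__ == "__main__":
    print(net30_pairs("10.8.0.0/24", 3))
    print(subnet_addrs("10.8.0.0/24", 3))
    print(ccd_entry("10.8.0.6", "10.8.0.0/24"))
    print(ccd_entry("10.8.0.5", "10.8.0.0/24", "subnet"))
    print(ifconfig_pool_after("10.8.0.50", "10.8.0.0/24"))
    # constructed sample: server LAN 192.168.1.0/24 pushed to a client that sits on 192.168.1.0/24
    print(conflicting_routes(["192.168.1.0/24", "10.0.5.0/24"], "192.168.1.0/24"))
```

Run it as-is to see why the first net30 client is .6 rather than .2, and feed conflicting_routes() the client's actual LAN before pushing a route for a 192.168.0.0/24 or 192.168.1.0/24 server LAN; those two subnets collide with home routers so often that the channel tells you not to use them at all.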
topsecretif your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust.
trac#1: see https://community.openvpn.net for development information and bug tracker.
#2: if you have a forum login, use that for trac, its the same database.
tunnelblickhttp://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
tunortap#1: you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
#2: and if your reason for wanting tap is windows shares, see !wins
#3: also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over the vpn
#4: lan gaming? use tap!
#5: Normal Android/iOS devices (not rooted/jailbroken) support only tun.
ubuntudont use network manager!
unixa text adventure, and the only cheat mode is to ask in IRC, where to start reading
unprivsee https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions.
vampirePlease don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. http://slash7.com/2006/12/22/vampires/
verbverb command is for setting log verbosity, see --verb in the manual (!man) for more info
vista13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
vpnhttp://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
walkthroughif you are using some walkthrough and now you are here cause you have problems and dont understand your setup, type !howto and !man and try to actually learn what you're doing. most those docs about openvpn from google SUCK.
webgui#1: http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback
#2: http://sourceforge.net/projects/openvpn-status/ also pls let us know if you use that
welcome#1: Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm
#2: Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
whining< MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you.
whybecause screw you, that's why.
whybridge#1: you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun.
#2: See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
wiki#1: http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki
#2: https://community.openvpn.net/openvpn/wiki for the Official wiki
willWhere there's a will, there's /away
win-dnsFrom cmd.exe: if ipconfig /all shows the proper DNS server address assigned to the tap device... Please choose !win-dns-xp or !win-dns-vista-7
win-dns-vista-7click start -> control panel -> network and sharing center -> change adapter settings -> <ALT> -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list
win-dns-xpclick start -> control panel -> network connections -> advanced -> advanced settings. Make sure your VPN connection is at the top of the list.
win2k8Server 2008 assigns the OpenVPN TAP Adapter v9 as an Unidentified network which the default Local Security Policy of Server 2008 assigns as being a Public Interface with restricted access. To fix it do this: Go into Control Panel / Administrative Tools / Local Security Policy / Network List Manager Policies / Unidentified Networks. Set Location Type to Private.
win7http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/8a3e9b05-353b-4250-a023-066a085e9657 for a workaround to the windows 7 unidentified network issue you get when using redirect-gateway
win_buildhttps://community.openvpn.net/openvpn/wiki/BuildingOnWindows for mattock's doc on building openvpn on windows
win_ipfail#1: if the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled.
#2: and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
win_rollupplease see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
win_tcplimitsee http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients
windows#1: computers are like air conditioners, they work well until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
windows_mobilehttp://ovpnppc.ziggurat29.com/ovpnppc-files.htm for windows mobile builds of openvpn
windows_problems#1: PCs are like air conditioners - they work fine until you open windows.
#2: http://secure-computing.net/files/windows.jpg for funny
#3: http://secure-computing.net/files/windows_2.jpg for more funny
winipforwardhttp://support.microsoft.com/kb/315236 to enable ip forwarding on windows
winnat#1: http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
#2: http://www.nanodocumet.com/?p=14 for windows XP
#3: https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
winpassopenvpnGUI for windows has a change password feature that will change the passphrase on your .key files
winpath#1: Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
#2: also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
winroute#1: in windows if the route cannot be added, try route-method exe in your config file
#2: many users also report it helps to add route-delay to give the interface extra time to get up
#3: you may need to turn off routing and remote acess in administrative tools - routing and remote access
#4: make sure you are running openvpn as admin
#5: http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html you might also want to see that and use trial and error with those solutions
winshttp://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
winscripta user reported that his --up script was not executed in windows gui. his config was bps.ovpn, he renamed the script to bps_up.bat and put it in the dir with his config... then it worked!
winshortcutTo start OpenVPN-GUI easily on Windows, make a shortcut and set the Target as: "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe" --config_dir "C:\path\to\config" --connect client.ovpn --show_balloon 0 --silent_connection 1 --show_script_window 0
winsudo"sudowin" is http://sourceforge.net/projects/sudowin/
wintaphide#1: in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89
#2: To show again, set it to 0x81
wireless#1: if you are getting replay errors while on wireless, see --mute-replay-warnings in the manual (!man)
#2: if you are securing your wireless using openvpn, see !local
wisdomWe can only provide you with the information. We are not, unfortunately, able to make you understand it.
wishlisthttps://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
xca#1: XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa.
#2: Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
xyhttp://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
42the answer to life, the universe, and everything.
101This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
1918#1: RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16